Imad Mahmoud Aref Abbadi (2008) Digital Rights Management for Personal Networks.
Full text access: Open
The thesis is concerned with Digital Rights Management (DRM), and in particular with DRM for networks of devices owned by a single individual. This thesis focuses on the problem of preventing illegal copying of digital assets without jeopardising the right of legitimate licence holders to transfer content between their own devices, which collectively make up what we refer to as an authorised domain. An ideal list of DRM requirements is specified, which takes into account the points of view of users, content providers and copyright law. An approach is then developed for assessing DRM systems based on the defined DRM requirements; the most widely discussed DRM schemes are then analysed and assessed, where the main focus is on schemes which address the concept of an authorised domain. Based on this analysis we isolate the issues underlying the content piracy problem, and then provide a generic framework for a DRM system addressing the identified content piracy issues. The defined generic framework has been designed to avoid the weaknesses found in other schemes.

The main contributions of this thesis include developing four new approaches that can be used to implement the proposed generic framework for managing an authorised domain. The four novel solutions all involve secure means for creating, managing and using a secure domain, which consists of all devices owned by a single owner. The schemes allow secure content sharing between devices in a domain, and prevent the illegal copying of content to devices outside the domain. In addition, each solution incorporates a method for binding a domain to a single owner, ensuring that only a single consumer owns and manages a domain. This enables binding of content licences to a single owner, thereby limiting illicit content proliferation.

In the first solution, domain owners are authenticated using two-factor authentication, which involves "something the domain owner has", i.e. a master control device that controls and manages consumers' domains, and binds devices joining a domain to itself, and "something the domain owner is or knows", i.e. a biometric or password/PIN authentication mechanism that is implemented by the master control device. In the second solution, domain owners are authenticated using their payment cards, building on existing electronic payment systems by ensuring that the name and the date of birth of a domain creator are the same for all devices joining a domain. In addition, this solution helps to protect consumers' privacy; unlike in existing electronic payment systems, payment card details are not exposed to third parties. The third solution involves the use of a domain-specific mobile phone and the mobile phone network operator to authenticate a domain owner before devices can join a domain. The fourth solution involves the use of location-based services, ensuring that devices joining a consumer domain are located in physical proximity to the addresses registered for this domain. This restricts domain membership to devices in predefined geographical locations, helping to ensure that a single consumer owns and manages each domain.
This is a Published version. This version's date is: 04/06/2008. This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/231c27e9-a35c-9f96-36fd-25e4a2b9315b/1/
Deposited by () on 28-Jun-2010 in Royal Holloway Research Online. Last modified on 14-Dec-2010.