A Digital Rights Management (DRM) system is a technology for securely protecting and systematically managing a rights object of digital contents, and provides a series of protection and management systems related to the prevention of illegal copy of digital contents and acquisition of rights object of the digital contents, generation and circulation of the digital contents, and procedures of use of the digital contents.
FIG. 1 is a schematic view of a digital rights management system. The digital rights management system controls digital contents provided from a contents provider to a user such that the user is able to use the digital contents as much as rights object granted to the user. Here, the contents provider is an entity corresponding to a Contents Issuer (CI) and/or a Rights Issuer (RI).
The Contents Issuer (CI) issues contents protected using a specific encoding key so as to protect the contents from users having no access rights, and the Rights Issuer (RI) issues Rights Object (RO) required to use the protected contents.
A DRM agent installed in a device (or a terminal) receives the protected contents and rights object, and controls a use of the contents by analyzing a license included in the rights object and converting the protected contents into a form suitable for being used in a corresponding terminal.
A Domain Authority/Domain Enforce Agent (DA/DEA) is an entity for managing and controlling a user domain. That is, the DA defines a Domain Policy for the user domain, and the DEA is an entity for performing the domain policy defined by the DA and may be positioned in a network or in a device within the domain.
FIG. 2 is an overview showing exemplary user domain architecture in DRM. FIG. 2 shows an exemplary framework for a Share-key management in a User Domain key Management scheme.
Differently from the concept of a domain in the related art OMA DRM technology, the user domain is configured such that the RI only performs a function of issuing a Domain Rights Object, and the DA/DEA performs a function of managing Domain Members. The user domain members (i.e., devices joined to the user domain) may share rights objects issued from different service providers through copy, move, and the like.
Referring to FIG. 2, if the device (or DRM agent) requests to join a corresponding user domain through a Join Domain Request message, the DA/DEA verifies (checks) the device (DRM agent) and securely transfers a Master Domain Key (MDK) to the terminal. Here, the DA/DEA performs an encryption on the MDK using the device's public key. All devices joined in the specific user domain may share the same MDK.
The DA/DEA securely issues, to the RI, a Diversified Domain Key (DDK) derived from the MDK. The DDK is used to encrypt a Rights Object Encryption Key (REK) of the domain rights object. The DA/DEA additionally issues a Validation Token (so called, V-Token) such that a member of the user domain, having received the RO, verifies the reliability of the RI. This V-Token includes information, such as a term or condition of a contract between the DA/DEA and the RI. Therefore, the device (e.g., DEV1 in FIG. 2) may verify through such information whether or not the RO transferred from the RI is valid (usable).
The device may obtain the DDK by deriving the MDK issued by the DA/DEA, and may use the DDK to use the RO (i.e., domain RO) issued from the RI. Here, before the RO is used, the device may verify through the V-Token whether the RO is valid. Meanwhile, if the terminal (e.g., DEV1) desires to share the RO with another terminal (e.g., DEV2) as a member of the user domain, the terminal (i.e., DEV1) may transfer a DRM Contents Format (DCF), the RO, and the V-Token to said another terminal (i.e., DEV2) for sharing.
FIG. 3 is a schematic block diagram showing a process of creating a domain RO by an RI in a user domain.
Referring to FIG. 3, if the device 1 (or DRM Agent 1) requests an RO from the RI (S1), the RI checks an ID of a corresponding user domain (e.g., in FIG. 3, a domain where the devices 1, 2 and 3 are joined), and requests domain information, the V-Token (or User Domain Token) and a key (DDK or DDK-set) from the DEA (Use Domain Request in FIG. 3) (S2). The RI receives a response to the request from the DEA (Use Domain Response in FIG. 3) (S3). After creating (generating) a user domain RO based on the information received from the response in step (S3), i.e., the DDK and V-Token, the RI issues the generated RO to the device 1 (RO Response in FIG. 3) (S4).