The invention relates to electronic content security. More particularly, the invention relates to Digital Rights Management of electronic content.
More and more information is transmitted electronically in digital form. Virtually anything that can be represented by words, numbers, graphics, audio or video information, or a system of commands and instructions can be formatted into electronic digital information, also referred to as “digital content,” or just “content.” Electronic appliances of various types are all interconnected, providing their users with the potential to accomplish a myriad of tasks, such as telecommunications, financial transactions, business operations, research, and entertainment-related transactions.
A fundamental problem for digital content providers is extending their ability to control the use of proprietary information, such as copyrighted content. Content providers often want to limit the usage of the content to authorized activities and amounts. For example, commercial content providers are concerned with ensuring that they receive appropriate compensation for the use of content.
Content providers and distributors have employed a number of rights protection mechanisms to prevent unauthorized use of their content. Among these is Digital Rights Management (DRM). DRM relates to the licensing and control of the distribution and use of digital content. In general, DRM systems distribute digital content in an encrypted form. A set of rights is associated with the content, and only after acquiring the rights to access a protected piece of digital content will a user be allowed to decrypt it. Currently there are competing DRM specifications, which include Open Mobile Alliance (OMA DRM), Windows Media Device (WM D-DRM), and several others.
DRM content distribution is becoming more widespread as more devices, such as cellular telephones and personal digital assistants (PDAs) become DRM-enabled. According to conventional software architecture, as seen from a high-level system view, the software for the devices is one monolithic piece. For example, some current DRM solutions propose DRM function implementation within the software contained in the handheld device. More particularly, some conventional DRM solutions require the use of a dedicated “DRM player,” such as a browser, media player, and the like.
An alternative approach is to divide the software into a platform part, having a platform software domain, which includes fundamental services and software components; and an application part, having an application software domain, which includes software components that are more closely related to specific device features. An example of such a system is described in U.S. patent application Ser. No. 10/413,044, “Method and System for Digital Rights Management,” filed Apr. 14, 2003. In the following, it is assumed that a software architecture having platform and application parts is used.
FIG. 1 illustrates a basic model for providing content using DRM. A content provider 100 creates and packages digital content according to the DRM specification and establishes one or more sets of usage rights (or rules) and associated usage costs, which are associated with the various possible uses of the content (e.g., play, print, copy, distribute, etc.) and the allowable number of times, or time period, that the content is made available. The content is transferred to a distributor 110 that makes it available to users 120, for example on a distributor's storefront website. A user 120, operating user equipment (UE), may then browse the distributor's available content and select content of interest to the user 120, while also selecting one of the defined usage rights for the content (noting the associated usage costs). The user 120 makes the appropriate payment to the distributor 110 for the selected content/usage, at which time the content and usage rights can be transferred to the UE, which may be a mobile terminal, PDA, media player, or other like device capable of rendering content. The UE can then render the content according to the usage rules to make it available for use by the user 120 according to the usage rules. In some cases the rights are cleared through payment to an intermediary (not shown), such as a payment broker, which then signals the distributor 110 to supply the content.
The DRM-related data may be defined generally as two entities—a content container and a license—that can be transferred either as one physical package or as two separate physical packages. The latter case is more flexible since a new license can be obtained without resending the entire content and a higher security level is achieved when content and license are not transferred together. If the content container and license are transferred separately, they each must include linking information.
The content container comprises the actual content that the user wants to render, which is typically in an encrypted form to protect against unauthorized usage. The license generally includes the usage rights of the associated content, e.g., a rights object, and a key, or some or all of the information needed to generate a key, needed for content decryption.
As discussed above, the usage rights define the conditions that apply to the rendering of the content. To allow for flexible and extensible expression of the usage rights, special rights expression languages (REL) have been developed. Two of the dominating REL alternatives today are called extensible rights markup language (XrML) and open digital rights language (ODRL), both of which are based on extensible markup language (XML).
Platforms that support DRM-protected content distribution to the UE include some form of logical DRM component to provide the needed DRM functionality in the platform domain to process the DRM-protected content. For example, the platform for a telecommunications system must provide a logical DRM component to process the DRM-protected content that is made available for download to mobile terminals in the system. In general, the DRM component within the platform must provide DRM functionality support within the platform to an outside application (in the application domain) that is providing content to a UE supported by the platform.
The term platform as used here refers generally to platform software and hardware that at least partially make up a “secure” network in which users communicate, via UEs, either wirelessly or by wire, or a combination of the two. Network entities in the platform may be interfaced to outside applications in the application domain for the purposes of downloading DRM-protected content, among other things. The network is considered secure in the sense that the network platform and its communications traffic are managed and controlled by a network provider.
An example of such a secure network is a telecommunications system, generally comprising UEs (e.g., mobile terminals) communicating wirelessly to base stations, which in turn communicate with other telecommunication network entities and the like. Included among these other entities is an interface to outside networks, such as the Internet, and outside applications. These outside applications are accessible to users within the network via the various network entities and the software they use to communicate and move data to and from the user (i.e., the platform software) under the control of the network provider.
An encryption/decryption algorithm is employed for encrypting and decrypting the content. The algorithm is preferably symmetric, meaning an identical key is used for both operations, for efficiency reasons. The keys themselves, however, can also be protected by using asymmetric ciphering algorithms, which make use of a public/private key pair. Additional security may also be obtained by incorporating the use of certificates and digital signatures, as is known in the art. The complete model for reliable distribution of public keys by using certificates and digital signatures is known as the Public Key Infrastructure (PKI).
The UE decrypts the content using a decryption key supplied in the rights object via the platform. It is often the case that unique keys for decrypting the content must be distributed to each of a large number of UEs. Distributing a large number of keys typically requires a relatively significant amount of time, forcing the key distribution to take place well before the content is made available, e.g., a planned streaming video/audio event, because each distributed key is unique to each UE and the distribution typically follows rather complex protocols specified by the DRM solution. The fact that the key or key material will be available in the UE a long time before its intended usage results in an increased risk that the key will be compromised by unauthorized users and perhaps even widely distributed to other unauthorized users. Therefore the time that a key (or key material) is present on the UE before its intended usage should be minimized. This problem worsens as the amount of bandwidth available for key distribution decreases, since the amount of time needed to distribute the keys increases. Systems such as mobile communication systems are especially vulnerable, due to their limited bandwidth. Other domains, such as the Digital Broadcast (TV) domain, have enough bandwidth to distribute the key only shortly before a streaming content session is to begin.