Digital Rights Management

(1)

Digital Rights Management

Master’s thesis in Image Coding by

Cristina García Valverde and Rubén Cano Collado

Report nº LITH-ISY-EX-3423-2003

(2)

(3)

Digital Rights Management

Master’s thesis in Image Coding by

Cristina García Valverde and Rubén Cano Collado

Report nº LITH-ISY-EX-3423-2003

Date

: 2003-07-15

Supervisors: Karl-Göran Stenborg and Jacob Löfvenberg Examiner: Robert Forchheimer

(4)

(5)

Avdelning, Institution Division, Department Institutionen för Systemteknik 581 83 LINKÖPING Datum Date 2003-07-15 Språk

Language Rapporttyp Report category ISBN Svenska/Swedish

X Engelska/English

Licentiatavhandling

X Examensarbete ISRN LITH-ISY-EX-3423-2003 C-uppsats D-uppsats Serietitel och serienummer

Title of series, numbering ISSN Övrig rapport

____

URL för elektronisk version

http://www.ep.liu.se/exjobb/isy/2003/3423/ Titel

Title Digital Rights Management Författare

Authors Cristina García Valverde and Rubén Cano Collado

Sammanfattning Abstract

Nowadays, one of the main issues for the enterprises that are interested in e-bussiness is to protect their Intellectual Properties (IP) against illegal uses, that is, to guarantee, thanks to the Digital Rights, that only the users which have those Digital Rights granted can enjoy such IPs.

The DRM systems emerge towards this end. This thesis will study the different steps that are followed in order to develope a DRM Solution: the framework, the requirements, the identifiers and metadata (data about data) of the IP, a standard language to express the rights (<indecs> project) and the available tools to develop the DRM Solution.

To conclude, we will study a practical example of Open Proposal: OpenIPMP, and we will draw the relevant conclusions.

Nyckelord Keyword

DRM, IP, metadata, identifiers, interoperability, persistence, <indecs> project, rights, trusted system, DOI, ODRL, XML Security Standards, XrML, OpenIPMP.

(6)

(7)

Acknowledgements

We would like to thank Magnus Andrén and our supervisors Karl-Göran Stenborg and Jacob Löfvenberg for their support in the development of this thesis. We also want to thank our supervisor Robert Forchheimer who has done everything possible in order to help us.

(8)

(9)

Abstract

Nowadays, one of the main issues for the enterprises that are interested in e-bussiness is to protect their Intellectual Properties (IP) against illegal uses, that is, to guarantee, thanks to the Digital Rights, that only the users which have those Digital Rights granted can enjoy such IPs.

The DRM systems emerge towards this end. This thesis will study the different steps that are followed in order to develope a DRM Solution: the framework, the requirements, the identifiers and metadata (data about data) of the IP, a standard language to express the rights (<indecs> project) and the available tools to develop the DRM Solution.

To conclude, we will study a practical example of Open Proposal: OpenIPMP, and we will draw the relevant conclusions.

(10)

(11)

List of Figures

FIGURE 1.1. Distribution Value Chain………...2

FIGURE 2.1. DRM Functional Architecture………...7

FIGURE 2.2. Core Entities Model………...10

FIGURE 2.3. Creation Structural Types: Descriptive Data………...11

FIGURE 2.4. Parties model………...12

FIGURE 2.5. Primary Entity Relationships: Integrated Data Model………....14

FIGURE 2.6. Rights Expression Model………...15

FIGURE 2.7. Generic DRM Software Application Architecture………...16

FIGURE 2.8. DRM processes between Server and User...17

FIGURE 2.9. Logical Model of a Digital Asset...20

FIGURE 2.10. Encryption and decryption………...29

FIGURE 2.11. Conventional Encryption………...30

FIGURE 2.12. Public Key Encryption………...32

FIGURE 2.13. Simple Digital Signatures………...33

FIGURE 2.14. Software Security Dongles………...34

FIGURE 2.15. Principle of Individual Video Watermarking………...37

FIGURE 2.16. Interoperability of watermarking in the uncoded and coded domain...38

FIGURE 2.17. Broadcasting of video with individual watermark embedding at the receiver side...39

FIGURE 3.1. ODRL Foundation Model………...74

FIGURE 3.2. ODRL Permission Model…………...76

FIGURE 3.3. ODRL Constraint Model…………...78

FIGURE 3.4. ODRL Requirement Model…………...80

FIGURE 3.5. ODRL Condition Model…………...81

FIGURE 3.6. ODRL Rights Holder Model…………...81

FIGURE 3.7. ODRL Context Model…………...83

FIGURE 3.8. ODRL Offer Model…………...83

FIGURE 3.9. ODRL Agreement Model…………...84

FIGURE 3.10. ODRL Revoke Model…………...85

FIGURE 3.11. ODRL Encryption Model…………...86

FIGURE 3.12. ODRL Digital Signature Model…………...87

FIGURE 3.13. DOI Syntax…………...90

FIGURE 3.14. DRM process flow…………...96

FIGURE 3.15. The DOI Directory…………...97

FIGURE 3.16. Components of an XML Signature…………...99

FIGURE 3.17. XML Data structure without encryption...101

FIGURE 3.18. XML Data structure fully encryted…………...102

FIGURE 3.19. The SAML Domain Model…………...104

(16)

FIGURE 3.21. Data-flow diagram…………...108

FIGURE 3.22. XACML context…………...109

FIGURE 3.23. Relationship between XML DSig, XML Encrypt and the XML Key Management Services...……...110

FIGURE 3.24. XrML data model…………...112

FIGURE 3.25. XrML license model…………...113

FIGURE 3.26. XrML organization…………...114

FIGURE 3.27. XrML trust model…………...116

FIGURE 4.1. EJBCA Architecture…………...127

FIGURE 4.2. OpenIPMP Login…………...131

FIGURE 4.3. OpenIPMP Register New User…………...131

FIGURE 4.4. OpenIPMP Acquire Keystore…………...132

FIGURE 4.5. OpenIPMP Registered Content…………...132

FIGURE 4.6. OpenIPMP Licenses…………...133

FIGURE 4.7. Mp4creator command line…………...134

(17)

List of Tables

TABLE 2.1. Creations: Structural Types…………...11

TABLE 2.2. Rights Expressions…………...14

TABLE 2.3. Main Iniciatives with which <indecs> has communicated...59

TABLE 2.4. Mapped in the development of the <indecs> model...65

(18)

(19)

Chapter 1

Introduction and Background

1.1. WHAT IT IS AND WHY IT IS NEEDED

"Digital Rights Management (DRM) involves the description, identification, trading, protection, monitoring and tracking of all forms of rights usages over both tangible and intangible assets -both in physical and digital form- including management of Rights Holders relationships." [1].

The need of security and safe in electronic distribution of digital contents makes that Digital Rights Management (DRM) grows as an emerging and vital business concept. In its purest form, DRM provides a technology platform to allow trusted packaging, flexible distribution and managed consumption of digital content over electronic networks.

DRM technology provides content owners, service providers, distributors and retailers with a safe, secure method for meeting the consumer´s need for interactive, on-demand access to movies, online games, books, music, software and propietary data (virtually any type of digital media).

It is important to note that DRM is the “digital management of rights“ and not the “management of digital rights“. That is, DRM manages all rights, not only the rights applicable to permissions over digital content.

In order to find solutions to digital piracy, technology companies have spent hundreds of millions of dollars and thousands of engineering hours.There is not single solution that will solve all threats of piracy in all circumstances. Developing these technologies involves complex engineering efforts and it is the best interest for all content industries to work cooperatively.

(20)

1.2. DRM: DISTRIBUTION VALUE CHAIN

The objectives for managing content rights in the traditional media world include: • protecting the content and avoiding piracy,

• enabling revenue through outright purchase or licensing, • reinforcing traditional media brands and

• learning more about company´s audience.

This is so difficult to get in the digital world. Content creation, packaging and distribution have new meanings in the Internet economy. Content conversion, digitization, compression and storage technologies have created new oportunities and efficiencies, for media and information, to be archived, repackaged and redistributed through electronic channels (e.g., the Internet, extranets, cable, terrestrial broadcasts or satellites). As content becomes more widely available in digital form, it becomes even easier to distribute, share, copy and alter if it is improperly “meta-tagged“ (unique identifying tags related to media format, creator, usage and distribution rules) and encrypted throughout the digital distribution value chain.

This brings an exponential increase in the threat of piracy and the loss of revenue for original content owners and producers. Now that electronic content can be copied much more easily, content owners have a greater need for content control. IP authentication and password access are not able to protect the content from being duplicated or shared, thus creating a need for greater rights management controls. At the same time, digital media distribution can bring a variety of new business opportunities for owners or generators of content who incorporate the right technologies to control their digital media distribution value chain [2].

FIGURE 1.1. Distribution Value Chain

The Distribution Value Chain shows the need for a safe and secure method for accesing, distributing and merchandaising digital content. It is important to notice the following aspects of each link of the chain [3]:

Sponsors / Advertisers Content, Creators and Rights Owners Service Providers, Distributors and Retailers Clients or Consumers Packaging

(21)

• Content, Creators and Rights Owners: - Safeguards copyright integrity. - Assures revenue generation.

- Expands business model alternatives. - Protects brand identity.

• Service Providers, Distributors and Retailers: - Maximizes business opportunities.

- Protects revenue streams.

- Minimizes risk of unauthorized distribution. - Expands potential customer base.

• Clients or Consumers:

- Expands digital content choices. - Simplifies authorized playback. - Allows full-featured user experience.

(22)

(23)

Chapter 2

Digital Rights Management: Technical

description

2.1. ARCHITECTURE AND FRAMEWORK

2.1.1. SUMMARY

The basic responsibility of a standards organization is to construct reference architecture. However, it is also necessary to create a mechanism that takes into account the innovation and the future growth of technological developments. This concept is embodied in the guiding principle adopted by several organizations with which the owner of the media contents (music and video) has been associated; a specification shall not preclude any technological solution that provides the requisite functionality demanded by the industry stakeholders.

Components must be constructed in a modular manner and integrated into a flexible architecture so that the specification may survive.

It is also necessary to develop a common language or structure that facilitates discussion of complex issues by parties with widely divergent points of view and vocabularies in order to implement any standardized scheme for the management of rights in digital environment.

In this section we will study several architectures in order to define and give a framework to the DRM Solutions:

• Functional Architecture

The Functional Architecture tries to modeled the total DRM framework in order to build digital rights-enable systems. It is a vision, in three areas, of how to manage the creation of content, the trade of the content and the use of the content.

It stipulates, also, the roles and the behaviour of these three areas of Intellectual Property (IP).

(24)

• Information Architecture

The Information Architecture is a more flexible model to describe DRM framework. In order to do this description, this architecture take into account three main steps: to model the entities, to identify and describe them and to express the rights statements.

This architecture tries to model the entities and their relationships. To do that, it defines the three core entities: Users, Content and Rights.

Once the entities have been defined, it is necessary to express the rights that will be applied to the transactions between them (the Rights Expressions).

The Information Architecture also evidences the need of a standard, like Open Digital Rights Language (ODRL), that models the Rights Expressions and their relationships because these Rights Expressions can became complex very quickly.

• Software Application Architecture

The Software Application Architecture is a model from the technological point of view. It tries to explain different points:

- The steps to get a correct, safe and security transaction: metataging, encryption, permissions...

- The components of a typical DRM Software Architecture: content server, license server and client software.

- The process of a DRM transaction: the differents steps between the server and the user since the user asks for the content until he receives it.

These three different architectures give us a general vision, from different points of view (Intellectual Property (IP), entities and technological) of the DRM framework. Reference [4] has been one of the most important sources of information for this section.

2.1.2. FUNCTIONAL ARCHITECTURE

The total DRM framework adapted to building digital rights-enabled systems can be modeled in three areas:

• Intellectual Property (IP) Asset Creation and Capture:

How to manage the creation of content so it can be easily exchange. This includes asserting rights when content is first created (or reused and extended with appropiate rights to do so) by various content creators/providers.

(25)

• IP Asset Management:

How to manage and enable the trade of content. This includes accepting content from creators into an asset management system (we will see in section 2.2.2.: Digital Asset Management). The trading systems need to manage the descriptive metadata and rights metadata (e.g. parties, usages, payments, etc.).

• IP Asset Usage:

How to manage the usage of content once it has been traded. This includes supporting contraints over traded content in specific desktop systems/software.

The Functional Architecture provides a framework for the modules to implement DRM functionality (Figure 2.1.).

So that, the Functional Architecture stipulates the roles and behaviour of a number of cooperating and interoperating modules under the three areas of Intellectual Property (IP): Asset Creation, Management and Usage.

FIGURE 2.1. DRM Functional Architecture Æ The IP Asset Creation and Capture module supports:

• Rights Validation: this is a part to ensure that content being created from existing content (e.g. a copy) includes the rights to do so.

• Rights Creation: to allow rights to be assigned to new content, such as specifying the rights owners and allowable usage permissions.

• Rights Workflow: this part is to allow that the content can be processed through a series DRM Architecture IP Asset Management IP Asset Creation Capture Rights Creation Repository Trading Rights Workflow Permission Management Content Metadata Tracking Managementt Works Rights Parties Payments Fulfilment Licenses Packaging Rights Validation IP Asset Usage

(26)

Æ The IP Asset Management module supports:

• Repository functions: to allow the access/retrieval of the content in potentially distributed databases and the access/retrieval of metadata. The metadata covers Parties, Rights and descriptions of the Works. (See the Information Architecture section for more details).

• Trading functions: to enable the assignment of licenses to parties who have traded agreements for rights over content, including the payments from licenses to rights holders. In some cases, the content may need to go through fulfillment operations to satisfy the license agreement. For example, the content may be encrypted/protected or packaged for a particular type of desktop usage environment.

Æ The IP Asset Ussage module supports:

• Permissions Management: this is a part to enable the use associated with the content in accordance with the rights. For example, if the user only has the right to view the document, then printing will not be allowed.

• Tracking Management: it function is to enable the monitoring of the usage of content where such tracking is part of the agreed to license conditions (e.g., the user has a license to play a video ten times). This module may also need to interoperate with the trading system to track usage or to record transactions if there is payment due for each usage. These three modules and their relationships provide the core functionality for DRM systems. The modules have been described only at a high level, and they would also need to operate within other, existing e-business modules and Digital Asset Management modules (that we will study in 2.2.2. section: Digital Asset Management). Additionally, the modules would support other principles, requirements and characteristics, like interoperability, persistence, granularity, etc., that we will describe in next sections.

The Functional Architecture is only one of the models that exist in order to describe the DRM framework. The fast advance of technological development causes that Rights Management can become complex. For this reason, DRM systems must support the most flexible model possible to provide these complex and layered relationships. The Information Architecture provides this [4].

2.1.3. INFORMATION ARCHITECTURE

The Information Architecture is another model to describe DRM framework, but more flexible. The development of this model consists in three main issues:

• Modeling the entities

• Identifying and describing the entities • Expressing the rights statements

(27)

2.1.3.1. MODELING THE ENTITIES

It is important to adopt a clear and extensible model for the DRM entities and their relationship with other entities.

There are currently four major active communities of rights-holders directly confronting these questions: based in the book and electronic publishing sector works the DOI community; the IFPI community of record companies; the ISAN community for producers, users, and rights owners of audiovisuals; and the CISAC community of collecting societies for composers and publishers of music, but also extending into other areas of authors' rights, including literary, visual, and plastic arts [5].

¾ DOI (Digital Object Identifier) is a term that embraces a set of related initiatives centred on a persistent digital identifier (the DOI), a technology (Handle by the Corporation for National Research Initiatives ,CNRI), and an organisation (the International DOI Foundation). Metadata definition has become a major issue for the DOI.

¾ MUSE is an EC-funded initiative of the record industry scheduled to announce (around October 1998) a secure means of encoding and protecting identifiers within digital audio. It is linked to the ISRC (International Standard Recording Code), and the project includes the specification of ISRC-related metadata.

¾ ISAN (International Standard Audiovisual Number) is backed by the film industry and collecting societies and is currently in draft in ISO TC46 sc9. It will be the backbone of several industry databases and related metadata sets.

¾ The CIS (Common Information System) plan is a copyright society-led international standardisation programme based on the integration of identifiers and related metadata to support efficient licensing and royalty distribution.

Existing work in this area includes the <indecs> (Interoperability of Data in E-Commerce Systems) project [6]. The basic principle of the <indecs> model is to clearly separate and identify the three core entities: Users, Content and Rights, as shown in Figure 2.2. We will study this in section 2.4: The <indecs> project.

Another view of <indecs> is the Commerce one. The cycle of making and using can go round and round indefinitely, although ultimately there will be “end users” who simply perceive or “enjoy” a creation with one or more of their senses. In the framework this gives rise to three basic types of commerce entity: Parties, Creations and Transactions.

In the core entities model we can identify, as we said before, three “parts” [4]:

• Users entity: It can be any type of user, from a rights holder to an end-consumer, an agent

undertaking an activity or task in a creative or commercial event.

• Content entity:that is any type of content at any level of aggregation, the output of creative

activity.

• Rights entity: is an expression of the permissions, constraints, and obligations between the

Parties and the Creations, an event determining or recording the use of possible use of an entity.

(28)

This model provides the greatest flexibility when assigning rights to any combination or layering of Users and Content. The Core Entities Model also allows Creations from being used in new and evolving business models.

FIGURE 2.2. Core Entities Model

We could analyse the relationships, the rights and the descriptive metadata about the three entities. This metadata needs to include a mechanism to relate the entities to each other. The need for integration of metadata and rights management could be support for three propositions that set out a possible framework for an integrated approach. It based on models developed in the CIS plan and the DOI Rights Metadata group, and work on the ISRC, ISAN and ISWC standards and proposals [5].

The three propositions are:

1. DOI metadata must support all types of creation.

2. The secure transaction of requests and offers data depends on maintaining an integrated structure for documenting rights ownership agreements.

3. All elements of descriptive metadata (except titles) may also be elements of agreements. The main consequences of these propositions are:

1. A general and standard vocabulary is essential.

2. Non-confidential terms of rights ownership agreements must be generally accessible in a standard form. By this way, the network must be able to automatically determine the current owner of any right in any creation for any territory.

3. All descriptive metadata values (except titles) must be stored as unique, coded values. If we take into account these propositions, the implications on the behaviour and the future inter-dependency of the rights owner and content communities (audiovisual, visual, text…) are considerable.

The CIS plan uses the generic term creation to denote a product of human imagination

and/or endeavour by one or more Parties in which Rights may exist [5]. The term has the

advantage that it does not carry much baggage. It is free of the connotations or legal matters of the narrower term work and it has not been employed in any specific sector until now. It is now employed as a basic term in the vocabularies of CIS, DOI and in the IMPRIMATUR business model. CONTENT RIGHTS USERS Make Used by do about

(29)

Creations appear to come in four main structural types[5]:

Structural type Medium (material) Examples Means of identification

Package Physical (atoms, a single exemplar instantiation of an object)

Book, CD, video, photograph, painting

Printed text or barcodes (e.g., UPC/EAN, ISBN, ISSN, ISMN)

Object Digital (bits, the digital embodiment

of a performance of a work) Text, picture, audio, av file Digitally encoded (e.g., ISRC, ISAN, DOI )

Performance Spatio-temporal (actions, the intellectual or artistic realization of a work)

Live performance of work, broadcast of recording

In metadata only

Work Abstract (concepts, ideas, a distinct

intellectual or artistic creation)

Musical composition, literary work

In metadata only (e.g., ISWC, ISAN)

TABLE 2.1. Creations: Structural Types

Each structural type of creation may be manifested in any other. The same principles apply in audiovisual, visual, text and other primary types. The generic structural relationships are modelled in Figure 2.3.

FIGURE 2.3. Creation Structural Types: Descriptive Data

We could also say that creations can be said to be nested within each other: this also applies to creation of the same type (such as acts in a play or movements in a symphony).

The phenomenon of nesting is the norm for most works, not the exception. When one creation is traded, a complex network of them may in fact be traded. A single multimedia creation may nest hundreds of audiovisual works, graphics, texts, audio recordings and all their underlying abstract compositions and works: often thousands of distinct creations with rights owners attendance. Package Performance Object Work Physical Digital Spatio- Temporal Abstract Relationships

(30)

E-commerce creates the ability for each component creation to be individually discovered, identified, offered, acquired and for the resulting transaction to be accounted to source, although it does not mean anything new about the relationships in themselves.

This scalability has different implications. The creations can be used, adapted or combined in several ways with electronic tools in an environment which will be accessible in time to billions of users. For that reason, the issues of secure protection and billing are very important.

However, under the analysis being carried out within the communities identified above and by those who are developing technology and languages for rights-based e-commerce, it is becoming clear that “functional“ metadata is also a critical component. It is metadata (including identifiers) which defines a creation and its relationship to other creations and to the parties who created and variously own it; without a coherent metadata infrastructure e-commerce cannot properly flow. Securing the metadata network is every bit as important as securing the content, and there is little doubt which poses the greater problem [5].

2.1.3.2. IDENTIFYING AND DESCRIBING THE ENTITIES

Generically, we call Parties to people and companies, as shown in Figure 2.4.(a simpler form of the CIS term Interested Party). Names as identifiers are helpful for discovery but inadequate for secure identification and dangerous as a basis for automated e-commerce transactions because they are not unique, for this reason the parties require unique structured identifiers.

FIGURE 2.4. Parties model

Because parties may make creations and own rights of any kind, party metadata must be adaptable to all creation types [5].

We need to identify and describe all entities. Identification should be done via open and standard mechanisms for each entity in the model. Both the entities and the metadata records about the entities must be identifiable. Open standards such as Uniform Resource Identifiers (URI) and Digital Object Identifiers (DOI) (that we will study in section 3.2.2) and the emerging ISO International Standard Textual Work Code (ISTC) are typical schemes useful for Rights identification.

Parties

Corporate Agent

(31)

For describe each different type of Content, it should be used the most appropriate metadata standard (for example, the EDItEUR ONIX standard (ONIX) for books (physical and electronic) and the IMS Learning Resource Meta-data Information Model (IMS) for educational learning objects). Such metadata standards do not themselves try to include metadata elements in order to address rights management information, for this reason, it could be a problem how to describe such rights expressions. For example, the ONIX standard has elements for a number of rights holders (e.g., Authors and Publishers) and Territories for rights and single Price information. (The latter poses a problem in setting multiple prices depending on what rights are traded). In such cases, following the <indecs> model should take precedence.

To describe Users, vCard (VCARD) is the most well-known metadata standard for describing people and (to some extent) organizations. Rights model has to explain and fix the roles that Parties have with respect to Content [4].

At the present time, ownership and exploitation of rights in different creation-types is the norm. The majority of the enterprises in the different sectors do e-business with text, pictures, graphics, photographs, audiovisuals and sound recordings and, in general terms, there are no essential operational differences between them. So, the metadata framework has to cover all their requirements. It should also be considered that, in operational terms, there may be little or no difference between the digital transactions of different e-business enterprises.

2.1.3.3. EXPRESSING RIGHTS STATEMENTS

People that make Creations have to assign Rights in them to other people or companies through Agreements.

CIS defines a Right as the authority originating in law or by international convention for

a Party to do or to authorise another Party to do a defined act to a Creation [5].

An agreement is a written or unwritten accord between Parties which determines Rights

or entitlements in relation to Creations for a given Place and Time[5]. Figure 2.5. shows these

relationships, which models the fundamental entity relationships that form an integrated model. Agreements cover everything from a copyright act at one extreme to the terms of a single download transaction at the other.

(32)

FIGURE 2.5. Primary Entity Relationships: Integrated Data Model

A grant (or refusal) of rights can describe every transaction that involves creations, even where the rights are in the public domain. These transactions can be described in the same terms for physical packages, digital objects or abstract works, although the grant of rights have to go with different consequences for different structures.

The Rights entity allows transactions to be made about the allowable permissions, constraints, obligations, and any other rights-related information about Parties and Creations. By this way, the Rights entity is critical because it represents the expressiveness of the language that will be used to inform the rights metadata.

It is necessary to model rights expression and the relationships between them, because rights expressions can become complex quickly. Open Digital Rights Language (ODRL) (that we will study in 3.2.1. section) is a very good example of that [5].

As shown in Figure 2.6., Rights expressions should consist of:

Permissions/usages What you are allowed to do Constraints Restrictions on the permissions Obligations What you have to do/provide/accept Rights Holders Who is entitled to what

Rewards What you obtain

TABLE 2.2. Rights Expressions

PARTY RIGHT TIME CREATION PLACE AGREEMENT Relationship Component Component Relationship Contributor Party Creation Schedule Party Component Agreement

(33)

For example, a Rights expression may say that a particular video can by played (i.e., a usage permission) for a maximum of 10 times (i.e., a count constraint) in any semester (i.e., a time constraint) for a $10 fee (i.e., an obligation to pay). Each time the video is played, John, Mary, and Sue (the rights holders) receive a percentage of the fee. Usually, if a right is not explicit in an expression, it means that the right has not been granted. This is a critical assumption made by Rights languages and should be made clear to all Users.

For an example of a rights language, see the Open Digital Rights Language (ODRL). ODRL lists the many potential terms for permissions, constraints, and obligations as well as the rights holder agreements. As such terms may vary across sectors, rights languages should be modeled to allow the terms to be managed via a Data Dictionary and expressed via the language

[4].

FIGURE 2.6. Rights Expression Model

2.1.4. SOFTWARE APPLICATION ARCHITECTURE

From the technological point of view, we have to follow different steps to do a correct and safe transaction:

First step: once the assets have been created it is necessary to provide a flexible DRM technology strategy capable of meta-tag the assets and store them in databases and media asset management technologies.

Second step: the information, after the assets are metatagged, is encrypted to ensure the security of the content.

Third step: once we have obtained the permissions and authorizations that we need to, the content can be transmitted (a decrypted key unlocks protected content) and displayed in a secure and trusted environment via a client technology.

In order to determine the rights and policies for use the assets, as we have seen previosly, a set of rules have created in most of the commonly used DRM software applications for text, audio, video and software. The use of DRM software applications during the creation phase of

RIGHTS Rights Holders Rewards Obligations Constraints Usages Fixed Percentage Quantity … Devices Time Count Territory … Reuse Print Lend Play Pay Loyalty Points Tracking …

(34)

consumer can be assured that the content they receive was indeed sent by the appropriate party and in security conditions and that the consumer is authorized to receive the content.

FIGURE 2.7. Generic DRM Software Application Architecture

DRM architecture typically consists of the following components:

Æ Content Server: consisting of four blocks:

1. A content repository containing a metadata management environment to uniquely identify the digital assets. Some of the more efficient DRM software applications can integrate with asset management systems.

2. Product information, consisting of rights and product metadata.

3. A packager that encrypts the content with the appropriate mechanisms to unlock the content upon delivery to an end user.

4. A delivery mechanism that will be as DRM format independent as possible.

Æ License Server: consisting of three components: 1. An encrytion key repository.

2. A user identity database that collects the content.

3. A DRM license generator that binds the content and the encrytion key to the end user´s device and registers the user with the appropriate parties that make up the digital dstribution value chain.

Æ Client Software:

A piece of software that resides locally on an end user´s device that displays the encrypted content, communicating the appropriate rights and permissions to the end user and back to the license server. The number of communications back to the license server is determined by the contents rules at the time of packaging.

Copyrights Permissions Finance Marketing R & D Sales Management Card Processing Tax Calculation Transactions SSL AVS Settlement Territory Management ERP Commerce Content Server

Digital Asset Management System Content Workflow System (CMS)

Content Files Rights Packager Meta Data, Assets Busienss Rules DRM License Order Manager License IDs License Server Commerce Manager Account Manager License Creator Rendering Client License Decrypter License Manager Content Library DRM

(35)

DRM processes typically take place in the following order (see Figure 2.8): 1. The user obtains the content packages using various digital delivery services.

2. The user requests the content usage operation (e.g., view, play) within the client application.

3. Once the user abides by the appropiate registration (e.g., name, address, e-mail), payment and clearing methodologies (e.g., credit card, purchase order, taxes) for operation, the DRM license handler collects the user and content asset information and produces a license to decrypt the asset on the end user´s device. Depending upon the specific type of DRM software application used by the content creator, the license delivery process may happen simultaneously during the financial clearing part of the content delivery [2].

FIGURE 2.8. DRM processes between Server and User

SERVER USER

Content Package Content Usage Request

Operation (registration, payment, clearing) requests Validation Data

(36)

2.2. REQUIREMENTS

2.2.1. SUMMARY

In the previous section we have studied several architectures in order to define and give a framework to the DRM Solutions. Once we have the framework, we need to know the requirements to develop an effective DRM solution. For this purpose, in this section, we are going to study the following points:

• Digital Asset Management (DAM)

In order to complete a DRM solution it is necessary a good Digital Asset Management (DAM) System. In fact, DAM is a basis of effective Rights Management. This kind of systems give to the enterprises a competitive advantage: to stablish an asset repository that enables the association of essential rights and permissions information with specific assets.

Technically, a DAM System stores, indexes, categorizes, secures, searches, transforms, assembles and exports intellectual property.

• Trusted System

Once the DAM System has been chosen, it is necessary to guarantee that the transactions will be reliable by means of the identification of system participants, access restrictions, protection of digital content, etc. Trusted systems allow to solve these problems that are associated with digital content management.

• Expression Language

In order to standarize the expressions that are used in the information about intellectual property rights in digital transactions a general vocabulary is needed. The objective is to get automated rights transacions in an “universal language“ and, to do that, it is necessary a machine readable that permits to realize the conversion of original rights granted into usage permissions for digital transactions in an automatical and unique way.

• Protection

Up to now, we have a system that manages the intellectual property (DAM System), that guarantees secure digital transactions and a “common language“ that expresses the information about intellectual property rights.

Now, we need to protect and prepare the digital content and the transaction environment in order to avoid piracy and illegal exploitations. To do that, different technologies are used and we are going to study the following ones:

- Conditional Accesss Systems: in order to give access to the digital content only to suscribers.

- DRM Systems: in wich the client obtains the content in protected form and with a license that specifies the uses for it.

(37)

- Protection Technologies: methods for protection for the digital content to prevent piracy, to ensure integrity, to enforce the user the terms of license agreement, etc. We will study Cryptography (Conventional Cryptography, Public Key Cryptography, Digital Signature and Keys), Software Security Dongles, Watermarking (Digital Watermarking for Video and Digital Watermarking for Audio) and Fingerprinting. • Trading Architectures

To conclude, trading architecture helps enterprises to provide the users an environment to share data, applications and processes by means of internet-based technologies. We will study the principal components, the requirements and general architectures of a trading system.

2.2.2. DIGITAL ASSET MANAGEMENT

Any company that wishes to obtain a competitive advantage in business must to have the content rights on they own and, thanks to that, this company will obtain an efficience inventory of their assets. Precisely because of that, it is necessary a basis for effective Rights Management: Digital Asset Management (DAM) Solutions.

DAM software will stablish an asset repository that enables the association of essential rights and permissions information with specific assets at the very beginning of the DRM value chain. Due to the modular design of a DAM system (the best DAM solutions also have the capability to integrate with other DRM funcional applications), documented APIs and strong relationships with different partners, it is possible to ensure that consumers can use DAM to provide extended DRM functionality that grows with their business.

In order to complete a Digital Rights Management Solution, one of the most important steps is to choose a good Digital Asset Management system. By this way and thanks to DAM solutions, a lot of companies are building a strong foundation for a digital business strategy and, for this reason, are positioning themselves to take the competitive advantage [8].

Technically, Digital Asset Management stores, indexes, categorizes, secures, searches, transforms, assembles and exports content that has monetary or cultural value. Digital assets often include rich media such as video, audio and graphics, but this is not a requirement, the main characteristic of a digital asset is that it is an asset.

On the other hand, the fact that an asset is represented digitally presents numerous opportunities for revenue generation and operational efficiency; for this reason, a digital asset management platform gives preference to functionality and is quite different from other classes of software.

There are three essential elements that distinguish Enterprise Digital Asset Management solutions from other content management solutions:

1. All the system functions is the asset (security, search results, transactions, rights…), defined as specific combinations of content and data that have financial (monetary or cultural) value.

(38)

2. Each functional component of a Digital Asset Management solution including, but not limited to, store, indexing, cataloguing, navigation, transformation and export must offer thorough support for all types of media including streaming and still formats and for all traditional and e-delivery channels.

3. The architecture needs to be a basis component and an important value for the company, able to assure fulfillint the operations, scalable performance and distributed access throughout the extended organization.

In DAM systems it is very important the definition of an asset. There is general agreement that a digital asset is the asset's content plus metadata (or data about the content, as we have said before). Metadata can include information about format type, rights and permissions, usage history, etc. This kind of information is typically well suited to be stored in fields, e.g. as simple data elements [9].

When we have another type of related information, it is better to model it as relationships between assets. For this reason, it exits a complementary technology to DAM systems: link engines. This technology supplements classic metadata fields and can capture the relationships between assets and any other type of relationship that can occur between complex and compound digital assets.

Another widely used approach for providing context (and therefore additional value) to digital assets is the technique of categorization. Organizing digital assets into hierarchies (or webs) or related categories serves as a powerful organizing principle, simplifies navigation and provides a great advantage in relation to other search techniques.

The following figure illustrates the logical model for a Digital Asset: the definition and management of content, metadata (information about the content), and every other related information and behaviour is organized around the asset [9].

FIGURE 2.9. Logical Model of a Digital Asset

Links ASSET Sets Vocabulary Object Location Rights & Permissions Fielded Model (Metadata)

(39)

This logical model of a Digital Asset is an extended metadata approach, that can be used to track physical assets as well, that adds to the three mainly facets of fielded metadata, links and categories (vocabulary), additional information about rights and permissions, aggregations of assets (membership in sets) and mapping to the physical location of a digital asset.

Nowadays, every enterprise has the need to support all types of media content. From the technical point of view, it becomes clear that the way one stores, indexes, previews, navigates, transforms, secures and transports digital assets is highly dependent on the type of media that the digital assets are composed of. The behaviours that correspond to DAM functionality are radically different and demand distinct technological solutions.

When an Enterprise demands a DAM solution to another will not only looks for a system that supports a broad array of media types, the Enterprise looks for a solution based upon a modular architecture that will permit incremental extensions to accommodate new media types and increasingly sophisticated behaviours. Use cases, logical workflows, functional requirements and appropiate code are completely distinct as one considers different media types.

In conclusion, Digital Asset Management has clearly emerged as a critical component of IT infrastructure and has left behind its early niche as specialized software for effective Rights Management. The Internet revolution and the convergence of digital media has catapulted Digital Asset Management across the enterprise and into e-business industries [9].

2.2.3. TRUSTED SYSTEMS

The “Trusted systems“ notion was based on concepts of Trust Management, that has appeared as a new philosophy of encryption, analysis and trusted solutions management in computer systems. With the appearance of World Wide Web this concept was advanced and extended for using in terms of opened decentralizing systems that consist of the multiple administrative domens.

Before to trust whomever from system participants (trustee) to execute some action on some object, there are a basic principles of trust management to follow:

• to be exactly aware of privilege of this participant (trustee), • to entrust himself in the event of the external request and • to be careful before and after performing this operations.

In the process of creation trusted systems these principles are realized by performing the following requirements:

• Identification of system participants;

• Connecting of access restrictions with each system element;

• Assuming the authorized solutions in accordance with some rules. For this purpose both software and single-purpose hardware devices can be used.

In order to realize these requirements, it is necessary to ensure a flexibility level and protection of trusted systems in terms of open network environment. Due to this, in the second

(40)

intellectual property were started. As a result of these researches up to year 2000 a point of view was formed, in accordance with which digital rights management systems are to be considered and created as trusted systems.

Trusted systems allow to solve some key problems associated with digital content management:

• trusted systems allow publishers to put a set of rights in correspondence of specific digital work, according to which user shall use this work;

• trusted systems enforce user to meet the conditions and requirements of license agreement between publisher and user of digital content;

• trusted systems ensure integrity and protection of digital documents during the transactions across open networks;

• trusted systems can get information from other trusted systems and define inauthentic or wrong given data;

• trusted systems ensure confidentiality of user information.

As we are studying, concept of rights is a key in digital intellectual property management systems. It includes both copyrights associated with digital work, and rights of publishers, as well as usage rights that can be obtained by user. As shown before, there are several types of rights, for each type of right can be determined a charge, which user of content should pay for its realization. Besides, for each type of right are to be determined term of access that define who from users can realize this right [10].

To ensure a relationship between digital documents and rights, different companies and consortiums have designed and developed several special interpreted description language of the digital rights, as we will see in Expression Language (section 2.2.4.).

When a buyer acquire a digital work, through a right management system, enters into a digital contract with the publisher, assuming the obligations to execute the rights associated with it.That contract also defines ways of possible using of digital product. Another characteristic of trusted systems is the presence of mechanisms that enfore the buyer to meet the terms of digital contract. Once the server and the user are connected, with the necessary permissions on the part of the user, the transaction can carry out by two ways:

• by development of solutions based on software only

• by means of shared use of special hardware devices and software.

Nowadays companies are using the first way, developing technological solutions for digital rights management and sale of electronic content. However the use of only software solutions does not ensure required protection of digital work and protection of rights of owners. As a result, the number of hacker attacks on protected electronic publications has increased.

The second way can be realized by using the trusted peripherals for rendering, print or copying of the digital documents.

The trusted systems work, as we have shown, in digital content management and the conexion with it rights. This work allows to organize a protected, secure and safe transfer of digital work between the author and publisher to the seller and buyer.

(41)

The following main stages describe the general sequence of procedure on proccesing and transferring of digital product in a digital rights management system:

1. Author creates a product and will transfer it to a publisher in digital form.

2. Publisher assigns a product determined rights, creates conditions its using, defines a cost and right of access to the contents of product. All these requirements represent itself a contents of license, nonbreak connected with the product and presented in language XrML

3. Publisher realizes product protection and connected with it licenses by means of encryption of the content.

4. Distributor or retail seller gets a protected product and connected with it license, defines a price of sale depending on accepted business models and target market.

5. Buyer gets a digital product and connected with it license. Payment is realized automatically on the base of license agreement.

6. Clearing companies realize receiving payment and registration of user, buying exactly this copy of product. In case of transferring the product to another user they realize a registration of a deal.

7. Trusted devices and corresponding software ensure a control for using of obtained product by the user in accordance with terms of license.

Different ways are used by the developers of digital rights management systems to implement this stages, depending on the technologies that they have used for [10].

2.2.4. EXPRESSION LANGUAGE

As we discuss before, it is necessary a general vocabulary in order to standardize the expressions that are used in the information about intellectual property rights in the “digital“ communication between end users, and this language must be used in “two directions“:

• “downstream rights“: usage permissions expressed by producers and publishers during the transference and value chain.

• “upstream rights“: to define and manage the rights of creators and the relationships with producers and publishers on the part of the parties, parties that also believe that this point is a prerequisite for managing the downstream rights and permissions.

In order to get the management of both directions, downstream and upstream rights, it is necessary develop a consistent, ordered and machine-readable language for describing the rights in intellectual property from the beginning. By this way, permissions for such actions as print, copy, play, etc., can be implemented across the networked environment easier and in a common way. It is also necessary for two more reasons:

• The rights granted by creators through contracts must be expressed in a machine-readable language to avoid limit the downstream permissions granted to users through Digital Rights Management (DRM) processes. That is because the conversion of original paper-based expressions is done into local and probably proprietary machine readable languages.

(42)

• The development of a standard language avoids that DRM system have to interpret contractual expressions from different fonts describing the same types of rights in different terms. The lack of a standard language, in that case, would cause contractual chaos.

The objective is to get automated rigths transactions and, to do that, it is necessary a machine-readable that permits to realize the conversion of original rights granted into usage permissions for digital transactions in an automatical and unique way. Technological development and media convergence permit that rights management solutions can include IP industries as a whole, as an example, the object-based MPEG-4 standard that allows for the packaging of “digital objects“ the use of various types from many different sources, which suggests that an integrated approach is required.

For this reasons, a number of attempts have been developed in order to find a solution to create an understanding of the “right continuum“ that moves all interested parties to the same direction: a right management standardisation effort. The <indecs> project provided an underlying analysis of the generic requirements for rights management metadata (for further information see section 2.4. The <indecs> project).

Recent developments within MPEG, and also within Open e-Book Forum (OeBF), indicate that the need to solve the upstream rights issues is now more widely appreciated. One way to address these issues has been articulated within MPEG-21; this calls for the creation of an extensible dictionary and language for the expression of semantic sets of rights definitions (Note that MPEG’s sees a Rights Data Dictionary as a dictionary of key terms which are required to describe rights of all Users, including intellectual property rights, that can be unambiguously defined using a standard syntactic convention, and which can be applied across

all domains in which rights need to be expressed. A Rights Expression Language is seen as a

machine-readable language that can express rights and permissions using the terms as defined

in the Rights Data Dictionary)[11].

In addition to this, the public is growing increasingly concerned with issues of privacy and the use and abuse of personal information. The rights of the full spectrum of all parties involved in the exchange or transfer of digital content, including end users, creators, publishers, producers, aggregators and distributors, must be organized in order to satisfy all the requirements of the parts involved.

2.2.5. PROTECTION

Once the content owners organize their assets and associate them with vital information, including rights and permissions, thanks to Digital Asset Management solutions, the next step is to make the most of this capability (content organized and accessible) to obtain as increased revenue as possible. In order to do that is necessary to know what content is available and what rights one has to exploit it.

It is necessary to take into account Digital Rights Management in order to protect intellectual property. Customers are concerned about the importance of security in digital world, so, they want to be sure that they will be able to enforce copyrights and protect their creations before they introduce their intellectual property into digital markets.

(43)

Digital Rights Management is a concept that embraces many things to many people: rights informantion storage, contract and royalties management, watermarking, encryption, fingerprinting, enforcement or even the facilitation of the content transaction.

The Digital Rights Management spectrum is based on four basic capabilities that are: • Digital Asset Management:

the ability to digitally index and store rich media assets (pieces of content), associating specific rights and permissions information with individual assets (as shown in 2.2.2. section: Digital Asset Management).

• Contracts Management:

the digital creation (or translation) of contractual information (rights, royalties, licensing, etc.) and the use of this information to manage the movement of an asset (either digital or physical) and the revenues it generates.

• Asset Protection:

It embraces technologies that can limit the user’s access to the content of a digital file so as to establish value for the owner of that content. These technologies include conditional access systems, encryption/decryption, watermarking and fingerprinting (see 2.2.5.4. section: Protection Technologies).

• Financial Clearing:

managing the financial aspects of a digital commercial transaction, from obtaining and approving the buyer’s payment information to getting these revenues to the seller and rights holders.

To conclude, any company can digitize their rights management processes, the decision depends on different issues, for example :

• how far the company has evolved within the rights management spectrum, • how much security will be required,

• the impact this security will have on market penetration, • the impact that this security will have on the user experience, • how much its content is valued in the marketplace,

• revenue expectations for content distribution,

• the expected business model that will adapt to the content distribution and • the way that users expect to access the content [8].

(44)

2.2.5.1. CONDITIONAL ACCESS SYSTEMS

A conditional-access system is a simple form of rights-management system in which subscribers are given access to objects based (typically) on a service contract. Digital rights management systems often perform the same function, but typically impose restrictions on the use of objects after unlocking [12].

Conditional access (CA) systems such as cable, satellite TV, and satellite radio offer little or no protection against objects being introduced into the collection of networks and technologies used to share digital content from subscribing hosts. A conditional-access system customer needs some determitate permissions or licenses in order to access to channels or titles, and has essentially free use of channels that he has subscribed or paid for. Some CA systems provide post-unlock protections but they are generally cheap and easy to defeat.

As a result, this kind of systems provide a widely used, high-bandwidth source of video material for the networks but, due to the large size and low cost of CA-provided video content, will limit the exploitation of the networks for distributing video.

However, the use of the network to distribute conditional-access system broadcast keys is not in the same case: each head-end (satellite or cable TV head-end) uses an encryption key that must be made available to each customer (it is a broadcast), and in the case of a satellite system this could be millions of homes. CA-system providers take precautions to avoid limit the utility of exploited session keys (for example, they are changed every few seconds), but if the latencies of the technologies used to share the digital content are low or if encrypted broadcast data is circumvent, then CA-system revenues could be in danger.

The exposure of the conditional access provider to losses due to piracy is proportional to the number of customers that share a session key. For this reason , cable-operators are in a safer position than satellite operators because a cable operator can narrowcast more cheaply [12].

2.2.5.2. DRM SYSTEMS

A classical-DRM system is one in which a client obtains content in protected (typically encrypted) form, with a license that specifies the uses to which the content may be put. Examples of licensing terms that are being explored by the industry are “play on these three hosts,” “play

once,” “use computer program for one hour,” etc [12].

The DRM system has the responsibility of ensure some points:

¾ The client cannot remove the encryption from the file and send it to somebody,

¾ The client cannot copy its DRM system to make it run on another host,

¾ The client has to obey the rules present in the DRM license, and,

(45)

Advanced DRM systems may go further (see section 2.2.3.: Trusted Systems).

Some such technologies have been commercially very successful. For example, we can include in this category the following technologies:

the content encrytion system used in DVDs,

the protection schemes used by conditional access system providers (as shown in 2.2.4.1. section) and

newer DRM system that use internet as a distribution channel and computers as rendering devices.

These technologies promote the establishment of new businesses, reduce distribution costs and get success for the vendors if costs and licensing terms are in an attractive and correct way for the producers and the consumers. On the other hand, if the lisensing terms are inconvenient or incorrect, the cost are too high or competing systems exist, then the business will fail.

Nowadays, current DRM systems on personal computers are based on software systems using several ways to make them hard to piracy actions. DRM enable consumer electronics are also beginning to emerge.

DRM systems try to be BOBE (break-once, break everywhere)-resistant. That is, suppliers anticipate that individual instances (clients) of all security-systems, whether based on hardware or software, will be attack by hackers . If a client of a system is attack, then all content protected by that DRM client can be unprotected. There are to possibilities:

if the break can be applied to any other DRM client of that class so that all of those users can

break their systems, then the DRM-scheme is BOBE-weak.

If, on the other hand, knowledge gained breaking one client cannot be applied elsewhere, then

the DRM system is BOBE-strong [12].

The development of technologies and the widely extend use of digital environment grow so fast. For that reason, a final characteristic of existing DRM systems is renewability, in order to be easily adapted to this changes.

2.2.5.3. SOFTWARE

The DRM-systems that we have described above can be used to provide protection for software, in addition to other objects (e.g. audio and video). Alternatively, copy protection systems for computer programs may included the copy protection code in the software itself.

The most important copy-protection primitive for computer programs is for the software to be bound to a host in such a way that the program will not work on an unlicensed machine. Binding requires a machine ID: this can be a unique number on a machine (e.g. a network card

(46)

In order to get that, two requirements are necessary:

• the machine ID must not be “virtualizable.” For instance, if it is trivial to modify a NIC driver to return an invalid MAC address, then the software-host binding is easily broken and • the code that performs the binding checks must not be easy to patch.

Binding software to a host is a more solvable problem than protecting passive content. This is because while the first option only requires tamper resistance, the second one also requires the ability to hide and manage secrets. Software is as much subject to the dynamics of the network and technologies used to share digital content as passive content [12].

2.2.5.4. PROTECTION TECHNOLOGIES

Existing legislation ensures a protection of copyrights and responsibility for their infringement, but that is insufficiently for ensuring efficient protection of digital intellectual property.

Nowadays, thanks to different software and hardware technologies, it is relatively easy and with small expenses to produce a copying and circulating of the original author's product (programs, computer games, digital audio- and video files, computer graphics, electronic books). For these reasons and negligence to the law exactly pirate copies are circulating with high frecuence. The legislative measures to ensure copyright protection are obviously insufficiently, so authors, developers and publishers should know about methods of protection of their own works and products.

The choice and the application of methods of protection should be considered on initial stage of development and making the programs or digital works. Usually methods of protection are used for the following reasons:

to prevent a pirate copying and circulating the programs and digital works;

to ensure integrity of programs and digital works, i.e. to prevent the unauthorized change;

to ensure that the user obeys the terms of license agreement.

For software and database protection are usually used the following technologies:

cryptography of data and authentication of users;

software security

Digital Rights Management