Abstract
There is a need to protect digital information content and the associated usage rights from unauthorized access, use, and dissemination. The protection mechanisms should meet the requirements for the correct management of fine-grained access and usage controls and the protection of user privacy. Digital rights management (DRM) solutions have significant relevance in this context. This paper describes a distributed DRM model for a secure information-distribution system consisting of six trust-building blocks. These are (i) the user application, (ii) the authentication and authorization module, (iii) Rights-Carrying and Self-Enforcing Objects (SEOs), (iv) the privacy enforcement module, (v) theUsage Tracking and Monitoring Proxy (UTMP), and (vi) thesecurity infrastructure. SEOs are information objects that carry access and usage rights and are responsible for the fine-grained enforcement of these rights. The security infrastructure plays a pivotal role in the creation, distribution, storage, manipulation, and communication of information objects across organizational boundaries with the required level of security. Our model was originally developed for an Internet-based learning project in Norwegian schools and meets most of the aforementioned requirements.
Similar content being viewed by others
References
Stefik M (1997) Trusted systems. Special report. http://www.sciam.com/0397issue/0397stefik.html
Liebert T (2000) Should we trust “Trusted Systems?”. 15 February 2000. http://www.llrx.com/features/trust.htm
LAVA Learning project page (2003). http://www.nr.no/lava/lava-le/
Diesen D, Oskal A (2001) Using object-oriented information distribution to present and protect information. In: SSGRR 2001, L’Aquila, 6–12 August 2001
Foyn B, Maus E (2002) Designing tools and contents for project-based learning with Net-based curriculum. In: ED-Media, World conference on Educational Multimedia, Hypermedia and Telecommunications 24–29 June 2002 Denver, CO
IMPRIMATUR Project (2002). Available at: http://www.imprimatur.net/ and http://www.imprimatur.net/IMP_FTP/cmi1.pdf
XrML – eXtensible rights Markup Language (2004). http://www.xrml.org/
Iannella R (2001) Digital rights management (DRM) architectures. D-Lib Mag 7(6). http:// www.dlib.org/dlib/june01/iannella/06iannella.html
Feigenbaum J, Freedman MJ, Sander T, Shostack A (2001) Privacy engineering for digital rights management systems. http://www.pdos.lcs.mit.edu/∼mfreed/docs/privacy-engineering.pdf
Arms C, Klavans J, Waters DJ (1999) Enabling access in digital libraries: a report on a workshop on access management. http://www.clir.org/pubs/reports/arms-79/pub79.pdf
Rosenblatt B, Trippe B, Mooney S (2002) Digital rights management: business and technology. M&T Books, New York
Abie H, Spilling P, Foyn B (2003) Authentication and authorization for digital rights management for information distribution systems. In: Proc. IASTED international conference on communication, network and information security (CNIS2003), New York, 10–12 December 2003, pp 256–263
(2000) ITU-T Recommendation X.509 “Information technology – open systems interconnection – the directory: public-key and attribute certificate frameworks”
López J., Maña A, Pimentel E, Troya JM, Yagüe MI (2003) Integrating PMI services in CORBA applications. Comput Standards Interfaces 25(4):391–409
López J, Maña A, Pimentel E, Troya JM, Yagüe MI (2002) Access control infrastructure for digital objects. In: Proc. ICICS. Lecture notes in computer science, vol 2513/2002. Springer, Berlin Heidelberg New York, pp 399–410
Karjoth G, Schunter M (2002) A privacy policy model for enterprises. In: Proc. 15th IEEE computer security foundations workshop (CSFW02), 24–26 June 2002, pp 271–281
Buhse W (2001) Implications of digital rights management for online music – a business perspective. Dept. of General and Industrial Management, Technical University of Munich, Germany. http://www.star-lab.com/sander/spdrm/papers/buhse.pdf
Lynch C (1998) A white paper on authentication and access management issues in cross-organizational use of networked information resources. Coalition for Networked Information, 14 April 1998
Netscape (1996) SSL3.0 Specification. http://www.netscape.com/eng/ssl3/
Rescorla E (2001) SSL and TLS: designing and building secure systems. Addison-Wesley, Reading, MA
Lashley B, Tarski A (2002) SSL. http://www.cs.umu.se/∼tdv94ati/ssl/ssl.html
Bravo A (2003) Secure servers with SSL in the World Wide Web. SANS Institute, GIAC Repository. http://www.giac.org/practical/GSEC/Alex_Bravo_GSEC.pdf
Sun Microsystems (2001) Java Secure Socket Extension (JSSE) Reference guide for Java 2 SDK. http://java.sun.com/j2se/1.4/docs/guide/security/jsse/JSSERefGuide.html
Oaks S (2001) Java security: writing and deploying secure applications, 2nd edn. O’Reilly, Sebastopol, CA
IETF TLS 1.0 (2002) http://www.ietf.org/internet-drafts/draft-ietf-tls-rfc2246-bis-01.txt
IAIK TUG (2002) isasilk 3 and rmi notes. http://jcewww.iaik.tu-graz.ac.at/products/isasilk/documentation/rmi/index.php
Globus Alliance (2004) The Grid Security Infrastructure (GSI). http://www.globus.org/security/
SOCKS V5 (2003) http://www.socks.nec.com/
SUN (2001) http://java.sun.com/products/jdk/1.2/docs/guide/rmi/faq.html
Fisher D (2002) SSL chip handles 10,000 TPS. 8 February 2002. http://www.eweek.com/article/0,3658,s%253D701%2526a%253D22527,00.asp
Abie H (2000) An overview of firewall technologies. Telektronikk 96(3-2000):47–52. ISSN 0085-7130
OMG (1998) Joint revised submission, CORBA/Firewall Security+Errata, 6 July 1998. ftp://ftp.omg.org/pub/docs/orbos/98-07-03.pdf
Abie H (2000) CORBA firewall security: increasing the security of CORBA applications. Telektronikk 96(3-2000):53–64. ISSN 0085-7130
RMI Proxy (2001) http://www.rmiproxy.com/
Kahn R, Wilensky R (1995) A framework for distributed digital object services. Technical report, Corporation for National Research Initiatives (CNRI). http://www.cnri.reston.va.us/k-w.html
Payette S, Lagoze C (1998) Flexible and extensible digital object and repository architecture. In: Proc. 2nd European conference on research and advanced technology for digital libraries, Heraklion, Greece, 21–23 September 1998. Lecture notes in computer science, vol 1513. Springer, Berlin Heidelberg New York. http://www.cs.cornell.edu/payette/papers/ECDL98/FEDORA.html
Röscheisen M (1997) FIRM: A network-centric design for relationship-based rights management. Computer Science Department, Stanford University, Stanford, CA
INDECS (2003) Interoperability of data in e-commerce systems. http://www.indecs.org/
Sibert O, Bernstein D, Van Wie D (1995) The DigiBox: a self-protecting container for information commerce. In: Proc. 1st USENIX workshop on electronic commerce. http://citeseer.nj.nec.com/sibert95digibox.html
Kaplan MA (1996) IBM Cryptolopes. SuperDistribution and digital rights management. http://www.research.ibm.com/people/k/kaplan/cryptolope-docs/crypap.html
DOI (2003) The Digital Object Identifier System. http://www.doi.org/
Corporation for National Research Initiatives (2003) Handle System http://www.handle.net/
Open Digital Rights Language (2003) http://odrl.net/
EBX (Electronic Book eXchange) (2004) http://www.ebxwg.org/
OEBF (Open eBook Forum) (2004) http://www.openebook.org/
Soundwrap (Virtual Shrink-wrap for Music Distribution) (2003) http://www.soundwrap.com
Liquid Audio (2004) http://www.liquidaudio.com/
IBM (2003) EMMS (Electronic Media Management System). http://www-3.ibm.com/software/data/emms/
Microsoft (2003) WMRM (Windows Media Rights Manager) – Windows Media Technologies. http://www.microsoft.com/windows/windowsmedia/drm.asp
Europa (2003) CEN/ISSS DRM Report, 30 September 2003. http://europa.eu.int/comm/enterprise/ict/policy/doc/drm.pdf
Open Mobile Alliance (2003) http://www.openmobilealliance.org/
EU Commission (2002) Staff working paper: digital rights, background, systems, assessment. SEC (2002) 197, Brussels 14/02–2002
Thomas RK, Sandhu RS (1994) Conceptual foundations for a model of task-based authorizations. In: Proc. 7th computer security foundation workshop (CSFW94), June 1994. IEEE Press, Los Alamitos, CA, pp 66–79
Jajodia S, Samarati P, Subrahmanian VS, Bertino E (1997) A unified framework for enforcing multiple access control policies. In: Proc. ACM SIGMOD international conference on management of data, May 1997, pp 474–485
Woo TYC, Lam SS (1993) A framework for distributed authorization. In: 1st ACM Conference on computer and communication security, November 1993
Policy Research Group (2003) Ponder: a policy language for distributed systems management. Distributed Software Engineering Group, Imperial College, London, UK. http://www-dse.doc.ic.ac.uk/Research/policies/ponder.shtml
Pearlman L, Welch V, Foster I, Kesselman C, Tuecke S (2002) A community authorization service for group collaboration. In: Proc. IEEE 3rd international workshop on policies for distributed systems and networks
Thompson M, Johnston W, Mudumbai S, Hoo G, Jackson K, Assiari A (1999) Certificate-based access control for widely distributed resources. In: Proc. 8th Usenix security symposium, 23–26 August 1999
Chadwick DW (2002) An X.509 role-based privilege management infrastructure. Business Briefing, Global Infosecurity, www.permis.org
Park J, Sandhu R (2002) Towards usage control models: beyond traditional access control. In: Proc. 7th ACM symposium on access control models and technologies
Abie H, Spilling P, Foyn B (2004) Rights-carrying and self-enforcing information objects for information distribution systems. In: Proc. 6th international conferences on information and communications security (ICICS’04), Malaga, Spain, 27–29 October 2004
Kocher P, Jaffe J, Jun B, Laren C, Lawson N (2003) Self-protecting digital content: a technical report from the CRI Content Security Research Initiative. www.cryptography.com/resources/whitepapers/SelfProtectingContent.pdf
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Abie, H., Spilling, P. & Foyn, B. A distributed digital rights management model for secure information-distribution systems. IJIS 3, 113–128 (2004). https://doi.org/10.1007/s10207-004-0058-4
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10207-004-0058-4