
A distributed digital rights management model for secure information-distribution systems

  • Regular contribution
International Journal of Information Security

Abstract

There is a need to protect digital information content and the associated usage rights from unauthorized access, use, and dissemination. The protection mechanisms should meet the requirements for the correct management of fine-grained access and usage controls and the protection of user privacy. Digital rights management (DRM) solutions have significant relevance in this context. This paper describes a distributed DRM model for a secure information-distribution system consisting of six trust-building blocks. These are (i) the user application, (ii) the authentication and authorization module, (iii) Rights-Carrying and Self-Enforcing Objects (SEOs), (iv) the privacy enforcement module, (v) the Usage Tracking and Monitoring Proxy (UTMP), and (vi) the security infrastructure. SEOs are information objects that carry access and usage rights and are responsible for the fine-grained enforcement of these rights. The security infrastructure plays a pivotal role in the creation, distribution, storage, manipulation, and communication of information objects across organizational boundaries with the required level of security. Our model was originally developed for an Internet-based learning project in Norwegian schools and meets most of the aforementioned requirements.

Author information

Corresponding author

Correspondence to Habtamu Abie.

About this article

Cite this article

Abie, H., Spilling, P. & Foyn, B. A distributed digital rights management model for secure information-distribution systems. IJIS 3, 113–128 (2004). https://doi.org/10.1007/s10207-004-0058-4

  • DOI: https://doi.org/10.1007/s10207-004-0058-4
