Rights management in architectures for distributed multimedia content applications

Jaime Delgado (1), Víctor Torres (2), Silvia Llorente (1), Eva Rodríguez (1)

(1) Universitat Politècnica de Catalunya, (2) Universitat Pompeu Fabra

Abstract

There are several initiatives working on the definition and implementation of distributed architectures that enable the development of distributed multimedia applications on top of them, while offering Digital Rights Management (DRM) features. In this paper, the main features of MPEG Extensible Middleware (MXM) [1], the Advanced IPTV terminal (AIT) [2] and the DMAG [3] Multimedia Information Protection and Management System (MIPAMS) [4] are presented, highlighting the common ground and differences between MIPAMS and the standards. A set of usage scenarios is proposed to show how MIPAMS enables the development of applications on top of it that deal with the needs of content creators, distributors and consumers according to different business models.

1. Introduction

Amongst distributed multimedia applications and Digital Rights Management (DRM) architectures that deal with multimedia content, there are three initiatives, all related to standards at different levels, which should be taken into consideration. On the one hand, the MPEG Extensible Middleware (MXM) [1] and the Advanced IPTV terminal (AIT) [2] are the main initiatives from standardization bodies. On the other hand, the DMAG [3] Multimedia Information Protection and Management System (MIPAMS) [4] is a relevant standards-based architecture implemented as the basis for developing further applications. MIPAMS is not the only architecture providing DRM features (refer to [5] for a survey), but we will focus on it in relation to the mentioned MPEG standards. We first concentrate on describing MIPAMS and how its services can be used in different usage scenarios that correspond to different existing business models, for which some real development examples and projects are presented. Then, we highlight their common ground and differences in some specific aspects and justify why some features in MIPAMS differ from MXM or AIT.


2. The DMAG's MIPAMS Architecture

The DMAG's MIPAMS (Multimedia Information Protection and Management System) is a service-oriented DRM platform developed by the DMAG (Distributed Multimedia Applications Group) [3]. The MIPAMS architecture is based on the flexible web services approach and consists of several modules and services, each of which provides a subset of the whole system functionality needed for governing and protecting multimedia content. One of the advantages of having service-oriented DRM functionality lies in the possibility of decoupling it into different subsystems depending on the needs of the application that is going to be implemented, while being able to share the same common services between different applications with different requirements, thus reducing costs. MIPAMS encompasses an important part of the content value chain, from content creation and distribution to its consumption by final users.

[Fig. 1 (image not reproduced): the DMAG-MIPAMS architecture. Components shown: Authentication Service, Content Service, Protection Service, Authorisation Service, Object Registration Service, License Service, Reporting Service, Search Service, Certification Authority, User Application, User and Intermediary. Interactions shown: user authentication, registration and management; certification and public key retrieval for token verification; resource upload, download and encryption; key generation, registration and retrieval; object registration and certification; offer publication and management, license acquisition; authorisation and key retrieval; reporting; object, license, report and offer search and retrieval.]

Fig. 1 DMAG-MIPAMS architecture.

Figure 1 depicts the MIPAMS architecture, for which we provide a general overview of its components and the different services being offered.

The Content Service (CS) enables applications to upload and download digital resources such as audio or video files, text documents, etc. Those resources can optionally be encrypted on request, according to the available encryption mechanisms it provides. If encryption is selected, the protection keys are first requested from the Protection Service and then, once encryption is performed, registered through the same service. Content upload requires content to be uniquely identified. Since MIPAMS deals with single-resource objects, the identifier associated with content is the same one used for the object that contains it, and must be passed as an input argument. This identifier can be requested from the Object Registration Service prior to the content upload or obtained from an external application using MIPAMS (it depends on the scenario).

The Object Registration Service (ORS) enables applications to request that a digital representation of content and metadata (i.e. a digital object) be generated and registered in the system. Content and metadata are packaged together following the MPEG-21 Digital Item [6] approach. Once registered, objects are digitally signed by the ORS so that they can be checked for authenticity and integrity. The ORS also provides unique identifiers for those applications that need to upload content to the CS, as already explained.

The License Service (LS) deals with rights offers and the issuance of licenses. Rights offers are set up by content creators or rights holders after registering content. They include the rights being offered for acquisition by other users and the conditions applicable to those rights. License issuance refers to the process by which a license is generated as the result of a rights purchase or acquisition, or because a rights holder directly grants some user a set of rights. Licenses are expressed using the MPEG-21 Rights Expression Language [7].

The Authorization Service (AS) checks whether a user owns an appropriate license that grants the right to perform a requested action (e.g., play) over a digital object. The authorization is based on the mechanism defined in [7]. The AS shares access to the license repository with the LS. If the user is allowed to perform the action and the requested content is encrypted, the AS retrieves the encryption keys from the Protection Service and returns them to the requesting application. This is the only means of accessing encryption keys, and it is performed as an atomic operation.

The Protection Service (PS) generates encryption keys upon request, registers encryption keys associated with uniquely identified content and provides the encryption keys for protected content to the AS. When the MPEG-21 Intellectual Property Management and Protection [8] scheme and descriptors are used, the PS also offers those applications that may be out of date the possibility of downloading the protection tools being used.

The User Application (UA) is the player, editing tool, browser or any other means managed by the user to deal with the DRM functionality, such as registering and accessing protected content. The UA may have an internal trusted module or intermediary to enforce DRM, which consists of a secure local repository for licenses, protection information, offline operation reports and other critical data. In those cases, it may be responsible for estimating tool fingerprints, requesting offline authorizations, unprotecting content, tracking offline operations and managing content protection information.


The Intermediary may be an integral part of the UA or otherwise be located on the server side (e.g. web portal, brokerage service) to reduce the UA complexity. It can be seen as a broker from which the UA requests different operations to be performed, such as object registration, content upload, rights offer management, license acquisition, authorization, etc.

The Search Service (SS) enables applications to perform accurate searches amongst the metadata in the MIPAMS system. That is, it is the front-end for requesting any information present in the MIPAMS services' databases. Thus, it can be used for searching content, licenses, offers or reports, or a combination of them.

The Reporting Service (RS) collects usage reports regarding the registration of objects, the issuance of licenses and the authorizations being performed. It is also capable of building standards-based representations of those reports, such as MPEG-21 Event Reports [9]. Those reports may be used for computing statistics as well as for billing or tracking purposes.

The Authentication Service (ATS) is needed to authenticate the identity of users. It generates SAML (Security Assertion Markup Language [10])-based tokens that identify MIPAMS users. Any service in the MIPAMS architecture requires a token argument to be provided in order to authenticate users. Tokens are digitally signed by the ATS, so that they can be checked for authenticity and integrity by the receiving service. Moreover, the ATS deals with user registration and management (i.e. personal data modification, user account deactivation, etc.).

Finally, there is a need for a recognized Certification Authority (CA), which issues credentials for the different components and actors in the system, such as X.509 certificates and private keys for the different architectural components.
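The flow just described (a CS upload that obtains its key from the PS and registers it there once encryption is done, ATS-signed tokens demanded by every service, and an AS that releases a content key only together with a positive license check while recording each result for the RS) can be modelled compactly. The Python sketch below is an added example, not MIPAMS code: HMAC-SHA256 stands in for the ATS's asymmetric token signature so that it runs with the standard library only, the license check is a plain rights-and-validity match rather than the MPEG-21 REL authorization of [7], the ORS is represented by a made-up identifier, and all user names and values are constructed.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed model of the MIPAMS token/license/key flow (not project code).
# HMAC-SHA256 stands in for the ATS's asymmetric signature: an assumption that
# keeps the example standard-library only.


class AuthenticationService:
    """ATS: issues the signed token that every other service requires."""
    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key

    def _sign(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, user_id: str, now: int, ttl: int = 3600) -> str:
        body = json.dumps({"sub": user_id, "exp": now + ttl}, sort_keys=True)
        return body + "." + self._sign(body)

    def verify_token(self, token: str, now: int) -> Optional[str]:
        """Return the user id if signature and expiry check out, else None."""
        body, _, sig = token.rpartition(".")
        if not hmac.compare_digest(sig, self._sign(body)):
            return None
        claims = json.loads(body)
        return claims["sub"] if now <= claims["exp"] else None


class ProtectionService:
    """PS: generates and registers content keys; only the AS may retrieve them."""
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
    def generate_key(self) -> bytes:
        return secrets.token_bytes(16)
    def register_key(self, object_id: str, key: bytes) -> None:
        self._keys[object_id] = key
    def retrieve_key(self, object_id: str) -> Optional[bytes]:
        return self._keys.get(object_id)


@dataclass(frozen=True)
class License:
    user_id: str
    object_id: str
    rights: frozenset
    not_after: int  # validity condition (seconds since epoch)


@dataclass
class AuthorizationResult:
    authorized: bool
    reason: str
    key: Optional[bytes] = None  # released only together with a positive result


class AuthorizationService:
    """AS: token check, license check and key retrieval as one operation.
    `licenses` is the repository shared with the LS; `reports` stands in for
    the RS, which records every authorization, positive or negative."""
    def __init__(self, ats: AuthenticationService, ps: ProtectionService) -> None:
        self.ats, self.ps = ats, ps
        self.licenses: List[License] = []
        self.reports: List[dict] = []

    def issue_license(self, user: str, obj: str, rights: Iterable[str], not_after: int) -> None:
        self.licenses.append(License(user, obj, frozenset(rights), not_after))  # LS role

    def authorize(self, token: str, obj: str, action: str, now: int) -> AuthorizationResult:
        user = self.ats.verify_token(token, now)
        if user is None:
            result = AuthorizationResult(False, "invalid or expired token")
        elif any(lic.user_id == user and lic.object_id == obj and action in lic.rights
                 and now <= lic.not_after for lic in self.licenses):
            result = AuthorizationResult(True, "license found", self.ps.retrieve_key(obj))
        else:
            result = AuthorizationResult(False, "no license grants this action")
        self.reports.append({"user": user, "object": obj, "action": action,
                             "authorized": result.authorized})
        return result


def run_scenario(now: int = 1_700_000_000) -> dict:
    """Upload with encryption, one license, then four authorization requests."""
    ats, ps = AuthenticationService(secrets.token_bytes(32)), ProtectionService()
    auth = AuthorizationService(ats, ps)
    obj = "urn:example:obj-1"  # constructed identifier, as the ORS would provide
    key = ps.generate_key()  # CS upload with encryption: key requested first,
    ps.register_key(obj, key)  # then registered once the resource is encrypted
    auth.issue_license("alice", obj, {"play"}, not_after=now + 86_400)
    alice, bob = ats.issue_token("alice", now), ats.issue_token("bob", now)
    return {
        "key": key,
        "alice_play": auth.authorize(alice, obj, "play", now),
        "bob_play": auth.authorize(bob, obj, "play", now),
        "stale_token": auth.authorize(alice, obj, "play", now + 7_200),
        "forged_token": auth.authorize(alice.replace("alice", "bob"), obj, "play", now),
        "reports": auth.reports,
    }
```

Running `run_scenario()` exercises the property the section describes: an application only ever sees a key inside an `AuthorizationResult` whose `authorized` flag is true, a forged or expired token is rejected before the license repository is consulted, and every attempt, positive or negative, leaves a report.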

3. MXM and AIT

The MPEG Extensible Middleware (MXM) [1] is an initiative of the MPEG standardisation group (ISO/IEC JTC1/SC29 WG11). This standard specification defines a middleware platform and a complete set of APIs and protocols for the management of digital content. It promotes the reusability of MPEG technologies that provide the required functionalities to the interoperable Digital Rights Management architecture described in [11]. The MXM standard comprises four public documents, which cover the MXM architecture and technologies [12], the MXM application programming interface [13], the MXM reference software [14] and the MXM protocols [15].

On the other hand, the Advanced IPTV terminal (AIT) [2] is a joint initiative of MPEG and ITU-T SG16. These two groups are jointly conducting the standardisation of a set of protocols and interfaces which will enable new multimedia services in different environments, for example broadcasting. MPEG and ITU-T SG16 defined the requirements [16] for the Advanced IPTV terminal, and they also identified a set of candidate existing technologies that satisfied some of them. Then, a Call for Proposals was issued in January 2010 and the responses, which fulfil some of the requirements, were evaluated during the 92nd MPEG meeting (April 2010). Since some of the requirements had not received enough contributions, a second Call for Proposals [17] has been launched, taking into account the contributions received in the first call. Responses with relevant technologies will be evaluated during the next MPEG meeting in July 2010.

4. Digital Rights Management Integration

Different usage scenarios can be set up using MIPAMS, our proposed architecture. In the next subsections, we describe a reduced set that we consider relevant according to the present needs of content creators, distributors and consumers. For some of the scenarios, we also present research and development projects in which we have implemented the proposed functionalities using MIPAMS services and modules. We also include some screenshots of the final user applications and portals that have been implemented.

4.1 Content registration, protection, search, licensing and access control

This scenario covers the full system functionality, including content registration and protection, offer publication, content search, purchase and licensing, authorization and access. In this case, we first need an interface for content creators to register and publish their content and to determine and modify their offers. This functionality is provided by means of specific user applications for editing, or otherwise integrated in a web portal. In this scenario, once content is registered, it can be linked from external sites so that it can be licensed through the mentioned portal, which means that the content promoted in external sites can include specific links towards the licensing portal. Moreover, apart from being linked from other sites, the portal itself would also be useful for promotion. Fig. 2 shows a screenshot of the portal, where content is being rendered. This scenario has been implemented in Musiteca [18], a research project funded by the Spanish Administration. In this project, we have used some of the services composing MIPAMS (LS, RS, ATS, CS, ORS, SS and CA) to implement a content creation platform. Access to the Musiteca repository is done through a portal that permits the registration of content, the purchase of content (licensing) and access to the purchased content after the user is authorized. The actions performed by the different users of the system are recorded using the reporting functionality provided by the RS.


Fig. 2 Protected rendering in a specific DRM portal in Musiteca.

4.2 Content registration and licensing

This scenario involves only content licensing and registration. It is applicable to those cases where there are well-established sites that deal with the promotion and collection of content, but for which licensing is not part of their business model (e.g. Flickr, Picasa, Panoramio, YouTube, etc.). Although content can be directly accessed from those sites, it may be distributed under some restrictions that do not allow users to use it for free. This is the case when content is distributed e.g. under copyright ("all rights reserved") or Creative Commons Non-Commercial models [19]. In this scenario, the DRM architecture would act as a trading portal, devised to formalize the rights acquisition for personal or professional usage. Content owners or rights holders are responsible for registering content in the trading portal and providing the link towards it. As in the previous scenario, content can be linked from external sites. Figure 3 shows how content is linked from an external site, the Musiteca Freebase database [20], which holds information about musical content in the Musiteca project.


Fig. 3 Licensing link from Freebase to a specific DRM portal in Musiteca.

4.3 Content registration, licensing and access control without protection

This scenario extends the previous one by adding access to content after the license purchase; the access would be authorization-based, but the purchasing user would be given the unprotected content so that they can enjoy it without further DRM restrictions. This scenario has been implemented in the Intellectual Property Operations System (IPOS) [21], a Content Management System (CMS) resulting from several software developments done by the DMAG under different contracts with NetPortedItems [22], a Spanish SME. This CMS gives content authors the possibility of registering their work in the CMS. An author may even describe how other authors can use their work to derive new content. This information is described using LS licenses, to which we have added a special condition called Rights over Derivatives (ROD) [23][24]. This condition indicates the percentage of the income that someone gets from a derivative work that must be returned to the original author. When an author creates derived content from an existing work and obtains any revenue from it, the CMS follows the chain of works back, calculates the amount due to each author from the ROD condition and creates a report for each author informing them of this fact. Reports can be consulted at established time periods to give each author the corresponding revenues. This system makes use of all MIPAMS services through a dedicated portal.
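The ROD settlement described above follows the chain of works back and splits a derivative's income among the authors on it. The Python sketch below is an added illustration, not IPOS code. It assumes that the share an author receives from a derivative is itself derivative income, so the ROD of the work one step further up the chain applies to that share in turn, and that a work is registered before anything derived from it (which also rules out derivation cycles). Work identifiers, author names and percentages are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed illustration of Rights over Derivatives (ROD) settlement along a
# chain of derived works; not IPOS code. Assumption: the share an author receives
# from a derivative counts as derivative income, so the ROD of the work it was
# derived from applies to that share in turn (the chain is followed back).


@dataclass(frozen=True)
class Work:
    work_id: str
    author: str
    rod_percent: float  # share of any derivative's income owed to this author
    derived_from: Optional[str] = None  # work_id of the original, if any


class RightsRegistry:
    """Registry of works and derivation links, as the CMS would hold them."""

    def __init__(self) -> None:
        self._works: Dict[str, Work] = {}

    def register(self, work: Work) -> None:
        """Validate the ROD condition and the derivation link before storing."""
        if not 0.0 <= work.rod_percent <= 100.0:
            raise ValueError(f"ROD of {work.work_id} must be between 0 and 100")
        if work.work_id in self._works:
            raise ValueError(f"work {work.work_id} is already registered")
        if work.derived_from is not None and work.derived_from not in self._works:
            raise ValueError(f"{work.work_id} derives from unknown work {work.derived_from}")
        self._works[work.work_id] = work

    def settle(self, work_id: str, revenue: float) -> Dict[str, float]:
        """Split revenue earned by work_id among the authors along its chain."""
        if revenue < 0:
            raise ValueError("revenue must not be negative")
        shares: Dict[str, float] = {}
        work, amount = self._works[work_id], revenue
        while True:
            original = self._works[work.derived_from] if work.derived_from else None
            owed = amount * original.rod_percent / 100.0 if original else 0.0
            shares[work.author] = round(shares.get(work.author, 0.0) + amount - owed, 2)
            if original is None:
                return shares
            work, amount = original, owed  # the owed share is derivative income too

    def report(self, work_id: str, revenue: float) -> str:
        """Per-author report lines, as the CMS would produce for consultation."""
        shares = self.settle(work_id, revenue)
        return "\n".join(f"{author}: {amount:.2f} from revenue of {work_id}"
                         for author, amount in shares.items())


def demo() -> Dict[str, float]:
    """w-c derives from w-b, which derives from w-a; w-c earns 100.00."""
    reg = RightsRegistry()
    reg.register(Work("w-a", "alice", rod_percent=10.0))
    reg.register(Work("w-b", "bob", rod_percent=20.0, derived_from="w-a"))
    reg.register(Work("w-c", "carol", rod_percent=25.0, derived_from="w-b"))
    return reg.settle("w-c", 100.0)  # carol keeps 80.00, bob gets 18.00, alice 2.00
```

With the constructed chain, carol's 100.00 yields 20.00 for bob under w-b's 20% ROD, and alice's 10% ROD on w-a then applies to bob's 20.00, so the settlement is carol 80.00, bob 18.00, alice 2.00; `report()` turns the same figures into the per-author lines the CMS consults at settlement time.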

Fig. 4 Content access and unprotected rendering in IPOS.

4.4 Content registration, search, licensing and access control without content management

This scenario is devised for content providers or distributors that want to use their specific protection mechanisms and content management systems, so that content never leaves their well-established systems. In such a scenario, when registering content in the Object Registration Service, specific proprietary identifiers are used for identifying external content. Once objects are registered, rights offers can be published and licenses issued without any technical restriction. Regarding the applications that access content, such as players and editors, content providers or distributors will have to design their own applications to manage access to encryption keys and content from their systems, or otherwise provide an API so that their content can be accessed from third-party applications. This scenario has been implemented in CulturaLive [25], a research project funded by the Catalan Administration. In this project, we have integrated, using Web Services, the MIPAMS LS, AS and RS into an existing system offered by another project partner [26] that provides audiovisual content to be broadcast live by the televisions participating in the project through Digital Terrestrial Television (DTT). With our modules, content purchases can be tracked, as we register each license acquisition and each authorization result (positive or negative) in a reporting database. This database can later be consulted for billing purposes. It is worth noting that the digital content to be broadcast is not managed by MIPAMS but directly by the different TVs and SMEs forming part of the project. This gives an idea of the integration capabilities of the MIPAMS platform.

4.5 Content registration, protection, search, licensing and access control for limited-capability devices

This scenario involves limited-capability devices. In some cases, the encryption strength being used should be limited so as not to be detrimental to the devices' performance. In such cases, if content is already registered and protected using non-compatible protection mechanisms, the intermediary could be responsible for decrypting content and re-encrypting it to deal with the devices' limitations. Otherwise, if content is only to be used by limited-capability devices, it should be encrypted using the suitable protection mechanism when uploaded to the CS. This scenario has also been implemented in some projects of our research group (for instance AXMEDIS [27], but there were also other projects), but in a slightly different way. In those projects, the modules involved in the authorization of user actions were located inside the mobile device. In this way, when the user wanted to consume some content, the license authorizing this action was inside the mobile. This was done to avoid calling external services, as that involved a phone call or data transaction that may entail a non-negligible cost for the user. Moreover, mobile devices used a proprietary licensing scheme (OMA DRM [28]) addressed to devices with limited processing and communication capabilities. Currently, since smartphones and high-capacity mobile devices are gaining relevance and telecommunications companies are adopting competitive pricing policies for mobile users (e.g. flat fees), the solutions being implemented might be reconsidered.

4.6 Content registration and licensing through external services

The last proposed scenario is based on the usage of the registration functionalities, leaving content licensing to be tackled by external sites or services. In this scenario, the MIPAMS architecture would act as a mere intellectual property registry, proving content ownership and offering the possibility of linking content with external sites that deal with its commercialization, as may be the case of YouLicense [29], Getty Images [30], etc. Figure 5 shows how it could work in the Musiteca [18] project. Content would be registered and available for searching, while the shopping cart icon would redirect the user to a specialized, external licensing service.


Fig. 5 Link to external sites for licensing content

5. MIPAMS compared to MXM and AIT

In this section we analyze the three initiatives dealing with distributed multimedia application development considered in this paper: MIPAMS, MXM and AIT. We are not going to compare or map them, but to justify why we have implemented MIPAMS in this way and have not considered some of the modules and protocols defined in MXM and AIT. We describe these considerations in the next subsections. However, it must be noted that the first implementations of MIPAMS were made before the start of work on MXM and AIT [31].

5.1 MIPAMS compared to MXM

The relationship between MIPAMS and MXM mainly concerns some of the protocols defined by MXM. In fact, some MIPAMS services (ORS, CS, RS and LS) follow and implement the concepts behind the MXM protocols related to Content, Licenses and Event Reports. MIPAMS also implements part of the engines (Digital Item Engine, REL Engine, etc.), but it does not implement any functionality for modifying digital resources (image, video, audio, graphics, etc.), as it works at a higher abstraction level, the one described by MPEG-21. As digital resource operations are not implemented, the Digital Item Adaptation operations considered in MXM have been discarded in the current version of MIPAMS. In previous versions of our architecture we considered implementations of MPEG-21 Digital Item Adaptation [32] operations, but they only applied to the inclusion of MPEG-21 DIA expressions in MPEG-21 REL [7] licenses for authorizing complex digital resource adaptations for rendering in limited-capability devices (usually mobile devices) [33]. The Content Search and Security Engines described by MXM are also covered by the MIPAMS Search Service and Protection Service, respectively. Regarding the MPEG-21 Media Value Chain Ontology (MVCO) [34], we are implementing an authorization engine based on this ontology to be integrated in MIPAMS. The authorization engine used, REL-based or MVCO-based, will depend only on the needs of the final user application making use of MIPAMS. To sum up, MIPAMS implements most of the engines and protocols described in MXM, although we have used a different approach in some cases. Regarding the functionality defined in MXM that is not part of MIPAMS, we are going to implement the MVCO-based authorizer, but we do not plan to include low-level resource (audio, images, etc.) operations for the moment.

5.2 MIPAMS compared to AIT

Although, as already mentioned, AIT is still at a very early stage of development, we are already in a position to compare it with MIPAMS. There is a close relationship between MIPAMS and AIT, as MIPAMS already implements several of the services described as AIT Elementary Services in [2], especially those related to content, licenses and event reports. MIPAMS also implements several services related to users and services, mainly those related to authentication and authorization. Regarding contracts, we do not implement any functionality in the current version of MIPAMS, but we have some background in this area developed during the AXMEDIS project, where we analyzed several contracts from partners in the audiovisual environment and implemented an application for transforming textual contracts into MPEG-21 REL licenses. Our experience in this field has been reflected in a contribution to the first AIT call for proposals for the elementary services related to contracts [35]. We are working on a new version of this contribution, as a new call for proposals has been issued for the next MPEG meeting [17]. On the other hand, MIPAMS does not include an implementation of the AIT elementary services related to devices, since this functionality is not required in the presented scenarios. In other contexts, we have defined and implemented operations over devices in projects like AXMEDIS (as described in section 4.5), but we decided not to include them in MIPAMS, as they ultimately depend on the final user application (or on the intermediary), may change from application to application and need to be implemented according to the application requirements. Nevertheless, we are considering the specification of AIT device functionality in a specific new module or as an extension of the ATS service.

Finally, regarding services related to groups, in the IPOS project we have implemented grouping functionality in order to permit users to act as a single unit, while being flexible enough to support different shares. This specific part of IPOS can be easily integrated into the MIPAMS architecture by extending the authentication service, whenever it is needed.

6. Conclusions

In this paper, we have presented three initiatives that deal with the development of distributed multimedia applications and Digital Rights Management technologies. In this context, we have proposed several relevant usage scenarios that share some common functionality, such as content registration, protection, search, licensing and access control. We have also presented some sample implementations done by the DMAG in different research projects and we have shown how the aforementioned functionality can be integrated into a single generic architecture called MIPAMS, which offers distributed services and enables specific applications, depending on the business model being followed, to be built on top of it. Finally, we have compared our platform with the MXM and AIT standards, identifying why we are not strictly following them. We plan to continue contributing from our developments to the standards in progress and to adopt new standards specifications when possible, to facilitate interoperability. Furthermore, we are progressing in the development and exploitation of the architecture and of applications on top of it.

7. Acknowledgements

Part of this work has been supported by the Spanish administration: Multimedia Content Management Life Cycle (MCM-LC) project (TEC2008-06692-C02-01), Musiteca project (TSI-020501-2008-117); by the European Commission: AXMEDIS (IST-2004-511299); by the Catalan administration: CulturaLive; and by the company NetPortedItems, S.L.: IPOS.

8. References

[1] ISO/IEC (2010) MPEG Extensible Middleware, http://mxm.wg11.sc29.org
[2] ISO/IEC (2010) ISO/IEC JTC 1/SC 29/WG 11 N11230, Context and Objectives for Advanced IPTV Terminal (AIT), Kyoto, Japan
[3] Distributed Multimedia Applications Group (DMAG) (2010) http://dmag.ac.upc.edu
[4] Torres V, Delgado J, Llorente S (2006) An Implementation of a Trusted and Secure DRM Architecture. Lecture Notes in Computer Science 4277. Springer, Heidelberg
[5] Delgado J, Rodríguez E (2008) Digital Rights Management Technologies and Standards. In: Ng K and Nesi P (eds) Interactive Multimedia Music Technologies. Information Science Reference, New York
[6] ISO/IEC (2005) ISO/IEC IS 21000:2 – Part 2: Digital Item Declaration
[7] ISO/IEC (2004) ISO/IEC IS 21000:5 – Part 5: Rights Expression Language
[8] ISO/IEC (2006) ISO/IEC IS 21000:4 – Part 4: Intellectual Property Management and Protection Components
[9] ISO/IEC (2006) ISO/IEC IS 21000:15 – Part 15: Event Reporting
[10] OASIS (2005) Security Assertion Markup Language (SAML) http://saml.xml.org/
[11] Rodríguez V, Delgado J, Chiariglione F et al (2010) Interoperable Digital Rights Management based on the MPEG Extensible Middleware. Multimedia Tools and Applications. Springer Netherlands
[12] ISO/IEC (2010) ISO/IEC 23006-1: Information technology - MPEG-M (MPEG Extensible Middleware) - Part 1: MXM architecture and technologies. Final Committee Draft
[13] ISO/IEC (2010) ISO/IEC 23006-2: Information technology - MPEG-M (MPEG Extensible Middleware) - Part 2: MXM API. Final Committee Draft
[14] ISO/IEC (2010) ISO/IEC 23006-3: Information technology - MPEG-M (MPEG Extensible Middleware) - Part 3: MXM Reference software. Final Committee Draft
[15] ISO/IEC (2010) ISO/IEC 23006-4: Information technology - MPEG-M (MPEG Extensible Middleware) - Part 4: MXM protocols. Final Committee Draft
[16] ISO/IEC (2010) ISO/IEC JTC 1/SC 29/WG 11 N11228, Requirements for Advanced IPTV Terminal (AIT), Kyoto, Japan
[17] ISO/IEC (2010) ISO/IEC JTC 1/SC 29/WG11 N11336, Advanced IPTV Terminal (AIT): 2nd Call for Proposals, Dresden, Germany
[18] Musiteca research Project (TSI-020501-2008-117) (2008) Ministerio de Industria, Turismo y Comercio (Subprograma Avanza I+D)
[19] Creative Commons licenses (2010) http://creativecommons.org/licenses/
[20] Musiteca Freebase database (2010) http://musiteca.freebase.com/
[21] Intellectual Property Operations System (IPOS) (2010) http://dmag1.ac.upc.edu/IPOS
[22] NetPortedItems S.L. (2010) http://www.digitalmediavalues.com/
[23] Torres V, Delgado J, Maroñas X, Llorente S, Gauvin M (2009) A web-based rights management system for developing trusted value networks. Proc. of the 18th International World Wide Web Conference Developer's Track 57-59
[24] Torres V, Delgado J, Maroñas X, Llorente S, Gauvin M (2009) Enhancing rights management systems through the development of trusted value networks. Proc. of the 7th International Workshop on Security in Information Systems 26-35
[25] CulturaLive research Project (2009REGIÓ 00024) (2009) Generalitat de Catalunya
[26] Video Stream Networks (VSN) (2010) http://www.vsn-tv.com/es
[27] AXMEDIS (IST-2004-511299) (2004-2008) Automating Production of Cross Media Content for Multi-channel Distribution, http://www.axmedis.org, European Commission
[28] Open Mobile Alliance Digital Rights Management (OMA DRM) (2010) http://www.openmobilealliance.org/technical/release_program/drm_v2_1.aspx
[29] YouLicense (2010) http://www.youlicense.com/
[30] Getty Images (2010) http://www.gettyimages.com/
[31] Torres V, Rodríguez E, Llorente S, Delgado J (2004) Architecture and Protocols for the Protection and Management of Multimedia Information. Lecture Notes in Computer Science 3311. Springer, Heidelberg
[32] ISO/IEC (2007) ISO/IEC IS 21000:7 – Part 7: Digital Item Adaptation
[33] Llorente S, Delgado J, Maroñas X (2007) Implementing Mobile DRM with MPEG-21 and OMA. Proc. of the 5th International Workshop on Security in Information Systems 166-175
[34] ISO/IEC (2010) ISO/IEC IS 21000:19 – Part 19: Media Value Chain Ontology
[35] Rodríguez V, Delgado J, Rodríguez E, Llorente S (2010) ISO/IEC JTC1/SC29/WG11 MPEG2010/M17561 DMAG-UPC Response to the AIT Call, Dresden, Germany
