actors in the distribution value chain, protecting multimedia content from unauthorised usage. KEY WORDS. Multimedia content protection, digital rights ...
TRUST AND RIGHTS IN MULTIMEDIA CONTENT MANAGEMENT SYSTEMS Víctor Torres, Eva Rodríguez, Silvia Llorente, Jaime Delgado Universitat Pompeu Fabra, Passeig de Circumval·lació, 8, 08003 Barcelona, Spain {victor.torres, eva.rodriguez, silvia.llorente, jaime.delgado}@upf.edu ABSTRACT Secure and trusted distribution of multimedia content is a key issue for content creators, content providers and distributors, as they want to fight piracy and receive the revenues derived from their creativity work. The provision of trust and protection has not been already solved by the existing multimedia distribution mechanisms. Such mechanisms lie on proprietary architectures and tools, and users have to cope with different viewers and players to consume multimedia contents. In order to provide enhanced multimedia capabilities to final users, several standards and initiatives have appeared. Our aim is to take profit of their effort to define an architecture flexible enough to provide the needed functionality to all the actors in the distribution value chain, protecting multimedia content from unauthorised usage. KEY WORDS Multimedia content protection, digital rights management, content management, standards.
1. Introduction Multimedia information processing, including all steps in the multimedia content life-cycle, from creation and production to distribution and consumption is a very complex and challenging area of research. One key aspect in the systems that control this life-cycle is the management of the rights associated to the content. Furthermore, apart from Digital Rights Management (DRM), we need to take into account other aspects, such as security, certification and control, to achieve a fully trusted system. This paper presents part of our work on the definition of a possible architecture that provides trust and rights management in a multimedia content management scenario. It is organised as follows. First, we introduce how we will develop and extend an initial architecture presented in [1] to make it as general as possible so as not to be restricted to a specific standard. After this, we present how the architecture is capable of managing
multimedia information represented using current standards such as MPEG-21 [2] and OMA DRM [3]. Next, we analyse how the elements of the architecture provide trust to the whole value chain, from the content creator to the final user. Then, we illustrate the system operation through a content consumption use case, and finally, we present the work that has been already done and the future work that consists on the development of demonstrators.
2. An architecture information processing
for
multimedia
In [1] we proposed the architecture of a system capable of processing multimedia information structured as defined in the MPEG-21 standard [2]. In this section we will refine and extend this architecture, trying to make it as general as possible so as not to be restricted to a specific standard, since our first version was too focused on MPEG-21. To complete this task we have considered the requirements of relevant standards, initiatives and projects such as the Open Mobile Alliance (OMA DRM) [3], MPEG-21 [2], Digital Media Project (DMP) [4], FP6 NAVSHP DRM [5] and AXMEDIS European project [6]. 2.1 Current Approach Figure 1 shows the basic modules that constitute the new architecture. The architecture, called DMAG Multimedia Information Protection and Management System (DMAGMIPAMS), whose name is after our group acronym DMAG [7], consists of several modules, where each of them provides a subset of the whole system functionality needed for managing and protecting multimedia content. The functionality of some modules might partially correspond to that provided by international standards or public specifications, such as MPEG-21 [2]. One of the benefits of defining a modular architecture is that it allows locating the different server modules in different machines. On the other hand, the architecture distinguishes between the final user and the servers
Trusted client
Intermediary
needed to provide the underlying infrastructure, while in the middle we have the “Intermediary”. Content Server
Protection Server
Governance Server
Adaptation Server
Certification Server
Supervisor Server
Figure 1. Revised DMAG-MIPAMS architecture The functionality of this intermediary element could be located either on the user side, server side or both, depending on the characteristics of the equipment or terminal used by the final user to access the multimedia content. Its main functionality is to hide the complexity of the system from the final user perspective, which allows describing the architecture in a very general way, while keeping independence from the equipment capabilities. Another important functionality of the intermediary is to provide access to different systems (with different content servers, license servers, etc), hiding this issue to the final user. The defined modules are sufficient to provide trust and rights management, but perhaps not exhaustive, what can be overcome by defining new modules if needed. Some of them could be also optional, depending on the requirements of the system being implemented. The functionality of each module presented in the architecture is described in the following sections. 2.1.1. Content server. It provides the content that final users may request. It can be internally decomposed into several modules, for instance, to separate digital items describing resources from the resource itself or from the resources that are stored in an external system. 2.1.2. Protection server. It is responsible for protecting the content or digital objects, which become protected objects, mainly using encryption techniques and managing the encryption keys. It can also provide other protection mechanisms, like scrambling. It must create and associate to the digital objects the information related to the protection process that has been followed and the protection techniques or tools that have been used so as to make it possible to determine the reverse process. It has also to provide the functionality to download the tools that have been used during the protection process in case a user does not have them available in the device. Finally, it must apply the protection techniques to the content in order to protect it, create the necessary
encryption keys (when needed) and deliver them to the final user or client. 2.1.3. Governance server. The governance server includes the following functionality: license generation, license storage, authorisation and translation support. The license generation functionality is only available for content creators, content providers and distributors. For example, a content creator can create a license that grants a content distributor the right to distribute its content under certain conditions. On the other hand, a content distributor will not be authorised to distribute content unless it has the corresponding license issued by a content creator or provider. Final users will not be able to access this functionality unless they act as content distributors (such as in P2P networks) or create their own content for distribution (in this case, they have to be considered as content creators). In any case, any user that creates a license describing the use of some specific content must have the corresponding rights. The generated licenses are associated to a content or digital object, which becomes a governed digital object. Licenses are stored in a license database for authorisation purposes, as we explain next. The governance server offers authorisation functionality. That is, it is responsible for authorising users to perform actions over resources. Every time a user tries to perform an action over a resource, this module checks in the license database if he has a license that authorises him to do so. As licenses can be written in different languages, as for instance ODRL [8] or MPEG-21 REL [9], translation functionality is necessary to provide interoperability. In this way, the system can work with a predefined language and convert licenses expressed in other languages to the predefined one under certain conditions. To facilitate this interoperability, we can define “equivalent” profiles between different rights expression languages, to enable their translation in both senses. We have been working in this area, implementing some tools to translate from ODRL to MPEG-21 and the other way around [10], and we have proposed an approach based on profiling [11]. 2.1.4. Certification server. It includes registration, authentication and verification functionality. Every time a user tries to do an action over a protected and governed object, his trusted viewer, browser, editor or tool connects to the certification server, which is in charge of verifying that both users and devices are registered in the system and that the used tools have not been manipulated; it is also in charge of resynchronising the missing data if any offline operation has been performed (i.e., if content has been accessed without the knowledge of the Certification server).
Every time a user runs a trusted tool, the certification server verifies its integrity so as to ensure that the original user tool has not been modified.
Next, we are going to describe how our architecture has the necessary functionality to cover different parts of this standard.
2.1.5. Adaptation server. It performs the adaptation of content and its associated metadata, depending on transmission, storage and consumption constraints. The adaptation of metadata can also involve the adaptation of the related licenses (in fact, the creation of new ones), as derived objects or content can be seen as new creations with regard to original ones.
DID. Digital objects can be structured as Digital Items, as defined in the DID part of the MPEG-21 standard.
2.1.6. Supervisor server. It receives event reports related to content usage or user blocking requests from different modules of the architecture. When a blocking request is received, the Supervisor immediately blocks a user, preventing him the access to the system. It can also generate automatic reports to the authorised parties. The information it collects (such as: user, device, object, operation details, etc.) is stored in a database in order to keep it organised for future access. This information can be then used by specific applications to keep track of what happens in the system by generating statistics and traces, or for accounting purposes.
3. Relationship of the architecture with existing standards As we have already mentioned, our intention is to define the architecture as general as possible so as not to be restricted to a specific standard, but to be able to align it to as many standards as possible. Moreover, it must be flexible enough to operate with current standards, such as MPEG-21 [2] and OMA DRM [3]. However, in order to have a fully interoperable architecture capable of managing different multimedia formats at the same time, common interfaces for the identified modules should be defined.
REL. Digital Items can include digital licenses written in MPEG-21 REL. Digital Items or objects managed by licenses are called governed digital objects. In our system, the Governance server offers the functionality not only for the creation, validation and edition of licenses, but also for the authorisation of users based on licenses and using the term genealogy defined in the Rights Data Dictionary (RDD, Part 6) [15] of the MPEG-21 standard. RDD comprises a set of clear, consistent, structured, integrated and uniquely identified terms. The structure of the RDD is designed to provide a set of well-defined terms for use in rights expressions. IPMP. The Intellectual Property Management and Protection part deals with the standardisation of a general solution for the management and protection of Intellectual Property. Digital Items can be protected in order to ensure that the access to the contents is done according to the license terms. The solution lies in the use of digital signatures and encryption techniques over the digital content, which makes it possible to deploy a business model that ensures the accomplishment of the license terms in a controlled way. These kinds of objects are called IPMP DIDL documents that consist of the protected object (or part of the DIDL document) and the IPMP information expressions. IPMP expressions contain protection information, such as the IPMP tools that protect the content, initialisation settings, keys, etc.; and governance information, such as licenses that govern the content or references to these licenses or license services.
3.1. MPEG-21 MPEG-21 standard is divided into several parts, which deal with different aspects of multimedia information management. In the MPEG-21 context, the information is structured in Digital Items, which are the fundamental unit of distribution and transaction. Digital Items are digital documents written in XML according to a XML Schema. A Digital Item, defined in the MPEG-21 Digital Item Declaration (DID, Part 2) [12], is constituted by the digital content, which can be embedded or referenced from the Digital Item, plus related metadata that describes additional information regarding the content, such as Intellectual Property Management and Protection (IPMP, Part 4) [13] information, Rights Expression Language (REL, Part 5) [9] expressions, Event Reporting (ER, Part 15) [14] information and others.
In our system, the protection server is the responsible for protecting the content and managing the protection keys and tools. It can also generate the protection information required to be included in Digital Items. ER. Event Reporting is required within the MPEG-21 Multimedia Framework in order to provide a standardised means for sharing information about Events amongst Peers and Users. Such Events are related to Digital Items and/or Peers that interact with them. In our system, the reporting functionality is provided by the Supervisor. Whereas the event reports are generated in any of the modules as notification messages, the Supervisor server is in charge of receiving and interpreting them and performing the appropriate actions.
3.2 OMA DRM OMA DRM [3] defines a rights expression language (REL) [16] that is based on ODRL [8]. ODRL and MPEG-21 REL are currently the two most important rights expression languages and, while they have a different syntax, their semantics is quite similar. We have been working for some time in this interoperability issue. After an initial proposal of a simple syntactic mapping [10], we are now proposing a specific subset of MPEG-21 REL that is interoperable with the second version of OMA DRM REL [16]. This work could lead to the specification of a MPEG-21 REL profile, as it is being discussed in the MPEG group after our proposal. Our architecture enables the use of whatever rights expression language the content creators, providers or distributors want to use, associated to digital objects. Internally, our system can work with a predefined rights expression language and provide some translation mechanisms for converting licenses expressed in other languages to the predefined one. This translation can only be performed under certain conditions, which can be grouped to define rights expressions languages profiles, as stated before. We have also studied the workflow of OMA DRM to provide a generic workflow for DRM systems [17].
4. Trust provision Once we have introduced an architecture and related standards, we are going to analyse the elements in the proposed system that provide trust from the final user point of view or even from the content creator, provider or distributor perspective. 4.1. Use of DRM Digital Rights Management (DRM) enables the association of rights and conditions of usage to digital content, written in a digital license that can be embedded together with the content or stored in a separate way. Digital licenses can be seen as digital documents that establish a contractual relationship between two parties: the license issuer and the granted party. That is, licenses can be used to establish contractual relationships in an ecommerce environment not only for final users (B2C scenario) but also between content creators/providers and distributors (B2B scenario). Another interesting functionality of digital licenses together with License server is the possibility to keep track of the identity and correctness of the actions performed by any of the value chain players, from the content creator to the final user. The authorisation
algorithms can use the licenses stored in the License server to determine whether all the parties (content provider, distributor, final user) use the contents in the right way, according to the rights they are granted by their authorising party. For example, a final user must own a license issued by a content distributor that grants him the right to reproduce a content and the distributor, as far as it is concerned, must own a license issued by a content creator or provider that grants it the necessary rights to distribute the content. As we have seen, DRM, by means of digital licenses, can be a key element to provide trust in a content management system. In the proposed system, the Governance server provides this functionality through its license creation and authorisation facilities. However, in order to ensure that the access to the content is done according to the license terms, protection mechanisms must be used, as explained in section 4.2. 4.2. Protection Protection mechanisms consist on the use of digital signatures and encryption techniques over the digital content and make it possible to deploy a business model that ensures the accomplishment of the license terms in a controlled way. In this way, protected objects are safe from unauthorised access, providing trust to the system. The protection of digital objects involves not only encryption and decryption together with the creation of keys, but also the association of some protection information or metadata to the contents and the management and delivery of protection keys. Key delivery must be performed in a secure and trusted way. On one hand, they must be provided through a secure channel. Moreover, they must be inaccessible in the client side. This can be achieved by providing the necessary keys to certified and hence trusted applications (see section 4.4) in the client side in an online scenario. 4.3. Certification of users and tools The tool in the user side must be trusted, it must perform some checks in the server side in an online operation and resynchronise the local information with the server side in every reconnection in order to enable an offline operation. Every time a user tries to do an action over a protected and governed object, the client side module must send the necessary information to the server side so that it can verify not only the user and the device, but also the tool integrity to ensure that the module has neither been modified nor corrupted. By ensuring the tool integrity, we can be sure that it is still trusted. The Certification server provides this functionality to verify user, device and tool integrity.
4.4. Supervision and tracking Transaction and operation supervision and tracking is another feature that can provide trust in such a system. In every transaction or operation, a reporting message can be created, under request, in the server side and sent to a processing module. This processing module, which we have called Supervisor server, will be responsible for collecting, interpreting and storing the appropriate information into a specific database. As we have already explained, the information in the reports can be notified to the corresponding party or used for accounting purposes or statistical analysis. Blocking requests are used to immediately block the access to users.
server determines that the user is granted to perform the requested operation and that the distribution chain is correct (all the parties in the license chain were granted by their corresponding license). 12. The Governance server notifies the trusted module in the client side that the user is authorised. 13. A message is sent to the Supervisor notifying the successful authorisation. User + Intermediary User Trusted Tool module 1. Open Digital object in viewer 2. Play movie
Certification Server
Governance Server
Supervisor Server
3. Authorised? 4. Check user and tool 5. Query database 8. User, tool OK
5. Use case
6. Check info 7. Authenticated, verified
9. Authorised? 10. Retrieve licenses
In this section we present a scenario to illustrate how the proposed architecture and the processing of protected and governed multimedia content are related. The scenario describes content consumption. Imagine that a user has purchased online a license that grants him the right to play a movie during a certain period of time. The mentioned user has installed in his device a specific tool or plug-in that manages the protected and governed objects of the proposed system and that is able to display them in the appropriate way. The use case begins when the user downloads the protected and governed movie and tries to open it in order to watch it with the viewer. Figure 2 shows the steps involved in the content consumption use case, which are the following: 1, 2. The user opens the movie in his favourite player, which includes the appropriate trusted plug in and tries to watch it (Play movie). 3. The viewer requires authorisation to an internal trusted module. 4. The internal trusted module connects to the Certification server in order to check user data, user status and tool integrity. 5, 6. The Certification server queries its database to retrieve and check user data, user status, and tool information related to tool integrity. 7. A message is sent to the Supervisor server notifying the successful authentication of the user and verification of the tool. 8. The Certification server notifies the trusted module in the client side that everything is OK. 9. The client trusted module contacts the Governance server and asks if the user is authorised. The authorisation consists on checking if the user is granted to exercise the right “play” over the movie according to a certain chain of licenses (going from the content creator to the final user). 10, 11. The Governance server searches in the database the licenses related to that user and runs an authorisation algorithm over the chain of licenses. The Governance
13. Authorised
11. Authorisation algorithm 12. Authorised
14. Protection Info? 15. Protection Info 16. Determine necessary tools and algorithms to unprotect content Detect tools and algorithms availability in device: available 17. Unprotect movie 18. Authorised 19. Display movie
Figure 2. Content consumption use case. 14. The trusted module in the client side asks the Supervisor server for the protection information related to the content. 15. The Supervisor server returns the protection information to the trusted module. 16. The trusted module determines the tools or algorithms needed to unprotect the object and detects that they are already available in the user device. 17. The trusted module in the user side unprotects the movie according to the protection information steps and using the necessary tools and algorithms. 18. The trusted module in the user side notifies the viewer that the user is authorised to watch the movie. 19. The object viewer displays the movie to the user.
6. Development of demonstrators The Distributed Multimedia Applications Group (DMAG) [7] has been working in the MIPAMS trusted architecture and related standards, and has already developed several of its modules. For example, we have developed several tools [18] that have been contributed to the standardisation of MPEG-21 and that are included in the MPEG-21 Reference Software [19]. The already implemented tools offer independent and isolated functionality and will be extended and integrated
with other modules in the context of the i2Cat project, which will provide a middleware architecture for the distribution of multimedia content and the AXMEDIS European project [6], which will develop several demonstrators for several delivery channels (PC distribution, satellite distribution, mobile distribution). These demonstrators will be publicly presented and will be very useful to verify the operation of the proposed modular architecture and to show different functionalities of the system. Moreover, an AXMEDIS framework will be publicly available for presenting the tools implemented in this project.
7. Conclusions This paper has presented a preliminary architecture of a distributed system for distribution and management of protected and governed multimedia content, based on different requirements, to reach a general model that is not restricted to a specific standard but keeps the flexibility to locate different functionalities in separate machines. In this sense, we have shown how the presented architecture is flexible enough to support current standards such as MPEG-21 and OMA DRM. In the MPEG-21 context, we have described the relationship between MPEG-21 parts and the elements or functionalities of the architecture while, regarding OMA DRM, we have shown how the use of different rights expressions languages can be managed by translation mechanisms and profile definition. On the other hand, we have analysed the elements in the proposed architecture to describe how they provide trust to the global system and the whole value chain. Then, a use case has been presented showing the successive steps that the system will follow in a content consumption scenario, considering authentication, verification and authorisation matters. Finally, based on our previous experience in the development of REL-based tools, several demonstrators that integrate the isolated functionality provided by the different modules will be developed. The demonstrator development plan will be part of the i2Cat project and the AXMEDIS European project. The latter will provide a framework that will be publicly available.
8. Acknowledgements This work has been partly supported by the Spanish administration (AgentWeb project, TIC 2002-01336) and is being developed within VISNET (IST-2003-506946, http://www.visnet-noe.org), a European Network of Excellence and AXMEDIS, a European Integrated Project, both funded under the European Commission IST
FP6 program, and "Projecte Integrat" project, funded by the Catalan Administration (Fundació i2Cat).
References: [1] V. Torres, E. Rodríguez, S. Llorente & J. Delgado, Architecture and Protocols for the protection and management of multimedia information, Proc. Second International Workshop on Multimedia Interactive Protocols and Systems, LNCS 3311, Springer Verlag, Grenoble (France), 2004, 252-263. [2] MPEG-21, http://www.chiariglione.org/mpeg/ standards/mpeg-21/mpeg-21.htm. [3] Open Mobile Alliance (OMA), DRM Specification (OMA-DRM-DRM-V2_0-20040716-C), July 2004, http://www.openmobilealliance.org. [4] Digital Media Project (DMP), http://www.dmpf.org/. [5] DRM Coordination Group of the EU FP6 Projects in the area of Networked AudioVisual Systems and Home Platforms (NAVSHP), http://www.rose.es/navshp. [6] Automatic Production of Cross Media Content for Multi-channel Distribution (AXMEDIS), IST-2004-511299, http://www.axmedis.org. [7] Distributed Multimedia Applications Group (DMAG), http://dmag.upf.edu. [8] Open Digital Rights Language (ODRL), http://odrl.net. [9] ISO/IEC, ISO/IEC IS 21000-5 – Rights Expression Language. [10] J. Polo, J. Prados & J. Delgado, Interworking of Rights Expression Languages for Secure Music Distribution, Proc. 4th International Conf. on Web Delivering of Music (Wedelmusic 2004), Barcelona (Spain), September 2004, pp. 78-84. [11] J. Delgado, J. Prados, E. Rodríguez, A subset of MPEG-21 REL for interoperability with OMA DRM v2.0, ISO/IEC JTC 1/SC 29/WG 11/M11893, MPEG Busan meeting (Korea), April 2005, http://dmag.upf.edu/DMAGMPEG21Tools/m11893.pdf. [12] ISO/IEC, ISO/IEC 2nd Edition FCD 21000-2 – Digital Item Declaration. [13] ISO/IEC, ISO/IEC CD 21000-4 – Intellectual Property Management and Protection. [14] ISO/IEC, ISO/IEC CD 21000-15 – Event Reporting. [15] ISO/IEC, ISO/IEC IS 21000-6 – Rights Data Dictionary. [16] OMA, DRM Rights Expression Language (OMADRM-REL-V2_0-20040716-C), July 2004, http://www.openmobilealliance.org. [17] S. Llorente, E. Rodríguez & J. Delgado, Workflow description of digital rights management systems, Proc. the second International Workshop on Regulatory Ontologies, LNCS 3292, Springer Verlag, Larnaca (Cyprus), 2004, 581-592. [18] DMAG MPEG-21 Tools, http://dmag.upf.edu/DMAGMPEG21Tools. [19] ISO/IEC, ISO/IEC FDIS 21000-8 – Reference Software.