nuovo drm - satoss.uni.lusatoss.uni.lu/seminars/srm/pdfs/hugo-nuovo.pdfnuovo...

Nuovo DRMIntroducing Fair Exchange in Digital Rights Management

Hugo Jonker, Mohammad Torabi Dashti, Srijith Krishnan NairSaToSS group, University of Luxembourg

FM group, Eindhoven University of Technology

DRM & Fairness-DRM-requirements-fair exchange

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Model checking

Conclusions

SRM, 28 Apr 2009 Nuovo DRM - p. 2/21

Digital Rights Management

idea: trade digital “content”

problem: unlimited, perfect copying

generalisation: access control needed

DRM: bundle access control with content

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Model checking

Conclusions

Requirements of DRM systems

G1. effectiveness

G2. secrecy

G3. resist content masquerading

G4. strong fairness

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Model checking

Conclusions

fair exchange

Alice: A ←→ Bob: B

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Model checking

Conclusions

fair exchange

Alice: A ←→ Bob: B

Two fair endings:- Alice: B; Bob: A- Alice: A; Bob: B

recovery protocol

TTP needed

optimistic fair exchange: TTP hardly needed

DRM & Fairness

Fairness in DRM-P2P exchange-NPGCT05 issues

Nuovo DRM

Formalising Nuovo

Model checking

Conclusions

P2P exchange

Buying content c with rights r′:

1. d2 → d1 : Request content2. d1 ↔ d2 : Mutual authentication3. d1 → d2 : cK′ , K′pk(d2), Rd1 (c), r′, σ,Λ,Λ′

Λ′ = h(d1 , d2 , c, σ, r′)sk(d1)

4. d2 : Verifies σ, Λ′ and Rd1 (c) using Λ

5. d2 → d1 : ψ, [payment]

ψ = h(d1 , P, cK′ , σ, r′)sk(d2)

— from [NPGCT05]

DRM & Fairness

Fairness in DRM-P2P exchange-NPGCT05 issues

Nuovo DRM

Formalising Nuovo

Model checking

Conclusions

NPGCT05 issues

replay of rights

no fairness

DRM & Fairness

Fairness in DRM

Nuovo DRM-concept-assumptions-fair exchange-recovery

Formalising Nuovo

Model checking

Conclusions

concept

address NPGCT05’s flaws

verified security

practical security

DRM & Fairness

Fairness in DRM

Formalising Nuovo

Model checking

Conclusions

assumptions and limits

A1. trusted devices

A2. resilient communication

A3. PKI hierarchy

A4. price negotiations

DRM & Fairness

Fairness in DRM

Formalising Nuovo

Model checking

Conclusions

fair exchange

1. owner(d2 )→ d2 : d1 , h(c), r′

2. d2 → d1 : d2 , nd2

3. d1 → d2 : n′d1 , nd2 , d2sk(d1)

4. d2 → d1 : nd2 , n′

d1 , h(c), r′, d1sk(d2)

5. d1 → d2 : cK′ , K′pk(d2), r′, nd2sk(d1)

where:

d1 , d2 : devices h(c): hash of content c nx: nonce of X r′: rights

DRM & Fairness

Fairness in DRM

Formalising Nuovo

Model checking

Conclusions

recovery

1. owner(d2 )→ d2 : d1 , h(c), r′

2. d2 → d1 : d2 , nd2

3. d1 → d2 : n′d1 , nd2 , d2sk(d1 )

4. d2 → d1 : nd2 , n′

d1 , h(c), r′, d1sk(d2)

5r. d2 : resolves(d2 )

6r. d2 → P : d2 , n′d27r. P → d2 : n′

P, n′d2 , d2sk(P )

8r. d2 → P : n′d2 , n′P , 〈nd2 , n′

d1 , h(c), r′, d1 〉, r′′, Psk(d2)

9r. P → d2 : cK′′ , K′′pk(d2), r′′, n′d2SK(P )

DRM & Fairness

Fairness in DRM

Nuovo DRM

Formalising Nuovo-approach-abstract actions-fair exchange-recovery-intruder model

Model checking

Conclusions

approach

formalise processes in µCRLabstract actions highlight processing steps

Intruder model that respects RCC

formalise goals in regular µ-calculus

finite model checking: limited instance2 scenario’s.

DRM & Fairness

Fairness in DRM

Nuovo DRM

Model checking

Conclusions

abstract actions

request() start of exchange for receiving device

update() successful termination of exchange

lastttp no more TTP available

fair exchange

d1(Ω, nd1 ) =X

r∈Rgtsc∈Cont

recv(d2 ; d2 , h(c), r) · send(d2 ; d1 , nd1 ) ·

n∈Nonce

recv(d2 ; n, nd1 , d1sk(d2)) · send(d2 ; nd1 , n, h(c), r, d2sk(d1)) ·

request(d1 , h(c), r, d2 ) ·

K∈Key

recv(d2 ; cK , Kpk(d1), r, nd1sk(d2)) ·

update(d1 , h(c), r, d2 ) · d1(Ω ∪ 〈c, r〉,nxt(nd1 ))

+ RESOLVE(Ω, nd1 , (nd1 , n, h(c), r, d2 ))

recovery

RESOLVE(Ω, nd1 , (nd1 , n, h(c), r, d2 )) = resolves(d1 ) ·

r∈Rgtsc∈Cont

send(P ; d1 , nd1 ) ·

n′∈Nonce

recv(P ; n′, nd1 , d1sk(P )) ·

send(P ; nd1 , n′, (nd1 , n, h(c), r, d2 ), Psk(d1)) ·

request(d1 , h(c), r, P ) ·

K∈Key

recv(P ; cK , Kpk(d1), r, nd1sk(P )) ·

update(d1 , c, r, P ) · d1 (Ω ∪ 〈c, r〉, nxt(nd1 ))

DRM & Fairness

Fairness in DRM

Nuovo DRM

Model checking

Conclusions

intruder model

I(X,Y ) =X

p∈Agentm∈Msg

recv(p, m, I) · I(X ∪ m, Y ∪ m) +

p∈Agentm∈Msg

send(I,m, p) · I(X, Y \ m) ⊳ m ∈ Y ⊲ δ +

p∈Agentm∈Msg

send⋄(I, m, p) · I(X,Y ) ⊳ m ∈ synth(X) \ Y ⊲ δ +

c∈Cont

revealed(c) · δ ⊳ c ∈ synth(X) ⊲ δ

— From [CT06]

DRM & Fairness

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Model checking-Scenarios-goals-fairness-results

Conclusions

Scenarios

S0: one provider P , d1 , d2 , trusted network, no intruder.

S1: three providers, d1 , d2 , untrusted network, intrudercontrols d1 .

content: c1, c2, c3

rights: r1, r2, r1 allows resale of r2

DRM & Fairness

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Conclusions

G1. effectiveness

[T∗ · request(d1 , c, r, P )] µX.(〈T〉T ∧ [¬update(d1 , c, r, P )]X)

DRM & Fairness

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Conclusions

G1. effectiveness

G2. secrecy[T∗ · revealed(c)]F

DRM & Fairness

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Conclusions

G1. effectiveness

G2. secrecy[T∗ · revealed(c)]F

G3. resist content masquerading

[(¬request(d1 , c, r, P ))∗ · update(d1 , c, r, P )]F

DRM & Fairness

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Conclusions

fairness

for provider for d2 when buying from provider for d2 when reselling

for d2 when buying from d1

DRM & Fairness

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Conclusions

fairness

[T∗ · request(d2 , c, r, d1 ) · (¬(resolves(d2 ) ∨ update(d2 , c, r, d1 )))∗]

〈(¬com⋄(−,−,−))∗ · (resolves(d2 ) ∨ update(d2 , c, r, d1 ))〉T

DRM & Fairness

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Conclusions

fairness

[T∗ · request(d2 , c, r, d1 ) · (¬(resolves(d2 ) ∨ update(d2 , c, r, d1 )))∗]

〈(¬com⋄(−,−,−))∗ · (resolves(d2 ) ∨ update(d2 , c, r, d1 ))〉T

[(¬lastttp)∗ · request(d2 , c, r, d1 ) · (¬lastttp)∗ · resolves(d2 )·

(¬(update(d2 , c, r, P ) ∨ lastttp))∗]

〈(¬com⋄(−,−,−))∗ · update(d2 , c, r, P )〉T

DRM & Fairness

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Conclusions

results

G1. effectiveness:√

DRM & Fairness

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Conclusions

results

G2. secrecy:√

DRM & Fairness

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Conclusions

results

G2. secrecy:√

G3. resist content masquerading:√

DRM & Fairness

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Conclusions

results

G2. secrecy:√

G4. strong fairness:

DRM & Fairness

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Conclusions

results

G2. secrecy:√

G4. strong fairness:- for provider:

DRM & Fairness

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Conclusions

results

G2. secrecy:√

√- for d2 when buying from provider:

DRM & Fairness

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Conclusions

results

G2. secrecy:√

√- for d2 when reselling:

DRM & Fairness

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Conclusions

results

G2. secrecy:√

√- for d2 when reselling:

√- for d2 when buying from d1 :

DRM & Fairness

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Model checking

Conclusions-final remarks

final remarks

Nuovo beyond this talk:

attention to practical security proof-of-concept implementation

Closing remarks:

fair exchange in DRM seems possible formal modelling & verification helps only finite instances checked DRM also needs practical security (done for Nuovo)

DRM & Fairness

Fairness in DRM

Nuovo DRM

Formalising Nuovo

Model checking

Conclusions-final remarks

last slide

Thank you for your attention.

Questions?

nuovo drm - satoss.uni.lusatoss.uni.lu/seminars/srm/pdfs/hugo-nuovo.pdfnuovo...

Documents

the fundabac for amine treatment drm - haakon...

plm 자료보안 성공적구축사례 - plm.or.kr · pdf...

planning parameters for drm mode e (‘drm+’) parameters...

drm estadistica

hyperion drm training | hyperion drm training online | ...

tipos de drm drm social o blando versus drm duro

nuovo drm paradiso: formal speci cation and veri cation of...

srm-2605 srm-2605 en

to drm or not to drm?

copyright © 2005 kenwood all rights reserved. may not be...

srm catalog srm ebp configuration

planning parameters for drm mode e (‘drm+’) ·...

drm interoperability

digital rights management. 2 introduction of drm ...

hyperion drm online training | oracle hyperion drm online...

drm scouncilpresentation

cat. no. r132-es2-02...21. edición online funciones útiles...

drm prospectus

sap srm training | sap srm online training | sap srm course

drm - mamposteria