Executive Summary

This document describes the results of the first two work packages of the research project "Enforcement for Usage Control", carried out jointly by DoCoMo Euro-Labs and the Information Security group at ETH Zurich. The goal of the project is the development of a server-side architecture that enables the enforcement of usage control requirements at the data consumer's side. Data consumers can be both mobile phones and content providers.

The goal of the first two work packages is to survey existing usage control mechanisms in order to identify which requirements are not yet supported, to create a systematic approach for classifying control mechanisms and describing their capabilities, and to define important areas of future work. The present report provides a taxonomy of usage control mechanisms, a survey of about twenty-five current Digital Rights Management (DRM) mechanisms and architectures, a comparison of these mechanisms on the grounds of the taxonomy, a discussion of the potential impact of heterogeneous client-side enforcement mechanisms on the server-side architecture, and a sketch of potential future work.

The results can be summarized as follows.

• The classification criteria for control mechanisms presented in this report can be used for systematically describing mechanisms and their capabilities. This is important for selecting the appropriate mechanism for a given use case.
• There is a wide range of control mechanisms. However, many of them are very similar both in terms of the targeted applications and in terms of the usage requirements they can enforce.
• There is a trend towards interoperability of DRM technologies and cross-industry standards. The industry seems to cater for the consumer's need to use content on any of their devices. The catalog of classification criteria can help determine whether one mechanism can be safely replaced by another one that is available on a particular platform.
• The weak links in encryption-based DRM mechanisms are key protection and protection of content after decryption. These problems can potentially be solved by means of hardware, e.g., trusted computing technology.
• Client-side DRM mechanisms exist predominantly in the context of DRM for the protection of intellectual property. The areas of privacy and compliance are addressed only rudimentarily.
• Observability and monitoring seem to be predominantly applicable when exchanging data between enterprises, e.g., telecommunication infrastructure providers and service/content providers. They have the potential to support usage requirements that are not enforced by control mechanisms. Observation mechanisms …