Secure and Privacy-Preserving DRM for Mobile Devices with Web Service Security ∗ – An Experience Report –

Preserving the customer’s privacy has to be a major concern when implementing a commercial DRM system. In [12] a privacy-preserving digital rights management (DRM) architecture based on the widely used Open Mobile Alliance (OMA) DRM [17] specification for mobile devices has been suggested. In this paper the design of a possible implementation of the proposed architecture is explained which uses Web Service Security (WSS). This choice has been made since the web services originally designed in the architecture have to meet several security features which are necessary for privacy-preservation. Thus specifically selected WSS features facilitate validation of correctness of the security enhanced concept. This validation is reflected by a detailed security assessment. Moreover a prototypical implementation of privacy-preserving DRM by using a recent WSS implementation (WSS4J) is briefly explained. Finally, along with the experiences from the implementation, a discussion of a potential extension of our suggested architecture and implementation to other DRM systems is given. This discussion also reviews privacy and DRM, both mobile and stationary, in general from a technological point of view. The conclusion is that a similar extension would be possible for all DRM specifications that do not require an online on-access license validation.

[1]  Rose F. Gamble,et al.  Forming a Security Certification Enclave for Service-Oriented Architectures , 2006, 2006 IEEE Services Computing Workshops.

[2]  Daniel Kadenbach,et al.  A DRM Architecture for Securing User Privacy by Design , 2007, WOSIS.

[3]  David Chaum,et al.  Untraceable electronic mail, return addresses, and digital pseudonyms , 1981, CACM.

[4]  Bart De Decker,et al.  Towards a software architecture for DRM , 2005, DRM '05.

[5]  Daniel Kadenbach,et al.  Implementing OMA DRM Using Web Services: An Approach to Integrate OMA DRM and Web Services on Mobile Units , 2007, 2007 International Conference on Mobile Data Management.

[6]  Andreas Schaad,et al.  Towards secure SOAP message exchange in a SOA , 2006, SWS '06.

[7]  Valérie Monfort,et al.  A concrete solution for web services adaptability using policies and aspects , 2004, ICSOC '04.

[8]  Olivier Chevassut,et al.  Secure password-based authenticated key exchange for web services , 2004, SWS '04.

[9]  Giovanni Della-Libera,et al.  Web Services Trust Language (WS-Trust) , 2002 .

[10]  Michiel van der Veen,et al.  Controlled Sharing of Personal Content Using Digital Rights Management , 2006, J. Res. Pract. Inf. Technol..

[11]  John Zic,et al.  Performance Evaluation and Modeling of Web Services Security , 2007, IEEE International Conference on Web Services (ICWS 2007).

[12]  Andrew D. Gordon,et al.  An advisor for web services security policies , 2005, SWS '05.

[13]  Mario Piattini,et al.  PWSSec: Process for Web Services Security , 2006, 2006 IEEE International Conference on Web Services (ICWS'06).

[14]  Mario Piattini,et al.  Web services enterprise security architecture: a case study , 2005, SWS '05.