[Paper Overview] [DRM-Workshop Homepage]
Pierre Vannel
GEMPLUS
The Group's customers use GEMPLUS memory and microprocessor smart cards, smart contactless cards, electronic tags, smart objects and magnetic stripe cards to simplify and secure a wide range of applications. From Web based and mobile commerce to financial transactions, loyalty, transportation, education healthcare, identity, pay TV and physical and logical access control, GEMPLUS provides intelligent end-to-end solutions that bring security, convenience and ease-of-use to millions of people worldwide.
Founded in 1988, GEMPLUS had sales of over 767 millions of Euro ($US 817 millions) in 1999, and employs 7,000 people (30 June, 2000) in 16 manufacturing facilities, 7 R&D centers and 44 sales and marketing offices located in more than 37 countries.
In 1999 GEMPLUS has absorbed one of its VAR (Value Added Reseller), a French company called EURITIS, specialized in DRM solutions.
Research
GEMPLUS has been involved into European Research projects:
With one of its VAR, a Norway company called SOSPITA, GEMPLUS has demonstrated with an USB smart card a protection system against software piracy at Cartes 2000, Paris, October 24, 2000. See press release at http://www.gemplus.fr/about/pressroom/press/hardware/2000/usb1_us.htm.
The smart card is user centric. It is a personal object used to protect personal data but also to protect data from a third party.
There are several topics we are interested in:
Abstract. Filigrane is a Java framework proposing a secure system for mobile software trading through networks (Internet, GSM…). It well fits the needs of the emerging market of the application service providing, including agent-based services. It aims both the application service provider and the consumer device manufacturer (PC, e-book, PDA…). To the application provider, it provides packaging services to protect the IPRs (Intellectual Property Right) of the software to deliver, according to a license agreement with the end-user. An IPMP (Intellectual Property Management and Protection) system specific to the software producer, plugged into the framework, coordinates the packaging services. Inside the client device, the corresponding IPMP system interprets the execution rules set and coordinates the previous operations. It could be split in two parts: one in the device and the other inside a multi-application smart card (i.e. a JavaCard) as an IPM! P ! card applet.
Thanks to the rapid growth of the Internet and the wireless telephony networks, new electronic distribution schemes of software are emerging: application service providers (ASP), mobile agents services… It seems promising: to the customers, it offers to cut software costs; to the software editors, it enlarges the market and provides recurrent revenues. The main threat for the software industry is the piracy at the customer's side.
The Filigrane project (ESPRIT program) has proposed an infrastructure for electronic software or license distribution. The Filigrane framework is a part of the infrastructure. The reference implementation is a pure Java framework, device independent.
API: Application Programming Interface
DTD Document Type Definition: collection of XML declarations
ERMS Electronic Rights Management System
IPMP Intellectual Property Management and Protection: protection system specific to a software producer in charge to coordinate the packaging of the software or to control its running
IPR Intellectual Property Right
XML Extensible Markup Language
Figure 1 - Architecture for applications distribution over the Internet
The OPIMA initiative [2] defines the concept of Protected Content, which consists of:
In Filigrane, the equivalent concept is an application package, a JAR file that consists of:
This picture introduces the following application distribution scenario.
The end-user selects an application to download (and its conditions of use) through the Application Provider Web site. The ERMS translates the user's selection, and eventually the user's personal data, into a license agreement. Filigrane proposes to express it in generic terms using XML: the proposed DTD should be enough generic to express any kind of license agreements for any software. The ERMS transmits the XML license agreement and the application reference to the Filigrane Framework (Provider part).
The Filigrane Framework prepares the Protected Content: it gets the application; it interprets the license agreement to an execution rules set thanks to the referenced IPMP system; it packages the application, the execution rules set and the Client IPMP systems set reference as a Protected Content. Then it prepares the Client (end-user terminal) to run the Protected Content by securely setting the specific license data into the end-user smart card. It assumes that the corresponding IPMP card applet is already present inside the smart card. The Filigrane Framework (Provider part) transfers the Protected Content to the Web Server, which sends it to the Client (end-user terminal).
Inside the Client, the Filigrane Framework (Client Part) allows the end-user to run the downloaded Protected Content. At the execution time, the referenced IPMP system set unpacks the Protected Content: it verifies, deciphers the Protected Content, interprets the execution rules according to the license stored into the smart card.
There are variations of the previous scenario:
The end-user has already the Protected Content but not the right license data inside the smart card. For example she/he has got it from a CD-ROM, or needs only an extension of the use period. She/he has to contact the Application Provider Web site to get the new license data (prepared by the Filigrane Framework (Provider part)).
The Filigrane Framework (Provider or Client part) has not the whole IPMP systems set referenced by the license agreement or the Protected Content. It automatically downloads the missing IPMP systems from IPMP systems servers into the device and eventually into the smart card.
The Filigrane Framework is limited to the packaging of the Protected Content (Provider side) and to the execution of the Protected Content (end-user side).
The Filigrane Framework proposes standard interfaces (application protocols, APIs) with the other components identified in the Filigrane distribution scenario.
In its design, the Filigrane Framework is able to run over different kinds of hardware and network: PC, PDA, e-book, phone, set-top box… Internet, GSM, TV network… etc.
The reference implementation runs over the Internet.
Figure 2 - Interfaces of the Filigrane Framework
The Application Services API provides the following functionalities:
The Filigrane Framework provides also an interface to download IPMP system components. For both the Provider and the Client, we adopt the protocol defined by the OPIMA specification 1.0, over a secure channel.
The OpenCard Framework (OCF) [3][4] offers the necessary functionalities to integrate various kinds of smart cards and card readers.
The core of the Filigrane Framework is composed of:
The following picture presents the internal organization of the framework. It combines both the roles of a Provider and a Client. Even if the design of the framework allows to split it in a version dedicated to each one, it is interesting to have it in one bundle: everyone on the Internet could be a producer and a consumer of information.
Figure 3 - Filigrane Framework Architecture
A CryptoBottle is a secure container for a mobile code. It has an external interface to package it or to run it (Application Services API). An IPMP System handles the specific protection. An IPMP System uses the Cryptographic Service and eventually the Watermarking Service provided by the framework. The SAC (Secure Authenticated Channel) Services allows secure downloading of new IPMP Systems. New add-ons to OCF allow to access to remote smart card (thanks to Remote Card Terminals components) or to make accessible the local smart cards by remote servers/users (thanks to OCF Servers components). Thus, the Provider can set license data into the remote smart cards of his users and as a Consumer, to update the smart card with new licenses acquired through the Internet.
The work carried out consisted in developing an IPMP system ad hoc for protecting JADE mobile agents.
The following two considerations are at the basis of the developed IPMP system.
JADE is a distributed midleware, i.e. it is composed of several nodes (called containers) running on different hosts and able each one to execute a number of agents.
An IPMP system must be able to control the execution of more that one protected content at the same time. Therefore it is a sort of container of objects (IPMP Sessions) each one controlling the execution of a single protected content.
The IPMP System for controlling agents is therefore structured as depicted in the following figure.
Figure 4 - Structure of the IPMP System for controlling agents
The following picture identifies the main partners involved in the applications distribution. The Code Producer provides application codes to the Application Service Provider. The latter packages the application code to protect it, and proposes it as a service to the End-User, using a network managed by a Network Operator.
The Software Company(ies) provides to the Application Service Provider IPMP systems, algorithms (watermarking, cryptography…), ERMS, PKI infrastructure… etc. The Secure Hardware Manufacturer provides secure hardware solution to protect the cryptographic keys and algorithms (smart cards, other secure modules…) to the Application Service Provider. To the End-User, it provides a secure support and storage for the IPMP systems. The Device Manufacturer provides the device (phone, PDA, e-book, PC, set-up box…) to run the applications to the End-User.
Figure 5 - Business Chain for Applications Distribution
Filigrane is an open framework. With the approach by blocks services, it is able to integrate cryptographic modules, watermarking modules…etc, from various vendors. The IPMP Services API defines how to plug an IPMP system, but doesn't make any assumptions about its internal structure. So the framework is potentially able to package and to run software from various sources, even free software.
The main feature of the Filigrane framework is to provide security upgradability: pluggable services modules and dynamic download of IPMP systems. The fight against piracy never stops. The ability to improve easily the protection gives a significant advantage.
Thanks to its open design, the Filigrane Framework could be easily ported to other multimedia contents: music, books, movies…
At the beginning of the year 2001, the reference implementation of the Filigrane Framework will be available on the Gemplus Developers Web site, http://developers.gemplus.com, as Open Source.
[1] FILIGRANE Consortium. ESPRIT project no 28423. Official Web Site at http://www.filigrane.org
[2] OPIMA Specifications 1.0. Available at the Web Site: http://drogo.cselt.it/ufv/leonardo/opima/
[3] OpenCard Consortium. Official Web Site at http://www.opencard.org
[4] U. Hansmann, M.S. Nicklous, T. Schäck & F. Seliger, Smart Card Application Development using Java. ISBN 3-540-65829-7. Springer, 2000.
[5] JADE Agent Platform. Official Web Site at http://sharon.cselt.it/projects/jade/