[Paper Overview] [DRM-Workshop Homepage]

Establishing security requirements for more effective
and scalable DRM Solutions

NTRU W3C Position Paper

Jeremy Wyant

Overview

There is a growing demand for electronic delivery of copyrighted and/or sensitive intangible goods. Lack of trust in the ability of existing infrastructure to protect these goods is a significant barrier to growth in these sectors. Standards based DRM that incorporates appropriate security technology is a critical enabler for trusted intangible goods distribution systems. Equally important to the security of the overall system is the acceptability of the system to the end user. A secure system must also meet customer expectations for convenience, performance and an ability to deal with intangible goods in ways they have come to expect and demand.

DRM Security Requirements

DRM technologies have their own inherent security requirements for protecting sensitive rights information, authenticating entities in transactions and providing data integrity. Understanding and defining security requirements is a fundamental part of establishing effective, interoperable DRM standards, the technologies that implement these standards and the systems that incorporate these technologies.

When establishing the standards for digital rights many security related questions must be considered including:

• What are the requirements for proving the authenticity (i.e. origin and integrity) of specified rights?
• What are the requirements to electronically bind content to rights?
• What type of rights information should be protected from access by unauthorized individuals and/or systems?
• Under what conditions should rights information be protected?

In addition to understanding the security requirements related to the rights standards themselves, it is important to understand the predominant technologies that could be used today and the implications for how any proposed standards can be applied to these technologies to build effective, practical solutions. Questions to consider include:

• How can DRM solutions leverage trusted software and hardware solutions?
• How can digital signature technology be used to authenticate entities in transactions, prove the authenticity of content and rights, and provide non-repudiation services?
• What technology can be used to bind content to a device or to a user?
• Can cryptographic technology be used as an enabling technology to allow a user to access content on multiple devices in a trusted manner?
• When will encryption be required? Protecting content? Protecting a subset of rights information?
• How does content watermarking and fingerprinting relate to and/or complement DRM technology?
• How does the implementation of DRM affect performance and use on low cost constrained end user devices?
• How can DRM solutions that incorporate authentication and encryption technology be used today in emerging consumer-oriented solutions?

Trusted DRM Solutions

There are strong incentives for providers of DRM solutions and complementary technology to work together to establish appropriate standards to facilitate growth in the distribution of intangible goods. Systems enhanced by secure DRM can provide the trust that distributors of valuable or sensitive content require before widely adopting electronic distribution methods.

Trusted end user devices are a foundation component in the delivery of intangible goods. These devices must provide content providers with a high degree of certainty that they are delivering content to authenticated, trusted devices and specific authorized users. But the security mechanisms used on these devices must be cost effective to implement, virtually transparent to the end user and designed to adapt to new security paradigms and transactions that require DRM related security services.

NTRU and other suppliers of encryption and authentication technology can provide insight into appropriate security requirements that apply directly to DRM standards. Considering security requirements during the process of establishing DRM standards is important to ensure that end systems will be:

• specified with security in mind not as an afterthought
• compliant with established security standards
• trusted by those with a vested interest in the protection of the content
• relatively easy to implement
• efficient to operate and maintain
• easy to use from the end user?s perspective throughout the lifecycle of the use of the intangible goods
• scalable
• adaptable to permit different security paradigms
• renewable from a security perspective

NTRU Background

NTRU Cryptosystems, Inc. provides fast and efficient security solutions that are especially well suited to complement DRM solutions to provide end-to-end content protection. The high performance NTRU Public Key algorithm meets the demanding requirements of constrained end user devices and provides the ability for servers to scale up to handle heavy secure transaction loads. NTRU?s unprecedented performance allows for new security paradigms including field level encryption and authentication and disposable keys in wired and wireless environments.