
Position paper for W3C DRM workshop.

Digital Qualification - direct deployment of PKC in the access control of diverse content and services

Kilho Shin, Fuji Xerox Co., Ltd. & AccessTicket Systems Inc.

Craig A. Schultz, AccessTicket Systems Inc.

Contents :

  1. Needs in the field of DRM that we would like to have addressed in the workshop.
  2. General expectations on the final output of the workshop.
  3. Potential contributions to the discussion, related ideas, and suggested solutions.
  4. A technical contribution describing potential applications accompanying this position paper as an appendix.

    We do not have any specific needs that we would like the workshop to address; our primary intent is to contribute solutions. However, we feel that a workshop of this type will allow us to understand the needs of the community better and to consider ways in which we could contribute even more, either separately or in collaboration with other attendees or the W3C itself.

    As mentioned in point 1, we hope for raised awareness among all attendees of the requirements and possible solutions in the field of content and service access control. In addition, we hope to develop collaborative relationships with parties interested in providing a richer and more secure Internet-based experience of content and service distribution.

    This paper presents a new framework for access control, characterized by a very simple model of authentication and authorization of rights based on the direct deployment of PKC (Public-Key Cryptography). In contrast to DRM languages, rights authentication and authorization have little to do with the definition of rights for a given service or content; in fact they are rights agnostic, just as they are content and service agnostic. Rights authentication and authorization are concerned only with making sure that whatever rights are described, in whatever rights definition language, are carried out. To distinguish this concept from DRM languages, we introduce the term rights enforcement via Digital Qualification.

The chief objectives of Digital Qualification, which is a framework to realize rights enforcement, are as follows.

  1. To present a simple conceptual model of authentication and authorization of rights, such that service providers can easily design how their proprietary services are provided to end users.
  2. To provide a set of open procedures for authorizing users (granting rights to users) and for authenticating claimed rights to services, such that implementers can develop their systems with the advantages of an open-architecture development environment.

To support the requirements of simplicity and openness stated above, Digital Qualification applies Public Key Cryptography directly to access control. Its most fundamental feature is this: a public key, or a certificate specifying the public key, is assigned to the entity to be accessed by end users, rather than to individual users. An end user's right to access the entity is verified using only that public key and an appropriate PKC algorithm chosen from among the PKC standards. In other words, authorized users are allowed to perform a computation equivalent to one carried out with the private key paired with the public key used for verification.

Example.

An author encrypts their proprietary content using a public key assigned to that content and distributes it in encrypted form by arbitrary means (e.g. the Internet). When the content is used, a content viewer or player allows an authorized user to decrypt it (using blind decryption techniques, for example) and then renders it. Since Digital Qualification assumes that only authorized users can decrypt data encrypted under the public key, this prevents unauthorized access to the content by adversarial users.

Remark. In an ordinary implementation, it is a symmetric key of a block cipher that actually encrypts the body of the content; that symmetric key is then encrypted using the assigned public key.

Remark. Blind decryption techniques enable the owner of a decryption key to decrypt encrypted data on behalf of another party without the clear data being exposed to the key owner.

Example.

Consider the case where a Web site provides several proprietary services, each only to its own subscribers. For this purpose, the owner of the site assigns a public key to each service and develops the site so that whenever a subscriber requests a service, the authentication protocol for the public key associated with that service is executed (i.e. the site runs the same verification procedure with the assigned public key no matter who the subscriber is). Only when authentication succeeds does the site provide the requested service to the subscriber.

Several points should be noted about the above examples.

First, an ACL (Access Control List) is no longer required: verification of claimed rights is executed based only on public keys and PKC algorithms.

Secondly, verification is entirely off-line and needs no central administration, such as rights-tracking servers, nor any network connection at all.

These two features release providers of content and services from the burden of maintaining ACLs and rights servers securely (maintaining a rights server usually requires deploying and maintaining a firewall). Furthermore, they give content and service providers a very simple view of rights authentication, since claimed rights are verified at the point where the content and services are consumed.

Thirdly, the procedures for verifying rights (e.g. decrypting content) derive directly from widely accepted PKC algorithms such as RSA. Thus, as far as rights authentication is concerned, implementers can develop systems such as content viewers or players using only standardized or otherwise well-known public methods.

Lastly, from the user's point of view, authentication never uses any information that could reveal the user's identity, unless the policies of a given service provider specifically require it. Totally anonymous access to content and services is therefore guaranteed.

However, an important technical issue must be overcome to realize Digital Qualification: how can the secure use of a private key be permitted only to authorized users? In other words, we need a cryptographic scheme that entrusts only the use of a PKC private key to third parties, without allowing the private key itself to be abused.

Fuji Xerox Co., Ltd. and AccessTicket Systems Inc. have developed technologies to provide a solution to this issue. The technologies are collectively called AccessTicket Technology.

AccessTicket Technology realizes the secure entrustment of the use of private keys by assuming that each user retains their own unique black-box function, which we call a Token. On input of an arbitrary challenge, the Token outputs a response that satisfies a certain mathematical relation to the challenge. At the same time, the Token is assumed to be a black box in the sense that no one can predict its response to a given challenge without access to the secrets confined within it. Note that different users retain different instances of Token, each with a different definition of the Token function.

Data called an AccessTicket is the other building block of AccessTicket Technology. An AccessTicket is actually a cryptographic key generated from a specific public key pair (a public key and private key of PKC) and a specific instance of Token. An AccessTicket and a Token are combined and used as follows.

  1. Suppose that the AccessTicket and the Token validly correspond to each other. Using the AccessTicket as a cryptographic key, one executes a PKC algorithm to obtain a result. One also obtains a response from the Token on input of an appropriate challenge. Combining the first result with the second response in the appropriate manner reproduces exactly the result that would be obtained by executing the PKC algorithm with the actual private key.
    For example, to decrypt data encrypted with a particular public key, one executes two steps: perform the calculation using the AccessTicket as if it were the actual decryption key; then input the encrypted data and other necessary information into the Token to receive a response. If and only if the AccessTicket and the Token form a valid pair can the clear data be obtained by combining the result of the first step with the response from the second.
  2. Even if an adversary obtains a valid AccessTicket, they gain nothing useful for impersonation from it: without the corresponding Token, the AccessTicket never produces any meaningful result.
    For example, for an adversary to recover the clear data from the result of the calculation involving the AccessTicket is as difficult as breaking the original PKC algorithm.
  3. In the same way, abuse of a Token never reveals any clues useful for impersonation.
    In the above example, even if an adversary can operate a Token at will, the data can never be recovered in clear without a valid AccessTicket/Token pair.

The above immediately implies that transferring an AccessTicket is meaningless for the purpose of impersonation, since a Token is implemented as a copy-resistant entity; AccessTickets can therefore be distributed even over insecure channels such as e-mail.
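The following Go program is an added illustration of the mechanism described in the three points above, together with the first Example and its Remark (a symmetric key for the content body, wrapped under the public key assigned to the content). It is not code from the paper and does not reproduce the actual AccessTicket construction or TAP, which are not specified here; it uses one well-known way of realizing such a split, an additive sharing of the RSA private exponent d modulo phi(n), so that c^ticket times the Token's response c^F equals c^d. The Token function F = SHA-256(secret || n), the assumption that the ticket issuer knows the Token's secret (as the party that provisioned it), and the use of textbook (unpadded) RSA to wrap the symmetric key are all assumptions made for illustration; the content string is constructed. The same combination would serve the second Example if the service sent a random challenge in place of the wrapped key and checked the combined response with the public key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// mustRandom returns n cryptographically random bytes or panics.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Token models one user's black-box function. Its secret never leaves it; its response to
// challenge c under modulus n is c^F mod n with F = SHA-256(secret || n), an assumed F.
type Token struct{ secret []byte }

func NewToken() *Token { return &Token{secret: mustRandom(32)} }

// hiddenExponent is known only inside the Token and to the issuer that provisioned it.
func (t *Token) hiddenExponent(n *big.Int) *big.Int {
	sum := sha256.Sum256(append(append([]byte{}, t.secret...), n.Bytes()...))
	return new(big.Int).SetBytes(sum[:])
}

// Respond is the only operation a Token exposes to whoever holds it.
func (t *Token) Respond(challenge, n *big.Int) *big.Int {
	return new(big.Int).Exp(challenge, t.hiddenExponent(n), n)
}

// IssueTicket splits the private exponent additively: ticket = d - F mod phi(n).
// On its own the ticket is a random-looking exponent that says nothing about d.
func IssueTicket(priv *rsa.PrivateKey, tok *Token) *big.Int {
	p1 := new(big.Int).Sub(priv.Primes[0], big.NewInt(1))
	q1 := new(big.Int).Sub(priv.Primes[1], big.NewInt(1))
	t := new(big.Int).Sub(priv.D, tok.hiddenExponent(priv.N))
	return t.Mod(t, p1.Mul(p1, q1)) // Euclidean Mod: the result is non-negative
}

// aesGCM cannot fail for a 32-byte key, so the errors are discarded.
func aesGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// EncryptContent seals the body under a fresh AES-256-GCM key and wraps that key, as an
// integer, with textbook RSA under the content's public key (a real system would use OAEP).
func EncryptContent(pub *rsa.PublicKey, plaintext []byte) (wrapped *big.Int, nonce, body []byte) {
	key := mustRandom(32)
	nonce = mustRandom(12)
	body = aesGCM(key).Seal(nil, nonce, plaintext, nil)
	wrapped = new(big.Int).Exp(new(big.Int).SetBytes(key), big.NewInt(int64(pub.E)), pub.N)
	return wrapped, nonce, body
}

// DecryptContent is the player's side and never sees d: c^ticket * Token(c) = c^d = key.
// A mismatched ticket/Token pair yields a random residue, which is rejected here.
func DecryptContent(pub *rsa.PublicKey, ticket *big.Int, tok *Token, wrapped *big.Int, nonce, body []byte) ([]byte, error) {
	k := new(big.Int).Exp(wrapped, ticket, pub.N)
	k.Mul(k, tok.Respond(wrapped, pub.N)).Mod(k, pub.N)
	if k.BitLen() > 256 {
		return nil, errors.New("ticket and Token do not form a valid pair")
	}
	key := make([]byte, 32)
	k.FillBytes(key)
	return aesGCM(key).Open(nil, nonce, body, nil)
}

// RunScenario assigns one key pair to a content item, gives alice and mallory their own Tokens
// and a ticket only to alice, then reports what alice recovers and whether mallory is rejected
// when she tries a copy of alice's ticket (obtained, say, from e-mail) with her own Token.
func RunScenario(content []byte) (recovered []byte, foreignRejected bool, err error) {
	contentKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	wrapped, nonce, body := EncryptContent(&contentKey.PublicKey, content)
	alice, mallory := NewToken(), NewToken()
	ticket := IssueTicket(contentKey, alice)
	if recovered, err = DecryptContent(&contentKey.PublicKey, ticket, alice, wrapped, nonce, body); err != nil {
		return nil, false, err
	}
	_, mErr := DecryptContent(&contentKey.PublicKey, ticket, mallory, wrapped, nonce, body)
	return recovered, mErr != nil, nil
}

func main() {
	got, rejected, err := RunScenario([]byte("constructed sample content"))
	fmt.Printf("recovered=%q foreignRejected=%v err=%v\n", got, rejected, err)
}
```

Run it with go run; alice recovers the content, and mallory's attempt with the copied ticket fails because the product of the two partial results is a random residue rather than the wrapped key. Two caveats a practitioner should keep in mind: the Token here is an ordinary struct, whereas the scheme depends on it being a copy-resistant device; and a bare exponent share carries no issuer signature, so the non-forgeability, open verification and non-repudiation properties the paper requires of AccessTickets are not provided by this split alone.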

In addition, AccessTicket Technology satisfies the following security requirements.

Non-forgeability: even if an adversary collects as many AccessTickets as they like, whether issued for the same Token or for random Tokens, no clues useful for forging a new valid AccessTicket are revealed.

Open verification: a legitimate recipient of an AccessTicket, or a trusted third party, can verify the legitimacy of the AccessTicket through published procedures.

Non-repudiation: once a given AccessTicket has been verified as legitimate, its issuer cannot repudiate having issued it.

Taking advantage of AccessTicket Technology, Fuji Xerox and AccessTicket Systems have developed protocols for rights authentication, namely the Ticket Authentication Protocols (TAP) [1]. TAP has an efficiency-oriented design so that it can be implemented on any device and over any carrier protocol, including TCP/IP, Bluetooth and so on.

Fuji Xerox Co., Ltd. and AccessTicket Systems Inc. will introduce the concept of Digital Qualification and its implementing technology, AccessTicket Technology, throughout this workshop, as its applications are not limited to the goods and services normally considered in discussions of content or service access control but are much wider, including but not limited to securing communication channels. At the same time, we are pursuing every opportunity to collaborate with organizations or corporate entities that are actively contributing to the Internet society through the W3C.

Reference

[1] M. Kyojima and K. Shin: Ticket Authentication Protocols Version 1. Available at http://www.accessticket.com/eng-down.html.

4. Appendix:

Although TAP has been deployed to support the secure distribution, usage and storage of content valued at up to US$30,000 per ticket, and we would like to contribute to current work on managing digital content rights, we feel that an even more interesting application of this technology is in the area of digital service rights.

Because Digital Qualification is entirely data and rights agnostic, it is basically a method to allow or disallow access to digital data. In this context, some very interesting possibilities present themselves.

The most exciting of these is that a nonce, or session key, could itself be the digital data to which access is granted. For example, a network or Internet service provider could use Needham-Schroeder challenge-response authentication for all network access. Instead of passing the session key directly to the client application, it could be encapsulated using TAP and received by the client. The usage rights included in the received capsule could then be verified before the encrypted nonce is recovered and allowed to be used for data exchange with the requested service provider.

Since the system is rights agnostic, the rights could require payment (as in billing for bandwidth usage), or some form of identification such as a face scan or fingerprint; or they could require nothing at all beyond holding the required ticket, received via e-mail, in person, or by any other method imaginable.

The business models this makes possible are very interesting, to say the least: a system whereby users can be securely identified, yet anonymously, in order to be billed for bandwidth usage; a system whereby content purchased via the web can be downloaded securely from an address accessible only to holders of the correct ticket; a system whereby a global corporate or private extranet could be deployed with security exceeding that of an intranet. Most exciting is the possibility that what is encrypted data for one entity is simply opaque data for another.

This last possibility opens the prospect of layer upon layer of access rights placed on the content by independent entities, all authenticated and enforced by a single system.