Considerations on DRM standards
These are some notes based on publically available information to
answer the following questions:
1. Industry consortia
Industry consortia are initiatives organized by the industry with
the goal to create technical specifications based on agreements
between their members. Many industry standards for digital media
have their roots in media industries whose businesses
traditionally were connected with the media transport on certain
networks.
- Broadcast industry (broadcast networks, e.g. satellite, broadband cable, terrestrial)
- Mobile telecommunication industry (mobile networks)
- Fixed line Telecommunication industry (old telephony networks)
With the convergence of networks and devices the boundaries
between the media industries are gradually disappearing.
1.1.1 Conditional Access (CA)
Digital PayTV broadcast systems are mostly based on the Digital
Video Broadcasting (DVB)
standard. DVB Conditional Access (CA) systems consist of several
blocks; among others
- the mechanisms to scramble the programme or services
- The Subscriber Management System (SMS), in which all customer data
are stored
- The Subscriber Authorization System (SAS), that
encrypts and delivers those Control Words which enable the
descrambler to make the programme legible.
It was one of the strategic decisions taken by the DVB Project
that neither the SMS nor SAS should be standardized. The billing
is also not specified by DVB. This allows a Service Provider to
choose the way to deal with the user's rights, the hierarchical
key systems, the billing, etc.. Proprietary SAS inhibit the
interoperability between DVB receivers. A major part of the DVB
PayTV set-top boxes can only receive Services of certain Service
Providers.
The only part of a CA system which was developed jointly by
members of DVB is the Common Scrambling Algorithm (CSA).
The MPEG-2 Transport Streams (TS) or the Packetised Elementary
Streams (PES) of the DVB broadcast signal are encrypted using the
CSA. Entitlement Control Messages (ECM) are added to the encrypted
packet streams. The ECM contain two Control Words encoded with a
proprietary algorithm (e.g. Irdeto) which are used by the receiver
to decrypt the DVB signal. In parallel broadcasters insert
Entitlement Management Messages (EMM) to manage the access rights
of users (e.g. to PayTV content).
- DVB Key Distribution (PayTV model)
- The structure/format of the EMM (Entitlement Management
Message) and ECM (Entitlement Control Message) for transmission
is standardized but not their content. ECM is ciphered using the
Broadcast Key. The Broadcast Key is common to all subscribers of
a given service of the Service Provider. EMMs are used to convey
rights or keys to users, or to invalidate or delete rights or
keys. The EMM are encrypted with a Management Key belonging to
the Service Provider.
1.1.2 Digital Video Broadcasting - Handheld (DVB-H)
DVB-H is a technical
specification for bringing broadcast services to handheld
receivers. DVB-H was formally adopted as ETSI standard EN 302 304 in
November 2004. Within DVB-H, two incompatible DRM schemes have
been specified for the protection of broadcast services. Both
schemes (OF and 18C) are based on OMA 2.0:
- Open Framework (OF) requires a proprietary smartcard (SIM). CAS vendors,
(e.g. Nagravision, Irdeto, NDS),
network operators and SIM vendors push for OF
- The Open Framework approach employs standard ISMAcryp scrambling, and standard signaling EMMs and ECMs in the
broadcast streams
- The Open Framework approach
provides for renewable security by means of downloading security
components or, optionally, by swapping the SIM/ USIM.
- 18Crypt (18C), requires no SIM card. Device Manufacturers
(e.g. Nokia)
push the terminal centric 18C based on certificates and Rights
Objects (RO). According to the 18C specification, the services
are protected at two levels:
- The actual payload IP traffic is encrypted with 128-bit AES
encryption in the Broadcast Encapsulator with a frequently
changing key (even every few seconds)
- The traffic decryption keys for each service are broadcast
along the encrypted service in the OMA DRM 2.0 protected key
stream so that only a mobile terminal with the proper DRM rights
object can decrypt it and access the service
Recently, several systems have been developed that enable the
delivery of broadcast services to mobile devices, including for
example:
While the mentioned standards cover the radio transmission and
additional server layer components, other standardization bodies
like the Open Mobile Alliance (OMA) concentrate on service layer
aspects of Mobile TV above IP transport.
The Open Mobile Alliance (OMA) is an industry
consortium which develops open standards for the mobile
industry. To this date two versions of OMA DRM have been
released:
- OMA DRM 1.0 specifies three main methods
- Forward Lock
- Combined Delivery (combined rights object / media object)
- Separate Delivery (separated rights object + encrypted media
object)
- OMA DRM 2.0 extends OMA DRM 1.0 by specifying separate delivery mechanisms
- Each participating device in OMA DRM 2.0 has an individual DRM PKI certificate with a public key, and the corresponding private key.
- Each Rights Object (RO) is individually protected for one receiving device by encrypting it with the device public key. The RO in turn contains the key that is used to decrypt the media object.
- Delivery of Rights Objects requires a registration with the Rights Issuer (RI, the entitiy distributing Rights Objects). During this registration, the device certificate is usually validated against a device blacklist by means of an Online Certificate Status Protocol (OCSP) verification.
The Open Mobile Alliance has adopted ODRL as the Rights Expression Language
(REL) used in their DRM specifications and new mobile phone
handsets support this ODRL Profile.
DMP approaches the problem of
DRM Interoperability by specifying technologies - that DMP calls
Tools - required to implement what DMP calls "Primitive
Functions". These are "smaller" functions obtained when the
functions value-chain users perform when they do business between
themselves are broken down into more atomic elements. DMP provides
specifications of Tools enabling Primitive Functions along with
examples of how Value-Chains serving specific goals can be set up
using the standard Tools. DMP specifications are developed in
phases (currently IDP-2),
so as to achieve gradual development of standards technologies.
IDP-2 starts with a set of notions of how content information is
packaged in an XML-based file format that includes an identifier,
metadata, rights information, and so on -- mostly based on MPEG-21
standards such as Digital Item Description Language (DIDL),
Intellectual Property Management Protocol (IPMP), and Rights
Expression Language (REL).
Then it includes a small set of core DRM functions that are
assumed to be present in every device that can exercise rights to
content such as play and store.
The flexibility of IDP-2 comes via the ways in which devices' DRM
functionality can be expanded. IDP-2 compatible devices can
provide storage for "DRM Tools", which expand their functionality
beyond the core. If a content license (which can be part of a
content item or separate from it) comes to a device with rights
that are beyond the device's capability to process, then the
device can contact a Service Provider to obtain the required DRM
tools, provided they work with the device in question. DRM tools
can also be bundled with content items.
Technical Specifications by DMP are made available in a form such
that users can implement them either freely, or on a royalty-free
basis. Technologies specified by DMP are standardized in MPEG.
In January 2005, five companies Intertrust, Panasonic, Philips,
Samsung, and Sony jointly developed specifications for a DRM-based
content sharing platform for consumer devices and multimedia
services called Marlin. Marlin
is founded on proprietary Octopus and NEMO technologies, and open
standards for distributed (web services) architectures.
Octopus is a toolkit for implementing rights management
functionality. The toolkit is using a graph-based relationship
engine that uses links and nodes to associate rights with abstract
entities, allowing for a semantic-free expression of rights. In
Marlin a Content Object refers to the encrypted content that the
system governs. It consists of various header data, and a block
containing the encrypted media file. The content object can be
delivered in a variety of ways and can be transported within
industry standard, open file formats. A symmetric key is used to
encrypt the media in the Content Object, and this key is itself
encrypted and delivered separately in a "License Bundle". The
Marlin toolkit includes a key distribution system. NEMO stands for
Networked Environment for Media Orchestration. It is a
services-based architecture for providing rights management by
supporting a trusted interaction among entities that play
well-defined and certified roles.
The Marlin Trust Management Organization (MTMO) serves as a
one-stop shop for all trust management services, including
certification and key management. The MTMO is an independent,
neutral organization set up as an LLC by the founding members.
The goal of the Coral Consortium is to enable a world in which
content consumers don't need to know or care what DRM is used to
protect any content, but in which content providers and other
parties have freedom to choose the DRM technology that is most
appropriate for their businesses.
From a consumer standpoint, the core of the interoperability
approach is the Coral rights token: when a consumer obtains access
to content (e.g., buys a song, uses a subscription), what really
happens is that the consumer gets a rights token that the Coral
technology creates and manages. Unlike some interoperability
approaches, which attempt to unify technologies by adjusting them
to fit a single model, the Coral approach is to interact with the
native software interfaces of each DRM and provide an
interoperability layer on top. To actually use the content (e.g.,
listen to the song), the consumer's rights token is translated
into an appropriate DRM license managed by the underlying DRM
technology that protects the content.
2. Standards organisations
Standards organisations are developing, coordinating,
promulgating, revising, amending, reissuing, interpreting, or
otherwise maintaining standards that address the interests of a
wide base of users outside the standards development organization.
The International Organization for Standardization (ISO) is an international
standard-setting body composed of representatives from national
standards bodies. The International Electrotechnical Commission
(IEC) is an international
standards organization dealing with electrical, electronic and
related technologies. Some of its standards are developed jointly
with ISO.
2.1.1 MPEG (Moving Picture Experts Group)
MPEG is a working group
of ISO/IEC charged with the development of video and audio
encoding standards. The scope of activity of the Moving Picture
Coding Experts Group (MPEG) covers standardisation of all technologies
that are required for interoperable multimedia.
MPEG operates in the framework of the Joint ISO/IEC Technical
Committee (JTC 1) on Information Technology and is formally WG11
of SC29. Published MPEG standards are the last stage of a long process. Attendance at MPEG meetings
requires accreditation by a National Standards Body or standards
committee in liaison. Experts attending MPEG not representing a
committee in liaison must be members of a National Delegation.
The European Telecommunications Standards Institute (ETSI) is
responsible for standardization of Information and Communication
Technologies (ICT) within Europe. These technologies include
telecommunications, broadcasting and related areas.
ETSI has been named as Custodian, by the companies which have
developed the DVB specifications, e.g. to handle licensing of the
Common Descrambling System and distribution of the specification
and other confidential information.
The main DRM components of the systems mentioned above include
- Service protection
- Service/ stream encryption
- Key management
- Content protection
Service and Content protection are necessary to protect privacy of
end users, but mainly to protect the commercial exploitation of
services from unauthorized access and re-distribution. The borders
between Service protection and Content Protection are sometimes
blurry, because in fact some methods can provide both Service and
Content protection.
The following components are also relevant for the protection of
digital media services, but are subordinate to the considerations
on DRM.
- electronic service guides (e.g. MHP EPG)
- media coding (e.g. MPEG-4/ AVC, )
- media transport (e.g. RTP)
Service protection restricts the access to authorized users that
have for example subscribed to a Service. The solutions consist of
service/stream encryption and key management components.
For Service/stream encryption several possibilities exist for the
choice of encrypted transport protocols, namely:
- IPsec
- SRTP (Secure Real-Time Transport Protocol)
- ISMACryp (e.g. used by Apple Fairplay)
A main distinguishing feature is the root of trust that the key
hierarchy used for protection of the service is based on. The
trust can either be based on:
- a proprietary smartcard system (DVB-H Open Framework)
- a SIM card (3GPP MBMS GBA, also called OMA BCAST SmartCard profile)
- a DRM PKI system and corresponding certificates (DVB-H 18Crypt and its derived version called OMA BCAST DRM profile)
Content protection protects elements of a Service even after
reception, and prevents use of the data not authorized by
corresponding permissions, copying, and re-distribution to other
users.
Within the MPEG-21 framework MPEG has standardized Digital
Items, being structured digital objects with a standard
representation, identification and metadata. Consequently in an
MPEG standard Content protected by Licenses (containing Rights
Expression) could be expressed in the form of Digital Items. It
appears also feasible to express DRM Tools in the form of Digital
Items.
1.3.1.1 Rights expression languages
Rights expression languages are used to express the rights to use
content in a machine-readable form. For example, they could define
embargos on pre-distributed Content or make the viewer fill out a
questionnaire before watching some content. The main standards
are:
- eXtensible rights Markup Language (XrML), which was
developed by ContentGaurd and is proprietary
- MPEG-21
REL, a standard which is based on XrML and is part of the
MPEG-21 multimedia framework
- Open Digital Rights Language (ODRL), which is an alternative
and noncompatible standard. It is used by the OMA standard. Its
backers claim that it is not subject to any patents
- Proprietary Octopus "relationship engine" (Marlin/
Intertrust)
1.3.1.2 Rights Data Dictionaries (RDD)
Rights dictionaries list terms definitions in natural language,
intended for human consumption and not easily automatable. The
MPEG Rights Data Dictionary (RDD)
intends to facilitate the accurate exchange and processing of
information between interested parties involved in the
administration of rights in, and use of, Digital Items. ODRL uses
a different RDD.
1.3.1.3 Ontologies
Basically, all REL standardisation initiatives have one thing in
common, they work at the syntactic level. Their approach is to
make a formalisation of some XML DTDs and Schemas that define a
rights expression language (REL). In some cases, the semantics of
these languages, the meaning of the expressions, are also provided
but formalised separately as rights data dictionaries (RDD).
Recently it has been shown (Roberto Gonzalez)
that the automation and interoperability of DRM frameworks can be
facilitated by integrating both parts, the Rights Expression
Language and the Rights Data Dictionary. These objectives can be
accomplished using Ontologies,
which provide the required definitions for the REL terms in a
machine-readable form.
Network operators determine the market in the mobile and broadcast
environments. The business models of most network operators still
rely on controlling the access to Services (e.g. telephony,
television broadcast) by combining proprietary DRM with smartcards
(SIM). Due to proprietary DRM schemes currently many devices
(e.g. DVB set-top boxes) are not interoperable. The lack of
interoperability is one of the reasons why DRM is rejected by many
end-users.
Internet services (e.g. Web Services)
are independent from networks. The breakthrough of IPTV and IP
Telephony (e.g. Skype) services shows that the business models of
network operators are changing. Established Network operators
(e.g. Broadband cable operators, fixed telco operators) are
becoming Multiple Service Operators (MSO), e.g. by offering "Triple Play" Services to their customers. However, the
business models of Internet services require Service protection to
be independent from network operators. Since Content and Services
are becoming network agnostic it can be foreseen that the focus of
DRM will gradually shift from Service Protection to Content
Protection.
Microsoft DRM protects Content and Services independently from
Networks. The drawback of Microsoft DRM is that device
interoperability depends on the licensing conditions of a single
company who has a quasi monopoly on computer operating systems and
the application API. Thus there is a risk that by controlling the
licensing conditions for their DRM Microsoft could dictate the
market conditions for network operators, service providers and
device manufacturers. A Microsoft monopoly on DRM would be harmful
for the business of independent DRM implementors.
From the perspective of device manufacturs, service providers, and
network operators open standards for interoperable DRM system
would be more profitable in the long term. Open standards would
enable independent implementations of DRM systems and horizontal
markets for device manufacturers and service providers. In order
to promote open standards for DRM the following approach appears
reasonable:
- team up with the CE industry (e.g. Japanese and Korean brands)
- team up with OS and middleware providers (e.g. Sun Microsystems)
- get involved with the specification of open standards for DRM (e.g. ISO/IEC)
Patent licensing issues continue to inject economic uncertainty to
Service Providers and Device manufacturers who implement DRM,
particularly when there are known patent licensing pools around
standards like OMA DRM and those from MPEG. Patent owners
contributing to DRM standardisation should consider the following
approach:
- identify patent rights in standard proposals
- state patent rights in international standards (e.g. ISO/IEC)
- examine whether additional patent rights will be necessary for standards
- negotiate with applicants outside of ISO (e.g. patent pool)
- make reliable statements to the industry that patent rights will be licensensed under RAND terms and conditions
The Digital Media Project (DMP) has already developed two versions
of the Interoperable DRM Platform specification (IDP-1 and
IDP-2). The Reference Implementation of the IDP is released as
Open Source Software. The reference software attracts implementors
from national research institutions and Universities and thus
efficiently promotes the IDP specifications for national
deployments.
- The Audio and Video coding Standard Workgroup of China (AVS) considers the IDP reference implementation for national standardisation
- The Electronics and Telecommunication Research Institute of Korea (ETRI) has implemented IDP-2 DRM Tools for DVB set-top boxes and mobile devices
4. Consider Open Source
"Open-source DRM can affect the trajectory of the market,
particularly in market segments that technology vendors haven't
locked up yet, such as mobile devices and digital broadcasting.
We also expect that open-source DRM will do more to advance the
cause of standards such as the ones mentioned above, few of which
have achieved any commercial traction" (DRMWatch).
Last modified: Tue Nov 14 11:29:05 CET 2006