Page 1
1
Seite 1
© Grimm TU Ilmenau 2005 1 /28
INDICARE Workshop on DRM
3rd February 2005
A security analysis of business models for digital products
Prof. Dr. Rüdiger Grimm
Institute for Media and Communication StudyTechnische Universität Ilmenau
andFraunhofer Institute for Digital Media Technology
© Grimm TU Ilmenau 2005 2 /28
Content
1. Security
2. Digital Rights Management
3. Role of payment
4. New business models
5. PotatoSystem
Page 2
2
Seite 2
© Grimm TU Ilmenau 2005 3 /28
No music
No payment
No trust
What Can Happen in the Internet
• Eavesdropping
• Theft
• Change, delete
• Identity fraud
• Repudiate
• Loss of access
• Loss of control
• Virusses
• Privacyattacks
• SPAM
© Grimm TU Ilmenau 2005 4 /28
IT Security
• The aim of an „attack“ is a personal advantage of the attacker on the cost of the attacked.
• Security problems stem from conflicts of interest between human actors.
Page 3
3
Seite 3
© Grimm TU Ilmenau 2005 5 /28
Digital Rights Management - Aims
• To imitate physical properties of goods
• Uniqueness
• No cheap copy
• Or to behave as specified by rights owner
© Grimm TU Ilmenau 2005 6 /28
Rights and Usage Rules
• Rights are encoded within media format
• Copy protection
• Usage restriction– Loss of quality (copies, pre-listening)– Number of copies– Number of replays– Time limits for replays– Usage environment for replays
Page 4
4
Seite 4
© Grimm TU Ilmenau 2005 7 /28
Rights Enforcement
Content Provider
User executesusage rules
Specifies rightsSells content
Controls usage
User executesusage rules
User executesusage rules
User executesusage rules
© Grimm TU Ilmenau 2005 8 /28
Security Analysis for DRM
Provider Consumer
Value / Goods
Attacks/Threats
SecurityRequirements
SecurityMechanisms
Music data as product
Unpaid sharing
Integrity, Quality,Product-Money-Binding,Uniqueness
Safe Distribution,Copy protection
Music data asquality product
Unavailability
Integrity, Quality,Fair Price,Availability
Distribution,Forwarding→ DRM → P2P
Page 5
5
Seite 5
© Grimm TU Ilmenau 2005 9 /28
Interest vs. Enforcement
• Content providers have interest in rights• Content providers specify rights and policies• Rights restrict usage
• Burdon on enforcement solely on users
• Users have interest in private use• Users circumvent rights
Market is destroyed
© Grimm TU Ilmenau 2005 10 /28
Role of Payment
GinnyConsumer
FredProvider
Wants MoneyWants Product
Payment System
fair exchange
Page 6
6
Seite 6
© Grimm TU Ilmenau 2005 11 /28
Requirements
• Immediate money flow
• Low transaction costs– Bank clearance of micromoneyexpensive
• Other models– credit cards, subscription, packaging, intermediaries
• Additionally: fair exchange protocols
© Grimm TU Ilmenau 2005 12 /28
Payment Models
• Prepaid– HW (Chipcard, GeldKarte) *– SW (Paysafecard, Micromoney, Paybest Telefone TANs) *
• Intermediary– Credit Card (SSL, Visa 3D Secure)– Accounting (Paypal, Moneybookers, Firstgate, Paybest) *– Escrows for fair exchange (S-ITT)
• Traditional– Invoice– Bank withdrawal
* good for micropayment
Page 7
7
Seite 7
© Grimm TU Ilmenau 2005 13 /28
Payment + Purchase Integration
• Physical goods escrow– Product delivery and money transfer trough third party (eBay)
• Download proxy– Firstgate, Paybest
• Virtual accounts– Multiple purchase– Packaged clearance– „Paid“ signal– Prepaid, accounting and escrow systems
© Grimm TU Ilmenau 2005 14 /28
Paybest
• Account Service for multiple purchase and packagedclearance
• Download proxy
• Multiple Payment methods included– Paypal, Moneybookers, Firstgate Click&Buy, Paysafecard, Micromoney– Original telefone TAN
• Integration of payment and purchase by Web Services
Page 8
8
Seite 8
© Grimm TU Ilmenau 2005 15 /28
Paybest Web Services
Payment-System with Web Services
Shop with Web Services
PC-Application
Web-Service
Invocation ofWeb Service
Jürgen Nützel, 4FriendsOnly.com
© Grimm TU Ilmenau 2005 16 /28
DRM and Alternative Models
Users behave correctly because of
1. Technical enforcement• „Classical“ DRM• Windows Media, Sony Connect, Apples iTunes
2. Identification of misuse• LWDRM, M2S
3. Incentives• Users and providers cooperate• PotatoSystem, M2S
Page 9
9
Seite 9
© Grimm TU Ilmenau 2005 17 /28
Windows Media Rights Manager
Digital Content
ProtectedMedia
PackageMedia1
Web Server
StreamingMedia Server
2 PostMedia
Clearing House License Server
3 LicenseTerms
Media Playerwith
Windows MediaRights Manager
5 RequestLicence
6 DownloadLicense
4 Request andReceive Media
7Transferto PortableDevice
Internet Nutzergeräte
© Grimm TU Ilmenau 2005 18 /28
iTunes Music Store, Apple
CustomerServer
Laptop
PCDesktop
Download toPC via Internet
Authorisationvia Internet
CDCreation
MobilePlayers,iPods
Burn to CD
Copy to Player
Page 10
10
Seite 10
© Grimm TU Ilmenau 2005 19 /28
iTunes Music Store, Apple
• Free copy of music in private home network
• Free private copies on CD
• Only 5 PCs authorized to play music
• Secial format with authorization id
• Warning if PC is not authorized to play music
• MP3 reproduction out of scope
© Grimm TU Ilmenau 2005 20 /28
LWDRM® - Basic Idea
• Aims– Respect of user interest (Fair-Use, Privacy)– No clear text on user site (encryptionof content)– Identification of misuse
• Technically, a customer can copy and forwardcontent, if he digitally signs it (SMF)
• Otherwise, content is bound locally to an individualend-user device (LMF)
Page 11
11
Seite 11
© Grimm TU Ilmenau 2005 21 /28
Incentives
• Provision (Potato)– Users share income
• Services (Potato, M2S)– Users get more:– Cover, info, albums– „from radio/concet/pub to an album“
• Guarantee of quality, upgrade (M2S)
• Community (Potato)– Users get contact to other users (Matching Service)
© Grimm TU Ilmenau 2005 22 /28
The PotatoSystem brings Users and Providers together
• Users are motivated to pay for the good, because they canresell and earn money
• Users become active redistributors (good for both, usersand providers)
• No copy protection mechanisms
• More user services: redistribution right, user matching, faninfos, combination with CDs and concert tickets
Jürgen Nützel, 4FriendsOnly.com
Page 12
12
Seite 12
© Grimm TU Ilmenau 2005 23 /28
Sales Process
Payment -ServerPayment -ServerPotatoSystem
HTML-Jacket-ServerPotatoSystem
HTML-Jacket-ServerHTML-Jacket -
ServerAccounting-Serverwith Web-Service
SQL
XMLPayment -Server HTTPS
Web/File-Server of Original Supplier
Ginny‘s Browser
Payment
Song Infos
Fred‘s Web Page
Proxy
Data Transfer
Data Transfer Fred is anOriginal Supplier
Ginny buysFred‘s Song
mysong.mp3
mysong.mp3
Song Selection
Jürgen Nützel, 4FriendsOnly.com
© Grimm TU Ilmenau 2005 24 /28
After Payment Ginny is registered Reseller
• She may publish her own sell link in the Web:https://www.potatosystem.com/process/sell?tan=88099176227
• Or embed a mini HTML page (per iframe-Code):
Prelistening
Sales
More Info
<iframe style='{width:225pt; height:30pt;}' src='http://data.potatosystem.com/process/iFrame?tan=88099176227' marginwidth='0' marginheight='0' scrolling='no' frameborder='0'> </iframe>
Jürgen Nützel, 4FriendsOnly.com
Page 13
13
Seite 13
© Grimm TU Ilmenau 2005 25 /28
Resale
Payment -ServerPayment -ServerPotatoSystem
HTML-Jacket-ServerPotatoSystem
HTML-Jacket-ServerHTML Jacket -
ServerAccounting-Serverwith Web-Service
SQL
XMLPayment -Server
HTTPS
Web/File-Server of Original Supplier
Web Page of a Reseller
Harry‘s Browser Ginny‘s Web Page
Proxy
Fred is anOriginal Supplier
Ginny resellsFred‘s Song
Harry can buy fromFred or from Ginny
mysong.mp3
Payment
Song InfosData Transfer
Data TransferSong Selection
mysong.mp3
Jürgen Nützel, 4FriendsOnly.com
© Grimm TU Ilmenau 2005 26 /28
Provisions
OS = Original Supplier (e.g., a Label), B1 … B4 = Buyer 1 bis 4
B4
B1 buys song “A”from F
B2 buys song “A”from B1
B3 buys song “A”from B2
B4 buys song “A”from B3
35%to OS
15%to OS
20%to B1
5%to OS
10%to B1
20%to B2
5%to B1
10%to B2
20%to B3
OS
B1
B2
B3
Jürgen Nützel, 4FriendsOnly.com
Page 14
14
Seite 14
© Grimm TU Ilmenau 2005 27 /28
The PotatoSystem offers as Web service
• Account management for content owners and customers
• Payment clearance (Paybest)
• Delivery of purchased songs from provider server to the buyer viasecure proxy
• Provision management
• Detailed receipts for providers
• Rights management (GEMA)
• Combinationen with real CDs and concert tickets
• More functions under construction …
Jürgen Nützel, 4FriendsOnly.com
© Grimm TU Ilmenau 2005 28 /28
Conclusion
• Users are ready to pay for fair use
• Providers are ready to deliver for payment
• The common bracket is „payment“
• Pure DRM is not sufficient
• Payment is integrated part of purchase
• Free usage after payment is required
• See, for example, Potato and Paybest: