
A security analysis of business models for digital products

Feb 04, 2022

© Grimm TU Ilmenau 2005

INDICARE Workshop on DRM

3rd February 2005

A security analysis of business models for digital products

Prof. Dr. Rüdiger Grimm

Institute for Media and Communication Study, Technische Universität Ilmenau

and Fraunhofer Institute for Digital Media Technology


Content

1. Security

2. Digital Rights Management

3. Role of payment

4. New business models

5. PotatoSystem


What Can Happen in the Internet

[Figure labels: No music, No payment, No trust]

• Eavesdropping

• Theft

• Change, delete

• Identity fraud

• Repudiate

• Loss of access

• Loss of control

• Viruses

• Privacy attacks

• SPAM


IT Security

• The aim of an "attack" is a personal advantage for the attacker at the expense of the attacked.

• Security problems stem from conflicts of interest between human actors.


Digital Rights Management - Aims

• To imitate physical properties of goods

• Uniqueness

• No cheap copy

• Or to behave as specified by rights owner


Rights and Usage Rules

• Rights are encoded within media format

• Copy protection

• Usage restriction
– Loss of quality (copies, pre-listening)
– Number of copies
– Number of replays
– Time limits for replays
– Usage environment for replays


Rights Enforcement

[Diagram. Labels: Content Provider; Specifies rights; Sells content; Controls usage; User executes usage rules (shown for four users)]


Security Analysis for DRM

Provider

• Value / Goods: Music data as product
• Attacks/Threats: Unpaid sharing
• Security Requirements: Integrity, Quality, Product-Money-Binding, Uniqueness
• Security Mechanisms: Safe Distribution, Copy protection → DRM

Consumer

• Value / Goods: Music data as quality product
• Attacks/Threats: Unavailability
• Security Requirements: Integrity, Quality, Fair Price, Availability
• Security Mechanisms: Distribution, Forwarding → P2P


Interest vs. Enforcement

• Content providers have interest in rights

• Content providers specify rights and policies

• Rights restrict usage

• Burden of enforcement lies solely on users

• Users have interest in private use

• Users circumvent rights

Market is destroyed


Role of Payment

[Diagram. Labels: Ginny (Consumer); Fred (Provider); Wants Money; Wants Product; Payment System; fair exchange]


Requirements

• Immediate money flow

• Low transaction costs
– Bank clearance of micromoney expensive

• Other models
– credit cards, subscription, packaging, intermediaries

• Additionally: fair exchange protocols


Payment Models

• Prepaid
– HW (Chipcard, GeldKarte) *
– SW (Paysafecard, Micromoney, Paybest telephone TANs) *

• Intermediary
– Credit Card (SSL, Visa 3D Secure)
– Accounting (Paypal, Moneybookers, Firstgate, Paybest) *
– Escrows for fair exchange (S-ITT)

• Traditional
– Invoice
– Bank withdrawal

* good for micropayment


Payment + Purchase Integration

• Physical goods escrow
– Product delivery and money transfer through third party (eBay)

• Download proxy
– Firstgate, Paybest

• Virtual accounts
– Multiple purchase
– Packaged clearance
– "Paid" signal
– Prepaid, accounting and escrow systems


Paybest

• Account Service for multiple purchase and packaged clearance

• Download proxy

• Multiple payment methods included
– Paypal, Moneybookers, Firstgate Click&Buy, Paysafecard, Micromoney
– Original telephone TAN

• Integration of payment and purchase by Web Services


Paybest Web Services

[Diagram. Labels: Payment-System with Web Services; Shop with Web Services; PC-Application; Web-Service; Invocation of Web Service]

Jürgen Nützel, 4FriendsOnly.com


DRM and Alternative Models

Users behave correctly because of

1. Technical enforcement
• "Classical" DRM
• Windows Media, Sony Connect, Apple's iTunes

2. Identification of misuse
• LWDRM, M2S

3. Incentives
• Users and providers cooperate
• PotatoSystem, M2S


Windows Media Rights Manager

[Diagram spanning two zones, Internet and user devices. Components: Digital Content, Protected Media, Web Server, Streaming Media Server, Clearing House License Server, Media Player with Windows Media Rights Manager. Numbered steps:
1. Package Media
2. Post Media
3. License Terms
4. Request and Receive Media
5. Request Licence
6. Download License
7. Transfer to Portable Device]


iTunes Music Store, Apple

[Diagram. Labels: Customer; Server; Laptop; PC Desktop; CD Creation; Mobile Players, iPods. Flows: Download to PC via Internet; Authorisation via Internet; Burn to CD; Copy to Player]


iTunes Music Store, Apple

• Free copy of music in private home network

• Free private copies on CD

• Only 5 PCs authorized to play music

• Special format with authorization id

• Warning if PC is not authorized to play music

• MP3 reproduction out of scope


LWDRM® - Basic Idea

• Aims
– Respect of user interest (Fair-Use, Privacy)
– No clear text on user side (encryption of content)
– Identification of misuse

• Technically, a customer can copy and forward content, if he digitally signs it (SMF)

• Otherwise, content is bound locally to an individual end-user device (LMF)


Incentives

• Provision (Potato)
– Users share income

• Services (Potato, M2S)
– Users get more:
– Cover, info, albums
– "from radio/concert/pub to an album"

• Guarantee of quality, upgrade (M2S)

• Community (Potato)
– Users get contact to other users (Matching Service)


The PotatoSystem brings Users and Providers together

• Users are motivated to pay for the good, because they can resell and earn money

• Users become active redistributors (good for both, users and providers)

• No copy protection mechanisms

• More user services: redistribution right, user matching, fan infos, combination with CDs and concert tickets

Jürgen Nützel, 4FriendsOnly.com


Sales Process

[Diagram: Ginny buys Fred's song; Fred is an Original Supplier. Components: Ginny's Browser; Fred's Web Page; Web/File-Server of Original Supplier; Proxy; PotatoSystem with Payment-Server, HTML-Jacket-Server and Accounting-Server with Web-Service. Interface labels: SQL, XML, HTTPS. Flow labels: Song Selection, Song Infos, Payment, Data Transfer (mysong.mp3)]

Jürgen Nützel, 4FriendsOnly.com


After Payment Ginny Is a Registered Reseller

• She may publish her own sell link in the Web: https://www.potatosystem.com/process/sell?tan=88099176227

• Or embed a mini HTML page (via iframe code):

<iframe style='width:225pt; height:30pt;' src='http://data.potatosystem.com/process/iFrame?tan=88099176227' marginwidth='0' marginheight='0' scrolling='no' frameborder='0'> </iframe>

[Figure: the embedded mini page. Labels: Prelistening, Sales, More Info]

Jürgen Nützel, 4FriendsOnly.com


Resale

[Diagram: Ginny resells Fred's song; Fred is an Original Supplier; Harry can buy from Fred or from Ginny. Components: Harry's Browser; Ginny's Web Page (Web Page of a Reseller); Web/File-Server of Original Supplier; Proxy; PotatoSystem with Payment-Server, HTML-Jacket-Server and Accounting-Server with Web-Service. Interface labels: SQL, XML, HTTPS. Flow labels: Song Selection, Song Infos, Payment, Data Transfer (mysong.mp3)]

Jürgen Nützel, 4FriendsOnly.com


Provisions

OS = Original Supplier (e.g., a Label), B1 … B4 = Buyer 1 to 4

• B1 buys song “A” from F: 35% to OS

• B2 buys song “A” from B1: 15% to OS, 20% to B1

• B3 buys song “A” from B2: 5% to OS, 10% to B1, 20% to B2

• B4 buys song “A” from B3: 5% to B1, 10% to B2, 20% to B3

Jürgen Nützel, 4FriendsOnly.com
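
The four cases on the Provisions slide fit one rule: the direct seller receives 20%, the seller before them 10%, the one before that 5%, and the original supplier receives any tier the chain is too short to fill. The Python below is an added example, not PotatoSystem code; the rule is inferred from the slide's four cases, and the names `TIERS` and `provisions` are hypothetical.

```python
# Added example: provision split inferred from the four cases on the slide.
# Assumption: three tiers (20/10/5 percent) paid to the last three sellers.
TIERS = (20, 10, 5)


def provisions(chain):
    """Return {party: percent} for one sale.

    chain lists the sellers from the original supplier down to the direct
    seller, e.g. ["OS", "B1", "B2"] when B3 buys from B2.
    """
    if not chain or chain[0] != "OS":
        raise ValueError("chain must start at the original supplier 'OS'")
    if len(set(chain)) != len(chain):
        raise ValueError("each party may appear only once in the chain")

    upstream = list(reversed(chain))  # direct seller first
    shares = {}
    for level, percent in enumerate(TIERS):
        # A chain shorter than the tier list leaves tiers unfilled;
        # on the slide those tiers go to the original supplier.
        party = upstream[level] if level < len(upstream) else "OS"
        shares[party] = shares.get(party, 0) + percent
    return shares


if __name__ == "__main__":
    # The four sales shown on the slide.
    for chain in (["OS"],
                  ["OS", "B1"],
                  ["OS", "B1", "B2"],
                  ["OS", "B1", "B2", "B3"]):
        print(" -> ".join(chain), provisions(chain))
```

Every sale distributes 35% in total; the slide does not say how the remaining 65% is allocated, so the example leaves it out.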


The PotatoSystem offers as Web service

• Account management for content owners and customers

• Payment clearance (Paybest)

• Delivery of purchased songs from provider server to the buyer via secure proxy

• Provision management

• Detailed receipts for providers

• Rights management (GEMA)

• Combination with real CDs and concert tickets

• More functions under construction …

Jürgen Nützel, 4FriendsOnly.com


Conclusion

• Users are ready to pay for fair use

• Providers are ready to deliver for payment

• The common bracket is "payment"

• Pure DRM is not sufficient

• Payment is an integrated part of purchase

• Free usage after payment is required

• See, for example, Potato and Paybest: