Monday, September 15, 2008

Case Study of a DRM Server



This article makes the case for building an industry-standard DRM Server as an open source project.


Goals and Non-Goals:


1. Why a DRM Server?


A digital marketplace is inevitable. As the marketplace mechanism for digital content establishes itself, the industry will eventually have to sort out the privacy and rights debates. It is highly likely that a level of DRM considered acceptable to both content providers and users will eventually emerge.

Given that a DRM Server is an enabling piece of software for a digital marketplace, this is an attempt to study the building blocks for such a server.


2. Choice of DRM Standards to include in our case study:


The state of this technology is continually evolving and the industry is publishing standards at a rapid pace. There are standards from organizations like OMA that set standards for mobile DRM. The majority of the deployed DRM solutions and standards have come from a few leading industry players such as Adobe, Microsoft and Apple.

A recent standard from the Open Mobile Alliance (OMA) provides some guidance on digital rights for streaming content to mobile platforms. This standard is known as the "Smartcard DRM profile".


3. Analysis to scope out the requirements:


Our initial focus is to analyze existing standards such as the Smartcard DRM profile, as well as to study the basic building blocks needed for our DRM server.

The early goals are to study and build prototypes for the various building blocks of a DRM server. The driving goal is to arrive at a set of high-level requirements that our DRM server will eventually satisfy.


High-Level Functional blocks of a DRM Server

In this section, we highlight the high level building blocks of a DRM Server.

1. Key Management Infrastructure


A DRM Server makes use of ciphers, which are algorithms that use cryptographic keys to scramble the content. These keys are required to descramble the content.

Since cryptographic keys play such an important role in a DRM Server application, key management is a central building block of a DRM Server. This system deals with the creation and management of cryptographic keys. The following figure outlines what could be a high-level overview of the modules present in a key management system.



A brief explanation of each function follows.

1. Key storage or Key Vault

The main job of a key vault is to safely store and provide access to the keys used by the crypto engine. This is perhaps a vital piece of the DRM server design.

2. Key Manager

The key manager is an interface that manages the creation, deletion and updates of keys in the key vault. Naturally, it follows that when a key manager retires a key and activates a new key, the data has to be re-encrypted using the newly active primary key.

This is a very sensitive administrative function that must be performed by a cryptographic officer. It follows that the key manager has well-defined access control policies.

3. Crypto Engine

This is a critical piece of the DRM server, as it provides the basic crypto operations, including encryption, decryption, signing and verification. The crypto engine has access to the Key Vault. The providers and the key manager may have access to a crypto engine.

4. Key Manifest

This is a function that acts as the bridge between the keys stored in the key vault and their selection to encrypt the content. It deals with the key families and aliases. This function can also manage the key life cycle.

5. Provider

The provider supplies a level of abstraction between the client and the crypto engine. It verifies a client request for encryption, decryption or another operation and selects the correct key aliases and any additional parameters needed to satisfy the request. It passes the results back to the consumer.

6. Consumer

This is the contact point for an application that wishes to make use of the key management system. The consumer is aware of key families as well as receipts of encryption.
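The following sketch is an added example, not code from the original article: it wires the vault, manifest, key manager and provider together and shows why a receipt must record the key that produced it once keys are rotated. HMAC-SHA256 signing from the Python standard library stands in for the crypto engine's operations; the class and method names, the "crypto-officer" role string and the "family/vN" key id format are assumptions made for illustration.

```python
import hashlib, hmac, secrets

class KeyVault:
    """Holds raw key material by key id; read only by the crypto engine."""
    def __init__(self):
        self._keys = {}
    def put(self, key_id, material):
        self._keys[key_id] = material
    def get(self, key_id):
        return self._keys[key_id]

class KeyManifest:
    """Maps each key family to its key ids and tracks life-cycle state."""
    def __init__(self):
        self.families, self.state = {}, {}
    def activate(self, family, key_id):
        for old in self.families.setdefault(family, []):
            self.state[old] = "retired"          # one active key per family
        self.families[family].append(key_id)
        self.state[key_id] = "active"
    def active_key(self, family):
        return self.families[family][-1]

class KeyManager:
    """Creates and rotates keys; restricted to the cryptographic officer."""
    def __init__(self, vault, manifest):
        self.vault, self.manifest = vault, manifest
    def rotate(self, family, role):
        if role != "crypto-officer":             # assumed role name
            raise PermissionError("key rotation requires the crypto officer")
        key_id = f"{family}/v{len(self.manifest.families.get(family, [])) + 1}"
        self.vault.put(key_id, secrets.token_bytes(32))
        self.manifest.activate(family, key_id)
        return key_id

class Provider:
    """Validates requests, picks the key, and calls the crypto engine (HMAC here)."""
    def __init__(self, vault, manifest):
        self.vault, self.manifest = vault, manifest
    def sign(self, family, data):
        key_id = self.manifest.active_key(family)
        tag = hmac.new(self.vault.get(key_id), data, hashlib.sha256).hexdigest()
        return {"family": family, "key_id": key_id, "tag": tag}   # the receipt
    def verify(self, receipt, data):
        if receipt["key_id"] not in self.manifest.families.get(receipt["family"], []):
            return False                         # key id outside the claimed family
        key = self.vault.get(receipt["key_id"])
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, receipt["tag"])
    def needs_reprotect(self, receipt):
        return self.manifest.state[receipt["key_id"]] == "retired"
```

After a rotation, `needs_reprotect` flags receipts issued under a retired key, which is the set of data the key manager must re-protect under the newly active key.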

2. Key or License Distribution Protocols


When a user wants to use the content he or she purchased, a DRM Server must deliver licenses to the client system. These licenses contain the keys required to use the content on the client system. Key delivery protocols deal with the transfer of the purchase information and content licenses between a client and a DRM server.

The client and server may need to mutually authenticate each other and most of the standards leverage other industry standards to accomplish this function.

3. Content Management Server


If the key management system (KMS) is part of our DRM Server, then the content management server needs to interact with the KMS to protect the content. The content is usually assigned a unique ID, and this identifier is tied to the key set used to encrypt the content.

