SSO (Single Sign On)
DRM
Applied SSO Concept on DRM for Short-term Renting or Frequent
Transactions
Student
Kuo-Fong Hsu
Advisor
Deng-Jyi Chen
A Thesis
Submitted to College of Computer Science National Chiao Tung University in Partial Fulfillment of the Requirements
for the Degree of Master of Science
in
Computer Science, July 2010
SSO (Single Sign On)
DRM
(
)
(Digital Right Management, DRM)
( : )
(Single Sign On) SAML-based DRM
Applied SSO Concept on DRM for Short-term Renting or Frequent Transactions
Student
Kuo-Fong Hsu
Advisor
Dr. Deng-Jyi Chen
Degree Program of Computer Science
National Chiao Tung University
ABSTRACT
In recent years the Internet has become very popular, and many e-publishers (of e-books, e-news, e-magazines, e-learning content, etc.) have set up on the Internet around the world.
However, with the blooming of the Internet, copyright is directly or indirectly challenged by illegal downloading and illegal free sharing, which erode the profit, the benefit and the business growth of the e-publishers.
Digital Rights Management (DRM) can help these e-publishers deal with this situation. Basically, DRM uses various information technologies to control the use of a particular e-service (such as e-music, e-books, software or e-files); it lets e-publishers prevent illegal downloading or illegal free sharing over the Internet, and also lets them limit the consumers' behaviour. The purpose of DRM is to protect the value of e-assets for business and the high profit in the consumer market.
However, the DRM process may not be easy, and it may take too long to attract new customers in the low-price consumer market. In this thesis we provide a model to solve this problem. We propose a new architecture, SAML-based DRM, built on a concept similar to Single Sign On, which lets users log in with an anonymous code.
Finally, we introduce and analyse the future development of this technology, based on the concept of SAML-based DRM.
1 [1] ... 3 2 ... 6 3 Windows Media DRM ... 8 4 ... 12 5 ... 13 6 ... 15 7 SAML ... 17 8 SAML ... 18 9 SAML ... 19 10 SAML ... 19 11 SAML ... 20 12 SAML ... 21 13 iTunes ... 23 14 ... 24 14 DRM ... 25 16 SAML-based DRM ... 26 17 SAML-based DRM ... 27 18 SAML-based DRM ... 28 19 SAML-based DRM ... 31 20 SAML-based DRM ... 32 21 ... 38 22 ... 38 23 ... 39 22 ... 39 24 ... 39 25 Play ... 40 26 ... 40 27 ... 41 28 ... 41 29 ... 42 30 ... 42 31 Play ... 42 32 Advanced SAML-based DRM ... 44
1.1
( )
(Digital Right Management, DRM)
( : ) (License)
1.2
(Internet) (WWW) 1 [1] (Content Owner) (Consumer) (License Server) (Distributor)
1.
2.
3.
4.
1 [1]
Microsoft[2] Apple[3] [4] [5]
Apple iPod
Advancement of Structured Information Standards) (Single Sign On, SSO) SAML
DRM SAML
1.3
SSO SAML-based DRM SSO DRM SAML-based DRM(Device-based DRM) (Identity-based DRM)
2.1
(Digital Right Management, DRM)
(Digital Right Management, DRM) ( : )
2.1.1
2 Intertrust [7]
2 Intertrust (1) (License Server) (2) (Content Server) (3) (Content package)
(4) (Right) (Encryption Key)
(5) (4)
(License Package)
2.2
(Device-based DRM)
Windows Media DRM
(Device-based DRM system) Windows Media DRM 1994 4 Windows Media DRM [8] Windows Media DRM X86 Windows Media DRM
2.2.1
DRM (Content Provider) (License Server) (Client) (Content Provider)
3 Windows Media DRM (http://www.microsoft.com/windows/windowsmedia/howto/articles/drmarchitecture.aspx)
1. (Packaging) Windows Media ( Windows Media ) URL Windows Media Audio (.wma) Windows Media Video (.wmv)
2. (Distribution) CD Windows Media DRM
3. (Establishing a License Server)
4. DRM (Request & Receive Media) DRM
5. (Request & Download License) Windows Media
6. (Playing Media) Windows Media DRM PC
2.2.2
Windows Media Digital Rights Management (DRM)
Windows Media Rights Manager Windows Media DRM
1.
2. Windows Media Rights Manager
3. Windows Media Rights Manager
4. Windows Media Rights Manager
5. Windows Media Rights Manager Windows Millennium Edition Windows XP
6. Windows Media Rights Manager
7.
8. Windows Media Rights Manager
9. ( )
2.2.3
Windows Media Rights Manager (Windows Media Rights Manager ) (Windows Media Rights Manager ) PC
( Amazon)
( Android iPod)
Windows Media Player Android iPod
2.3
(Identity-based DRM)
(Device-based DRM system) (Smart Card)
2.3.1
Conrado et al.'s [9] 2003 DRM
(Smart Card) (Smart Card) [10] [10]
4
1. (RAN) (PK) (RAN)
2. (Content Provider) SSI (Secret Security Identifier, ) 1
3. SSI
5
1. (PK) (RK)
2.
3.
2.3.2
2.4
(Single Sign On, SSO)
EIP ( ) ERP ( ) CRM ( ) KM ( ) PLM ( ) (username/password) Single Sign On
1.
2.
3. ( )
4.
2.4.1
6 [11] (Authentication domain) (Secondary domain)
1. 2.
1.
2.
3.
4.
6 David Orrell, Eduserv Athens Authentication Systems and Single Sign-On (SSO), EuroCAMP, 7-9 November 2005, Porto, Portugal
2.5 SAML
2.5.1
SAML OASIS Security Services Technical Committee [12] XML (Security Domain) (Identity Provider) (Service Provider) XML SAML
1. 2002 11 OASIS SAML 1.0
2. 2003 SAML 1.1 OASIS
3. 2005 SAML 2.0 OASIS
1. (single sign-on)
2.
SAML SAML
1. (Assertions) XML
2. (Protocols)
3. (Bindings) SAML (HTTP, SOAP)
4. (Profiles) SAML
7 SAML
(Subject) (Assertion)
( )
1. (Authentication Assertion)
2. (Attribute Assertion)
3. (Authorization Decision Assertion) (Profile)
SAML Authority
Policy Decision Point PDP
2.5.2 SAML
SAML
1.
2.
2.5.3
SAML [13]
1. Single sign-on (SSO)
Web User Source Web Site Destination Web Site (use case diagram, 7)
8 SAML
Eve Maler, SAML basics A technical introduction to the Security Assertion Markup Language , XML Technology Center, Sun Microsystems, Inc.
2. Authorization service
Decision Point(PDP, ) User
9 SAML
Eve Maler, SAML basics A technical introduction to the Security Assertion Markup Language , XML Technology Center, Sun Microsystems, Inc.
3. Back office transaction
Buyer Seller1 Seller1 Seller1 Seller Buyer
Seller
10 SAML
Eve Maler, SAML basics A technical introduction to the Security Assertion Markup Language , XML Technology Center, Sun Microsystems, Inc.
2.5.4 SAML
SAML
2. (Service Provider)
3. (Client)
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11 SAML
Tom Scavo, Security Assertion Markup Language A Brief Introduction to SAML, NCSA,
2.5.5 SAML
SAML ( 12) SAML
1. (Web Server 1) (Web Server 2)
2. (artifact)
3. SAML (assertion) SAML
4.
12 SAML SAML http://www.csie.fju.edu.tw/~ie955148/indexXML.html
SAML-based DRM
1. DRM (License Server)
2. (Content) (License) (Content) (License Server)
3. DRM ( 13 iTunes ) [17] iTunes mp3
13 iTunes
http://www.itune.com
3.1
14 : http://www.easycard.com.tw/
1. ( )
2.
3. ( ) ( )
3.2 SAML-based DRM
15 DRM [14]
14 DRM
1. (Rights holders, content providers) (Online distribution servers)
2. (End users)
3. (License server)
4. (SSO) ( )
SAML-based DRM (SSO) User
License server (Identity Provider, IDP) IDP
IDP IDP (
)
16 SAML-based DRM
1. (Rights holders, content providers) (Online distribution servers)
2. (End users)
3.
4.
3.3 SAML-based DRM
SAML-based DRM 1. :iCash Online Game
( IDP )
OASIS Security Services Technical Committee SAML
DRM
(Right Issuer) ( ) DRM
SAML License ( 17 )
2. ( ) :
3.4
17 (Client) (Identity Provider) (Service Provider Content Server License Server)
17 SAML-based DRM
18
1. Content Server Content
3. Identity Provider
4. Assertion
5. Assertion License Service
6. Content Service Identity Provider
7. Content Server Content
8. Content Service Content
18 SAML-based DRM
3.5
SAML-based DRM
SAML-based DRM
XML XML SAML-based DRM
DRM
License SAML-based DRM DRM
(License Provider) SAML
(Authentication Assertion, Attribute Assertion, Authorization Decision Assertion) SOAP
3.5.1
(SAML Assertion)
(issuer) R, (Subject) S, (Time) T, (Condition) C, (Assertion) A
(Authentication Assertion): (Subject 9679531), (Time 2010-07-03~2011-07-03) T, (Method password) M
<saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID="128.9.167.32.12345678"
    Issuer="NCTU SELab" IssueInstant="2010-07-03T10:02:00Z">
  <saml:Conditions NotBefore="2010-07-03T12:00:00Z" NotAfter="2011-07-03T12:00:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="password" AuthenticationInstant="2001-12-03T10:02:00Z">
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="estore.nctu.edu.tw" Name="9679531"/>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
<saml:AuthenticationStatement>…</saml:AuthenticationStatement> SAML
(Attribute Assertion) (9679531)
<saml:Assertion …>
  <saml:Conditions …/>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="estore.nctu.edu.tw" Name="9679531"/>
    </saml:Subject>
    <saml:Attribute AttributeName="Role" AttributeNamespace="http://nctu.edu.tw">
      <saml:AttributeValue>Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
<saml:Attribute>…</saml:Attribute>
SAML (Authorization Decision Assertion)
<saml:Assertion …>
  <saml:Conditions …/>
  <saml:AuthorizationStatement Decision="Permit" Resource="http://estore.nctu.edu.tw/UserCart.aspx">
    <saml:Actions Namespace="nctu.edu.tw">
      <saml:Action>Execute</saml:Action>
    </saml:Actions>
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="nctu.edu.tw" Name="9679531"/>
    </saml:Subject>
  </saml:AuthorizationStatement>
</saml:Assertion>
(Subject) 9679531 (Authentication Assertion) (Permit) (Resource) http://estore.nctu.edu.tw/UserCart.aspx (Execute)
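As an added example (not the thesis' own code, nor part of the VB.net implementation it describes), the following Python shows the checks a consumer of the three assertions above, such as the License Server in the SAML-based DRM flow, should apply before it issues a license: the Conditions validity window, the subject identity, and, for the authorization decision, the exact resource and action. The sample assertions are constructed from the examples in this section; the SAML 1.0 namespace declaration, the specification's element name AuthorizationDecisionStatement (the thesis writes AuthorizationStatement), the single SecurityDomain for all three assertions and the "now" timestamps are assumptions.

```python
"""Checks a SAML 1.0 assertion consumer (e.g. the License Server) should apply.
Added example; the sample assertions are constructed, modelled on section 3.5.1."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"  # real SAML 1.0 assertion namespace
NS = {"saml": SAML}
DOMAIN, USER = "estore.nctu.edu.tw", "9679531"   # subject used in the thesis examples
RESOURCE = "http://estore.nctu.edu.tw/UserCart.aspx"

# Constructed sample assertions (assumption: one SecurityDomain for all three).
_HEAD = ('<saml:Assertion xmlns:saml="{ns}" MajorVersion="1" MinorVersion="0" '
         'AssertionID="{aid}" Issuer="NCTU SELab" IssueInstant="2010-07-03T10:02:00Z">'
         '<saml:Conditions NotBefore="2010-07-03T12:00:00Z" NotAfter="2011-07-03T12:00:00Z"/>')
_SUBJECT = ('<saml:Subject><saml:NameIdentifier SecurityDomain="{d}" Name="{n}"/></saml:Subject>'
            .format(d=DOMAIN, n=USER))
AUTHN = (_HEAD.format(ns=SAML, aid="128.9.167.32.12345678")
         + '<saml:AuthenticationStatement AuthenticationMethod="password" '
           'AuthenticationInstant="2010-07-03T10:02:00Z">' + _SUBJECT
         + '</saml:AuthenticationStatement></saml:Assertion>')
ATTR = (_HEAD.format(ns=SAML, aid="128.9.167.32.12345679")
        + '<saml:AttributeStatement>' + _SUBJECT
        + '<saml:Attribute AttributeName="Role" AttributeNamespace="http://nctu.edu.tw">'
          '<saml:AttributeValue> Admin </saml:AttributeValue></saml:Attribute>'
          '</saml:AttributeStatement></saml:Assertion>')
AUTHZ = (_HEAD.format(ns=SAML, aid="128.9.167.32.12345680")
         + '<saml:AuthorizationDecisionStatement Decision="Permit" Resource="{r}">'.format(r=RESOURCE)
         + _SUBJECT
         + '<saml:Actions Namespace="nctu.edu.tw"><saml:Action>Execute</saml:Action></saml:Actions>'
           '</saml:AuthorizationDecisionStatement></saml:Assertion>')

NOW = datetime(2010, 8, 3, 12, 0, tzinfo=timezone.utc)   # constructed: inside the window
EXPIRED = datetime(2012, 1, 1, tzinfo=timezone.utc)      # constructed: after NotAfter


def _utc(ts):
    """Parse the YYYY-MM-DDTHH:MM:SSZ timestamps the examples use."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _subject(stmt):
    """(SecurityDomain, Name) of the statement's subject, or None."""
    ident = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    return None if ident is None else (ident.get("SecurityDomain"), ident.get("Name"))


def _valid_root(xml_text, now):
    """Parse and enforce saml:Conditions; None outside the validity window.
    A missing Conditions element is rejected here (stricter than the spec,
    which treats it as unrestricted)."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotAfter"):
        return None
    if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotAfter"))):
        return None
    return root


def authenticated_user(xml_text, now, domain):
    """Subject Name from an Authentication Assertion for `domain`, else None."""
    root = _valid_root(xml_text, now)
    stmt = None if root is None else root.find("saml:AuthenticationStatement", NS)
    subj = None if stmt is None else _subject(stmt)
    return subj[1] if subj and subj[0] == domain else None


def attribute_value(xml_text, now, domain, name, attr_name):
    """Value of attribute `attr_name` asserted for exactly (domain, name), else None."""
    root = _valid_root(xml_text, now)
    stmt = None if root is None else root.find("saml:AttributeStatement", NS)
    if stmt is None or _subject(stmt) != (domain, name):
        return None
    for attr in stmt.findall("saml:Attribute", NS):
        if attr.get("AttributeName") == attr_name:
            val = attr.find("saml:AttributeValue", NS)
            return val.text.strip() if val is not None and val.text else None
    return None


def is_permitted(xml_text, now, domain, name, resource, action):
    """True only for Decision="Permit" on exactly this subject, resource and action."""
    root = _valid_root(xml_text, now)
    stmt = None if root is None else root.find("saml:AuthorizationDecisionStatement", NS)
    if stmt is None or stmt.get("Decision") != "Permit" or stmt.get("Resource") != resource:
        return False
    if _subject(stmt) != (domain, name):
        return False
    actions = [a.text.strip() for a in stmt.findall("saml:Actions/saml:Action", NS) if a.text]
    return action in actions


def demo():
    """What the License Server would conclude from the three sample assertions."""
    return {
        "user": authenticated_user(AUTHN, NOW, DOMAIN),
        "role": attribute_value(ATTR, NOW, DOMAIN, USER, "Role"),
        "can_execute_cart": is_permitted(AUTHZ, NOW, DOMAIN, USER, RESOURCE, "Execute"),
        "expired_user": authenticated_user(AUTHN, EXPIRED, DOMAIN),
    }


if __name__ == "__main__":
    print(demo())
```

The window check uses a caller-supplied `now` so the consumer's clock skew policy stays explicit, and the authorization check matches resource and action exactly rather than by prefix, so a Permit for UserCart.aspx cannot be reused for another page. Signature verification of the assertion is out of scope here; a real consumer verifies the issuer's XML signature before any of these checks.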
3.5.2
XML (Assertion)
19 SAML-based DRM
Eve Maler, SAML basics A technical introduction to the Security Assertion Markup Language , XML Technology Center, Sun Microsystems, Inc.
Provider )
2. Consumer CarMonstor Consumer
3. (authorities) (Assertion)
Authentication authority: Authentication Assertion
Attribute authority: Attribute assertion
Policy decision point (PDP): Authorization decision assertion
4. (Policy store) PDP 9679531
3.5.3
(Assertion)http request /response (Assertion)
1. Consumer Subject HTTP Request (Authentication Assertion request, Attribute Assertion request, Authorization Decision Assertion request: 3 )
(1) Subject Consumer Subject Consumer Request
<samlp:Request MajorVersion="1" MinorVersion="0" RequestID="128.14.234.20.12345678">
  <samlp:AuthenticationQuery>
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="nctu.edu.tw" Name="9679531"/>
    </saml:Subject>
  </samlp:AuthenticationQuery>
</samlp:Request>
(2) Subject Consumer Subject Consumer Request
<samlp:Request …>
  <samlp:AttributeQuery CompletenessSpecifier="Partial">
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="smithco.com" Name="9679531"/>
    </saml:Subject>
    <saml:AttributeDesignator AttributeName="Role" AttributeNamespace="http://nctu.edu.tw"/>
  </samlp:AttributeQuery>
</samlp:Request>
(3) Subject Consumer Subject Consumer Request
<samlp:Request …>
  <samlp:AuthorizationQuery Resource="http://estore.nctu.edu.tw/UserCart.aspx">
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="nctu.edu.tw" Name="9679531"/>
    </saml:Subject>
    <saml:Actions Namespace="http://…">
      <saml:Action>Read</saml:Action>
    </saml:Actions>
    <saml:Evidence>
      <saml:Assertion> …some assertion… </saml:Assertion>
    </saml:Evidence>
  </samlp:AuthorizationQuery>
</samlp:Request>
2. Request Response
<samlp:Response MajorVersion="1" MinorVersion="0" ResponseID="128.14.234.20.90123456"
    InResponseTo="128.14.234.20.12345678" StatusCode="Success">
  <saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID="128.9.167.32.12345678" Issuer="NCTU SELab">
    <saml:Conditions NotBefore="2010-07-03T10:00:00Z" NotAfter="2010-07-03T10:05:00Z"/>
    <saml:AuthenticationStatement …>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>
3.5.4
HTTP XML
SOAP 3.5.3 Request Response
Request Response
SOAP Binding Authentication Request
POST /SamlService HTTP/1.1
Host: estore.nctu.edu.tw
Content-Type: text/xml
Content-Length: nnn
SOAPAction: http://www.oasis-open.org/committees/security

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <samlp:Request xmlns:samlp="…" xmlns:saml="…" xmlns:ds="…">
      <ds:Signature> … </ds:Signature>
      <samlp:AuthenticationQuery>
      </samlp:AuthenticationQuery>
    </samlp:Request>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
SOAP Binding Authentication Response
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: nnnn

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <samlp:Response xmlns:samlp="…" xmlns:saml="…" xmlns:ds="…">
      <samlp:Status>
        <samlp:StatusCode Value="samlp:Success"/>
      </samlp:Status>
      <ds:Signature> … </ds:Signature>
      <saml:Assertion>
        <saml:AuthenticationStatement> ... </saml:AuthenticationStatement>
      </saml:Assertion>
    </samlp:Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
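As an added example (not the thesis' own code), the following Python shows both sides of the SOAP-bound exchange above: build_soap_request() produces the envelope carrying a samlp:Request with an AuthenticationQuery (section 3.5.3), soap_post() wraps it in the HTTP message of section 3.5.4, request_id_of() is the responder's side, and check_soap_response() applies the checks the requester should make on the reply: the InResponseTo value must match the RequestID it sent, the status must be samlp:Success, a ds:Signature must be present and an AuthenticationStatement must be there. The namespace URIs are the real SAML 1.0, SOAP 1.1 and XML-DSig ones, which the thesis abbreviates as "…"; the sample response is constructed, and the signature check is a presence check only.

```python
"""SOAP binding of a SAML 1.0 AuthenticationQuery: requester and responder sides.
Added example; the sample response is constructed, modelled on sections 3.5.3/3.5.4."""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"     # SOAP 1.1 envelope namespace
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"         # SAML 1.0 protocol namespace
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"         # SAML 1.0 assertion namespace
DS = "http://www.w3.org/2000/09/xmldsig#"               # XML-DSig namespace
NS = {"SOAP-ENV": SOAP, "samlp": SAMLP, "saml": SAML, "ds": DS}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)   # keep the thesis' prefixes in serialized output

REQUEST_ID = "128.14.234.20.12345678"      # RequestID used in the thesis example


def build_soap_request(request_id, domain, name):
    """Requester side: the SOAP body carrying a samlp:Request/AuthenticationQuery."""
    env = ET.Element("{%s}Envelope" % SOAP)
    body = ET.SubElement(env, "{%s}Body" % SOAP)
    req = ET.SubElement(body, "{%s}Request" % SAMLP,
                        MajorVersion="1", MinorVersion="0", RequestID=request_id)
    query = ET.SubElement(req, "{%s}AuthenticationQuery" % SAMLP)
    subj = ET.SubElement(query, "{%s}Subject" % SAML)
    ET.SubElement(subj, "{%s}NameIdentifier" % SAML, SecurityDomain=domain, Name=name)
    return ET.tostring(env, encoding="unicode")


def soap_post(host, path, body):
    """The HTTP request of section 3.5.4 with a real Content-Length."""
    headers = ["POST %s HTTP/1.1" % path, "Host: %s" % host, "Content-Type: text/xml",
               "Content-Length: %d" % len(body.encode("utf-8")),
               "SOAPAction: http://www.oasis-open.org/committees/security"]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def request_id_of(xml_text):
    """Responder side: the RequestID to echo back in InResponseTo."""
    req = ET.fromstring(xml_text).find("SOAP-ENV:Body/samlp:Request", NS)
    return None if req is None else req.get("RequestID")


def check_soap_response(xml_text, expected_request_id):
    """Requester side: (ok, reason) for the SOAP-bound samlp:Response."""
    try:
        env = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    resp = env.find("SOAP-ENV:Body/samlp:Response", NS)
    if resp is None:
        return False, "no samlp:Response in SOAP body"
    # Correlate with the request we sent, so a stale or replayed reply is not accepted.
    if resp.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match our RequestID"
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "samlp:Success":
        return False, "status is not samlp:Success"
    # Presence only: a real consumer verifies this XML-DSig against the issuer's key.
    if resp.find("ds:Signature", NS) is None:
        return False, "response is unsigned"
    if resp.find("saml:Assertion/saml:AuthenticationStatement", NS) is None:
        return False, "no AuthenticationStatement in response"
    return True, "ok"


# Constructed sample reply, as the identity provider would return it.
SAMPLE_RESPONSE = (
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="{soap}"><SOAP-ENV:Body>'
    '<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" xmlns:ds="{ds}" '
    'MajorVersion="1" MinorVersion="0" ResponseID="128.14.234.20.90123456" InResponseTo="{rid}">'
    '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
    '<ds:Signature><ds:SignedInfo/><ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>'
    '<saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID="128.9.167.32.12345678" Issuer="NCTU SELab">'
    '<saml:Conditions NotBefore="2010-07-03T10:00:00Z" NotAfter="2010-07-03T10:05:00Z"/>'
    '<saml:AuthenticationStatement AuthenticationMethod="password" AuthenticationInstant="2010-07-03T10:02:00Z">'
    '<saml:Subject><saml:NameIdentifier SecurityDomain="nctu.edu.tw" Name="9679531"/></saml:Subject>'
    '</saml:AuthenticationStatement></saml:Assertion></samlp:Response>'
    '</SOAP-ENV:Body></SOAP-ENV:Envelope>'
).format(soap=SOAP, samlp=SAMLP, saml=SAML, ds=DS, rid=REQUEST_ID)


if __name__ == "__main__":
    req = build_soap_request(REQUEST_ID, "nctu.edu.tw", "9679531")
    print(soap_post("estore.nctu.edu.tw", "/SamlService", req))
    print(check_soap_response(SAMPLE_RESPONSE, REQUEST_ID))
```

The responder echoes the RequestID it parsed, and the requester refuses any reply whose InResponseTo differs from the identifier it generated; this is the binding-level check that stops a reply for one query being presented as the answer to another. The five-minute Conditions window in the sample response is the thesis' own value and would be enforced by the assertion consumer, as in the previous example.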
( )
4.1
(Service Provider) (Content Provider) DRM
SAML-based DRM CPU: Intel Core Duo 1.66 GHz, 3072 MB, Windows XP
Windows IIS Microsoft asp.net Oracle
: Microsoft IIS 5.1
: Simple SAML
: DRM
: Oracle 9i
: Visual Studio 2008, VB.net
4.2
-( )
:
21 Identity Server
22
( 19635 ) (
23 ( 5 ) 22 ( 3 ) 24 (2010/8/3)
25 Play
4.3
-( ) : ( Identity Server) 26Identity Server
27
(
DRM )
29 ( 10 ) 30 (2013/4/23) 31 Play
5.1
DRM DRM DRM DRM SAML-based DRM SAML-based DRM DRM DRM 2 DRM DRM SAML SAML SAML Advanced SAML-based DRM 32 SAML DRM ( 32 DRM System A DRM System B)VISA VISA
[1] Piyali Mandal, Ashish Thakral, Shekhar Verma, Watermark Based Digital Rights Management. IEEE Information Technology: Coding and Computing, 2005 (ITCC 2005), vol. 1, pp. 74-78, 2005.
[2] Microsoft, Windows Media Digital Rights Management, [On-line]. Available: http://www.microsoft.com/windows/windowsmedia/howto/articles/drmarchitecture.aspx
[3] Apple, Thoughts on Music, [On-line]. Available: http://www.apple.com/hotnews/thoughtsonmusic/
[4] , DRM , http://www.caidiy.com/drm/
[5] , http://www.trustview.com.tw/tw/qa.aspx
[6] OASIS SAML 2.0, [On-line]. Available: http://www.oasis-open.org/specs/#samlv2.0
[7] , XrML , , ,
[8] Microsoft, Digital Rights Management, [On-line]. Available: http://www.microsoft.com/windows/windowsmedia/tw/drm/
[9] C. Conrado, F. Kamperman, G.J. Schrijen, and W. Jonker, Privacy in an Identity-based DRM System, IEEE Proceedings of the 14th International Workshop on Database and Expert Systems Applications (DEXA 03), Prague, September 2003, pp. 385-395.
[10] , , , ,
[11] David Orrell, Eduserv Athens Authentication Systems and Single Sign-On (SSO), EuroCAMP, 7-9 November 2005, Porto, Portugal.
[12] Eve Maler, SAML Basics: A Technical Introduction to the Security Assertion Markup Language, XML Technology Center, Sun Microsystems, Inc.
[13] Wikipedia, SAML, [On-line]. Available: http://en.wikipedia.org/wiki/SAML
[14] , , ,
[15] , http://www.easycard.com.tw/
[16] Tom Scavo, Security Assertion Markup Language: A Brief Introduction to SAML, NCSA.
[17] Bok-Nyong Park, Jae-Won Kim and Wonjun Lee, PRECEPT: A Privacy-Enhancing License Management Protocol for Digital Rights Management, Proceedings of the 18th International Conference on Advanced Information Networking and Applications, Vol. 1, pp. 574-579, 2004.