[STANDARDS in a nutshell] Willms Buhse and Jan van der Meer

The Digital Rights Management

he Open Mobile Alliance secure distribution of digital content is solutions for content services across (OMA) is an industry forum a DRM system. The need for interoper- mobile networks, but in a network- with nearly 400 members ability and, hence, for a standardized and content-agnostic manner. These representing the entire DRM system, has led to sustained work DRM systems can then be used for any mobile industry value chain, within the OMA, while outside the OMA content in a wide variety of environ- Tincluding the telecommunications, some DRM standardization work was ments, services, and devices. information technology, and content also conducted. Content services do not industries. The OMA focuses on devel- benefit from market fragmentation and ISSUING BODY AND SCHEDULE oping market-driven, interoperable require a strong, open DRM standard The OMA was created in June 2002 mobile service enablers for the rapidly with wide adoption. Backed by its initial through the consolidation of the Open converging communications, entertain- focus on mobile, the convergence of Mobile Architecture initiative and the ment, and media worlds. OMA digital mobile services into home entertain- Wireless Application Protocol (WAP) rights management (DRM) systems are ment devices, and its suitability for use Forum. As mentioned earlier, the OMA important examples of such enablers. in nonmobile IP-based delivery chan- develops enablers, which are published Although they have been developed for nels to the home, the OMA DRM system in a two-step approach. When the tech- the mobile market, these systems has the potential of achieving this goal. nical development is finished, the speci- assume network and bearer-agnostic In response to an urgent market need fication is published as a candidate delivery of the content over Internet for a relatively simple protection system enabler, which serves as the basis for protocol (IP). This assumption makes for light media content (such as ring the first round of product implementa- OMA DRM systems suitable for use in tones, screensavers, and music tracks), tions. Next, interoperability testing any environment where the content is the world’s first open DRM standard was takes place and, if needed, refinements delivered over IP, which is true of a very released for mobile devices in the form of of the candidate enabler are performed. wide array of applications. In this arti- the OMA DRM 1.0 specification. As a next The enabler is considered mature as cle, we overview the OMA DRM systems, step, OMA DRM 2.0 was developed, with soon as interoperability is proven, at position them in the larger context of a focus on high-value premium content which time the specification is pub- DRM work, and describe their most (such as music, audiovisual clips, lished as an approved enabler. important features. movies, animated color screensavers, and The OMA DRM 1.0 specification was games.) This standard allows operators, published as a candidate enabler in BACKGROUND content providers, and consumers to November 2002 and as an approved take advantage of expanded device capa- enabler in September 2004. The OMA MOTIVATION bilities such as downloading and stream- DRM 2.0 specification was published as a The mobile content market is expected ing of rich media content. OMA DRM 2.0 candidate enabler in February 2004 and to reach US$30 billion worldwide by offers greater security and trust manage- (after extensive testing outlined in a later 2008, with about 1 billion devices being ment, provides largely improved user section) as an approved enabler in April released to the market every year. To convenience, and supports a wide variety 2006. The OMA DRM 2.0 tests have con- keep up with this growth, new content of distribution and payment use cases, tinued since then for the sole purpose of delivery business models are evolving at thereby opening up a new world of busi- testing product implementations. fast rates. The success and profitability ness opportunities for innovative servic- of these models depend upon the ability es. Throughout this article we will briefly STRUCTURE OF THE STANDARD of the content and service providers to refer to OMA DRM 1.0 and focus primari- The OMA DRM 2.0 specification consists ensure a “trusted environment,” with a ly on OMA DRM 2.0. of the DRM Requirements Document, secure end-to-end trust model and the DRM Architecture Document, the billing mechanism that prevents piracy OBJECTIVES DRM Content Format, the DRM Rights and secures the rights to consume and The objective of the OMA DRM sys- Expression Language (REL), and the distribute content. The basis for a tems is to provide standardized DRM (core) DRM specification. The DRM

1053-5888/07/$25.00©2007IEEE IEEE SIGNAL PROCESSING MAGAZINE [140] JANUARY 2007 Requirements Document contains The main focus of OMA DRM 2.0 is informative use cases and a set of nor- OMA DRM RESOURCES on mobile content services. However, mative market and engineering require- The Standard from a user convenience perspective, it ments. The DRM Architecture • OMA DRM 1.0: http://www.open- is very desirable that the protected con- Document describes the architecture of mobilealliance.org/release_program/ tent be consumed not only on mobile the OMA DRM 2.0 system. The DRM drm_v1_0.html phones but also on other user devices. content format describes the secure file • OMA DRM 2.0: http://www.open- User convenience is a major condition format(s) for download of OMA DRM mobilealliance.org/release_program/ for consumer acceptance of a DRM sys- drm_v2_0.html 2.0-protected content and is based on tem. Therefore, OMA DRM 2.0 intro- the ISO base media file format (ISO Tutorials, Overviews, Books duces the concept of so-called domains. 14496-12). Two formats are defined: the • E. Becker, W. Buhse, D. Equivalent to the user experience with Günnewig, and N. Rump, Digital DRM content format (DCF) and packe- CDs and DVDs, OMA DRM 2.0 enables Rights Management—Technologi- tized DCF (PDCF). With DCF, which is sharing of protected content between cal, Economic, Legal and Political intended for discrete media such as ring Aspects. (An 800 page compendium OMA DRM 2.0-compliant devices within tones, music tracks, and still pictures, from 60 different authors on DRM.) the home by creating a domain that the content in the file is encrypted as a Berlin: Springer-Verlag, 2003. contains all these devices. The devices single object, irrespective of its internal Resources for further developments may belong to the same user or to other structure and layout. With PDCF, • Group in charge of the OMA users within that domain, such as fami- intended to protect continuous media DRM system: BAC-DLDRM; DLDRM ly members or friends. such as audio and video, the content in portal accessible (for OMA members) In OMA DRM 2.0, the creation of the file is encrypted on a packet-by-pack- via the OMA site: http://www.open domains and the sharing of content with- et basis. PDCF supports streaming and mobilealliance.org/ in a domain are controlled by the RI. random access to the packetized con- • Email discussion list (for OMA When the user buys a new device, that tent. Either no encryption can be used members): [email protected] device can be added to the personal or the AES symmetric encryption mobilealliance.org domain by sending a registration request • OMA DRM 2.0 client conformance method as defined by NIST, in Cipher to the RI, upon receipt of which the RI test tool (only for OMA members): Block Chaining mode or in Counter sends the device and domain keys to the http://www.openmobilealliance.org/t mode (AES_128_CBC or AES_128_CTR, estfest/ and http://www.openmo- new device as appropriate. The domain respectively), can be used. The DRM bilealliance. org/testfest/IOP-DRM20- concept allows various use cases, such as REL is used to express the rights to con- TestFest.html 1) automatic content synchronization sume OMA DRM 2.0 protected content. • OMA DRM interoperability test- between the devices within a domain As for OMA DRM 1.0, OMA DRM 2.0 REL ing (for non-OMA members): after downloading new “domain content” is based on the open digital rights lan- [email protected] on one of the devices within said domain, guage (ODRL). The (core) DRM specifi- whereby new content becomes available cation defines the remaining elements of media object from leaving the device, 2) on all devices within that domain; 2) the OMA DRM 2.0 system such as: 1) the combined delivery for distributing a usage of domain content on “unconnect- rights object acquisition protocol protected media object jointly with the ed devices” (for example, a portable media (ROAP) suite specifying the communi- rights to consume it, and 3) separate player without connection to the wireless cation between a rights issuer (RI) and delivery for separate distribution of a network and without Internet browsing the DRM agent in a device, 2) the protected media object and the rights to capabilities, but with a inter- domain concept, allowing access to consume it. In particular, separate deliv- face that is used to convey the protected DRM content on a number of devices, ery allows users to legitimately forward content and associated rights); and 3) and 3) a certificate revocation mecha- a protected media object to other users, automatic download of video at different nism for RI and device certificates such as their friends and family. resolutions (for example, if a video clip is based on the online certificate status Recipients cannot consume the protect- downloaded to a mobile phone for use protocol (OCSP). ed content until they have requested the within a domain, and if the RI knows that rights to consume it from the RI. This the domain also contains a set-top-box TECHNOLOGY innovative marketing concept, called (STB) that requires a higher-quality video superdistribution, uses peer-to-peer than the mobile phone, then the RI can FUNCTIONALITIES data transfer to its advantage rather send a message that the video clip is also OMA DRM 1.0 is a simple protection than positioning it as a threat. The available for download at higher video system for single media objects (such as rights associated with superdistributed resolution for use on the STB). a ring tone or a music track) and sup- content enable revenue collection to be OMA DRM 2.0 distributes protected ports three basic functionalities: 1) for- independent of how the digital goods content in encrypted form using a con- ward lock to prevent an unprotected were distributed. tent key. By means of an access license

IEEE SIGNAL PROCESSING MAGAZINE [141] JANUARY 2007 [STANDARDS] continued carried in a rights object (RO), users can obtain the rights to consume the con- Unique Device Key tent either on a specific device or within Content Encrypt Content a specific domain. The access license Packager Content Content contains the content key and is encrypt- with ed for use by the specific target device or Key domain by means of the unique device or domain key, respectively. The OMA DRM 2.0 agent on the device decrypts License Encrypt License the access license by means of the device Server for or domain key, retrieves the content key Specific from the access license, and decrypts the Device Domain content during its consumption, as illustrated in Figure 1. [FIG1] Basic block diagram of an OMA DRM 2.0 system.

ARCHITECTURE The functional architecture of OMA DRM 2.0 is illustrated in Figure 2. Let us Transfer Content assume that a user is browsing the Web Encryption Key Content 2 Rights site of a content issuer; there he/she Issuer Issuer finds exciting content and decides to download it. By means of information Establish Browse to Web Site contained within the downloaded data, Trust, 1 and Download Purchase Rights 3 Purchase the OMA DRM 2.0 agent connects to the Protected Content and Establish Trust 6 and RI to allow purchase of the rights to Deliver 4 consume the content. After mutual Deliver Protected Rights George's Devices Rights Object Objects authentication and trust verification Unconnected 5 Super-Distribute between the RI and the device, the rights Devices Content to a Friend associated to the downloaded content are purchased, upon which the RI deliv- ers the protected RO. In this example, Share Content Within Your Domain Sarah's the rights allow consumption on the Phone devices within a specific domain. If the user is enthusiastic about the [FIG2] The OMA DRM 2.0 functional architecture. purchased content, he/she may send the downloaded content (or its URL) to a friend with a promotional message. That adoption on over 460 mobile phone mod- those of OMA DRM, it should be noted friend can then purchase the content els and server-side implementations on that these choices do not have a strong following the same procedure. This five continents. OMA DRM offers unique impact on market adoption. Far more example shows the OMA DRM 1.0 con- and compelling features and enables a important are the provided security and cept of superdistribution, which is fur- competitive and innovative market with user convenience features of the DRM ther developed in OMA DRM 2.0. Users offerings from many different vendors. system, which, in the case of OMA DRM, are free to share protected content, and Further, OMA DRM offers implementers are born out of successful industry-wide free previews may be available to enable the ability to innovate and distinguish in cooperation within the OMA. users to sample content, but the rights the market by means of manufacturer- to fully use the content must be pur- specific added value. PERFORMANCE chased separately by each consumer. Other open DRM standards are evolv- Because interoperability is crucial in a ing too, some of which provide a frame- standards-driven industry, the OMA COMPARISON WITH work for DRM systems rather than a organizes Test Fests to enable vendors OTHER STANDARDS complete end-to-end solution, thereby to verify and test the interoperability of Several proprietary standards have offering choices on how to achieve inter- their product implementations. In May entered the market, each controlled by a operability across networks, devices, and 2005, the interoperability of OMA DRM single company. In contrast to propri- geographies and putting interoperability 2.0 implementations was tested for the etary standards, OMA DRM is an open, at risk. While technology choices in first time at an OMA Test Fest. Five global DRM standard with major market other DRM systems may differ from more Test Fests followed in subsequent

IEEE SIGNAL PROCESSING MAGAZINE [142] JANUARY 2007 ing content rights to secure removable OMA DRM PRODUCTS media; and 3) secure content exchange to address the import of content protect- • OMA DRM 1.0: It is used by many mobile operators in their services across the ed by non-OMA systems and various globe—mainly for ring tone distribution and full music track downloads—and domain enhancements. This extension accepted by all music labels today protecting revenues worth billions of U.S. dollars. specifies mechanisms for a trusted device It is currently supported on more than 550 handset models, with superdistribution within the home to “translate” imported supported on more than 280 handset models. An overview of OMA 1.0 handset models is available at http://www.coremedia.com/ en/88632/drm content into OMA DRM protected con- tent. A user can be subscribed to more • OMA DRM 2.0: First (pre-)commercial OMA DRM 2.0-based services for music than one service with involvement of delivery, mobile TV, and games services were introduced/announced by several mobile operators, such as , Digita, Orange, SK Telecom, multiple RIs, which easily leads to multi- , and others. ple domain definitions for the same user. • The first handsets with OMA DRM 2.0 support are available on the market, with To improve user convenience in such more being developed. An overview of OMA 2.0 handset models is available at cases, the option to create a user-centric http://www.coremedia.com/en/88632/drm domain on top of one or more OMA DRM • OMA DRM 2.0 clients (for mobile phones, media players, and PCs) and servers 2.0 domains is defined. Furthermore, the available from various parties. An impression of involved companies can be retrieved capability of sharing OMA DRM protect- from http://product.openmobilealliance.org/, which also includes lists of (publicly ed content with other users is extended. known) DRM 2.0 Test Fest participants. RESOURCES Relevant resources for the OMA DRM months, with testing of 64 client and 28 FURTHER TECHNICAL standards are listed in the “OMA DRM server implementations over a period of DEVELOPMENTS Resources.” Test Fests are organized for six months. By the end of 2005, more The OMA continues to work on exten- testing purposes, and a test tool is avail- than 10,000 interoperability tests were sions of OMA DRM 2.0, which will lead to able for device implementations. conducted successfully in over 200 separate enablers that will reference intercompany product combinations. OMA DRM 2.0. Each of these extensions PRODUCTS Based on the success of this extensive can be used alone and will have their OMA DRM 1.0 is very successful on testing, OMA decided to approve OMA own interoperability testing programs to the market, with an estimated market DRM 2.0 in March 2006. allow progress from candidate to penetration of 97%. Following the The OMA DRM 2.0 Test Fests contin- approved enabler. The extensions under- announcement of the publication of ue after the publication of the approved way include a mechanism for detailed OMA DRM 2.0 earlier in 2006, several enabler for the sole purpose of testing metering of content usage (to be speci- mobile carriers announced OMA DRM product implementations, but only as fied in OMA DRM 2.1 and to be fully 2.0-compliant content services. long as sufficient vendors participate in compatible with OMA DRM 2.0) as well Typically, this reflects a natural migra- such tests. To help new vendors in the as extensions in the following areas: 1) tion path from OMA DRM 1.0 to OMA OMA DRM 2.0 market, the OMA also broadcast of OMA DRM protected con- DRM 2.0. The first handsets with OMA decided to support the development of tent to enable secure content services DRM 2.0 support have already entered an official OMA DRM 2.0 client confor- across broadcast channels such as DVB- the market. A summary of relevant mance test tool (CTT) provided by H, MBMS, BCMCS, DMB, and DAB. For products is included in “OMA DRM CoreMedia for conformance testing. The this purpose, binary Ros are defined, as Products”. CCT provides a complete DRM environ- well as save permissions (for superdistri- ment for testing devices and enables bution of broadcast content), subscriber AUTHORS companies to check their DRM agent groups, key stream handling, token- Willms Buhse (willms.buhse@coreme- implementation against the OMA DRM based metering of content usage, etc.; 2) dia.com) is head of products and market- 2.0 client conformance tests. Parti- secure removable media to enable bind- ing with CoreMedia, Hamburg, Germany, cipation in OMA DRM 2.0 Test Fests is ing of protected content to secure re- and is vice chair of the OMA working open to OMA members, but devices are movable media such as MultiMediaCard group that develops the OMA DRM required to reach a sufficient level of (MMC) or Secure Digital memory card System within the OMA. maturity in conformance testing prior to (SD), so that the content can be con- Jan van der Meer (jan.vandermeer Test Fest participation. Therefore, any sumed by an OMA DRM agent. In this @philips.com) is senior standardization vendor wishing to attend the Test Fest context; it should be noted that OMA manager with Philips Electronics, with an OMA DRM 2.0 client implemen- DRM 2.0 binds content rights to devices Eindhoven, The Netherlands, and chairs tation is required to submit a client CTT or domains and that this extension will the OMA working group that develops the report to gain entry. specify the additional capability of bind- OMA DRM system within the OMA. [SP]

IEEE SIGNAL PROCESSING MAGAZINE [143] JANUARY 2007