23 research outputs found

    A Short Study into Security Delay Frustration

    This report discusses a small experiment to investigate the amount of time users are willing to wait for applications to load before they become frustrated. In particular, the experiment investigates whether users are willing to wait longer if they are aware that a security operation needs to be performed before loading the application. Our results show that users are willing to wait, on average, 5.5 seconds longer for applications to load if they are aware of a security operation

    Specifications for a Componetised Digital Rights Management (DRM) Framework

    This document lays out the specifications for a componentised DRM system. Requirements for a general DRM system are discussed, and we detail a set of components that address these requirements. This document also details the specific services that should be offered by each component and specifies the communication protocols and contents of these messages. Each of the components of the DRM system is a fully fledged web service, and thus some of these components can be used in areas other than DRM. Furthermore, we envisage existing services, such as Certificate Authorities, easily fitting into our proposed framework

    Persistent Access Control: A Formal Model for DRM

    Digital rights management (DRM) can be considered to be a mechanism to enforce access control over a resource without considering its location. There are currently no formal models for DRM, although there has been some work in analysing and formalising the interpretation of access control rules in DRM systems. A formal model for DRM is essential to provide specific access control semantics that are necessary for creating interoperable, unambiguous implementations. In this paper, we discuss how DRM differs as an access control model from the three well-known traditional access control models -- DAC, MAC and RBAC, and using these existing approaches motivate a set of requirements for a formal model for DRM. Thereafter, we present a formal description of LiREL, a rights expression language that is able to express access control policies and contractual agreement in a single use license. Our motivation with this approach is to identify the different components in a license contract and define how these components interact within themselves and with other components of the license. A formal notation allows for a uniform and unambiguous interpretation and implementation of the access control policies

    Using Payment Gateways to Maintain Privacy in Secure Electronic Transactions

    Because many current payment systems are poorly implemented, or because of incompetence, private data of consumers such as payment details, addresses and their purchase history can be compromised. Furthermore, current payment systems do not offer any non-repudiable verification to a completed transaction, which poses risks to all the parties of the transaction -- the consumer, the merchant and the financial institution. One solution to this problem was SET, but it was never really a success because of its complexity and poor reception from consumers. In this paper, we introduce a third party payment system that aims to preserve privacy by severing the link between their purchase and payment records, while providing a traceable transaction that maintains its integrity and is non-repudiable. Our system also removes much of the responsibilities placed on the merchant with regard to securing sensitive data related to customer payment, thus increasing the potential of small businesses to take part in e-commerce without significant investments in computer security

    Extending ODRL to Enable Bi-Directional Communication

    Current rights expression languages (RELs) only allow for rights holders to dictate terms to the end users. This limits their use as a means for negotiating electronic contracts and end users are not able to request changes in their rights contracts. In this paper we propose extensions to ODRL that allow end users to request changes and for the rights holder to grant or deny these changes. These extensions allow the end user to request changes to their current rights, and for the rights holder to grant or refuse the request. We also provide two examples to demonstrate possible uses of our extensions. The extensions we discuss can also be implemented in other RELs like XrML

    DRM Use License Negotiation using ODRL v2.0

    In [9], Camp discussed why DRM is not equivalent to copyright enforcement. In 2005, Arnab et al. discussed how DRM is in fact the enforcement of licensing agreements, and promoted the use of negotiation in DRM as a mechanism to handle fair use scenarios [3]. In this paper, we detail negotiation protocols for two of the three types of negotiation -- bidding and bargaining (the third type, auctioning, can easily be handled without any new technology). We motivate the correctness and completeness of our protocols through the use of Petri net modeling. We also motivate the use of the latest draft of the ODRL v2.0 rights expression language (REL) as a language for expressing negotiations in DRM systems. By using a REL in the protocol specifications we remove the need to translate between the protocol and the rights expression language, thus speeding up the overall license acquisition process and reducing the risk of translation errors

    Verifiable Digital Object Identity System

    Identification is a two-part system comprising a token or label (an identifier) that can be used to reference an entity and a process that can be used to create label-entity associations and verify that the reference and entity belong together. There are a number of identity systems for digital objects that provide identifiers (such as the Handle system, the DOI and URIs). However, none of these systems provide verification services. The primary application for our proposed system is in a DRM system, where it is necessary to correctly match users' use licenses to the digital objects covered by the use licenses. In such a case, incorrect associations are effectively failures of the system, and could have wide ranging legal and economic impact, depending on the nature of the protected data. In this paper we present an identity system for digital objects that supports verification and the related details such as the identifier format, the verification process as well as a protocol to create identifiers for digital objects

    Distributed DRM System

    There is no standardised framework for digital rights management (DRM). With the proliferation of DRM systems, there is an increasing need for portability across multiple platforms and DRM systems. Current DRM systems can also be considered incomplete. Some DRM systems are not scalable enough; some are too focused on a particular application/file format and most do not have adequate mechanisms to address all the needs of the end users of the DRM protected works. In this paper we outline a proposal for an open, componentized rights management framework. This framework includes the architecture and a set of features that we believe solves the requirements for a DRM system

    Digital Rights Management - A current review

    Digital Rights Management (DRM) systems aim to create a secure framework to control access and actions that can be performed by users (both human and machine). DRM technologies have become very important in an increasingly networked world because they promise the owner of the file persistent control over the file even when the file leaves the owner's machine. They are not only useful in combating piracy (which is currently the main use of DRM systems) but also for protecting sensitive documents in enterprises. DRM systems can be seen to fit at various levels on a computer system - at an application layer, which is currently seen in applications like Apple iTunes; at an operating system level like Microsoft's Rights Management System (RMS) in Windows Server 2003 or at a hardware level like Content Scramble System (CSS) in DVD players. However, current DRM systems are mostly not interoperable and in most cases either do not provide all the requirements expected by the customer or do not provide a totally secure framework. DRM systems that are used for copyright enforcement give rise to many legal questions mostly revolving around the amount of control the copyright holder has over their creations once they have been distributed to the users. Many of the legal questions do not affect DRM systems for enterprises, but most of the technical requirements are the same. This report gives a broad overview of the current state of DRM systems and their strengths and weaknesses. It starts by looking at the legal requirements of the system to satisfy both the right holders and the end consumers. We then discuss the structure of DRM systems, their characteristics and how well they satisfy the legal requirements. Finally we review three types of DRM systems and how well they satisfy the requirements desired in a DRM system