Lecture Notes in Computer Science:

Trusted DRM on P2P Network
Chou-Chen Yang (1), Jyun-Yi Jiang (2), and Ju-Chun Hsiao (2)
(1) Department of Management Information Systems, National Chung Hsing University, Taichung 402, Taiwan, R.O.C; cc.yang@nchu.edu.tw
(2) Department of Management Information Systems, National Chung Hsing University, Taichung 402, Taiwan, R.O.C; {g9629004, g9729001}@nchu.edu.tw
Received 13 July 2009; Revised 19 August 2009; Accepted 8 September 2009
Abstract. Peer-to-peer file sharing has become a common tool for exchanging digital content on the Internet. However, because a large number of unauthorized files are distributed over peer-to-peer networks, users may download files without copyright permission and thus violate intellectual property rights unknowingly. In this paper, we propose a trusted system named TDRM, which aims to ensure that every exchanged file is exchanged legally. TDRM is built on a hybrid P2P structure and adopts technologies including an identity-based cryptosystem, digital rights management, secure authentication, and a payment mechanism. We also show that our scheme is more secure and efficient, scales well, and has low computational cost.
Keywords: Peer-to-peer network, digital rights management, trusted computing, identity-based cryptosystem
1 Introduction
With the rapid advance of network technologies, communicating with others to share files or search for information has become easier and easier. Therefore, it has become one of the major motives that attract people to use the Internet. According to [1], Internet World Stats indicates that the number of Internet users worldwide had already exceeded 1.5 billion. Another report [2] shows that the number of broadband subscribers had reached at least 410.9 million by 2008. The more users use the Internet, the more files are exchanged. But with the traditional client-server architecture, a bottleneck often occurs at a popular web server. To address this, peer-to-peer (P2P) technology became a new medium between users and offloads work from the central server. However, the files exchanged on P2P networks are not all authorized by rights owners. Users, and even P2P software companies, may be charged with piracy. The companies Napster [3-7] and Grokster [8] faced accusations in 2001 and 2005 respectively.
To prevent copyright infringement, digital rights management (DRM) technology is a common means of encrypting digital content with a secret key (license). Copyright owners rely on the DRM module installed on customers' devices to control authorized usage. In the beginning, DRM technology was applied in a client-server architecture, but when license purchase requests increased and were concentrated in a few license servers, it also encountered bottleneck problems. Hence, some researchers [9-14] combined P2P networks with DRM technology. Unfortunately, they did not provide detailed illustrations of how to implement their protocols. In this paper, we propose a novel Trust-DRM (TDRM) system that establishes a trusted DRM module to let users exchange (sell or buy) files on a P2P network legally, while also protecting secret payment information from possible malicious attacks.
The remainder of this paper is organized as follows: peer-to-peer networks, DRM technology, and identity-based cryptosystems are introduced briefly in section 2. Our proposed TDRM system is introduced in section 3. The TDRM security analysis is explained in section 4. The performance analysis is presented in section 5. The conclusion is given in section 6.

Correspondence author: Chou-Chen Yang
Yang et al: Trusted DRM on P2P Network
2 Related Works
2.1 Peer-to-peer Network
In a peer-to-peer (P2P) network, each node not only acts as a client to request data, but also acts as a server to provide data. In the simplest P2P network, nodes transmit resources among themselves without the involvement of any central server infrastructure. Owing to different requirements, P2P network systems may be divided into three categories.
Centralized P2P system: A centralized P2P system has a central server that manages all peers' real-time IP addresses and records the index values of all shared files. Every peer can search for a resource easily by just sending a search request to that central server. However, the major disadvantage of the centralized P2P system is its poor scalability. As the number of peers grows, the central server may become a bottleneck and degrade the efficiency of the whole network. Napster [3-7] is an example of a centralized P2P system.
Decentralized P2P system: This kind of P2P system can be divided into structured and unstructured. Decentralized structured P2P systems are generally based on the distributed hash table (DHT) [15]. The nodes construct a specific network topology that tightly controls resource placement. Most research on distributed resource search is based on the DHT method. These methods achieve load balance effectively as a result of the hash function's characteristics. Examples of such systems include Chord [16], CAN [17], Pastry [18] and Tapestry [19]. In decentralized unstructured P2P, by contrast, there is no fixed structure; each node may join and leave freely. Both Gnutella [20, 21] and Freenet [22] belong to the decentralized unstructured P2P category.
Hybrid P2P system: Some researchers combine the advantages of the centralized and decentralized P2P systems to propose a new P2P system: the hybrid P2P system. Some nodes act as super nodes that have strong capabilities, e.g. bandwidth, computing speed and reliability. Each super node has an index table to manage a set of local peers. Therefore, a super node and its managed local nodes compose a centralized P2P system, and all super nodes together compose a decentralized P2P system. An example of such a system is eMule [23].
2.2 Digital Rights Management
Because digital contents are vulnerable to copying, tampering, and spreading, a currently popular mechanism for protecting digital intellectual property is digital rights management (DRM) [24]. A DRM system allows digital content publishers to define and enforce restrictions on how their contents are used. It protects, monitors, and traces the relation between tangible (e.g. CDs) or intangible (e.g. digital documents) assets' copyright and its owner. According to payment, different users may have different levels of rights, and the usage rules are recorded in the license.
2.3 Identity-based Cryptosystem and Bilinear Pairings
The concept of the identity-based cryptosystem was first proposed by A. Shamir in 1984 [25]. In 2001, the first practical identity-based encryption (IBE) scheme was proposed by Boneh et al. [26]. In 2002, an identity-based signature (IBS) scheme was proposed by Paterson [27]. The security of IBE and IBS is based on the elliptic curve discrete logarithm problem and the bilinear Diffie-Hellman problem [27-31], and both use the properties of the bilinear pairing on elliptic curves. In the IBE and IBS schemes, each user can use his well-known and unique identity, such as an IP address or e-mail address, as his public key. The basic definition and properties of the bilinear pairing are as follows [32, 33]:
Let $G_1$ be an additive group of prime order $q$ and $G_2$ a multiplicative group of the same order $q$. A bilinear pairing is a computable bilinear map between the two groups. We let $e$ denote a general bilinear pairing map. Therefore, the bilinear pairing is a map $e : G_1 \times G_1 \to G_2$ on the elliptic curve that satisfies the following properties:
(1) Bilinear: for all $P, Q, R \in G_1$ and $a, b \in Z_q^*$,
$e(P + Q, R) = e(P, R) \cdot e(Q, R)$,
$e(P, Q + R) = e(P, Q) \cdot e(P, R)$,
$e(aP, bQ) = e(abP, Q) = e(P, abQ) = e(P, Q)^{ab}$.
(2) Non-degenerate: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.
(3) Computable: for all $P, Q \in G_1$, there is an efficient algorithm to compute $e(P, Q)$.
(4) Symmetric: for all $P, Q \in G_1$, $e(P, Q) = e(Q, P)$.
Journal of Computers Vol.20, No.3, October 2009
3 Proposed TDRM on P2P
3.1 System Architecture
Table 1 defines the notations used in this paper. We design a TDRM system to provide users with a fully legal P2P network environment. TDRM has three features: 1) every component of TDRM can exchange messages securely with every other; 2) a file owner can protect his digital content from unauthorized users; 3) a reliable payment mechanism. In the proposed TDRM system, both file owners and file forwarders contribute to the P2P network. File owners create various digital contents, and file forwarders help speed up transmission in the P2P network. Therefore, when a user pays some expense to play a file, the expense is distributed to both the file owner and the forwarder. The system architecture of the proposed TDRM is shown in Fig. 1.
Table 1. Notation table
Notation: Description
$s$ / $sP$: The private / public key of the trust server
$K_{DRM_C}$: A DRM key in the DRM module
$Sign_{U_i}$: A signature from user $i$
$T_i$: Timestamp
$RN_{ij}$: Request number for a session $j$ from user $i$
$R_{ij}$: Random number $j$ from user $i$
$h()$: A general hash function
$H_1()$: An identity-based cryptosystem hash function that hashes a value to a point
$DS$: Dual signature
$MAC$: Message authentication code
$COI$ / $LOI$: Content order information / License order information
$K_{play}$: A key for playing content
$K_{X,Y}$: The session key between $X$ and $Y$, computed by $X$
The three major components of TDRM system and their abbreviations are as follows:
Trust server (TS). The trust server is a crucial part of the entire system, and runs two subsystems for all users: the identity-based cryptosystem and the DRM system. The identity-based cryptosystem is set up by TS to serve as a certificate authority, making sure that secret data such as payment messages or authentication messages are transmitted securely. Given an admissible bilinear pairing $e : G_1 \times G_1 \to G_2$ where $P$ is a generator of $G_1$, TS defines two hash functions $H_1 : \{0,1\}^* \to G_1^*$ and $H_2 : G_2 \to \{0,1\}^n$. TS chooses a random number $s \in Z_q^*$ as the TS private key $SK_{TS}$, and computes the TS public key $PK_{TS} = sP \in G_1$. Finally, TS keeps $s$ secret and publishes $\{G_1, G_2, e, n, P, PK_{TS}, H_1, H_2\}$. Once TS has set up the identity-based cryptosystem parameters, TS can compute a private key for each registered superpeer or user. The DRM system provides content copyright protection for original content publishers. If any user wants to share or buy files on the TDRM P2P system, he must register with TS to get a DRM module that is created by the DRM system of TS. In practice, it would be better for TS to be maintained by a trusted third party (TTP), e.g. a government body.
Superpeer (SP). Several superpeers provide the search service for users. As [34-37] state, the hybrid P2P architecture brings better search results, so we build superpeers into the hybrid P2P architecture. Moreover, considering practical conditions, the role of superpeers was often performed by a P2P software company's server in the past. When users use P2P software to search for and download files illegally, it is hard to declare either the user or the software company guilty of piracy. In the TDRM system there is no piracy problem, so superpeers can be set up by software companies or even by ISPs.
User. When a user joins the TDRM P2P network, he must choose a superpeer to provide service for him, i.e. he is managed within a superpeer's domain. Users can then act in three roles: content requester, content forwarder, or content publisher. A content requester has to pay for downloading files and buying licenses. Every content forwarder has the chance to receive part of the content requester's expenses, and only the original content publisher holds the corresponding license of each file. Therefore, the expense distribution mechanism gives every kind of user an incentive to keep sharing and uploading, and it naturally avoids the free-rider problem in P2P networks.
For the purpose of protecting copyright in our system, all processing for authentication, encryption, and decryption is taken over by the DRM module. A typical user's behavior in the P2P network with TDRM consists of the following six steps:
Initial Connection Phase. After a new TDRM participant gets his identity-based key pair and installs the DRM module on his device, the user chooses a sharing folder for the files he wants to offer. Then the user creates content encryption keys for the different files and encrypts the files to protect copyright. Finally, the DRM module records the sharing information in two index tables and uploads them to a superpeer, declaring what this peer can share.
Content Searching Phase. A content requester sends the name of the file he wishes to download to the superpeer. Using the index tables periodically updated by every peer, the superpeer can reply with a real-time search result.
Download Contents Phase. The content requester chooses a content forwarder from the search result and sends him a file request message. The file request message includes authentication data and a digital signature, so the content forwarder can apply to TS for the uploading commission.
License Request Phase. From the search result, the content requester also learns the file's original publisher. Because only the content publisher holds the license, the requester must send a license request message (similar to the file request message) to buy the license. The content publisher profits from the royalty.
Payment Authentication Phase. Although the user has obtained the file and license in the steps above, he needs to complete this final step to obtain the remaining data needed to decrypt the protected file. That data is collected by TS when the content forwarder and publisher apply for their commissions. In the TDRM system, TS is the trusted organization that handles all payment authentication and expense distribution.
Content Playing Phase. If the user's DRM module receives all the data correctly from TS, the content forwarder, and the content publisher, the DRM module can compute the decryption key and play the clear content.
[Fig. 1 residue: the figure shows the trust server TS (payment management, digital rights management, certificate authority, key management), a superpeer $SP_1$ (search engine, key management), and three users, each running a DRM module with key management, a file-publish module and a search engine: $U_C$ (content requester), $U_D$ (content forwarder) and $U_P$ (content publisher). Arrows: registration and payment authentication between users and TS; payment requests from $U_D$ and $U_P$ to TS; search requests from users to $SP_1$; download contents from $U_D$ to $U_C$; license request from $U_C$ to $U_P$.]
Fig. 1. System architecture of the TDRM
3.2 Preliminary
Registration. All components need to register with TS to get their identity-based key pair. For example, at the start of registration a superpeer $SP_1$ sends a registration request with its unique identity ($SP_1$) to TS. TS computes and returns $SP_1$'s private key $SK_{SP_1} = sH_1(SP_1)$ through a secure channel. If the registration requester is a superpeer, registration is completed when it receives the private key. But if the registration requester is a general user, e.g. a user $U_C$, he needs to make a second request to get a DRM module. The steps are shown in Fig. 2. The DRM module contains the data and keys described below. Note that this information is embedded inside the DRM module and is unknown to users.
$ID_{DRM_C}$: The identity of user $U_C$'s DRM module.
$K_{DRM_C}$: A secret key in the $ID_{DRM_C}$ DRM module. TS computes a different $K_{DRM_C} = h(U_C, s)$ for each user's DRM module. $K_{DRM_C}$ is used to compute the content encryption key in the protected content generation phase.
$K_{play}$: The same $K_{play}$ is in every DRM module. When a user wants to play a file, the license is decrypted with $K_{play}$.
$h()$: A hash function. It is used to generate the content encryption key, payment information, device key, the index of protected content in the sharing folder, and some verification messages.
Superpeer list. A list that records all available superpeers and related information of those superpeers.
[Fig. 2 residue: $U_C$ or $SP_1$ → TS: Registration Request; TS → $U_C$ or $SP_1$: Private Key (secure channel); $U_C$ → TS: DRM Module Request; TS → $U_C$: DRM Module.]
Fig. 2. Registration
Key Agreement. After every component has registered with TS successfully, the session key of any two communicating nodes in the TDRM system can be established easily thanks to the identity-based cryptosystem. As shown in Fig. 3, for example, a user $U_C$ computes the session key with a superpeer $SP_1$ as $K_{U_C,SP_1} = e(sH_1(U_C), H_1(SP_1))$; $SP_1$ computes the session key $K_{SP_1,U_C} = e(sH_1(SP_1), H_1(U_C))$. Both $U_C$ and $SP_1$ use their own private key and the other side's public key to generate the session key. By the bilinear pairing,
$K_{U_C,SP_1} = e(sH_1(U_C), H_1(SP_1)) = e(sH_1(SP_1), H_1(U_C)) = K_{SP_1,U_C}$. Therefore, $U_C$ and $SP_1$ can exchange secret data with this session key.
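Why the two computations agree, written out with the pairing properties of section 2.3 (an added derivation, not part of the original paper):

$$K_{U_C,SP_1} = e(sH_1(U_C), H_1(SP_1)) = e(H_1(U_C), H_1(SP_1))^{s} = e(H_1(SP_1), H_1(U_C))^{s} = e(sH_1(SP_1), H_1(U_C)) = K_{SP_1,U_C}$$

The second and fourth equalities use bilinearity (property 1 with $a = s$, $b = 1$) and the third uses symmetry (property 4). A passive observer sees only the public points $H_1(U_C)$, $H_1(SP_1)$ and $sP$; producing $e(H_1(U_C), H_1(SP_1))^{s}$ from those alone, without one of the private keys $sH_1(\cdot)$, is an instance of the bilinear Diffie-Hellman problem named in section 2.3, which is why the session key is only available to the two endpoints and TS.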
[Fig. 3 residue; the figure gives the three key computations: (a) $U_C$: $K_{U_C,TS} = e(sH_1(U_C), sP)$, TS: $K_{TS,U_C} = e(H_1(U_C), sP)^s$; (b) $SP_1$: $K_{SP_1,TS} = e(sH_1(SP_1), sP)$, TS: $K_{TS,SP_1} = e(H_1(SP_1), sP)^s$; (c) $U_C$: $K_{U_C,SP_1} = e(sH_1(U_C), H_1(SP_1))$, $SP_1$: $K_{SP_1,U_C} = e(sH_1(SP_1), H_1(U_C))$.]
Fig. 3. Key agreement between: (a) UC and TS (b) SP1 and TS (c) UC and SP1
3.3 Initial Connection Phase
A content forwarder or publisher must perform this phase periodically to tell his superpeer what files are shared by the peer. For example, a user $U_C$ puts an original clear file $file_{abc}$ named $abc$, which he wants to share, in the sharing folder. The DRM module creates a unique content encryption key $K_{abc} = h_{DRM}(abc\,||\,K_{DRM_C})$ by hashing the concatenation of the file name $abc$ and the secret key $K_{DRM_C}$. Then $K_{abc}$ is encrypted with the secret key $K_{play}$ to form the license key $E_{K_{play}}[K_{abc}]$. Using $K_{abc}$, the DRM module encrypts $file_{abc}$ and gets the protected version $F_{abc} = E_{K_{abc}}[file_{abc}]$. $F_{abc}$ is then ready to be offered on the Internet.
Besides preparing the encrypted files and license keys, the user needs to compute indexes for the shared files and content encryption keys. The DRM module uses the index generation hash function $h_I()$ to hash every file and constructs the content index table shown in Table 2. Another table, the license key table, records the corresponding license keys and is shown in Table 3. After these two tables are encrypted with the session key $K_{U_C,SP_1}$, the DRM module sends them to superpeer $SP_1$'s database. The superpeer manages all shared-file indexes in its domain, so it can provide a real-time search service for every user.
Table 2. Content index table
User | IP address | Content name | Content index | Content publisher
$U_C$ | $IP_C$ | abc | $H(F_{abc})$ | Yes
Table 3. License key table
User | IP address | Content name | Content index | License key
$U_C$ | $IP_C$ | abc | $H(F_{abc})$ | $E_{K_{play}}[K_{abc}]$
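The initial connection phase above, worked as an added Go example (not code from the paper): it derives $K_{abc}$ from the file name and $K_{DRM_C}$, wraps it under $K_{play}$ as the license key, encrypts the file, and hashes the protected file to produce the content index that Tables 2 and 3 carry. SHA-256 stands in for the paper's unspecified hash functions and AES-256-GCM for its unspecified symmetric encryption $E_K$; the function and type names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SharedEntry is one file's row in the content index table (Table 2) together
// with its license-key table entry (Table 3), as the DRM module would upload
// them to the superpeer.
type SharedEntry struct {
	User, Content string
	ContentIndex  string // hex of H(F_abc)
	Protected     []byte // F_abc = E_Kabc[file_abc]
	LicenseKey    []byte // E_Kplay[K_abc]
	Publisher     bool
}

// deriveContentKey is K_abc = h_DRM(abc || K_DRMC). SHA-256 stands in for the
// paper's unspecified hash (assumption); the 32-byte output is used directly
// as an AES-256 key.
func deriveContentKey(name string, kDRM []byte) []byte {
	d := sha256.New()
	d.Write([]byte(name))
	d.Write(kDRM)
	return d.Sum(nil)
}

// seal implements E_K[m] with AES-256-GCM (assumption: the paper names no
// cipher). The random nonce is prepended so unseal can recover it.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal is the inverse of seal; a wrong key fails the GCM tag check.
func unseal(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob shorter than nonce")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// publishFile runs the initial connection phase for one clear file: derive
// K_abc, wrap it under K_play as the license key, encrypt the file, and hash
// the protected version to obtain the content index H(F_abc).
func publishFile(user, name string, clear, kDRM, kPlay []byte) (SharedEntry, error) {
	kContent := deriveContentKey(name, kDRM)
	protected, err := seal(kContent, clear)
	if err != nil {
		return SharedEntry{}, err
	}
	license, err := seal(kPlay, kContent)
	if err != nil {
		return SharedEntry{}, err
	}
	idx := sha256.Sum256(protected)
	return SharedEntry{User: user, Content: name, ContentIndex: hex.EncodeToString(idx[:]),
		Protected: protected, LicenseKey: license, Publisher: true}, nil
}

// playFile is the consumer-side inverse (content playing phase, step 3):
// only a module holding K_play can unwrap the license key and then the file.
func playFile(e SharedEntry, kPlay []byte) ([]byte, error) {
	kContent, err := unseal(kPlay, e.LicenseKey)
	if err != nil {
		return nil, fmt.Errorf("license key: %w", err)
	}
	return unseal(kContent, e.Protected)
}

func main() {
	// Constructed sample keys; in TDRM both are issued by TS inside the module.
	kDRM := sha256.Sum256([]byte("K_DRMC of U_C (sample)"))
	kPlay := sha256.Sum256([]byte("K_play shared by all modules (sample)"))
	entry, err := publishFile("U_C", "abc", []byte("clear content of file abc"), kDRM[:], kPlay[:])
	if err != nil {
		panic(err)
	}
	fmt.Printf("content index H(F_abc) = %s...\n", entry.ContentIndex[:16])
	clear, err := playFile(entry, kPlay[:])
	fmt.Printf("recovered: %q (err=%v)\n", clear, err)
}
```

The point worth noticing is the key hierarchy: a module that lacks $K_{play}$ cannot unwrap the license key, and a module with a different $K_{DRM_C}$ derives a different $K_{abc}$ for the same file name, which is what lets TS tie each protected copy back to its publisher.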
3.4 Content Searching Phase
A user can send a search message to the superpeer through the TDRM client installed on his computer. For example, user $U_C$ wants to search for a file $file_{xyz}$. $U_C$'s DRM module sends the search request to its manager superpeer $SP_1$. If $SP_1$ finds an available source in its database, $SP_1$ replies with the source list to $U_C$ directly; otherwise it forwards the search request to other superpeers. This search mode is based on the hybrid P2P structure [34-37], which has been shown to have better search efficiency. Table 4 shows the search result. When the TDRM client receives this table, $U_C$ can choose any one user as his content forwarder, but $U_C$ can only get the license from the original content publisher $U_P$.
Table 4. Search result table
User | IP address | Manager $SP_i$ | Content name | Content index | Content publisher
$U_D$ | $IP_D$ | $SP_1$ | xyz | $H(F_{xyz})$ | No
$U_E$ | $IP_E$ | $SP_1$ | xyz | $H(F_{xyz})$ | No
$U_P$ | $IP_P$ | $SP_1$ | xyz | $H(F_{xyz})$ | Yes
3.5 Download Contents Phase
We assume that $U_C$ chooses $U_D$ from Table 4 as the content forwarder, and divide the download contents phase into three parts, as shown in Fig. 4:
Part 1 ($U_C$ side): 1) The DRM module takes over the preparation of authentication data and creates two kinds of data. The first is the content order information $COI$, including content name, content request type, index, size, and related information. The other is the payment information $PI_D^{T_1}$, which is for $U_D$ at time $T_1$. $PI_D^{T_1}$ consists of the content forwarder's identity $U_D$ and the request number $RN_{C_1}$. The request number is known only to the content requester and TS. After the content requester gets the protected content and license, he must present the request number to TS correctly to get the remaining data for decryption. 2) The DRM module computes the message digest $H(H(COI)\,||\,H(PI_D^{T_1})\,||\,T_1)$, and creates a dual signature $DS = Sign_{U_C}[H(H(COI)\,||\,H(PI_D^{T_1})\,||\,T_1)]$ by signing the message digest with $U_C$'s private key. The dual signature lets different receivers obtain different information: for example, $U_D$ only needs to know the content order information $COI$, and only TS knows the details of the payment information $PI_D^{T_1}$. 3) The DRM module computes a message $M_D^{T_1} = E_{K_{U_C,TS}}[PI_D^{T_1}\,||\,H(COI)\,||\,DS\,||\,T_1]$. Finally, the DRM module sends the content requester's identity $U_C$, the content forwarder's identity $U_D$, the content order information $COI$, the dual signature $DS$, the hash value of the payment information $H(PI_D^{T_1})$, the timestamp, and the message $M_D^{T_1}$ to the content forwarder $U_D$.
Part 2 ($U_D$ side): 1) Upon receiving the request from $U_C$, $U_D$ verifies whether the timestamp $T_1$ is within the valid period. 2) If the result is positive, $U_D$ uses the received data to compute the hash value $H(H(COI)\,||\,H(PI_D^{T_1})\,||\,T_1)'$. Then $U_D$ decrypts $DS$ and gets the hash value $H(H(COI)\,||\,H(PI_D^{T_1})\,||\,T_1)$. 3) $U_D$ compares $H(H(COI)\,||\,H(PI_D^{T_1})\,||\,T_1)' \stackrel{?}{=} H(H(COI)\,||\,H(PI_D^{T_1})\,||\,T_1)$. If both hash values are the same, $U_D$ can confirm that the content order information is correct, and prepares the related parameters before replying with $U_C$'s requested file. 4) $U_D$ generates a random number $R_{D_1}$ and a secret key $K_{D_2}$. Then $U_D$ computes an encrypted message $RD = E_{K_{U_D,TS}}[R_{D_1} \oplus K_{D_2}]$ with the session key $K_{U_D,TS}$ between $U_D$ and TS. 5) $U_D$ computes a message digest $H(K_{D_2})$ and a message authentication code $MAC_{U_D,TS}^{T_1} = H(K_{U_D,TS}\,||\,RD\,||\,H(K_{D_2})\,||\,T_1)$. 6) $U_D$ sends the identity of the content requester $U_C$, the timestamp, the message $M_D^{T_1}$, the encrypted message $RD$, the message digest $H(K_{D_2})$, and the message authentication code $MAC_{U_D,TS}^{T_1}$ to TS. 7) Finally, $U_D$ encrypts $U_C$'s requested file $F_{xyz}$ with the secret key $K_{D_2}$. Moreover, $U_D$ encrypts $R_{D_1}$ together with the encrypted file $E_{K_{D_2}}[F_{xyz}]$ using the session key of $U_C$ and $U_D$. 8) $U_D$ sends $E_{K_{U_C,U_D}}[R_{D_1}, E_{K_{D_2}}[F_{xyz}]]$ back to $U_C$, and waits for the profit distribution by TS in the future. $U_C$ will get the random number $R_{D_1}$ and the encrypted file $E_{K_{D_2}}[F_{xyz}]$ from $U_D$.
[Fig. 4 residue; the figure shows the message flow: $U_C$ computes the digest $H(H(COI)\,||\,H(PI_D^{T_1})\,||\,T_1)$, the dual signature $DS$ and $M_D^{T_1} = E_{K_{U_C,TS}}[PI_D^{T_1}\,||\,H(COI)\,||\,DS\,||\,T_1]$, and sends $U_C, U_D, COI, DS, H(PI_D^{T_1}), T_1, M_D^{T_1}$ to $U_D$. $U_D$ verifies the digest, generates $R_{D_1}$ and $K_{D_2}$, computes $RD = E_{K_{U_D,TS}}[R_{D_1} \oplus K_{D_2}]$, $H(K_{D_2})$ and $MAC_{U_D,TS}^{T_1} = H(K_{U_D,TS}\,||\,RD\,||\,H(K_{D_2})\,||\,T_1)$, sends $U_D, TS, U_C, T_1, M_D^{T_1}, RD, H(K_{D_2}), MAC_{U_D,TS}^{T_1}$ to TS (which verifies the digest and the MAC), encrypts $E_{K_{D_2}}[F_{xyz}]$, and returns $E_{K_{U_C,U_D}}[R_{D_1}, E_{K_{D_2}}[F_{xyz}]]$ to $U_C$.]
Fig. 4. Download contents phase
Part 3 (TS side): 1) Upon receiving the request from $U_D$, TS verifies whether the timestamp $T_1$ is within the valid period. 2) TS decrypts $M_D^{T_1}$ with the session key $K_{U_C,TS}$, computes the hash value $H(H(COI)\,||\,H(PI_D^{T_1})\,||\,T_1)'$, and verifies $H(H(COI)\,||\,H(PI_D^{T_1})\,||\,T_1)' \stackrel{?}{=} H(H(COI)\,||\,H(PI_D^{T_1})\,||\,T_1)$. If both hash values are the same, TS can confirm that the payment information from $U_C$ is valid. 3) TS uses the received data $RD$, $H(K_{D_2})$, $T_1$ and the session key $K_{U_D,TS}$ to compute $MAC_{U_D,TS}^{T_1}{}'$. If $MAC_{U_D,TS}^{T_1}{}'$ is equal to $MAC_{U_D,TS}^{T_1}$, TS can confirm that $U_D$ is the valid content forwarder for $U_C$.
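The dual signature and timestamp checks of Parts 1 to 3, as an added Go example that is not the paper's code. Ed25519 stands in for the identity-based signature, SHA-256 for $H$, and a fixed acceptance window for the paper's unspecified "valid period"; the sample $COI$ and $PI$ strings are constructed, and the encryption of $M_D^{T_1}$ to TS is left out. It shows the property the text relies on: $U_D$ verifies $DS$ from $COI$ and $H(PI)$ without ever seeing $PI$, and TS verifies the same $DS$ from $PI$ and $H(COI)$.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Constructed sample inputs. COI is the content order information the
// forwarder may read; PI is the payment information meant only for TS.
const (
	sampleCOI = "content=xyz;type=download;index=H(Fxyz);size=1048576"
	samplePI  = "forwarder=U_D;request_number=RN_C1"
)

// FileRequest is the message U_C sends to U_D: COI in clear, only H(PI),
// the timestamp, and the dual signature DS over H(H(COI) || H(PI) || T1).
type FileRequest struct {
	Requester, Forwarder string
	COI                  []byte
	HPI                  []byte
	T1                   int64
	DS                   []byte
}

func h(parts ...[]byte) []byte {
	d := sha256.New()
	for _, p := range parts {
		d.Write(p)
	}
	return d.Sum(nil)
}

func tsBytes(t int64) []byte {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], uint64(t))
	return b[:]
}

// dualDigest is H(H(COI) || H(PI) || T1). Each order enters only as a hash,
// so a verifier holding one order in clear and only the hash of the other can
// still recompute the signed value.
func dualDigest(hCOI, hPI []byte, t1 int64) []byte {
	return h(hCOI, hPI, tsBytes(t1))
}

// newKeyPair stands in for U_C's identity-based key pair (assumption: Ed25519
// replaces the IBS scheme, so a public key replaces the identity here).
func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pk, sk
}

// makeRequest is Part 1 on the requester side: hash both orders, sign the
// dual digest, and disclose only H(PI) to the forwarder.
func makeRequest(sk ed25519.PrivateKey, coi, pi []byte, t1 int64) FileRequest {
	hCOI, hPI := h(coi), h(pi)
	return FileRequest{Requester: "U_C", Forwarder: "U_D", COI: coi, HPI: hPI, T1: t1,
		DS: ed25519.Sign(sk, dualDigest(hCOI, hPI, t1))}
}

// checkFresh is the timestamp test every TDRM component applies on receipt;
// window is the accepted age in seconds (the paper fixes no value).
func checkFresh(t1, now, window int64) error {
	if t1 > now || now-t1 > window {
		return errors.New("timestamp outside validity period")
	}
	return nil
}

// verifyAtForwarder is Part 2, steps 1-3: U_D recomputes the digest from COI
// and the received H(PI) and checks DS against it, never seeing PI itself.
func verifyAtForwarder(pk ed25519.PublicKey, r FileRequest, now, window int64) error {
	if err := checkFresh(r.T1, now, window); err != nil {
		return err
	}
	if !ed25519.Verify(pk, dualDigest(h(r.COI), r.HPI, r.T1), r.DS) {
		return errors.New("dual signature does not match COI")
	}
	return nil
}

// verifyAtTS is the mirror image in Part 3, step 2: TS holds PI (from the
// decrypted M_D^T1) and only H(COI), and checks the same signature.
func verifyAtTS(pk ed25519.PublicKey, hCOI, pi []byte, t1 int64, ds []byte, now, window int64) error {
	if err := checkFresh(t1, now, window); err != nil {
		return err
	}
	if !ed25519.Verify(pk, dualDigest(hCOI, h(pi), t1), ds) {
		return errors.New("dual signature does not match payment information")
	}
	return nil
}

func main() {
	pk, sk := newKeyPair()
	now := time.Now().Unix()
	req := makeRequest(sk, []byte(sampleCOI), []byte(samplePI), now)
	fmt.Println("U_D check:", verifyAtForwarder(pk, req, now+2, 60))
	fmt.Println("TS check: ", verifyAtTS(pk, h(req.COI), []byte(samplePI), req.T1, req.DS, now+3, 60))
}
```

Because $T_1$ is inside the signed digest, a replayed request past the window fails at the freshness check and a request with an altered timestamp fails signature verification; that is the mechanism section 4.2 refers to when it says every component verifies the timestamp.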
3.6 License Request Phase
As in Fig. 5, the original clear content $file_{xyz}$ was encrypted with the content key $K_{xyz}$, so $U_C$ must perform this phase to get the license key $E_{K_{play}}[K_{xyz}]$ and rely on the DRM module to decrypt it with the secret key $K_{play}$. According to the search result, $U_C$ sends a license request message to the content publisher $U_P$.
In this phase, when $U_P$ receives the license request message and completes the same validation process that $U_D$ performs in the content transmission phase, $U_P$ generates two random numbers $R_{P_1}$ and $R_{P_2}$ to create a series of authentication data to send to TS, as shown in Fig. 5. Then $U_P$ computes the reply message $E_{K_{U_P,U_C}}[R_{P_1}, (E_{K_{play}}[K_{xyz}] \oplus R_{P_2}), rules]$ and returns it with the identities of $U_P$ and $U_C$. Using the session key between $U_P$ and $U_C$, $U_C$ obtains the random number $R_{P_1}$, the masked license key $(E_{K_{play}}[K_{xyz}] \oplus R_{P_2})$, and the content usage rules from $U_P$.
[Fig. 5 residue; the figure shows the message flow: $U_C$ computes the digest $H(H(LOI)\,||\,H(PI_P^{T_2})\,||\,T_2)$, the dual signature $DS$ and $M_P^{T_2} = E_{K_{U_C,TS}}[PI_P^{T_2}\,||\,H(LOI)\,||\,DS\,||\,T_2]$, and sends $U_C, U_P, LOI, DS, H(PI_P^{T_2}), T_2, M_P^{T_2}$ to $U_P$. $U_P$ verifies the digest, generates $R_{P_1}$ and $R_{P_2}$, computes $RP = E_{K_{U_P,TS}}[R_{P_1} \oplus R_{P_2}]$, $H(R_{P_2})$ and $MAC_{U_P,TS}^{T_2} = H(K_{U_P,TS}\,||\,RP\,||\,H(R_{P_2})\,||\,T_2)$, sends $U_P, TS, U_C, T_2, M_P^{T_2}, RP, H(R_{P_2}), MAC_{U_P,TS}^{T_2}$ to TS (which verifies the digest and the MAC), and returns $E_{K_{U_P,U_C}}[R_{P_1}, E_{K_{play}}[K_{xyz}] \oplus R_{P_2}, rules]$ to $U_C$.]
Fig. 5. License request phase
3.7 Payment Authentication Phase
In the TDRM P2P system, all peers may log in and out dynamically except the superpeers and the trust server. Therefore, we let the central TS handle payment calculation, distribution, and recording, which raises the confidence of all content users in the TDRM system.
After $U_C$ receives the encrypted content $E_{K_{D_2}}[F_{xyz}]$ and the masked license key $(E_{K_{play}}[K_{xyz}] \oplus R_{P_2})$, $U_C$ needs to submit authentication data and payment to TS to buy the parameters necessary for decrypting the license key, as shown in Fig. 6.
Part 1 ($U_C$ side): 1) The content requester $U_C$ computes a payment message digest $Pay_C^{T_3} = H(H(COI)\,||\,H(LOI)\,||\,RN_{C_1}\,||\,T_3)$, the hash of the concatenation of the content order information digest $H(COI)$, the license order information digest $H(LOI)$, the request number $RN_{C_1}$, and the timestamp $T_3$. 2) $U_C$ uses his identity-based private key to sign the payment message digest $Pay_C^{T_3}$ and gets the signature $Sign_{U_C}[Pay_C^{T_3}]$. 3) $U_C$ uses the session key $K_{U_C,TS}$ to encrypt the payment authentication message $PA = E_{K_{U_C,TS}}[RN_{C_1}, T_3, (U_D, R_{D_1}), (U_P, R_{P_1})]$. 4) Finally, $U_C$ sends the identities of $U_C$ and TS, the signature $Sign_{U_C}[Pay_C^{T_3}]$, and the payment authentication message $PA$ to TS.
Part 2 (TS side): 1) When TS receives the authentication message from $U_C$, TS decrypts $Sign_{U_C}[Pay_C^{T_3}]$ and $PA$, and verifies whether the timestamp $T_3$ inside $PA$ is within the legal period. If the timestamp is valid, TS gathers all the data related to transaction $RN_{C_1}$ from $U_C$, $U_D$, and $U_P$. 2) TS uses the gathered data to compute $Pay_C^{T_3}{}'$ and compares $Pay_C^{T_3}{}'$ with $Pay_C^{T_3}$. If the two message digests are the same, TS can confirm the transaction of the content requester $U_C$. 3) TS XORs the value $(R_{D_1} \oplus K_{D_2})$ sent by $U_D$ with the value $R_{D_1}$ sent by $U_C$ to get $K_{D_2}$. In the same way, TS computes $(R_{P_1} \oplus R_{P_2}) \oplus R_{P_1} = R_{P_2}$. 4) To check the correctness of $K_{D_2}$ and $R_{P_2}$, TS hashes $K_{D_2}$ and $R_{P_2}$ respectively and verifies $H(K_{D_2})' \stackrel{?}{=} H(K_{D_2})$ and $H(R_{P_2})' \stackrel{?}{=} H(R_{P_2})$. 5) TS encrypts $K_{D_2}$ and $R_{P_2}$ by computing $K_{U_C,TS} = E_{K_{DRM_C}}[K_{D_2}, R_{P_2}]$ and sends the result back to $U_C$. 6) Finally, the transaction is complete, and TS distributes $U_C$'s payment to $U_D$ and $U_P$.
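The XOR-masked delivery of $K_{D_2}$ and $R_{P_2}$ (section 3.5 steps 4 to 6 on $U_D$'s side, steps 3 and 4 of Part 2 above on TS, and the unmasking in section 3.8), as an added Go example that is not part of the paper. It builds $U_D$'s report to TS, checks the MAC under the $U_D$-TS session key, and recovers the secret from the mask that $U_C$ reveals in $PA$, rejecting a wrong mask through the committed hash. HMAC-SHA256 replaces the paper's plain hash of key concatenated with data, the outer encryption of $RD$ to TS is omitted, and all sample values are constructed.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// ForwarderReport is what U_D sends to TS in step 6 of the download phase
// (M_D^T1 omitted here): the masked secret key, its hash, the timestamp, and
// the MAC that binds them under the U_D-TS session key.
type ForwarderReport struct {
	RD   []byte // R_D1 XOR K_D2; the paper additionally encrypts it to TS
	HKD2 []byte // H(K_D2), U_D's commitment to the secret
	T1   int64
	MAC  []byte
}

func xorBytes(a, b []byte) []byte {
	if len(a) != len(b) {
		panic("xorBytes: length mismatch")
	}
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func sha(parts ...[]byte) []byte {
	d := sha256.New()
	for _, p := range parts {
		d.Write(p)
	}
	return d.Sum(nil)
}

func tsBytes(t int64) []byte {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], uint64(t))
	return b[:]
}

// mac computes MAC_{U_D,TS}^{T1} over RD || H(K_D2) || T1. HMAC is used
// instead of the paper's plain hash of key||data (assumption); it fills the
// same role without the length-extension weakness of a bare hash.
func mac(sessionKey []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, sessionKey)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// buildReport is U_D's side, steps 4-6: mask K_D2 with the fresh R_D1,
// commit to K_D2 by its hash, and authenticate the report to TS.
func buildReport(kUDTS, rD1, kD2 []byte, t1 int64) ForwarderReport {
	rd := xorBytes(rD1, kD2)
	hk := sha(kD2)
	return ForwarderReport{RD: rd, HKD2: hk, T1: t1, MAC: mac(kUDTS, rd, hk, tsBytes(t1))}
}

// verifyReport is TS's step 3 of Part 3 in section 3.5: recompute the MAC
// with the session key and compare it in constant time.
func verifyReport(kUDTS []byte, r ForwarderReport) bool {
	return hmac.Equal(mac(kUDTS, r.RD, r.HKD2, tsBytes(r.T1)), r.MAC)
}

// recoverSecret is steps 3-4 of the payment authentication phase on TS: strip
// the mask R_D1 that U_C reveals in PA from the value U_D reported and check
// the result against the hash U_D committed to. The same call recovers R_P2
// from (R_P1 XOR R_P2) and H(R_P2); the XOR alone is what U_C's module does
// in the content playing phase to unmask the license key.
func recoverSecret(masked, mask, committedHash []byte) ([]byte, error) {
	secret := xorBytes(masked, mask)
	if !bytes.Equal(sha(secret), committedHash) {
		return nil, errors.New("recovered value does not match committed hash")
	}
	return secret, nil
}

func main() {
	// Constructed sample values; in TDRM, K_{U_D,TS} comes from the pairing
	// and R_D1 / K_D2 are generated by U_D.
	kUDTS := sha([]byte("session key U_D-TS (sample)"))
	rD1 := sha([]byte("R_D1 (sample)"))
	kD2 := sha([]byte("K_D2 (sample)"))
	rep := buildReport(kUDTS, rD1, kD2, 1700000000)
	fmt.Println("MAC ok:", verifyReport(kUDTS, rep))
	got, err := recoverSecret(rep.RD, rD1, rep.HKD2)
	fmt.Println("K_D2 recovered:", bytes.Equal(got, kD2), err)
}
```

The split matters for the payment flow: TS only learns $K_{D_2}$ once both $U_D$ (through $RD$) and the paying $U_C$ (through $R_{D_1}$ in $PA$) have contributed, and the committed hash lets TS detect a requester who submits the wrong $R_{D_1}$ before any payment is distributed.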
[Fig. 6 residue; the figure shows the message flow: $U_C$ computes $Pay_C^{T_3} = H(H(COI)\,||\,H(LOI)\,||\,RN_{C_1}\,||\,T_3)$, $Sign_{U_C}[Pay_C^{T_3}]$ and $PA = E_{K_{U_C,TS}}[RN_{C_1}, T_3, (U_D, R_{D_1}), (U_P, R_{P_1})]$, and sends $U_C, TS, Sign_{U_C}[Pay_C^{T_3}], PA$ to TS. TS verifies $Pay_C^{T_3}$, computes $(R_{D_1} \oplus K_{D_2}) \oplus R_{D_1} = K_{D_2}$ and $(R_{P_1} \oplus R_{P_2}) \oplus R_{P_1} = R_{P_2}$, verifies $H(K_{D_2})$ and $H(R_{P_2})$, computes $K_{U_C,TS} = E_{K_{DRM_C}}[K_{D_2}, R_{P_2}]$, returns it to $U_C$, and distributes $U_C$'s payment to $U_D$ and $U_P$.]
Fig. 6. Payment authentication phase
3.8 Content Playing Phase
As shown in Fig. 7, $U_C$ first uses the session keys with $U_D$, $U_P$, and TS to decrypt the secret messages, and obtains the protected content $E_{K_{D_2}}[F_{xyz}]$, the masked license key $(E_{K_{play}}[K_{xyz}] \oplus R_{P_2})$, and the secret value $E_{K_{DRM_C}}[K_{D_2}, R_{P_2}]$. Then, every time $U_C$ wants to play $file_{xyz}$, he performs the following steps: 1) $U_C$ inputs the above data into the DRM module. The DRM module first decrypts $E_{K_{DRM_C}}[K_{D_2}, R_{P_2}]$, and uses $K_{D_2}$ to decrypt $E_{K_{D_2}}[F_{xyz}]$. 2) The DRM module computes the XOR $(E_{K_{play}}[K_{xyz}] \oplus R_{P_2}) \oplus R_{P_2} = E_{K_{play}}[K_{xyz}]$, recovering the license key. 3) The DRM module decrypts the license key and gets the content key $K_{xyz}$. Using $K_{xyz}$, the DRM module can decrypt and play the original clear content $file_{xyz}$.
[Fig. 7 residue; the DRM module receives $E_{K_{DRM_C}}[K_{D_2}, R_{P_2}]$, $E_{K_{D_2}}[F_{xyz}]$ and $(E_{K_{play}}[K_{xyz}] \oplus R_{P_2})$; it decrypts $E_{K_{DRM_C}}[K_{D_2}, R_{P_2}]$, decrypts $E_{K_{D_2}}[F_{xyz}]$, computes $(E_{K_{play}}[K_{xyz}] \oplus R_{P_2}) \oplus R_{P_2} = E_{K_{play}}[K_{xyz}]$, decrypts $E_{K_{play}}[K_{xyz}]$, then decrypts $F_{xyz}$ and plays $file_{xyz}$.]
Fig. 7. Content playing phase
4 Security Analysis
The security of our scheme is based on the identity-based cryptosystem and DRM technology. By using identity-based key pairs, DRM keys, and hash chains for data authentication, our proposed TDRM system can provide a reliable platform for both digital content sellers and buyers.
4.1 Secure Transmission
Based on the identity-based (ID-based) cryptosystem, we can make sure that the session key can only be generated by the two communicating nodes. The session key is applied to protect the following secret data:
- The payment information $PI_D^{T_1}$ and $PI_P^{T_2}$ should be known only to TS, so it is encrypted with the ID-based session key between $U_C$ and TS.
- To restrict access to paying users only, although the content and license are already protected by keys in the DRM module, we encrypt them again with the ID-based session key.
- The message authentication code (MAC) is composed of the concatenation of the ID-based session key and other authentication data. Thus attackers are unable to forge the MAC.
4.2 Replay Attack
A replay attack may cause authentication faults, network bandwidth congestion, or profit/charge errors. So we adopt a timestamp in every transmission step. In the TDRM system, every component should verify the timestamp upon receiving each message.
4.3 The Property of Non-repudiation
Any electronic commerce system should possess the property of non-repudiation; it is a basic requirement for its customers. In our proposed TDRM system, for example, content requester $U_C$ cannot deny the request he sent to $U_D$, because the dual signature $DS = sign_{U_C}[H(H(COI) \,||\, H(PI_D^{T1}) \,||\, T1)]$ was signed with $U_C$'s ID-based private key. Besides, $U_C$ sent the value $M_D^{T1}$ to $U_D$, and $U_D$ then forwarded it to TS. Because $M_D^{T1} = E_{K_{U_C,TS}}[PI_D^{T1} \,||\, H(COI) \,||\, DS \,||\, T1]$ is generated by encrypting data with the session key shared by $U_C$ and TS, $M_D^{T1}$ also serves as evidence for $U_D$.
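The dual-signature structure of Section 4.3 together with the timestamp check of Section 4.2, as an added example that is not code from the paper: $U_D$ verifies DS while holding COI but only H(PI), and TS verifies it while holding PI but only H(COI). The paper signs with $U_C$'s ID-based private key; the HMAC-SHA256 stand-in, the constructed key and the 60-second freshness window are assumptions of this example.

```python
import hashlib
import hmac

# Added example, not the paper's code. The paper's DS is an ID-based
# signature (pairing-based); sign()/verify() below are an HMAC stand-in,
# so only the hash-of-hashes structure and the checks are demonstrated.
SEP = b"||"
FRESHNESS_SECONDS = 60           # assumed acceptance window for T1


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, msg), sig)


def dual_digest(h_coi: bytes, h_pi: bytes, t1: int) -> bytes:
    # H(H(COI) || H(PI_D^T1) || T1), the value U_C signs
    return H(h_coi + SEP + h_pi + SEP + str(t1).encode())


def make_dual_signature(uc_key: bytes, coi: bytes, pi: bytes, t1: int):
    """U_C side: returns (DS, H(COI), H(PI)). U_D receives H(PI), never PI."""
    h_coi, h_pi = H(coi), H(pi)
    return sign(uc_key, dual_digest(h_coi, h_pi, t1)), h_coi, h_pi


def fresh(t1: int, now: int) -> bool:
    # Section 4.2: every component checks the timestamp before anything else
    return abs(now - t1) <= FRESHNESS_SECONDS


def verify_as_u_d(uc_key: bytes, coi: bytes, h_pi: bytes, t1: int, ds: bytes, now: int) -> bool:
    """U_D knows COI (it holds the content) and only the hash of PI."""
    return fresh(t1, now) and verify(uc_key, dual_digest(H(coi), h_pi, t1), ds)


def verify_as_ts(uc_key: bytes, h_coi: bytes, pi: bytes, t1: int, ds: bytes, now: int) -> bool:
    """TS learns PI from M_D^T1 and only the hash of COI."""
    return fresh(t1, now) and verify(uc_key, dual_digest(h_coi, H(pi), t1), ds)
```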
4.4 Impersonation Attack
If an adversary attempts to impersonate the content requester to request files and licenses, or tries to impersonate the content forwarder or publisher to send a fake reply, he will fail mutual authentication because he lacks the correct ID-based private key and session key.
4.5 Modification Attack
For integrity, the TDRM system appends a message authentication code (MAC) in each phase. Receivers can check message correctness to detect any modified data.
4.6 Distribution Attack
Our scheme also provides access control by employing the DRM module. A user buys the protected content and a content license that can only be played on his devices. The content license is encrypted with the device key and the content play key. Only the DRM module can generate these keys, and they are stored only inside the DRM module. Therefore, the user cannot extract these keys from the DRM module and share them with other users. Even if he shares the protected content with other users, their DRM modules cannot compute the right key to decrypt and play it.
5 Performance Analysis
In this section, we compare the performance of TDRM with the literature. When a user wants to join our scheme, he must register with TS to get his identity-based private key and use this key to generate session keys. The security of the identity-based system is based on the difficulty of the elliptic curve discrete logarithm problem (ECDLP). Compared with a public key infrastructure (PKI), the identity-based system offers better performance because it achieves the same security level with a smaller key size. For example, a 160-bit key in the identity-based cryptosystem and a 1024-bit RSA key have the same security level in practice. Using the identity-based cryptosystem with bilinear pairing, a user can compute the session key from his identity-based private key and the public key of the communication peer. The identity-based cryptosystem makes key management easier and minimizes the cost of a conventional public key infrastructure. In Gu et al.'s paper [13], they use a public key infrastructure, modular operations, and modular exponentiation to protect content licenses and authenticate messages. Xinwen et al.'s protocol [14] uses the same technologies as [13]. However, their scheme does not protect and authenticate messages in the message request phase, so an attacker can mount a modification attack to destroy message integrity. Therefore, our scheme is more efficient and secure.
In our scheme, the user keys in his order information directly to search for content and licenses, and then chooses what he wants directly from the search results. In Xinwen et al.'s protocol [14], however, the scheme is embedded in the BitTorrent architecture: the user must first obtain the track file to contact the track server and find content information. If the user cannot find the track file or the track server has crashed, the scheme cannot operate. Therefore, the proposed TDRM system is more convenient than the other schemes in the search phase.
We use the session key and a hash function to authenticate messages, which lets us avoid replay, modification, and forgery attacks. In Gu et al.'s paper [13], multiplication and exponentiation operations are used to authenticate messages. However, if the value k of the Shamir [k, n]-threshold secret sharing is too large, the content is divided into more pieces and the computational cost increases immensely. Therefore, TDRM is more efficient in the message authentication phase than the other schemes.
TDRM employs a TS and many superpeers as the system backbone. The user is managed by a superpeer and does not contact TS directly in the content search and content transmission phases; the user only needs to contact TS in the payment authentication phase. When TS helps the content publisher compute the device key of the content requester, TS performs only one exclusive-OR operation and one hash operation to generate the device key, so the required computation cost is as low as possible. Our scheme uses a hybrid P2P architecture: as more and more users join TDRM, we can add superpeers flexibly to preserve scalability. In [14], if a user wants to transmit content to another content requester, he must request the encrypted key from the track server. The track server employs a public key infrastructure, modular operations, and modular exponentiation to generate the encrypted key, and it must compute one encrypted key every time a user requests a piece of content. Because the content is divided into pieces, this leads to heavy computation on the track server. In [13], a public key system, modular operations, and modular exponentiation are employed to compute content licenses, which leads to heavy computation for the content publisher, the license authorities, and the customer. Besides, they employ Shamir's [k, n]-threshold secret sharing scheme in their architecture: once the value k increases, the content is divided into more pieces and the computational cost of the track server becomes heavy. Compared with these two schemes, both of which have a bottleneck problem, TDRM is more scalable and performs better. Table 5 compares our scheme with [13] and [14]; it shows that our scheme is more secure, more efficient, more scalable, and has lower computational cost.
Table 5. Performance comparison table

                        Our scheme                    Xinwen et al. [14]        Gu et al. [13]
Architecture            Hybrid                        Client-server             Multi-client-server
Search                  Convenient                    Not convenient            None
Scalability             High                          Low                       Low
Cryptosystem            ID-based + symmetric key      Asymmetric key +          Asymmetric key +
                        + hash function               modular exponentiation    modular exponentiation
Authentication cost     1 T_MAC                       None                      k*(T_Exp + T_mul)
Key agreement           Yes                           No                        No
Search mechanism        Yes                           No                        No
Payment mechanism       Yes                           No                        No
License computing cost  1 T_XOR + 2 T_h + 2 T_sym     m*(T_asym + T_Exp)        k*(T_Exp + T_mul) + 1 T_asym

m: the content is divided into m pieces.
k: the value k of the Shamir [k, n]-threshold secret sharing scheme.
T_MAC: the time complexity of one message authentication operation.
T_XOR: the time complexity of one exclusive-OR operation.
T_Exp: the time complexity of one exponentiation operation.
T_h: the time complexity of one hashing operation.
T_sym: the time complexity of one symmetric encryption or decryption.
T_asym: the time complexity of one asymmetric encryption or decryption.
T_mul: the time complexity of one multiplication operation.
6 Conclusion
In this paper, we address the copyright violation problem on P2P networks. The TDRM system adopts an identity-based cryptosystem to implement a trusted DRM module. Through TDRM, users legally obtain what they want, or gain profit from what they want to sell. Moreover, we also carefully consider transaction security: data integrity, message confidentiality, and user authentication. TDRM has the properties needed to be developed into a practical P2P business model.
Acknowledgement
This work was partially supported by the National Science Council, Taiwan, R.O.C., under contract no.: NSC962628-E-005-009-MY3.
References
[1] Internet World Stats, http://www.internetworldstats.com.
[2] F. Vanier, “World Broadband Statistics: Q4 2008,” http://point-topic.com/contentDownload/operatorsource/dslreports/world%20broadband%20statistics%20q4%202008.pdf, 2009.
[3] K. Taima, “Can We Ever Charge Napster Users?,” IEEE Multimedia, Vol. 9, pp. 76-81, 2002.
[4] U. Lechner and B. F. Schmid, “Communities-Business Models and System Architectures: The Blueprint of MP3.com, Napster and Gnutella Revisited,” Proceedings of the 34th Hawaii International Conference on System Sciences, 2001.
[5] “Napster Faces Copyright Charges,” Computer Fraud & Security, Vol. 2001, No. 11, pp. 2-2, 2001.
[6] J. S. Beuscart, “Napster Users between Community and Clientele: The Formation and Regulation of a Sociotechnical Group,” Sociologie du travail, Vol. 47, pp. 1-16, 2005.
[7] R. Stern, “Napster: A Walking Copyright Infringement?,” IEEE Micro, Vol. 20, pp. 4-5, 2000.
[8] M. F. Radcliffe, “Grokster: The New Law of Third Party Liability for Copyright Infringement under United States Law,” Computer Law & Security Report, Vol. 22, pp. 137-149, 2006.
[9] S. Ortiz, “Proponents Try to Rehabilitate Peer-to-peer Technology,” Computer, Vol. 41, pp. 16-19, 2008.
[10] Y. Cheng, L. Jianbo, Z. Yichun, S. Aina, “The Implementation Architecture of Content Protection in P2P Network,” International Conference on Computational Intelligence and Security Workshops, pp. 455-458, 2007.
[11] J. Nutzel and R. Grimm, “Potato System and Signed Media Format - An Alternative Approach to Online Music Business,” Third International Conference on Web Delivering of Music, pp. 23-26, 2003.
[12] T. Kalker, D. H. J. Epema, P. H. Hartel, R. L. Lagendijk, M. V. Steen, “Music2Share - Copyright-Compliant Music Sharing in P2P Systems,” Proceedings of the IEEE, Vol. 92, pp. 961-970, 2004.
[13] G. Gu, B. Zhu, S. Li, S. Zhang, “PLI: A New Framework to Protect Digital Content for P2P Networks,” Applied Cryptography and Network Security, pp. 206-216, 2003.
[14] Z. Xinwen, L. Dongyu, C. Songqing, S. Ravi, “Towards Digital Rights Protection in BitTorrent-Like P2P Systems,” Proceedings of the 15th ACM/SPIE Multimedia Computing and Networking, 2008.
[15] I. Gupta, K. Birman, P. Linga, A. Demers, R. Renesse, “Kelips: Building an Efficient and Stable P2P DHT through Increased Memory and Background Overhead,” Peer-to-Peer Systems II, pp. 160-169, 2003.
[16] I. Stoica, R. Morris, D. Karger, M. F. Kaashoek, H. Balakrishnan, “Chord: A Scalable Peer-to-Peer Lookup Service for Internet Applications,” Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communication, pp. 149-160, 2001.
[17] S. Ratnasamy, P. Francis, M. Handley, R. Karp, S. Schenker, “A Scalable Content-Addressable Network,” Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, pp. 161-172, 2001.
[18] A. Rowstron and P. Druschel, “Pastry: Scalable, Decentralized Object Location, and Routing for Large-Scale Peer-to-Peer Systems,” Proceedings of the IFIP/ACM International Conference on Distributed Systems Platforms (Middleware 2001), Heidelberg, Germany, pp. 329-350, 2001.
[19] B. Zhao, J. Kubiatowicz, A. Joseph, “Tapestry: An Infrastructure for Fault-tolerant Wide-area Location and Routing,” University of California at Berkeley, 2001.
[20] M. Portmann, P. Sookavatana, S. Ardon, A. Seneviratne, “The Cost of Peer Discovery and Searching in the Gnutella Peer-to-Peer File Sharing Protocol,” Ninth IEEE International Conference on Networks, pp. 263-268, 2001.
[21] M. Ripeanu, “Peer-to-Peer Architecture Case Study: Gnutella Network,” First International Conference on Peer-to-Peer Computing, pp. 99-100, 2001.
[22] I. Clarke, O. Sandberg, B. Wiley, T. Hong, “Freenet: A Distributed Anonymous Information Storage and Retrieval System,” Designing Privacy Enhancing Technologies, Vol. 2009, pp. 46-66, 2001.
[23] P. L. Piccard, B. Baskin, C. Edwards, G. Spillman, M. H. Sachs, L. P. Paul, B. Brian, E. Craig, S. George, H. S. Marcus, “eDonkey and eMule,” Securing Im and P2P Applications for the Enterprise, Burlington: Syngress, pp. 267-283, 2005.
[24] W. Ku and C. H. Chi, “Survey on the Technological Aspects of Digital Rights Management,” Information Security, Vol. 3225, pp. 391-403, 2004.
[25] A. Shamir, “Identity-based Cryptosystems and Signature Schemes,” Advances in Cryptology, pp. 47-53, 1985.
[26] D. Boneh and M. Franklin, “Identity-based Encryption from the Weil Pairing,” Advances in Cryptology - CRYPTO 2001, pp. 213-229, 2001.
[27] K. G. Paterson, “ID-based Signatures from Pairings on Elliptic Curves,” Electronics Letters, Vol. 38, pp. 1025-1026, 2002.
[28] Q. Wang and Z. Cao, “Identity based Proxy Multi-Signature,” Journal of Systems and Software, Vol. 80, pp. 1023-1029, 2007.
[29] Y. Ming, X. Q. Shen, Y. M. Wang, “Identity-based Encryption with Wildcards in the Standard Model,” The Journal of China Universities of Posts and Telecommunications, Vol. 16, pp. 64-68, 2009.
[30] Y. Yu, B. Yang, Y. Sun, S. L. Zhu, “Identity based Signcryption Scheme without Random Oracles,” Computer Standards & Interfaces, Vol. 31, pp. 56-62, 2009.
[31] C. C. Yang, T. Y. Chang, M. S. Hwang, “A New Anonymous Conference Key Distribution System based on the Elliptic Curve Discrete Logarithm Problem,” Computer Standards & Interfaces, Vol. 25, pp. 141-145, 2003.
[32] C. Gorantla, R. Gangishetti, A. Saxena, “A Survey on ID-based Cryptographic Primitives,” 2005.
[33] L. Chen, “An Interpretation of Identity-based Cryptography,” Foundations of Security Analysis and Design IV, pp. 183-208, 2007.
[34] M. Schlosser, M. Sintek, S. Decker, W. Nejdl, “HyperCuP - Shaping Up Peer-to-peer Networks,” 2002.
[35] X. Shi, J. Han, Y. Liu, L. M. Ni, “Popularity Adaptive Search in Hybrid P2P Systems,” Journal of Parallel and Distributed Computing, Vol. 69, pp. 125-134, 2009.
[36] S. S. Cao, W. Yin, X. Y. Chen, “A Robust Cluster-based Dynamic-Super-Node Scheme for Hybrid Peer-to-peer Network,” The Journal of China Universities of Posts and Telecommunications, Vol. 14, pp. 21-26, 2007.
[37] S. G. M. Koo, K. Kannanb, C. S. G. Lee, “On Neighbor-selection Strategy in Hybrid Peer-to-peer Networks,” Future Generation Computer Systems, Vol. 22, pp. 732-741, 2006.