Trusted DRM on P2P Network

Chou-Chen Yang1,*, Jyun-Yi Jiang2, and Ju-Chun Hsiao2

1 Department of Management Information Systems, National Chung Hsing University, Taichung 402, Taiwan, R.O.C. cc.yang@nchu.edu.tw
2 Department of Management Information Systems, National Chung Hsing University, Taichung 402, Taiwan, R.O.C. {g9629004, g9729001}@nchu.edu.tw

Received 13 July 2009; Revised 19 August 2009; Accepted 8 September 2009

Abstract. Peer-to-peer file sharing has become a common tool for exchanging digital content on the Internet. However, because a large number of unauthorized files are distributed over peer-to-peer networks, users may download files without copyright clearance and thus violate intellectual property rights unconsciously. In this paper, we propose a trusted system named TDRM, which aims to ensure that every file is exchanged legally. TDRM is built on a hybrid P2P structure and adopts identity-based cryptography, digital rights management, secure authentication, and a payment mechanism. We also show that our scheme is more secure, efficient, and scalable, with low computational cost.

Keywords: Peer-to-peer network, digital rights management, trusted computing, identity-based cryptosystem

1 Introduction

With the rapid advance of network technologies, communicating with others to share files or search for information has become easier and easier, and this has become one of the major motives that attract people to use the Internet. According to [1], Internet World Stats indicates that the number of Internet users worldwide has already exceeded 1.5 billion. Another report [2] shows that the number of broadband subscribers had reached at least 410.9 million by 2008. The more users use the Internet, the more files of all kinds will be exchanged. But with the traditional client-server network architecture, a bottleneck often arises at popular web servers.
To address this, peer-to-peer (P2P) technology has become a new medium between users that offloads work from the central server. However, not all files exchanged on P2P networks are authorized by their rights owners. Users, and even P2P software companies, may be charged with piracy: the companies Napster [3-7] and Grokster [8] faced accusations in 2001 and 2005 respectively. To prevent copyright infringement, digital rights management (DRM) technology is a common way to encrypt digital content under a secret key (license). Copyright owners rely on the DRM module installed on customers' devices to control authorized usage. In the beginning, DRM technology was applied in a client-server environment, but as license purchase requests increased and were centralized in a few license servers, it also ran into bottleneck problems. Hence, some researchers [9-14] combined P2P networks with DRM technology. Unfortunately, they did not provide detailed illustrations of how to implement their protocols.

In this paper, we propose a novel Trust-DRM (TDRM) system that establishes a trusted DRM module so that users can exchange (sell or buy) files on a P2P network legally, while also protecting secret payment information from possible malicious attacks. The remainder of this paper is organized as follows: peer-to-peer networks, DRM technology, and identity-based cryptosystems are introduced briefly in Section 2. Our proposed TDRM system is described in Section 3. The security analysis of TDRM is given in Section 4. The performance analysis is presented in Section 5. The conclusion is given in Section 6.

* Corresponding author

Yang et al: Trusted DRM on P2P Network

2 Related Works

2.1 Peer-to-peer Network

In a peer-to-peer (P2P) network, each node acts not only as a client that requests data but also as a server that provides data.
In the simplest P2P network, nodes transmit resources among themselves without interference from any central server infrastructure. Depending on requirements, P2P systems fall into three categories.

Centralized P2P system: A centralized P2P system has a central server that manages every peer's real-time IP address and records the index values of all shared files. Every peer can search for a resource easily by sending a search request to that central server. The major disadvantage of a centralized P2P system, however, is poor scalability: as the number of peers grows, the central server may become a bottleneck and degrade the efficiency of the whole network. Napster [3-7] is an example of a centralized P2P system.

Decentralized P2P system: Decentralized P2P systems can be divided into structured and unstructured ones. Decentralized structured P2P systems are generally based on a distributed hash table (DHT) [15]. The nodes construct a specific network topology that tightly controls resource placement. Most research on distributed resource search is based on the DHT method. These methods achieve load balancing effectively because of the characteristics of the hash function. Examples of such systems include Chord [16], CAN [17], Pastry [18] and Tapestry [19]. In decentralized unstructured P2P networks, by contrast, there is no fixed structure, and each node may join and leave freely. Both Gnutella [20, 21] and Freenet [22] are decentralized unstructured P2P networks.

Hybrid P2P system: Some researchers combine the advantages of centralized and decentralized P2P systems into a new kind of system, the hybrid P2P system. Some nodes act as super nodes with strong capabilities, e.g. bandwidth, computing speed and reliability. Each super node has an index table to manage a subset of local peers.
Therefore, a super node together with the local nodes it manages forms a centralized P2P system, and all super nodes together form a decentralized P2P system. An example of such a system is eMule [23].

2.2 Digital Rights Management

Because digital content is easy to copy, tamper with, and spread, a currently popular protection mechanism for digital intellectual property is digital rights management (DRM) [24]. A DRM system allows digital content publishers to define and enforce restrictions on how their content is used. It protects, monitors, and traces the relation between tangible (e.g. CDs) or intangible (e.g. digital documents) copyrighted assets and their owner. Depending on payment, different users may have different levels of rights, and the usage rules are recorded in a license.

2.3 Identity-based Cryptosystem and Bilinear Pairings

The concept of an identity-based cryptosystem was first proposed by A. Shamir in 1984 [25]. In 2001, the first practical identity-based encryption (IBE) scheme was proposed by Boneh et al. [26]. In 2002, an identity-based signature (IBS) scheme was proposed by Paterson [27]. The security of IBE and IBS is based on the elliptic curve discrete logarithm problem and the bilinear Diffie-Hellman problem [27-31], and both use the properties of bilinear pairings on elliptic curves. In IBE and IBS schemes, each user can use a well-known and unique identity, such as an IP address or e-mail address, as his public key. The basic definition and properties of the bilinear pairing are as follows [32, 33]: let $G_1$ be an additive group of prime order $q$ and $G_2$ be a multiplicative group of the same order $q$. A bilinear pairing is a computable bilinear map between the two groups. We let $e$ denote a general bilinear pairing map.
Therefore, the bilinear pairing is a map $e : G_1 \times G_1 \rightarrow G_2$ on the elliptic curve and satisfies the following properties:

(1) Bilinear: for $P, Q, R \in G_1$ and $a, b \in Z_q^*$, $e(P + Q, R) = e(P, R) \cdot e(Q, R)$, $e(P, Q + R) = e(P, Q) \cdot e(P, R)$, and $e(aP, bQ) = e(abP, Q) = e(P, abQ) = e(P, Q)^{ab}$.
(2) Non-degenerate: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.
(3) Computable: for all $P, Q \in G_1$, there is an efficient algorithm to compute $e(P, Q)$.
(4) For all $P, Q \in G_1$, $e(P, Q) = e(Q, P)$.

Journal of Computers Vol.20, No.3, October 2009

3 Proposed TDRM on P2P

3.1 System Architecture

Table 1 defines the notation used in this paper. We design the TDRM system to provide users with a fully legal P2P network environment. TDRM has three features: 1) every component of TDRM can exchange messages securely with every other component; 2) a file owner can protect his digital content from unauthorized users; 3) a reliable payment mechanism. In the proposed TDRM system, both file owners and file forwarders contribute to the P2P network: file owners create the various digital contents, and file forwarders help speed up transmission in the P2P network. Therefore, when a user pays for playing a file, the payment is distributed to both the file owner and the forwarder. The system architecture of the proposed TDRM is shown in Fig. 1.

Table 1. Notation table

Notation | Description
$s$ / $sP$ | The private / public key of the trust server
$K_{DRM_C}$ | A DRM key in the DRM module
$Sign_{U_i}$ | A signature from user $i$
$T_i$ | Timestamp
$RN_{ij}$ | Request number for a session $j$ from user $i$
$R_{ij}$ | Random number $j$ from user $i$
$h()$ | A general hash function
$H_1()$ | An identity-based cryptosystem hash function that hashes a value to a point
$DS$ | Dual signature
$MAC$ | Message authentication code
$COI$ / $LOI$ | Content order information / License order information
$K_{play}$ | A key for playing content
$K_{X,Y}$ | The session key between X and Y, as computed by X
The three major components of the TDRM system and their abbreviations are as follows:

Trust server (TS). The trust server is a crucial part of the entire system and runs two subsystems for all users: the identity-based cryptosystem and the DRM system. The identity-based cryptosystem is set up by TS, which serves as a certificate authority, to make sure that secret data such as payment messages or authentication messages are transmitted securely. Given an admissible bilinear pairing $e : G_1 \times G_1 \rightarrow G_2$, where $P$ is a generator of $G_1$, TS defines two hash functions $H_1 : \{0,1\}^* \rightarrow G_1^*$ and $H_2 : G_2 \rightarrow \{0,1\}^n$. TS chooses a random number $s \in Z_q^*$ as its private key $SK_{TS}$ and computes its public key $PK_{TS} = sP \in G_1$. Finally, TS keeps $s$ secret and publishes $\{G_1, G_2, e, n, P, PK_{TS}, H_1, H_2\}$. Once TS has set up the identity-based cryptosystem parameters, TS can compute a private key for each registered superpeer or user. The DRM system provides copyright protection for original content publishers. If a user wants to share or buy files on the TDRM P2P system, he must register with TS to obtain a DRM module, which is created by the DRM system of TS. In practice, it would be better for TS to be maintained by a trusted third party (TTP), e.g. a government agency.

Superpeer (SP). Several superpeers provide the search service for users. As [34-37] report, the hybrid P2P architecture gives better search results, so we build the superpeers into a hybrid P2P architecture. Moreover, considering practical conditions, the role of the superpeers was often played by a P2P software company's server in the past. When users use P2P software to search for and download files illegally, it is hard to say whether the user or the software company is guilty of piracy. In the TDRM system there is no piracy problem, so superpeers can be set up by software companies, or even by ISPs.

User. When a user joins the TDRM P2P network, he must choose a superpeer to serve him, i.e. he is managed within a superpeer's domain.
Users can then act in three roles: content requester, content forwarder, or content publisher. A content requester has to pay for downloading files and buying licenses. Every content forwarder has a chance to receive part of the content requester's payment, and only the original content publisher holds the license for a given file. This payment distribution mechanism gives every kind of user an incentive to keep sharing and uploading, and it naturally avoids the free-rider problem in the P2P network. To protect copyright in our system, all authentication, encryption, and decryption is handled by the DRM module. A typical user's behavior in the P2P network with TDRM consists of six phases, as follows:

Initial Connection Phase. After a new TDRM participant obtains his identity-based key pair and installs the DRM module on his device, the user chooses a sharing folder in which to put the files he wants to offer. Then the user creates content encryption keys for the different files and encrypts the files to protect copyright. Finally, the DRM module records the sharing information in two index tables and uploads them to a superpeer, declaring what this peer can share.

Content Searching Phase. A content requester sends the name of the file he wishes to download to the superpeer. Using the index tables periodically updated by every peer, the superpeer can return the real-time search result.

Download Contents Phase. The content requester chooses a content forwarder from the search result and sends him a file request message. The file request message includes authentication data and a digital signature, so that the content forwarder can apply to TS for the uploading commission.

License Request Phase. From the search result, the content requester also learns who the file's original publisher is.
Because only the content publisher holds the license, users must send a license request message (similar to the file request message) to buy the license. The content publisher profits from the royalty.

Payment Authentication Phase. Although the user has obtained the file and license in the steps above, he must perform this final step to obtain the remaining data needed to decrypt the protected file. This data is collected by TS when the content forwarder and publisher apply for their commissions. In the TDRM system, TS is a trusted organization that handles all payment authentication and payment distribution.

Content Playing Phase. If the user's DRM module receives all of the data correctly from TS, the content forwarder, and the content publisher, the DRM module can compute the decryption key and play the clear content.

Fig. 1. System architecture of the TDRM (figure omitted: TS runs a certificate authority, DRM and payment management and handles registration and payment authentication; superpeers such as SP1 run a search engine and key management; users UC (content requester), UD (content forwarder) and UP (content publisher) each hold a DRM module, key management, a file-publish module and a search engine, and exchange search requests, downloads, license requests and payment requests).

3.2 Preliminary

Registration. All components must register with TS to obtain their identity-based key pair. For example, at the start of registration a superpeer $SP_1$ sends a registration request with its unique identity ($SP_1$) to TS. TS computes $SP_1$'s private key $SK_{SP_1} = sH_1(SP_1)$ and returns it through a secure channel. If the registering party is a superpeer, registration is complete when it receives the private key. But if the registering party is a general user, e.g.
a user $U_C$, he must make a second request to obtain a DRM module. The steps are shown in Fig. 2. The DRM module contains the following data and keys. Note that this information is embedded inside the DRM module and is unknown to the user.

$ID_{DRM_C}$: The identity of user $U_C$'s DRM module.
$K_{DRM_C}$: A secret key in the DRM module $ID_{DRM_C}$. TS computes a different $K_{DRM_C} = h(U_C, s)$ for each user's DRM module. $K_{DRM_C}$ is used to compute the content encryption key in the protected content generation phase.
$K_{play}$: The same $K_{play}$ is in every DRM module. When a user wants to play a file, the license must be decrypted with $K_{play}$.
$h()$: A hash function. It is used to generate the content encryption key, payment information, device key, the index of protected content in the sharing folder, and various verification messages.
Superpeer list: A list that records all available superpeers and related information about them.

Fig. 2. Registration (figure omitted: UC or SP1 sends a registration request to TS, which returns the private key over a secure channel; a user UC then sends a DRM module request and receives the DRM module).

Key Agreement. Once every component has registered with TS successfully, the session key between any two communicating nodes in the TDRM system can be established easily using the properties of the identity-based cryptosystem. As shown in Fig. 3, for example, a user $U_C$ computes the session key with a superpeer $SP_1$ as $K_{U_C,SP_1} = e(sH_1(U_C), H_1(SP_1))$, and $SP_1$ computes $K_{SP_1,U_C} = e(sH_1(SP_1), H_1(U_C))$. Both $U_C$ and $SP_1$ use their own private key and the other side's public key to generate the session key. By bilinearity, $K_{U_C,SP_1} = e(sH_1(U_C), H_1(SP_1)) = e(sH_1(SP_1), H_1(U_C)) = K_{SP_1,U_C}$. Therefore, $U_C$ and $SP_1$ can exchange secret data under this session key.

(figure omitted: (a) $K_{U_C,TS} = e(sH_1(U_C), sP)$ and $K_{TS,U_C} = e(H_1(U_C), sP)^s$; (b) $K_{SP_1,TS} = e(sH_1(SP_1), sP)$ and $K_{TS,SP_1} = e(H_1(SP_1), sP)^s$; (c) $K_{U_C,SP_1} = e(sH_1(U_C), H_1(SP_1))$ and $K_{SP_1,U_C} = e(sH_1(SP_1), H_1(U_C))$)

Fig. 3.
Key agreement between (a) $U_C$ and TS, (b) $SP_1$ and TS, (c) $U_C$ and $SP_1$

3.3 Initial Connection Phase

A content forwarder or publisher must perform this phase periodically to tell his superpeer which files are shared on the peer. For example, in the beginning a user $U_C$ puts an original clear file $file_{abc}$, named $abc$, which he wants to share, into a sharing folder. The DRM module creates a unique content encryption key $K_{abc} = h_{DRM}(abc \,||\, K_{DRM_C})$ by hashing the concatenation of the file name $abc$ and the secret key $K_{DRM_C}$. Then $K_{abc}$ is encrypted under the secret key $K_{play}$ to form the license key $E_{K_{play}}[K_{abc}]$. Using $K_{abc}$, the DRM module encrypts $file_{abc}$ and obtains the protected version $F_{abc} = E_{K_{abc}}[file_{abc}]$. $F_{abc}$ is then ready to be offered on the Internet. Besides preparing the encrypted files and license keys, the user must compute indexes for the shared files and content encryption keys. The DRM module uses the index generation hash function $h_I()$ to hash every file and builds the content index table, Table 2. Another table, the license key table, records the corresponding license keys and is shown in Table 3. After these two tables are encrypted under the session key $K_{U_C,SP_1}$, the DRM module sends them to superpeer $SP_1$'s database. The superpeer manages all shared-file indexes in its domain, so it can provide a real-time search service for every user.

Table 2. Content index table

User | IP address | Content name | Content index | Content publisher
$U_C$ | $IP_C$ | abc | $H(F_{abc})$ | Yes

Table 3. License key table

User | IP address | Content name | Content index | License key
$U_C$ | $IP_C$ | abc | $H(F_{abc})$ | $E_{K_{play}}[K_{abc}]$

3.4 Content Searching Phase

A user can send a search message to the superpeer through the TDRM client installed on his computer. For example, user $U_C$ wants to search for a file $file_{xyz}$. $U_C$'s DRM module sends the search request to his manager superpeer $SP_1$.
If $SP_1$ finds an available source in its database, $SP_1$ replies to $U_C$ directly with the source list; otherwise it forwards the search request to other superpeers. This search mode is based on the hybrid P2P structure [34-37], which has been shown to have better search efficiency. Table 4 shows the search result. When the TDRM client receives this table, $U_C$ can choose any one of the listed users as his content forwarder, but $U_C$ can only obtain the license from the original content publisher $U_P$.

Table 4. Search result table

User | IP address | Manager $SP_i$ | Content name | Content index | Content publisher
$U_D$ | $IP_D$ | $SP_1$ | xyz | $H(F_{xyz})$ | No
$U_E$ | $IP_E$ | $SP_1$ | xyz | $H(F_{xyz})$ | No
$U_P$ | $IP_P$ | $SP_1$ | xyz | $H(F_{xyz})$ | Yes

3.5 Download Contents Phase

We assume that $U_C$ chooses $U_D$ from Table 4 as the content forwarder, and divide the download contents phase into three parts, as shown in Fig. 4:

Part 1 ($U_C$ side):
1) The DRM module takes over the preparation of the authentication data and creates two kinds of data. The first is the content order information $COI$, including content name, content request, type, index, size, and related information. The other is the payment information $PI_D^{T_1}$, which is for $U_D$ at time $T_1$. $PI_D^{T_1}$ consists of the content forwarder's identity $U_D$ and the request number $RN_{C1}$. The request number is known only to the content requester and TS. After the content requester has obtained the protected content and license, he must present the request number to TS correctly to obtain the data needed for decryption.
2) The DRM module computes the message digest $H(H(COI) \,||\, H(PI_D^{T_1}) \,||\, T_1)$ and creates the dual signature $DS = Sign_{U_C}[H(H(COI) \,||\, H(PI_D^{T_1}) \,||\, T_1)]$ by signing the message digest with $U_C$'s private key. The dual signature makes it possible to give different receivers different information: for example, $U_D$ only needs to know the content order information $COI$, while only TS learns the details of the payment information $PI_D^{T_1}$.
3) The DRM module computes the message $M_D^{T_1} = E_{K_{U_C,TS}}[PI_D^{T_1} \,||\, H(COI) \,||\, DS \,||\, T_1]$. Finally, the DRM module sends the content requester's identity $U_C$, the content forwarder's identity $U_D$, the content order information $COI$, the dual signature $DS$, the hash value of the payment information $H(PI_D^{T_1})$, the timestamp $T_1$, and the message $M_D^{T_1}$ to the content forwarder $U_D$.

Part 2 ($U_D$ side):
1) Upon receiving the request from $U_C$, $U_D$ verifies whether the timestamp $T_1$ is within the valid period.
2) If so, $U_D$ decrypts (verifies) the received $DS$ and obtains the hash value $H(H(COI) \,||\, H(PI_D^{T_1}) \,||\, T_1)$. Then $U_D$ uses the received data to compute the hash value $H(H(COI) \,||\, H(PI_D^{T_1}) \,||\, T_1)'$.
3) $U_D$ compares $H(H(COI) \,||\, H(PI_D^{T_1}) \,||\, T_1)' \overset{?}{=} H(H(COI) \,||\, H(PI_D^{T_1}) \,||\, T_1)$. If both hash values are the same, $U_D$ can confirm that the content order information is correct, and prepares the related parameters before replying with $U_C$'s requested file.
4) $U_D$ generates a random number $R_{D1}$ and a secret key $K_{D2}$. Then $U_D$ computes the encrypted message $RD = E_{K_{U_D,TS}}[R_{D1} \oplus K_{D2}]$ under the session key $K_{U_D,TS}$ between $U_D$ and TS.
5) $U_D$ computes the message digest $H(K_{D2})$ and the message authentication code $MAC_{U_D,TS}^{T_1} = H(K_{U_D,TS} \,||\, RD \,||\, H(K_{D2}) \,||\, T_1)$.
6) $U_D$ sends the identity of the content requester $U_C$, the timestamp $T_1$, the message $M_D^{T_1}$, the encrypted message $RD$, the message digest $H(K_{D2})$, and the message authentication code $MAC_{U_D,TS}^{T_1}$ to TS.
7) Finally, $U_D$ encrypts $U_C$'s requested file $F_{xyz}$ under the secret key $K_{D2}$. Moreover, $U_D$ encrypts $R_{D1}$ together with the encrypted file $E_{K_{D2}}[F_{xyz}]$ under the session key between $U_C$ and $U_D$.
8) $U_D$ sends $E_{K_{U_C,U_D}}[R_{D1}, E_{K_{D2}}[F_{xyz}]]$ back to $U_C$ and waits for the profit distribution by TS in the future. $U_C$ obtains the random number $R_{D1}$ and the encrypted file $E_{K_{D2}}[F_{xyz}]$ from $U_D$.
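Parts 1 and 2 of the download contents phase, written out as an added runnable example (this is not the paper's code). It assumes SHA-256 for $H()$, HMAC-SHA256 as a stand-in for the ID-based signature $Sign_{U_C}[]$ (so $U_D$ verifies with the same secret, unlike a real signature), a SHA-256 keystream XOR as a stand-in for $E_K[]$ under a session key, and constructed keys, identities and content.

```python
"""Download contents phase of TDRM (Section 3.5, Parts 1 and 2), added example.
Stand-ins, not the paper's primitives: SHA-256 for H(), HMAC-SHA256 for the
ID-based signature Sign_U[], and a SHA-256 keystream XOR for E_K[] under a
session key. Keys, identities and content below are constructed sample values."""
import hashlib
import hmac
import os

# Constructed sample values (assumptions, not from the paper).
SK_UC = b"uc-signing-secret"          # U_C's signing key (stand-in for ID-based SK)
K_UC_TS = b"session-key-UC-TS"        # K_{U_C,TS}
K_UD_TS = b"session-key-UD-TS"        # K_{U_D,TS}
K_UC_UD = b"session-key-UC-UD"        # K_{U_C,U_D}
U_D = b"UD"
RN_C1 = b"RN-C1-0001"                 # request number, known to U_C and TS only
COI = b"name=xyz;type=video;index=H(Fxyz);size=1234"
F_XYZ = b"protected-content-F_xyz"    # the already DRM-protected file F_xyz
MAX_SKEW = 60                          # seconds a timestamp may be off (assumed)


def H(*parts: bytes) -> bytes:
    """H(a || b || ...): SHA-256 over the concatenation of the parts."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(key: bytes, data: bytes) -> bytes:
    """Stand-in for E_K[data]: XOR with a SHA-256 keystream; decrypting is enc again."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return xor(data, stream[:len(data)])


def sign(sk: bytes, digest: bytes) -> bytes:
    """Stand-in for Sign_U[digest]."""
    return hmac.new(sk, digest, hashlib.sha256).digest()


def uc_request(sk_uc, k_uc_ts, coi, u_d, rn_c1, t1):
    """Part 1: U_C's DRM module builds the file request for U_D."""
    pi = u_d + b"|" + rn_c1                        # PI_D^{T1} = (U_D, RN_C1)
    digest = H(H(coi), H(pi), t1)                  # H(H(COI) || H(PI) || T1)
    ds = sign(sk_uc, digest)                       # dual signature DS
    m = enc(k_uc_ts, pi + H(coi) + ds + t1)        # M_D^{T1}, readable by TS only
    # U_D receives COI in clear but only H(PI): it never learns RN_C1.
    return {"coi": coi, "ds": ds, "h_pi": H(pi), "t1": t1, "m": m}


def ud_handle(req, vk_uc, k_ud_ts, k_uc_ud, f_xyz, now):
    """Part 2: U_D checks the request, then answers TS and U_C. None = reject."""
    t1 = int.from_bytes(req["t1"], "big")
    if abs(now - t1) > MAX_SKEW:                   # 1) timestamp within valid period
        return None
    digest = H(H(req["coi"]), req["h_pi"], req["t1"])          # 2) recompute digest'
    if not hmac.compare_digest(sign(vk_uc, digest), req["ds"]):  # 3) digest' vs signed
        return None
    r_d1, k_d2 = os.urandom(32), os.urandom(32)    # 4) random R_D1, content key K_D2
    rd = enc(k_ud_ts, xor(r_d1, k_d2))             #    RD = E_{K_UD,TS}[R_D1 xor K_D2]
    h_kd2 = H(k_d2)                                # 5) H(K_D2)
    mac = H(k_ud_ts, rd, h_kd2, req["t1"])         #    H(K_UD,TS || RD || H(K_D2) || T1)
    to_ts = {"uc": b"UC", "t1": req["t1"], "m": req["m"],
             "rd": rd, "h_kd2": h_kd2, "mac": mac}  # 6) commission claim sent to TS
    reply = enc(k_uc_ud, r_d1 + enc(k_d2, f_xyz))  # 7-8) E_{K_UC,UD}[R_D1, E_{K_D2}[F]]
    return to_ts, reply


def run_download_phase(now, skew=0, tamper=False):
    """Run Parts 1-2 end to end; skew ages T1, tamper alters COI in transit."""
    t1 = (now - skew).to_bytes(8, "big")
    req = uc_request(SK_UC, K_UC_TS, COI, U_D, RN_C1, t1)
    if tamper:
        req["coi"] = COI + b";size=1"              # modified order information
    return ud_handle(req, SK_UC, K_UD_TS, K_UC_UD, F_XYZ, now)


if __name__ == "__main__":
    to_ts, reply = run_download_phase(1_700_000_000)
    print("U_D -> TS fields:", sorted(to_ts))
    print("stale request rejected:", run_download_phase(1_700_000_000, skew=120) is None)
```

A receiver that checks only the timestamp but not the digest would accept a modified $COI$; the `tamper` path shows the digest check catching that.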
Fig. 4. Download contents phase (figure omitted: the message flow $U_C \rightarrow U_D$, $U_D \rightarrow TS$ and $U_D \rightarrow U_C$ described in Parts 1-3).

Part 3 (TS side):
1) Upon receiving the request from $U_D$, TS verifies whether the timestamp $T_1$ is within the valid period.
2) TS decrypts $M_D^{T_1}$ with the session key $K_{U_C,TS}$ and computes the hash value $H(H(COI) \,||\, H(PI_D^{T_1}) \,||\, T_1)'$ to verify $H(H(COI) \,||\, H(PI_D^{T_1}) \,||\, T_1)' \overset{?}{=} H(H(COI) \,||\, H(PI_D^{T_1}) \,||\, T_1)$. If both hash values are the same, TS can confirm that the payment information from $U_C$ is valid.
3) TS uses the received data $RD$, $H(K_{D2})$, $T_1$, and the session key $K_{U_D,TS}$ to compute $MAC_{U_D,TS}^{T_1}{}'$. If $MAC_{U_D,TS}^{T_1}{}'$ equals $MAC_{U_D,TS}^{T_1}$, TS can confirm that $U_D$ is a valid content forwarder for $U_C$.

3.6 License Request Phase

As shown in Fig. 5, the original clear content $file_{xyz}$ was encrypted under the content key $K_{xyz}$, so $U_C$ must perform this phase to obtain the license key $E_{K_{play}}[K_{xyz}]$ and rely on the DRM module to decrypt it with the secret key $K_{play}$. According to the search result, $U_C$ sends a license request message to the content publisher $U_P$. When $U_P$ receives the license request message and successfully performs the same validation process as $U_D$ in the content transmission phase, $U_P$ generates two random numbers $R_{P1}$ and $R_{P2}$ and creates a series of authentication data to send to TS, as shown in Fig. 5.
Then $U_P$ computes the reply message $E_{K_{U_P,U_C}}[R_{P1}, (E_{K_{play}}[K_{xyz}] \oplus R_{P2}), rules]$ and returns it together with the identities $U_P$ and $U_C$. Using the session key between $U_P$ and $U_C$, $U_C$ obtains the random number $R_{P1}$, the masked license key $(E_{K_{play}}[K_{xyz}] \oplus R_{P2})$, and the content usage rules from $U_P$.

Fig. 5. License request phase (figure omitted: $U_C$ sends $U_C, U_P, LOI, DS, H(PI_P^{T_2}), T_2, M_P^{T_2}$ with $M_P^{T_2} = E_{K_{U_C,TS}}[PI_P^{T_2} \,||\, H(LOI) \,||\, DS \,||\, T_2]$; $U_P$ computes $RP = E_{K_{U_P,TS}}[R_{P1} \oplus R_{P2}]$, $H(R_{P2})$ and $MAC_{U_P,TS}^{T_2} = H(K_{U_P,TS} \,||\, RP \,||\, H(R_{P2}) \,||\, T_2)$, sends $U_P, TS, U_C, T_2, M_P^{T_2}, RP, H(R_{P2}), MAC_{U_P,TS}^{T_2}$ to TS, and returns $E_{K_{U_P,U_C}}[R_{P1}, E_{K_{play}}[K_{xyz}] \oplus R_{P2}, rules]$ to $U_C$).

3.7 Payment Authentication Phase

In the TDRM P2P system, all peers except the superpeers and the trust server may log in and out dynamically. Therefore, we let the central TS handle payment calculation, distribution, and recording, which raises the confidence of all content users in the TDRM system. After $U_C$ receives the encrypted content $E_{K_{D2}}[F_{xyz}]$ and the masked license key $(E_{K_{play}}[K_{xyz}] \oplus R_{P2})$, $U_C$ must submit authentication data and payment to TS to buy the parameters needed to decrypt the license key. This is shown in Fig. 6.

Part 1 ($U_C$ side):
1) The content requester $U_C$ computes the payment message digest $Pay_C^{T_3} = H(H(COI) \,||\, H(LOI) \,||\, RN_{C1} \,||\, T_3)$, the hash of the concatenation of the content order information digest $H(COI)$, the license order information digest $H(LOI)$, the request number $RN_{C1}$, and the timestamp $T_3$.
2) $U_C$ signs the payment message digest $Pay_C^{T_3}$ with his identity-based private key and obtains the signature $Sign_{U_C}[Pay_C^{T_3}]$.
3) $U_C$ uses the session key $K_{U_C,TS}$ to encrypt the payment authentication message $PA = E_{K_{U_C,TS}}[RN_{C1}, T_3, (U_D, R_{D1}), (U_P, R_{P1})]$.
4) Finally, $U_C$ sends the identities of $U_C$ and TS, the signature $Sign_{U_C}[Pay_C^{T_3}]$, and the payment authentication message $PA$ to TS.

Part 2 (TS side):
1) When TS receives the authentication message from $U_C$, TS decrypts $Sign_{U_C}[Pay_C^{T_3}]$ and $PA$, and verifies whether the timestamp $T_3$ inside $PA$ is within the valid period. If the timestamp is valid, TS gathers all data related to this transaction $RN_{C1}$ from $U_C$, $U_D$, and $U_P$.
2) TS uses the gathered data to compute $Pay_C^{T_3}{}'$ and compares $Pay_C^{T_3}{}'$ with $Pay_C^{T_3}$. If the two message digests are the same, TS can confirm the transaction of the content requester $U_C$.
3) TS XORs the value $(R_{D1} \oplus K_{D2})$ sent by $U_D$ with the value $R_{D1}$ sent by $U_C$ to obtain $K_{D2}$. In the same way, TS computes $(R_{P1} \oplus R_{P2}) \oplus R_{P1} = R_{P2}$.
4) To check the correctness of $K_{D2}$ and $R_{P2}$, TS hashes $K_{D2}$ and $R_{P2}$ respectively and verifies $H(K_{D2})' \overset{?}{=} H(K_{D2})$ and $H(R_{P2})' \overset{?}{=} H(R_{P2})$.
5) TS encrypts $K_{D2}$ and $R_{P2}$ by computing $E_{K_{U_C,TS}}[E_{K_{DRM_C}}[K_{D2}, R_{P2}]]$ and sends the result back to $U_C$.
6) Finally, the transaction is complete. TS distributes $U_C$'s payment to $U_D$ and $U_P$.

Fig. 6. Payment authentication phase (figure omitted: $U_C$ sends $U_C, TS, Sign_{U_C}[Pay_C^{T_3}], PA$; TS verifies $Pay_C^{T_3}$, computes $(R_{D1} \oplus K_{D2}) \oplus R_{D1} = K_{D2}$ and $(R_{P1} \oplus R_{P2}) \oplus R_{P1} = R_{P2}$, verifies $H(K_{D2})$ and $H(R_{P2})$, returns $E_{K_{U_C,TS}}[E_{K_{DRM_C}}[K_{D2}, R_{P2}]]$ and distributes $U_C$'s payment to $U_D$ and $U_P$).

3.8 Content Playing Phase

As shown in Fig.
7, in the beginning $U_C$ uses the session keys shared with $U_D$, $U_P$, and TS to decrypt the secret messages and obtains the protected content $E_{K_{D2}}[F_{xyz}]$, the masked license key $(E_{K_{play}}[K_{xyz}] \oplus R_{P2})$, and the secret value $E_{K_{DRM_C}}[K_{D2}, R_{P2}]$. Then, every time $U_C$ wants to play $file_{xyz}$, he performs the following steps:
1) $U_C$ inputs the above data into the DRM module. The DRM module first decrypts $E_{K_{DRM_C}}[K_{D2}, R_{P2}]$ and uses $K_{D2}$ to decrypt $E_{K_{D2}}[F_{xyz}]$.
2) The DRM module computes the XOR $(E_{K_{play}}[K_{xyz}] \oplus R_{P2}) \oplus R_{P2} = E_{K_{play}}[K_{xyz}]$, recovering the license key.
3) The DRM module decrypts the license key and obtains the content key $K_{xyz}$. Using $K_{xyz}$, the DRM module can decrypt and play the original clear content $file_{xyz}$.

Fig. 7. Content playing phase (figure omitted: the DRM module decrypts $E_{K_{DRM_C}}[K_{D2}, R_{P2}]$, decrypts $E_{K_{D2}}[F_{xyz}]$, computes $(E_{K_{play}}[K_{xyz}] \oplus R_{P2}) \oplus R_{P2} = E_{K_{play}}[K_{xyz}]$, decrypts $E_{K_{play}}[K_{xyz}]$, then decrypts $F_{xyz}$ and plays $file_{xyz}$).

4 Security Analysis

The security of our scheme rests on the identity-based cryptosystem and DRM technology. By using identity-based key pairs, DRM keys, and hash chains for data authentication, the proposed TDRM system provides a reliable platform for both digital content sellers and buyers.

4.1 Secure Transmission

With the identity-based (ID-based) cryptosystem, we can make sure that a session key can be generated only by the two communicating nodes. The session key is used to protect the following secret data: the payment information $PI_D^{T_1}$ and $PI_P^{T_2}$ should be known only to TS, so it is encrypted under the ID-based session key between $U_C$ and TS. To restrict access to paying users only, although the content and license are already protected by keys in the DRM module, we encrypt them again under the ID-based session key.
The message authentication code (MAC) is computed over the concatenation of the ID-based session key and the other authentication data. Thus attackers are unable to forge the MAC.

4.2 Replay Attack

A replay attack may cause authentication failures, network bandwidth congestion, or profit/charge errors. So we include a timestamp in every transmission step. In the TDRM system, every component must verify the timestamp upon receiving each message.

4.3 The Property of Non-repudiation

Any electronic commerce system should possess non-repudiation; it is a basic requirement for its customers. In our proposed TDRM system, for example, the content requester $U_C$ cannot deny the request he sent to $U_D$, because the dual signature $DS = Sign_{U_C}[H(H(COI) \,||\, H(PI_D^{T_1}) \,||\, T_1)]$ was signed with $U_C$'s ID-based private key. Besides, $U_C$ sent the value $M_D^{T_1}$ to $U_D$, and $U_D$ then forwarded it to TS. Since $M_D^{T_1} = E_{K_{U_C,TS}}[PI_D^{T_1} \,||\, H(COI) \,||\, DS \,||\, T_1]$ is produced by encrypting data under the session key between $U_C$ and TS, $M_D^{T_1}$ also serves as evidence for $U_D$.

4.4 Impersonation Attack

If an adversary attempts to impersonate the content requester to request files and licenses, or tries to impersonate the content forwarder / publisher to send a fake reply, he will fail mutual authentication without the correct ID-based private key and session key.

4.5 Modification Attack

For integrity, the TDRM system appends a message authentication code (MAC) in each phase. Receivers can check message correctness and detect any modified data.

4.6 Distribution Attack

Our scheme also provides access control through the DRM module. A user who bought protected content and its license can play it only on his own devices. The content license is encrypted with the device key and the content play key. Only the DRM module can generate these keys, and they are stored only inside the DRM module.
Therefore, the user cannot extract these keys from the DRM module and share them with other users. Even if he shares the protected content with other users, their DRM modules cannot compute the right key to decrypt and play it.

5 Performance Analysis

In this section, we compare the performance of TDRM with the literature. When a user wants to join our scheme, he must register with TS to get his identity-based private key and use this key to generate session keys. The security of the identity-based system is based upon the difficulty of the elliptic curve discrete logarithm problem (ECDLP). Compared with a public key infrastructure (PKI), the identity-based system offers better performance because it achieves the same security degree with a smaller key size. For example, a 160-bit key in the identity-based cryptosystem and a 1024-bit key in RSA have the same security level in practice. Using the identity-based cryptosystem with bilinear pairing, a user can use his identity-based private key and the public key of the communication peer to compute their session key. The identity-based cryptosystem makes key management easier and minimizes the cost of a conventional public key infrastructure.

In Gu et al.’s paper [13], they use a public key infrastructure, modular operations, and modular exponentiation to protect content licenses and authenticate messages in their scheme. In Xinwen et al.’s protocol [14], they also use the same technologies as [13]. However, their scheme does not protect or authenticate messages in the message request phase, so an attacker can mount a modification attack to destroy the integrity of messages. Therefore, our scheme is more efficient and secure.

In our scheme, the user keys in his order information directly to search for content and a license, then chooses what he wants directly from the search result. However, Xinwen et al.’s protocol [14] is embedded in the BitTorrent architecture.
The user must get the track file to contact the track server and find the content information in the BitTorrent architecture. If the user cannot find the track file or the track server has crashed, the scheme cannot proceed. Therefore, the proposed TDRM system is more convenient than the other schemes in the search phase.

We use the session key and a hash function to authenticate messages, which lets us avoid replay, modification, and forgery attacks. In Gu et al.’s paper [13], they use multiplication and exponentiation operations to authenticate messages. However, if the value k of Shamir’s [k, n]-threshold secret sharing is too large, the content is divided into more pieces and the computational cost increases immensely. Therefore, TDRM is more efficient in the message authentication phase than the other schemes.

TDRM employs a TS and many superpeers as the system backbone. The user is managed by a superpeer and does not contact TS directly in the content search and content transmission phases; the user only needs to contact TS in the payment authentication phase. When TS helps the content publisher compute the device key of the content requester, TS performs only one exclusive-OR operation and one hash operation to generate the device key, so the computation cost of these two operations is as low as possible. The hybrid P2P architecture is used in our scheme: when more and more users join TDRM, we can flexibly add more superpeers to preserve scalability.

In [14], if a user wants to transmit the content to another content requester, he must request the encrypted key from the track server. The track server employs a public key infrastructure, modular operations, and modular exponentiation to generate the encrypted key. Each time the user requests a piece of content, the track server must compute an encrypted key. Because the content is divided into pieces, this leads to heavy computation on the track server.
In [13], they employ a public key system, modular operations, and modular exponentiation to compute the content license. These technologies lead to heavy computation for the content publisher, the license authorities, and the customer. Besides, they employ the concept of Shamir’s [k, n]-threshold secret sharing scheme to design their architecture. Once the value k of Shamir’s [k, n]-threshold secret sharing increases, the content is divided into more pieces and the computational cost of the track server becomes heavy. Compared with these two schemes, both of which have a bottleneck problem, TDRM is more scalable and has better performance. Table 5 shows the comparison of our scheme with [13] and [14]. We show that our scheme is more secure, more efficient, more scalable, and has lower computational cost.

Table 5. Performance comparison table

                         Our scheme                                Xinwen et al. [14]                        Gu et al. [13]
Architecture             Hybrid                                    Client-server                             Multi-client-server
Search                   Convenient                                Not convenient                            None
Scalability              High                                      Low                                       Low
Cryptosystem             ID-based + symmetric key + hash function  Asymmetric key + modular exponentiation   Asymmetric key + modular exponentiation
Authentication cost      1 T_MAC                                   None                                      k*(T_Exp + T_mul)
Key agreement            Yes                                       No                                        No
Search mechanism         Yes                                       No                                        No
Payment mechanism        Yes                                       No                                        No
License computing cost   1 T_XOR + 2 T_h + 2 T_sym                 m*(T_asym + T_Exp)                        k*(T_Exp + T_mul) + 1 T_asym

m: the content is divided into m pieces.
k: the value of Shamir’s [k, n]-threshold secret sharing scheme.
T_MAC: the time complexity of one message authentication operation.
T_XOR: the time complexity of one exclusive-OR operation.
T_Exp: the time complexity of one exponentiation operation.
T_h: the time complexity of one hashing operation.
T_sym: the time complexity of one symmetric encryption or decryption.
T_asym: the time complexity of one asymmetric encryption or decryption.
T_mul: the time complexity of one multiplication operation.
6 Conclusion

In this paper, we try to solve the copyright violation problem on P2P networks. The TDRM system adopts the identity-based cryptosystem to implement a trusted DRM module. Through TDRM, users get what they want legally, or gain profit from what they want to sell. Moreover, we also consider transaction security carefully: data integrity, message confidentiality, and user authentication. TDRM has the properties needed to be developed into a practical P2P business model.

Acknowledgement

This work was partially supported by the National Science Council, Taiwan, R.O.C., under contract no. NSC962628-E-005-009-MY3.

References

[1] Internet World Stats, http://www.internetworldstats.com.
[2] F. Vanier, “World Broadband Statistics: Q4 2008,” http://point-topic.com/contentDownload/operatorsource/dslreports/world%20broadband%20statistics%20q4%202008.pdf, 2009.
[3] K. Taima, “Can We Ever Charge Napster Users?,” IEEE Multimedia, Vol. 9, pp. 76-81, 2002.
[4] U. Lechner and B. F. Schmid, “Communities-Business Models and System Architectures: The Blueprint of MP3.com, Napster and Gnutella Revisited,” Proceedings of the 34th Hawaii International Conference on System Sciences, 2001.
[5] “Napster Faces Copyright Charges,” Computer Fraud & Security, Vol. 2001, No. 11, p. 2, 2001.
[6] J. S. Beuscart, “Napster Users between Community and Clientele: The Formation and Regulation of a Sociotechnical Group,” Sociologie du travail, Vol. 47, pp. 1-16, 2005.
[7] R. Stern, “Napster: A Walking Copyright Infringement?,” IEEE Micro, Vol. 20, pp. 4-5, 2000.
[8] M. F. Radcliffe, “Grokster: The New Law of Third Party Liability for Copyright Infringement under United States Law,” Computer Law & Security Report, Vol. 22, pp. 137-149, 2006.
[9] S. Ortiz, “Proponents Try to Rehabilitate Peer-to-peer Technology,” Computer, Vol. 41, pp. 16-19, 2008.
[10] Y. Cheng, L. Jianbo, Z. Yichun, S. Aina, “The Implementation Architecture of Content Protection in P2P Network,” International Conference on Computational Intelligence and Security Workshops, pp. 455-458, 2007.
[11] J. Nutzel and R. Grimm, “Potato System and Signed Media Format - An Alternative Approach to Online Music Business,” Third International Conference on Web Delivering of Music, pp. 23-26, 2003.
[12] T. Kalker, D. H. J. Epema, P. H. Hartel, R. L. Lagendijk, M. V. Steen, “Music2Share - Copyright-Compliant Music Sharing in P2P Systems,” Proceedings of the IEEE, Vol. 92, pp. 961-970, 2004.
[13] G. Gu, B. Zhu, S. Li, S. Zhang, “PLI: A New Framework to Protect Digital Content for P2P Networks,” Applied Cryptography and Network Security, pp. 206-216, 2003.
[14] Z. Xinwen, L. Dongyu, C. Songqing, S. Ravi, “Towards Digital Rights Protection in BitTorrent-Like P2P Systems,” Proceedings of the 15th ACM/SPIE Multimedia Computing and Networking, 2008.
[15] I. Gupta, K. Birman, P. Linga, A. Demers, R. Renesse, “Kelips: Building an Efficient and Stable P2P DHT through Increased Memory and Background Overhead,” Peer-to-Peer Systems II, pp. 160-169, 2003.
[16] I. Stoica, R. Morris, D. Karger, M. F. Kaashoek, H. Balakrishnan, “Chord: A Scalable Peer-to-Peer Lookup Service for Internet Applications,” Proceedings of the 2001 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, pp. 149-160, 2001.
[17] S. Ratnasamy, P. Francis, M. Handley, R. Karp, S. Schenker, “A Scalable Content-Addressable Network,” Proceedings of the 2001 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, pp. 161-172, 2001.
[18] A. Rowstron and P. Druschel, “Pastry: Scalable, Decentralized Object Location, and Routing for Large-Scale Peer-to-Peer Systems,” Proceedings of the IFIP/ACM International Conference on Distributed Systems Platforms (Middleware 2001), Heidelberg, Germany, pp. 329-350, 2001.
[19] B. Zhao, J. Kubiatowicz, A. Joseph, “Tapestry: An Infrastructure for Fault-tolerant Wide-area Location and Routing,” University of California at Berkeley, 2001.
[20] M. Portmann, P. Sookavatana, S. Ardon, A. Seneviratne, “The Cost of Peer Discovery and Searching in the Gnutella Peer-to-Peer File Sharing Protocol,” Ninth IEEE International Conference on Networks, pp. 263-268, 2001.
[21] M. Ripeanu, “Peer-to-Peer Architecture Case Study: Gnutella Network,” First International Conference on Peer-to-Peer Computing, pp. 99-100, 2001.
[22] I. Clarke, O. Sandberg, B. Wiley, T. Hong, “Freenet: A Distributed Anonymous Information Storage and Retrieval System,” Designing Privacy Enhancing Technologies, Vol. 2009, pp. 46-66, 2001.
[23] P. L. Piccard, B. Baskin, C. Edwards, G. Spillman, M. H. Sachs, L. P. Paul, B. Brian, E. Craig, S. George, H. S. Marcus, “eDonkey and eMule,” Securing IM and P2P Applications for the Enterprise, Burlington: Syngress, pp. 267-283, 2005.
[24] W. Ku and C. H. Chi, “Survey on the Technological Aspects of Digital Rights Management,” Information Security, Vol. 3225, pp. 391-403, 2004.
[25] A. Shamir, “Identity-based Cryptosystems and Signature Schemes,” Advances in Cryptology, pp. 47-53, 1985.
[26] D. Boneh and M. Franklin, “Identity-based Encryption from the Weil Pairing,” Advances in Cryptology — CRYPTO 2001, pp. 213-229, 2001.
[27] K. G. Paterson, “ID-based Signatures from Pairings on Elliptic Curves,” Electronics Letters, Vol. 38, pp. 1025-1026, 2002.
[28] Q. Wang and Z. Cao, “Identity based Proxy Multi-Signature,” Journal of Systems and Software, Vol. 80, pp. 1023-1029, 2007.
[29] Y. Ming, X. Q. Shen, Y. M. Wang, “Identity-based Encryption with Wildcards in the Standard Model,” The Journal of China Universities of Posts and Telecommunications, Vol. 16, pp. 64-68, 2009.
[30] Y. Yu, B. Yang, Y. Sun, S. L. Zhu, “Identity based Signcryption Scheme without Random Oracles,” Computer Standards & Interfaces, Vol. 31, pp. 56-62, 2009.
[31] C. C. Yang, T. Y. Chang, M. S. Hwang, “A New Anonymous Conference Key Distribution System based on the Elliptic Curve Discrete Logarithm Problem,” Computer Standards & Interfaces, Vol. 25, pp. 141-145, 2003.
[32] C. Gorantla, R. Gangishetti, A. Saxena, “A Survey on ID-based Cryptographic Primitives,” 2005.
[33] L. Chen, “An Interpretation of Identity-based Cryptography,” Foundations of Security Analysis and Design IV, pp. 183-208, 2007.
[34] M. Schlosser, M. Sintek, S. Decker, W. Nejdl, “HyperCuP - Shaping Up Peer-to-peer Networks,” 2002.
[35] X. Shi, J. Han, Y. Liu, L. M. Ni, “Popularity Adaptive Search in Hybrid P2P Systems,” Journal of Parallel and Distributed Computing, Vol. 69, pp. 125-134, 2009.
[36] S. S. Cao, W. Yin, X. Y. Chen, “A Robust Cluster-based Dynamic-Super-Node Scheme for Hybrid Peer-to-peer Network,” The Journal of China Universities of Posts and Telecommunications, Vol. 14, pp. 21-26, 2007.
[37] S. G. M. Koo, K. Kannan, C. S. G. Lee, “On Neighbor-selection Strategy in Hybrid Peer-to-peer Networks,” Future Generation Computer Systems, Vol. 22, pp. 732-741, 2006.