Digital rights management systems allow copyrighted content to be commercialized in digital format without the risk of revenue loss due to piracy. Making such systems secure is no easy task, given that content needs to be protected while accessed through electronic devices in the hands of potentially malicious end-users; in this context, intrusion tolerance becomes a very useful system property. In this paper we point out a limitation shared by all current DRM architectures, namely their weakness in reacting to possible device compromise and confining the damage caused by such a compromise. As a solution, we propose a paradigm shift - moving from the original DRM system model where all devices are equally trustworthy and have discretionary control over all protected content, to a new model where information flow is controlled through a multi-level security policy that differentiates between devices based on their tamper-resistance properties. We show that besides improved intrusion-tolerance, supporting such policies has other advantages, such as the ability to define more flexible business models for supplying content. We also show that for a given DRM architecture, the type authentication protocol used when accepting new devices in the system has a big impact on how well multi-level security policies can be supported, and that a number of protocols currently being considered are not very well suited for this job.
展开▼
