Enforcement for Usage Control - An Overview of Control Mechanisms

Executive Summary This document describes the results of the first two work packages of the research project " Enforcement for Usage Control " , carried out jointly by DoCoMo Euro-Labs and the Information Security group at ETH Zurich. The goal of the project is the development of a server-side architecture that enables the enforcement of usage control requirements at the data consumer's side. Data consumers can be both mobile phones and content providers. The goal of the first two work packages is to survey existing usage control mechanisms in order to identify which requirements are not yet supported, to create a systematic approach for classifying control mechanisms and describing their capabilities, and to define important areas of future work. The present report provides a taxonomy of usage control mechanisms, a survey of about twenty-five current Digital Rights Management (DRM) mechanisms and architectures, a comparison of these mechanisms on the grounds of the taxonomy, a discussion of the potential impact of heterogeneous client-side enforcement mechanisms on the server-side architecture, and a sketch of potential future work. The results can be summarized as follows. • The classification criteria for control mechanisms presented in this report can be used for systematically describing mechanisms and their capabilities. This is important for selecting the appropriate mechanism for a given use case. • There is a wide range of control mechanisms. However, many of them are very similar both in terms of the targeted applications and in terms of the usage requirements they can enforce. • There is a trend towards interoperability of DRM technologies and cross-industry standards. The industry seems to cater for the consumer's need to use content on any of their devices. The catalog of classification criteria can help determining if one mechanism can be safely replaced by another one that is available on a particular platform. • The weak links in encryption-based DRM mechanisms are key protection and protection of content after decryption. These problems can potentially be solved by means of hardware, e.g., trusted computing technology. • Client-side DRM mechanisms exist predominantly in the context of DRM for the protection of intellectual property. The areas of privacy and compliance are addressed only rudimentarily. • Observability and monitoring seem to be predominantly applicable when exchanging data between enterprises, e.g., telecommunication infrastructure providers and service/content providers. They have the potential of supporting usage requirements that are not enforced by control mechanisms. Observation mechanisms …