Extending an OMA-based DRM Framework with Non-Repudiation Services

Jose A. Onieva 1, Javier Lopez 1, Jianying Zhou 2, and Rodrigo Roman 1

1 Computer Science Department, Univ. of Malaga, 29071 - Malaga, Spain
{onieva,jlm,roman}@lcc.uma.es
2 Institute for Infocomm Research, 21 Heng Mui Keng Terrace, Singapore 119613
jyzhou@i2r.a-star.edu.sg

Abstract - Digital Rights Management (DRM) is an umbrella term for any of several arrangements that allow a vendor of content in electronic form to control the material and restrict its usage in ways specified by the vendor. These arrangements rely on security techniques, mainly encryption, and on distributing content and rights separately (in a detached manner). Consumers can then access the protected content freely, but only those holding the proper Right Object (RO) are able to process it. Non-repudiation is a security service that appears in several layers of the security framework defined by ITU X.805, and almost every application needs to consider it from the very beginning of its design. Unfortunately this has not been done so far in DRM specifications, owing to practical issues and to the type of content distributed. We analyze this service for a DRM framework and provide a solution that makes the acquisition of right objects undeniable.

Keywords - digital rights management, non-repudiation, secure electronic commerce, mobile applications.

I. INTRODUCTION

The traditional multimedia industry has used classical technologies for distribution and consumption. Nevertheless, with the introduction of digitized multimedia and the use of telecommunication networks, content production and distribution have become easier and faster than ever before. Such content demands more protection from theft and prying eyes. This growing need for content protection is driven by two trends. The first is mass piracy and theft of intellectual property and proprietary information.
The second is that more "sensitive information", such as financial statements, medical records, and contracts, is available in digital form and must be securely stored, shared, or distributed within and between organizations. This is precisely the niche that DRM addresses.

Technically, DRM is defined as a set of technologies and systems that collectively support the entire life cycle of content (creation, manipulation, distribution and consumption) by preventing illegal copying, imposing fees, processing payments, tracking content, and protecting each principal's rights and profit. In these systems, content and rights are distributed in a detached manner. This technique simplifies the download of content and its management: the download channel itself needs no access control, so any user can fetch the (encrypted) content. But, of course, in order to consume it, a user needs to obtain (purchase) the corresponding digital right object, which carries the key and the usage permissions. Two possible approaches to rights management exist:

Centralized: A user must obtain the corresponding right from a central rights manager each time it wants to consume content. This is very effective against malicious users, but not against a malicious rights manager, and it also suffers from scalability problems.

Distributed: A user keeps its rights locally and simply uses them when needed. This overcomes the drawbacks of the centralized approach, but in order to prevent illegal use of the rights, tamper-resistant hardware or a Trusted Personal Device (TPD) is needed that manages the rights locally in a certified and tamper-proof way.

With the advent of cellular networks, the distributed approach allows the needs of users and of the industry to converge. Combining DRM solutions with mobile networks, users can access digital rights by using their mobile handset as a TPD.
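The detached distribution described above, as an added, self-contained example that is not code from the paper or from the OMA DRM specification: a content provider encrypts the content once under a content encryption key (CEK) and publishes it to anyone; a rights issuer sells a Right Object (RO) that carries the CEK wrapped for one device together with the permissions (here a play count); the device, acting as the TPD, enforces the RO before decrypting. Two assumptions are mine and are not OMA's design: the cipher is a toy HMAC-SHA256 counter-mode keystream standing in for AES, and the RO is bound to the device with a shared device key and an HMAC tag rather than OMA's public-key binding and rights-issuer signature.

```python
"""Toy model of detached content/rights distribution (added example, not from the paper).

Assumptions (mine, not OMA DRM): an HMAC-SHA256 counter-mode keystream stands in
for AES, and a shared per-device key binds the Right Object to the device.
"""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` by XOR with an HMAC-SHA256 counter-mode keystream (toy cipher)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class ProtectedContent:
    """What the content provider publishes: a public id plus the encrypted payload."""
    content_id: str
    nonce: bytes
    ciphertext: bytes


@dataclass
class RightObject:
    """What the rights issuer sells to one device: wrapped CEK, permissions and integrity tag."""
    content_id: str
    wrap_nonce: bytes
    wrapped_cek: bytes
    permissions: dict   # as issued; covered by `tag`
    tag: bytes
    used: int = 0       # device-local consumption counter kept inside the TPD, not in the RO


def package_content(content_id: str, plaintext: bytes, cek: bytes) -> ProtectedContent:
    """Content provider side: encrypt once under the CEK; the result can be downloaded by anyone."""
    nonce = os.urandom(16)
    return ProtectedContent(content_id, nonce, _keystream_xor(cek, nonce, plaintext))


def _ro_tag(device_key: bytes, content_id: str, wrap_nonce: bytes, wrapped_cek: bytes, permissions: dict) -> bytes:
    """Integrity tag binding the wrapped key and the issued permissions to the device key."""
    body = json.dumps([content_id, wrap_nonce.hex(), wrapped_cek.hex(), permissions], sort_keys=True).encode()
    return hmac.new(device_key, b"ro-tag" + body, hashlib.sha256).digest()


def issue_right_object(content_id: str, cek: bytes, device_key: bytes, permissions: dict) -> RightObject:
    """Rights issuer side: wrap the CEK for one device and bind the permissions to it."""
    wrap_nonce = os.urandom(16)
    wrapped = _keystream_xor(device_key, b"wrap" + wrap_nonce, cek)
    tag = _ro_tag(device_key, content_id, wrap_nonce, wrapped, permissions)
    return RightObject(content_id, wrap_nonce, wrapped, dict(permissions), tag)


def consume(protected: ProtectedContent, ro: RightObject, device_key: bytes) -> bytes:
    """Device (TPD) side: refuse unless a valid RO for this device allows another play, then decrypt."""
    if ro is None or ro.content_id != protected.content_id:
        raise PermissionError("no right object for this content")
    expected = _ro_tag(device_key, ro.content_id, ro.wrap_nonce, ro.wrapped_cek, ro.permissions)
    if not hmac.compare_digest(expected, ro.tag):
        raise PermissionError("right object not issued for this device, or tampered with")
    if ro.used >= ro.permissions.get("play", 0):
        raise PermissionError("play count exhausted")
    ro.used += 1
    cek = _keystream_xor(device_key, b"wrap" + ro.wrap_nonce, ro.wrapped_cek)
    return _keystream_xor(cek, protected.nonce, protected.ciphertext)


def denied(protected: ProtectedContent, ro, device_key: bytes) -> bool:
    """True if the TPD refuses to render (walkthrough helper)."""
    try:
        consume(protected, ro, device_key)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    cek, device_key, other_device = os.urandom(16), os.urandom(32), os.urandom(32)
    track = package_content("track-42", b"some protected audio bytes", cek)
    ro = issue_right_object("track-42", cek, device_key, {"play": 1})
    print("download without RO is useless:", denied(track, None, device_key))
    print("first play:", consume(track, ro, device_key))
    print("second play denied:", denied(track, ro, device_key))
    print("RO copied to another handset:", denied(track, ro, other_device))
```

The split is the point of the model: the ciphertext is public, so the download path carries no access control, and everything the vendor wants to enforce lives in the RO and in the TPD that interprets it. Note what the tag does and does not cover: it covers the permissions as issued (so a user who edits the play count in a stored RO is detected), but the remaining count is device state, so a copy of the RO on another handset fails the device binding rather than the count check.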
Telecom operators can steer users towards accessing or purchasing digital rights, and can certify the secure management of those rights in the handset (see Figure 1).

[Figure 1: Content Distribution. Content providers provision content to the mobile network operator (service provider); mobile users download the protected content and obtain the corresponding rights.]

We modified a platform based on the OMA DRM specification 2.0 [10] (which has become an approved standard of the Open Mobile Alliance) for the distributed rights manage-