IBM Cryptolopes, SuperDistribution and Digital Rights Management


Marc A. Kaplan
Affiliation: IBM
Abstract: We will present and discuss the concept and implementation of a method permitting the super distribution, sale and controlled access of digital documents using secure cryptographic envelopes which we call the Cryptolope architecture. The Cryptolope architecture integrates encryption, authentication, and key management for digital documents ("content") together with digital fingerprinting and watermarking and rights/royalties management to comprise a secure distributed system for managing digital content.

Cryptolope technology comprises a method for the controlled access to broadcasted information using cryptographic techniques including public and secret key cryptography, cryptographic hashes, and digital fingerprints.

Trust Relationships, Roles

Multiple, non-symmetric trust relationships exist among the entities playing several "roles" within a superdistribution system based on Cryptolopes.

The major roles are those of the publisher, the consumer, and the royalty clearing center (RCC). Ancillary roles are those of the local distributor, and the local DFWM (decryption, fingerprinting and watermarking) agent. Of course, there may be many entities each playing one or more roles.

A publisher packages and distributes Cryptolopes which comprise (encrypted) "content" along with licensing terms and conditions (T&Cs) and fingerprinting/watermarking instructions. The encryption keys are logically "escrowed" to one or more royalty clearing centers.

A consumer who wishes to "open" a Cryptolope engages in a transaction with a royalty clearing center (RCC) which collects licensing or usage fees from the consumer according to the T&Cs specified within the Cryptolope, and in exchange the RCC releases the decryption keys to a DFWM. For purposes of scalability and accessability a consumer and an RCC may interact via a local distributor. The DFWM in turn, releases decrypted but fingerprinted and/or watermarked content to the consumer.

Some of the "trust relationships" in this system are:

The RCC, consumer, distributor and DFWM must trust the integrity and authenticity of a Cryptolope, as attested to by the presence of a trusted Publisher's (digital) signature on the (table of contents of the) Cryptolope.

The publisher must trust the RCC and its agents (DFWMs and distributors) to enforce the T&Cs, including collection and payment of royalties to the proper intellectual property rights holders, and to never purposely divulge the decryption keys nor unmarked content to a consumer.

The consumer must trust the RCC (and its agents) to reveal the (decrypted) contents of a Cryptolope, in exchange for the royalty payments.

During each transaction, each party must trust the identity of the other. For example, the RCC and the consumer must "authenticate" each other - so that: the consumer is assured she is dealing with an RCC that is authorized to collect royalties on behalf of the publisher of the Cryptolope; the RCC is assured that the consumer has access rights to, and/or sufficient funds for, the contents of the Cryptolope.

Certificates and Credentials

We use conventional (RSA) public key signature technology to establish the integrity and authenticity of Cryptolopes. Public key certificates are used to "guarantee" signatures. Certificates may be carried by or pointed to (via URLs) by the Cryptolope.

A consumer may hold "digital credentials," which are signed digital records attesting to her memberships, affiliations or subscriptions. The RCC, when enforcing the T&Cs of a Cryptolope, takes the credentials of the consumer into account to check whether the consumer is allowed to read the contents, and if so, what is the correct royalty rate. Eg. a a member or subscriber may be offered a special discount or access privileges.

Key Management with a Lattice of Trust

The many cryptographic keys used for both encrypting the actual contents of Cryptolopes and for encrypting (escrowing) encryption keys can be viewed as existing in a "lattice" of keys.

A "lowest" level-0 or "leaf" key in the lattice can decrypt only a single document or page of content. A level-1 key may control access to all the contents of a single cryptolope. A level-2 key may control access to a set of cryptolopes. In general, a higher level key can be used to decrypt several (escrowed) lower level keys and thus gain access to many documents.

Typically, a DFWM is only trusted with access to level-0 and level-1 keys; a distributor is trusted only with access to keys that decrypt the Cryptolopes with which it deals; an RCC is trusted with access to keys that can be used to decrypt all the documents of all the publishers for which it is an authorized royalty collector.

Key-encrypting-keys can be either public (RSA) keys or symmetric secret (eg. 3-DES) keys. Using the public key of an RCC, a publisher can effectively escrow its Cryptolope key-encrypting-keys with an RCC without exchanging "secrets" - indeed, a publisher does need not to engage in any communication with an RCC, prior to issuing a Cryptolope.

A publisher can escrow its Cryptolope keys with multiple RCCs, each RCC using a different public key. It is this scenario which leads to a "broad" lattice of keys that has no single highest level key.

For more information, contact kaplan@watson.ibm.com