Agent Based Dissemination of Commercial Electronic Information
KONSTANTAS, Dimitri, MORIN, Jean-Henry
Abstract
Information dissemination is slowly moving from printed media to electronic media. However this step cannot be completed if the electronic commercialization of information does not provide the same guarantees against copyright infringement as with the printed media. In this paper we present the major requirement for the commercialization of electronic information and describe Hep, an agent based framework we developed for the commercialization of arbitrary electronic documents over open networks.
KONSTANTAS, Dimitri, MORIN, Jean-Henry. Agent Based Dissemination of Commercial Electronic Information. In: Tsichritzis, Dionysios. Trusted objects = Objets de confiance . Genève : Centre universitaire d'informatique, 1999. p. 1-14
Available at:
http://archive-ouverte.unige.ch/unige:155925
1 Introduction
One of the most valuable commodities in today's world is information. Businesses, as well as private persons, trade information every day in different forms, ranging from newspaper articles to highly specialized business reports, from information video clips to music logos, and from free advertisement to expensive commercial updates. A special class of information is what we call commercial information; that is, information that is protected by copyright and intellectual property rights. In most cases commercial information is not freely re-distributable and its usage is bound to a certain policy defined by its copyright owner. The target of commercial information dissemination is to generate revenue streams while protecting the owner's rights.
Today the dominant medium of commercial information dissemination is paper. The majority of information is disseminated in the form of printed documents, from leaflets, magazines and business reports to photographs and books. On the other hand, the vast majority of printed information is prepared using electronic means (i.e., computers). However, only a small percentage of the (electronically prepared) commercial information is commercialized in electronic form. For example, the information found on the Internet consists of either non-commercial information, like information and messages exchanged between users, or commercial information of low or no value, like newspaper articles and excerpts, advertisements and technical specifications of products. Information providers are very reluctant to commercialize their (valuable) information, for example books, in electronic form. The main reasons for this reluctance are the lack of efficient protection of author rights and of standard revenue collection mechanisms similar to the ones that apply to printed documents. Note that although we talk in this paper about printed documents as the major medium for information dissemination, the same issues and reasoning hold for other physical media types for information dissemination, such as video tapes, music CDs and films.
In this paper we present the issues related to the design of electronic document commercialization platforms and describe our approach in the MEDIA project. Section 2 gives an overview of the pertinent issues and outlines the most notable existing systems; section 3 describes the MEDIA approach and section 4 discusses security related issues stemming from the MEDIA system. Finally section 5 presents our conclusions and directions.
2 Towards the Commercialization of Electronic Documents
The commercialization of printed documents, like books, newspapers and reports, is a long established trade with well defined and understood terms and conditions. Electronic documents on the other hand are considered as just a different representation of printed documents. Thus their commercialization should be done under similar terms as printed documents in order to be accepted by both the information providers (publishers) and information consumers (readers). However, due to the different nature of electronic and printed documents, one should define what is considered similar in the commercialization terms.
Document content advertising. The first action of a reader is to identify if the document he is about to purchase interests him. With printed documents, like journals and newspapers, the reader finds on the front page the titles and possibly a few lines of abstract describing the contents of the document. This information is provided free of charge (newspapers and journals are posted outside kiosks in order to attract the interest of the readers). With electronic information the reader should be able to obtain a brief summary of the content of the document without having to pay for it. The summary depends on the policy of the provider and can range from a simple title to a complete abstract.
Document purchasing. The purchasing of a printed document and the payment of the corresponding fees is done at the moment the reader requests the document. It is at this moment that the reader expresses his will to read the printed document and consequently pays the corresponding fees. Thus with an electronic document the payment of the corresponding fees should be done at the moment the reader expresses his interest to read it, that is, when the reader attempts to open the document for reading. It is at this moment that payment of the corresponding fees should be made according to the policies attached to the document.
Document reading. A person who purchased a magazine or book expects to be able to read it as many times as he wishes without having to pay again every time he wishes to re-read it. With an electronic document, where document purchasing is done at the moment the reader attempts to read the document, the reader should also pay once and be able to read it as many times as he wishes without having to pay for it again. Furthermore, even if he possesses the electronic document (that is, the electronic data) he should not be able to read it without first paying for it.
Document re-distribution. It is quite common that a person passes a document he purchased to a friend. However this action results in the original purchaser losing ownership of the document or at least the right of usage (i.e., reading). If he wishes to read it again he has to buy a new one or retrieve the borrowed copy. Alternatively the owner of the document can give an indication of where the document can be acquired and paid for, keeping his own copy. What is important to note in this transaction is that we always have a single copy of the document which can be read at any given instant by one and only one person. With electronic documents on the other hand the case is different. When one passes an electronic document to a friend he actually makes an (indistinguishable) copy of the original. As a result both persons now have a copy of the document. However, considering the previous term (document purchasing), the second person should not be able to read, without paying, the copy of the electronic document he received, unless the original owner loses his right to read his copy of the document.
Document life time. A reader buying a printed document today and preserving it in good condition expects to be able to (re-)read it after long time periods (in the order of decades or even centuries) without having to pay again for it. This should also be true for electronic documents. An electronic document which the reader bought today (that is, for which he paid the fees for reading it) should be readable free of charge after long time periods.
Document copying. A common and (up to a level) tolerated practice with printed documents is photocopying. Photocopying is tolerated by the publishers for a number of reasons: first of all, the quality of the copy is (in general) lower than that of the original; second, in many cases, like for example for books, photocopying the complete document is more expensive than buying a new copy; finally, photocopies are easily identifiable and, if needed, legal action can be taken against the malefactor. Another way to copy a printed document is through Optical Character Recognition (OCR) systems. However, the reproduction of a printed document using OCR is in most cases time consuming and costly. With electronic documents photocopying can be compared with the printing of the computer screen, something which is, as with photocopies, difficult to prevent (1). In addition, as with printed documents, one can consider reproducing the electronic document from the captured screen dump using OCR techniques. However, in both cases the quality of the document is lost and in addition any special features of the electronic document, like for example hypertext links, disappear.
Document purchaser identification. A major issue in the commercialization of printed documents is the ability of the reader to buy the document without revealing his identity to anyone. One can buy, for example, any magazine, newspaper or book from a kiosk or book-store keeping his full anonymity from both the sales person and the publisher. On the other hand a reader can decide to reveal his identity to a publisher or reseller agent via, for example, a subscription and benefit from any possible special offers, like price reductions, extra editions, advance edition copies etc. Note that the fact that a person is reading a specific document is in itself information. Thus it should be up to the reader to decide if he wishes this information to be revealed or not. With electronic documents the reader should also be able to read a document without having to reveal his identity. The document provider should not be able to relate the collected document fees to a specific reader. Of course, if the electronic document provider offers nominative subscriptions with possible side benefits, it should be up to the reader to decide if he wishes to subscribe and thus reveal his identity, or if he prefers reading the electronic document anonymously.
Document authoritativeness. The cornerstone of a printed document is the indisputable identification of the source of the information. The reader of a printed document knows with certainty who created the specific document and can easily identify modifications done on it, like corrections or additions. It is in general very difficult for one to modify or falsify a printed document in an untraceable way. Nevertheless, given enough money, time or power, any printed document can be untraceably modified or falsified. For example, someone with enough money can very easily print a false edition of a newspaper which is indistinguishable from the original. With electronic documents the reader should thus be able to indisputably identify the source of the document and verify its integrity. However, as with printed documents, a person or organization with enough money, time or power will always be able to falsify any electronic document.
(1) Of course there are techniques that prevent one from making photocopies, like for example the use of special ink, but these are not so often used due to their high cost.
2.1 Commercialization Approaches of Electronic Documents
Today the commercial dissemination of electronic documents and the revenue collection is primarily done with the use of techniques based on entry point protection and secure content distribution. With entry point protection the reader is given a password with which he is able to access the publisher's server and retrieve the required document, paying at the same time the corresponding fees. With secure content distribution the publisher distributes freely an encrypted version of its document and the interested reader purchases the decryption key, which can even be tailored to him. Once the reader has received the key he can decrypt the document with specialized software.
Both of the above approaches however offer minimal copyright protection. The reader finally obtains the cleartext of the document, which he can copy and distribute at will without any control. The publisher of the document relies on the detection at a later time of copyright infringements and punishment of the malefactor according to existing laws. However this kind of copyright protection is highly inefficient since it is very difficult, if not impossible, to trace illegal copies of electronic documents stored in private computers.
In the last few years, coupled with the general advent of the Internet and emerging electronic commerce, several commercial systems for content commercialization have appeared. Among the major ones, we find IBM's cryptographic envelopes, Cryptolope [1] [2], InterTrust's digital box, DigiBox [3], SoftLock of SoftLock Inc. [4], SoftSEAL of Breaker Technologies Ltd. [5][6] and Folio4 products of OpenMarket Inc. [7]. These systems put a strong emphasis on content commercialization, copyright protection and usage metering. However, their major limitation is that they bind their users to proprietary systems or commercial partners and networks.
The main characteristic of such technology is to bind the usage policy to the content in a secure way. This approach of "boxing up bytes" is commonly known under many terms such as cryptographic content wrappers, boxology, secure content encapsulation, etc.
Cryptolope is a Java-based software relying on three components. First, the Cryptolope Builder can be thought of as a packaging tool allowing one to build the cryptographic envelope holding both the content and the business rules for its use. This tool is basically used by content providers. The second component, which is intended to be used by information consumers, the Cryptolope Player, is the interpreter for accessing the Cryptolope content. It uses a trusted HTML viewer and interacts with the Cryptolope Clearing Center, which is the third component of the architecture. It is basically a trusted third party providing key management, payment system and event logging/usage metering. The major problem faced with their approach was that it constituted a closed proprietary system. Users were forced to use IBM's InfoMarket infrastructure for the clearing center acting as a trusted third party, thus binding them to IBM. This is probably the reason Cryptolope has not encountered the anticipated success. In fact, a key factor of success for this type of technology relies on how open it is to integrate other commercial partners, be they clearing centers for copyright and/or usage, financial institutions or content providers.
The DigiBox technology (by analogy to the idea of a digital box) is probably the leader in the field currently. This technology, developed by STAR Lab (Strategic Technologies and Architectural Research Laboratory), is also a secure content wrapper technology which is the foundation of a commercial product, Commerce 1.0 and Enterprise 1.0, of InterTrust Technologies Corp.
Figure 1 The DigiBox approach for binding policy to content
The DigiBox architecture is a secure content wrapper. In their approach content is called properties and the policies defining their usage are called controls. A DigiBox can hold one or many properties as arbitrary data. The controls can be delivered in the same DigiBox or independently in a separate DigiBox. Controls are linked to properties by cryptographic means. In a DigiBox, high level elements such as headers and general information are encrypted with a transport key. Properties are encrypted with other keys which can be delivered separately if needed. The transport key is composed of two parts, one of which is included in the DigiBox and will be combined (XOR) with another one stored locally in protected storage where the DigiBox is to be opened. The part included in the DigiBox is encrypted with a public key algorithm. The main advantage of this approach is that it protects against the threat of having either of the keys compromised. However, this approach requires distribution of the keys among the participating parties (i.e., key management). Moreover, it requires secure storage on every host (called an InterRights Point). The cryptographic algorithms used are Triple DES and RSA and integrity verification is done with a cryptographic hash function.
Once the DigiBox is opened according to the controls governing this process, two different flows of information can occur: the first one towards the financial clearinghouse for billing purposes and the second one, if required within the control set of the DigiBox, towards the usage clearinghouse for collecting usage and metering information, provided that the user is aware and has agreed on such a feedback loop.
The key benefits of the DigiBox approach are its support for both superdistribution (provided the controls are within the same DigiBox as the properties they are linked to) and separate delivery of properties and controls. The architecture directly supports off-line transactions due to its key management policy. However, this has a cost in terms of key management, which must be distributed among the participating actors by means of a special DigiBox called "Directed DigiBox". Applications that want to use the DigiBox architecture must be certified by InterTrust. Within the InterTrust system, all participants have unique IDs. DigiBoxes are assigned unique identifiers throughout the whole system. Thus it would also be possible to use content identification schemes such as Digital Object Identifiers (DOI) [8].
SoftLock of SoftLock Services Inc. is a password-based locking mechanism for software and documents. SoftLock's technology ensures that the password which unlocks a particular product in one context differs from the password which will unlock the same product in another context.
This is done by a proprietary scheme that generates a SoftLock ID based upon the context in which the document is used.
When the User opens a SoftLocked product, SoftLock calculates a unique number called a SoftLock ID (SLID), which is based by default upon the User's hard drive. SoftLock then looks for a unique password which is appropriate to that SLID and the product. If the correct password is present, the product is unlocked; if it is not, the customer is invited to purchase the correct password. The SLID can be linked to anything: the user's name, a specific computer, or even, when the technology becomes available, the user's voice print. How these parameters are passed to SoftLock depends upon the authoring or programming environment. A document or program can thus be freely copied and superdistributed; the new user will be requested to purchase a new password, since the context of the document has been changed.
Password purchasing is facilitated by routines supplied with SoftLock's Programmer's ToolKits. The User can choose to purchase via encrypted Email, World Wide Web browser, or via a call to SoftLock's touch-tone robot. The User provides the required information (Product Number, SLID, Credit Card Number, etc.), and upon the reception of payment a password is delivered (over the phone, or by Email). When the password is received by the product, it is automatically stored on the user's computer, and future access to the features of that product in that context is assured. The money debited from Customer credit cards is electronically transferred to SoftLock's bank account each day, and disbursed to the Publisher-clients each month. Note that for the time being passwords are generated and distributed only from SoftLock Inc.; the Publishers cannot generate passwords at their site, but can only act as intermediaries between the Customer and SoftLock.
SoftSEAL of Breaker Technologies Ltd. is a software toolkit for intellectual property protection and licensing services to Internet providers. The SoftSEAL toolkit is composed of three parts: the vendor-site toolkit, the client-side toolkit and the on-line purchasing/licence servers. Content providers use the vendor-site toolkit to encrypt their products and manage the sealed information. The client-side integration comprises a programmatic API (with Java, C and C++ bindings) and a licensing class library that content providers can use to implement plug-ins that recognize the sealed content and implement their licensing policies. A set of plug-ins for the most common Internet formats (HTML, PDF, GIF, MP3 etc.) is already available from Breaker Technologies Ltd. Finally, the on-line purchasing/licence servers are stand-alone applications that store and serve the licenses governing a customer's access to sealed content.
With the SoftSEAL system, the vendor seals his product into a secure wrapper and associates it with a product code, which eventually defines the licensing type. The same product must be sealed and associated with different product codes in order to provide it with a different licensing schema. Feature codes associate a set of capabilities with a product code, providing different access levels to the underlying product. When the customer downloads the Web page containing the sealed component, his browser should be able to recognize and handle the cryptographic wrapper and "display" the content. This is done by using browser plug-ins, which are either developed by the content provider or are the general purpose ones provided by Breaker Technologies Ltd. The plug-in will contact, via the Internet, the purchasing/licence servers, where the user will identify himself and obtain, transparently, the stored license for opening the wrapper and viewing the content. Since the license is associated with the user and stored in the purchasing/licence server, the wrapped product can be superdistributed to other users.
Folio4 products of Open Market Inc. provide a whole set of tools for Internet based payment, content management and publishing. The SecurePublish product provides an enterprise solution for rights control and usage metering within an organization's intranet. The operation of SecurePublish is based on the Rights Administration, a system for securing and managing protected content for a local environment.
At the heart of the rights management system of SecurePublish is the License Collection File (LCF), which contains one or more licenses. Each license controls access and limit rights for one or more rights-managed infobases. Access rights include the tasks a user can perform or what a user may see once access has been given. For example, edit, export to disk, copy to clipboard, print and view term list are all access rights. In SecurePublish, the limit rights are the most important. Limit rights control how long the title may be used and by how many users. For example, expiration on date, expiration after N hours of cumulative use, and enable soft concurrency are all limit rights. With SecurePublish, once the commercial information for the corporate site is purchased and received, it can be mounted (along with the corresponding LCF files) on a corporate server. When a user wants to access a rights-managed title on the intranet, the system makes a request to open the appropriate title. The user is authenticated (identified to the system and assigned an internal ID) if authentication has been enabled. Once the user is authenticated a request is passed to the Rights server. The Rights server finds the LCF associated with the requested title and searches for a license within the LCF to determine the limit rights. If the license is found, the rights flag is passed back with the limits, and the user can access the document accordingly. The document access information is collected in a log file which is sent to the publisher at regularly scheduled intervals. The publisher uses this information for negotiation points when the subscription is up for renewal or after a trial period.
3 The MEDIA Approach for Commercialization of Electronic Documents
The aim of the MEDIA (Mobile Electronic Documents with Interacting Agents) [9] project is to develop the means that will allow protection, commercialization and dissemination of electronic documents under similar conditions as those for printed documents, as defined above. The MEDIA approach is based on the encapsulation of the documents in agents. The document is no longer a simple collection of data but a program which the reader must execute in order to be able to read it. The document agent can thus enforce the copyright control and payment at the time the reader requests to read the document.
In the context of the MEDIA project we designed and developed the HEP (Hypermedia Electronic Publishing) [10][11][12][13] framework that implements the MEDIA electronic document commercialization model. The Hep framework enforces a pay-per-use scheme for the electronic documents. The reader pays only for what he explicitly requests to read and he cannot read a document which he has not paid for. The document distribution model of the Hep framework is based on public key encryption with a security schema that discourages infringements [14]. Information consumer anonymity and privacy are protected so that the reader need not reveal his identity to the document provider. Furthermore, the Hep framework supports off-line operations for the payment of the document fees and the release of its contents to the reader, with the simultaneous delivery of receipts (proof of purchase) for subsequent accesses to the document.
One of the most important points in the design of the MEDIA electronic document distribution model was the choice of agents as the means for the document dissemination. The reasons for this choice were many. First of all, agent technology is not bound to a specific platform. The same agent can run on different heterogeneous platforms without need of any modification. A second reason is that the document is network aware. This way it can decide on its actions (release or not of its content and under which terms) depending on the node where it is executing, being responsible for its own security and the application of different policies. In addition the policies are implemented as programs, allowing a far greater flexibility in the definition of the terms and conditions of accessing the document content. Finally, the agent metaphor allows the implementation of trust chains where each entity, like network provider, credit institution, publisher, etc., is responsible for a specific task in the commercialization chain.
3.1 The MEDIA Document Encapsulation and Distribution Model
In the MEDIA model the document is packaged within an agent for full public distribution. The content, considered as a binary large object (BLOB), is encrypted with a symmetric key (k). This key is itself encrypted with the public key of the accredited credit institution along with information (I) identifying the publisher and the price of the document. A document information string (DIS) is added to the agent providing the necessary public (i.e., free) information about the content such as title, authors, price, abstract, etc. In addition we include the code (or its signature) (AC) implementing the operations and policies for accessing the content along with a hash of the encrypted blob (BH). Finally, the encrypted key, the agent code and the DIS are signed by the information provider with his private key. This encapsulation, shown graphically in Figure 2, binds all parts of the agent together and at the same time guarantees that the agent is coming from the (responsible) provider and has not been tampered with.
The encapsulated document can be distributed without any restriction to potential readers. The copyright control will be triggered each time the reader asks to read the document. To achieve this we have devised a scheme for the commercial distribution of electronic documents that satisfies the defined security and distribution requirements. It is based on public key encryption and requires a trusted third party between the information consumers and providers, which may be, for example, a credit institution or a bank. Both parties trust the credit institution to authorize the unlocking of the article against payment from the information consumer, which is credited to the information provider's account. Upon successful payment to the credit institution, the article key is released to the agent platform and a receipt is given to the information consumer for subsequent access. This receipt is issued only for the information consumer that purchased the article. Thus the receipt is nominative. However this can also be bound to whatever commercial policy the providers wish to use. A general overview of the model is given in Figure 3.
Figure 2 The electronic document agent packaging: (1) the BLOB is encrypted using key k, giving Ek(BLOB); (2) key k is encrypted together with the article information I using the public key of the credit institution, giving Ec(k, I); (3) Ec(k, I), AC and DIS are signed using the private key of the provider, giving Sp(Ec(k, I), DIS). The agent also carries the agent code, the hash of the encrypted BLOB, and the Document Information String (Document ID, price, author, source, date, abstract, ...).
In summary the process of both the first access and the subsequent accesses to the content (i.e., unlocking) is done in two steps. The first step is to acquire a session key for the further secure communication with the accredited entity (i.e., credit institution or alike) which will process the access request and release the document key. The second step is the actual content access request and acquisition of the article key and receipt, as shown in Figure 4 and Figure 5. The request is formed by extracting from the article agent the encrypted key corresponding to the credit institution and the article information string. This is then signed by the consumer and the result is encrypted using the session key previously acquired in the first step. Upon receiving such a message, the credit institution will be able to decrypt it knowing the previously issued session key, verify the signatures of both the consumer and the provider and thus reveal the DIS and the encrypted key. At this point, billing occurs and if it is successful, the article key k will be decrypted with the private key of the credit institution and a signed receipt will be generated for this transaction. Finally, the article key and the signed receipt are encrypted with the session key and the result sent back to the consumer (i.e., to the agent platform which the article agent will instruct to release its content).
Figure 3 Hep document distribution model overview: information providers package and deliver the article agent on-line, users forward it to other users (user to user forwarding), and credit institutions (trusted party) handle the smart card transaction.
Figure 4 Access request: (1) Sp(Ec(k,I),DIS) is signed using the consumer's private key, giving Su(Sp(Ec(k,I),DIS)); (2) Su(Sp(Ec(k,I),DIS)) is encrypted using the session key T, giving ET[Su(Sp(Ec(k,I),DIS))], which is sent to the credit institution.
Figure 5 Article key and receipt: (1) ET[Su(Sp(Ec(k,I),DIS))] is decrypted with the session key T; (2) Su(Sp(Ec(k,I),DIS)) is verified against the consumer's public key; (3) Sp(Ec(k,I),DIS) is verified against the provider's public key, giving Ec(k,I) and DIS; (4) Ec(k,I) is decrypted using the private key of the credit institution; (5) I is used for billing and a receipt r is created and signed using the private key of the credit institution, Sc(r) (r contains userID, artID, etc.); (6) the key k and the receipt Sc(r) are encrypted using the session key T, giving ET(k, Sc(r)); (7) on the consumer side, ET(k, Sc(r)) is decrypted with the session key T, revealing key k and receipt Sc(r) to be used for subsequent access.
Subsequent access to the article content is done in exactly the same way except that a receipt is appended to the request sent to the credit institution. Upon successful verification of the receipt by the credit institution (i.e., verification of the receipt issuer signature and a consumer identification match between receipt holder and requestor), the article key will be returned to the consumer. The use of receipts is an important item of the Hep framework since the reader should be able to access the article many times after the initial payment without having to pay again.
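As an added illustration of the receipt check described above (not code from the Hep paper or the MEDIA project), the following Python sketch models the credit institution's decision: a first access is billed and yields a signed receipt r carrying userID and artID, while a later access presenting the receipt is served without a new charge only if the issuer signature verifies and the receipt holder matches the requester. It assumes the institution's receipt signature Sc(r) can be realised as an HMAC under a secret only the institution holds (sufficient here because only the institution ever verifies receipts); the article key table, the secret and the billing stub are constructed values.

```python
"""Hep-style receipt verification at the credit institution (constructed example)."""
import hmac, hashlib, json

# Constructed: the institution's receipt-signing secret and the article keys it can
# release (in Hep, k reaches the institution as Ec(k,I) inside the article agent).
CI_RECEIPT_SECRET = b"constructed-credit-institution-secret"
ARTICLE_KEYS = {"art-42": b"constructed-article-key-k"}

def sign_receipt(receipt: dict) -> bytes:
    """Sc(r): institution signature over the receipt fields (HMAC stands in for it)."""
    canon = json.dumps(receipt, sort_keys=True).encode()   # canonical form, so
    return hmac.new(CI_RECEIPT_SECRET, canon, hashlib.sha256).digest()  # any edit breaks it

def receipt_is_valid(receipt: dict, sig: bytes, requester: str) -> bool:
    """Both conditions from the text: issuer signature verifies AND holder == requester."""
    if not hmac.compare_digest(sign_receipt(receipt), sig):
        return False                     # forged, tampered or truncated receipt
    return receipt.get("userID") == requester   # receipts are nominative, not transferable

def bill(user: str, art_id: str, billing_info: str) -> bool:
    """Stand-in for the billing step (I is used here); always succeeds in this example."""
    return True

def handle_access(requester, art_id, billing_info, receipt=None, sig=None):
    """Institution side. Returns (article key or None, (r, Sc(r)) or None, billed?)."""
    k = ARTICLE_KEYS.get(art_id)
    if k is None:
        return None, None, False         # unknown article: nothing to release
    if receipt is not None:              # subsequent access: receipt appended to request
        if receipt.get("artID") == art_id and receipt_is_valid(receipt, sig, requester):
            return k, (receipt, sig), False      # valid receipt: key released, no new charge
        return None, None, False         # invalid receipt: refuse rather than silently re-bill
    if not bill(requester, art_id, billing_info):
        return None, None, False         # billing failed: no key, no receipt
    r = {"userID": requester, "artID": art_id}   # receipt contents named in Figure 5
    return k, (r, sign_receipt(r)), True
```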
3.2 Key management
The only keys that need to be exchanged between the participants (i.e., information providers and consumers, and credit institutions) are their public keys and the session keys between the information consumers and the credit institutions. For the time being no use is made of certification authorities for public key acquisition. However, this can be integrated easily in future implementations. The session key acquisition is secured by using asymmetric cryptography for encryption and signatures.
Every participating entity knows its own private key. The credit institutions need to know the public keys of both the information providers and consumers, which is a reasonable assumption for a trusted third party. Furthermore, credit institutions are accustomed to handling very large numbers of independent records for their customers. The information consumers need to know the public keys of the information providers and the credit institutions. However, the information providers only need to know the public keys of the credit institutions.
Finally, the information providers know the document symmetric key that was used for content encryption, which is also a reasonable assumption since they own their content/added value; nevertheless this key need not be stored for each and every article and in fact it can be discarded once the article has been encrypted and packaged in the document agent.
The key management principles are summarized graphically in Figure 6. From a key management point of view, the major advantage of this document distribution scheme resides in the fact that there is no overhead for document key exchange or replication since the document key is encrypted with the public key of the accredited institutions and held by the article agent itself. Thus, even in case of information provider bankruptcy the content can still be accessed through one of the credit institutions.
Figure 6 Key management: who knows what (actors: information providers, information consumers, credit institutions as trusted party; remark: each actor knows its own private-public key pair)
3.3 Agent platform requirements
One of the most important decisions in the conception of MEDIA and the design and implementation of the HEP framework was the choice of agent technology and an agent platform as the basis for the system. This choice however was influenced by a number of requirements for the agent platform. The first one was that the agent platform should allow portability, and support architecture independence. That is, one should be able to port the agent platform on different architectures, from PCs to minis and high end computers, and, in addition, the ported platform should provide identical behavior on all architectures. In principle all existing agent platforms (MOLE [15][16], JDK etc.) provide this feature.
The second requirement, which for our needs was the most important, concerns the security offered by the platform. On the one hand we ask that the platform protect the agent executing on it from other executing agents; that is, one agent should not be able to modify or alter another agent. On the other hand we ask that the platform be able to protect itself from malicious agents.
In addition the agent platform should provide the means to control all accesses of the agents to network, files or even other agents, provide a way to migrate agents from one platform to another and support agent persistence. Although the JVM is a prime candidate, its security model is insufficient. Java agents can easily attack both the platform and other agents.
Although in our first implementation of Hep we used MOLE as the agent platform, the second implementation is based on JavaSeal. JavaSeal [17][18] is an agent platform designed and developed within the MEDIA project extending the security model of the JVM. JavaSeal is based on the notion of Seals which provide a secure communication model between agents. Each Seal behaves as a closed name space and agents can only communicate with their parent or child Seals. This way by placing agents in different Seals one can monitor all message exchanges and tightly control the flow of information and interactions between the agents.
4 Security issues
In addition to the agent platform security requirements, a number of other security issues must be faced in order to provide a consistent commercial electronic document dissemination environment. A first issue regards the copying of images or photos from the screen. As we said, screen dumps are allowed within the document dissemination model as being equivalent to photocopies. However, a screen dump of an image or a photo reproduces an identical copy of the original. Thus we have a breach of the copyright enforcement. One solution to this problem is to use watermarking of the images of the electronic document so that we can at least detect, at a later time, copyright infringements.
A second issue concerns access to documents distributed in arbitrary representation formats. Today electronic documents are created and distributed in different electronic representations requiring different viewers for their visualization, as for example Adobe PDF, Word, FrameMaker, or even more professional formats like QuarkXPress. It would be unrealistic to expect that in the future a single electronic document representation format will impose itself on the market, but rather that new ones will appear fulfilling yet undefined needs of the readers and publishers. As a result a document might require a specialized reader for viewing, which might not be part of the document commercialization platform. The commercialization platform will thus have to pass the plaintext document to the external viewer, breaking in this way all the copyright protection of the document. By viewing the content in an external viewer the consumer may be able to simply store the document from within the viewer or even, if this is not possible, capture the data while they are transferred from the platform to the viewer. Possible solutions to the problem can be to either equip the commercialization platform with viewers that can render all possible (or at least the most common) electronic document formats, or define APIs that will allow the collaboration of the platform and the viewer, restricting the actions of the reader (for example disabling the "save" function).
A last security issue, specific to the Hep framework, is that the document key will, at some moment, be stored in the memory of the host computer. That means that it would be possible, although not trivial, for the consumer to extract it. This problem can be solved with the combination of different techniques. First of all the platform can be implemented so that the encryption keys are not stored for long periods in memory. Furthermore scrambled memory techniques can be employed in order to obfuscate the encryption keys. Finally one can even consider specialized tamper resistant security devices, like the IBM 4758 PCI cryptographic coprocessor [19], attached to the computer and handling all encryption (and authentication) procedures. Nevertheless this kind of problem disappears if the viewing of the document is done on a dedicated machine, like for example NewsPad [20] and SoftBook [21], instead of on a general purpose computer.
5 Conclusion
With the expansion and wide availability of networks and cheap powerful computers, electronic publishing and dissemination of electronic documents, ranging from letters to books and from photo-images to music and video, will slowly replace a large part of the hard copy market (companies are already selling music in MP3 format (MPEG2-layer 3) through the network). The most important issue in the commercialization of electronic information is to provide the electronic information providers similar guarantees for their intellectual rights protection and revenue collection as with hard copy information.
The Hep framework provides an approach that allows information providers to distribute electronic information with sufficient guarantees regarding the protection of their intellectual rights. The Hep approach is based on the encryption of the document content and its encapsulation in an agent. This way the interested reader needs to execute the agent, which will control the access rights and perform the required steps for paying the corresponding fees before authorizing the presentation of the content to the consumer. A basic element in the Hep approach is that the consumer never receives the clear text document, but can only visualize it via the Hep system.
Of course we by no means claim that the Hep framework provides absolute security for protecting the electronic documents. Hep, as well as all other commercial systems, is based on the concept of calculated risk. A consumer with enough money/power/time can bypass any type of security. What Hep does is to make the task of breaking the security and "stealing" the documents difficult enough so as to discourage the vast majority of readers. Furthermore, if we consider that in the future general purpose PCs will have crypto chips and possibly copyright chips included, then the Hep approach can provide a solution for the dissemination of electronic documents. Alternatively, with the appearance of dedicated machines whose only function is to access and read documents, the Hep solution becomes even more interesting: many of the security problems disappear because the consumer no longer has direct access to the machine, and thus stricter security on both hardware and software can be enforced.
Our work in the development of the Hep system is ongoing. We have presently completed the second prototype and we are in the process of expanding it for off-line operations using smart cards and studying the issues related to long term high value documents, like books, and live streaming of audio/video material.
References
[1] Kaplan M.A., "IBM Cryptolopes™, SuperDistribution and Digital Rights Management", IBM Corporation, December 1996, http://www.research.ibm.com/people/k/kaplan
[2] Kohl U., Lotspiech J. and Kaplan A., "Safeguarding Digital Library Contents and Users: Protecting Documents Rather Than Channels", IBM Research Division, San Jose, California, and Hawthorne, New York, D-Lib Magazine, September 1997, http://www.dlib.org/dlib/september97/ibm/09lotspiech.html
[3] O. Sibert, D. Bernstein and D. Van Wie, "The DigiBox: A Self-Protecting Container for Information Commerce", Proceedings of the First USENIX Workshop on Electronic Commerce, New York, July 11-12, 1995.
[4] Softlock Services Inc., SoftLock, http://www.softlock.com/
[5] Rainer Mauth, "Better Copyright Protection", BYTE Magazine, May 1998, pp. 5-6.
[6] SoftSEAL: Technical Briefing, Breaker Technologies, http://www.breakertech.com/breaker/docs.html
[7] Open Market Inc., Folio 4, http://www.folio.com/
[8] International DOI Foundation, "The Digital Object Identifier System", http://www.doi.org/
[9] Dimitri Konstantas, Jean-Henry Morin and Jan Vitek, "MEDIA: A Platform for the Commercialization of Electronic Documents", in Object Applications, Ed. D. Tsichritzis, CUI, University of Geneva, August 1996.
[10] Jean-Henry Morin and Dimitri Konstantas, "Towards Hypermedia Electronic Publishing", Proceedings of the Second IASTED/ISMM International Conference on Distributed Multimedia Systems and Applications, Stanford, California, August 7-9, 1995.
[11] Jean-Henry Morin, "Requirements for a Hypermedia Electronic-Newspaper Environment Based on Agents", in Objects at Large, D. Tsichritzis (Ed.), Centre Universitaire d'Informatique, University of Geneva, July 1997, pp. 177-193.
[12] Jean-Henry Morin, "HyperNews: a Hypermedia Electronic-Newspaper Environment Based on Agents", in Proceedings of HICSS-31, Hawaii International Conference on System Sciences, IEEE 1998, January 6-9, 1998, Kona, Hawaii, Volume II, pp. 58-67.
[13] Jean-Henry Morin and Dimitri Konstantas, "HyperNews: A MEDIA Application for the Commercialization of an Electronic Newspaper", in Proceedings of SAC'98, 1998 ACM Symposium on Applied Computing, Atlanta, Georgia, February 27 - March 1, 1998, pp. 696-705.
[14] Vassilis Prevelakis, Dimitri Konstantas and Jean-Henry Morin, "Issues for the Commercial Distribution of Electronic Documents", in Communications and Multimedia Security, Sokratis Katsikas (Ed.), Vol 3, Chapman & Hall, 1996.
[15] J. Baumann, F. Hohl, K. Rothermel, M. Schwehm, M. Straßer, "Mole 3.0: A Middleware for Java-Based Mobile Software Agents", to appear in Proceedings of Middleware'98, Chapman & Hall, 1998.
[16] Markus Straßer, Joachim Baumann and Fritz Hohl, "Mole - A Java Based Mobile Agent System", Second ECOOP Workshop on Mobile Object Systems, University of Linz, July 8-9, 1996.
[17] Jan Vitek, Ciaran Bryce and Walter Binder, "Designing JavaSeal or How to Make Java Safe for Agents", in Electronic Commerce Objects, D. Tsichritzis (Ed.), Centre Universitaire d'Informatique, University of Geneva, July 1998, pp. 105-126.
[18] Jan Vitek and Giuseppe Castagna, "Towards a Calculus of Secure Mobile Computations", IEEE Workshop on Internet Programming Languages, Chicago, Illinois, May 1998.
[19] IBM 4758 PCI Cryptographic Coprocessor, http://www.ibm.com/security/cryptocards/index.html
[20] NewsPAD Project, The Portable Multimedia Newspaper, http://ictnet.es/newspad/
[21] SoftBook, Electronic Book, http://www.softbook.com/softbook_sys/csoftbook.html