Wednesday, 20 March 2013, 09:25

No Roads Lead to Profiles
Data Protection in Digital Rights Management

Digital rights management for software licenses: Ronald Petrlic blocks user profiles

User profiles – created by Internet transactions and generated for marketing and sales purposes. What is highly interesting for some people is unwanted by many users. Even software licenses, installed on a private computer, provide a wide breadth of information: Licensors can observe the software use and collect information. In cloud computing, the software will be installed in a data processing center in the cloud, where user profiles are created with even more details. For many users, that’s taking it a bit too far and contradicts data protection policies.

The Network Security research group led by Junior Prof. Christoph Sorge and his assistant Ronald Petrlic are following a new approach using on-the-fly computing, the future version of cloud computing. Their concept is to separate the software providers, the executing data processing center and the payment itself. Although licensors and also the data processing centers are in the cloud, as usual, there are no common information channels between the parties: The providers work with digital rights management, meaning that users are completely protected under the data protection laws. It will no longer be possible to collect information about software use directly or through third parties – thus user profiles can no longer be created.

It sounds like a contradiction: neither the providers nor the data processing centers receive information on software usage, yet licensors still receive assurance about the permitted duration and usage of the software. Precisely this contradiction is what Sorge and Petrlic want to resolve by combining both aspects.

To implement digital rights management, the research group integrates an anonymous payment method where users do not need a credit card anymore: They register with a virtual bank in the cloud and then receive "digital coins" – strings that contain particular information about the amounts of money. With these coins, the user buys the software from the licensor. However, he does not pay the licensor, but rather redeems the coins at the bank. The bank can no longer use encryption methods to identify the original user. Finally, the user passes the software to the data processing center for installation. The providers, the data processing center and the bank receive only the information they need for their limited action – any data exchange between the parties above and beyond this is technically impossible.
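The article does not name the coin scheme. As an added example (not the research group's code), the sketch below assumes a Chaum-style RSA blind signature to show how a bank can issue and later validate a coin without being able to match it to the withdrawal; the key, class and function names are constructed for the illustration.

```python
# Added illustration: RSA blind signature as an ASSUMED stand-in for the
# unnamed coin scheme. Constructed demo key, far too small for real use.
import hashlib
import secrets
from math import gcd

P, Q = 2**61 - 1, 2**89 - 1            # two Mersenne primes (demo only)
N, E = P * Q, 65537                     # bank's public key
D = pow(E, -1, (P - 1) * (Q - 1))       # bank's private exponent

def coin_hash(serial: bytes) -> int:
    """Map a coin serial number into Z_N."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

class Bank:
    def __init__(self):
        self.withdrawals = []           # (account, blinded value) the bank saw
        self.spent = set()              # serials already redeemed

    def sign_blinded(self, account: str, blinded: int) -> int:
        self.withdrawals.append((account, blinded))
        return pow(blinded, D, N)       # signs without seeing the serial

    def redeem(self, serial: bytes, sig: int) -> bool:
        """Accept a coin once if it carries a valid bank signature."""
        if pow(sig, E, N) != coin_hash(serial) or serial in self.spent:
            return False
        self.spent.add(serial)
        return True

def withdraw(bank: Bank, account: str):
    """User side: blind a fresh serial, get it signed, then unblind."""
    serial = secrets.token_bytes(16)
    while True:
        r = secrets.randbelow(N - 2) + 2          # blinding factor
        if gcd(r, N) == 1:
            break
    blinded = (coin_hash(serial) * pow(r, E, N)) % N
    blind_sig = bank.sign_blinded(account, blinded)
    return serial, (blind_sig * pow(r, -1, N)) % N  # plain signature on serial

def demo():
    bank = Bank()
    serial, sig = withdraw(bank, "user-account")   # constructed account name
    first = bank.redeem(serial, sig)               # coin redeemed at the bank
    second = bank.redeem(serial, sig)              # same coin presented again
    seen = any(b == coin_hash(serial) for _, b in bank.withdrawals)
    return first, second, seen

if __name__ == "__main__":
    print(demo())
```

The bank's withdrawal log holds only the blinded value, so the serial it sees at redemption does not appear in any record tied to the account.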

For license management, the research group has implemented its own smart card. It is used to purchase the software license and, as safe hardware, to act as a "trust anchor": only authorized persons can trigger the data under their limited access.

The concept and programming of the individual components have already been completed. The next step, currently underway, is the integration of the individual cryptographic procedures into a larger overall system. The corresponding encryption processes are provided by the Codes and Cryptography research group led by Prof. Johannes Blömer. In the future, special legal aspects of the payment methods will also be considered.

The developments are part of the Collaborative Research Center (SFB) 901 "On-The-Fly Computing".

Ronald Petrlic, M.Sc.
Network Security
Tel: 05251 60-1764r
