Computer Networks 32 (2000) 753–765
www.elsevier.com/locate/comnet
Agent-based commercial dissemination of electronic information
Dimitri Konstantas *, Jean-Henry Morin
Centre Universitaire d'Informatique, University of Geneva, 24 rue General Dufour, CH-1211 Geneva 4, Switzerland
Abstract
Information dissemination is slowly moving from printed media to electronic media. However, this step cannot be completed if the electronic commercialization of information does not provide the same guarantees against copyright infringement as the printed media. In this paper we present the major requirements for the commercialization of electronic information and describe Hypermedia Electronic Publishing (HEP), an agent-based framework we developed for the commercialization of arbitrary electronic documents. © 2000 Elsevier Science B.V. All rights reserved.
Keywords: Electronic commerce; Electronic documents; Agent technology; Secure content encapsulation
1. Introduction
One of the most valuable commodities in today's world is information. Businesses, as well as private persons, trade information every day in different forms, ranging from newspaper articles to highly specialized business reports, from information video clips to music logos, and from free advertisement to expensive commercial updates. A special class of information is what we call commercial information; that is, information that is protected by copyright and intellectual property rights. In most cases commercial information is not freely re-distributable and its usage is bound to a certain policy defined by its copyright owner.
This work was supported by the Swiss Federal Government with the FNRS SPP-ICS project HyperNews (5003-45333).
* Corresponding author. E-mail address: [email protected] (D. Konstantas).
The target of commercial information dissemination is to generate revenue streams while protecting the rights of the owner. Today the dominant medium of commercial information dissemination is paper. The majority of information is disseminated in the form of printed documents, from leaflets, magazines and business reports to photographs and books. On the other hand, the vast majority of printed information is prepared using electronic means (i.e., computers). However, only a small percentage of the (electronically prepared) commercial information is commercialized in electronic form. For example, the information found on the Internet consists of either non-commercial information, like information and messages exchanged between users, or commercial information of low or no value, like newspaper articles and excerpts, advertisement and technical specifications of products. Information providers are very reluctant to commercialize their (valuable) information, for example books, in electronic form. The main reasons for this reluctance are the lack of efficient protection of author rights and of standard revenue collection mechanisms, similar to the ones that apply to printed documents. Note that although we talk in this paper about printed documents as the major medium for information dissemination, the same issues and reasoning hold for other physical media types for information dissemination, for example video tapes, music CDs and films.
1389-1286/00/$ - see front matter © 2000 Elsevier Science B.V. All rights reserved. PII: S1389-1286(00)00027-X
2. Towards the commercialization of electronic documents
The commercialization of printed documents, like books, newspapers and reports, is a long established trade with well-defined and understood terms and conditions. Electronic documents, on the other hand, are considered as just a different representation of printed documents. Thus their commercialization should be achieved under similar terms [1] as printed documents in order to be accepted by both the information providers (publishers) and the information consumers (readers). However, due to the different nature of electronic and printed documents, one should define what is considered similar in the commercialization terms.
Document content advertising. The first action of a reader is to identify whether the document he is about to purchase interests him. With printed documents, like journals and newspapers, the reader finds on the front page the titles and possibly a few-line abstract describing the contents of the document. This information is provided free of charge (newspapers and journals are posted outside kiosks in order to attract the interest of the readers). With electronic information the reader should be able to obtain a brief summary of the content of the document without having to pay for it. The summary depends on the policy of the provider and can range from a simple title to a complete abstract.
Document purchasing. The purchasing of a printed document and the payment of the corresponding fees are done at the moment the reader requests the document. It is at this moment that
the reader expresses his desire to read the printed document and consequently pays the corresponding fees. Thus with an electronic document the payment of the corresponding fees should be done at the moment the reader expresses his interest to read it, that is, when the reader attempts to open the document for reading. It is at this moment that payment of the corresponding fees should be made according to the policies attached to the document.
Document reading. A person who purchased a magazine or book expects to be able to read it as many times as he wishes without having to pay again every time he wishes to re-read it. With an electronic document, where document purchasing is done at the moment the reader attempts to read the document, the reader should also pay once and be able to read it as many times as he wishes without having to pay for it again. Furthermore, even if he possesses the electronic document (that is, the electronic data) he should not be able to read it without first paying for it.
Document re-distribution. It is quite common that a person passes a document he purchased to a friend. However, this action results in the original purchaser losing ownership of the document, or at least the right of usage (i.e., reading). If he wishes to read it again he has to buy a new one or retrieve the borrowed copy. Alternatively, the owner of the document can give an indication of where the document can be acquired and paid for, keeping his own copy. What is important to note in this transaction is that we always have a single copy of the document, which can be read at any given instant by one and only one person. With electronic documents, on the other hand, the case is different. When one passes an electronic document to a friend he actually makes an (indistinguishable) copy of the original. As a result both persons now have a copy of the document.
However, considering the previous term (document purchasing), the second person should not be able to read, without paying, the copy of the electronic document he received, unless the original owner loses his right to read his copy of the document.
Document lifetime. A reader buying a printed document today and preserving it in good condition expects to be able to (re-)read it after long time periods (in the order of decades or even centuries) without having to pay again for it. This should also be true for electronic documents. An electronic document which the reader bought today (that is, for which he paid the fees for reading it) should be readable free of charge after long time periods.
Document copying. A common and (up to a level) tolerated practice with printed documents is photocopying. Photocopying is tolerated by the publishers for a number of reasons: first of all, the quality of the copy is (in general) lower than that of the original; second, in many cases, for example for books, photocopying the complete document is more expensive than buying a new copy; finally, photocopies are easily identifiable and, if needed, legal action can be taken against the malefactor. Another way to copy a printed document is through Optical Character Recognition (OCR) systems. However, the reproduction of a printed document using OCR is in most cases time consuming and costly. With electronic documents photocopying can be compared with the printing of the computer screen, something which is, as with photocopies, difficult to prevent (footnote 1). In addition, as with printed documents, one can consider reproducing the electronic document from the captured screen dump using OCR techniques. However, in both cases the quality of the document is lost and, in addition, any special features of the electronic document, for example hypertext links, will disappear.
Document purchaser identification. A major issue in the commercialization of printed documents is the ability of the reader to buy the document without revealing his identity to anyone. One can buy, for example, any magazine, newspaper or book from a kiosk or book-store keeping his full anonymity from both the sales person and the publisher.
On the other hand, a reader can decide to reveal his identity to a publisher or reseller agent via, for example, a subscription and benefit from any possible special offers, like price reduction, extra editions, advance copies, etc. Note that the fact that a person is reading a specific document is in itself information. Thus it should be up to the reader to decide if he wishes this information to be revealed or not. With electronic documents the reader should also be able to read a document without having to reveal his identity. The document provider should not be able to relate the collected document fees to a specific reader. Of course, if the electronic document provider offers nominative subscriptions with possible side benefits, it should be up to the reader to decide if he wishes to subscribe and thus reveal his identity, or if he prefers reading the electronic document anonymously.
Document authoritativeness. The cornerstone of a printed document is the indisputable identification of the source of the information. The reader of a printed document knows with certainty who created the specific document and can easily identify modifications done on it, like corrections or additions. It is in general very difficult for one to modify or falsify a printed document in an untraceable way. Nevertheless, given enough money, time or power, any printed document can be untraceably modified or falsified. For example, someone with enough money can very easily print a false edition of a newspaper which is indistinguishable from the original. With electronic documents the reader should thus be able to indisputably identify the source of the document and verify its integrity. However, as with printed documents, a person or organization with enough money, time or power will always be able to falsify any electronic document.
Footnote 1: Of course there are techniques that prevent one from making photocopies, for example the use of special ink, but these are not often used due to their high cost.
2.1. Commercialization approaches for electronic documents
Today the commercial dissemination of electronic documents and the revenue collection are primarily done with the use of techniques based on entry point protection and secure content distribution.
With entry point protection the reader is given a password with which he is able to access the publisher's server and retrieve the required document, paying at the same time the corresponding fees. With secure content distribution the publisher distributes freely an encrypted version of its document and the interested reader purchases the decryption key, which can even be tailored to him. Once the reader has received the key he can decrypt the document with specialized software. Both of the above approaches, however, offer minimal copyright protection. The reader finally obtains the cleartext of the document, which he can copy and distribute at will without any control. The publisher of the document relies on the detection at a later time of copyright infringements and punishment of the malefactor according to existing laws. However, this kind of copyright protection is highly inefficient since it is very difficult, if not impossible, to trace illegal copies of electronic documents stored in private computers.
In the last few years, coupled with the general advent of the Internet and emerging electronic commerce, several commercial systems have appeared. Among the major ones we find IBM's cryptographic envelopes, Cryptolope [2,3], InterTrust's digital box, DigiBox [4], SoftLock of SoftLock [5] and the Folio4 products of OpenMarket [6]. These systems have a strong emphasis on content commercialization, copyright protection and usage metering. However, their major limitation is that they bind their users to proprietary systems or commercial partners and networks. The main characteristic of such technology is to bind the usage policy to the content in a secure way. This approach of "boxing up bytes" is commonly known under many terms such as cryptographic content wrappers, boxology, secure content encapsulation, etc.
Cryptolope is Java-based software relying on three components. First, the Cryptolope Builder can be thought of as a packaging tool allowing
building the cryptographic envelope holding both the content and the business rules for its use. This tool is basically used by content providers. The second component, which is intended to be used by information consumers, the Cryptolope Player, is the interpreter for accessing the Cryptolope content. It uses a trusted HTML viewer and interacts with the Cryptolope Clearing Center, which is the third component of the architecture. It is basically a trusted third party providing key management, a payment system and event logging/usage metering. The major problem faced with their approach was that it was a closed proprietary system. Users were forced to use IBM's InfoMarket infrastructure for the clearing center acting as a trusted third party, thus binding them to IBM. This is probably the reason Cryptolope has not encountered the anticipated success. In fact, a key factor of success for this type of technology relies on how open it is to integrating other commercial partners, be they clearing centers for copyright and/or usage, financial institutions or content providers.
The DigiBox technology (by analogy to the idea of a digital box) is probably the leader in the field currently. This technology, developed by STAR Lab (Strategic Technologies and Architectural Research Laboratory), is also a secure content wrapper technology which is the foundation of a commercial product, Commerce 1.0 and Enterprise 1.0, of InterTrust Technologies Corp. See Fig. 1. The DigiBox architecture is a secure content wrapper. In their approach content is called properties and the policies defining their usage are called controls. A DigiBox can hold one or many properties as arbitrary data. The controls can be delivered in the same DigiBox or independently in a separate DigiBox. Controls are linked to properties by cryptographic means. In a DigiBox, high level elements such as headers and general information are encrypted with a transport key. Properties are encrypted with other keys which can be delivered separately if needed. The transport key is composed of two parts, one of which is included in the DigiBox and will be combined (XOR) with another one stored locally in protected storage where the DigiBox is to be opened. The part included in the DigiBox is encrypted with a public key algorithm. The main advantage of this is that it protects against the threat of having either of the keys compromised. However, this approach requires distributing the keys among the participating parties (i.e., key management). Moreover, it requires secure storage on every host, which is called an InterRights Point. The cryptographic algorithms used are Triple DES and RSA, and integrity verification is done with a cryptographic hash function. Once the DigiBox is opened according to the controls governing this process, two different flows of information can occur. The first one is towards the financial clearinghouse for billing purposes. The second one, if required within the control set of the DigiBox, is towards the usage clearinghouse for collecting usage and metering information to be returned, hopefully, provided that the user is aware of and has agreed on such a feedback loop. The key benefits of the DigiBox approach are its support for both superdistribution, provided the controls are within the same DigiBox as the properties they are linked to, and separate delivery of properties and controls. The architecture directly supports off-line transactions due to its key management policy. However, this has a cost in terms of key management, which must be distributed among the participating actors by means of special DigiBoxes called "Directed DigiBox". Applications that want to use the DigiBox architecture must be certified by InterTrust.
Fig. 1. The DigiBox approach for binding policy to content.
Within the InterTrust system, all participants have unique IDs. DigiBoxes are assigned unique identifiers throughout the whole system. Thus it would also be possible to use content identification schemes such as Digital Object Identifiers (DOI) [7].
SoftLock [5] of SoftLock Services is a password-based locking mechanism for software and documents. SoftLock's technology ensures that the password which unlocks a particular product in one context differs from the password which will unlock the same product in another context. This is done by a proprietary scheme that generates a SoftLock ID based upon the context in which the document is used. When the User runs a SoftLocked program, SoftLock calculates a unique number called a SoftLockID (SLID), which is based by default upon the User's Hard Drive. SoftLock then looks for a unique password which is appropriate to that SLID and the product. If the correct password is present, the product is unlocked; if it is not, the customer is invited to purchase the correct password. The SLID can be linked to anything: the user's name, a specific computer, or even, when technology becomes available, the user's voice print. How these parameters are passed to SoftLock depends upon the authoring or programming environment. A document or program can thus be freely copied and widely distributed; the new user will be required to purchase a new password, since the context of the document has been changed. Password purchasing is facilitated by routines supplied with SoftLock's Programmer's ToolKits. The User can choose to purchase via encrypted E-mail, WorldWideWeb browser, or via a call to SoftLock's touch-tone robot. The User provides the required information (ProductNumber, SLID, Credit Card Number, etc.), and upon the reception of payment a password is delivered (over the phone, or by E-mail). When the password is received by the product, it is automatically stored on the User's computer, and future access to the features of that product in that context is assured. The money debited from Customer credit cards is electronically transferred to SoftLock's bank account each day, and disbursed to the Publisher-clients each month.
Note that for the time being passwords are generated and distributed only by SoftLock; the Publishers cannot generate passwords at their site, but can only act as intermediaries between the Customer and SoftLock.
SoftSEAL [8,9] of Breaker Technologies is a software toolkit for intellectual property protection and licensing services for Internet providers. The SoftSEAL toolkit is composed of three parts: the vendor-site toolkit, the client-side toolkit and the on-line purchasing/licence servers. Content providers use the vendor-site toolkit to encrypt their products and manage the sealed information. The client-side integration comprises a programming API (with Java, C and C++ bindings) and a licensing class library that content providers can use to implement plug-ins that recognize the sealed content and implement their licensing policies. A set of plug-ins for the most common Internet formats (HTML, PDF, GIF, MP3, etc.) is already made available by Breaker Technologies. Finally, the on-line purchasing/licence servers are standalone applications that store and serve the licenses governing a customer's access to sealed content. With the SoftSEAL system, the vendor seals his product into a secure wrapper and associates it with a product code, which eventually defines the licensing type. The same product must be sealed and associated with different product codes in order to provide it with a different licensing schema. Feature codes associate a set of capabilities with a product code, providing different access levels to the underlying product. When the customer downloads the Web page containing the sealed component, his browser should be able to recognize and handle the cryptographic wrapper and "display" the content. This is done by using browser plug-ins, which are either developed by the content provider or are the general purpose ones provided by Breaker Technologies. The plug-in will contact, via the Internet, the purchasing/licence servers, where the user will identify himself and obtain, transparently, the stored license for opening the wrapper and viewing the content.
Since the license is associated with the user and stored in the purchasing/licence server, the wrapped product can be widely distributed to other users.
The Folio [6] products of OpenMarket provide a whole set of tools for Internet based payment, content management and publishing. The SecurePublish product provides an enterprise solution for rights control and usage metering within an organization's intranet. The operation of SecurePublish is based on the Rights Administration, a system for securing and managing protected content for a local environment. At the heart of the rights management system of SecurePublish is the License Collection File (LCF), which contains one or more licenses. Each license controls access and limit rights for one or more rights managed infobases. Access rights include the tasks a user can perform or what a user may see once access has been given. For example, edit, export to disk, copy to clipboard, print and view term list are all access rights. In SecurePublish, the limit rights are the most important. Limit rights control how long the title may be used and by how many users. For example, expiration on date, expiration after N hours of cumulative use, and enable soft concurrency are all limit rights. With SecurePublish, once the commercial information for the corporate site is purchased and received, it can be mounted (along with the corresponding LCF files) on a corporate server. When a user wants to access a rights managed title on the intranet, the system makes a request to open the appropriate title. The user is authenticated (identified to the system and assigned an internal ID) if authentication has been enabled. Once the user is authenticated a request is passed to the Rights server. The Rights server finds the LCF associated with the requested title and searches for a license within the LCF to determine the limit rights. If the license is found, the rights flag is passed back with the limits, and the user can access the document accordingly. The document access information is collected in a log file which is sent to the publisher at regularly scheduled intervals. The publisher uses this information for negotiation when the subscription is up for renewal or after a trial period.
3. The MEDIA approach for commercialization of electronic documents
The aim of the Mobile Electronic Documents with Interacting Agents (MEDIA) [10] project is to develop the means that will allow protection, commercialization and dissemination of electronic documents under similar conditions as those for printed documents, as defined above. The MEDIA
approach is based on the encapsulation of the documents in agents. The document is no longer a simple collection of data but a program which the reader must execute in order to be able to read it. The document agent can thus enforce the copyright control and payment at the time the reader requests to read the document. In the context of the MEDIA project we designed and developed the Hypermedia Electronic Publishing (HEP) [11–14] framework that implements the MEDIA electronic document commercialization model. The HEP framework enforces a pay-per-use scheme for the electronic documents. The reader pays only for what he explicitly requests to read and he cannot read a document which he has not paid for. The document distribution model of the HEP framework is based on public key encryption with a security schema that discourages infringements [15]. Information consumer anonymity and privacy are protected so that the reader need not reveal his identity to the document provider. Furthermore, the HEP framework supports off-line operations for the payment of the document fees and the release of its contents to the reader, with the simultaneous delivery of receipts (proof of purchase) for subsequent accesses to the document. One of the most important points in the design of the MEDIA electronic document distribution model was the choice of agents as the means for the document dissemination. The reasons for this choice were many. First of all, agent technology is not bound to a specific platform. The same agent can run on different heterogeneous platforms without need of modification. A second reason is that the document is network aware. This way it can decide on its actions (release or not of its content and under which terms) depending on the node where it is executing, being responsible for its own security and the application of different policies. In addition, the policies are implemented as programs, allowing a far greater flexibility in the definition of the terms and conditions of accessing the document content. Finally, the agent metaphor allows the implementation of trust chains where each entity, like network provider, credit institution, publisher, etc., is responsible for a specific task in the commercialization chain.
3.1. The MEDIA document encapsulation and distribution model
In the MEDIA model the document is packaged within an agent for full public distribution. The content, considered as a binary large object (BLOB), is encrypted with a symmetric key (K). This key is itself encrypted with the public key of the accredited credit institution along with information (I) identifying the publisher and the price of the document. A document information string (DIS) is added to the agent providing the necessary public (i.e., free) information about the content such as title, authors, price, abstract, etc. In addition we include the code (or its signature) (AC) implementing the operations and policies for accessing the content, along with a hash of the encrypted blob (BH). Finally, the encrypted key, the agent code and the DIS are signed by the information provider with his private key. This encapsulation, shown graphically in Fig. 2, binds all parts of the agent together and at the same time guarantees that the agent is coming from the (responsible) provider and has not been tampered with. The encapsulated document can be distributed without any restriction to potential readers. The copyright control will be triggered each time the reader asks to read the document. To achieve this we have devised a scheme for the commercial distribution of electronic documents that satisfies the defined security and distribution requirements. It is based on public key encryption and requires a trusted third party between the information consumers and providers, which may be, for example, a credit institution or a bank. Both parties trust the credit institution to authorize the unlocking of the article against payment from the information consumer, which is credited to the information provider's account. Upon successful payment to the credit institution, the article key is released to the agent platform and a receipt is given to the information consumer for subsequent access.
Fig. 2. The electronic document agent packaging.
Fig. 3. HEP document distribution model overview.
This receipt is issued only for the information consumer that purchased the article. Thus the receipt is nominative. However, this can also be bound to whatever commercial policy the providers wish to use. A general overview of the model is given in Fig. 3. In summary, the process of both the initial access and the subsequent accesses to the content (i.e., unlocking) is done in two steps. The first step is to acquire a session key for the further secure communication with the accredited entity (i.e., credit institution or alike) which will process the access request and release the document key. The second step is the actual content access request and acquisition of the article key and receipt, as shown in Figs. 4 and 5. The request is formed by extracting from the article agent the encrypted key corresponding to the credit institution and the article information string. This is then signed by the user and the result is encrypted using the session key previously acquired in the first step. Upon receiving such a message, the credit institution will be
able to decrypt it knowing the previously issued session key, verify the signatures of both the user and the provider and thus reveal the DIS and the encrypted key. At this point, billing occurs and, if it is successful, the article key K will be decrypted with the private key of the credit institution and a signed receipt generated for this transaction. Finally, the article key and the signed receipt are encrypted with the session key and the result is sent back to the user (i.e., to the agent platform which the article agent will instruct to release its content). Subsequent access to the article content is done in exactly the same way except that a receipt is appended to the request sent to the credit institution. Upon successful verification of the receipt by the credit institution (i.e., verification of the receipt issuer signature and user identification match between receipt holder and requester), the article key will be returned to the user. The use of receipts is an important item of the HEP framework since the reader should be able to access the article many times after the initial payment without having to pay again.
Fig. 4. Access request.
Fig. 5. Article key and receipt.
3.2. Key management
The only keys that need to be exchanged between the participants (i.e., information providers and consumers, and credit institutions) are their
public keys and the session keys between the information consumers and the credit institutions. For the time being no use is made of certification authorities for public key acquisition. However, this can be integrated easily in future implementations. The session key acquisition is secured by using asymmetric cryptography for encryption and signatures. Every participating entity knows its own private key. The credit institutions need to know the public keys of both the information providers and consumers, which is a reasonable assumption for a trusted third party. Furthermore, credit institutions are accustomed to handling very large numbers of independent records for their customers. The information consumers need to know the public keys of the information providers and the credit institutions. However, the information providers only need to know the public key of the credit institutions. Finally, the information providers know the document/article symmetric key that was used for content encryption, which is also a reasonable assumption since they own their content/added value; nevertheless, this key need not be stored for each and every article and in fact it can be discarded once the article has been encrypted and packaged in the document agent. The key management principles are summarized graphically in Fig. 6. From a key management point of view, the major advantage of this document distribution scheme resides in the fact that there is no overhead for document key exchange or replication, since the document key is encrypted with the public key of the accredited institutions and held by the article agent itself. Thus, even in case of information provider bankruptcy the content can still be accessed through one of the credit institutions.
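The packaging of section 3.1 (BLOB under K, {K, I} under the credit institution's public key, DIS, AC, BH and the provider signature), the two-step unlock exchange of Figs. 4 and 5, and the "who knows what" key distribution of section 3.2, as an added Python simulation that is not HEP code. It assumes a single credit institution "CI", a publisher "ACME Press", readers alice and bob, and toy primitives (textbook RSA on Fermat-tested primes, a SHA-256 keystream cipher) standing in for the real ones:

```python
# Added simulation of the HEP document agent packaging and unlock flow of section 3.1;
# not HEP code. Toy primitives: textbook RSA without padding on Fermat-tested primes and
# a SHA-256 keystream cipher. They show the message structure only and are NOT secure.
import hashlib, json, secrets

def _random_prime(bits):                 # Fermat test on fixed bases: demo only
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7)):
            return c

def rsa_keypair(bits=1024):              # ((e, n), (d, n)); retried if e has no inverse mod phi
    p, q = _random_prime(bits // 2), _random_prime(bits // 2)
    phi = (p - 1) * (q - 1)
    return ((65537, p * q), (pow(65537, -1, phi), p * q)) if phi % 65537 else rsa_keypair(bits)

def _rsa(key, data):                     # raw RSA on a big-endian integer, fixed-size output
    return pow(int.from_bytes(data, "big"), key[0], key[1]).to_bytes((key[1].bit_length() + 7) // 8, "big")
def sign(priv, msg):
    return _rsa(priv, hashlib.sha256(msg).digest())
def verify(pub, msg, sig):
    return _rsa(pub, sig).lstrip(b"\0") == hashlib.sha256(msg).digest().lstrip(b"\0")

def stream_xor(key, data, label):        # SHA-256 counter keystream; one label per stream
    ks = (hashlib.sha256(key + label + i.to_bytes(8, "big")).digest() for i in range(0, len(data), 32))
    return bytes(a ^ b for a, b in zip(data, b"".join(ks)))

def canon(**fields):                     # canonical JSON bytes for signing; bytes values as hex
    return json.dumps({k: v.hex() if isinstance(v, bytes) else v for k, v in fields.items()},
                      sort_keys=True).encode()

def package_document(content, dis, info, provider_priv, ci_pub, ac="pay-per-read policy code"):
    # Provider side (Fig. 2): encrypted BLOB, {K, I} under the CI public key, DIS, AC, BH, signature.
    K = secrets.token_bytes(16)
    blob = stream_xor(K, content, b"doc")
    enc_key = _rsa(ci_pub, (K.hex() + "|" + info).encode())     # info is "publisher|price_cents"
    dis_s, bh = json.dumps(dis, sort_keys=True), hashlib.sha256(blob).hexdigest()
    sig = sign(provider_priv, canon(enc_key=enc_key, dis=dis_s, ac=ac, bh=bh))
    return {"blob": blob, "enc_key": enc_key, "dis": dis_s, "ac": ac, "bh": bh, "provider_sig": sig}

class CreditInstitution:                 # trusted third party: verifies, bills, releases K, issues receipts
    def __init__(self, priv, pub, provider_pubs, consumer_pubs):
        self.priv, self.pub, self.ledger, self.sessions = priv, pub, {}, {}
        self.provider_pubs, self.consumer_pubs = provider_pubs, consumer_pubs
    def open_session(self, user, enc_s, sig):   # step 1: S arrives RSA-encrypted for us and user-signed
        if not verify(self.consumer_pubs[user], enc_s, sig):
            raise PermissionError("bad session signature")
        self.sessions[user] = _rsa(self.priv, enc_s)[-32:]
    def access(self, user, ciphertext):         # step 2 (Figs. 4 and 5)
        S = self.sessions[user]
        msg = json.loads(stream_xor(S, ciphertext, b"req"))
        body, req = msg["body"].encode(), json.loads(msg["body"])
        prov_pub = self.provider_pubs[json.loads(req["dis"])["publisher"]]
        if not (req["user"] == user and verify(self.consumer_pubs[user], body, bytes.fromhex(msg["user_sig"]))
                and verify(prov_pub, canon(enc_key=req["enc_key"], dis=req["dis"], ac=req["ac"], bh=req["bh"]),
                           bytes.fromhex(req["provider_sig"]))):
            raise PermissionError("user or provider signature invalid")
        k_hex, publisher, price = _rsa(self.priv, bytes.fromhex(req["enc_key"])).lstrip(b"\0").decode().split("|")
        receipt = req["receipt"]
        if receipt is None:                     # first access: bill the reader, credit the publisher
            self.ledger[publisher] = self.ledger.get(publisher, 0) + int(price)
            rb = canon(issuer="CI", user=user, bh=req["bh"]).decode()
            receipt = {"body": rb, "sig": sign(self.priv, rb.encode()).hex()}
        else:                                   # re-access: our signature, and holder must be the requester
            rec = json.loads(receipt["body"])
            if not (verify(self.pub, receipt["body"].encode(), bytes.fromhex(receipt["sig"]))
                    and rec["user"] == user and rec["bh"] == req["bh"]):
                raise PermissionError("receipt invalid or not held by requester")
        return stream_xor(S, json.dumps({"key": k_hex, "receipt": receipt}).encode(), b"rep")

class Consumer:                          # reader's agent platform: step 1 at construction, then requests
    def __init__(self, name, priv, ci_pub, ci):
        self.name, self.priv, self.S = name, priv, secrets.token_bytes(32)
        enc = _rsa(ci_pub, self.S)
        ci.open_session(name, enc, sign(priv, enc))
    def read(self, agent, ci, receipt=None):    # returns (cleartext, receipt)
        body = canon(user=self.name, enc_key=agent["enc_key"], dis=agent["dis"], ac=agent["ac"],
                     bh=agent["bh"], provider_sig=agent["provider_sig"], receipt=receipt)
        msg = json.dumps({"body": body.decode(), "user_sig": sign(self.priv, body).hex()}).encode()
        reply = json.loads(stream_xor(self.S, ci.access(self.name, stream_xor(self.S, msg, b"req")), b"rep"))
        return stream_xor(bytes.fromhex(reply["key"]), agent["blob"], b"doc"), reply["receipt"]

def demo(content=b"Constructed sample article: pay once, re-read for free, receipts are nominative."):
    # Returns (both reads correct, cents credited to the publisher, another user's receipt accepted).
    keys = {n: rsa_keypair() for n in ("ACME Press", "CI", "alice", "bob")}   # name -> (public, private)
    ci = CreditInstitution(keys["CI"][1], keys["CI"][0], {"ACME Press": keys["ACME Press"][0]},
                           {u: keys[u][0] for u in ("alice", "bob")})
    agent = package_document(content, {"title": "Sample", "publisher": "ACME Press", "price_cents": 250},
                             "ACME Press|250", keys["ACME Press"][1], keys["CI"][0])
    alice, bob = (Consumer(u, keys[u][1], keys["CI"][0], ci) for u in ("alice", "bob"))
    text1, receipt = alice.read(agent, ci)          # billed: 250 cents
    text2, _ = alice.read(agent, ci, receipt)       # free re-read with the nominative receipt
    try:
        bob.read(agent, ci, receipt)                # Alice's receipt must not unlock the key for Bob
        replay_accepted = True
    except PermissionError:
        replay_accepted = False
    return text1 == text2 == content, ci.ledger["ACME Press"], replay_accepted
```

demo() takes about a second because it generates four 1024-bit toy keypairs; the nominative receipt check is what lets alice re-read without a second charge while bob's use of her receipt is refused.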
Fig. 6. Key management: who knows what.

3.3. Agent platform requirements

One of the most important decisions in the conception of MEDIA and in the design and implementation of the HEP framework was the choice of agent technology and of an agent platform as the basis for the system. This choice was influenced by a number of requirements for the agent platform. The first was that the agent platform should allow portability and support architecture independence. That is, one should be able to port the agent platform to different architectures, from PCs to minis and high-end computers, and, in addition, the ported platform should provide identical behavior on all architectures. In principle all existing agent platforms (MOLE [16,17], JDK, etc.) provide this feature. The second requirement, which for our needs was the most important, concerns the security offered by the platform. On the one hand we ask that the platform protect the agents executing on it from each other; that is, one agent should not be able to modify or alter another agent. On the other hand we ask that the platform be able to protect itself from malicious agents. In addition, the agent platform should provide the means to control all accesses of the agents to the network, files or even other agents, provide a way to migrate agents from one platform to another, and support agent persistence.

Although the JVM is a prime candidate, its security model is insufficient: Java agents can easily attack both the platform and other agents. Although in our first implementation of HEP we used MOLE as the agent platform, the second implementation is based on JavaSeal. JavaSeal [18,19] is an agent platform designed and developed within the MEDIA project, extending the security model of the JVM. JavaSeal is based on the notion of Seals, which provide a secure communication model between agents. Each Seal behaves as a closed name space, and agents can only communicate with their parent or child Seals. In this way, by placing agents in different Seals, one can monitor all message exchanges and tightly control the flow of information and the interactions between the agents.

4. Security issues

In addition to the agent platform security requirements, a number of other security issues must be faced in order to provide a consistent commercial electronic document dissemination environment.

A first issue regards the copying of images from the screen. As we said, screen dumps are allowed within the document dissemination model, as being equivalent to photocopies. However, a screen dump of an image or a photo reproduces an identical copy of the original. Thus we have a breach of the copyright enforcement. One solution to this problem is to watermark the images of the electronic document, so that we can at least detect copyright infringements at a later time.

A second issue concerns access to documents distributed in arbitrary representation formats. Today electronic documents are created and distributed in different electronic representations requiring different viewers for their visualization, as, for example, Adobe PDF, Word, FrameMaker, or even more professional formats like QuarkXPress. It would be unrealistic to expect that in the future a single electronic document representation format will impose itself on the market; rather, new ones will appear, fulfilling yet undefined needs of readers and publishers. As a result a document might require a specialized reader for viewing, which might not be part of the document commercialization platform. The commercialization platform would thus have to pass the plaintext document to the external viewer, breaking in this way all the copyright protection of the document. By viewing the content in an external viewer the user is able simply to store the document from within the viewer or, if this is not possible, to capture the data while it is transferred from the platform to the viewer. Possible solutions to the problem are either to equip the commercialization platform with viewers that can render all possible (or at least the most common) electronic document formats, or to define APIs that allow the collaboration of the platform and the viewer, restricting the actions of the reader (for example disabling the "save" function).

A last security issue of the HEP framework is that the document key will, at some moment, be stored in the memory of the host computer. That means that it would be possible, although not trivial, for the user to extract it. This problem can be addressed with a combination of different techniques. First of all, the platform can be implemented so that the encryption keys are not kept in memory for long periods. Furthermore, scrambled memory techniques can be employed in order to obfuscate the encryption keys. Finally, one can even consider specialized tamper-resistant security devices, like the IBM 4758 PCI cryptographic coprocessor [20], attached to the computer and handling all encryption (and authentication) procedures. Nevertheless, this kind of problem disappears if the viewing of the document is done on a dedicated machine, for example NewsPad [21] or SoftBook [22], instead of on a general purpose computer.

5. Conclusion

With the expansion and wide availability of networks and cheap powerful computers, electronic publishing and dissemination of electronic
documents, ranging from letters to books and from photo-images to music and video, will slowly replace a large part of the hard copy market (companies are already selling music in MP3 format (MPEG-2 Layer 3) through the network). The most important issue in the commercialization of electronic information is to provide electronic information providers with guarantees for their intellectual rights protection and revenue collection similar to those of hard copy information. The HEP framework provides an approach that allows information providers to distribute electronic information with sufficient guarantees regarding the protection of their intellectual rights. The HEP approach is based on the encryption of the document content and its encapsulation in an agent. This way the interested reader needs to execute the agent, which controls the access rights and performs the required steps for paying the corresponding fees before authorizing the presentation of the content to the user. A basic element of the HEP approach is that the user never receives the clear text document, but can only visualize it via the HEP system.

Of course we by no means claim that the HEP framework provides absolute security for protecting electronic documents. HEP, as well as all commercial systems, is based on the concept of calculated risk. A user with enough money/power/time can bypass any type of security. What HEP does is to make the task of breaking the security and "stealing" the documents difficult enough to discourage the vast majority of readers. Furthermore, if we consider that in the future general purpose PCs will have crypto-chips and possibly copyright chips included, then the HEP approach can provide a solution for the dissemination of electronic documents. Alternatively, with the appearance of dedicated machines whose only function is to access and read documents, the HEP solution becomes even more interesting, since many of the security problems disappear: the user no longer has direct access to the machine, and thus stricter security can be enforced on both hardware and software.

Our work on the development of the HEP system is ongoing. We have completed the development of the second prototype and we have integrated off-line operations using Java smart cards. We are now investigating the issues related to long-term high-value documents, like books, and the commercialization of (live) streams of audio/video material, while at the same time we try to use the HEP infrastructure for the development of a business environment based on the idea of Active Business Objects (ABO): agents encapsulating business objects which become mobile active software entities, holding all the necessary data and code to take action according to the different situations that can occur in a business environment [23].
References

[1] D. Konstantas, J.-H. Morin, Trading intangible goods: the rules of the game, in: Proceedings of the Hawaii International Conference on System Sciences (HICSS 2000), 4–7 January 2000, Hawaii, USA.
[2] M.A. Kaplan, IBM Cryptolopes™, SuperDistribution and Digital Rights Management, IBM Corporation, December 1996, http://www.research.ibm.com/people/k/kaplan.
[3] U. Kohl, J. Lotspiech, A. Kaplan, Safeguarding digital library contents and users: protecting documents rather than channels, IBM Research Division, San Jose, CA, and Hawthorne, NY, D-Lib Magazine, September 1997, http://www.dlib.org/dlib/september97/ibm/09lotspiech.html.
[4] O. Sibert, D. Bernstein, D. Van Wie, The DigiBox: A self-protecting container for information commerce, in: Proceedings of the First USENIX Workshop on Electronic Commerce, New York, 11–12 July 1995.
[5] Softlock Services Inc., SoftLock, http://www.softlock.com/.
[6] OpenMarket Inc., Folio 4, http://www.folio.com/.
[7] International DOI Foundation, The digital object identifier system, http://www.doi.org/.
[8] R. Mauth, Better copyright protection, BYTE Magazine (May 1998) 5–6.
[9] SoftSEAL: Technical Briefing, Breaker Technologies, http://www.breakertech.com/breaker/docs.html.
[10] D. Konstantas, J.-H. Morin, J. Vitek, MEDIA: A platform for the commercialization of electronic documents, in: D. Tsichritzis (Ed.), Object Applications, CUI, University of Geneva, August 1996.
[11] J.-H. Morin, D. Konstantas, Towards hypermedia electronic publishing, in: Proceedings of the Second IASTED/ISMM International Conference on Distributed Multimedia Systems and Applications, Stanford, CA, 7–9 August 1995.
[12] J.-H. Morin, Requirements for a hypermedia electronic-newspaper environment based on agents, in: D. Tsichritzis (Ed.), Objects at Large, Centre Universitaire d'Informatique, University of Geneva, July 1997, pp. 177–193.
[13] J.-H. Morin, HyperNews: A hypermedia electronic-newspaper environment based on agents, in: Proceedings of the Hawaii International Conference on System Sciences (HICSS-31), 6–9 January 1998, Kona, Hawaii, vol. II, pp. 58–67.
[14] J.-H. Morin, D. Konstantas, HyperNews: A MEDIA application for the commercialization of an electronic newspaper, in: Proceedings of the 1998 ACM Symposium on Applied Computing (SAC'98), Atlanta, Georgia, 27 February–1 March 1998, pp. 696–705.
[15] V. Prevelakis, D. Konstantas, J.-H. Morin, Issues for the commercial distribution of electronic documents, in: S. Katsikas (Ed.), Communications and Multimedia Security, vol. 3, Chapman & Hall, London, 1996.
[16] J. Baumann, F. Hohl, K. Rothermel, M. Schwehm, M. Straßer, Mole 3.0: A middleware for Java-based mobile software agents, in: Proceedings of Middleware'98, Chapman & Hall, London, 1998.
[17] M. Strasser, J. Baumann, F. Hohl, Mole – A Java based mobile agent system, in: Second ECOOP Workshop on Mobile Object Systems, University of Linz, 8–9 July 1996.
[18] J. Vitek, C. Bryce, W. Binder, Designing JavaSeal or how to make Java safe for agents, in: D. Tsichritzis (Ed.), Electronic Commerce Objects, Centre Universitaire d'Informatique, University of Geneva, July 1998, pp. 105–126.
[19] J. Vitek, G. Castagna, Towards a calculus of secure mobile computations, in: IEEE Workshop on Internet Programming Languages, Chicago, IL, May 1998.
[20] IBM 4758 PCI Cryptographic Coprocessor, http://www.ibm.com/security/cryptocards/index.html.
[21] NewsPAD Project, The Portable Multimedia Newspaper, http://ictnet.es/newspad/.
[22] SoftBook, Electronic Book, http://www.softbook.com/softbook_sys/csoftbook.html.
[23] J.-H. Morin, C. Kobel, D. Konstantas, Active Business Objects (ABO): When agents meet ABC/ABM based management, in: Proceedings of the Hawaii International Conference on System Sciences (HICSS 2000), 4–7 January 2000, Hawaii, USA.

Dimitri Konstantas is Assistant Professor of Multimedia Communication Systems at the Social and Economic Sciences Faculty of the University of Geneva. He obtained a degree in Electrical Engineering at the National Technical University of Athens in 1981, an M.Sc. in Computer Science at the University of Toronto in 1983 and a Ph.D. in Computer Science at the University of Geneva in 1993. From 1985 until 1987 he was a researcher at the Institute of Computer Science, FORTH, at Heraklio, Crete; from 1987 to 1993 he was a research assistant at the University of Geneva, and since 1993 he has been Assistant Professor at the University of Geneva. Professor Konstantas is the author of many articles on object-oriented systems, computer communications and multimedia systems, has participated in numerous European and Swiss research and industrial projects, and has been a consultant to several European companies. His present interests include electronic commerce, and specifically the commercialization of intangible goods, multimedia applications and communication systems.

Jean-Henry Morin holds a Ph.D. and a degree in Information Systems from the Economics and Social Sciences Faculty of the University of Geneva. Since 1999 he has been a lecturer in the Object Systems Group (OSG) of the Centre Universitaire d'Informatique (CUI) at the University of Geneva, where he worked as a research assistant from 1993 to 1998. Prior to joining CUI-OSG, he worked as a programmer-analyst in the banking industry and on various projects in the business and financial field. His present interests include electronic publishing, electronic commerce, mobile objects (agents), information services over open networks like the Internet, and multimedia communication systems.