By Sven Gossel, charismathics and member of the Silicon Trust
Digital Rights Management protects the IP of the SW vendor, Identity Management protects the data and IP of the enterprise by identifying the user. Both require the identity of the user – so why not put both into just one device?
Companies in the digital world do business by selling digital content, such as intellectual property in the form of software, documents or multimedia files, or communicate by exchanging sensitive information. An essential part of their daily business is determined by digital information – so ‘virtual goods / assets’ extend the traditional resources of the production industry. To protect their technological leadership, many companies fight against imitators who copy their products or gain an advantage by knowing sensitive information.
What is the connection between sensitive information / intellectual property and the Internet? Information can be passed in different ways via the Internet; for example: internally between headquarters and home-work employees or distribution partners, and externally between a company and banks, payment systems, public authorities, patent offices, research institutes or cooperation partners.
Quite often sensitive information is transported unprotected via the Internet, so there is a danger that unauthorized persons might misuse it. So each unprotected communication is accompanied by questions such as: will somebody intercept or read this email? What are trustworthy methods for the protection of information? And in general: how can intellectual property be protected?
Technology: public key infrastructure (PKI)
The encryption market raises such questions and develops answers. A very common authentication method for sensitive information is Public Key Infrastructure (PKI): it is a set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates.
A PKI binds public keys and private keys to a user’s identity for authentication. To transfer encrypted information, the sender requires the public key of the addressee. In doing so, the sender must make sure that this public key really is the right addressee’s key and not a fake key supplied by a fraudster.
Therefore a digital certificate securing the addressee’s authentication is required. For security reasons the private key must not be disclosed to anybody.
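The check described above, as an added example that is not part of the original article: the sender encrypts only to a public key whose certificate verifies against a trusted CA, and refuses a self-signed look-alike carrying the same name. It uses the standard `openssl` command line; the CA name, the addressee name and all file names are assumptions constructed for the demo.

```sh
#!/bin/sh
# Constructed demo: every name below (Demo CA, addressee@example.com) is made up.

make_demo_pki() {   # $1 = working directory
    d=$1
    # Trusted CA: self-signed root certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # Addressee: key pair and signing request, then a certificate issued by the CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=addressee@example.com" \
        -keyout "$d/addressee.key" -out "$d/addressee.csr" 2>/dev/null
    openssl x509 -req -in "$d/addressee.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/addressee.crt" 2>/dev/null
    # Look-alike: same subject name, but self-signed instead of CA-issued.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=addressee@example.com" \
        -keyout "$d/fake.key" -out "$d/fake.crt" 2>/dev/null
}

cert_is_trusted() {   # $1 = CA certificate, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

encrypt_for() {   # $1 = CA cert, $2 = addressee cert, $3 = input file, $4 = output file
    if ! cert_is_trusted "$1" "$2"; then
        echo "refusing to encrypt: $2 is not issued by the trusted CA" >&2
        return 1
    fi
    # Direct RSA encryption only fits short messages; real mail uses hybrid schemes.
    openssl pkeyutl -encrypt -certin -inkey "$2" -in "$3" -out "$4"
}

work=$(mktemp -d)
make_demo_pki "$work"
printf 'quarterly figures' > "$work/msg.txt"
for c in addressee fake; do
    if encrypt_for "$work/ca.crt" "$work/$c.crt" "$work/msg.txt" "$work/$c.enc"; then
        echo "$c.crt: verified, message encrypted"
    else
        echo "$c.crt: rejected, nothing sent"
    fi
done
# Only the holder of the private key can read the result.
openssl pkeyutl -decrypt -inkey "$work/addressee.key" -in "$work/addressee.enc"; echo
rm -rf "$work"
```

The look-alike certificate names the same addressee, so comparing names alone would accept it; only the CA signature check tells the two apart.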
Technology: software protection
Another target of imitators is intellectual property such as software. The market offers software-based and hardware-based protection solutions. A company’s protection strategy depends on several factors such as the level of security, flexibility, usability or additional value. The perfect solution combines these different factors.
Software vendors spend a lot of time and money on software development, so the protection of their development investment is of huge importance. Due to growing Internet access, more and more pirate copies become available all over the world, and they can be easily distributed. The copy has the same quality as the original. Even self-appointed dealers sell pirate copies very professionally.
Similar to PKI solutions, keys are at the centre of software protection solutions: the level of security increases from serial numbers to keys used for encryption and decryption. The use of license numbers or personalized serial numbers for software protection is weak. Such a number could be distributed freely over the Internet. Another way is to bind a license to a specific PC. This offers a little more protection, but increases support effort. Pure online solutions requiring permanent online access during use of the software are not practicable for many applications. Only the use of a hardware device offers the highest security level and provides mobile and offline usage of a software product.
A perfect licensing and protection solution for software, documents or media requires:
• A secure hardware to store many licenses, which contain cryptographic keys as well as information like expiration time, network floating licenses or pay per use counters;
• Tools that modify documents or software in such a way that they can be used without hassle, but are never stored unprotected. Therefore, the code or data must never be completely in plaintext in the computer memory. Furthermore, obfuscation, anti-debugging and locking on crack detection increase security.
• A back office integration to simplify logistics and integration in the sales chain and process.
Security of the future
The best security solution combines both worlds: PKI and software protection. Two German companies have set up a technological co-operation that is aimed at merging such expertise and generating an innovative solution. With this partnership, the DRM product range will be boosted by supporting all major identity management standards.
The upcoming USB stick will combine Digital Rights Management with the added security authentication features of a smart card. This product is designed to address the demands for a unique hardware device to serve both software protection and logical access control purposes at the same time.
The unit will show a high level of security, flexibility and usability. The X.509 certificates will be stored in the safest memory area, the smart card chip, which is embedded in the USB-interface based token. The private key is thus kept secret in a tamper-proof unit. And the middleware handles the PKI security, ensuring a 100% complete integration of worldwide common standards like Microsoft Crypto Service Provider (CSP) and PKCS#11 command set. The new solution will run on all common operating systems such as Windows, Linux, and Mac OS X.
This device adds value and security to companies wanting to protect both their applications and laptops by a single secure modern token.