geographic digital rights management an alternate security implementation for incident management l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Geographic Digital Rights Management: An alternate security implementation for Incident Management PowerPoint Presentation
Download Presentation
Geographic Digital Rights Management: An alternate security implementation for Incident Management

Loading in 2 Seconds...

play fullscreen
1 / 15

Geographic Digital Rights Management: An alternate security implementation for Incident Management - PowerPoint PPT Presentation


  • 386 Views
  • Uploaded on

Geographic Digital Rights Management: An alternate security implementation for Incident Management John Herring ISO TC 211 / Oracle GeoDRM Security Architecture Public-key cryptosystem Identity based on crypto-keys Digital signature for XML documents (Geographic) Licensing systems

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Geographic Digital Rights Management: An alternate security implementation for Incident Management' - EllenMixel


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
geographic digital rights management an alternate security implementation for incident management

Geographic Digital Rights Management: An alternate security implementation for Incident Management

John Herring

ISO TC 211 / Oracle

geodrm security architecture
GeoDRM Security Architecture
  • Public-key cryptosystem
  • Identity based on crypto-keys
  • Digital signature for XML documents
  • (Geographic) Licensing systems
  • Service Oriented Architecture
standards 1 iso iec jtc 1 ieee w3c
Standards 1 ISO/IEC JTC 1, IEEE, W3C
  • PKI (public key infrastructure)
    • IEEE 1363 Public Key Cryptography
    • W3C XML Encryption Syntax and Processing
  • Digital Signature (DSIG)
    • W3C XML Signature Syntax and Processing
  • Digital Rights Management (MPEG 21)
    • ISO/IEC 21000 Information technology — Multimedia Framework
    • ISO/IEC 21000-5 Rights Expression Language
standards 2 ogc iso tc 211
Standards 2 OGC, ISO TC 211
  • Geographic Digital Rights Management
    • OGC, The OpenGIS Abstract Specification Topic 18: Geospatial Digital Rights Management Reference Model (GeoDRM RM)(submitted as ISO 19153 – working draft)
    • OGC Discussion Paper, Geographic information - Rights expression language for geographic information – GeoREL(submitted as ISO 19149 — out for DIS vote)
public key cryptography asymmetric encryption
Public Key Cryptographyasymmetric encryption
  • Two keys, one private, one public each decrypts what the other encrypts
  • They are not derivable from one another (produced as a pair)
  • Creates a secure communication infrastructure with no need for “private” key communications
  • Digital Signature comes for free
digital signature non repudiations of documents
Digital Signaturenon-repudiations of documents
  • Uses a cryptographic hash to checksum a document, and a private key to encrypt it
  • When attached to the document, it means that “key holder” was to last to have control of its content
digital rights management iso rel iso iec 21000 5
Digital Rights ManagementISO REL (ISO/IEC 21000-5)
  • License is a XML document that “grants” to a “principal” “rights” (acts) against “resources” under specific “conditions”
  • Currently in use mainly for multi-media files
  • A better business model fit for geographic resources
iso rel functionality
ISO REL functionality
  • Basic license functionality
    • Create licenses that “prove” membership in a [class]
    • Simple access to digital items (copy-print-display)
    • Specification and invocation of services during authorization
    • A “here or reference” elements for a style of pointers similar to GML
    • Related “conceptually abstract” type/element pairs for principal, right, resource, and condition derived from abstract license part
    • Restrictions on process for “render rights” i.e. limit service rights
  • Basic license validation techniques
    • Principals can subsume (contain others), rights must be equal
    • Inventories (lists in single place for reference elsewhere)
    • Variables (substitute for license parts, can limit by descriptions)
georel extends iso rel
GeoREL Extends ISO REL
  • Creating GeoProcess both as a principal (owner of a license) and as resource (service)
    • Element r:principal is already in the r:resource substitution group
    • Allows use of mx:renderer to specify GeoProcess as a principal
    • “Compliance as license” simplifying license validation.
    • GeoProcess as renderer
  • Conditions based on location, or spatial limits, parameter values, derived products rights, etc.
  • Side effects by using the pattern established by ISO REL tracking service calls
  • Basic Mantra: If ISO REL does it, Geo REL uses it, does not redefine it
basic principles of the design
Basic Principles of the Design
  • Service Oriented Architecture
    • Operations are request-response pairs, usually XML document pairs
  • Access and “rights” are determined at runtime through licenses aggregated with the request
  • Message encryption is optional
request message contents
Request Message Contents
  • Contain identity information, using one or more license.
  • Contain any “property” licenses that confer on the sender properties that might affect the evaluation of his licenses.
  • Contain any process or data licenses, associated to that identity that may be needed to complete the request.
  • Be signed as a unit by the sender to assure the correspondence between the request, the passed identity and the licenses.
  • Optionally encrypted using the server’s public key.
request handling sequence
Request Handling Sequence
  • Message routed to Security
  • Decrypted and disassembled
  • Message and parts signatures verified
  • Gatekeeper checks message and context returns “go/no-go” based on rights
  • If go, Service is invoked, response returned to Security. If not – error handling routines.
  • Security assembles message, any derived licenses, and encrypts – returns to sender
design advantage
Design Advantage
  • Each server is independently implemented – only needs to agree on common protocols for services, and a common PKI for encryption and/or signatures.
  • New user is fully enabled when he gets his “credential.” There is no information propagation lag.
  • No single point of failure. Most information can be “cached” on each server, so no “global sign-on.”
  • Performance can be increased by adding servers (the grid computing argument)