An Improved Authentication Scheme for Digital Rights Management System

With the increasing number and popularity of digital content, the management of digital access rights has become a field of utmost importance. Through digital rights management systems (DRM-S), access to digital content can be defined, and for this an efficient and secure authentication scheme is required. DRM authentication schemes can be used to grant or restrict access to digital content. Very recently, in 2020, Yu et al. proposed a symmetric hash- and XOR-based DRM scheme and claimed that their system achieves both security and performance efficiency. Contrarily, in this study we argue that their scheme has several issues, including non-resistance to privileged insider and impersonation attacks. Moreover, we also show in this study that their scheme has an incorrect authentication phase and that, due to this incorrectness, the scheme of Yu et al. lacks user scalability. An improved scheme is then proposed to counter the insecurities and incorrectness of the scheme of Yu et al. We prove the security of the proposed scheme using BAN logic. For a clear picture of the security properties, we also provide a textual discussion on the robustness of the proposed scheme. Moreover, due to the usage of symmetric key-based hash functions, the proposed scheme has comparable performance efficiency.


Introduction
With the rapid expansion of computer technology, media of various types, such as software, music services, videos, photos, documents, and e-books, are combined and manipulated as digital content. With the invention of low-power devices, the distribution of such digital content around the globe has increased rapidly [1]. This rapid distribution demands an efficient digital rights management system to preserve the digital rights associated with the content. A serious concern is the downloading of content by unauthorized users, which is a big problem and a loss for the copyright owners. Thus, the protection of digital content is the major issue, and authentication is a necessary security requirement for preventing unauthorized access and making digital content available only to legitimate users. Digital rights management (DRM) systems are specifically designed environments that include an access control mechanism for the use of digital content [2,3]. The main purpose of a DRM system is to protect digital content and to make sure it is accessible only to valid users. Digital content services that include important data are conveyed through public channels, which are fully accessible to malicious users. Hence, for the secure transmission of digital content to a valid user through a public channel, strong authentication and key agreement schemes are needed [4][5][6].
In the immediate past, various authentication schemes have been proposed to ensure the privacy of the digital content and the user. In 2008, Chen [7] proposed a biometric-based authentication scheme for the DRM environment. Later on, Chang et al. [8] pointed out weaknesses, such as attackers being able to steal keys and access digital content without any permission, and proposed an improved system. Later on, Chang et al. [9] pointed out that [8] is insecure against stolen device attacks and proposed an improved scheme for DRM. Mishra et al. [10] proved that the scheme of Zhang et al. [11] was vulnerable to password guessing attacks and insider attacks and proposed an improved biometric-based scheme for DRM. In 2015, Jung et al. [12] proposed an ECC-based authentication scheme for DRM. In 2017, Jung et al. [12] presented a biometric-based authentication scheme for the DRM system. Later, in 2018, Lee et al. [13] proved that the protocol of [10] is susceptible to secret key disclosure, which leads to anonymity violation. Yu et al. [14] claimed that the method presented in [13] is insecure against user impersonation and device theft attacks and proposed an improved scheme to overcome the flaws of [13].
1.1. Adversarial Model. The main purpose of authentication schemes for DRM systems is to provide a scalable solution for the successful authentication of remote users. However, the authentication protocols should also withstand many active/passive attacks [15][16][17]. The analysis of attacks is based on the CK adversarial model [18], which is an extension of the DY model [19] with the following features:
(1) A valid user possesses the login credentials, namely identity, password, biometric, etc. The server keeps the master key [20,21].
(2) The public communication channel is in full control of the adversary.
(3) A legal user can be dishonest [22,23].
(4) A malicious user can extract the credentials saved in the smart card by applying a stolen-device attack.
1.2. System Model of DRM. A DRM system is a verification and access control method for accessing digital content. Figure 1 shows the common DRMS architecture, comprising four major entities: (1) the content writer/owner, (2) the content server, (3) the user, and (4) the license server.
(1) The user who wants to obtain digital content transmits an authentication request to the content and license servers. As soon as mutual authentication with the license server is successfully completed, access to the encrypted digital content is granted with the help of a secret key.
(2) The content server saves in its database the encrypted digital content received from the digital content creator; after that, an abstract of the content is accessible to users on the internet.
(3) The content generator/provider provides content generation services. The digital content is generated and encrypted with the secret key. This key is transmitted to the license server using the public channel, and the encrypted digital content is sent to the content server using a tunneled channel.
(4) The license server receives the secret key and stores it in its database. When a user requires the secret key of the encrypted digital content, the license server first authenticates that user and then sends the secret key of the content.

The Scheme of Yu et al.: A Review
The scheme of Yu et al. [14] is reviewed and briefly explained in this section; the notation used in this paper is given in Table 1.
2.1. User Registration Phase. The process to register a user U_m with the license server LS_j is depicted in Figure 2 and explained through the following steps:

A registered user U_m who wants to utilize the digital content DC initiates a mutual authentication request with LS_j, with the aim of attaining mutual authentication and obtaining the secret key K_C of DC. The steps involved in the login and authentication procedure are detailed in Figure 3 and explained as follows:

Cryptanalysis of Yu et al.'s Scheme
In [14], the informal analysis of Yu et al.'s scheme affirms that it is secure against well-known attacks. However, the following subsections demonstrate that the scheme presented in [14] has correctness issues, is weak against ephemeral secret leakage attacks, and does not provide anonymity.
Wireless Communications and Mobile Computing
and the license server may never create a session key. Hence, their scheme lacks the property of authentication and key agreement. The incorrectness case is depicted as follows:
(Inc 1) User U_m sends a login request by entering the password, identity, and biometric, and transmits Z_1, Z_2, Z_3, Z_US to LS_j (the license server).
(Inc 2) The license server (LS_j) receives the request message and computes
The computation of the above equation requires the X_m corresponding to the requesting user identity ID_m, which the license server does not know. Also, the request message sent by the user U_m does not include the identity of the requesting user. The license server computes the request without information about any designated user. In the same way, the license server sends the acknowledgment message without knowing to whom this message is to be sent.
The only case in which Yu et al.'s scheme can achieve authentication and key agreement is if the system has only one registered user. However, systems with a single registered user are not preferable in the real world. Therefore, Yu et al.'s scheme for facilitating digital rights management systems is incorrect, and this incorrectness shows that their system is not preferable for real-world deployments. Due to this, it is susceptible to user impersonation, server impersonation, and secret key leakage attacks. The attacks can be simulated by the following methods.
3.2.1. User Impersonation Attack. The internal adversary A gets ID_m and X_m from the database of the license server. Now the adversary A can impersonate U_m by adopting the following steps:
(IUA 4) The license server LS_j accepts the message ⟨Z_1, Z_2, Z_3, Z_AUS⟩ and verifies its legitimacy; the verification will be successful, as user verification does not take place on the license server LS_j.
(IUA 5) LS_j fetches the relevant K_C and computes Z_4 = R_2 ⊕ X_m, Z_5 = K_C ⊕ X_m, and Z_SU = h(ID_m ‖ X_m ‖ K_C ‖ R_2). LS_j sends the message {Z_4, Z_5, Z_SU} to A.
(IUA 6) A receives the message sent by LS_j and computes
The adversary successfully obtains the secret key K_C.
3.2.2. License Server Impersonation Attack. The privileged adversary SA steals ⟨ID_m, X_m⟩ from the database of LS_j. When U_m sends the message ⟨Z_1, Z_2, Z_3, Z_AUS⟩ to LS_j through the public channel, SA intercepts the message and impersonates a valid license server in the following way.
If the condition is true, LS_j picks the relevant K_C and creates a random nonce.
(ISA 4) SA sends the message {Z_4, Z_5, Z_ASU} to the user U_m.
(ISA 5) U_m verifies the message, and the verification will be successful; as a result, U_m obtains the secret key K EY ADC, which is in reality a forged key and will not work.

Proposed Scheme
To ensure privacy and security, and to remove the incorrectness in the scheme of Yu et al. [14], a new scheme is proposed in this section. The proposed scheme comprises three main phases, which are further divided into subphases. The details of the scheme are given in the following subsections.

Registration Phase.
To get access to the digital content, a user must register himself/herself to become a legitimate user. The steps to be followed, as shown in Figure 4, are as follows:

The Security Analysis
To describe the security of the proposed scheme, we have scrutinized it through formal and informal security analysis in the following subsections.

Authentication Proof Based on the Burrows-Abadi-Needham Logic (BAN Logic).
The security of the proposed scheme is formally analyzed in the standard model using the widely accepted Burrows-Abadi-Needham logic [24].

Postulates for BAN Logic.
Some of the logical postulates of BAN logic, together with their meanings, are given in Table 2.

Security Goal Establishment.
The established security goals and logical notations of BAN logic are given in Table 3.
Figure 5: Proposed login and authentication scheme.

Proposed Scheme's Idealized Form
Step 1. According to message 1:
Step 2. From the message meaning rule according to P1 and A3:
Step 3. According to the freshness rule with A1, we get
Step 4. From the nonce verification rule with P2 and P3, we get
Step 5. According to the belief rule with P4, we get
Step 6. From the jurisdiction rule with P5 and A5, we get
Step 7. According to M2, we obtain
Step 8. From the message meaning rule with P7 and A4, we get
Step 9. According to the freshness rule with A2, we get
Step 10. From the nonce verification rule with P9 and P10, we get
Step 11. According to the belief rule with P10, we get
Step 12. From the jurisdiction rule with P11 and A6, we get
According to Goal-X1 to Goal-X4, we have proved that our scheme attains secure mutual authentication between U_m and LS_j.

Informal Security Analysis.
To assess the security of the proposed scheme, we have also inspected it through informal security analysis.

Mutual Authentication.
Our proposed scheme provides mutual authentication by performing verification on both sides of the participating entities. The license server LS_j receives the login request message Msg_1 = (Z_1, Z_2, Z_US, PID_m, T_m) from U_m and verifies the authenticity of the user by checking M'_US ?= Z_US. If the condition holds, LS_j authenticates U_m and sends Z_3, Z_4, Z_5, Z_SU, T_cs to U_m. U_m receives the response message from LS_j and verifies whether M'_SU ?= Z_SU. If the condition holds, U_m authenticates LS_j; otherwise, it terminates the request. Hence, the proposed scheme successfully achieves the mutual authentication property.

Replay Attack.
Suppose that A hijacks the messages Msg_1 = (Z_1, Z_2, Z_US, PID_m, T_m) and Msg_2 = (Z_3, Z_4, Z_5, Z_SU, T_cs) in a selected session and tries to replay these hijacked messages after a while. Since every message contains a current timestamp, T_m or T_cs, a message whose timestamp is no longer timely will be rejected at LS_j or U_m, respectively. Furthermore, the value of ΔT is fixed very small, due to which it will be very difficult for the attacker A to replay the hijacked messages within the limit of ΔT. Hence, the proposed scheme is resilient against the replay attack.

Suppose that A has stolen the mobile device [25,26] of user U_m, or that U_m has lost the mobile device for some reason. Then A can extract the credentials {X'_m, PID'_m, Z_m} from the mobile device memory using power analysis attacks. After getting all these parameters, the attacker A will still not be able to obtain the useful parameters ID_m and PW_m, as these are protected through a collision-resistant hash function. Therefore, a lost/stolen mobile device will not affect the proposed authentication mechanism.
5.2.4. Anonymity and Untraceability. In the proposed scheme, the messages Msg_1 = (Z_1, Z_2, Z_US, PID_m, T_m) and Msg_2 = (Z_3, Z_4, Z_5, Z_SU, T_cs) of each session are distinct and non-repeating; every message includes a current timestamp, T_m or T_cs, and the random nonces R_1 and R_2. Hence, A will not be able to trace U_m and LS_j. Moreover, no single message contains the identities ID_m and ID_c. Hence, anonymity [27,28] is guaranteed in the proposed scheme.
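A runnable model of the mutual authentication exchange of 5.2.1 and the timestamp check of 5.2.2, added here as an illustration; it is not the paper's own code. Only the message layouts, the PID_m lookup, the ΔT window and the two verifications M'_US ?= Z_US and M'_SU ?= Z_SU follow the text; the masking and tag formulas for Z_1 to Z_5, Z_US and Z_SU, the PID rotation and the ΔT value are assumptions. The last function models the section 3.1 point that a request carrying no identity lets the server determine X_m only when a single user is registered.

```python
import hashlib
import os

DELTA_T = 2   # assumed freshness window ΔT, in seconds
PAD = 32      # masked values are padded to the 32-byte hash length

def h(*parts):  # collision-resistant hash over the concatenated inputs
    return hashlib.sha256(b"|".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class LicenseServer:
    def __init__(self):
        self.users = {}         # PID_m -> (ID_m, X_m), filled at registration
        self.content_keys = {}  # ID_c -> K_C, received from the content owner

    def register(self, pid, id_m, x_m):
        self.users[pid] = (id_m, x_m)

    def handle_login(self, msg1, now):
        """Msg_1 = (Z_1, Z_2, Z_US, PID_m, T_m); returns Msg_2 or None."""
        z1, z2, z_us, pid, t_m = msg1
        if abs(now - t_m) > DELTA_T or pid not in self.users:
            return None                          # stale/replayed, or unknown PID
        id_m, x_m = self.users[pid]              # PID_m is what makes X_m findable
        r1 = xor(z1, h(x_m, str(t_m).encode()))  # unmask the user's nonce R_1
        id_c = xor(z2, h(r1, x_m)).rstrip(b"\0")
        if h(id_m, x_m, r1, id_c, str(t_m).encode()) != z_us or id_c not in self.content_keys:
            return None                          # M'_US != Z_US: reject
        k_c, r2, t_cs = self.content_keys[id_c], os.urandom(PAD), now
        z3 = xor(r2, h(x_m, r1))
        z4 = xor(k_c.ljust(PAD, b"\0"), h(r1, r2, x_m))  # K_C delivered masked
        z5 = xor(h(pid, r2), h(r2, x_m))         # next PID_m, masked (untraceability)
        z_su = h(id_m, x_m, k_c, r2, str(t_cs).encode())
        self.users[h(pid, r2)] = self.users.pop(pid)  # rotate PID_m on success
        return (z3, z4, z5, z_su, t_cs)

class User:
    def __init__(self, id_m, pid, x_m):
        self.id_m, self.pid, self.x_m = id_m, pid, x_m

    def login_request(self, id_c, now):
        """Builds Msg_1 for content ID_c; keeps R_1 to check the reply."""
        self.r1 = os.urandom(PAD)
        z1 = xor(self.r1, h(self.x_m, str(now).encode()))
        z2 = xor(id_c.ljust(PAD, b"\0"), h(self.r1, self.x_m))
        z_us = h(self.id_m, self.x_m, self.r1, id_c, str(now).encode())
        return (z1, z2, z_us, self.pid, now)

    def accept_response(self, msg2, now):
        """Verifies Msg_2 = (Z_3, Z_4, Z_5, Z_SU, T_cs); returns K_C or None."""
        z3, z4, z5, z_su, t_cs = msg2
        if abs(now - t_cs) > DELTA_T:
            return None
        r2 = xor(z3, h(self.x_m, self.r1))
        k_c = xor(z4, h(self.r1, r2, self.x_m)).rstrip(b"\0")
        if h(self.id_m, self.x_m, k_c, r2, str(t_cs).encode()) != z_su:
            return None                          # M'_SU != Z_SU: reject
        self.pid = xor(z5, h(r2, self.x_m))      # adopt the rotated PID_m
        return k_c

def resolve_without_identity(server):
    """Yu et al.'s request has no identity: X_m is determinable only with one registered user."""
    return next(iter(server.users.values()))[1] if len(server.users) == 1 else None
```

A replayed Msg_1 fails twice over in this model: once on the ΔT check, and once because the PID_m it carries was rotated when the genuine request succeeded.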

Denial-of-Service Attack.
In the login and authentication phase, a valid user U_m inputs his/her identity ID_m, password PW_m, and biometric BIO_m into the mobile device. The mobile device recovers the secret biometric key corresponding to BIO_m as R_m = Rep(BIO_m, P_m). The mobile device then computes Z_m = h(ID_m ‖ PW_m ‖ R_m) and checks whether it equals the stored Z_m. If the condition is not met, the session is terminated immediately; in case of success, the session proceeds normally. Therefore, the proposed scheme resists denial-of-service attacks [29,30].

5.2.6. Man-in-the-Middle Attack.
In this type of attack, A grabs the messages being exchanged while the communication is taking place and tries to alter them into other valid messages, so as to deceive the recipient, who then treats the altered messages as normal, original messages. Suppose A grabs the messages Msg_1 and Msg_2. Due to the lack of knowledge of some parameters, such as ID_m, ID_c, X_m, and K_C, the attacker A will be unable to forge the messages Msg_1 and Msg_2. Hence, the proposed scheme resists the man-in-the-middle attack [31].

User Impersonation Attack.
Assume an attacker A tries to impersonate a message on behalf of a user U_m to the license server LS_j. A gets {X'_m, PID'_m, Z_m, h(·)} from the mobile device and {Z_1, Z_2, Z_US, PID_m, T_m} during the communication. Even if A tries to construct a message, it will not be possible, as he/she does not know the parameters ID_c, ID_m, and X_m, which makes it hard for the attacker to produce a valid message.
5.2.8. License Server Impersonation Attack. Assume an attacker A tries to impersonate a message on behalf of the license server LS_j to the user U_m. A gets {X'_m, PID'_m, Z_m, h(·)} from the mobile device and {Z_3, Z_4, Z_5, Z_SU, T_cs} during the communication. Even if A tries to construct a reply message on behalf of the license server LS_j, it will not be possible, as he/she does not know the parameters K_C, ID_m, and X_m, which makes it hard for the attacker to produce a valid reply. Hence, the proposed scheme is secure against impersonation attacks.

Automated Security Verification through ProVerif.
ProVerif is an automated security verification tool used to model a key agreement scheme and check mutual authentication and the confidentiality of the session key among the participating entities of the authentication scheme [32][33][34]. To verify the security of the proposed scheme, we have simulated and verified it through ProVerif. For the experiment, we have used two pairs of events, for U_i and LS_j, to check the authentication of each entity, respectively. The participant U_m uses two events, beginUi(bitstring) and endUi(bitstring), to authenticate the license server LS_j. Similarly, the events beginSj(bitstring) and endSj(bitstring) are used by the license server to authenticate the user U_m. The outcomes of the executed queries show that both participants communicate with each other successfully. The simulation results are shown in Figure 6, which exhibits that mutual authentication is successful and that communication between the valid participants is secure from the reach of any potential attacker A.

The Comparisons
This section provides security attribute and performance comparisons between the proposed scheme and the relevant schemes [10,13,14] in the corresponding subsections below.
6.1. Security Attributes. This subsection compares the security attributes of the proposed scheme with those of the relevant schemes presented in [10,13,14]. The comparison of the proposed scheme with the recent, related, and compared schemes [10,13,14] is depicted in Table 4. Referring to Table 4, all the compared proposals [10,13,14] are deficient in at least one security attribute. As per Table 4, it was already argued in [14] that the scheme of Mishra et al. [10] does not provide mutual authentication and resistance to impersonation. Moreover, the scheme of [10] is prone to theft/stolen mobile device attacks. The scheme of Yu et al. [14] does not provide anonymity of the mobile device/user. Similarly, in this paper we proved that the scheme of Yu et al. [14] has an incorrect login and authentication phase, which can work with only one user, and that it has weaknesses against privileged insider and impersonation attacks; due to these crucial issues, it cannot provide mutual authentication between a user and a license server.

Computation Cost.
For computation cost, we consider the experiment executed through the MIRACL library over a Redmo-Note-v8 mobile phone with 4 GB RAM and an octa-core microprocessor at 2.01 GHz. The operating system underlying the Redmo-Note-v8 is v-9-Andriod-MIUI-V:11.0.7. Moreover, to simulate a license server, we consider the running time computed over an HP:Elite-Book: P-8460 with an Intel-R-Core TM microprocessor at 2.7 GHz, 4 GB RAM, and LTS-16 Ubuntu-OS. Here, we denote by T_h the execution time of a hash operation and by T_f the time of a biohash/fuzzy extraction operation. T_h ≈ 0.009 ms for the mobile device and T_h ≈ 0.004 ms for the license server. Likewise, T_f ≈ 0.16 ms over the mobile device. To complete a round of authentication in the proposed DRM scheme, the user U_m executes {9T_h + 1T_f} operations, the server LS_j executes {6T_h}, and the whole process completes in ≈ 0.265 ms. The scheme of Yu et al. [14] completes the same in ≈ 0.213 ms. Likewise, in the scheme of Lee et al. [13], U_m and LS_j complete a round in ≈ 0.216 ms, and the scheme of Mishra et al. [10] completes the process in ≈ 0.243 ms. The proposed scheme has a slightly higher computation cost. However, only the proposed scheme provides the required security features.

Communication Cost.
The proposed and the relevant schemes are mainly based on hash functions in addition to exclusive-or. We adopted SHA-1, whose output length is 160 bits; all other parameters, including identities, pseudo-identities, timestamps, and passwords, are fixed at 32 bits in size. In the proposed scheme, the user initiates the request by sending ⟨Z_1, Z_2, Z_US, PID_m, T_m⟩, and the size of the request message is {160 + 160 + 160 + 32 + 32} = 544 bits. The response message sent by the server, ⟨Z_3, Z_4, Z_5, Z_SU, T_cs⟩, has size {160 + 160 + 160 + 160 + 32} = 672 bits. Therefore, the total communication cost of the proposed scheme is 1216 bits. The communication costs of the schemes of Yu et al. [14], Lee et al. [13], and Mishra et al. [10] are 1120 bits, 1120 bits, and 832 bits, respectively. The computation and communication costs are compared in Table 5.

Conclusion
In this paper, we first reviewed and then cryptanalyzed a recent authentication scheme for digital rights management systems (DRM-S) presented by Yu et al. We have proven that the scheme of Yu et al. lacks scalability due to its faulty design and is prone to privileged insider and impersonation attacks. Based only on a symmetric hash function and XOR, an improved DRM-S scheme is then proposed. The proposed scheme can cope with the changing security requirements of DRM-S, which is proved through formal BAN analysis and informal textual explanation. The proposed DRM-S authentication scheme completes the process of authentication between a user and a license server in 0.265 ms, exchanging 1216 bits between them.

Data Availability
No data is available for this study.

Conflicts of Interest
The authors declare that they have no conflicts of interest.