Building Rights Management Enabled Applications For Windows "Longhorn"
Steve Bourne, Chandramouli Venkatesh, Microsoft Corporation
Session Code: CLI372
Agenda
- Introduction: Microsoft Rights Management Technologies
- The Rights Management Problem Space
- RMS Fundamentals: Certification/Publishing/Licensing
- Windows RMS v2.0 features
- Case Study: Longhorn documents
- Demo
- Sample Code
Microsoft Rights Management
- Microsoft has a long history in the rights management space: digital music, eBooks, video
- There are two technologies for "DRM" at Microsoft:
  - Windows Rights Management Services (RMS)
  - Windows Media Rights Manager (WM RM)
- Developers should use WM RM for video, audio and streaming content
- Developers should use RMS for all other formats of data
- During this session we will focus on RMS
Defining The Problem…
Have you ever encountered this?
(Slide diagram, labels only: Access Control List, Yes, No, Perimeter)
Defining Our Solution
A Rights Management system must…
- Allow individuals and organizations to project usage policy onto the data that they own
- Specify rights and users for digital information of any type
- Provide persistent protection for organizational information
Rights Management cannot…
- Provide unbreakable, hacker-proof security: there is no silver bullet in software
- Protect against the analog loophole (see next slide…)
The Analog Loophole
Windows RMS Workflow
Parties: Information Author, The Recipient, RMS Server (backed by SQL Server and Active Directory)
1. Author receives an identity certificate the first time they rights-protect information
2. Author defines a set of usage rights and rules for their file; the application creates a "publishing license" and encrypts the file
3. Author distributes the file
4. Recipient clicks the file to open; the application calls the RMS server, which validates the user and issues a "use license"
5. Application renders the file and enforces rights
RMS 2.0 Vision
- Flexible, powerful trust model: seamless inter-organization exchange of RMS-protected information
- Broad ecosystem: search, antivirus, mail servers, document libraries
- Ease of use: a simple and consistent RMS end-user experience; simple RMS deployment and management
RMS 2.0 Key Features
- Inter-organizational collaboration scenarios: cross-company delegation of license issuance
- Pluggable authentication/identity systems: X.509, third-party authentication
- Shared RM UX that you can build into your app
- Easy deployment and management of RMS clients and servers
- Support for managed applications
- Support for trusted server applications
Longhorn Documents
Longhorn Documents, Part one: Windows Client Printer Driver (WCPD)
- Authoring tool; generates fixed-format Longhorn documents
- Exposes the rights UI
- Creates an unsigned publish license (System.Security.RightsManagement.UnsignedPublishLicense)
- Builds a project file for MSBuild to use; this project file refers to the unsigned PL file
Longhorn Documents, Part two: MSBuild
- The MSBuild Containerize task is invoked to package the document into the Avalon container
- The task initializes the RM environment, requests a signed publish license and embeds it in the container
- The task creates and embeds a use license for the author
- MSBuild encrypts the content of the container using System.IO.CompoundFile.RightsManagementEncryptionTransform
Longhorn Documents, Part three: Consumption in the Longhorn browser
- The Windows Client Platform Rights Enforcement Service (ES) initializes the RM environment
- ES looks for a use license in the file and requests one from the server if needed
- ES binds the use license and decrypts the content
- ES enumerates the use license and enables/disables Longhorn browser menu options accordingly
(Slide graphic: WinFX namespace map. Under System.Security it lists Authorization, AccessControl, Credentials, RightsManagement, Permissions, Policy, Principal and Token; the other security namespaces shown are System.Windows.TrustManagement, System.Web.Security and System.MessageBus.Security.)
RM API Basics
Namespaces to include:
- System.Security.RightsManagement: RM license services, RM license objects
- System.Security.SecurePlatform: core RM services, content consumption classes
Assembly to reference:
- Microsoft.RightsManagement.Rmclient.dll (in the GAC)
RMS Enabled App Outline
- Publishing Phase: content is RM-protected and distributed
- Consumption Phase: RM-protected content is obtained and consumed
Publishing Phase (Information Author with RM API and App; RMS Server with SQL Server and Active Directory; The Recipient)
1. Initialize the RMS environment
2. Encrypt the content with a symmetric key and author the publish license
3. Publish the content
4. Distribute the RMS-protected content
Publishing: Authoring the publish license
Describe the content you are RM protecting:

    UnsignedPublishLicense unsignedPublishLicense = new UnsignedPublishLicense();

    // set the resource id
    Resource resource = new Resource();
    resource.ID = "My Confidential IPO Memo";
    resource.IDType = "Title";

    // create a symmetric key to encrypt the content with
    // (DES is shown for the demo only; its 56-bit key is not adequate
    // protection for real content)
    DESCryptoServiceProvider desCSP = new DESCryptoServiceProvider();
    desCSP.GenerateKey();

    // encrypt the content "Hello World" with the above key
    // (EncryptMyContent is the sample's own helper, not part of the RM API)
    EncryptMyContent("Hello World", desCSP);

    // attach the content key to the resource so it is published with the license
    resource.ContentKey = desCSP;
Publishing: Authoring the publish license
Setting users and user rights for this content:

    // create a grant and tie it to the content/resource being protected
    unsignedPublishLicense.Grants.Add(new Grant());
    unsignedPublishLicense.Grants[0].Resource = resource;

    // add a new right and describe it
    unsignedPublishLicense.Grants[0].Right.Name = Right.WellKnownRightNames.EDIT;

    // add and describe the user being granted the right
    // (the authentication type and user name were cut off on the slide and are left unfilled)
    unsignedPublishLicense.Grants[0].User.SecurityIdentities[0].AuthenticationType =
        SecurityIdentity.WellKnownAuthenticationTypes. ;
    unsignedPublishLicense.Grants[0].User.SecurityIdentities[0].Name = ;

    return unsignedPublishLicense;
Publishing

    // initialize the environment
    // (securityIdentity identifies the publishing user and is set up before this point)
    securityContext = new SecurityContext();
    securityContext.UserIdentity = securityIdentity;
    securityContext.InitContext();

    // create the unsigned publish license (the AuthorPublishLicense method from the two previous slides)
    unsignedPublishLicense = AuthorPublishLicense();

    // create the PublishService object and call Publish; the signed PublishLicense
    // that comes back travels with the encrypted content to the recipient
    PublishService publishService = new PublishService();
    PublishLicense publishLicense = publishService.Publish(unsignedPublishLicense);
Consumption Phase (The Recipient with RM API and App; RMS Server with SQL Server and Active Directory; Information Author)
1. Obtain the RMS-protected content
2. Initialize the RMS environment
3. Obtain a use license for the RMS-protected content
4. Bind to the use license to consume the content
Consumption: Obtain a use license from the server

    // initialize the environment (securityIdentity is the consuming user)
    securityContext = new SecurityContext();
    securityContext.UserIdentity = securityIdentity;
    securityContext.InitContext();

    // create the UseLicenseService object
    UseLicenseService useLicenseSvc = new UseLicenseService(securityContext);

    // retrieve the publishLicense from the RM-protected content, then ask the
    // server for a UseLicense; the server validates the user before issuing it
    UseLicense useLicense = useLicenseSvc.GetUseLicense(publishLicense, null);
Consumption: Bind to the use license and consume the content

    // create a BindRequest object
    BindRequest bindRequest = new BindRequest(securityContext);

    // bind to the use license obtained from the server; the result is the set
    // of grants this user actually holds
    GrantCollection grantCollection = bindRequest.Bind(useLicense);

    // commit the bind after examining the grants, if need be
    CommittedGrant committedGrant = bindRequest.Commit(grantCollection[0]);

    // decrypt the content ("Hello World")
    byte[] decryptedData = committedGrant.Decrypt(encryptedData);

    // consume the decrypted content; the application is what enforces the
    // committed grant's rights on what it renders
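The exchange described in the workflow slide and in the Publishing and Consumption phases above, as an added example that is not code from the presentation or from the Longhorn RM API: a Python model of the message flow with both sides present (author and recipient applications on one side, the RMS server on the other). It keeps the shape of the slides' objects (resource, grants, publish license, use license) but stands in toy primitives for the real cryptography: a SHA-256 counter-mode keystream for the content cipher and the key wrapping, and an HMAC under a server secret for the server's signature. The class and function names, the users alice, bob and carol, and the memo text are constructed for this example. It shows three things the slides only state: the content key leaves the server only inside a use license wrapped to a certified user, a publishing license whose grants have been edited fails the server's signature check, and the recipient application, not the server, is what enforces the granted rights.

```python
"""Toy model of the RMS publish / use-license workflow from the slides (stdlib only).
Stand-ins, NOT the real RMS cryptography: a SHA-256 keystream plays the content
cipher and key wrapping; an HMAC under the server's secret plays its signature."""
import hashlib
import hmac
import json
import secrets


def _keystream(key, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def xor_crypt(key, data):
    """Stand-in symmetric cipher: encrypting and decrypting are the same step."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


class RmsServer:
    def __init__(self):
        self._key = secrets.token_bytes(32)  # stand-in for the server's private key
        self._users = {}                     # user -> key from their identity certificate

    def _mac(self, obj):
        return hmac.new(self._key, json.dumps(obj, sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()

    def certify(self, user):
        """Step 1: the user's identity certificate, modelled as a per-user key."""
        self._users[user] = secrets.token_bytes(32)
        return self._users[user]

    def publish(self, unsigned_pl):
        """Step 2 (PublishService.Publish): wrap the content key to the server, sign."""
        content_key = bytes.fromhex(unsigned_pl["content_key"])
        body = {"resource": unsigned_pl["resource"], "grants": unsigned_pl["grants"],
                "wrapped_key": xor_crypt(self._key, content_key).hex()}
        return {"body": body, "signature": self._mac(body)}

    def get_use_license(self, signed_pl, requester):
        """Step 4: check the license and the user, then issue a use license."""
        body = signed_pl["body"]
        if not hmac.compare_digest(self._mac(body), signed_pl["signature"]):
            raise PermissionError("publishing license failed signature check")
        if requester not in self._users:
            raise PermissionError(f"{requester} holds no identity certificate")
        rights = sorted(g["right"] for g in body["grants"] if g["user"] == requester)
        if not rights:
            raise PermissionError(f"{requester} has no grant on this content")
        content_key = xor_crypt(self._key, bytes.fromhex(body["wrapped_key"]))
        ul = {"user": requester, "rights": rights,  # key is now wrapped to the user
              "wrapped_key": xor_crypt(self._users[requester], content_key).hex()}
        return {"body": ul, "signature": self._mac(ul)}


def author_publish(server, title, plaintext, grants):
    """Publishing Phase, author side: encrypt, author the license, publish."""
    content_key = secrets.token_bytes(32)
    ciphertext = xor_crypt(content_key, plaintext)
    unsigned_pl = {"resource": {"ID": title, "IDType": "Title"},
                   "grants": grants, "content_key": content_key.hex()}
    return ciphertext, server.publish(unsigned_pl)  # both travel to the recipient


def consume(server, user, user_key, ciphertext, signed_pl, wanted_right):
    """Consumption Phase, recipient side: get a use license, bind, decrypt."""
    ul = server.get_use_license(signed_pl, user)["body"]
    # Bind: the application, not the server, enforces the rights it was granted.
    if wanted_right not in ul["rights"]:
        raise PermissionError(f"{user} holds {ul['rights']}, not {wanted_right}")
    content_key = xor_crypt(user_key, bytes.fromhex(ul["wrapped_key"]))
    return xor_crypt(content_key, ciphertext)


def demo():
    """Constructed scenario: alice may EDIT, bob may VIEW, carol has nothing."""
    server = RmsServer()
    keys = {u: server.certify(u) for u in ("alice", "bob")}
    grants = [{"user": "alice", "right": "EDIT"}, {"user": "bob", "right": "VIEW"}]
    ct, pl = author_publish(server, "My Confidential IPO Memo", b"Hello World", grants)
    results = {"alice_edit": consume(server, "alice", keys["alice"], ct, pl, "EDIT"),
               "bob_view": consume(server, "bob", keys["bob"], ct, pl, "VIEW")}
    # bob edits the publishing license to grant himself EDIT; the signature no longer matches
    forged = json.loads(json.dumps(pl))
    forged["body"]["grants"][1]["right"] = "EDIT"
    attempts = {"bob_edit": ("bob", pl, "EDIT"), "carol_view": ("carol", pl, "VIEW"),
                "bob_forged_edit": ("bob", forged, "EDIT")}
    for name, (user, lic, right) in attempts.items():
        try:
            consume(server, user, keys.get(user, b""), ct, lic, right)
            results[name] = "allowed"
        except PermissionError as err:
            results[name] = f"denied: {err}"
    return results
```

Call demo() to walk the scenario. The tampering case is the one to note: because the grants are covered by the server's signature, a recipient cannot promote VIEW to EDIT by editing the license that travels with the file. The final rights check in consume(), on the other hand, is only as trustworthy as the consuming application, which is exactly the limitation the analog-loophole slide is pointing at.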
What Is Coming…
- License Store, for better license management: CertStore.GetUseLicense(Resource);
- Publish License Templates, for power, expressiveness and convenience: new PublishLicense(Templates["confidential"]);
- Smart RM identity management: seamlessly support inter-org collaboration for RM content
- Common UI
The Fine Print
- Information protected on the PDC build will not be consumable on future builds
- Development purposes only
Summary
- Think about how you can enhance your own applications with the information protection and policy made possible by RMS
- Start building apps with the RMS APIs in the PDC build
- Plan for future RM features
- Tell us what you think!
Community Resources: Get Your Questions Answered!
- Send us comments and questions
- For WM RM:
- Send us feedback! What do you like? What's missing? What did you have problems with?
© Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.