digital library transaction
Safeguarding Digital Library Contents and Users
Digital Library Security Requirements
At the beginning of each digital library transaction, both the publishers (or the custodians who take care of the transaction) and the readers will want to make sure that their respective partners really are the ones they claim to be, i.e. they have to authenticate each other.
In the commencement of digital library transaction, both the publishers (and a trustee who is involved in the transaction to take care of), and readers will want to ensure that their respective partners are indeed who they claim to be which mean that they have to authenticate each other.
Likewise, both publisher and reader will require that the content is authentic, i.e. that is has been really published by the given publisher, and that it is intact, i.e. that nobody has added to or deleted from the package. To be secure from eavesdroppers, the content never should be transmitted and stored in a readable format.
Similarly, the publisher and the reader will require that the content is authentic, the content has been really published by the given publisher that no one has added or removed from the package. To be secure from eavesdroppers, the content should not be transmitted and stored in a readable format.
It is often forgotten, but these authenticity and integrity requirements are not only applicable to the content, but also to a contract offer which may accompany the content and which states the terms and conditions under which a reader may use the content. The publisher may want to prove that the reader has accepted the terms, and the reader may want to have a signed copy of what he or is entitled to do.
It is often forgotten, but the requirements of authenticity and integrity not only applicable to the content, but also may bring the contents of the contract offer, and which provides the terms and conditions, under which the reader can use the content. Publishers may want to prove the reader to accept the terms and conditions and the reader may want to have a right to do signed copy.
Once a reader accepts the contract offer, both parties have to adhere to the terms and conditions. This may include the payment and the compliance to the copyright from the publisher's perspective, and the right to use the information from the reader's perspective.
Once readers accept the offer of the contract then both the publisher and the readers must adhere by the terms and conditions. That includes payment and compliance to the copyright from the perspective of publishers and the right to use the information from the reader's point of view. It may also be important for the privacy of the readers, no third party should be able to track that what content is being read by which reader.
Privacy of the readers may also be very important. No third party, and in some cases not even the publishers or custodians, should be able to track which piece of content is being read by which reader.
Digital library content items can be very large. In this case, it is often useful to decouple the distribution of information and its licensing by distributing encrypted bulk data and controlling the release of content through the key management. Then the distribution can take place over a cheap broadcast channel, and access to the content can be controlled via a separate non-broadcast channel. This separate channel is basically a "key-exchange" between a user's personal computer and a dedicated royalty/license clearing house. All conceivable ways of distributing the actual content data are now enabled; not just Internet, but also digital cable TV, satellite broadcast, CD-ROM publishing, etc. This concept, called "superdistribution" [MoKa90], gives the publisher a very flexible way to use the most appropriate distribution method.
The content items of the digital library may be very large so that the separation is often useful to distribute large amounts of data encryption and key management control content through the release of information distribution and licensing. Then, the distribution can take over a cheap broadcast channel to access the content can be controlled through a non-broadcast channels. This channel is basically a "key exchange" between the user's personal computer and dedicated the patent / license clearing house. The distribution of the actual contents of all the data, it is envisaged how to enable, not only the Internet, but also including digital cable TV, satellite broadcast, CD-ROM publication, and so this concept, known as "super distribution" that gives a very a flexible use of the most appropriate distribution method to the publisher.
The good news is that current technology provides enough building blocks to satisfy the requirements of both the readers and the publishers:
The good news is that the present technology provides a sufficient foundation to meet both the requirements of readers and publishers:
- Entity authentication provides for the authentication of publisher and reader.
- The authentication of the publisher and the reader are provided by the entity authentication.
- The integrity of content (and of any other information such as the contract offer and acceptance) can be checked using message authentication or by digital signatures.
- By using the message authentication or digital signatures, it can check the content, the contract offer and acceptance.
- Encryption provides for privacy and confidentiality of the content.
- The secrecy of the content is provided by encryption.
- Non-repudiation of an offer or contract can be provided by digital signatures (and a non-technical means to enforce the acknowledged contracts).
- The digital signatures can provide non-repudiation of offer or contract. ( and non-technical means, implementation of the recognized contracts). The non-offer, or tearing up the contract, you can provide a digital signature (and non-technical means, the implementation of a recognized contract).
- Copy protection of the content can be made at least less fragile by using digital marking on the content to identify the content owner, and/or to identify the user to whom the initial copy was given. Also, the user's computer program (his "viewer") may enforce copy protection. (Of course, this program should be trusted by the publisher and not (easily) tampered with.)
- The copy-protected content can be identified through the use of digital marking on the content to determine the content owner and identify the user to obtain a copy of the original. In addition, the user's computer program may be forced to copy protection.
There are diversity ways to deploy these techniques in the security systems and some of them are suitable for digital libraries.
If you are reading this paper with a Web browser like Netscape 3.0, you will notice the "key" icon in the lower left corner1.If the key is solid instead of broken, it means that you and the server are connected via an encrypted channel. You probably have encountered this state in the past if you have entered your credit card on a form. You may have wondered how this works.
If the user reading the file with the Web browser likes Netscape 3.0, there is the key at the bottom left corner. If the key is solid which indicate that the user and the server are connected by an encrypted channel.
At the beginning, your browser requested the server's public key certificate (from the server). This had been signed by a trusted agency. Your browser's manufacturer has seeded your browser with the public keys of agencies that you probably want to trust. Since the browser now knows and trusts the server's public key, it can now encrypt data sent to the server. However, rather than sending large amounts of data encrypted with these very slow public-key algorithms, your browser uses a very common technique: it picks a random key, encrypts it with the public key algorithm, sends it to the server, and proposes that the new secret key (called a session key) is used together with a fast symmetric encryption algorithm to protect the rest of the session.
At the beginning, the browser requests the server's public key certificate (from the server) which was signed by a trusted agency. The browser has been seeded by the browser's manufacturer with the public keys that you may want to trust. Because the browser now know and believe the server's public key, which can now encrypt the data sent to the server. However, rather than very slow with these public key encryption algorithm, your browser uses a very common technique- it will choose a random key, it is encrypted with the public key algorithm and send it to the server, and proposed that the new key (called a session key) is used together a fast symmetric encryption algorithm to protect the rest of the session.
It is also possible that the server could demand that your browser sent your personal public key certificate back to the server, so that it can be sure who it is talking to. Do you have one? If you are like most people, the answer is "no". (This feature has yet to be widely used by servers.)
It may also be a server can ask your browser to send your own public key certificate back to the server so that it can be sure who is talking to.
The key icon does not tell you whether you are using SSL or SHTTP, and in the broad brush above, both are equivalent. Secure Socket Layer, as its name implies, works at a very low level in the Internet Protocol, and all the protocols the Internet uses, like FTP, telnet, HTTP, etc., can be equally protected by SSL. In contrast, SHTTP is restricted to the HTTP protocol, the one used by the Web.
The key icon will not tell you whether to use SSL or SHTTP, a uniform above are equivalent. Secure Sockets Layer, by definition, works in a very low level of Internet protocols and all use of the Internet protocols such as FTP, Telnet, URL, etc. can also be protected by SSL. In contrast, SHTTP limited to HTTP protocol, the one used by the web.
SSL was initially developed by Netscape [FKK96], but is being submitted to the Internet Engineering Task Force (IETF) for validation. SSL is ignorant of the details of higher level protocols, and of what is being transported. This application-independence of SSL gives it much flexibility, but it has the disadvantage that it can only offer point-to-point protection of the data during the communication process itself. In both the source and destination systems, the data is in the clear. It is not within SSL's capabilities to protect the data when a host is compromised, or to detect and fix the problem when a key is compromised.
SSL was originally proposed by Netscape, but it is being submitted to the validation of the Internet Engineering Task Force (IETF). SSL is ignorant of the details of the higher level protocol and of what is being transported. This application to give it the independence of SSL for greater flexibility, but there is the disadvantage that point -to -point protection of the data can only be offered during the communication process. In the source and target systems, data is in the clear. It is not in SSL capabilities to protect the data when a host has been damaged, or detect and repair when the key is a compromised.
SHTTP [ReSch97] is more of an application protocol. SHTTP is a superset of HTTP and adds authentication, confidentiality, and integrity. The system is not tied to any particular cryptographic system, key infrastructure, or cryptographic format. Messages are encapsulated within SHTTP in various ways including encryption, signing, or authentication. Messages may encapsulated multiple times to achieve multiple security features. Header definitions for key transfer, certificate transfer, and similar administrative functions are provided.
SHTTP is more of an application protocol. SHTTP is a superset of HTTP, and to increase the authentication, confidentiality, and integrity. The system does not rely on any particular encryption system, key infrastructure, or encrypted format. Messages are encapsulated in SHTTP, including various forms of encryption, signing, or authentication. Messages may be encapsulated several packages to achieve a variety of security features. It can provide header definitions for key transfer, the transfer of certificates, and similar administrative functions.
SHTTP includes support for several key certification schemes. Key certifications can be provided in a message, or obtained elsewhere. As in SSL, client public keys are not required if client authentication is not needed.
SHTTP including several major certification program for their support. Certification can provide a critical information, or to obtain from elsewhere. Because SSL, the client's public key is not required if client authentication is not necessary.
A Secure HTTP message consists of a request or status line, followed by other Internet text message headers, and some content. The content can be raw data, a Secure HTTP message, or an HTTP message.
A secure HTTP message consists of a status line followed by Internet text message headers and some content. Content can be raw data, a secure HTTP message, or HTTP message.
So what is wrong with SSL/SHTTP for protecting the content and the users in the digital library? From the user's point of view, probably not much. In those protocols, your protection against eavesdroppers is excellent. The authenticity of the information is guaranteed, if you trust the server, because you know you are connected to it and not to an impostor. Perhaps the one drawback is that you are at the mercy of the server to describe the relationship: the terms and conditions.
What is wrong with SSL /SHTTP that protected content and digital library users? From viewpoint of the user, there may not much. In these protocols, the eavesdropping protection system is very good. The authenticity of the information is guaranteed, if the user trusts the server because they know that they are connected to it, not to an impostor. Perhaps the one drawback is that you are the mercy of the server to describe the relationship-- the terms and conditions.
But the major disadvantages of SSL/SHTTP are not to the user, but to the publisher and to the information custodian -- the librarian. In an SSL or SHTTP world, the publisher must run a secure server to guarantee authenticity. Many publishers are discovering that running, maintaining, and supporting servers are not their forte: they want to concentrate on the quality of their information, not to become a computer service bureau. Far better to let someone else worry about how their information gets sent to the end-users.
The main disadvantages of SSL / SHTTP are not to the user, but to publishers and information keeper - the library staff. Publishers must be running a secure server to ensure authenticity in an SSL or SHTTP world. Many publishers have found that operating, maintaining and supporting of the server are not their strengths—the publishers want to concentrate on the quality of the information, not to become as a computer services bureau. It is better to let someone else worry about how the information is sent to end-users.
Secondly, does encryption really provide copy protection? It protects against eavesdroppers, for sure, but the main attacks are likely to be from validly connected end-users who go on to redistribute the received data more than they are entitled to. End-users, of course, must be given the valid keys. Far better to protect content with digital marking (fingerprinting, watermarking). Because SSL and SHTTP both operate at too low a level, they cannot express the concept that a piece of content must be marked.
Secondly, the encryption that can provide the copyright protection? It is protection, yes, but the main attack on the possibility of an effective link from the end user who is on the re-allocation of the received data than they are entitled to against the eavesdropping. End-users must be given a valid key. It is far better in protecting content with digital marking (fingerprinting, watermarking). Because SSL and SHTTP are in too low operating, they cannot express the concept of content must be marked.
All the awkwardnesses that SSL and SHTTP present to publishers, they also present to librarians, with some additions. To provide the same integrity and authenticity guarantees to their patrons, the librarians must themselves run a secure server, managing not just the technical aspects the protocols, but also, to be responsible, physically secure environments -- locked rooms, electronic and physical limited access, etc. And how do the librarians possibly track the various terms and conditions of the different publishers and their various items of content?
All awkwardnesses of the SSL and SHTTP current publishers, they also present the librarians, some additional observations. In order to provide the same integrity and authenticity to ensure to their customers, librarians must operate a secure server, management is not only the technical aspects of the protocols, but also responsible to the physical secure environments: locked rooms, electronic and physical limited access, etc. And how the librarians could track a variety of terms and conditions of publishers and their various items of content?
Even in the digital world, the role of a library as a middle tier between publisher and consumer has many advantages. From a security point of view, the middle tier has to be fully integrated into the system in order to fulfill all security requirements of digital libraries.
We presented several possibilities for communication security systems and discussed their usability for digital library environments.
We have shown that the common security systems, which are useful to protect less complex, point-to-point transactions, have several weaknesses for digital libraries. On the other hand, secure container technology seems well suited to digital libraries. Secure containers also seem well suited to the old, established roles of information businesses, which more and more tend to be executed by digital means.
Even in the digital world, there are many advantages of the role of middle tier library among publishers and consumers and then from the viewpoint of security, the middle tier must be fully integrated into the system to meet all security requirements of digital libraries. In this paper, we demonstrated the various possibilities for communication security systems and discussed their usability for digital library environments. In the common security systems, which are useful to protect the not too complex, point-to-point transactions, a number of weaknesses in the digital library and then secure container technology seem well suited for digital libraries. Secure containers also seem to be suited to the old which more and more tend to be executed by digital means.
Need an essay? You can buy essay help from us today!