3.6.5.3 Licensing Acquisition

  • Article

The following illustrates the exchange process of copying DRM licenses between an indirect license acquisition host and device during indirect license acquisition.

  1. The following steps are taken during indirect license acquisition:

    1. The indirect license acquisition host requests the device certificate.

    2. The device sends the device certificate, and the indirect license acquisition host validates it by checking against the certificate revocation list.

    3. The indirect license acquisition host creates a random session ID and an RC4 session key. The indirect license acquisition host encrypts the session key with the device public key from the device certificate.

  2. Assuming the AllowCopy right is enabled in the content license:

    1. The indirect license acquisition host verifies the device is capable of receiving the license. For instance, the device supports required features such as metering and enforcement of expiration dates.

    2. The indirect license acquisition host derives the device license—a license that is suitable for the device with similar or a subset of rights.

    3. The indirect license acquisition host encrypts the content key using the session key created in step 3.

    4. The indirect license acquisition host creates a hash of the license using SHA-1 and HMAC using the session key.

    5. The indirect license acquisition host builds a LICENSERESPONSE message including the encrypted=false attribute on each LICENSE node in the license response.

    6. The indirect license acquisition host calls the SetLicenseResponse MTP extension on the device. As part of the parameters, it includes the session key, session ID, and the DRM license.

  3. The device processes the response to SetLicenseResponse:

    1. The device derives a device symmetric key from the device private key using the SHA-1 algorithm.

    2. From the secure store, the device retrieves the previously stored session ID and encrypted session key (encrypted with the device symmetric key).

  4. The device compares the session ID in the secure store and the session ID in the response:

    1. If they match, the device uses the device symmetric key to decrypt the session key retrieved from the secure store.

    2. If they do not match, the device uses the device private key to decrypt the session key from the response, re-encrypts the session key using the device symmetric key, and stores the session ID and re-encrypted session key in the secure store.

    3. The device decrypts the content key using the session key from step 1-c.

    4. The device re-encrypts the content key using the device symmetric key.

    5. The device regenerates the license hash using SHA-1 and HMAC using the device symmetric key.

    6. The device stores the license in the license store.