Page 1: TechNet Security Summit 2004

Rights Management Services

Jimmy Andersson, Principal Advisor
Q Advice AB
jimand@qadvice.com

Page 2: Agenda

• Part 1: Overview – Business Value
• Part 2: Components
• Part 3: Key Flow (if we have time)

Page 3: Clarification

• DRM - Digital Rights Management
• RMS - Rights Management Services
• IRM - Information Rights Management
• RMA - Rights Management Add-on

Page 4: Part 1: Overview

• Define the problem
• Windows Rights Management Services
  – Overview
  – Scenarios
  – Demo
  – Infrastructure requirements

Page 5: Today (diagram: an ACL answers yes/no at the perimeter)

Page 6: Today's Policy

• Today, most communication policies only exist on paper
• It's easy to unintentionally forward e-mails & documents
• It's easy to intentionally share/sell plans with competitors, press, Internet

Page 7: Windows Rights Management Services (RMS)

Windows platform information protection technology

• Better safeguard sensitive information
  – Keeps internal information internal
  – Protected information can only be viewed by authorized users
  – Establishes an audit trail to track usage of protected files
  – Augments existing perimeter-based security technologies
• Persistent protection
  – Protects your sensitive information, no matter where it goes
  – Protected information is encrypted with AES 128-bit encryption
  – Enforces organizational policy digitally via RMS templates
  – Users can easily define how the recipient can use their information
  – Sample rights include view, read-only, copy, print, save, forward, modify, and time-based
• Flexible and customizable technology
  – Integrates with familiar applications and is easy to use
  – Utilizes familiar e-mail names & groups (distribution lists in AD)
  – Provides the flexibility to designate full control to a named group of users
  – Enables custom solutions through SDKs

Page 8: Components (quick overview)

• Server
  – Windows Rights Management Services (RMS)
    • A Windows Server 2003 information protection service
• Desktop
  – Updates to Windows client
    • Rights Management APIs for Windows 98SE+
    • "Rights Management Add-on for Internet Explorer"
  – RMS-enabled applications
    • Any application which has utilized the RMS SDK
    • Office 2003 is the first Enterprise app to implement RM
• Software Development Kit
  – For both client-based and server-based development

Page 9: Windows RMS Workflow

Diagram: Author, Recipient, RMS Server, Database Server, Active Directory.

1. Author receives a client licensor certificate the "first time" they rights-protect information.
2. Author defines a set of usage rights and rules for their file; the application creates a "publishing license" and encrypts the file.
3. Author distributes the file.
4. Recipient clicks the file to open it; the application calls the RMS server, which validates the user and issues a "use license."
5. Application renders the file and enforces the rights.

Page 10: RMS Usage Scenarios

Protect Sensitive Files (Word 2003, PowerPoint 2003, Excel 2003, Windows RMS)
• Control access to sensitive plans
• Set level of access: view, change, print, etc.
• Determine length of access

Do-Not-Forward E-mail (Outlook 2003, Windows RMS)
• Keep executive e-mail off the Internet
• Reduce internal forwarding of confidential information
• Templates to centrally manage policies

Safeguard Intranet Content (IE with RMA, RMS SDK, Windows RMS)
• Safeguard financial, legal, HR content
• Set level of access: view, print, export
• View Office 2003 rights-protected info

Keep Internal Information Internal

Page 11: DEMO

Page 12: Scenario 1: Protecting Sensitive E-mail

Pages 13–18: (no extractable text)

Page 19: Receiving rights-protected E-mail

Pages 20–24: (no extractable text)

Page 25: (text of the e-mail shown in the demo)

Thank you for the advance notice of the pending changes. I will provide you with the requested feedback by noon tomorrow.

Carol

Page 26: Protecting Sensitive Information in Word 2003

Pages 27–29: (no extractable text)

Page 30: (names shown in the demo: Research Division (All); Cynthia Randall; Adam Barr)

Page 31: (date shown in the demo: 12/03/2004)

Pages 32–33: (no extractable text)

Page 34: Opening a Rights-Protected Document

Pages 35–46: (no extractable text)

Page 47: Intranet Scenario

Pages 48–65: (no extractable text)

Page 66: RMS Will NOT …

• …provide unbreakable, hacker-proof security
• …protect against analog attacks

Page 67: Technology Requirements

Server
– Windows Server 2003 running RMS
  • Standard, Enterprise, Web or Datacenter Editions
– Active Directory® directory service
  • Windows Server 2000 or later
  • Provides a well-known unique identifier for each user
  • The e-mail address property for each user must be populated
– Database Server
  • Stores configuration data & use license requests
  • Microsoft SQL Server™ or similar
    – Per Proc or with SQL CALs
  • MSDE (single server deployments)

Client
– Windows desktop with RMS client software
– An RMS-enabled application
  • Required for creating or viewing rights-protected content.
  • Microsoft Office 2003 includes RMS-enabled applications – Word, Excel, PowerPoint, Outlook
    – Office 2003 Professional is required for creating or viewing rights-protected content
    – Office 2003 Standard allows users to view, but not create, rights-protected Office content.
  • Internet Explorer with the Rights Management Add-on (RMA) allows users to view rights-protected content

Page 68: Part 1: Summary

• RMS enables customers to keep internal information internal
• Key benefits:
  – Safeguards sensitive internal information
  – Augments existing perimeter security technologies
  – Digitally enforces organization policies
  – Persistently protects information
  – Easy to use
• RMS availability: www.microsoft.com/rms

Page 69: Part 2: RMS Components

Page 70: Components of RMS

• RMS Client Lockbox
• RMS Client APIs
• RMS Certificates & Licenses
• RMS-Enabled Applications
• RMS Server
• MSN RMS Services
• Rights-Protected Information
• Supporting Technologies for RMS
• How Does RMS Client Validate Your Access?

Page 71: RMS Client Lockbox

• Lockbox is a unique, per-machine, Microsoft-generated DLL (by servers at MSN)
• Lockbox contains the private key for the machine, bound to the HWID for that machine
• HWID is based on computer parameters such as:
  – Disk geometry, network card address, processor type
• Lockbox (secrep.dll) performs critical RMS functions on the client:
  – Validate machine against HWID
  – Validate applications (manifest check)
  – Authenticate & validate users
  – Encryption/decryption (has its own DES & AES128 implementations)

Page 72: RMS Client Components & APIs

• Client components & their APIs are the glue between RMS-enabled applications and the lockbox
  – Msdrm.dll, Msdrmhid.dll, Msdrmctrl.dll
• All RMS-enabled applications perform their work through these APIs, and any application can program to these APIs (Client SDK), e.g.:
  – Requesting machine activation
  – Finding RMS services
  – Requesting and parsing licenses & certificates
  – Managing licenses (enumerate, store)
  – Creating offline publishing licenses
• Client components call the lockbox to perform the security operations

Page 73: Certificates and Licenses

• Machine Certificate – Identifies a trusted PC and contains the unique public key for that machine (one for each PC)
• RM Account Certificate (RAC) – Names a trusted user identity (e-mail address) and contains the public-private key pair for that user (one per user on a PC); the private key is encrypted with the machine's public key.
• Client Licensor Certificate (CLC) – Names a trusted user that is authorized to publish RMS-protected information without requiring connectivity to an RMS server. Allows the user to sign Publishing Licenses and owner Use Licenses via the Lockbox (one per user on a PC).
• Publishing License – Issued by either an RMS server or by a CLC through the lockbox, it defines the policy (names principals, rights & conditions) for acquiring a Use License for rights-protected information, and contains the symmetric key that encrypted the rights-protected information, itself encrypted to the public key of the RMS server that will issue Use Licenses.
• Use License – Issued only by an RMS server, it grants an authorized principal (user with a valid RAC) rights to consume rights-protected information based on the policy established in the Publishing License.
• Revocation Lists – Names principals (mainly public keys) that are no longer trusted by the RMS system. Use Licenses can require a fresh revocation list to be present before any RMS-enabled application can decrypt the information.

Diagram: Machine Certificate, RM Account Certificate, Client Licensor Certificate, RMS Licensor Certificate (or CLC), RM Publishing License, RM Use License, Lockbox DLL, Revocation List (revoke RAC key).

Page 74: RMS-Enabled Applications

• RMS-enabled applications may implement RMS features such as pre-licensing, content access, certificate requests
• Applications can be based on the Server SDK (e.g. the sample "RMS-enabled SPS server" from the Server SDK)
• Applications can be based on the Client SDK (e.g. Office Word 2003, Office Outlook 2003, RMA)
• Applications need to have all RMS-enabled libraries and executables listed in the application manifest, which is signed with an RMS code-signing private key
• The signature is included in a manifest (XML file) for the application
  – The manifest is a signed XML file containing hashes of all listed files
  – The manifest should include all files that call RMS Client APIs
• RMS Client APIs validate the hashes in the manifest against all listed files before unlocking rights-protected information

Page 75: RMS Server Architecture

• RMS server is an ASP.NET Web service
  – Protocol is SOAP over HTTP/HTTPS
  – Internet Information Server (IIS) 6 only
  – Single request/response transaction model
  – Stateless for most requests – all processing on the front end
  – Relational database such as SQL Server (or MSDE) used for configuration & logging
• Requests
  – Client Machine Activation: one-time process to create and download a lockbox per machine
  – Certification and Client Enrollment: binding a user key pair to a specific machine; one time per user per machine
  – Licensing: requesting a license to use a piece of content ("Use License"); one time per content per user
• XrML-based input/output
• Pluggable Crypto Provider

Page 76: RMS Server Components

• RMS Server is an ASP.NET application
  – Uses AD for authenticating users, determining e-mail addresses for users, confirming membership of users in groups
  – Uses MSMQ to forward logging entries to SQL Server
  – Uses SQL Server to store RMS configuration, the AD group expansion cache, and all logged client activities
  – Uses IIS (Windows Integrated authentication) to authenticate all users

Page 77: MSN RMS Services

• MSN hosts necessary services to support Windows RMS
  – Server enrollment & machine activation service
• MSN also hosts the "trial" Passport certification service (for Office 2003 users)
  – Certification service
  – License service
• The trial service gives people a chance to try Rights Management Services features without deploying an Enterprise RMS

Page 78: Rights-Protected Information

Diagram of a rights-protected file:
• Publishing License (created when the file is protected)
  – Rights info with e-mail addresses
  – Content Key (a big random number), encrypted with the server's public key
• The content of the file (text, pictures, metadata, etc.), encrypted with the Content Key, a cryptographically secure 128-bit AES symmetric encryption key
• End User Licenses (only added to the file after the server licenses a user to open it)
  – Rights for a particular user
  – Content Key, encrypted with the user's public key

E-mail ULs are stored in the local RMS license cache, not in the e-mails directly.
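The key flow that the workflow slide (page 9), the certificates slide (page 73) and this slide describe, as an added example in Go. It is not code from the deck or from Microsoft's RMS: XrML, SOAP, the lockbox and the certificate chain are left out, and the names Publish, IssueUseLicense, Consume, Rights, PublishingLicense, UseLicense and ProtectedFile are this example's own. It assumes AES-GCM as the mode (the deck states only "AES 128 bit"), RSA-OAEP for wrapping the content key, and a map of e-mail address to rights as the policy. The point it shows is structural: the content key is wrapped only to the server, so a recipient the publishing license does not name never receives it, and a recipient who is named gets a use license that the application checks right by right before decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Rights an author can grant; a constructed subset of the deck's sample rights.
type Rights uint8

const (
	RightView Rights = 1 << iota
	RightPrint
	RightForward
)

// PublishingLicense: policy in the clear, content key wrapped to the RMS server key
// (constructed struct; the real artefact is XrML).
type PublishingLicense struct {
	Policy        map[string]Rights // principal e-mail -> granted rights
	WrappedKeySrv []byte            // content key, RSA-OAEP to the server public key
}

// UseLicense: the same content key re-wrapped to the user's (RAC) public key.
type UseLicense struct {
	Principal     string
	Rights        Rights
	WrappedKeyUsr []byte
}

// ProtectedFile: AES-GCM ciphertext plus the publishing license that travels with it.
type ProtectedFile struct {
	Nonce, Ciphertext []byte
	PL                PublishingLicense
}

func wrap(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

func unwrap(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Publish is workflow step 2 (author side): random 128-bit content key, encrypt the
// content, wrap the key so that only the server can hand it out later.
func Publish(content []byte, policy map[string]Rights, serverPub *rsa.PublicKey) (*ProtectedFile, error) {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := wrap(serverPub, key)
	if err != nil {
		return nil, err
	}
	return &ProtectedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, content, nil),
		PL: PublishingLicense{Policy: policy, WrappedKeySrv: wrapped}}, nil
}

// IssueUseLicense is workflow step 4 (server side): a principal the policy does not
// name gets nothing; otherwise unwrap with the server key and re-wrap to the user key.
func IssueUseLicense(pl PublishingLicense, serverPriv *rsa.PrivateKey, principal string, userPub *rsa.PublicKey) (*UseLicense, error) {
	rights, ok := pl.Policy[principal]
	if !ok {
		return nil, errors.New("principal is not named in the publishing license")
	}
	key, err := unwrap(serverPriv, pl.WrappedKeySrv)
	if err != nil {
		return nil, err
	}
	wrapped, err := wrap(userPub, key)
	if err != nil {
		return nil, err
	}
	return &UseLicense{Principal: principal, Rights: rights, WrappedKeyUsr: wrapped}, nil
}

// Consume is workflow step 5 (recipient side): the application names the right it is
// about to exercise and only decrypts if the use license grants it.
func Consume(f *ProtectedFile, ul *UseLicense, userPriv *rsa.PrivateKey, want Rights) ([]byte, error) {
	if ul.Rights&want != want {
		return nil, fmt.Errorf("use license for %s does not grant right %d", ul.Principal, want)
	}
	key, err := unwrap(userPriv, ul.WrappedKeyUsr)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
}

func main() {
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	aliceKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	policy := map[string]Rights{"alice@example.invalid": RightView} // constructed: view only
	f, _ := Publish([]byte("Q3 plan (constructed sample content)"), policy, &serverKey.PublicKey)
	ul, _ := IssueUseLicense(f.PL, serverKey, "alice@example.invalid", &aliceKey.PublicKey)
	text, _ := Consume(f, ul, aliceKey, RightView)
	fmt.Printf("view: %q\n", text)
	_, err := Consume(f, ul, aliceKey, RightPrint)
	fmt.Println("print:", err)
}
```

Two properties worth checking against the slides: the rights in the publishing license are not secret (the deck shows them in the clear with the e-mail addresses), so confidentiality rests entirely on the wrapped content key; and the use license check in Consume is the application's job, which is why the deck insists on validated, manifest-signed applications.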

Page 79: Technologies Supporting Windows RMS

• AD & LDAP – Store user accounts, DLs, provide directory of e-mail addresses, SCP location
• .NET Framework & ASP.NET – Application environment for all critical RMS server application code
• MSMQ & DB – Stores RMS configuration information, user key pairs, activity logs, cache of AD groups for expansion
• XrML – Standard* in which all the licenses and certificates are structured
• SOAP – Protocol standard for all message exchanges between client and server, server and MSN, and client and MSN
• UDDI – Directory for finding the MSN RMS services

Page 80: How Does the RMS Client Determine You're Allowed to Access Content?

• Validate that the RAC and UL are "trusted"
  – File hasn't been altered since signing (encrypted hash matches current hash)
  – Digital signature on RAC/UL – validate that the signing key matches the signature (RSA)
  – Check that the signature chains to the MSN root server
  – Lockbox knows which hierarchy (production, test) it's a member of, and knows the public key for the hierarchy
• Validate the RMS-enabled application
  – Extract the manifest for the app (signed list of all DLLs and their hashes)
  – Check that the hash of every file in the manifest equals the hash listed in the manifest
• Validate the user's rights – each app has to request specific rights to open a doc – the RMS client ensures the user has those rights before granting access
• If it's a permanent Windows RAC, it also validates the logged-on user's SID against the SID in the RAC
• You can't use a RAC or server private key to sign an app – the RMS client checks that the signing key was issued by the right kind of server (i.e. issued by an RMS app-signing CA)
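The application check from this slide and from the RMS-Enabled Applications slide (page 74), as an added example in Go; it is not code from the deck or from the RMS client. The real manifest is signed XML checked inside the lockbox; here the manifest is a constructed line-per-file list of SHA-256 hashes signed with RSA PKCS#1 v1.5, the files live in an in-memory map instead of on disk, and the names FileSet, Manifest, SignManifest and ValidateApplication are this example's own. The two decisions the slide lists are kept in order: the signature must come from a key accepted for app signing (a RAC or server key is refused), and every listed file must still hash to the manifest's value.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// FileSet stands in for the application's on-disk files (constructed, in memory).
type FileSet map[string][]byte

// Manifest lists every file that calls the RMS client APIs with its hash, and
// carries a signature over the list. Constructed encoding, not the real XML.
type Manifest struct {
	Hashes    map[string]string // file name -> hex SHA-256
	Signature []byte
}

func hashBytes(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// canonical renders the list deterministically so signer and verifier hash the same bytes.
func canonical(hashes map[string]string) []byte {
	names := make([]string, 0, len(hashes))
	for n := range hashes {
		names = append(names, n)
	}
	sort.Strings(names)
	var sb strings.Builder
	for _, n := range names {
		fmt.Fprintf(&sb, "%s=%s\n", n, hashes[n])
	}
	return []byte(sb.String())
}

// SignManifest is the vendor-side step: hash every file, sign the list with the
// RMS code-signing private key.
func SignManifest(files FileSet, signingKey *rsa.PrivateKey) (*Manifest, error) {
	m := &Manifest{Hashes: make(map[string]string, len(files))}
	for name, data := range files {
		m.Hashes[name] = hashBytes(data)
	}
	digest := sha256.Sum256(canonical(m.Hashes))
	sig, err := rsa.SignPKCS1v15(rand.Reader, signingKey, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	m.Signature = sig
	return m, nil
}

// ValidateApplication is the client-side check before unlocking content: the
// signature must verify under one of the accepted app-signing keys (standing in
// for "issued by an RMS app-signing CA"), then every listed file must be present
// and unmodified.
func ValidateApplication(m *Manifest, files FileSet, appSigningKeys []*rsa.PublicKey) error {
	digest := sha256.Sum256(canonical(m.Hashes))
	signed := false
	for _, pub := range appSigningKeys {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], m.Signature) == nil {
			signed = true
			break
		}
	}
	if !signed {
		return errors.New("manifest is not signed by an RMS app-signing key")
	}
	for name, want := range m.Hashes {
		data, ok := files[name]
		if !ok {
			return fmt.Errorf("%s is listed in the manifest but missing", name)
		}
		if got := hashBytes(data); got != want {
			return fmt.Errorf("%s has been modified since the manifest was signed", name)
		}
	}
	return nil
}

func main() {
	appSigner, _ := rsa.GenerateKey(rand.Reader, 2048)
	trusted := []*rsa.PublicKey{&appSigner.PublicKey}
	app := FileSet{"viewer.exe": []byte("constructed exe bytes"), "rmhelper.dll": []byte("constructed dll bytes")}
	m, _ := SignManifest(app, appSigner)
	fmt.Println("pristine:", ValidateApplication(m, app, trusted))
	app["rmhelper.dll"] = []byte("patched dll bytes") // simulate a modified helper DLL
	fmt.Println("tampered:", ValidateApplication(m, app, trusted))
}
```

The order matters: hashes are only meaningful once the signature has tied the list to a trusted signer, which is why the key check runs first and why a manifest signed with a RAC key fails before any file is hashed.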

Page 81: Summary & More Information

http://www.microsoft.com/rms
jimand@qadvice.com

Page 82: Q&A