With the increasing number and popularity of digital content, the management of digital access rights has become an utmost important field. Through digital rights management systems (DRM-S), access to digital contents can be defined and for this, an efficient and secure authentication scheme is required. The DRM authentication schemes can be used to give access or restrict access to digital content. Very recently in 2020, Yu et al. proposed a symmetric hash and xor-based DRM and termed their system to achieve both security and performance efficiency. Contrarily, in this study, we argue that their scheme has several issues including nonresistance to privileged insider and impersonation attacks. Moreover, it is also to show in this study that their scheme has an incorrect authentication phase and due to this incorrectness, the scheme of Yu et al. lacks user scalability. An improved scheme is then proposed to counter the insecurities and incorrectness of the scheme of Yu et al. We prove the security of the proposed scheme using BAN logic. For a clear picture of the security properties, we also provide a textual discussion on the robustness of the proposed scheme. Moreover, due to the usage of symmetric key-based hash functions, the proposed scheme has a comparable performance efficiency.

1. Introduction

The rapid expansion of computer technology and media of various types such as software, music services, videos, photos, documents, and e-books is combined and manipulated as digital contents. With the invention of the low power devices, the distribution of such digital content along the globe is increased rapidly [1]. This rapid distribution demands an efficient digital rights management system to be utilized to preserve the digital rights associated with the content. A serious concern is the downloading of the contents by unauthorized users, which is a big problem and deprivation for the copyright owners. Thus, the protection of the digital contents is the major issue, and authentication is a very necessary security requirement for the prevention of unauthorized access and making the availability of the digital contents to the only legitimate users. Digital right management (DRM) systems are specifically designed environments that include some access control mechanism for the use of the digital content [2, 3]. The main purpose of the DRM system is to provide protection to the digital contents and to make sure these are only accessible to valid users. Digital content services that include important data are conveyed through the public channels, which are fully accessible to malicious users. Hence, for the sake of secure transmission of the digital contents to the valid user through the public channel, strong authentication and key agreement schemes are needed [46].

In the immediate past, various authentication schemes have been proposed to make sure the privacy of the digital content and user. In 2008, Chen [7] proposed a biometric-based authentication scheme based on biometric for DRM environment. Later on, Chang et al. [8] pointed weaknesses such as attackers can steal keys and can access digital content without any permission and proposed an improved system. Later on, Chang et al. [9] pointed that [8] is insecure against stolen device attacks and proposed an improved scheme for DRM. Mishra et al. [10] proved that the scheme of Zhang et al. [11] was vulnerable to password guessing attacks and insider attacks and proposed an improved biometric-based scheme for DRM. In 2015, Jung et al. [12] proposed an ECC-based authentication scheme for DRM. In 2017, Jung et al. [12] presented a biometric-based authentication scheme for the DRM system. Later in 2018, Lee et al. [13] proved that the protocol of [10] is suspected to the secret key disclosure which leads to anonymity violation. Yu et al. [14] claimed that the method presented in [13] is insecure against user impersonation and device theft attack and proposed an improved scheme to overcome the flaws of [13].

1.1. Adversarial Model

The main purpose of authentication schemes for DRM systems is to provide a scalable solution for remote user successful authentication. However, the authentication protocols should oppose many active/passive attacks [1517]. The analysis of attacks is based on the CK adversarial model [18], which is an extension of the DY model [19] with the following features: (1)A valid user can possess the login credentials, namely, identity, password, biometric, etc. The server keeps the master key [20, 21](2)A public communication channel is in full control of the adversary(3)A legal user can be dishonest [22, 23](4)Any malicious user can extract saved credentials in the smart card by applying a stolen attack

1.2. System Model of DRM

DRM system is a verification and access control method to access digital content. Figure 1 shows the DRMS common architecture comprising of four major entities: (1) the content writer/owner, (2) content server, (3) the user, and (4) license sever. (1)The user who wants to obtain digital content transmits an authentication ask to the content and license servers. As soon as mutual authentication with the license server is successfully completed, reach to the encrypted digital content is issued with the help of a secret key(2)The content server saves the encrypted digital content in its database receive by the digital content creator and after that abstract of the content is accessible to the users on the internet(3)The content generator/provider provides content generation services. The digital content is generated and encrypted by the secret key. This key is transmitted to the license server using the public channel, and also encrypted digital content is also sent to the content server using a tunneled channel(4)The license server receives the secret key and stores it in its database. When a user requires the secret key of the encrypted digital content, the license server first authenticates that user and then sends the secret key of the content

2. The Scheme of Yu et al.: A Review

The scheme of Yu et al. [14] is reviewed and briefly explained in this section and the notation guide which is used in this paper is depicted in Table 1.

2.1. User Registration Phase

The process to register a user with the license server is depicted in Figure 2 and explained through the following steps: (RG1)user chooses his/her identity , password , and marks biometrics . After that calculates , and = and dispatches to -license server via private channel(RG2)license server on receiving request containing by calculates =, =, and =. saves and within its database and replies the registration request message via private channel(RG3) receives the message from saves in its mobile device memory

2.2. Login and Authentication Phase

A registered user who wants to utilize the digital content initiates a mutual authentication request with with an aim to attain mutual authentication and obtain the secret key of the . The steps involved in the login and authentication procedure are detailed in Figure 3 and explained as follows: (LAA 1) enters his/her apir and submits . After that, calculates =, =, =, and = and compare if . If the condition is true, creates randomly and calculates , , , and . Then, the user initiates the request message through public channel to (LAA 2) receives the request message sent by and calculates , , , and and verifies if . If the condition is true, picks relevant , creates random nonce , and calculates , and . At the end, sends the message to user directly through public channel(LAA 3) receives the response message from and calculates , , and . At the end user, verifies if and saves in the device

3. Cryptanalysis of Yu et al.’s Scheme

In this section, through the informal analysis of Yu et al.’s scheme [14], it is affirmed that their scheme is secure against well-known attacks. However, the following subsections demonstrate that the scheme presented in [14] is having correctness issues, is weak against ephemeral secret leakage attacks, and does not provide anonymity.

3.1. Incorrectness

The authentication phase of Yu et al.’s scheme cannot end normally, and the license server and user may be unable to share any key at all. The user in the Yu et al. scheme after initiating an authentication message to the license server may never receive an acknowledgment, and the license server may never create a session key. Hence, their scheme lacks the property of authentication and key agreement. The depiction of incorrectness case is as follows: (Inc 1)user sends a login request by entering password, identity, and biometric, and transmits to (the license server)(Inc 2)license server receives the request message and computes

The computation of the above equation requires the corresponding requesting user identity , which the license server does not know. Also, the request message sent by the user does not include the identity of the requesting user. The license server computes the request without the information of any designated user. In the same way, the license server sends the acknowledgment message without knowing to whom this message is to be sent.

The only case in which Yu et al.’s scheme can achieve the authentication and key agreement in the view is if the system has only one registered user. Hence, systems with a single registered user are not preferable in the real world. Therefore, Yu et al.’s scheme for facilitating digital rights management systems is incorrect, and this incorrectness shows that their system is not preferable for real-world deployments.

3.2. Privileged Insider Attack

Yu et al.’s scheme stores the sensitive information in the database of the license server. Due to which it is susceptible to user impersonation, server impersonation attacks, and secret key leakage attacks. The attacks can be simulated in the following methods.

3.2.1. User Impersonation Attack

The internal adversary gets and from the database of the license server. Now the adversary can impersonate as by adopting the following steps: (IUA 1) picks a random number (IUA 2)computes , =, =, and =(IUA 3)transmits the message to license server (IUA 4)license server accepts the message and verifies the message legitimacy and verification will be successful as user verification on license server is not taking place(IUA 5) will fetch relevant and computes , and . sends the message to (IUA 6) receives the message sent by and computes , , and . Adversary gets successfully the secret key

3.2.2. License Server Impersonation Attack

The privileged adversary steals the from the database of the . When sends the the message to through public channel; then, will intercept the message and and impersonate as a valid license server in the following ways. (ISA 1) will compute = , = , = , and = (ISA 2)verify if . If the condition is true, picks relevant and creates random nonce (ISA 3)calculate = , = , and = .(ISA 4) sends the message to user (ISA 5) will verify the message and verification will be successful and as a result, get secret key which is in real a forged key and will not work

3.2.3. No Secret Key Secrecy

Only those users who have the secret key can access the digital content in the digital rights management system. But, as shown in Section 3.2.1, an adversary can acquire the secret key by impersonating as a valid user . Hence, Yu et al.’s scheme does not ensure the security of the secret key.

4. Proposed Scheme

To ensure privacy, security, and to remove the incorrectness in the scheme of Yu et al. [14], a new scheme is proposed in this section. The proposed scheme comprises three main phases, which are further divided into subphases. The detail of the scheme is given in the following subsections.

4.1. Registration Phase

To get access to the digital contents, a user must register himself/herself to be a legitimate user. Following are the steps as mentioned in Figure 4 to be followed:

RGD 3: the user picks the pair and engraves . Now computes =, and = and dispatches to license server by using secure channel

RGD 3: license server receiving the registration request by computes , , and saves and in its database and reply the registration request message by using channel

RGD 3: receives the message from and computes , , and stores in the mobile device memory

4.2. Login and Authentication

Following steps as mentioned in Figure 5 are executed to furnish login and authentication phase of the proposed scheme: (LAuth 1) inputs , password , imprints biometric , calculates , and checks if , and if the condition is true, then, select and and compute , , , and send the message containing to the (LAuth 2)after receiving the message verifies if , if the condition is true then fetch corresponding to and compute , , , and check if is true. If true pick , , and , fetches and calculate , , , , . Replace with , and send the message containing to (LAuth 3)after receiving the message from , check if the condition is true then calculates , , , , . Then, check if , if the condition is true, then, calculate and save

4.3. Password Change

If a valid user has lost/forgot his/her password then can change password by adopting the following steps: (PWD 1)user enters new pair and engraves . Now, computes , and = and dispatches to the mobile device(PWD 2)upon receipt of the message mobile check if , if true, it sends confirmation to the user (PWD 3) chooses new password and biometric and compute , and (PWD 4)Receiving the message mobile device calculates and and send and (PWD 5) computes , , and update .

5. The Security Analysis

To describe the security of the proposed scheme, we have scrutinized the scheme through formal and informal security analysis in the following subsections.

5.1. Authentication Proof Based on the Burrows–Abadi–Needham Logic (BAN Logic)

The security of the proposed scheme is formally analyzed in the standard model using the widely accepted Burrows–Abadi–Needham logic [24].

5.1.1. Postulates for BAN Logic

Some of the logical postulates of BAN logic and the meaning related to the postulates are given below in Table 2.

5.1.2. Security Goal Establishment

Established security goals and logical notations of the BAN logic are given below in Table 3.





5.1.3. Proposed Schemes Idealized Form

(M1) : (M2) :

5.1.4. Assumptions


Step 1. According to message 1:

Step 2. From the message meaning rule according to P1 and A3:

Step 3. According to the freshness rule with A1, we get

Step 4. From the nonce verification rule with P2 and P3, we get

Step 5. According to the belief rule with P4, we get

Step 6. From the jurisdiction rule with P5 and A5, we get

Step 7. According to M2, we obtain

Step 8. From the message meaning rule with P7 and A4, we get

Step 9. According to the freshness rule with A2, we get

Step 10. From the nonce verification rule with P9 and P10, we get

Step 11. According to the belief rule with P10, we get

Step 12. From the jurisdiction rule with P11 and A6, we get

According to to , we proved that our scheme attains secure mutual authentication among and .

5.2. Informal Security Analysis

To assess the security of the introduced scheme, also we have inspected the scheme through informal security analysis procedures.

5.2.1. Mutual Authentication

Our proposed scheme provides mutual authentication by making verification on both sides of participating entities. License server receives the login request messages from , license server verifies the authenticity of the user by verifying the . If the condition is true, authenticates and sends to . receives the response messages from , verifies whether . If the condition is true, then, authenticates ; otherwise, terminates the request. Hence, the proposed scheme successfully achieves mutual authentication property.

5.2.2. Replay Attack

Suppose that hijacks the messages and in a selective session and tries to replay these hijacked messages after a while. As it is evident that the all message contains current timestamps and , the acceptance of the timeliness and will be declined at the and . Furthermore, value is fixed very small and due to which it will be very difficult for the attacker to replay the hijacked messages within limit of the . Hence, the proposed scheme is stealth against the replay attack.

5.2.3. Stolen Mobile Device Attack

Suppose that has stolen mobile device [25, 26] of user or has lost the mobile device due to some reason. Then, A can extract the credentials from mobile device memory using the power analysis attacks. After getting all these parameters, the attacker will not be able to get useful parameters and , as these are protected through a collision-resistant hash function. Therefore, if any mobile device will be lost/stolen will not affect the proposed authentication mechanism.

5.2.4. Anonymity and Untraceability

In the proposed scheme, all the messages and in each session are explicit and nonrepeated, also all the message includes current timestamps and , and random nonces and . Hence, will not be able to trace and . Moreover, even any single message does not contain identities and . Hence, the anonymity [27, 28] is guaranteed in the proposed scheme.

5.2.5. Denial-of-Service Attack

In the login and authentication phase, when a valid user inputs his/her identity , password , and imprints biometric into the mobile device. Mobile device retrieves the saved secret biometric key corresponding to as . Further mobile device computes and checks if values are the same or not. If the condition is not met, the session is terminated immediately, and in case of success, the session proceeds normally. Therefore, in case of denial-of-service attack [29, 30], the proposed scheme will resist it.

5.2.6. Man-in-the-Middle Attack

In this type of attack, grabs the messages being exchanged when the communication is taking place and tries to alter those messages to make other valid messages, to deceive the recipient from guessing the altered messages, and he/she considered these altered messages as normal as other original messages. Suppose grabs the messages and . Due to lack of the some parameters knowledge such as , , and , the attacker will be unable to forge these messages and . Hence, the proposed scheme opposes man-in-the-middle attack [31].

5.2.7. User Impersonation Attack

Assume an attacker tries to impersonate a message on behalf of a user to license server . gets from mobile device and during the communication. At the moment, if tries to construct message, but it will not possible as he/she does not know these parameters , and , due to which it will be hard to produce these for attacker.

5.2.8. License Server Impersonation Attack

Assume an attacker tries to impersonate a message on behalf of a license server to user . gets from mobile device and during the communication. At the moment, if tries to construct a reply message on the behalf of the license server , but it will not possible as he/she does not know these parameters , and , due to which it will be hard to produce these for an attacker. Hence, the proposed scheme is secure against impersonation attacks.

5.3. Automated Security Verification through ProVerif

The ProVerif is an automated security verification tool utilized to visualize the key agreement scheme to check mutual authentication and confidentiality of the session key among the participant entities of the authentication scheme [3234]. To verify the security of the proposed scheme, we have simulated and verified it through ProVerif. For the sake of the experiment, we have used two events and to check the authentication codes of each entity, respectively. The participant uses two events, which are beginUi(bitstring) and endUi(bitstring) to authenticate the license server . Similarly, the beginSj(bitstring) and endSj(bitstring) events are used by the license server to authenticate the user . The outcomes of the queries executed show that both participants are successfully communicating with each other. The simulation results are shown in Figure 6, which exhibits that the mutual authentication is successful and communication between the valid participants is secure from the reach of any potential attacker .

6. The Comparisons

This section provides security attributes and performance comparisons among proposed and relevant schemes [10, 13, 14], in the corresponding subsections produced below.

6.1. Security Attributes

This subsection provides the security attribute comparisons of the proposed with relevant schemes presented in [10, 13, 14]. The comparisons of the proposed with recent, related, and compered schemes [10, 13, 14] are depicted in Table 4. Referring to Table 4, all the compared proposals [10, 13, 14] are deficient of at least one security attribute. As per Table 4, the scheme of Mishra et al. [10] is already argued in [14] that it does not provide mutual authentication and resistance to impersonation. Moreover, the scheme of [10] is prone to theft/stolen mobile device attacks. The scheme of Yu et al. [14] does not provide anonymity of the mobile/user. Similarly, in this paper, we proved that the scheme of Yu et al. [14] has incorrect login and authentication phase, which can work with only one user, and it has weaknesses against privileged insider and impersonation attacks and due to these crucial issues, it cannot extend mutual authentication among a user and a license server.

6.2. Computation Cost

For computation cost, we consider the experiment executed through the MIRACL library over a mobile phone Redmo-Note-v8 with 4 GB RAM and octa-core processor with 2.01 GHz. The operating system underlying Redmo-Note-v8 is v-9-Andriod-MIUI-V:11.0.7. Moreover, to simulate a license server, we consider the running time computed over an HP:Elite-Book: P-8460 processor with 2.7 GHz Intel-R-Core TM with 4 GB RAM and over LTS-16 Ubuntu-OS. Here, we denote for the execution time of a hash operation and for computation of a biohash/fuzzy extraction operation. The for mobile device and for license server. Likewise, over the mobile device. To complete a round of authentication in the proposed DRM scheme, the user executes operations, the server executes , and the whole process completes in ms. The scheme of Yu et al. [14] completes the same in  ms. Likewise, in the scheme of Lee et al. [13], the and compute execution of a round in  ms, and the scheme of Mishra et al. [10] completes the process in  ms. The proposed scheme has a slightly higher computation cost. However, only the proposed scheme provides the required security features.

6.3. Communication Cost

The proposed and the relevant scheme are mainly based on hash functions in addition to an exclusive-or. We adopted SHA-1 whose length is 160 bits, all other parameters including identities, pseudoidentities, timestamps, and passwords are fixed at 32 bit-size. In proposed, the user initiates the request by sending , and the size of request message is bits. The response message sent by server has the size . Therefore, the total communication cost of the proposed scheme is 1216 bits. The communication costs of the schemes of Yu et al. [14], Lee et al. [13], and Mishra et al. [10] are 1120 bits, 1120 bits, and 832 bits, respectively. The computation and communication costs along with running times of each of the proposed and schemes of Yu et al., Lee et al., and Mishra et al. are also depicted in Table 5.

7. Conclusion

In this paper, we first reviewed and then cryptanalyzed a recent authentication scheme presented by Yu et al. for digital rights management systems (DRM-S). We have proven that the scheme of Yu et al. lacks scalability due to faulty design and is prone to privileged insiders and impersonation attacks. Based on the only symmetric hash function and xor, an improved scheme of DRM-S is then proposed. The proposed scheme can cope with the changing security requirements of the DRM-S, which is proved through formal BAN and informal textual explanations. The proposed DRM-S authentication scheme completes the process of authentication among a user and a license server in  ms and by exchanging 1216 bits among a user and a license server.

Data Availability

No data is available for this study

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Authors’ Contributions

Sajid Hussain and Yousaf Bin Zikria are the co-first authors. Farruh Ishmanov and Shehzad Ashraf Chaudhry are the corresponding authors.


This research was conducted by the Research Grant of Kwangwoon University, Seoul, Korea, in 2021 and in part by Taif University Researchers Supporting Project number (TURSP-2020/126), Taif University, Taif, Saudi Arabia.