Saturday, January 25, 2020

Ebook Security With Adobe Adapt DRM

Ebook Security With Adobe Adapt DRM Abstract EBooks can be secured in various ways dependant on device or format. The report focuses on the encryption method used by Adobe in their Adept DRM used to secure EPUB and PDF formats. The report describes what a DRM is and its uses and purposes within the industry, how Adobe have adapted this for their purpose, the RSA and AES encryptions used, along with any advancements and vulnerabilities with the process. Recommendations are then given on how the process could be improved and conclusions drawn on the overall effectiveness of the system. Table of Contents 2. Literature review 2.1 What is DRM 2.2 RSA with PKCS#1 v1.5 padding 2.2.1 PKCS #1 2.2.2 RSA 2.2.2.1 GENERATE A PUBLIC KEY AND PRIVATE KEY 2.2.3 Padding 2.3 AES in CBC mode with a random generated IV 4. Vulnerabilities Security Known attacks Side-channel attacks NIST/CSEC validation Test vectors 5. Recommendations 6. Conclusion 7. References 2. Literature review 2.1 What is DRM? Digital Rights Management or DRMs restrict the ability to print, modify, lend or use the extended features of purchased digital media specifically EBooks. Restriction levels are dependent on publishers, distributors, device and even time. These restrictions are also used to limit the number of E-Readers a book can be viewed on and time restrictions on features can be added. DRMs come in different forms, at present there are eight main types, excluding obscure formats or those used in non-English countries, and a large proportion of these are incompatible with each other. While there is no de-facto standard, Adobe DRM is the most prolific, although Amazon Kindle and Apple iBooks use proprietary DRMs. The Adobe ADEPT DRM system has five key parts: Adobe Content server is responsible for the storage and management of EBooks. Adobe Activation Server is responsible for storing and tracking Adobe IDs and authorised devices. Adobe Content Server Message (ACSM) file carries the details of the book including name, synopsis and location. Adobe ID is the unique identification that is associated with the user. This is required to unlock the ACSM. Adobe Reader Software Development Kit (SDK) is used for distributers to create their own mobile reading apps. (Jenny Ellis and Kyle Cook (2013)) The following process is used when a purchased EBook with an Adobe Adept DRM is opened with Adobe Digital Editions. 1. A unique user key is created for the user account encrypted with RSA with PKCS#1 v1.5 padding by the E-Reader software. The account information not the device is used to create the key therefore allowing an EBook with DRM to be read on various devices. This is required to open the ACSM file. 2. Once an EBook is purchased a key for decryption known as the book key or ACSM is sent to the user. This book key is encrypted by the distributor using the unique user key created in step one. The book encryption is AES with Cipher Block Chaining with an Initialization vector that is randomly generated. 3.T he E-Reader software uses the user key to decrypt the book key and subsequently the book key is used to decrypt the EBook and allow access to the device or software. Copying is prevented by requiring the user key to decrypt the book key as it is not stored in a decrypted form on the device or software. To enable reading on another device it requires authorisation, once complete the user key is sent and the device is registered allowing EBook to be read on the newly enabled device. (Xiao Zhang 201) Image 01: The DRM Process 2.2 RSA with PKCS#1 v1.5 padding RSA with Public Key Cryptography Standards (PKCS) #1 and padding is used to encrypt the unique user account key, below is a description of how each part works to protect the user identification and eBook. 2.2.1 PKCS #1 PKCS #1 is the first standard of mathematical recommendations and properties for the correct implementation of RSA public and private keys. The key pairs are based on a modulus of two distinct large prime numbers. (Weisstein 2015) 2.2.2 RSA Image 02: How RSA Encryption Works (Page Don 2010) In 1977 Ron Rivest, Adi Shamir and Leonard Adleman first described RSA public key or asymmetric cryptography. RSA uses two keys, one public one private that are mathematically linked. As the name suggests public keys can be shared with anyone whereas the private key must be kept secure. Either key can be used to encrypt the data and the opposite key is used to decrypt. RSA if implemented correctly can provide confidentiality, integrity and non-reputability of electronic communications and data storage. (Rouse 2014) 2.2.2.1 Generating Public and Private Keys The first step to generating the public and private keys is two prime numbers. A prime number is a number greater 1 and is only divisible by 1 or itself. Examples of prime numbers are: 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41. These two prime numbers p and q are multiplied together to give n and multiplied together minus one to give t. For Example: p = 29q= 31 n = p * q = 29 * 31 ∠´ n = 899 t = ( p -1 ) * ( q 1) = ( 29 1 ) * ( 31 1 ) ∠´ t = 840 Another prime number e is required, although e needs to be a relative prime to t, therefore t cannot be divisible by e. Since t = 840, e cannot be 2, 3, 5 or 7 ∠´ e can be 11, 13, 17 etc. 11 was selected as it was the first relative prime to t. ∠´ e = 11. The last figure required for the calculations is d. The formula used to ascertain d is: d * e = 1 mod t ∠´ (d * 11) / 840 will result in the remainder of 1. To find d the inverse of e mod t is required and is often computed using the Extended Euclidean Algorithm. ∠´ ( 611* 11) / 840 = 8 r 1 ∠´ d = 611. The public key is n and e ∠´ 899 and 11. The private key is n and d ∠´ 899 and 611. (Page Don 2010) 2.3 AES in CBC mode with a random generated IV AES with Cipher Block Chaining with an Initialization vector that is randomly generated is used to encrypt the book key or ACSM, below is a description of how each part works to protect the eBook to prevent unauthorised use. 3. Vulnerabilities On paper, this encryption scheme ensures a strong DRM mechanism. However, it was soon observed that the software used to read ePubs and PDFs, Adobe Digital Editions, uses a very weak obfuscation to hide the per-user key. An attack that uses reverse-engineering on the software reveals a rather easy method of retrieving the per-user key from the software and use it to decrypt other Adept encrypted PDF or ePub file. Newer versions of the Adobe Digital Editions use more cryptic ways of hiding the per-user key, but attacks still exist to retrieve it from the registry 4. Recommendations Adobe Digital Editions, uses a very weak obfuscation to hide the per-user key. An attack that uses reverse-engineering on the software reveals a rather easy method of retrieving the per-user key from the software and use it to decrypt other Adept encrypted PDF or ePub file. Newer versions of the Adobe Digital Editions use more cryptic ways of hiding the per-user key, but attacks still exist to retrieve it from the registry  for better useable security and privacy Write with  the  knowledge  you have gained during  the  lectures  and  also  sensible  intuition  about improvements that can be made to ensure better security and privacy of all involved state holders. à ¯Ã¢â‚¬Å¡Ã‚ §Ã‚  You are  not  asked to  provide  workable solutions there should be no limit  to your imagination; however with  sensible intuition. You can discuss systems, frameworks, protocols, tools, best practices, government  regulations etc. 5. Conclusion highlight important facts and findings. 6. References http://www.inthelibrarywiththeleadpipe.org/2013/building-a-community-of-readers-social-reading-and-an-aggregated-ebook-reading-app-for-libraries/ http://www.cse.wustl.edu/~jain/cse571-11/ftp/drm/#sec2.3.1 E-Book Security and Preventing Theft and Unauthorised Editing http://inkwelleditorial.com/prevent-ebook-theft http://ebookforum.info/how-can-i-stop-theft-of-my-ebook/ http://www.star-force.com/press/articles/?news=2562 DRM http://ebookarchitects.com/learn-about-ebooks/drm/ https://www.editionguard.com/

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.