This presentation was given at the EPUB summit on April 7th, 2016, by Bill Rosenblatt, from GiantSteps, US. It presents the status of the Licensed Content Protection DRM, to be implemented as a plug-in of the Readium SDK.

1. Readium Licensed Content
Protection (LCP)
Bill Rosenblatt
7th April 2016

2. Why Readium LCP?
DRM used to protect content and implement access
models
– Retail
– Membership organizations
– E-textbooks
– Library lending
– Subscriptions
Need for DRM standard to help ensure interoperability

3. Current E-Book DRM Market
Leading Retailers’ Own DRMs
 Amazon
 Apple
 Kobo
 Nook (Barnes & Noble)
Independent DRMs
 Adobe Content Server
 VitalBooks DRM
(e-textbooks)
 Marlin
(Intertrust, Sony)
 Fasoo
 MarkAny

4. Genesis of Readium LCP
Begun in 2012 within IDPF
– Subsequently integrated with Readium project
EPUB2 standard did not include DRM
– This has led to lack of interoperability and fragmentation
Limitations with third-party DRMs
– Costs, particularly for small retailers, libraries, non-profits
– Vendor instability or lack of commitment
– Complexity of implementation

5. Readium LCP Objectives
 Low-cost, simple DRM for use with Readium
 Seamless, friction-free reading experience
– E.g. offline reading, no “phone home”
 Enable interoperability among EPUB3 reading systems
– While enabling other DRMs to integrate with Readium
– Minimize “walled gardens”
 Support primary content access models:
– Permanent distribution (retail, giveaway)
– Time-based distribution (lending, subscription)
– Accessibility for print-disabled
 Security comparable to commercial DRMs
 Eliminate commercial vendor dependency

6. Components of Readium LCP
Specification
Encryption Profile
Open source client and server code
Key material
License agreements
Robustness rules

7. Open Source DRM?
Code can be open source
– Anyone can use or modify code
– But not anyone can join interoperable ecosystem
Other things required to join ecosystem
– Secret keys
– Digital certificates
– Compliance testing
– Robustness certification

8. Elements of LCP Security
 Encryption algorithm
– AES-256, U.S. government standard
– Used in most commercial DRMs
 Passphrase
– Assigned by distributor or chosen
by user
 Encryption profile
– Specifies how encryption scheme
works
– Contains secret key for protecting
passphrase, to inhibit export of
content beyond LCP ecosystem
– Confidential to licensees
 License Status Documents
– Files that store keys and rights
descriptions
 Digital certificates
– Secure identifiers of distributors,
issued by trusted Certificate
Authority
– Establish and vouch for
distributors’ identity

9. Open Source and Security
 To hack a DRM:
– Find unencrypted content
– Find encryption keys
 Robustness (“hardening”) techniques:
– Obfuscate code at compile time to make reverse engineering hard
– Include “guards” to detect suspicious activity
– Require keys to be kept in secure memory
– Generally, make it so knowing source code doesn’t help much
– Analogous to using published crypto algorithm
 Robustness rules:
– Requirements that implementations do the above
– Conditions of licensing

10. LCP and Interoperability
Passphrase required to open EPUB file
Any compliant reading system with LCP will open file
with passphrase
The reading system will observe rights on the file
(e.g. time limits, text-to-speech conversion)

11. Readium LCP Logo Program
 Membership in Readium LCP interoperable ecosystem
 Requires signing license agreement
 Must pass compliance test suite (supplied by EDRLab)
– Tests conformance with Compliance Rules
– Ensures interoperability, among many other things
 Access to encryption profile
 Agree to comply with robustness rules
– Self-certification
– Publisher(s) may require third party audit
 Fees charged
– To recover administrative costs
– TBD but will be lower than commercial DRMs

12. Implementation Partners
 EDRLab
– Licensing
– Compliance test suite administration
– Key material supplier
 Cartesian
– Robustness rule consultants
– Available for robustness audits as necessary
 International Telecomm’s Union (ITU)
– Certificate authority
– Keepers of X.509 certificate standard

13. Status
Github repositories (currently private)
Expected availability: November 2016

14. Current & Potential Implementers
 Bokbasen (NO)
 De Marque (CA)
 DRM Inside (KR)
 Eden Livre (FR)
 Feedbooks (FR)
 Learning Ally (US)
 Mantano (FR)
 NY Public Library (US)
 PNB (Pret Numerique en
Bibliotheque) (FR)
 TEA (FR)

15. Thank You!
Email: billr@giantstepsmts.com
LinkedIn: https://www.linkedin.com/in/billrosenblatt
Blog: copyrightandtechnology.com
Twitter: @copyrightandtec