This presentation was given at the EPUB summit on April 7th, 2016, by Bill Rosenblatt, from GiantSteps, US. It presents the status of the Licensed Content Protection DRM, to be implemented as a plug-in of the Readium SDK.
2. Why Readium LCP?
DRM used to protect content and implement access
models
– Retail
– Membership organizations
– E-textbooks
– Library lending
– Subscriptions
Need for DRM standard to help ensure interoperability
3. Current E-Book DRM Market
Leading Retailers’ Own DRMs
Amazon
Apple
Kobo
Nook (Barnes & Noble)
Independent DRMs
Adobe Content Server
VitalBooks DRM
(e-textbooks)
Marlin
(Intertrust, Sony)
Fasoo
MarkAny
4. Genesis of Readium LCP
Begun in 2012 within IDPF
– Subsequently integrated with Readium project
EPUB2 standard did not include DRM
– This has led to lack of interoperability and fragmentation
Limitations with third-party DRMs
– Costs, particularly for small retailers, libraries, non-profits
– Vendor instability or lack of commitment
– Complexity of implementation
5. Readium LCP Objectives
Low-cost, simple DRM for use with Readium
Seamless, friction-free reading experience
– E.g. offline reading, no “phone home”
Enable interoperability among EPUB3 reading systems
– While enabling other DRMs to integrate with Readium
– Minimize “walled gardens”
Support primary content access models:
– Permanent distribution (retail, giveaway)
– Time-based distribution (lending, subscription)
– Accessibility for print-disabled
Security comparable to commercial DRMs
Eliminate commercial vendor dependency
6. Components of Readium LCP
Specification
Encryption Profile
Open source client and server code
Key material
License agreements
Robustness rules
7. Open Source DRM?
Code can be open source
– Anyone can use or modify code
– But not anyone can join interoperable ecosystem
Other things required to join ecosystem
– Secret keys
– Digital certificates
– Compliance testing
– Robustness certification
8. Elements of LCP Security
Encryption algorithm
– AES-256, U.S. government standard
– Used in most commercial DRMs
Passphrase
– Assigned by distributor or chosen
by user
Encryption profile
– Specifies how encryption scheme
works
– Contains secret key for protecting
passphrase, to inhibit export of
content beyond LCP ecosystem
– Confidential to licensees
License Status Documents
– Files that store keys and rights
descriptions
Digital certificates
– Secure identifiers of distributors,
issued by trusted Certificate
Authority
– Establish and vouch for
distributors’ identity
9. Open Source and Security
To hack a DRM:
– Find unencrypted content
– Find encryption keys
Robustness (“hardening”) techniques:
– Obfuscate code at compile time to make reverse engineering hard
– Include “guards” to detect suspicious activity
– Require keys to be kept in secure memory
– Generally, make it so knowing source code doesn’t help much
– Analogous to using published crypto algorithm
Robustness rules:
– Requirements that implementations do the above
– Conditions of licensing
10. LCP and Interoperability
Passphrase required to open EPUB file
Any compliant reading system with LCP will open file
with passphrase
The reading system will observe rights on the file
(e.g. time limits, text-to-speech conversion)
11. Readium LCP Logo Program
Membership in Readium LCP interoperable ecosystem
Requires signing license agreement
Must pass compliance test suite (supplied by EDRLab)
– Tests conformance with Compliance Rules
– Ensures interoperability, among many other things
Access to encryption profile
Agree to comply with robustness rules
– Self-certification
– Publisher(s) may require third party audit
Fees charged
– To recover administrative costs
– TBD but will be lower than commercial DRMs
12. Implementation Partners
EDRLab
– Licensing
– Compliance test suite administration
– Key material supplier
Cartesian
– Robustness rule consultants
– Available for robustness audits as necessary
International Telecomm’s Union (ITU)
– Certificate authority
– Keepers of X.509 certificate standard