Beyond Good & Evil

The Nuts and Bolts of DRM

Dave Cramer / Hachette

<nav  role="doc-­‐toc"><ol><li>Toolbox:  nuts  and  bolts  <ol><li>Ciphers      <li>Symmetric  key  cryptography      <li>Public  Key  Encryption      <li>Hashes      <li>Digital  Signatures      <li>Certificates</ol>      <li>Application:  Secure  Browsing      <li>Copyright      <ol><li>ebook  DRM          <li>Readium  LCP

Ciphers

Rot13

ABCDEFGHIJKLMNOPQRSTUVWXYZ

NOPQRSTUVWXYZABCDEFGHIJKLM

PNYY  ZR  VFUZNRY

CALL  ME  ISHMAEL

Cqll ,e Ish,qel: So,e yeqrs qgo]never ,ind hoz long)exqtly

Vigenère Cipherle chiffre indéchiffrable

text C A L L M E I S H M A E L

key E B O O K C R A F T E B O

cipher G B Z Z W G Z S M F E F Z

key E B O

text C A

Symmetric Key Cryptography

echo  "Call  me  Ishmael"  |  openssl  enc  -­‐e  -­‐aes-­‐256-­‐cbc  -­‐a  -­‐p  

enter  aes-­‐256-­‐cbc  encryption  password:  

salt=364338BE2F9FE6FC  key=AE99F254C8F7D4314494B62736AD3E97ACCC454134F48D486FCA9C248F138C45  

iv  =A3FCB694B8CEFA792854874826F6D415  

U2FsdGVkX182Qzi+L5/m/PdnBH6KrzpCgW92xFCQbUXSpwGg0t7p3XrjNNyqEZOl  

echo  "U2FsdGVkX182Qzi+L5/m/PdnBH6KrzpCgW92xFCQbUXSpwGg0t7p3XrjNNyqEZOl"  |  openssl  aes-­‐256-­‐cbc  -­‐d  -­‐a  

enter  aes-­‐256-­‐cbc  decryption  password:  

Call  me  Ishmael

Public Key Cryptography

135066410865995223349603216278805969938881475605667027524485143851526510604859533833940287150571909441798207282164471551373680419703964191743046496589274256239341020864383202110372958725762358509643110564073501508187510676594629205563685529475213500852879416377328533906109750544334999811150056977236890927563

The Math

1. Pick two large prime numbers P and Q

2. Multiply them together to form N = P*Q

3. Pick E, an odd number between 3 and N-1 that’s relatively prime to (P-1)(Q-1)

4. Compute D such that DE = 1 mod (P-1)(Q-1)

Do The Math

1. P = 11, Q = 13

2. Multiply them together to form N = 143

3. E = 7, which is not a factor of (P-1)(Q-1)=120

4. 7D= 1 mod 120 = 103

5. D = 103

Public Key is (143, 7) Private Key is (143, 103)

The Magic

ciphertext = messageE mod PQ

message = ciphertextD mod PQ

Encrypt(m) = mE mod PQ

Message is “99” (ascii code for “c”)

Encrypt(99) = 997 mod 143

Encrypt(99) = 93206534790699 mod 143

Encrypt(99) = 44

Decrypt(ciphertext) = message = cD mod(PQ) m = 44103 mod 143 m = 18863647751783874097093622186761307641671395896510124670027581034745115835900579054247760433265371183425069323507066622936418037086042241347409034030626680951825376477184 mod 143 m = 99

Hashes

ISBN Multiplier Result9 1 97 3 218 1 81 3 39 1 92 3 66 1 68 3 245 1 55 3 157 1 78 3 24

(3) 137

137  mod  10  =  7  10  -­‐7  =  3  

ISBN Multiplier Result9 1 97 3 218 1 81 3 39 1 92 3 68 1 86 3 185 1 55 3 157 1 78 3 24

(3) 133

133  mod  10  =  3  10  -­‐  3  =  7

WRONG

Adler-32 Hash Exampletext ascii A B

c 99 1  +    99 100 0  +    100 100a 97 100  +    97 197 100  +    197 297l 108 197  +  108 305 297  +    305 602l 108 305  +  108 413 602  +    413 1015

32 413  +    32 445 1015  +    445 1460m 109 445  +  109 554 1460  +    554 2014e 101 554  +  101 655 2014  +    655 2669

32 655  +    32 687 2669  +    687 3356i 105 687  +  105 792 3356  +    792 4148s 115 792  +  115 907 4148  +    907 5055h 104 907  +  104 1011 5055  +  1011 6066m 109 1011  +  109 1120 6066  +  1120 7186a 97 1120  +    97      

971217 7186  +  1217 8403

e 101 1217  +  101 1318 8403  +  1318 9721l 108 1318  +  108 1426 9721  +  1426 11147

1426  =  hex  0592  11147  =  hex  2b8b Hash  =  2b8b0592

Digital Signatures

• Authentication

• Integrity

• Non-repudiation

message public key cipher text

cipher text messageprivate key

message ciphertext

ciphertext message

message+

message

Signing

Verifying

message=

private key

public key

message hashed message

Signing

hashed message signature

hash

private key

signature hashed message

Verification

message hashed message

compare

public key

hash

REM15M:~  cramerd$  openssl  genrsa  -­‐aes128  -­‐passout  pass:ebookcraft  -­‐out  private.pem  4096  Generating  RSA  private  key,  4096  bit  long  modulus  ........................++  ...........................................................................................................++  e  is  65537  (0x10001)  

REM15M:~  cramerd$  openssl  rsa  -­‐in  private.pem  -­‐passin  pass:ebookcraft  -­‐pubout  -­‐out  public.pem  writing  RSA  key  

REM15M:~  cramerd$  openssl  dgst  -­‐sha256  -­‐sign  private.pem  -­‐out  /tmp/sign.sha256  text-­‐  to-­‐sign.txt  Enter  pass  phrase  for  private.pem:  

REM15:~  cramerd$  openssl  base64  -­‐in  /tmp/sign.sha256  -­‐out  text-­‐signed.txt

REM15M:~  cramerd$  openssl  base64  -­‐d  -­‐in  text-­‐signed.txt  -­‐out  /tmp/sign.sha256  

REM15M:~  cramerd$  openssl  dgst  -­‐sha256  -­‐verify  public.pem  -­‐signature  /tmp/sign.sha256  text-­‐to-­‐sign.txt  

Verified  OK

Intermission: Baby Break!

Certificates

Signing Request

REM15M-­‐CRAMERD:readium-­‐lcp-­‐server  cramerd$  openssl  req  -­‐out  CSR.csr  -­‐new  -­‐newkey  rsa:2048  -­‐nodes  -­‐keyout  privateKey.key  Generating  a  2048  bit  RSA  private  key  ...........................................+++  .+++  writing  new  private  key  to  'privateKey.key'  -­‐-­‐-­‐-­‐-­‐  You  are  about  to  be  asked  to  enter  information  that  will  be  incorporated  into  your  certificate  request.  What  you  are  about  to  enter  is  what  is  called  a  Distinguished  Name  or  a  DN.  There  are  quite  a  few  fields  but  you  can  leave  some  blank  For  some  fields  there  will  be  a  default  value,  If  you  enter  '.',  the  field  will  be  left  blank.  -­‐-­‐-­‐-­‐-­‐  Country  Name  (2  letter  code)  [AU]:CA  State  or  Province  Name  (full  name)  [Some-­‐State]:Ontario  Locality  Name  (eg,  city)  []:Toronto  Organization  Name  (eg,  company)  [Internet  Widgits  Pty  Ltd]:ebookcraft  appreciation  society  ltd  Organizational  Unit  Name  (eg,  section)  []:  Common  Name  (e.g.  server  FQDN  or  YOUR  name)  []:ebookcraftrocks.com  Email  Address  []:  

Please  enter  the  following  'extra'  attributes  to  be  sent  with  your  certificate  request  A  challenge  password  []:123456  

-­‐-­‐-­‐-­‐-­‐BEGIN  CERTIFICATE  REQUEST-­‐-­‐-­‐-­‐-­‐  MIIC2TCCAcECAQAwfTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xEDAO  BgNVBAcTB1Rvcm9udG8xLDAqBgNVBAoTI2Vib29rY3JhZnQgYXBwcmVjaWF0aW9u  IHNvY2lldHkgbHRkMRwwGgYDVQQDExNlYm9va2NyYWZ0cm9ja3MuY29tMIIBIjAN  BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+mOAIZG8lP+OIBuk6J6bPCqhT+Gx  jEKzwFpOIGIV6B/uRtUJX/BF8nb6KAaoOuRab0a4yIdPNlEgvExbkGkdQdDVsc+K  Qxub1SeJF2zNFlAhtmuvsLbm9ONoAFfcn0O/pwMZzbQj0bZy7U3srNee8/OvGCD5  bQdu6+ZKH+OeC5QUmPpbjv5uOmGIcT5Q0hUBP33T4XTj5vhVzSgdmhGY02T+BTC5  3V1sB+glJ11lCpTTjmdEUcVfUeagZ1UZtLHC7zMXiJuSYurCYproXIADVGvKRe4C  /otZQm/T6ULReYzw7w8YygyxgRvHJAjvZKU47/wm+ShuX/A1H4D8iUKmqQIDAQAB  oBcwFQYJKoZIhvcNAQkHMQgTBjEyMzQ1NjANBgkqhkiG9w0BAQUFAAOCAQEAgNDm  Znf5GPCyb4Y2600/SFPioOui4BZucsip+QQpj0zNx1oo3Jlrng9vqcT78KniCGNv  Zn/Un+FBXy2kOI9IQe4wYWg+u0ggVxVNTP52x5Ug3RXvAT5iTm3q1AojeIU7FYBT  aZD/GNsDAEecyb5xB3T97MJCo4HtH+vLVrRXPnUgAXg9HGm4tSi6oQOsVYy+y6xU  LUbWO97sWNmKTxzXkDfDbSYYTsB1PzTbDFWzX1ed+jZZFynUUavktS8ky7ImlYH0  yvpaZP3MCVE1xQCLjqAua9FmR4H6ns0y9haWxCVzXHzseyRRzfyBmXD7AkSuElVI  dpOUa7WVxwra4uXIRw==  -­‐-­‐-­‐-­‐-­‐END  CERTIFICATE  REQUEST-­‐-­‐-­‐-­‐-­‐

HTTPS

Acronyms

• HTTPS = HTTP over TLS or HTTP over SSL

• TLS = Transport Layer Seurity

• SSL = Secure Sockets Layer

Hi! What ciphers do you know?

Can we try AES-256-CBC?

that’s my favorite.

Great!

Are you really the White Whale?

Ah, let me check the

signature… Wow, it’s really you!

MRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQ

YiBDQTEjMCEGCSqGSIb3DQEJARYUc3Vwc

LOL!

Intermission: Pirates!

Copyright

–The Statute of Anne, 1710

Whereas Printers, Booksellers, and other Persons, have of late frequently taken the Liberty of Printing, Reprinting, and Publishing, or causing to be Printed, Reprinted, and Published Books, and other Writings, without the Consent of the Authors or Proprietors of such Books and Writings, to their very great Detriment, and too often to the Ruin of them and their Families: For Preventing therefore such Practices for the future, and for the Encouragement of Learned Men to Compose and Write useful Books; May it please Your Majesty, that it may be Enacted…

DRM

–Defective by Design

“the practice of imposing technological restrictions that control what users can

do with digital media.”

ebook DRM systems

Scheme Users

Apple FairPlay iBooks

Kindle Kindle

Adobe B&N, Kobo, Overdrive, Google Play

Sony UMRS Numilog (France)

Readium LCP just getting started

Readium LCP

Readium LCP Goals• Avoid vendor lock-in

• Support library use cases

• Relatively simple and inexpensive to operate

• Support for a11y

• Allow offline use; still function if a provider goes out of business

EPUB lcpencrypt

Passphrase

LCP License Server

encrypted EPUB

LCP License encrypted EPUB

content key

+

DO NOT ENCRYPT

• package  file  (OPF)  • nav  • cover  image  • container.xml

encryption.xml

Good

Evil

Alternatives to

DRM

Free AdviceWho Are You? What Should You Do?

Library Use DRM, but make it as user-friendly as possible.

Trade PublisherScrew DRM. Make it easier to buy your

books than pirate them. Look at watermarking.

Put books on the web.

Educational Publisher You already made a pact with the Devil. Use DRM.

Legislator, lobbyist, rule-maker, judge Hang your head in shame.

Thank You!

Dave Cramer / Hachette Book Group / @dauwhe