
Adobe eBooks can be copied from one computer to another using Acrobat Reader
31st Jul 2002 [SBWID-5584]
COMMAND

	Adobe eBooks can be copied from one computer to another using Acrobat
	Reader

SYSTEMS AFFECTED

	

PROBLEM

	ElcomSoft Co.Ltd. [http://www.elcomsoft.com] found the following:
	

	Adobe Content Server (http://www.adobe.com/products/contentserver/)
	makes it easy for you to sell electronic books (eBooks) securely
	online. Adobe Content Server packages and protects eBooks and
	distributes them in PDF format directly from any Web site. Anyone with
	the free Adobe Acrobat eBook Reader
	(http://www.adobe.com/products/ebookreader/) can purchase your content
	with ease. When the file is encrypted, a special master voucher for its
	distribution is created. The master voucher is a separate,
	XML-based file that contains an encrypted key to the eBook and the set
	of privileges that accompany it. When a customer purchases an Adobe PDF
	eBook directly from an e-commerce site, it's automatically downloaded
	into the customer's personal Acrobat eBook Reader library for immediate
	viewing. Acrobat eBook Reader unlocks the encrypted key that came with
	the eBook and its master voucher. Now the eBook is tied to the
	customer's Acrobat eBook Reader and can't be transmitted elsewhere (by
	design) -- every other copy of the Reader uses a different (unique)
	encryption key, so an eBook purchased on one computer cannot be opened
	on other computers.
	

	On January 29, an Adobe representative (Mr. Thomas R. Díaz, the Senior
	Engineering Manager for the eBook Development Group at Adobe Systems
	Incorporated) advised that it is possible to back up a collection of
	eBooks from one computer and restore them to a different machine by
	making use of a backup feature built into the Adobe eBook Reader
	(note: this process operates successfully on your entire library of
	Adobe eBook Reader files regardless of where you obtained them from and
	does not require you to consult with the ebookstore that you purchased
	from):
	

	

	  Backing Up Adobe Acrobat eBook Reader eBooks
	  http://www.planetebook.com/mainpage.asp?webpageid=279

	  1. Make a copy of the 'Data' folder (including 'Vouchers' subfolder)
	  2. Install Adobe eBook Reader on another machine
	  3. Restore the 'Data' folder over the corresponding 'Data' folder in your
	     freshly installed Adobe Acrobat eBook Reader
	  4. Open Adobe Acrobat eBook Reader and attempt to open one of the eBooks.
	     You will receive the following message:

	     Update Reader

	     Voucher Update Required (Version 2.2 Build 203)

	     You will not be able to read your eBooks until you update you
	     installation of Acrobat eBook Reader. Please contact Adobe Systems
	     Customer Support at http://www.adobe.com/suport/[...] for assistance
	     in completing this update.

	     Challenge: E7P6 4K2D 7MU3 VUDT

	  5. Ring Adobe, quoting the Challenge code, then receive an Activation code.
	  6. eBooks can now be reopened.

	

	

	However, the Activation code can easily be obtained for any given
	Challenge without calling Adobe. Here is how Adobe Acrobat eBook Reader
	verifies the Activation code:
	

	

	  1. The 'Challenge' is encrypted using a popular symmetric block cipher;
	     the encryption key (actually, there are two keys: one in Reader 2.1 and
	     older, and another in Reader 2.2) is constant and stored inside the
	     Adobe eBook Reader executable.
	  2. The encrypted 'Challenge' is hashed using another popular algorithm.
	  3. The first 10 bytes of the hash value (converted from binary to text
	     using MIME-like encoding) are the proper Activation code -- the Reader
	     just compares it with the one entered into the Reader.

	

	

	The details (the names of the ciphers, and the encryption keys) are  not
	provided here for security reasons.
	

	

	 The impact of this vulnerability.
	 ---------------------------------

	Even using the standard method (calling Adobe to receive a proper
	Activation code), anybody can create illegal copies of "protected"
	Adobe eBooks. But even worse, any person with a basic knowledge of
	crypto algorithms can write a program to generate an Activation code
	from the Challenge, eliminating the 'calling Adobe' step completely.
	

	

SOLUTION

	 Workarounds and/or fixes.
	 -------------------------

	None are available at the moment. But to implement a reliable and secure
	challenge-response scheme, it is not enough just to "use sophisticated,
	industry-standard levels of software encryption" - it is necessary to
	use them *properly*.

	The Activation code should be calculated at Adobe using an asymmetric
	algorithm like RSA (with a private key, known only to Adobe), while the
	Reader should decrypt it using the public key and compare the result
	with the Challenge. That way the Reader itself will not contain enough
	information to make a proper Activation code from the Challenge.
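
	The design difference described above, as an added example (not code
	from the advisory, from ElcomSoft or from Adobe). It assumes RSA PKCS#1
	v1.5 signatures over SHA-256 as the concrete form of the recommended
	scheme; the HMAC "weak" check is only a stand-in for the undisclosed
	cipher and hash, and all names, keys and challenges are constructed.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base32"
	"fmt"
)

// Weak pattern. HMAC is only a stand-in for the undisclosed cipher+hash; the
// key is constructed. Whatever secret ships in the client can mint codes.
var embeddedKey = []byte("constructed-demo-key")

func weakExpectedCode(challenge string) string {
	m := hmac.New(sha256.New, embeddedKey)
	m.Write([]byte(challenge))
	return base32.StdEncoding.EncodeToString(m.Sum(nil)[:10]) // first 10 bytes
}

// Vendor side: the private key never leaves the vendor.
func newVendorKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func vendorIssueCode(priv *rsa.PrivateKey, challenge string) ([]byte, error) {
	d := sha256.Sum256([]byte(challenge))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

// Client side: only the public key ships, so it can check a code but not make one.
func clientVerify(pub *rsa.PublicKey, challenge string, code []byte) bool {
	d := sha256.Sum256([]byte(challenge))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], code) == nil
}

func main() {
	priv, err := newVendorKey()
	if err != nil {
		panic(err)
	}
	ch := "AB12 CD34 EF56 GH78" // constructed challenge
	code, err := vendorIssueCode(priv, ch)
	if err != nil {
		panic(err)
	}
	fmt.Println("weak: code derivable inside client:", weakExpectedCode(ch))
	fmt.Println("signed: accepted for own challenge:", clientVerify(&priv.PublicKey, ch, code))
	fmt.Println("signed: accepted for other challenge:", clientVerify(&priv.PublicKey, "ZZ99 YY88 XX77 WW66", code))
}
```

	A 2048-bit RSA signature is 256 bytes, so a code of this kind would be
	delivered online or as a file rather than read out over the phone.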
