|
COMMAND Adobe eBooks can be copied from one computer to an other using Acrobat Reader SYSTEMS AFFECTED PROBLEM ElcomSoft Co.Ltd. [http://www.elcomsoft.com] found following: Adobe Content Server (http://www.adobe.com/products/contentserver/) makes it easy for you to sell electronic books (eBooks) securely online. Adobe Content Server packages and protects eBooks and distributes them in PDF format directly from any Web site. Anyone with the free Adobe Acrobat eBook Reader (http://www.adobe.com/products/ebookreader/) can purchase your content with ease. When the file is encrypted, special master voucher for its distribution is being created. The master voucher is a separate, XML-based file that contains an encrypted key to the eBook and the set of privileges that accompany it. When a customer purchases an Adobe PDF eBook directly from an e-commerce site, it's automatically downloaded into the customer's personal Acrobat eBook Reader library for immediate viewing. Acrobat eBook Reader unlocks the encrypted key that came with the eBook and its master voucher. Now the eBook is tied to the customer's Acrobat eBook Reader and can't be transmitted elsewhere (by design) -- every other copy of the Reader uses another (unique) encryption keys, so eBook purchased from one computer cannot be open on other computers. On January 29, Adobe representative (Mr. Thomas R. Dıaz, the Senior Engineering Manager for eBook Development Group at Adobe Systems Incorporated), advised that it is possible to back up collection of eBooks from one computer and restore them to a different machine by making use of a back up feature built into the Adobe eBook Reader (note: this process operates successfully on your entire library of Adobe eBook Reader files regardless of where you obtained them from and does not require you to consult with the ebookstore that you purchased from): Backing Up Adobe Acrobat eBook Reader eBooks http://www.planetebook.com/mainpage.asp?webpageid=279 1. Make a copy of the 'Data' folder (including 'Vouchers' subfolder) 2. Install Adobe eBook Reader on another machine 3. Restore the 'Data' folder over the corresponding 'Data' folder in your freshly installed Adobe Acrobat eBook Reader 4. Open Adobe Acrobat eBook Reader and attempt to open one of the eBooks. You will receive the following message: Update Reader Voucher Update Required (Version 2.2 Build 203) You will not be able to read your eBooks until you update you installation of Acrobat eBook Reader. Please contact Adobe Systems Customer Support at http://www.adobe.com/suport/[...] for assistance in completing this update. Challenge: E7P6 4K2D 7MU3 VUDT 5. Ring Adobe, quoting the Challenge code, then receive an Activation code. 6. eBooks can now be reopened. However, activation code can be easily obtained for any given Challenge without calling Adobe. Here is how Adobe Acrobat eBook Reader verifies the Activation code: 1. The 'Challenge' is being encrypted using popular symmetric block cipher; the encryption key (actually, there are two keys: one in Reader 2.1 and older, and another in Reader 2.2) is constant and stored inside the Adobe eBook Reader executable. 2. Encrypted 'Challenge' is being hashed using another popular algorithm. 3. First 10 bytes of the hash value (converted from binary to text using MIME-like encoding) is the proper Activation code -- the Reader just compares it with the one entered to the Reader. The details (the names of the ciphers, and the encryption keys) are not provided here for security reasons. The impact of this vulnerability. --------------------------------- Even using standard method (by calling Adobe to receive proper Activation code), anybody can create illegal copies of "protected" Adobe eBooks. But even worse, any person with a basic knowledge of crypto algorithms can write a program to generate an Acivation code from the Challenge, so eliminating 'calling Adobe' step completely. SOLUTION Workarounds and/or fixes. ------------------------- No ones available at the moment. But to implement reliable and secure challenge-response scheme, it is not enough just to "use sophisticated, industry-standard levels of software encryption" - it is necessary to use them *properly*. The Activation code should be calculated at Adobe using asymmetric algorithm like RSA (with a private key, known only to Adobe), while the Reader should decrypt it using public key, and compare the result with the Challenge. So the Reader itself will not contain enough information needed to make proper Activation code from the Challenge.