In this paper, we’ll go into more detail about how Readium LCP works, without diving into technical details.
Back to basics!
One could summarize Readium LCP as being a password-based protection.
A Content Provider encrypts the content of an EPUB file, and provides a password to a User who has acquired the right to read the content. The User loads the Protected Content in a dedicated application, enters the password and can enjoy the EPUB content. So far so good.
But such a simple solution would not fulfill all the goals listed in the Readium LCP Overview. It would not provide a solution for library lending because the publication would be accessible without time limits. It would not be so easy to use because the end user would have to enter his password each time he wants to open the publication. It would not be able to avoid oversharing (a.k.a. pirating) because anybody could upload the protected content plus the password to the web with no way to stop the dissemination of the content.
We’ll see in the coming sections that Readium LCP provides solutions for all of these limitations; Readium LCP is really more than a password based protection scheme.
The protection of an EPUB publication is applied in two phases:
- First the EPUB content is encrypted;
- Then a personal license is generated for each user who acquires the protected EPUB content.
Content encryption is applied by a simple encryption software module, which is part of the Readium LCP Server open-source solution.
The encryption scheme is based on the US Government standard AES (Advanced Encryption Standard), which is known to be secure. Encryption details are part of the confidential information provided by EDRLab to the Readium LCP Provider.
This module may be implemented in several ways, e.g. as a command line executable or a daemon triggered by the upload of an EPUB file in a dedicated folder.
Functionally, it takes as an input an unprotected EPUB file and generates a protected EPUB file and a content encryption key. The reference to the protected EPUB publication and corresponding content encryption key are then moved to the Readium LCP license server.
Generation of an LCP licence
The Readium LCP License Server generates LCP licenses on the fly via a simple API.
A Readium LCP license is a small document which contains:
- A set of rights; standard rights are:
  - A start and end access date and time, especially useful for library lending;
  - The number of pages the user is allowed to print;
  - The number of characters the user is allowed to copy/paste;
- The passphrase hint; this information is important; more details below, in section “Interaction with the Reading System”;
- The content key, encrypted; the reading system will use the user passphrase in order to get this data in clear;
- The provider certificate and a digital signature; this information will be used by the reading system for checking that the license has not been modified by anyone other than the provider;
- Some limited personal data; LCP can act as a “social DRM”; such information is encrypted for privacy protection, and the License Server does not store this information.
- Optionally, the URL of the protected content associated with this license, used if the license is delivered as a stand-alone file (.lcpl).
Note: Initially, a fourth type of rights indicated if the reading system was allowed to use a built-in text-to-speech (tts) read-aloud engine (this potential restriction has been historically part of most DRM models). The presence of this restriction was going against the accessibility requirements of EPUB. This feature has therefore been suppressed from the specification, which is another proof that users’ needs are critical for Readium LCP creators.
Distribution of protected EPUB files
A protected EPUB file is simply the association of protected content with a license. The license file can be embedded in the EPUB container, or be distributed standalone.
We will illustrate the distribution of protected EPUB files with two use cases: in the first case, a Bookseller sells ebook products, but does not directly provide the EPUB files; these are managed by a Distributor (one or more). Each distributor has installed a Readium Content Server in its infrastructure, and receives “master” EPUB files from different Publishers. In the second case, the Bookseller also acts as Distributor, i.e. he gets “master” content from Publishers and encrypts them in its infrastructure.
In the first case, we’ll consider that each time a user buys an ebook from his reading system, he gets a Readium LCP license in return. The user does not handle the license file manually, because his reading system takes care of it. The reading system finds the URL of the protected content in the license, automatically downloads this EPUB publication and includes the license inside the EPUB file. From this moment, the EPUB file with its included license can be opened by the reading system, archived, exported to another reading system etc. and the user has only one file to care about.
In the second case, the Distributor has decided to include the license in the EPUB publication before sending it to the user reading system. The reading system gets the monolithic file and handles it directly.
Interaction with the reading system
The end user has downloaded (e.g. bought, borrowed) a protected EPUB publication (let’s call it ebook) from a bookstore or public library. The ebook is now loaded in his Readium LCP compliant reading system (dedicated e-reader or application), and the user wants to read it.
In practice there are different use cases:
- The user has purchased the ebook via a reading system that is specific to the bookseller. The user is authenticated via a login and password; in such a case, the user experience will be exactly the same as the experience he would have if buying an ebook in a closed environment; the passphrase associated with this ebook will automatically be downloaded by the reading system, the book will be automatically decrypted and be readable without any user action. This is what happens today with the TEA CARE solution.
- The user has already downloaded several protected books in his reading system, from the same bookstore. The good practice is for a provider to provide a single passphrase for all books purchased on its store by a given user. Therefore, the reading system will try the passphrase it has kept in its cache, and if it works, the book will be automatically decrypted and be readable without any user action. If no usable passphrase is found, the third use case will apply.
- The user has never opened a protected ebook from the given provider in his generic reading system, and therefore no usable passphrase is found in cache. In this case, a pop-up will appear to the user, with a message we call the “passphrase hint”, a text field and a validation button. The user will read the hint, he will then know which passphrase he has to enter, he’ll click ‘validate’; the book will be automatically decrypted and immediately readable.
It is important to notice that the passphrase processing doesn’t need any online connection; the user will be able to open the ebook even after the bookseller has disappeared for years.
Note: the assertion we made here about the passphrase being cached by the reading system is an oversimplification of the real process, but sufficient for an explanation of the principles of Readium LCP.
From the passphrase to the content decryption key
A user knows a passphrase (something he has chosen or which has been given to him by a license provider).
The software transforms the passphrase into a user key (h = hash(pp) then uk = userkey(h), with “userkey” a simple string transform). The user key can decrypt the content key provided in the user license. The content key can decrypt the content.
The Readium LCP library software is mostly open-source, only uk = userkey(h) isn’t (in the open-source version it is void). Only trusted licence providers and trusted app developers know what this string transform is. Therefore one cannot take the open-source software and simply add a “save as clear epub” feature applied on ebooks provided by certified servers.
Certified applications must be hardened, so that hackers don’t easily find the secret “userkey” transform.
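The chain described above, as an added Go example that is not Readium or EDRLab code. It assumes SHA-256 as the hash and AES-256-CBC with a prepended IV and PKCS#7 padding for the encrypted content key; “userkey” is the identity, which is how the page describes the open-source build, and all function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const bs = aes.BlockSize // 16 bytes

// userKey: h = hash(pp), uk = userkey(h). Assumed: SHA-256; userkey is the
// identity, which is how the page describes the open-source build.
func userKey(passphrase string) []byte {
	h := sha256.Sum256([]byte(passphrase))
	return h[:]
}

// wrapContentKey (provider side): AES-256-CBC, IV prefix, PKCS#7 (all assumed).
func wrapContentKey(uk, ck []byte) []byte {
	block, _ := aes.NewCipher(uk) // uk is a SHA-256 digest: always a valid key
	pt := append(append([]byte{}, ck...), bytes.Repeat([]byte{bs}, bs)...) // ck: 32 bytes
	out := make([]byte, bs+len(pt))
	rand.Read(out[:bs]) // fresh random IV for every license
	cipher.NewCBCEncrypter(block, out[:bs]).CryptBlocks(out[bs:], pt)
	return out
}

// unwrapContentKey (reading system) works offline; a wrong key fails the padding check.
func unwrapContentKey(uk, field []byte) ([]byte, error) {
	if len(field) != 4*bs { // IV + 32-byte key + one padding block
		return nil, fmt.Errorf("malformed encrypted content key")
	}
	block, _ := aes.NewCipher(uk)
	pt := make([]byte, 3*bs)
	cipher.NewCBCDecrypter(block, field[:bs]).CryptBlocks(pt, field[bs:])
	if !bytes.Equal(pt[2*bs:], bytes.Repeat([]byte{bs}, bs)) {
		return nil, fmt.Errorf("passphrase does not open this license")
	}
	return pt[:2*bs], nil
}

func main() {
	field := wrapContentKey(userKey("12345678901"), bytes.Repeat([]byte{0x42}, 32)) // constructed key
	_, err := unwrapContentKey(userKey("wrong guess"), field)
	fmt.Println(len(field), err)
}
```

The license carries only the wrapped field, so the content key is recoverable by anyone holding the passphrase and the transform, which is why the page keeps the real “userkey” step out of the open-source code.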
About the passphrase and passphrase hint
The passphrase is the “key” which opens a Readium LCP protected ebook; Readium LCP names it passphrase just because it can contain several words.
A user will have one passphrase per bookstore or public library (only perverse providers would change the passphrase for each book they sell to a user); because the Readium LCP ecosystem is distributed, it is not possible to have a unique passphrase for all ebook bookstores in the world.
The passphrase must be easy to remember or find. It may be freely chosen by the user, or generated by the bookstore. In the case of a public library, it may be the user identifier, which can easily be found on the library card.
The passphrase hint – which is included in the LCP license as described previously – is a message which helps the user find the passphrase needed for a given ebook. It must be very clear for the user; for instance “Enter your passphrase” is the worst hint you could get, and no LCP licence provider will be allowed to do such a thing. But “Enter your favorite adventure book” or “Enter the 11 digits of your New York Public Library identifier, which you’ll find on your 2016 NYPL card” seems a pretty precise hint.
The passphrase hint gives a short textual indication; it can be completed in the license by a hyperlink pointing to a page, on the bookseller website, where more detailed information and assistance can be found.
Note that the best way to remember passphrases forever may be the old way, i.e. store them in a password manager (Dashlane, LastPass …). Just in case…
Protection against oversharing
Friendly / family sharing is not prohibited, and people may freely give their passphrase to their relatives. But there must be a protection against people who could be tempted to store protected publications and associated passphrase on public Cloud servers.
Each time a user opens a protected ebook for the first time on a given device, and if the reading system is online, the reading application may register the device for this license, via a request to the License Server which served the license.
The License Server will maintain a list of registered devices; if an uncommonly large number of registered devices shows that the protected publication has been “overshared”, the license may be revoked a posteriori by the Distributor; after such action, each device opening the publication, if online, will then cease being able to read it. Details of such measure are left to contractual clauses between the Distributor and the publisher of the protected publication. In such a case, a message will advise the user of the problem, and will list all currently active devices.
Note that putting a protected ebook plus passphrase on the open web is not something people should do blindly, as the license included in the EPUB file will usually contain minimal personal information (encrypted for privacy protection).
Library lending, return and renewal
Each time a user opens a protected ebook, if the reading system is online, the application will also check if the license has been updated via a request to the Readium License Status server which served the license. This feature will be used by public libraries to ease early return or renewal.
Let’s imagine that, as a public library user, you can borrow three ebooks simultaneously, for 30 days each. After 10 days, you’ve finished them, and want to borrow other ebooks without waiting 20 more days. A reading system compatible with the return and renewal feature will offer a button by which you’ll be able to “return” your ebook immediately. Technically, the license will be automatically updated with a new date of expiration (now), and each reading system that is used for reading the ebook will download the new license as soon as it tries to open it. The library will know that you can borrow new ebooks and let you act accordingly; it will also be able to let other people borrow the returned ebook.
The same applies to renewal, which is a simple extension of the date of expiration of the license.
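The device registration described under “Protection against oversharing” and the return and renewal flow above, modelled together as an added Go example that is not Readium code. The types, method names, dates and device limit are hypothetical. It shows that a status change reaches a device only when it opens the ebook online, while an offline device stays bound by the end date in its own copy of the license.

```go
package main

import (
	"fmt"
	"time"
)

// Status is a hypothetical in-memory record kept by the License Status server.
type Status struct {
	End     time.Time       // current end of the access period
	Revoked bool            // set a posteriori by the Distributor
	Devices map[string]bool // devices registered for this license
}

// Device is a reading system holding its own copy of the license.
type Device struct {
	ID      string
	End     time.Time // end date in the last license it downloaded
	Revoked bool
}

// Review revokes the license once more devices registered than the limit.
// The limit is contractual; any value passed in is an assumption.
func (s *Status) Review(limit int) bool {
	if len(s.Devices) > limit {
		s.Revoked = true
	}
	return s.Revoked
}

// Open registers and syncs when the server is reachable (srv != nil), then
// decides from the device's own copy, so offline opens keep working.
func (d *Device) Open(now time.Time, srv *Status) bool {
	if srv != nil {
		srv.Devices[d.ID] = true
		d.End, d.Revoked = srv.End, srv.Revoked
	}
	return !d.Revoked && now.Before(d.End)
}

func main() {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed dates
	srv := &Status{End: t0.AddDate(0, 0, 30), Devices: map[string]bool{}}
	tablet := &Device{ID: "tablet", End: srv.End}
	day10 := t0.AddDate(0, 0, 10)
	srv.End = day10 // early return: the expiration date becomes "now"
	fmt.Println(tablet.Open(day10.Add(time.Hour), nil)) // true: offline copy
	fmt.Println(tablet.Open(day10.Add(time.Hour), srv)) // false: synced
}
```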
To know more about Readium LCP, read the FAQ or