[NEWS] Protected Adobe eBooks can be copied between Computers

From: support@securiteam.com
Date: 07/31/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 31 Jul 2002 15:40:16 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Protected Adobe eBooks can be copied between Computers
------------------------------------------------------------------------

SUMMARY

Adobe Content Server (now in use by more than 300 online retail sites)
enables the distribution of eBooks and electronic documents from any Web
site as PDF files with complete Digital Rights Management (DRM). To
prevent unauthorized reading or copying of eBooks, the Acrobat eBook
Reader (the client software for reading eBooks) does not allow the same
eBooks to be read on more than one computer, nor eBook and data files to
be copied from one computer to another. However, there are a few defects
in the implementation of this protection in Acrobat eBook Reader, so
eBooks can still be copied across different computers.

DETAILS

Vendor status:
Adobe was notified of this vulnerability on July 23, 2002, but has
chosen not to reply.

 <http://www.adobe.com/products/contentserver/> Adobe Content Server makes
it easy for you to sell electronic books (eBooks) securely online. Adobe
Content Server packages and protects eBooks and distributes them in PDF
format directly from any Web site. Anyone with the free Adobe
<http://www.adobe.com/products/ebookreader/> Acrobat eBook Reader can
purchase your content with ease. When the file is encrypted, a special
master voucher for its distribution is created. The master voucher is a
separate, XML-based file that contains an encrypted key to the eBook and
the set of privileges that accompany it. When a customer purchases an
Adobe PDF eBook directly from an e-commerce site, it is automatically
downloaded into the customer's personal Acrobat eBook Reader library for
immediate viewing. Acrobat eBook Reader unlocks the encrypted key that
came with the eBook and its master voucher. Now the eBook is tied to the
customer's Acrobat eBook Reader and can't be transmitted elsewhere (by
design): every other copy of the Reader uses a different (unique)
encryption key, so an eBook purchased on one computer cannot be opened on
other computers.

On January 29, an Adobe representative (Mr. Thomas R. Diaz, Senior
Engineering Manager for the eBook Development Group at Adobe Systems
Incorporated) advised that it is possible to back up a collection of
eBooks from one computer and restore them to a different machine by using
a backup feature built into Adobe eBook Reader (note: this process works
on your entire library of Adobe eBook Reader files regardless of where you
obtained them, and does not require you to consult the eBookStore you
purchased from):

Backing Up Adobe Acrobat eBook Reader eBooks
http://www.planetebook.com/mainpage.asp?webpageid=279

1. Make a copy of the 'Data' folder (including 'Vouchers' subfolder)
2. Install Adobe eBook Reader on another machine
3. Restore the 'Data' folder over the corresponding 'Data' folder in your
freshly installed Adobe Acrobat eBook Reader
4. Open Adobe Acrobat eBook Reader and attempt to open one of the eBooks.
You will receive the following message:

      Update Reader

      Voucher Update Required (Version 2.2 Build 203)

      You will not be able to read your eBooks until you update your
      installation of Acrobat eBook Reader. Please contact Adobe Systems
      Customer Support at http://www.adobe.com/suport/[...] for
      assistance in completing this update.

      Challenge: E7P6 4K2D 7MU3 VUDT

5. Ring Adobe, quote the Challenge code, and receive an Activation code.
6. The eBooks can now be reopened.

However, an Activation code can easily be obtained for any given Challenge
without calling Adobe. Here is how Adobe Acrobat eBook Reader verifies the
Activation code:

1. The 'Challenge' is encrypted with a popular symmetric block cipher; the
encryption key (actually, there are two keys: one in Reader 2.1 and older,
another in Reader 2.2) is a constant stored inside the Adobe eBook Reader
executable.
2. The encrypted 'Challenge' is hashed with another popular algorithm.
3. The first 10 bytes of the hash value (converted from binary to text
with a MIME-like encoding) are the proper Activation code -- the Reader
simply compares them with the code entered by the user.

The details (the names of the ciphers, and the encryption keys) are not
provided here for security reasons.

Impact:
Even using the standard method (calling Adobe to receive a proper
Activation code), anybody can create illegal copies of "protected" Adobe
eBooks. Even worse, any person with basic knowledge of crypto algorithms
can write a program that generates the Activation code from the
Challenge, eliminating the 'call Adobe' step entirely: since the cipher,
the hash and the constant key all live inside the Reader executable, the
verifier already contains everything a generator needs.

Workarounds and/or fixes:
None is available at present. However, to implement a reliable and secure
challenge-response scheme, it is not enough just to "use sophisticated,
industry-standard levels of software encryption" - it is necessary to use
them *properly*.

The Activation code should be calculated at Adobe with an asymmetric
algorithm such as RSA (using a private key known only to Adobe), while the
Reader should decrypt it with the public key and compare the result with
the Challenge. The Reader itself would then not contain enough information
to compute a proper Activation code from the Challenge.
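The following is an added example written for this page; it is not Elcomsoft's or Adobe's code. It models both the flawed three-step check described above (encrypt the Challenge under a constant key, hash, text-encode the first 10 bytes) and the signature-based fix proposed in this section. The advisory withholds the real cipher, hash and keys, so every algorithm, constant and name here is an assumption chosen for illustration: XTEA stands in for the unnamed block cipher, SHA-256 for the unnamed hash, base64/base32 for the "MIME-like" text encoding, and a textbook RSA key built from two well-known Mersenne primes stands in for a real signing key. The fix signs a hash of the Challenge rather than the raw Challenge, which is the usual way to apply RSA to a value of arbitrary length.

```python
"""Toy model of the Reader's activation-code check and of the proposed
signature-based replacement.  Added example, not Elcomsoft's or Adobe's code.
All algorithms, keys and function names are assumptions for illustration."""
import base64
import hashlib
import struct

# ---- Flawed scheme (steps 1-3 of the advisory) ------------------------------
# Hypothetical constant key "stored inside the executable" (assumption).
READER_CONSTANT_KEY = (0x41646F62, 0x65206542, 0x6F6F6B20, 0x52656164)


def xtea_encrypt_block(v0, v1, key, rounds=32):
    """Encrypt one 64-bit block (two 32-bit words) with XTEA (stand-in cipher)."""
    mask, delta, s = 0xFFFFFFFF, 0x9E3779B9, 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & mask
        s = (s + delta) & mask
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & mask
    return v0, v1


def normalise_challenge(challenge: str) -> bytes:
    """'E7P6 4K2D 7MU3 VUDT' -> b'E7P64K2D7MU3VUDT' (16 bytes, two XTEA blocks)."""
    raw = challenge.replace(" ", "").upper().encode("ascii")
    if len(raw) != 16:
        raise ValueError("challenge must be 16 characters")
    return raw


def flawed_activation_code(challenge: str) -> str:
    """Step 1: encrypt the challenge under the constant key (ECB, two blocks).
    Step 2: hash the ciphertext.  Step 3: text-encode the first 10 hash bytes."""
    raw, ct = normalise_challenge(challenge), b""
    for off in (0, 8):
        v0, v1 = struct.unpack(">II", raw[off:off + 8])
        ct += struct.pack(">II", *xtea_encrypt_block(v0, v1, READER_CONSTANT_KEY))
    digest = hashlib.sha256(ct).digest()
    return base64.b64encode(digest[:10]).decode("ascii").rstrip("=")


def reader_accepts(challenge: str, entered_code: str) -> bool:
    """What the Reader does: recompute the expected code locally and compare.
    Everything it needs is in the binary, so an attacker can do the same."""
    return flawed_activation_code(challenge) == entered_code


keygen = flawed_activation_code   # the 'keygen' is literally the same function

# ---- Proposed fix: the code is an RSA signature made at Adobe ---------------
# Textbook RSA over two well-known Mersenne primes: toy size, no padding,
# illustration only.  Only RSA_N and RSA_E would ship inside the Reader.
_P, _Q = 2**31 - 1, 2**61 - 1
RSA_N, RSA_E = _P * _Q, 65537
RSA_D_ADOBE_ONLY = pow(RSA_E, -1, (_P - 1) * (_Q - 1))   # private exponent


def challenge_digest_int(challenge: str) -> int:
    """Hash the challenge and reduce to an integer below the toy modulus."""
    digest = hashlib.sha256(normalise_challenge(challenge)).digest()
    return int.from_bytes(digest, "big") % RSA_N


def adobe_sign_challenge(challenge: str, d: int = RSA_D_ADOBE_ONLY) -> str:
    """Server side: needs the private exponent d to produce a valid code."""
    sig = pow(challenge_digest_int(challenge), d, RSA_N)
    return base64.b32encode(sig.to_bytes(12, "big")).decode("ascii").rstrip("=")


def reader_verify_signed(challenge: str, code: str) -> bool:
    """Client side: public key only.  Undo the signature with e and compare
    with the challenge digest; a malformed code is simply rejected."""
    try:
        sig = int.from_bytes(base64.b32decode(code + "=" * (-len(code) % 8)), "big")
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return pow(sig, RSA_E, RSA_N) == challenge_digest_int(challenge)


if __name__ == "__main__":
    ch = "E7P6 4K2D 7MU3 VUDT"          # the challenge quoted in the advisory
    code = keygen(ch)
    print("flawed scheme: keygen code", code, "accepted:", reader_accepts(ch, code))
    signed = adobe_sign_challenge(ch)
    print("signed scheme: Adobe code", signed, "verifies:", reader_verify_signed(ch, signed))
    print("signed scheme: keygen output verifies:", reader_verify_signed(ch, code))
```

The contrast is the whole point: `reader_accepts` and `keygen` are the same function, so shipping the verifier ships the generator. In the signed variant, `reader_verify_signed` touches only `RSA_N` and `RSA_E`, and no amount of disassembling the client yields the exponent `RSA_D_ADOBE_ONLY` that `adobe_sign_challenge` needs. A real deployment would use a proper key size and a padded signature scheme (PKCS#1 v1.5 or PSS) rather than this textbook toy.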

ADDITIONAL INFORMATION

The information has been provided by <mailto:info@elcomsoft.com>
Elcomsoft.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


