E-Book Security Assessment: NuvoMedia Rocket ebook™

July 1999

Prepared For: The Association of American Publishers

Prepared By: Global Integrity Corporation, 4180 La Jolla Village Drive, Suite 450, La Jolla, CA 92037

Copyright 1999, Global Integrity Corporation. This document may be reproduced provided that copyright notices are not removed.

Table of Contents

INTRODUCTION
1 BUSINESS MODEL AND DESIGN RATIONALE
2 SYSTEM OVERVIEW
  2.1 PRODUCT
  2.2 PUBLISHER INTERACTIONS
  2.3 CUSTOMER INTERACTIONS
3 SECURITY FINDINGS
  3.1 PUBLISHING SECURITY
  3.2 SERVER SECURITY
  3.3 TRANSMISSION SECURITY
  3.4 E-BOOK DEVICE SECURITY
4 DISCUSSION OF MAJOR SECURITY AREAS
  4.1 LACK OF DOCUMENTATION
  4.2 PRIVATE KEY SECURITY
  4.3 ENCRYPTION STRENGTH ANALYSIS

Introduction

This assessment discusses the security features of the Rocket e-book™ by NuvoMedia.

NuvoMedia, Inc.
310 Villa Street
Mountain View, California 94041
Tel: (650) 314-1200
Fax: (650) 314-1201
Email: info@nuvomedia.com
Web Site: www.nuvomedia.com

This assessment was prepared following the methodology described in the Global Integrity Corporation E-Book Security Assessment: General Report dated July 1999.

1 Business Model and Design Rationale

NuvoMedia provides a Web-conduit service and portable reader device (Rocket e-book™) allowing publishers to sell electronic versions of their content ("digital titles"). NuvoMedia intends for digital titles to be sold through conventional booksellers' web sites as the electronic version of the paper title. A publisher can use the NuvoMedia system to maintain digital titles on specific servers running the NuvoMedia software that in some sense act as electronic printing presses.

NuvoMedia allows publishers complete freedom in formatting the digital title as they see fit. The publisher (or a subcontractor) formats the digital title using a subset of industry-standard HTML. This formatted digital title is then uploaded to a secure server for eventual distribution to customers.

Distribution to customers is a secure process: by packaging and protecting the digital title during transmission the publisher's digital title is secured from theft. Additionally, purchased digital
titles are encrypted in such a way as to be readable only on that customer's Rocket e-book™.

The customer shops for digital titles at bookseller web sites and upon purchase can download the content to their PC from the designated servers running the NuvoMedia software. Librarian software is used to manage digital titles on the customer's PC and download digital titles to the Rocket e-book™ via a cradle attached to the serial port or by infrared link.

NuvoMedia developed the Rocket e-book™ with the intent to provide ease of use, readability, and security of the digital titles.

2 System Overview

2.1 Product

NuvoMedia developed a proprietary reading device, the Rocket e-book™, running on a 32-bit ARM RISC chip and proprietary embedded operating system. About the size of a paperback book, the Rocket e-book™ weighs approximately 22 ounces, has a 3-inch by 4.5-inch backlit black and white LCD touchscreen, and a 33-hour battery life. On the face of the unit are four touch-sensitive buttons, in addition to two forward and backward buttons. A stylus is provided for tapping the touchscreen. The unit comes with a serial-port cradle, an infrared port, a battery charger unit, carrying case, librarian software for the customer's PC, and two digital titles.

The librarian software for the PC is used to organize downloaded digital titles for the Rocket e-book™. Digital titles can be maintained on the customer's PC and downloaded to the Rocket e-book™ with this software. The librarian software also is used for updating the firmware on the Rocket e-book™ when updates are made available.

2.2 Publisher Interactions

Publishers who arrange with NuvoMedia for distribution of digital titles are responsible for formatting and uploading content to a secure NuvoMedia-maintained server, which may or may not reside at the publisher's location. Currently, all digital titles are maintained at a single site running the NuvoMedia software.
While the equipment is owned by NuvoMedia, it is currently located at a third-party hosting site that provides web server hosting services.

Digital titles are formatted for the NuvoMedia reader device using a subset of HTML; support for including special tags specific for the Rocket e-book™ can be accommodated if necessary. Publishers may choose to use an outside subcontractor to perform this formatting service for them. Digital titles can be uploaded at any time to the server using a Web browser, along with associated metadata such as suggested retail price and copyright notices.

Publishers can decide when digital titles on the server will be made available to the general public. Prior to general availability publishers can preview the digital title on their own Rocket e-book™ using a method similar to a normal customer download.

2.3 Customer Interactions

Customers obtain digital titles for their Rocket e-book™ by shopping at established bookseller web sites. In this way, customers use standard methods for paying for digital titles. The bookseller, not NuvoMedia, is responsible for obtaining payment from the customer for the digital titles.

Once a customer purchases a digital title, the bookseller, using a separate channel, informs the server running the NuvoMedia software which digital title has been purchased by a customer. The customer is given a pick-up URL (a URL, containing random character portions, that points to the server) from which digital titles can be downloaded. By clicking on the URL in the
browser, a download session is started. The media type of the download causes the librarian software on the PC, supplied with the Rocket e-book™, to initiate. The librarian software maintains the various digital titles that have been downloaded by that customer. The digital titles themselves are stored on the PC in unreadable, encrypted form.

The librarian software is also used to download digital titles' content from the customer's PC to the Rocket e-book™. This process is performed either through a cradle attached to the serial port of the PC or through an infrared port. Customers can choose which digital titles to download into the memory of the Rocket e-book™ for viewing. During this entire download process, the digital title remains in encrypted form.

3 Security Findings

3.1 Publishing Security

3.1.1 Digital Title Protection

Formatted content can be uploaded to the server running the NuvoMedia software for preview and post-sale delivery to customers in a secure manner. Interactions with the server are done through an encrypted SSL connection.

Protection for the digital title's integrity once uploaded is not currently enforced. Previewing the digital title may allow any alteration to be detected, but there is no automated way to ensure that the digital title that is downloaded is the same as the one that was uploaded. Procedures that would ensure digital title integrity, such as computing a hash of the digital title upon upload, would be simple to implement.

3.1.2 User Authentication

There are two types of authentication that are used to assure only legitimate publishers gain access to the server running the NuvoMedia software. The first type uses a login and password sequence that publishers must enter to access the server. In addition, only machines at specified IP addresses are permitted entry.

3.2 Server Security

3.2.1 System Administration

NuvoMedia employs an industry-recognized server system to act as the digital title server.
A firewall is in place between the server and the Internet to prevent malicious access. NuvoMedia has adopted industry-accepted security practices to protect their server.

3.2.2 Digital Title Protection

Digital titles that have been uploaded by publishers are stored in unencrypted form on the server running the NuvoMedia software. There are no specific safeguards for digital title integrity while the digital title is in this quiescent state.

3.2.3 User Authentication

Customers access the server running the NuvoMedia software via the pick-up URL, issued by the bookseller upon purchase of a digital title. When accessing this URL, the customer provides the email address that was given during the initial registration process of the Rocket e-book™. Using this information, the server is able to use the appropriate public key for that customer's specific Rocket e-book™ to encrypt the digital title's secret key prior to download. No additional checks
are performed on the identity of the user; i.e., the particular person using the pick-up URL is not verified.

Booksellers must inform the digital title server when a customer has purchased a digital title. This allows the pick-up URL to be generated and returned to the bookseller for presentation to the customer. In its current implementation, this information exchange between the bookseller and the server does not include a mutual authentication exchange. This is a potential vulnerability for both parties, particularly as the number of booksellers increases. For example, a malicious attacker may pose as a legitimate bookseller and claim that a title has been purchased.

3.3 Transmission Security

3.3.1 Digital Title Protection

The server running the NuvoMedia software knows the public keys of all currently authorized Rocket e-books™. It is the use of these public keys that ensures that the digital title being transmitted can only be viewed by one particular Rocket e-book™: the one with the matching private key.

An important security feature of this system is that the digital title is encrypted uniquely each time it is downloaded by a new customer. This ensures that there is not a single point of failure for all the other copies of the same digital title on all the other Rocket e-books™.

When a consumer accesses a pick-up URL, several process steps occur at that time:

1. The digital title that the consumer is requesting is compressed.
2. The compressed digital title to be protected is then encrypted with a symmetric algorithm using a random key.
3. Other content, such as marketing materials and copyright notices, is left in the clear.
4. The symmetric key used to encrypt the protected content is encrypted itself using the public key associated with the customer's Rocket e-book™.
5. The encrypted content (result of step 2) is digitally signed using the private key of the NuvoMedia server, for which the Rocket e-book™ knows the associated public key.
6. A package that includes the results of steps 2 through 5 is downloaded to the customer's PC.

These steps ensure that the content is protected during transmission, the content originates from an authorized server, and only the customer's Rocket e-book™ can decrypt the content.

3.3.2 User Authentication

Before downloading any content, the customer is required to register his new Rocket e-book™ with NuvoMedia. This registration process involves both customer and Rocket e-book™ registration. At the time the customer registers their Rocket e-book™, by giving such information as an email address, the Rocket e-book™ registers itself by uploading a specific set of data particular to that individual Rocket e-book™. At this time, a particular public/private key pair is computed for the Rocket e-book™ on the server running the NuvoMedia software and a proprietary certificate mechanism is used to supply the private key to the Rocket e-book™. This differs from industry best practices, in which the private key never leaves the device on which it is generated. Advertising the private key at all through such a mechanism potentially reduces its secrecy.

At the same time, the Rocket e-book™ is configured with the public key of the server running the NuvoMedia software. These keys allow future exchanges to be done securely, as described in the previous section. Since Rocket e-books™ are configured with the public key of this server, the
protection of this key pair at the server is important. This key pair is used to authenticate the server's identity. Compromise of this one key pair invalidates the notion of the trusted server for all registered Rocket e-books™. It is a potential single point of failure in the system, particularly during the registration of a new Rocket e-book™ with NuvoMedia. For instance, there is a possibility that a sophisticated attacker who had surreptitiously received this key pair could alter and sign the data intended for the new customer's device.

One further method used to foil unauthorized accesses of the digital title server running the NuvoMedia software is the expiration of pick-up URLs after a certain amount of time. Once the bookseller issues a pick-up URL, it is only valid for a period of days. The pick-up URL validity period is tuneable by NuvoMedia, which tries to balance the customer's convenience of not having to immediately download the title against the security risk of leaving access to the title open for an extended period of time.

3.4 E-Book Device Security

3.4.1 Digital Title Protection

As described in the previous sections, the digital title provided to the server running the NuvoMedia software is viewable only on one customer's Rocket e-book™. This is true since the digital title can only be decrypted using the customer's private key to gain access to the digital title's symmetric encryption key.

With the appropriate keys, the Rocket e-book™ performs the following steps to display the content:

1. The signature on the encrypted digital title is verified using the public key of the server running the NuvoMedia software.
2. The digital title's encryption key is decrypted using the reader device's private key.
3. The compressed digital title is decrypted using the digital title's symmetric encryption key.
4. The compressed digital title is then uncompressed.
5. The digital title is formatted for viewing based on the current view of the Rocket e-book™.
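
The server-side packaging steps of section 3.3.1 and the device-side steps above, as an added Go example that is not NuvoMedia's code and not part of the original report. The report does not name the algorithms, so DEFLATE, AES-256-GCM, RSA-OAEP and RSA PKCS#1 v1.5 signatures are assumptions, as are the Package layout and all function names.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Package is one pick-up download (hypothetical layout); Clear stays unencrypted.
type Package struct{ Clear, Ciphertext, WrappedKey, Signature []byte }

// newKey makes a throwaway RSA key standing in for a server or device key.
func newKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

// Pack is the server side: compress, encrypt, wrap the key for one device, sign.
func Pack(title, clear []byte, dev *rsa.PublicKey, srv *rsa.PrivateKey) (*Package, error) {
	var z bytes.Buffer
	w, _ := flate.NewWriter(&z, flate.BestCompression)
	w.Write(title)
	w.Close()
	rnd := make([]byte, 32+12) // new AES-256 key and GCM nonce for every download
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	blk, _ := aes.NewCipher(rnd[:32])
	gcm, _ := cipher.NewGCM(blk)
	p := &Package{Clear: clear}
	p.Ciphertext = gcm.Seal(rnd[32:], rnd[32:], z.Bytes(), nil) // nonce || ciphertext || tag
	var err error
	p.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, dev, rnd[:32], nil)
	if err != nil {
		return nil, err
	}
	d := sha256.Sum256(p.Ciphertext) // only the encrypted content is signed
	p.Signature, err = rsa.SignPKCS1v15(rand.Reader, srv, crypto.SHA256, d[:])
	return p, err
}

// Unpack is the device side: verify, unwrap the key, decrypt, uncompress.
func Unpack(p *Package, dev *rsa.PrivateKey, srv *rsa.PublicKey) ([]byte, error) {
	d := sha256.Sum256(p.Ciphertext)
	if len(p.Ciphertext) < 12 || rsa.VerifyPKCS1v15(srv, crypto.SHA256, d[:], p.Signature) != nil {
		return nil, fmt.Errorf("rejected: not signed by the trusted server")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, dev, p.WrappedKey, nil)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("key unwrap failed: package is bound to another device")
	}
	blk, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(blk)
	z, err := gcm.Open(nil, p.Ciphertext[:12], p.Ciphertext[12:], nil)
	if err != nil {
		return nil, err
	}
	return io.ReadAll(flate.NewReader(bytes.NewReader(z)))
}

func main() {
	srv, dev := newKey(), newKey()
	p, _ := Pack([]byte("Chapter 1 (constructed sample)"), []byte("(c) notice"), &dev.PublicKey, srv)
	out, err := Unpack(p, dev, &srv.PublicKey)
	fmt.Printf("%q %v\n", out, err)
}
```

Packing the same title twice yields a different ciphertext and wrapped key each time, which is the per-download uniqueness described in section 3.3.1.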

During this process, only a small amount of the digital title is decrypted at any one time. The amount of decrypted digital title varies slightly depending on how the digital title was originally prepared by the publisher; however, the full decrypted text is never stored.

Currently, a customer is permitted unlimited viewing of a purchased digital title. The Rocket e-book™ itself can store several digital titles at one time.

The software that the Rocket e-book™ uses to perform these functions can be updated from time to time via a download of new system software. NuvoMedia maintains the source code for all of the firmware (embedded OS, application, cryptographic algorithms) in house and occasionally makes updates available for the customer at time of digital title download. When such updates are available, the customer is prompted when a pick-up URL is accessed. The system software is encrypted during download.

The proprietary nature of the Rocket e-book™ hardware gives it an added advantage in protecting content and decryption methods. The hardware is built around a Sharp LH77790A RISC microcontroller, presumably developed with the LU7790H2A ARM Hardware Development Toolkit. The LH77790A has many features integrated into the chip such as LCD controller, infrared services, and memory controller. These functions usually require additional onboard components, which would leave unencrypted content vulnerable while being transmitted to the screen controller or memory. While the development kit for the micro-controller is easily
obtainable, it lacks the tools required to disassemble or reverse-engineer the Rocket e-book™ software.

3.4.2 User Authentication

The serial number of each Rocket e-book™ is publicized and displayed on the bottom of each Rocket e-book™. This number, though, is not used for securing data transmission. Any information required for secure registration is stored securely on a tamper-resistant chip within the Rocket e-book™ when it is manufactured.

4 Discussion of Major Security Areas

There are three main areas of NuvoMedia's security that merit discussion:

- Lack of documentation of the system's design and security policies and procedures.
- Best practices are not used for securing a customer's private key.
- Encryption strength cost/effort analysis.

4.1 Lack of Documentation

Detailed up-to-date documentation describing the system's design and security policies and procedures was not available for this review. According to NuvoMedia, there is an extensive set of design documentation that is maintained internally, though we were unable to verify it for this review. NuvoMedia has yet to fully document its security policies and procedures; they are aware of the necessity to address this in the future.

Good documentation is a valuable asset for any system, whether or not any of the information is made public. A lack of documentation has the following drawbacks:

- Information regarding the system tends to be maintained in the heads of a few critical individuals
- Consistency of design and policy is not ensured between individuals
- Later design and policy decisions may not take into account earlier decisions
- There is no effective method of internal review of the design and policies
- The designs and policies are essentially closed, making external review difficult

With respect to the last point, closed systems are inherently more difficult to trust.
While there may be numerous business reasons why NuvoMedia does not want the details of its system discussed in public, there would be positive aspects to this type of openness. Take the development of the SSL protocol as an example. SSL is designed to make transactions across the Internet secure. This system is trusted, not because SSL's internal security aspects are kept hidden, but exactly for the opposite reason. SSL was developed in the open and could be reviewed by the industry. This fostered its trusted status and the resulting rapid and extensive acceptance by the industry.

4.2 Private Key Security

NuvoMedia does not follow industry best practices by generating the private key for the customer outside the Rocket e-book™ and then delivering that key over an open network. This approach was a result of a design tradeoff made by NuvoMedia, as is often the case when considering the implications of good-enough security versus ease-of-use for their customers.

Encryption using public/private keys is a powerful way of securing communication over the Internet. The
methodology is based on a set of practices that ensure maximal security for the parties involved in secure communication. An important facet of this methodology is the protection of the private key from exposure. The best way to accomplish this is to make sure the private key itself never leaves a secured store.

The Rocket e-book™ does not generate its own keys and, therefore, the private key for the customer must be supplied to it from the external world. This currently happens during the registration process. While this process does encrypt the information being exchanged during transmission, it is less rigorous than doing the key generation on the device itself. Breaking the transmission encryption would result in exposure of the key. This process potentially exposes system security to unknown attack because the mechanism does not follow a recognized trusted methodology that is known to ensure security.

4.3 Encryption Strength Analysis

This section provides an overview of the cost/effort analysis that was performed on the encryption technology used by NuvoMedia. The aim of this section is to show the factors that address the longer-term security of encrypted content, basing the analysis on the encryption methods used by NuvoMedia.

Encrypted digital titles will not remain secure forever. Computational capacity is always increasing. Moore's Law states that computational abilities double about every 18 months. It is not clear whether this pace of improvement will be sustained indefinitely, due to physical limitations or other barriers, but this law has been a fairly consistent predictor for two decades.

Increased computational ability allows brute force attacks on encrypted content to be accomplished in increasingly shorter time frames. The faster you can try every possible decryption key, the easier it is to eventually crack the encryption.
Today an encryption technique may have enough possible keys that attempting to find the correct one would take centuries or millennia or longer to try each one. However, eventually the increase in computation speed will chip away at that security. The exponential growth of computational speed, combined with the increasing sophistication of methods for breaking encryption, will eventually catch up with even the most forward-thinking encryption techniques.

This concept should be well noted in terms of protecting copyrighted materials through the life of their copyright. Once a piece of copyrighted material is released in digital form, properly secured, it cannot be taken back. That digital version of the work can potentially be attacked years in the future with the advantage of increased computational speed. Encrypted copyrighted material, for which the copyright lasts 75 years, could be trivial to crack in the much nearer future.

The graph below shows how the current encryption technique used by NuvoMedia stands up against Moore's Law over 50 years. Just as computational abilities are expected to continue to improve, it is reasonable to assume that advances in cryptography will also provide better protection. NuvoMedia's security architecture accommodates this model by allowing newer encryption algorithms to be upgraded in the future by upgrading the server's software and the e-book's firmware, which would shift the lines on the graph to the right (i.e., increasing the time before the encryption is likely to be broken).

The graph shows the expected number of years that it would take to crack a current e-book title using different levels of computational resources. The time it would take to exhaustively check each possible encryption key for the encryption key size was calculated. The number of keys that can be scanned with current technology was based on key scanning statistics public within the industry.
From this baseline key searching speed, it was assumed that computational abilities would double every 18 months. The lines on the graph range from using a cheap approach, for example an average PC, to an expensive approach using multiple computers with higher
computational capabilities. The expensive solution would cost on the order of a million of today's dollars. The Cheap Personal Computer solution represents the average desktop computer.

[Figure 1: NuvoMedia Press Encryption. Vertical axis: level of effort (in years) estimated for brute force attack, from 1 to 100000000. Horizontal axis: year, from 1997 to 2049. Lines: Cheap, Low, Medium, Expensive.]

As you can see, the encryption techniques that NuvoMedia uses to secure the publisher's digital titles are very secure today. Even with a million-dollar endeavor an encrypted digital title would be expected to withstand a brute force attack for over 25 years, and it is completely infeasible to crack a digital title with anything less. The playing field is continuously changing though. By the year 2011, that digital title is trivial to crack for the expensive solution. Continuing into the future, by 2040, halfway through the copyright term of the title, the encryption will not offer any protection for the work.
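
The model behind Figure 1, as an added Go example that is not part of the original report: effort is the full keyspace divided by a key-search rate that doubles every 18 months. The report states neither the key size nor the baseline rates, so the 56-bit key and the four tier rates below are constructed values, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"math"
)

const (
	doubling   = 1.5 // years per doubling of search speed (the report's Moore's Law figure)
	secPerYear = 365.25 * 24 * 3600.0
)

// EffortYears is the time to try every key of keyBits bits at the speed
// available `after` years past the baseline; rate0 is keys/second at baseline.
func EffortYears(keyBits int, rate0, after float64) float64 {
	return math.Exp2(float64(keyBits)-after/doubling) / (rate0 * secPerYear)
}

// YearsUntil is how long after the baseline the effort first falls to limit years.
func YearsUntil(keyBits int, rate0, limit float64) float64 {
	return math.Max(0, doubling*math.Log2(EffortYears(keyBits, rate0, 0)/limit))
}

// BitsToOutlast is the smallest key size whose effort is still at least
// limit years when the attack is mounted at the end of a term of `term` years.
func BitsToOutlast(rate0, term, limit float64) int {
	return int(math.Ceil(math.Log2(rate0*secPerYear*limit) + term/doubling))
}

func main() {
	// Constructed baseline rates (keys/second) for the four tiers named in Figure 1.
	tiers := []struct {
		name string
		rate float64
	}{{"Cheap", 1e6}, {"Low", 1e8}, {"Medium", 1e10}, {"Expensive", 1e12}}
	const bits = 56 // assumed key size; the report does not state it
	for _, t := range tiers {
		fmt.Printf("%-9s effort now %.3g y, under 1 y after %.1f y, bits for 75 y term: %d\n",
			t.name, EffortYears(bits, t.rate, 0), YearsUntil(bits, t.rate, 1),
			BitsToOutlast(t.rate, 75, 1))
	}
}
```

Under this model each 18 months of attacker progress cancels one bit of key length, so a title meant to stay protected for a 75-year copyright term needs 50 more key bits than one that only has to resist today's hardware.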