Some thoughts on LCP eBook DRM

@edent drm ebook ereader · 1,650 words · Viewed ~1,356 times.

There's a new(ish) DRM scheme in town! LCP is Readium's "Licensed Content Protection".

At the risk of sounding like an utter corporate stooge, I think it is a relatively inoffensive and technically interesting DRM scheme. Primarily because, once you've downloaded your DRM-infected book, you don't need to rely on an online server to unlock it.

How does it work?

When you buy⁰ a book, your vendor sends you a .lcpl file. This is a plain JSON file which contains some licencing information and a link to download the ePub.

Here's a recent one of mine (truncated for legibility):

 JSON{

    "issued": "2025-03-04T12:34:56Z",

    "encryption": {

        "profile": "http://readium.org/lcp/profile-2.0",

        "content_key": {

            "algorithm": "http://www.w3.org/2001/04/xmlenc#aes256-cbc",

            "encrypted_value": "+v0+dDvngHcD...qTZgmdCHmgg=="

        },

        "user_key": {

            "algorithm": "http://www.w3.org/2001/04/xmlenc#sha256",

            "text_hint": "What is your username?",

            "key_check": "mAGgB...buDPQ=="

        }b

    },

    "links": [

        {

            "rel": "publication",

            "href": "https://example.com/96514dea-...-b26601238752",

            "type": "application/epub+zip",

            "title": "96514dea-...-b26601238752.epub",

            "length": 14364567,

            "hash": "be103c0e4d4de...fb3664ecb31be8"

        },

        {

            "rel": "status",

            "href": "https://example.com/api/v1/lcp/license/fdcddcc9-...-f73c9ddd9a9a/status",

            "type": "application/vnd.readium.license.status.v1.0+json"

        }

    ],

    "signature": {

        "certificate": "MIIDLTCC...0faaoCA==",

        "value": "ANQuF1FL.../KD3cMA5LE",

        "algorithm": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"

    }

}

Here's how the DRM works.

Your client downloads the ePub from the links section.
An ePub is just a zip file full of HTML files, the client unzips it.
- The metadata and cover image are not encrypted - so you can always see the title and cover. All the rest - HMTL, images, fonts, etc - are encrypted with AES 256 CBC.
The .lcpl file is placed in the META-INF directory and renamed license.lcpl.
A new ePub is created by re-zipping the files together.

When your client opens the encrypted ePub, it asks you for a password. If you don't know it, you get the hint given in the LCPL file. In this case, it is my username for the service where I bought the book.

The password is used by Readium's super-secret BLOB to decrypt the file. You can then read the book.

But here's the nifty thing, the encrypted file is readable by any certified app. I used the LCPL to download the book in two different readers. I unzipped both of them and they were bit-for-bit identical. I copied the book from one reader to another, and it was read fine. I built my own by downloading the ePub and manually inserting the licence file - and it was able to be opened by both readers.

Apps and Certification

In order for this to work, the app needs to be certified and to include a binary BLOB which does all the decryption. Readium have a list of readers which are available, and there are plenty for all platforms.

On Linux, I tried Thorium and FBReader. Both were absolutely fine. For my eInk Android, I used FBReader Premium (available for free if you don't have Google Play installed). Again, it was a decent reading experience.

I took the file created by Thorium on Linux, copied it to Android, set the Android offline, typed in my password, and the book opened.

Open Source and DRM

To be fair to Readium, they publish a lot of Open Source code and the specification seems well documented.

But the proprietary BLOB used for the decryption is neither libre -

Thorium Reader supports LCP-protected publications via an additional software component which is not available in this open-source codebase

Nor gratis -

Our pricing is structured into tiers based on a company’s revenue

What's the worst that could happen with this DRM?

Ultimately, our fear of DRM comes down to someone else being able to control how, when, and even if we can read our purchased books. Could that happen here?

I'm going to go with a cautious maybe.

Positives

Once downloaded, the ePub is under your control. Back it up on a disk, store it in the cloud, memorise the bytes. It is yours and can't be forcibly deleted. You can even share it with a friend! But you'd have to tell them the book's password which would make it trivially linkable to you if it ever got shared widely.

At the moment, any LCP book reading app will open it. Even if your licence is somehow revoked, apps don't need to go online. So there is no checking for revocation.

ePub is an open standard made up of zipped HTML, CSS, images, and fonts. An unencrypted ePub should be readable far into the future. LCP is a (paid for) ISO Standard which is maintained by a foundation which is primarily run by an EU non-profit. So, hopefully, the DRM scheme will also be similarly long-lived.

Because the underlying book is an ePub, it should have the same accessibility features as a normal ePub. No restrictions on font-sizes, text-to-speech, or anything similar.

Privacy. The BLOB only checks with the issuer of the book whether the licence is valid. That's useful for library books where you are allowed to borrow the text for a specific time. If you bought books from a dozen sources, there's no central server which tracks what you're reading across all services.

Downsides

Will the proprietary BLOB work in the future? If it never gets ported to Android 2027 or TempleOS, will your books be rendered unreadable on your chosen platform?

The LCPL file contains dates and signatures related to the licence. Perhaps the BLOB is instructed to check the licence after a certain period of time. Will your books refuse to open if the BLOB hasn't gone online for a few years?

If you forget your password, you can't open the book. Thankfully, the LCPL does contain a "hint" section and a link back to the retailer. However, it's up to you to securely store your books' passwords.

The book seller knows what device you're reading on. When you load the LCPL file into a reader, the app downloads the ePub and sends some data back to the server. The URl is in the status section of the LCPL file. After opening the file on a few apps, mine looked like:

 JSON{

    "id": "fdcddcc9-...-f73c9ddd9a9a",

    "status": "active",

    "updated": {

        "license": "2025-03-04T12:34:56Z",

        "status": "2025-03-09T20:20:20Z"

    },

    "message": "The license is in active state",

    "links": [

        {

            "rel": "license",

            "href": "https://example.com/lcp/license/fdcddcc9-...-f73c9ddd9a9a",

            "type": "application/vnd.readium.lcp.license.v1.0+json"

        }

    ],

    "events": [

        {

            "name": "Thorium",

            "timestamp": "2025-03-04T15:49:37Z",

            "type": "register",

            "id": "7d248cae-...-c109b887b7dd"

        },

        {

            "name": "FBReader@framework",

            "timestamp": "2025-03-08T22:36:26Z",

            "type": "register",

            "id": "46838356-...-73132673"

        },

        {

            "name": "FBReader Premium@Boyue Likebook-K78W",

            "timestamp": "2025-03-09T14:54:26Z",

            "type": "register",

            "id": "e351...3b0a"

        }

    ]

}

So the book seller knows the apps I use and, potentially, some information about the platform they're running on. They also know when I downloaded the book. They may also know if I've lent a book to a friend.

It is trivial to bypass this just by downloading the ePub manually and inserting the LCPL file as above.

DRM Removal

As I've shown before, you can use OCR to rip an eBook. Take a bunch of screenshots, extract the text, done. OK, you might lose some of the semantics and footnotes, but I'm sure a bit of AI can solve that. The names of embedded fonts can easily be read from the ePub. But that's not quite the same as removing the DRM and getting the original ePub.

When the DeDRM project published a way to remove LCP 1.0, they were quickly hit with legal attacks. The project removed the code - although it is trivial to find on 3rd party sites. Any LCP DRM removal tool you can find at the moment is only likely to work on Basic Encryption Profile 1.0.

There are now multiple different encryption profiles:

In 2024, the EDRLab Encryption Profile 1.0 was superseded by 10 new profiles, numbered “2.0” to “2.9”. Every LCP license provider chooses one randomly and can easily change the profile.

If I'm reading the source code correctly¹, the user's password is SHA-256 hashed and then prefixed with a secret from the LCP code. That is used as the decryption key for AES-256-CBC.

I'm sure there's some digital trickery and obfuscation in there but, at some point, the encrypted ePub is decrypted on the user's machine. Maybe it is as simple as grabbing the binary and forcing it to spit out keys. Maybe it takes some dedicated poking about in memory to grab the decrypted HTML. Given that the key is based on a known password, perhaps it can be brute-forced?

I'll bet someone out there has a clever idea. After all, as was written by the prophets:

trying to make digital files uncopyable is like trying to make water not wet²

*sigh* yeah, technically licencing. ↩︎
Not a given! I have no particular skill in this area. If you know more, please correct me. ↩︎
Is water wet? I dunno. Take it up with Bruce! ↩︎