Microsoft e-book DRM revisited

Alexander Turcic
05-28-2006, 02:48 PM
Some people like to spend their weekends dressed up as Laurel and Hardy while blasting each other with paintball guns. And then there are others (yours truly included) who can think of nothing better than to go rummaging through online patent filings for something interesting. So this is how I came to discover that Microsoft was awarded a couple of patents not so long ago related to the generation and distribution of DRM-protected e-books. Some of them, but not all:

"Server for an electronic distribution system and method of operating same" - granted 05/16/2006
"System and method for accessing protected content in a rights-management architecture" - granted 02/07/2006
"System and method for client interaction in a multi-level rights-management architecture" - granted 12/27/2005
"Inter-server communication using request with encrypted parameter" - granted 11/29/2005
"Method and system for binding enhanced software features to a persona" - granted 05/10/2005

I picked the latest one which was awarded just two weeks ago and which describes the invention of a particular server architecture to distribute DRM-protected content. It contains quite some revealing information that I now want to share with you.

DRM Levels

Microsoft currently has five different levels of DRM for e-books, which are (in order of increased protection):

DRM 1 - no protection

encryption: none
unsigned and unsealed (=clear-text)

DRM 2 - source sealed

encryption: contains a cryptographically sealed symmetric encryption key needed to decrypt the content
seal: cryptographic hash of the e-book's title's meta-data (tampering with the content or its accompanying meta-data invalidates the seal)

DRM 3 - individually sealed ("inscribed")

encryption: like DRM 2
seal: cryptographically binds meta-data - includes information related to the purchaser, e.g. owner's name, credit card number, receipt number, transaction ID, etc. - to the content of the title

DRM 4 - source signed

cryptographically signed to guarantee authenticity of the copy
authenticity is defined in three varieties:

"tool signed" (guarantees that the e-book title was generated by a trusted conversion and encryption tool)
"owner signed" (a "tool signed" e-book that also guarantees the authenticity of the content (e.g., the owner may be the author or other copyright holder))
"provider signed" (a "tool signed" e-book that attests the authenticity of its provider (e.g., the publisher or retailer of the content))

DRM 5 - fully individualized ("owner exclusive")

limits the use of content to a finite number of installations
encryption: content not only sealed, but also requires a decryption key that cannot be accessed in the absence of an "activation certificate" (a public key and an encrypted private key associated with the authenticatable device (e.g. through a unique identifier)) and a "secure repository" (e.g. a program that accesses the private key in an activation certificate and uses it to decrypt the encrypted private key -> in layman's terms: the device is being "activated")
titles can only be opened by authenticated reader applications that are "activated" (i.e., the device on which the reader resides must have an activation certificate and a secure repository) for a particular user

In general, with DRM 2-5, content in an e-book is encrypted by a symmetric "content" key, which itself has been encrypted and/or sealed. The key is sealed with a cryptographic hash of meta-data, or, in the case of DRM 5 titles, with the public key of the user's activation certificate. This key is then stored either as a separate stream in a sub-storage section of the e-book file ("DRM Storage") or, in the case of DRM 5 titles, in the license (the license is an XML construct based on the Extended Rights Markup Language (XrML) format, which also defines the rights that the user can exercise upon purchase of the title). Attached figure 8 is a flow diagram illustrating the process of activation.

Note that most publishers provide their commercial e-books in DRM 5, where the encrypted license requires you to activate your computer for Microsoft Reader before purchasing and reading these e-books. In general, publishers also prohibit you from copying and pasting text from owner exclusive e-books into other applications, and also from using the Text-to-Speech functionality of Microsoft Reader. Well, according to totally baseless and unfounded rumors (crickets chirp) there are ways to circumvent these restrictions as well...

Server architecture

The server architecture of a typical Microsoft e-book distribution system includes

the activation site: it provides - upon valid authenticating credentials (e.g. username and password, Microsoft Password ID) - the "secure repository" and "activation certificate" required to access DRM 5 content; i.e., it "activates" a device
the distribution site: consists of retail and fulfillment servers which can be controlled by different operators, e.g., a retailer can sell content without the need to store or distribute the content

The patent filing goes on to describe how retail and fulfillment sites communicate with each other through cryptographically secure channels, how content is prepared (encryption and sealing) and then (temporarily) offered for download. Attached figure 4 is a block diagram of the server architecture.

DRM Target Groups

Microsoft targets three user groups with its DRM system:

traditional publisher: concerned about losing revenue from their printed book publishing operation to e-book piracy
"leading edge" publisher: not necessarily concerned with isolated incidents of piracy, appreciates that e-book commerce will be most successful in a system where consumers develop habits of purchase
"hungry" author: interested in attribution (e.g., that the author's name be permanently bound to the work)

Some debatable statements

"There is need for an improved digital rights management system that allows of delivery of electronic works to purchasers in a manner that protects ownership rights, while also being flexible and ease of use."

The digital rights management system described claims to "protect the intellectual property rights of content owners and allow for authors or other content owners to be compensated for their creative efforts, while ensuring that purchasers are not over-burdened by the protection mechanism."

"The success of the electronic book industry will undoubtedly require providing the existing book-buying public with an appealing, secure, and familiar experience to acquire all sorts of textual material. This material may include "free" or low-cost material requiring little copy protection, to "premium-quality" electronic book titles (herein "eBooks") requiring comprehensive rights protection."

"The present invention makes purchasing an eBook more desirable than "stealing" (e.g., making an unauthorized copy of) an eBook. The non-intrusive DRM system minimizes privacy risk, while increasing the likelihood that any piracy will be offset by increased sales/distribution of books in the form of eBooks."

05-28-2006, 06:29 PM
Is it just me or does this sound an awful lot like public key encryption?
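
The metadata seal that the first post describes for DRM 2 and DRM 3 titles, as an added example that is not part of the thread or of Microsoft's code: a symmetric content key is wrapped under a key derived from a hash of the title's meta-data, so changing the meta-data invalidates the seal. The primitives (SHA-256, an HMAC-based one-block keystream), the field names and the sample values are assumptions chosen to keep it standard-library only; the DRM 5 public-key wrap is not modelled.

```python
# Conceptual model only: stdlib stand-ins, not Microsoft Reader's actual algorithms.
import hashlib, hmac, json, secrets

def seal_key(metadata: dict) -> bytes:
    """Derive the sealing key from a hash of the canonicalised title meta-data."""
    canonical = json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()

def _pad(key: bytes, nonce: bytes) -> bytes:
    # One 32-byte keystream block, enough to wrap a 32-byte content key.
    return hmac.new(key, b"wrap" + nonce, hashlib.sha256).digest()

def _tag(key: bytes, nonce: bytes, wrapped: bytes) -> bytes:
    return hmac.new(key, b"tag" + nonce + wrapped, hashlib.sha256).digest()

def seal(content_key: bytes, metadata: dict) -> dict:
    """Wrap the content key under the meta-data-derived key and tag the result."""
    if len(content_key) != 32:
        raise ValueError("this sketch wraps 32-byte content keys only")
    k, nonce = seal_key(metadata), secrets.token_bytes(16)
    wrapped = bytes(a ^ b for a, b in zip(content_key, _pad(k, nonce)))
    return {"nonce": nonce, "wrapped": wrapped, "tag": _tag(k, nonce, wrapped)}

def unseal(blob: dict, metadata: dict) -> bytes:
    """Recover the content key; fails if meta-data or the sealed key changed."""
    k = seal_key(metadata)
    if not hmac.compare_digest(_tag(k, blob["nonce"], blob["wrapped"]), blob["tag"]):
        raise ValueError("seal invalid: meta-data or sealed key was modified")
    return bytes(a ^ b for a, b in zip(blob["wrapped"], _pad(k, blob["nonce"])))

# Constructed sample meta-data (hypothetical field names and values).
SOURCE_SEALED = {"title": "Example Title", "author": "A. Author"}          # DRM 2
INSCRIBED = dict(SOURCE_SEALED, purchaser="J. Reader", receipt="R-0001")  # DRM 3

def seal_survives(blob: dict, metadata: dict) -> bool:
    try:
        unseal(blob, metadata)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    ck = secrets.token_bytes(32)
    blob = seal(ck, INSCRIBED)
    print("original meta-data:", seal_survives(blob, INSCRIBED))
    print("purchaser edited:  ", seal_survives(blob, dict(INSCRIBED, purchaser="X")))
    # The sealing key comes from data stored with the title, so the seal gives
    # binding and tamper-evidence; DRM 5 instead wraps the key to a device key pair.
```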