Register Guidelines E-Books Search Today's Posts Mark Forums Read

Go Back   MobileRead Forums > E-Book General > News

Notices

Reply
 
Thread Tools Search this Thread
Old 03-23-2010, 07:18 PM   #1
anurag
Addict
anurag has a spectacular aura aboutanurag has a spectacular aura aboutanurag has a spectacular aura aboutanurag has a spectacular aura aboutanurag has a spectacular aura aboutanurag has a spectacular aura aboutanurag has a spectacular aura aboutanurag has a spectacular aura aboutanurag has a spectacular aura aboutanurag has a spectacular aura aboutanurag has a spectacular aura about
 
Posts: 236
Karma: 4066
Join Date: Feb 2009
Location: California
Device: Kindle 1 and DX, iPhone
Topaz developer discusses DRM implementation and cracking

From http://beesbuzz.biz/blog/e/2010/01/0...evelopment.php

Quote:
As I've mentioned in the past, I worked on Kindle. I think I've specifically said I worked on the Topaz format. If not, well, that's what I did on Kindle — I designed the Topaz file format and rendering/layout library, and did a lot of the work and problem-solving on the actual conversion process.
One of the (minor but important) parts of the Topaz format is, of course, the DRM, which has so far eluded being compromised, which is funny because it's actually a pretty trivial "secret-sauce" algorithm which was implemented under some pretty ridiculous constraints (I had limited time to implement it, wasn't allowed to pull in any external libraries, and had to keep it performing quickly without using much memory on an already-constrained device), and somehow it's eluded being cracked for a bit over two years.

Until now.

Earlier today, someone (who I will of course keep nameless) asked me about a bit of Python code (which I will of course not link to) that he'd found which ostensibly would strip the DRM from a Topaz file as downloaded by the KindleForPC app. I looked at it, and yes, it looked like a plausible DRM stripper; presumably it was developed by someone who had run a disassembler on KindleForPC. It did require being run on the same PC as the Topaz file was provisioned for, however. But of course, this enterprising experimenter did not stop there: he analyzed the (again, pretty trivial) encryption algorithm and found a weakness in it (one which I will not name, but which I was aware of as a possibility even when I wrote it), and after not too much time, he'd written a C++ program which would very quickly brute-force the underlying encryption key and completely strip the file of all DRM.

He said that he wasn't interested in releasing it himself (he mostly did it as an intellectual challenge), and for obvious reasons I won't be releasing it either (or even describing the nature of the exploit), but yes, Topaz DRM has been completely compromised at least once, and it wouldn't surprise me if someone else has also figured out the flaw in the algorithm.

I just want to say ahead of time (before everyone emails, IMs, etc.) me that I am aware that it's broken (and this is for real, not the many previous iterations of Mobi DRM being cracked that had nothing to do with Topaz) and also state in my defense:

I am pretty anti-DRM myself. Not that I went out of my way to make the DRM on Topaz fragile per se, but I was under enormous management and time pressures (as I stated above) and only did a minimum-effort job as a short-term solution with the intention of revisiting it later. I'm actually pretty shocked that nobody at Amazon improved the DRM since I left (or even made any changes to the file format at all, as far as I can tell); they didn't even bother to wrap KindleForPC downloads in an extra layer of DRM like they did for Mobi books (which is what the previous "KINDLE DRM CRACKED!!!" announcement was about).

I was expecting it to be cracked within weeks or months of Kindle's release, but it took over two years. Not bad for something that can be brute-forced in a few milliseconds if you know the secret sauce (and considering the filesystem had been dumped within days and people could have run a disassembler on it, why was the sauce a secret this long? IT IS RUSSIAN DRESSING, PEOPLE).

The primary weakness in any DRM mechanism is one with key exchange. Even if I had used a stronger encryption algorithm (which would have prevented the brute-force no-key attack, or at least slowed it down significantly), there's still the issue of keeping the device key secure (which is basically impossible).

...
anurag is offline   Reply With Quote
Old 03-23-2010, 08:47 PM   #2
Lemurion
eReader
Lemurion ought to be getting tired of karma fortunes by now.Lemurion ought to be getting tired of karma fortunes by now.Lemurion ought to be getting tired of karma fortunes by now.Lemurion ought to be getting tired of karma fortunes by now.Lemurion ought to be getting tired of karma fortunes by now.Lemurion ought to be getting tired of karma fortunes by now.Lemurion ought to be getting tired of karma fortunes by now.Lemurion ought to be getting tired of karma fortunes by now.Lemurion ought to be getting tired of karma fortunes by now.Lemurion ought to be getting tired of karma fortunes by now.Lemurion ought to be getting tired of karma fortunes by now.
 
Lemurion's Avatar
 
Posts: 2,573
Karma: 4095302
Join Date: Aug 2007
Device: iPhone 3GS; Kindle 4 (Black); Nook HD+
Very interesting - especially the part about Topaz being largely an image format (which I think was in the comments).
Lemurion is offline   Reply With Quote
 
Enthusiast
Old 03-23-2010, 09:26 PM   #3
Sonist
Apeist
Sonist ought to be getting tired of karma fortunes by now.Sonist ought to be getting tired of karma fortunes by now.Sonist ought to be getting tired of karma fortunes by now.Sonist ought to be getting tired of karma fortunes by now.Sonist ought to be getting tired of karma fortunes by now.Sonist ought to be getting tired of karma fortunes by now.Sonist ought to be getting tired of karma fortunes by now.Sonist ought to be getting tired of karma fortunes by now.Sonist ought to be getting tired of karma fortunes by now.Sonist ought to be getting tired of karma fortunes by now.Sonist ought to be getting tired of karma fortunes by now.
 
Sonist's Avatar
 
Posts: 2,060
Karma: 366234
Join Date: Oct 2008
Location: The sunny part of California
Device: Kindle DXG/iPad/iPhone 3G S/Nexus S/
Very interesting.

Although, I am still not buying Topaz - too much hassle.
Sonist is offline   Reply With Quote
Old 03-23-2010, 09:44 PM   #4
Ravensknight
Serpent Rider
Ravensknight ought to be getting tired of karma fortunes by now.Ravensknight ought to be getting tired of karma fortunes by now.Ravensknight ought to be getting tired of karma fortunes by now.Ravensknight ought to be getting tired of karma fortunes by now.Ravensknight ought to be getting tired of karma fortunes by now.Ravensknight ought to be getting tired of karma fortunes by now.Ravensknight ought to be getting tired of karma fortunes by now.Ravensknight ought to be getting tired of karma fortunes by now.Ravensknight ought to be getting tired of karma fortunes by now.Ravensknight ought to be getting tired of karma fortunes by now.Ravensknight ought to be getting tired of karma fortunes by now.
 
Ravensknight's Avatar
 
Posts: 787
Karma: 5859972
Join Date: Jun 2009
Device: Sony 505, 350; Nook STR; Kindle T, NT4B; Nexus 7; Superpad 10in tablet
Yay for scripts and such!
Ravensknight is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
The Topaz DRM Creator has a Blog! daffy4u Amazon Kindle 2 01-30-2010 03:50 PM
Seriously thoughtful What reader has the best epub implementation Ralph Sir Edward Lounge 3 12-07-2009 03:59 AM
Bug in Adobe EPUB implementation Lord KiRon ePub 3 09-05-2009 09:06 AM
The Chronicle discusses the Kindle Steven Lyle Jordan News 27 05-12-2009 05:47 PM


All times are GMT -4. The time now is 09:40 AM.


MobileRead.com is a privately owned, operated and funded community.