Is it possible to further encrypt an EPUB document by password

[ApK]

Quote:

Originally Posted by bill_mchale

Granted the NSA might have figured something out, but then again, they may not have.

--
Bill

Why, what have you heard?

Bill?

Bill?

Hmm...I wonder where he went. It's like in the middle of posting he just disa

[TES]

Hmmm, some might say that Australia is an oppressive place to live...but I digress. Im trying to figure out a way of being able to purchase and downloand an ebook and then prevent someone else from reading that on my device or another device once downloaded. I wondered whethere I could encrypt te book with my own personal password that I input everytime I open (like you can with a PDF file)>>> Thanks guys

[speakingtohe]

Maybe put a password on your device?
Helen

[6charlong]

Quote:

Originally Posted by TES

Hi - I am wondering whether anyone might know whether it is possible to further encrypt EPUB documents by a numeric password code? That is, in addition to the encryption that is possible under Adobe, can you then add a second protective layer by specifying a unique 4 digit code that enables you to open up the document? Thanks for your help.

I think you have something here. I assume you want to put unencrypted personal or employment documents on a reader and don't want unauthorized access to it thus exposing some personal or employer data. You'd want something that prompted for the password.

Your user handle here on Mobileread doesn't say what device you have (or are considering) but if you have a Kindle, they have it out of the box. They have a global password that blocks all access to the Kindle at startup until the correct password is entered.

With a Kindle 3, from the Home screen, press the "Menu" button then using your 4-way controller select "Settings" and page through 2 screens to the heading Device Password and click "turn on". It will prompt you for the password and a reminder phrase. From then on it will require a password to start it up from shutdown or from sleep. You can turn the feature off by following the same process only it will now say "edit" "turn off".

On the Kindle Touch, starting from the Home screen select Menu then Settings then Device Options and finally Device Passcode.

I haven't checked on this (and I probably should) but I think it's possible to set a Kindle to require a password to allow anyone using it to buy books directly from Amazon with the Kindle. This setting is done online through your My Account page at Amazon.com.

[Andrew H.]

Quote:

Originally Posted by QuantumIguana

If an oppressive government hacks into your computer, they can probably decrypt your files. It would probably be more productive to keep them out of your computer in the first place, or to store your books off of the computer.

It's easier for them to just arrest you.

[TES]

Hi, I appreciate that I can password protect the actual device, however what I am sending is proprietary information which whilst being encrypted by DRM, wouldn't stop whomever I am giving it to from downloading to another device which could be read by a third party. Therefore, I was hoping to provide this indivudal with a password for the document. I know this wont stop that individual revealing the "code" to someone else, but just another layer in te jigsaw which would hopefully prevent them from disclosing.

[ApK]

Quote:

Originally Posted by TES

what I am sending is proprietary information which whilst being encrypted by DRM, wouldn't stop whomever I am giving it to from downloading to another device which could be read by a third party.

That precisely what most DRM systems are designed to do.

But odds are, both the DRM system, and whatever additional password you might implement, can be easily bypassed by anyone with the desire to do so.

By putting two on, you double the inconvenience to the legitimate user, while doing virtually nothing to improve the real security of the information, all in the name of increasing a false sense of security.

How can you provide REAL security for your information? Good question. Assuming you are not prepared to go the military route and provide the information only to security-cleared personnel in a secured environment, you could start by distributing the information only to people you trust, who have be properly informed (via NDA, threat of lawsuit, etc) of how to handle the information. Then any one technological method would be an adequate "honest persons lock."

Relying completely on technology for information security is like relying on the safety lever for firearm security. (That's a very bad thing, for those not familiar with firearms....)

ApK

[QuantumIguana]

A password on the file isn't secure. It would prevent casual snooping, but if anyone has access to the file, and really wants to see what is in it, a password isn't going to stop them.

The bad guys need not know that the device contains sensitive information. Don't put a label on the reader which says "Sensitive information, do not open!" You could simply not make it obvious what the file is. Don't name it "Top Secret Plans for World-Wide Domination", that draws attention. Instead, name it "Grandma's 101 Favorite Turnip Recipes".

Even if the bad guys know that there is sensitive information on the device, you can protect the data by keeping physical custody of the device. If you trust the person not to give away the password, why not trust them to take care of the data? If you don't trust them with the device the data is on, why trust them with the password?

Nothing would prevent e-reader manufacturers from allowing you to put password protection on files, but there really isn't much demand for it, and it would probably just cause them problems, with people calling customer support because they forgot their password.

I would like to have password protected folders, not to keep out determined hackers, but to keep out casual snoopers. I might want to let someone use my Kindle, but I may very well not want them to have access to every book in my collection.

[bill_mchale]

Ok, lets remember no crypto system is going to stop the person who legitimately receives the information from redistributing it.

That being said, DRM would not be a great method of securing your data since most DRM formats basically require device registration. In other words, if the device falls into the hands of someone else, they automatically can decrypt the file (at least until you deregister the device).

What you probably want to do is look into something like GPG. Its a public-key crypto system. It basically works because each user has two keys. The public key is used by anyone who wants to send the message to the owner of said key. The private key is then used by the owner to decrypt their message. (By using your own private key to encrypt a document, you can also sign using the system, but that is another level). Rather than using a password, an arbitrary length pass phrase is used by the user to decrypt the files. The keys are very hard to break, the pass phrase is only useful if you otherwise have access to the private key.

This BTW, is essentially the method that is using for transmitting financial information from your browser to online stores (without the pass-phrase, and a bit more transparently... and they might also use one time keys... but still the logic applies).

--
Bill

[6charlong]

Quote:

Originally Posted by TES

Hi, I appreciate that I can password protect the actual device, however what I am sending is proprietary information which whilst being encrypted by DRM, wouldn't stop whomever I am giving it to from downloading to another device which could be read by a third party. Therefore, I was hoping to provide this indivudal with a password for the document. I know this wont stop that individual revealing the "code" to someone else, but just another layer in te jigsaw which would hopefully prevent them from disclosing.

I don't know if this will help but about 20 years ago in the days of MSDOS, at about the time PGP raised the neck hairs in the Intelligence Community, there was a product that decrypted a file one block at a time, cleared memory, re-encrypted it and decrypted the next block. That might do what you want but I don't know of a currently available product that does this but someone else might.

There is no eBook reader than could render a file encrypted this way and I doubt it would work right with ePub format on a computer either.

[TES]

Thank you for your feedback and help. It's much appreciated!

[dwig]

Given that the epub file would have to be readable by some epub reader (app or device) it isn't practical to add any additional encryption to the epub file. If you did, you'd have to create your own reader app that could handle the unlocking.

The most practical approach would be to put the epub inside of some other "locked box" (ZIP archive, ...) that could be password locked.

[ApK]

Quote:

Originally Posted by dwig

Given that the epub file would have to be readable by some epub reader (app or device) it isn't practical to add any additional encryption to the epub file. If you did, you'd have to create your own reader app that could handle the unlocking.

The most practical approach would be to put the epub inside of some other "locked box" (ZIP archive, ...) that could be password locked.

Once the epub is removed from the zip, which it must be to use it, it's utterly unprotected and distributable. That sounds like just what he doesn't want.

[DuckieTigger]

The only sure way to ensure no distribution beyond your control is to not publish it in the first place and keep it locked up in a safe in your home.