An Introduction to EPUBs, OverDrive Media Console, and Adobe ADEPT

Many libraries are finally entering the technology age and have started offering the ability to lend digital media to patrons including eBooks for use on compatible devices. While there are many companies which offer the services and infrastructure for your local library to enable this service one of the largest is OverDrive, Inc. with its Content Reserve system. Content Reserve is built on Adobe Content Server, and in order to enforce content protection where applicable OverDrive implements the ADEPT digital rights management scheme.

In order to view the protected content the Content Reserve system requires the use of OverDrive Media Console on a compatible device. This software allows the user to download a reserved title and view it for a library-defined loan period before revoking access and requiring the user to reserve the book again. However, how does one view these titles on an incompatible device or utilize otherwise non-approved software? In order to answer this question let’s break down the problem into its individual components and see if there is a way to work around the limits of the content protections.

EPUB Format

The EPUB (short for Electronic PUBlication) format is a free and open eBook standard managed by the International Digital Publishing Forum. The current 2.0.1 version of the EPUB standard defines three specifications:

• Open Publication Structure (OPS)
• Open Packaging Format (OPF)
• Open Container Format (OCF)

Although this separation of the standard may be confusing just know that any EPUB file that you may find is likely packaged in the OCF format which in turns uses the OPS and OPF specifications to define its internal data structure. In reality the OCF format is simply a ZIP archive of the documents adhering to an internal structure as defined by the OPS and OPF standards. Therefore if you’re a curious individual you can take most EPUB files, process them with an UnZIP utility, and view contents on the files.

Of note to us regarding the OCF specification is the optional support of a digital rights management (DRM) layer. When the DRM layer is present on an EPUB a rights.xml file must exist in the internal file structure within the META-INF directory. Additionally the OCF specification allows for the encryption of its content, but when present, an encryption.xml file must exist in the internal file structure also within the META-INF directory.

OverDrive Media Console

OverDrive Media Console is a freeware program distributed by OverDrive Inc. which enables end users to view digital media distributed through the Content Reserve system. While it is available for many platforms only the versions available for Android, Blackberry, and iOS support the EPUB formats.

For reasons which will become clear later in this article the workflow for checking out an EPUB document from the Content Reserve system and viewing it in the OverDrive Media Console is as follows:

1. Create an Adobe ID.
2. Install Adobe Digital Editions and activate the software with your Adobe ID.
3. Install OverDrive Media Console and activate the software with your Adobe ID.
4. Browse content at your library’s website and check out the desired EPUB title.
5. Download the EPUB with the provided URL that initiates a connection to the OverDrive Media Console to begin the download process.
6. Download the title to the OverDrive Media Console.
7. Open the title.

While quite the lengthy process every step has a very specific purpose. The reason for the tight coupling between the OverDrive software and Adobe is due to the fact that media downloaded through the Content Reserve system is protected using the ADEPT DRM scheme.

Of note to us is the fact that the OverDrive Media Console actually downloads the EPUB document to the device for viewing in offline mode. Additionally, a user is not require to authenticate with their Adobe ID ever time they open a title in the OverDrive Media Console.

ADEPT

ADEPT (Adobe Digital Experience Protection Technology) is a digital rights management scheme developed by Adobe and OverDrive Inc. While there is not much information publicly available concerning the technical implementation the author of the I♥CABBAGES blog was able to successfully reverse engineer the functionality of the system in early 2009.

ADEPT relies on the DRM and encryption layers as defined by the EPUB OCF standard. Specifically the EPUB content is encrypted using the Advanced Encryption Standard (AES) cipher operating in Cipher-Block Chaining (CBC) mode with a per-book 128-bit cipher key and a randomized Initialization Vector (IV). The stated AES cipher key is included in the distributed archive after being encrypted with a per-user RSA encryption key utilizing PKCS #1 v1.5 padding.

When an end user requests fulfillment of a title it is the job of the Adobe Content Server to retrieve the user’s encryption credentials from the ADEPT server and generate the rights.xml file to be included with the EPUB title according to the specification.

As noted by the author of the I♥CABBAGES blog the ADEPT system outlines a very good encryption scheme for content protection. By including the RSA encrypted AES cipher key as a part of the EPUB distributable itself the rights management of the scheme and more appropriately the entirety of the content protection scheme is effectively compromised.

In our next article we will begin our analysis of the OverDrive Media Console software itself and attempt to identify any available methods for accessing the EPUB content and a process for stripping any relevant DRM from the content.

[Thanks to Armin Tamzarian]