WO2013079923A2 - A method of securing electronic information - Google Patents
- Publication number
- WO2013079923A2 (PCT/GB2012/052920)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- information
- electronic information
- data
- storage device
- encryption
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/101—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM] by binding digital rights to specific entities
- G06F21/1011—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM] by binding digital rights to specific entities to devices
- G06F21/1013—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM] by binding digital rights to specific entities to locations
Definitions
- This invention relates to a method of securing electronic information by encryption and a device for storing encrypted electronic information.
- Ebooks are offered to the public in a limited number of ways. Typically users buy a book such that they can download and keep the book to read as many times as they like in perpetuity. A second model that is becoming prevalent is the rental model, where a book is downloaded to an e-book reader and kept for a limited period of time before it is deleted from the reader device. There are two problems with these models. Firstly, users and publishers would like different ways in which to consume the book. Typically a user will read a book only once, and perhaps over a long period of time, such that these models do not match the mode of consumption. Secondly, the ebooks as currently distributed are easy to copy and redistribute at little or no cost. This makes them a common target for piracy and casual copying. Both of these issues lead to a loss of revenue for the original creators and distributors of the ebook.
- ebooks can be encrypted so that an appropriate key must be used to render the ebook comprehensible.
- the key is usually stored in some hidden location on the device or is held in a dedicated piece of hardware that must be accessed by the device. Once the key is applied to the ebook, the entire book is unencrypted presenting an opportunity for copying the book. When the ebook has been consumed, it typically remains on the ereader and can be re-read.
- a method of securing electronic information comprising encrypting electronic information with computing apparatus using an encryption key based on information data associated with a storage device, such as a device with a memory store.
- the encryption carried out is specific to each storage device concerned and decryption can only occur by knowing the information data. If electronic information encrypted in this way is copied to another device, access to the encrypted information is prevented as the key is only derivable from information associated with the original device. There is no way to precisely replicate this information on another device as it is unique to a specific storage device.
- the information data may comprise any data specific to a storage device, such as electronic addresses, geographic location identifiers, passwords, memory location identifiers such as inodes or inode numbers, variables associated with the specific state of one or more files, question responses of a user, user name and the like. Multiple pieces of information data may be used.
- the information data comprises a memory location identifier representing a position in an electronic memory of the storage device where purchased electronic information, such as music, audio-visual material, or written material such as an ebook, is to be stored.
- the memory location identifier may be an inode or inode number.
- the method may also comprise storing encrypted information on the storage device at a position associated with the location identifier.
- the storage device will be a customer device such as an ereader, PC, net book, laptop, smartphone or any other electronic storage means.
- Encrypting typically takes place on a computer server.
- information data unique to a customer device will be used by a computer server to encrypt the electronic information held by the merchant before downloading the encrypted electronic information to the customer.
- invention also lies in a method of securing electronic information comprising: communicating information data from a storage device to computing apparatus, such as that associated with a merchant or a plurality of merchants,
- the method further comprises decrypting the encrypted information at the storage device using the information data to provide the key for decryption.
- Encryption may be performed using a recursive encryption technique, where electronic information is encrypted in portions, such as portions corresponding to book chapters, with desirably each portion having a different encryption key.
- portions are converted into consecutive segments or sections where each segment contains one portion of content and an encrypted block.
- An encrypted block is decrypted to obtain the next portion plus a subsequent encrypted block.
- the encryption is carried out from an end portion and segment back towards a start portion and segment.
- decryption is performed on successive segments in turn, with a preceding decrypted data portion overwritten or deleted as the next portion is decrypted.
- This may be achieved by using a memory location state variable so that the successive segment is stored at, and so overwrites, the preceding segment by virtue of being allocated an identical memory state variable. In this way, a user using the storage device only ever has access to one data portion at a time and cannot return to a preceding data portion once the next data portion is accessed.
- each data portion contains some data that overlaps with the adjoining portion so that, for example, where a book is being read, a first data portion will be viewed as chapter 1 and chapter 2 and when a user decides to access the second data portion, the user will see chapters 2 and 3.
- the method also may further comprise modifying the electronic information into a plurality of portions containing overlapping information before encryption takes place.
- computing apparatus comprising an input device for receiving a location identifier, or data, from a storage device, such as a storage device associated with a customer, processing apparatus operatively coupled to the input device to receive a location identifier from the customer and to encrypt electronic information by generating a key based on the unique location information, and output apparatus operatively coupled to the processing apparatus for sending encrypted data to a storage device.
- the invention also lies in a computer-readable medium adapted to store computer-executable code to secure electronic information, wherein the computer-executable code comprises computer code for:
- the invention also lies in a storage device bearing secure electronic information encrypted using an encryption key generated from a location identifier providing information about where electronic information is stored.
- the secure electronic information may be encrypted by a recursive encryption technique.
- the device may further comprise computer-executable code to decrypt stored electronic information using a decryption key based on a location identifier providing information about where electronic information is stored.
- the code may further undertake sequential decryption of portions of electronic information, deleting a preceding portion before decrypting a successive portion.
- Figure 1 is a schematic diagram illustrating use of the present invention
- Figure 2 is a flow diagram of steps in connection with the invention
- Figure 3 is a flow diagram of steps associated with encrypting information for storage on a user device
- FIGS. 4(a), (b) and (c) are explanatory diagrams for illustrating the encryption technique in accordance with the invention.
- Diagrams illustrating use of the present invention are shown in Figures 1 and 2.
- a customer wishing to purchase electronic information, such as an ebook, from an online retailer communicates with the retailer's computer server 10 using an electronic device 11 such as a computer or an ebook reader 16 to select and purchase one or more ebooks, step 20.
- the online retailer confirms the transaction to the customer and communicates the purchase to an encryption server 12, step 22.
- Encryption server 12, if required, can be part of the retailer's server 10 or can be a server used by a plurality of retailers and includes an input device 13 for receiving signals from server 10 and a customer device 16 and which is operatively coupled to a processor 14 for performing encryption, with an output device 15 for downloading information to an external device.
- ebook reader 16 can be the same device and can be a dedicated device such as an ebook reader or devices such as smart phones, netbooks, laptops and PCs.
- Synchronisation takes place between ebook reader 16 and encryption server 12 using outline steps shown in Figure 3.
- 32, encryption server 12 and ebook reader 16 establish a connection, step 34, and reader 16 sends information data specific to reader 16 to the encryption server 12.
- This information data can be any appropriate device specific accessible information that uniquely identifies the device.
- the information data will include data conveyed as an inode or inode number so as to include reserved locations defining where downloaded ebooks can be stored on ereader 16.
- An inode is a data structure on a traditional Unix-style file system such as UFS which stores basic information about a regular file, directory, or other file system object.
- This basic information describing the file itself is known as "metadata" and includes such information as the size of the file, its physical location on a storage medium, the file's owner and group, access permissions, time stamps giving information on creation, modification and last access, and other information.
- the inode and its associated inode number uniquely identify the device because it is extremely unlikely that any two devices will be able to place the same ebook in exactly the same location (i.e. at the same inode number) on their storage media.
- information data is stored by structures equivalent to an inode, such as a stat data.
- the required information data from the device 16 can be conveyed in an object known as a library card during step 36.
- the library card will be installed on device 16 when the appropriate ereader software plugin is installed.
- server 12 encrypts the purchased ebook with encryption at least partly based on the information data carried by the library card, step 40.
- encryption can be conducted using an inode number.
- the library card is typically a software file and can include functions allowing it to reserve inode locations for ebooks and to support synchronisation of device 16 with server 12.
- the encryption process usually also selects an inode location from reserved locations defined by the library card so that each encrypted ebook can be stored at a different inode location on device 16. The selected locations are stored on the library card as part of the encryption process.
- encryption server 12 communicates with ereader 16 to return the library card with the now defined location(s) where the encrypted book or books are to be stored and also to return the encrypted book or books.
- Each encrypted book is stored on the device 16 at a position reserved by the library card, steps 42 and 44.
- the software required to decrypt the ebook is also downloaded from server 12 to ereader 16 as server 12 returns the library card and ebook.
- the encrypted ebook can only be accessed in sections, with one section deleted as the next section is decrypted and accessed.
- the recursive encryption process of the present invention facilitates the production of ebooks where as the ebook is consumed, portions of it that are no longer required are deleted from the ereader ensuring that the book can only be consumed once.
- Figure 4(a) shows a diagrammatic representation of an ebook 50 containing five chapters, A, B, C, D and E with the ebook stored on the retailer's folder containing one file for each chapter.
- the contents of the folder can be encrypted with any algorithm that transforms its contents using a key such that the same key can be used to reverse the transformation.
- the key could be an arbitrary number added to the letter codes (this is known as rotating the letters and is a common 'schoolboy' encryption technique). For example, we could choose the key 2 and it would rotate A to C, B to D etc.
- the key is supplied. It could be a random string, the number 2 as discussed above, or it could be something like c578c273cedba32e28b f97b9a4ba28a3flfa98f6165181c 751e6a805ed7de6f which is a special string made to uniquely 'summarise' arbitrary digital content using a hashing algorithm called SHA2.
- the device 16 can decrypt the entire book and get the book back into a state that a user can read by:
- recursive encryption is applied to an ebook using a key based on information data derived from device 16 on which the ebook will be stored.
- Recursive encryption takes a symmetric encryption process and applies it recursively to sections of the book for which deletion is required after reading.
- Rather than using a supplied key, the inventive encryption method generates the keys needed to encrypt and decrypt the sections dependent on the information data relating to the device.
- the encryption can be dependent on the location or the inode number on the device where the ebook will reside, explained in more detail below.
- any information specific to device 16 that can be conveyed to server 12 can be used for encryption as long as the decryption process on the device can also access the information to generate the correct decryption key.
- Examples of information that can be used for encryption/decryption are a user's name, random text string specific to a device, password, and/or user's response to one or more questions.
- the key can only be generated correctly if all the pieces of information are correct on the device at the time of decryption.
- Any encryption function can be used, including but not limited to Blowfish.
- Blowfish is a keyed, symmetric block cipher, designed in 1993 by Bruce Schneier and included in a large number of cipher suites and encryption products. Blowfish provides a good encryption rate in software and no effective cryptanalysis of it has been found to date. In the recursive encryption process of the present invention, the encryption key is not supplied or stored anywhere.
- SHA2 is a family of two similar hash functions, with different block sizes, known as SHA-256 and SHA-512. They differ in the word size; SHA-256 uses 32-byte (256 bits) words where SHA-512 uses 64-byte (512 bits) words. There are also truncated versions of each standardized, known as SHA-224 and SHA-384. These were also designed by the NSA.
- the encryption server by way of a functional subsystem known as a bundler, applies encryption to the ebook before it is downloaded by the user.
- an ebook 50 of Figure 4(a) containing 5 chapters A, B, C, D, E with unencrypted content is reconfigured into overlapping sections.
- Each section contains some information common to the preceding section, typically by including two chapters in each section, see Figure 4(b) where, for example section 1 contains chapter A and B, and section 2 contains chapters B and C.
- This preparation step typically takes place by analysing the ebook and breaking it down into the portions desired, typically using an automated process on the encryption server.
- the sections will be consumed one after the other by a reader and the overlapping content ensures continuity as a reader consumes the book.
- the encryption is generated from towards the end of the book.
- the last section in the book is section 5 (not shown). This is an empty folder, although an ebook author could choose to leave something in it if they wanted to, for example written material they didn't mind being kept in perpetuity.
- sections 1 to 5 as generalised sections 1 to N where N is any whole integer, the last section can be represented as:
- section 4 containing information DE
- this section can be represented in general as: alphabet book (sectionN- 1)
- a functional subsystem on server 12 otherwise known as a bundler, needs to generate a key which is done dependent on a set of state variables such as specified by the library card and will be described in more depth below.
- the bundler (and a decrypter used for decrypting the ebook on reading by a user and described below) generates its keys using the state of information carried in the ebook folder:
- the bundler adds information from the library card to the ebook folder, discussed in more detail below.
- the bundler process starts its work with the last but one section of the book, sectionN-1, and the last section, sectionN, so that a key k_N is generated dependent on the N-1 portion content, and information data specific to device 16 such as location information denoted by inode number and/or other informational data relating to the device 16 and carried by the library card:
- the bundler uses this key to encrypt the last section:
- blockN = ENCRYPT(sectionN, k_N), where blockN is a block that needs to be decrypted to access and read the data in the successive portion. The bundler then places blockN in sectionN-1 so that the block will need to be decrypted to access the last section.
- sectionN-1 in this case section 4, can be considered as:
- When a user reads the encrypted book, blockN will need to be decrypted to obtain the next section.
- the last section, sectionN, will not require an encrypted block because there are no more data portions after it. However it will usually be encrypted with k_N to prevent access until sectionN-1 has been read and then overwritten.
- the bundler continues with the recursion for sectionN-2 by adding the encrypted section just created to the unencrypted sectionN-2.
- the combined file is then further encrypted using a second key k_{N-1} generated with a second set of state variables.
- the first key and second key are different.
- k_{N-1} = GENERATE KEY(sectionN-2), and so creates another blocking section at the end of sectionN-2 which can only be unlocked by use of the key k_{N-1}, with the blocking section represented as:
- blockN-1 = ENCRYPT(sectionN-1, k_{N-1})
- the first section, section 0, is not encrypted although if desired, the ebook could be further encrypted by conventional DRM (or other) means. To pass beyond this first section, decryption of block 1 will be required.
- each section positioned between the initial section and the end section, section N has been encrypted using a key dependent on but modified over the key for the preceding section.
- Each key used differs from the other keys.
- the encrypted ebook is then passed to ereader 16 and is typically stored at a set location or inode defined by the library card.
- a functional subsystem for reversing the encryption known as a decrypter, is downloaded from server 12 to the customer device 16.
- the folder now stored on device 16 is uncompressed by the decrypter using UNPACK(ebook_file, location) and the decrypter decrypts it so that it can be read.
- the decrypter is a functional subsystem that takes a recursively encrypted ebook section and replaces it with the next section.
- the GENERATE KEY functional part of the invention writes additional information to the section which is required to generate the correct key, as discussed above.
- This information is unique to device 16 and can include the location (i.e. inode number) of the ebook on the user's device as obtained from the library card and which is unique to the user's device.
- a user cannot copy sections to another device and decrypt them as the key information and device data would no longer match, making it impossible to generate an appropriate decryption key for the copy.
- a library card comprising information data is sent to the bundler at the start of the encryption process so that the information data can be used in the GENERATE KEY function to encrypt the sections appropriately.
- the GENERATE KEY function can use one or more items of information carried by the library card to complicate the encryption.
- the information will typically be personal data about the user or the device.
- location information carried by the library card such as the inode number, is particularly important information because it ensures that copies of the section cannot support the decryption of the next section because it is impossible to replicate the locational information on another device and so another device cannot generate the correct key.
- the decrypter uses a similar key generation algorithm to the one used by the bundler.
- the decrypter has access to the library card with the information that was used in the encryption. This provides the functional part required to run the decryption, and which must necessarily undo the encryption.
- the decrypter looks at the first section 58:
- Generation of the key can be achieved by modifying the information carried by the library card, for example the material at the inode location, by addition or removal of content.
- each subsequent section is decrypted using a key generated from the preceding section, and/or the location information, and/or device data and/or state of file.
- the key k_1 is generated and used to decrypt block 1 and supply the second section but in doing so overwrites the first section, section0, by ensuring that the next section is stored at the same location or inode number as the previous section.
- this is done by using a memory location state variable, such as an inode or inode number, to ensure that the new recently generated version of the file with decrypted and encrypted elements overwrites the pre-existing version of the file.
- alphabet_ebook file = DECRYPT(block1, k_1)
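The recursive encryption and sequential decryption described above, sketched as an added example; it is not code from the patent or its applicants. It assumes a length-prefixed segment layout, SHA-256 as the GENERATE KEY function, and a SHA-256 keystream with an HMAC tag standing in for the block cipher; the inode number, user name and all function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import struct

def generate_key(plain: bytes, device_data: dict) -> bytes:
    """GENERATE KEY stand-in: hash the preceding section's readable content
    together with the device data carried by the library card."""
    card = json.dumps(device_data, sort_keys=True).encode()
    return hashlib.sha256(card + b"|" + plain).digest()

def _keystream(key: bytes, n: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(b"enc" + key + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:n])

def _tag(key: bytes, ct: bytes) -> bytes:
    return hmac.new(hashlib.sha256(b"mac" + key).digest(), ct, hashlib.sha256).digest()

def encrypt(data: bytes, key: bytes) -> bytes:
    # Stand-in symmetric cipher (not Blowfish). Each key encrypts one block only.
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return _tag(key, ct) + ct

def decrypt(blob: bytes, key: bytes) -> bytes:
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, _tag(key, ct)):
        raise ValueError("generated key does not match this block")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

def pack(content: bytes, block: bytes = b"") -> bytes:
    """A segment: length-prefixed readable content, then the encrypted block."""
    return struct.pack(">I", len(content)) + content + block

def unpack(segment: bytes):
    (n,) = struct.unpack(">I", segment[:4])
    return segment[4:4 + n], segment[4 + n:]

def make_sections(chapters):
    """Overlapping sections A+B, B+C, ... followed by an empty last section."""
    return [a + b for a, b in zip(chapters, chapters[1:])] + [b""]

def bundle(sections, device_data) -> bytes:
    """Bundler: encrypt from the last section back towards the first."""
    segment = pack(sections[-1])                 # last section has no block
    for i in range(len(sections) - 1, 0, -1):
        key = generate_key(sections[i - 1], device_data)   # k_i from section i-1
        segment = pack(sections[i - 1], encrypt(segment, key))
    return segment                               # first section stays readable

class Reader:
    """Decrypter: holds one segment at a fixed location and overwrites it."""
    def __init__(self, segment: bytes, device_data: dict):
        self.segment = segment          # stands for the file at the reserved inode
        self.device_data = device_data  # what this device reports about itself

    def content(self) -> bytes:
        return unpack(self.segment)[0]

    def advance(self) -> bool:
        content, block = unpack(self.segment)
        if not block:
            return False                # last section reached
        key = generate_key(content, self.device_data)
        self.segment = decrypt(block, key)   # previous section is gone
        return True

def read_all(reader: Reader):
    seen = [reader.content()]
    while reader.advance():
        seen.append(reader.content())
    return seen

if __name__ == "__main__":
    card = {"inode": 131842, "user": "constructed-user"}   # constructed values
    first = bundle(make_sections([b"A", b"B", b"C", b"D", b"E"]), card)
    print(read_all(Reader(first, card)))
    try:
        Reader(first, dict(card, inode=77)).advance()      # same bytes, other inode
    except ValueError as err:
        print("copy on another device:", err)
```

In this sketch every key is recomputable from the readable section and the card values, so the device binding rests on those values differing between devices, as the description states, rather than on any stored secret.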
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB1408847.0A GB2510764A (en) | 2011-12-01 | 2012-11-27 | A method of securing electronic information |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GBGB1120700.8A GB201120700D0 (en) | 2011-12-01 | 2011-12-01 | A method of securing electronic information |
GB1120700.8 | 2011-12-01 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2013079923A2 (en) | 2013-06-06 |
WO2013079923A3 (en) | 2013-11-07 |
Family
ID=45509022
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/GB2012/052920 WO2013079923A2 (en) | 2011-12-01 | 2012-11-27 | A method of securing electronic information |
Country Status (2)
Country | Link |
---|---|
GB (2) | GB201120700D0 (en) |
WO (1) | WO2013079923A2 (en) |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7017189B1 (en) * | 2000-06-27 | 2006-03-21 | Microsoft Corporation | System and method for activating a rendering device in a multi-level rights-management architecture |
DE10345454A1 (en) * | 2003-09-30 | 2005-04-28 | Infineon Technologies Ag | Private key generator for access to storage device e.g. chip card, has page pre-key calculating device and determines private key based on pre-key and word address |
WO2005121972A1 (en) * | 2004-06-14 | 2005-12-22 | Research In Motion Limited | Method and system for securing data utilizing redundant secure key storage |
WO2007058292A1 (en) * | 2005-11-18 | 2007-05-24 | Matsushita Electric Industrial Co., Ltd. | Recording/reproducing device, communication device, program, system lsi |
-
2011
- 2011-12-01 GB GBGB1120700.8A patent/GB201120700D0/en not_active Ceased
-
2012
- 2012-11-27 GB GB1408847.0A patent/GB2510764A/en not_active Withdrawn
- 2012-11-27 WO PCT/GB2012/052920 patent/WO2013079923A2/en active Application Filing
Non-Patent Citations (1)
Title |
---|
None |
Also Published As
Publication number | Publication date |
---|---|
GB2510764A (en) | 2014-08-13 |
WO2013079923A3 (en) | 2013-11-07 |
GB201408847D0 (en) | 2014-07-02 |
GB201120700D0 (en) | 2012-01-11 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 12808442 Country of ref document: EP Kind code of ref document: A2 |
|
ENP | Entry into the national phase |
Ref document number: 1408847 Country of ref document: GB Kind code of ref document: A Free format text: PCT FILING DATE = 20121127 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 1408847.0 Country of ref document: GB |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 12808442 Country of ref document: EP Kind code of ref document: A2 |