LCP Encryption Profiles

Readium LCP is an ISO standard and its reference is ISO_IEC_DIS_23078-2. The LCP specification is also freely available on the Readium project website.

It is split into two parts:
– Readium Licensed Content Protection: the structure of a JSON formatted LCP license.
– Readium License Status Document: a JSON formatted structure indicating the status of a license and the HTTP protocol used for retrieving status information from a server, as well as renewing and returning a license.

The LCP specification is an open standard but contains an extension point called Encryption Profiles. An encryption profile is a set of encryption algorithms used for encrypting content, signing licenses and encoding user passphrases.

The LCP specification defines a test Encryption Profile named “Basic Encryption Profile 1.0“. The Basic Encryption Profile is for testing only, as it does not provide the level of obfuscation required by a reliable protection mechanism. When integrators test the open-source LCP Server codebase and the LCP client libraries offered to prospects, this is the profile in use.

To secure the LCP ecosystem, EDRLab has created other Encryption Profiles for production. The original profile was created in 2017 and is named “EDRLab Encryption Profile 1.0”. This profile was breached in 2022 (after 5 years), and we had to request DMCA takedowns from several open-source platforms. Copies of the hack reappear occasionally; we ask for their removal as soon as we find them (a common whack-a-mole situation).

In 2024, the EDRLab Encryption Profile 1.0 was superseded by 10 new profiles, numbered “2.0” to “2.9”. Every LCP license provider chooses one randomly and can easily change the profile.

From mid-2024, every LCP client and server library delivered by EDRLab to integration has supported all profiles, including the basic profile used for test licenses. Integrators of the LCP technology are requested to update their software in the year following the release of new profiles and move to the latest profiles as soon as LCP-compliant reading apps in their sector have been updated.