AACS processing key found, but scheme not broken
February 14th, 2007 by jqr

On various web sites today [Boing Boing, Slashdot] it has been reported that the AACS “processing key” has been found and that the scheme (AACS being the copy protection used on Blu-ray and HD-DVD discs) has been fully broken.
Whilst this is the next logical step after the earlier recovery of title keys, the scheme is far from broken.
As I discussed in my previous AACS post, the media keys used to encrypt each disc (a media key is specific to a particular pressing of a disc) were recovered with relative ease from the WinDVD software player. As I noted then, this was not surprising: the key has to exist somewhere in the software player's memory so that the AES-encrypted content can be decrypted and viewed. No revelation there.
Now, if you read my earlier post, and indeed the excellent series of postings by Ed Felten and Alex Halderman on the subject, you will know that the media key is not stored on the disc in the clear. It is encrypted multiple times, once under the processing key of each subset-difference set in the cover chosen from the binary tree of device keys. A player that has not been revoked belongs to one of those subsets, can compute the processing key for that subset from the device keys it holds, and then uses that processing key to decrypt the corresponding encryption of the media key.
WinDVD's processing key has now been found. Again, this is expected: at some point the key has to exist in main memory for the software to function, although according to the postings at doom9 WinDVD does try to obscure it.
Implications
There is now a processing key out there that can decrypt the media keys of any of the existing HD-DVD titles. The people who designed AACS were well aware that this was inevitable: eventually some player's keys will be compromised. This is precisely why AACS uses the subset-difference revocation scheme in the first place. The AACS licensing authority can now compute a new set of subset-differences, one whose cover excludes WinDVD's position in the key tree, and include that in the MKB of future HD-DVD and Blu-ray discs. This effectively renders WinDVD's keys useless for those future titles. And so the cat-and-mouse game begins…
So, to summarize: whilst this is an impressive feat of reverse-engineering and debugging against a specific AACS implementation, it is no breakthrough in defeating AACS cryptographically. AACS was designed with this in mind, and WinDVD can be revoked.
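To make the mechanism above concrete, here is a toy implementation of the subset-difference (NNL) scheme, added as an example for this page; it is not the post's code and not the AACS reference implementation. It uses a 16-leaf device tree, HMAC-SHA256 in place of the NNL length-tripling pseudorandom generator, an XOR pad in place of AES-128 for wrapping the media key, and a single shared key for the "nobody revoked yet" case (a simplification; the real MKB format differs). All labels, device positions (WinDVD is assumed to sit at leaf 21, another player at leaf 25) and media keys are constructed. The cover-finding step is the algorithm from the Naor-Naor-Lotspiech paper. The example shows the licensing authority computing the cover for a revocation set, a non-revoked player deriving its processing key and decrypting the media key, a leaked processing key alone unlocking every disc carrying that MKB, and the revoked player getting nothing from the next MKB.

```python
import hashlib
import hmac
import os

DEPTH = 4      # 2**DEPTH = 16 device leaves (toy size; real AACS trees are vastly larger)
N = 1 << DEPTH
ROOT = 1       # heap numbering: children of node i are 2i and 2i+1; device leaves are N..2N-1
LABELS = {i: os.urandom(32) for i in range(1, 2 * N)}   # licensor's per-node secrets (constructed)

def depth(node):
    return node.bit_length() - 1

def lca(a, b):
    while a != b:
        a, b = (a >> 1 if depth(a) >= depth(b) else a), (b >> 1 if depth(b) >= depth(a) else b)
    return a

def prg(label, part):   # stand-in for the NNL length-tripling generator G_L/G_M/G_R (assumption)
    return hmac.new(label, part, hashlib.sha256).digest()

def walk(label, top, j):
    """Turn LABEL_{i,top} into LABEL_{i,j} by stepping left/right from top down to its descendant j."""
    for d in range(depth(top) + 1, depth(j) + 1):
        label = prg(label, b"L" if (j >> (depth(j) - d)) % 2 == 0 else b"R")
    return label

def wrap(key, data):   # toy media-key wrapping (XOR with an HMAC-derived pad); real AACS uses AES-128
    return bytes(x ^ y for x, y in zip(data, prg(key, b"WRAP")))

def processing_key(i, j):
    """Licensor side. K_{i,j} = G_M(LABEL_{i,j}); (ROOT, None) is the one key shared before any revocation."""
    if j is None:
        return prg(LABELS[ROOT], b"ALL")
    return prg(walk(LABELS[i], i, j), b"M")

def device_keys(u):
    """Keys burned into device u: for every ancestor i of u, LABEL_{i,s} for each sibling s
    hanging off the path from i down to u, plus the no-revocation key."""
    keys = {(ROOT, None): processing_key(ROOT, None)}
    for i_depth in range(depth(u)):
        i = u >> (depth(u) - i_depth)
        for d in range(i_depth + 1, depth(u) + 1):
            s = (u >> (depth(u) - d)) ^ 1
            keys[(i, s)] = walk(LABELS[i], i, s)
    return keys

def find_cover(revoked):
    """NNL subset-difference cover of every leaf not in `revoked` (the MKB's list of S_{i,j})."""
    leaves = sorted(revoked)
    if not leaves:
        return [(ROOT, None)]
    cover = []
    while len(leaves) > 1:
        # the pair with the deepest LCA has no other revoked leaf under that LCA
        a, b = max(((x, y) for x in leaves for y in leaves if x < y), key=lambda p: depth(lca(*p)))
        v = lca(a, b)
        vl, vk = a >> (depth(a) - depth(v) - 1), b >> (depth(b) - depth(v) - 1)  # v's children toward a, b
        if a != vl:
            cover.append((vl, a))
        if b != vk:
            cover.append((vk, b))
        leaves = [x for x in leaves if x not in (a, b)] + [v]
    if leaves[0] != ROOT:
        cover.append((ROOT, leaves[0]))
    return cover

def make_mkb(media_key, revoked):
    """Media Key Block: the media key wrapped once under the processing key of each subset in the cover."""
    return [(i, j, wrap(processing_key(i, j), media_key)) for i, j in find_cover(revoked)]

def derive_processing_key(keys, i, j):
    """Player side. K_{i,j} is computable iff the device holds LABEL_{i,s} for some s at or above j."""
    if j is None:
        return keys.get((ROOT, None))
    for (ki, s), lab in keys.items():
        if ki == i and s is not None and depth(j) >= depth(s) and j >> (depth(j) - depth(s)) == s:
            return prg(walk(lab, s, j), b"M")
    return None

def process_mkb(keys, mkb):
    """Returns the media key, or None when every subset in the MKB excludes this device."""
    for i, j, enc in mkb:
        k = derive_processing_key(keys, i, j)
        if k is not None:
            return wrap(k, enc)
    return None

def demo():
    """The post's story: WinDVD's key opens today's MKB; the next MKB's cover revokes it."""
    media_key, windvd, other = os.urandom(16), N + 5, N + 9   # constructed values
    old_mkb = make_mkb(media_key, revoked=set())
    i, j, enc = old_mkb[0]   # the leaked processing key alone unlocks any disc carrying this MKB
    new_mkb = make_mkb(os.urandom(16), revoked={windvd})
    return (process_mkb(device_keys(windvd), old_mkb) == media_key,
            wrap(processing_key(i, j), enc) == media_key,
            process_mkb(device_keys(windvd), new_mkb) is None,
            process_mkb(device_keys(other), new_mkb) is not None,
            [(i, j) for i, j, _ in new_mkb])
```

Running `demo()` returns `(True, True, True, True, [(1, 21)])`: before any revocation the whole tree is one subset, so the single leaked processing key decrypts every disc pressed with that MKB, which is the point of the post; once WinDVD (leaf 21) is revoked the cover becomes S_{1,21}, every other player still derives its key, and WinDVD derives nothing. The same `find_cover` handles arbitrary revocation sets, producing the t·log(N/t)-style covers the scheme is known for.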
For more information see the AACS specifications.
Posted in Encryption
February 21st, 2007 at 3:39
Just as a question:
What if the processing key is changed, the WinDVD player is revoked and somebody finds another not-so-well-implemented player (software or even hardware) where he can get the new processing key(s)?
Let's say he will just publish the processing keys and won't tell where he got them; is there any way that the compromised player can be found? Will there be an effective way of revoking an unknown player?
February 21st, 2007 at 8:57
This is more complicated. Depending on how the subset-differences exist (based on existing revocations), a single processing key could cover a single player or a huge subset-difference tree of players (potentially the whole tree at the very start of the scheme, before any players are revoked).
If you read the original research paper here, the subset-difference scheme designed by Naor, Naor and Lotspiech (as adapted by AACS) has a mechanism for traitor tracing, given the algorithm enough queries. If the adversary published keys on a website, for example, and these keys were sourced from his player, then the traitor tracing algorithm could, given enough published keys (log(N) for a single traitor, where N is the number of players in the entire scheme), determine the information needed to block his player. If he used t players to compromise the system, then he could only publish t.log(N/t) keys before being caught out.
So to summarize, yes, people leaking keys can be caught (have their players blocked) if they leak enough of them.
There is also another mechanism in AACS called “Sequence Keys”, which allows traitors to be identified by the “rips” they release (again, given enough of them).