On various web sites today [boingbong, slashdot] it has been reported that the AACS (the copy protection scheme used in Blu-ray and HD-DVD) “processing key” has been found and the scheme has been fully broken.
Whilst this is the next logical step after finding title keys the scheme is far from broken.
As I discussed in my previous AACS post, the media keys that are used to encrypt each disc (and is specific to a disc print) have been recovered with relative ease from the WinDVD software player. As I noted, this was not surprising as the key has to exist somewhere in software player memory to allow the AES decryption of the content to be viewed! No revelation there.
Now, if you read my earlier post and indeed this excellent series of postings by Ed Felten and Alex Halderman, the media key is encrypted multiple times for each subset-difference set in the binary tree of keys. A player that has not been revoked will be able to compute the processing key for the subset it belongs to and then use this processing key to decrypt one of the encryptions of the media key.
WinDVD’s processing key has been found. Again, this is expected as at some point it has to exist in main memory for the software to function, although according to the postings at doom9 WinDVD does try to obscure this information.
There is now a processing key out there that can decrypt the media keys for any of the existing HD-DVD titles. The people who designed AACS were well aware that this is an inevitable reality - that eventually a player’s keys will be compromised. This is why AACS used the subset-difference revocation scheme in the first place. AACS could now potentially compute new subset-differences to include in the MKB of future HD-DVD and Blu-ray discs. This will effectively render WinDVDs keys useless for these future titles. And so the cat-and-mouse game begins…
So to summarize whilst this is an impressive feat of reverse-engineering/debugging on a specific AACS implementation, it is no breakthrough in defeating AACS cryptographically. AACS was designed with this in mind and WinDVD can be revoked.
For more information see the AACS specifications.
Posted in Encryption |