AACS processing key found, but scheme not broken

February 14th, 2007 by jqr

Various web sites [Boing Boing, Slashdot] reported today that the “processing key” for AACS (the copy protection scheme used in Blu-ray and HD-DVD) has been found and that the scheme has been fully broken.

Whilst this is the next logical step after finding title keys, the scheme is far from broken.

As I discussed in my previous AACS post, the media keys that are used to encrypt each disc (and are specific to a disc print) have been recovered with relative ease from the WinDVD software player. As I noted, this was not surprising, as the key has to exist somewhere in software player memory to allow the AES decryption of the content to be viewed! No revelation there.

Now, as explained in my earlier post and in this excellent series of postings by Ed Felten and Alex Halderman, the media key is encrypted multiple times, once for each subset-difference set in the binary tree of keys. A player that has not been revoked will be able to compute the processing key for the subset it belongs to and then use this processing key to decrypt one of the encryptions of the media key.

WinDVD’s processing key has been found. Again, this is expected, as at some point it has to exist in main memory for the software to function, although according to the postings at doom9 WinDVD does try to obscure this information.

Implications

There is now a processing key out there that can decrypt the media keys for any of the existing HD-DVD titles. The people who designed AACS were well aware that this is an inevitable reality: eventually a player’s keys will be compromised. This is why AACS used the subset-difference revocation scheme in the first place. AACS could now potentially compute new subset-differences to include in the MKB (the media key block carried on each disc) of future HD-DVD and Blu-ray discs. This will effectively render WinDVD’s keys useless for these future titles. And so the cat-and-mouse game begins…
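The revocation step described above, as an added toy model in Python (not code from this post or from the AACS specification); it goes beyond the text by showing the label derivation of the general subset-difference scheme, which is why a revoked player cannot compute any processing key for a new MKB. Assumptions: an 8-player tree, SHA-256 and XOR standing in for the AES-based functions, hand-picked covers, and all names and key values constructed for the example.

```python
import hashlib

def g(label, tag):
    # One-way step; SHA-256 stands in for the AES-based function in the AACS spec.
    return hashlib.sha256(tag + label).digest()

def under(a, b):
    # Heap numbering (root 1, children 2n and 2n+1): is node b at or below node a?
    return bin(b).startswith(bin(a))

def walk(label, frm, to):
    # Turn LABEL(u, frm) into LABEL(u, to) by descending the tree from frm to to.
    for bit in bin(to)[len(bin(frm)):]:
        label = g(label, b"L" if bit == "0" else b"R")
    return label

def subset_key(master, u, v):
    # Licensing-authority view: processing key for S(u, v) = leaves under u, not under v.
    return g(walk(g(master, str(u).encode()), u, v), b"K")[:16]

def device_labels(master, leaf):
    # Per ancestor u, a player stores only labels of siblings hanging off its own path.
    path = [leaf >> i for i in range(leaf.bit_length())]  # leaf, parent, ..., root
    return {(u, w ^ 1): walk(g(master, str(u).encode()), u, w ^ 1)
            for u in path[1:] for w in path if w > u}

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # toy cipher standing in for AES

def make_mkb(master, media_key, cover):
    # One encryption of the media key per subset-difference in the cover.
    return [(u, v, xor(media_key, subset_key(master, u, v))) for u, v in cover]

def read_mkb(labels, mkb):
    # Player view: find an entry whose excluded node v hangs below a stored label.
    for u, v, ct in mkb:
        for (su, w), label in labels.items():
            if su == u and under(w, v):
                return xor(ct, g(walk(label, w, v), b"K")[:16])
    return None  # no derivable processing key: this player is revoked

MASTER = b"constructed authority secret"                  # constructed sample values
OLD_KM, NEW_KM = b"old media key 16", b"new media key 16"
old_mkb = make_mkb(MASTER, OLD_KM, [(1, 15)])             # only spare leaf 15 excluded
new_mkb = make_mkb(MASTER, NEW_KM, [(2, 11), (3, 15)])    # leaf 11 revoked as well

def readers(mkb, km):
    return [d for d in range(8, 16) if read_mkb(device_labels(MASTER, d), mkb) == km]
print(readers(old_mkb, OLD_KM), readers(new_mkb, NEW_KM))
```

Player 11 plays the role of the compromised player: it reads the old MKB, but the new cover contains no subset whose label it can derive, and the old processing key matches no entry in the new MKB.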

So, to summarize: whilst this is an impressive feat of reverse-engineering/debugging on a specific AACS implementation, it is no breakthrough in defeating AACS cryptographically. AACS was designed with this in mind and WinDVD can be revoked.

For more information see the AACS specifications.


AACS’s subset-cover scheme explained

February 12th, 2007 by jqr

A look at the algorithm at the heart of AACS copy protection’s revocation scheme

A lot of technical and mainstream media attention has recently turned towards the ‘cracking’ of the AACS copy protection on next generation media distribution formats Blu-ray and HD-DVD.

In actual fact nothing has been cracked – all that has been recovered is the media key from the memory of WinDVD, which was then fed into a piece of software that implements the AACS standard and decrypts the disc. Nothing is surprising about this – the content obviously exists in a decrypted form at some point in the chain for it to be viewed, and the key that encrypts the disc itself (the media key) has to exist in plain-text for the decryption to occur as well. So content can always be recovered given enough reverse engineering.

What is more interesting is AACS’s counter-measures against this inevitable reality. In simplest terms, AACS contains the ability to prohibit individual players (that are known to be compromised and leaking copyrighted content) from playing any future pressed discs. In fact for a very interesting overview of the capabilities and game theory behind AACS I highly recommend this series of blog articles by Ed Felten and Alex Halderman.

The technology is sophisticated enough to be able to eliminate any subset of players the copyright owners desire, and borrows from algorithms initially developed to protect pay-TV content. This contrasts with the CSS copy protection on DVD, which can only revoke a particular model of player. I have seen some confusion about how this mechanism works. It does not involve new discs causing HD-DVD drives to modify some firmware and revoke themselves (although another part of the AACS specification employs this kind of idea). It is a purely cryptographic solution that no ‘firmware hacks’ can defeat. The rest of this post will concentrate on explaining how the revocation algorithm at the heart of AACS works: the subset-difference algorithm.
