Making and Breaking HDCP Handshakes

  • American Hero. (Score:5, Interesting)

    by Whiney Mac Fanboy (963289) * <whineymacfanboy@gmail.com> on Sunday April 16, 2006 @10:56AM (#15138002) Homepage Journal
    Ed Felten is a true American hero - he's:
    * Convinced the Music Industry watermarking is unworkable (saving us from poor quality files)

    * Testified against predatory monopolists as a witness for the US govt.

    * Exposed holes in Sony's "fix" for XCP malware CDs (that turned out to be almost as dangerous as the original rootkit)

    * Given us the memorable quote "Given a choice between dancing pigs and security, users will pick dancing pigs every time."
    (gleaned from wikipedia) [wikipedia.org]

    Also - anyone thinking the 40 'conspiring' devices makes it impractical to break HDCP/HDMI - think again. It just means 40 (or fewer) like-minded hackers have to get together - not particularly hard to imagine these days.
    • actually it means you need one hacker and his less than civic minded buddy with a pickup truck and a crowbar to steal a shipment of HDDVD players from Joe's Electronics Shack
    • More so, you need 40 HDCP devices that have been hacked appropriately.
    • Also - anyone thinking the 40 'conspiring' devices makes it impractical to break HDCP/HDMI - think again. It just means 40 (or fewer) like-minded hackers have to get together - not particularly hard to imagine these days.

      Furthermore, as Ed notes, once one key is found, we can generate keys on the fly (if I read that right. if not, we can still get quite a few keys before they can invalidate them all). At that point, an intelligent hacker can build a system to plug into anything with HDCP and determine the
  • by eclectro (227083) on Sunday April 16, 2006 @10:56AM (#15138003)

    But I don't have room for the forty big-screen TVs.
  • by weetjerm (637949) on Sunday April 16, 2006 @11:10AM (#15138049)
    His attack methodology is correct, but it will take more than 40 devices to break the system. The chances are very low that all 40 devices will be linearly independent, and therefore that each one offers non-duplicate information about the system. If you read the comments, he actually inadvertently ran into this problem with his small example of 4 keys.

    However, in writing this, I realize that I do not know how many keys you would need to present a good probability of solving the system of equations. Anyone want to run a simulation?

    • You're right, I get 80 devices to get a 50/50 chance.

      OTOH, since the addition rules are public, you can target your cracking to devices that have the types of keys you want.
    • by Maljin Jolt (746064) on Sunday April 16, 2006 @11:58AM (#15138229) Journal
      Anyone want to run a simulation?

      No funny simulation is needed, a math paper referred to by TFA contains the info you want: 50 KSVs have probability 0.999, by the properties of linear algebra over Z/2exp56Z.
    • I had exactly the same thought. I think this attack may fail. Or rather not be as immediately successful as imagined. Ironically, the fatal flaw is contained in the same algebra mistake made in the original post.

      In order to prevent this attack from being done easily, the central authority could deliberately hand out linearly dependent addition vectors to any company that applies. For example, suppose a company applies for 10,000 keys. The central authority gives them 10,000 keys and 10,000 addition vectors.
      • Ok, so help me out here. Doesn't that reduce the effective keyspace by an order of 2^16? Seems to me that would make a brute-force attack much more practical. (It doesn't matter if you set the first 16, last 16, or any arbitrary (but consistent) combination of bits to zero, it will still reduce the keyspace for all devices by the same amount.)

        Of course, I don't know much about the algorithm itself, but from the blog's example, it should be simple to test the validity of any arbitrary key with any device.
        • You have it partly right and partly wrong.
          First, HDCP does not require super security. It's not how the media is encoded it's just the transport from the player to the viewer that is being encoded. There's a whole nother more secure code for the media encryption. I think what they want to avoid is some gizmo you could put inline that would decode it. So if they can create a situation where there is no universal gizmo for every player/viewer combination or one that breaks every year when a new device
          • But one guesses that maybe the media will then come with something that recognizes that model number and refuses to play in high def. Not sure if they could get away with that as it would piss off some consumers.

            Not to mention the manufacturer, I can't imagine Sony being too happy when Fox puts a "cannot be played on Sony xxxxxx players" on its media, as consumers may buy another player instead. If this was to be attempted then we could see a wonderful end to the HDCP madness as Sony (or another player ma

          • I see what you mean, that makes more sense.

            So let's say, for the sake of argument, that the whole keyspace is tested; i.e., that for an arbitrary key that you create you have gathered the entire range of challenge responses from a particular device and stored each. Is an addition vector an NP problem that wouldn't give up the secrets of the key itself even if all the challenge responses were known?

            It would seem that it must be to serve the intended purpose. It's much more damaging to be able to spoof a pa
            • close but not quite.

              Here's how spoofing would fail. Suppose I tell a new device I'm a Sony xxxx and my addition key is 1,4,7, ... etc and it omits the last ten bits. Okay that half of the process works. But then the player replies, I'm a Panasonic yyyy and my addition key is 1,3,15,...39,40.

              Now you're screwed because your spoof device does not know what the keys for 39 and 40 are.

              Thus you can't work with the new device. You CAN work with any old device whose subspace of addition keys you have mapped,
              • Here's how spoofing would fail. Suppose I tell a new device I'm a Sony xxxx and my addition key is 1,4,7, ... etc and it omits the last ten bits. Okay that half of the process works. But then the player replies, I'm a Panasonic yyyy and my addition key is 1,3,15,...39,40.

                Now you're screwed because your spoof device does not know what the keys for 39 and 40 are.

                Thus you can't work with the new device. You CAN work with any old device whose subspace of addition keys you have mapped, but not any new de
                • to answer your question. If you only have a subspace of example keys (that is to say, you only have devices whose addition mask bits span say 30 bits not the full 40) then at best you can only solve for the 30 corresponding key values. So the spoof Sony XXXX can answer correctly when queried with any addition mask that is contained in the 30 key values it knows. The first time it gets a query outside that range it can't come up with the correct decode secret. Now a real Sony XXXX can create the right sec
      • by Omaze (952134)
        Someone will connect an oscilloscope to the wire(s) that connect(s) the devices and reverse engineer the communications signal. They will then construct a custom breadboard able to talk to any HDCP device while being able to impersonate a device with a programmable HDCP vector/rule. With a link (ethernet or serial) to any modern day PC they'll just brute force it.

        It won't be difficult.
        • Someone's already mentioned this scenario in the comments on the blog, it seems plausible in theory but there's also very little reason for the HDCP chips not to limit handshake attempts to (say) one per second - you're not going to get more attempts than that legitimately anyway. Since the keys are 56 bit numbers and you're adding them together you've got a fair amount of ground to cover - it's going to take a hell of a lot of time going through x1+x2=1; fail; x1+x2=2; fail; ... x1+x2=379654; pass; x1+x3=1
        • Someone will connect an oscilloscope to the wire(s) that connect(s) the devices and reverse engineer the communications signal.

          There is no need to do this -- the signal itself would have to be according to some kind of standard or else a brand X DVD player couldn't work with a brand Y television. Just look up the communications protocol.

          With a link (ethernet or serial) to any modern day PC they'll just brute force it.

          Riiiiight. The DVD's addition rule is [1]+[3] and the TV's is [6]+[17]. What's

          • If they can't get to it from the case connector they'll open the box and find a different set of wires on the circuit board to tap into. Yes, it'll take more research into the chips on the board but eventually a weak point will be found.

            It's been going on for centuries. Keep arguing. Unless you're willing to bet that HDCP will be the be-all and end-all of encryption methods and no other better method will ever be needed then you'd best just pack up and shut up now. If you are willing to bet on it then I
            • If they can't get to it from the case connector they'll open the box and find a different set of wires on the circuit board to tap into. Yes, it'll take more research into the chips on the board but eventually a weak point will be found.

              Well, duh. The point is to prevent a descrambling device in the middle that end users can use, such as the cable descramblers that are used today. If you could descramble at will, you can copy the HD content all you want. However, most end users won't take apart their

        • No this scheme won't work. Here's why.

          The keys are never transmitted, only the addition rules. So here's a hypothetical exchange

          device 1: my addition rule is 17+13
          device 2: my addition rule is 24+5
          device 1: okay I computed the secret= key[24]+key[5] (which I alone know)
          device 2: okay I computed the secret = key[17]+key[13] (which I alone know)

          at this point both secrets are the same but neither secret has appeared on any tapable wire.

          now dev1 says:
          dev1: your challenge is to encrypt this number: rand = 138
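The hypothetical exchange above, together with the simulation weetjerm asked for earlier in the thread (how many KSVs are needed before the system of equations can be solved), as an added example. This is not code from the original post, from Felten's article or from the HDCP specification: it models the licensing authority as a random symmetric 40x40 matrix over Z/2^56 (a textbook Blom-style key predistribution; the real authority's key generation is not described on the page and is assumed here), and the names `Authority`, `shared_secret`, `gf2_rank` and `spanning_probability` are mine. Two devices that never exchange a private key compute the same 56-bit secret from each other's public KSVs, so nothing secret appears on a tappable wire. The rank check then shows where the conspiracy threshold comes from: every KSV has exactly 20 ones, so mod 2 they all lie in a 39-dimensional subspace, 40 random KSVs reach that rank well short of every time, and around 50 make it near-certain, in line with the 0.999 figure quoted earlier in the thread.

```python
"""Toy model of the HDCP-style key agreement discussed in the thread.

Constructed example: a licensing authority holds a secret symmetric 40x40
matrix over Z/2^56; each device gets a public 40-bit KSV (20 ones) and a
private key vector equal to the matrix times its KSV.  Two devices agree
on a shared secret by adding their own private entries at the positions
where the peer's KSV has a 1, so the secret itself never crosses the wire.
"""
import random

N = 40          # length of a KSV and of a private key vector
ONES = 20       # a well-formed KSV has exactly 20 bits set
MOD = 1 << 56   # private-key entries and shared secrets live in Z/2^56
MAX_RANK = N - 1  # every KSV has even weight, so mod 2 they span at most 39 dims


def random_ksv(rng):
    """Constructed KSV: 40 bits with exactly 20 ones, in random order."""
    bits = [1] * ONES + [0] * (N - ONES)
    rng.shuffle(bits)
    return bits


class Authority:
    """Stand-in for the licensing authority (assumption: random symmetric matrix)."""

    def __init__(self, rng):
        self.secret = [[0] * N for _ in range(N)]
        for i in range(N):
            for j in range(i, N):
                self.secret[i][j] = self.secret[j][i] = rng.getrandbits(56)

    def issue(self, rng):
        """Return (ksv, private_key) with private_key = secret * ksv mod 2^56."""
        ksv = random_ksv(rng)
        priv = [sum(row[j] for j in range(N) if ksv[j]) % MOD for row in self.secret]
        return ksv, priv


def shared_secret(my_priv, their_ksv):
    """Add my private entries where the peer's KSV is 1.  Because the
    authority's matrix is symmetric, both sides arrive at the same number."""
    return sum(k for k, bit in zip(my_priv, their_ksv) if bit) % MOD


def gf2_rank(vectors):
    """Rank over GF(2) of a list of 0/1 vectors (Gaussian elimination on bitmasks)."""
    rows = [int("".join(map(str, v)), 2) for v in vectors]
    rank = 0
    for bit in reversed(range(N)):
        pivot = next((r for r in rows if (r >> bit) & 1), None)
        if pivot is None:
            continue
        rows.remove(pivot)
        rows = [r ^ pivot if (r >> bit) & 1 else r for r in rows]
        rank += 1
    return rank


def rank_of_random_ksvs(n_ksvs, seed=1):
    """GF(2) rank of n constructed random KSVs; never exceeds MAX_RANK."""
    rng = random.Random(seed)
    return gf2_rank([random_ksv(rng) for _ in range(n_ksvs)])


def spanning_probability(n_ksvs, trials, seed=1):
    """Monte Carlo estimate of P(n random KSVs reach the maximum rank of 39)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        if gf2_rank([random_ksv(rng) for _ in range(n_ksvs)]) == MAX_RANK:
            hits += 1
    return hits / trials


def handshake_demo(seed=7):
    """Issue two devices and return the secret each one computes on its own."""
    rng = random.Random(seed)
    authority = Authority(rng)
    ksv_a, priv_a = authority.issue(rng)
    ksv_b, priv_b = authority.issue(rng)
    secret_at_a = shared_secret(priv_a, ksv_b)   # A uses its own key and B's KSV
    secret_at_b = shared_secret(priv_b, ksv_a)   # B uses its own key and A's KSV
    return secret_at_a, secret_at_b


if __name__ == "__main__":
    a, b = handshake_demo()
    print(f"device A computes {a:#016x}, device B computes {b:#016x}, equal={a == b}")
    for n in (40, 45, 50):
        print(f"{n} KSVs reach rank {MAX_RANK} in about "
              f"{spanning_probability(n, trials=200):.1%} of trials")
```

The rank is computed mod 2 rather than mod 2^56 because an integer matrix is invertible mod 2^56 exactly when it is invertible mod 2, so the GF(2) rank is what decides whether a set of KSVs pins down a solution.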
      • But the addition vectors are all crammed into the first 14 or 15 bits of the 40 bit addition vector. (that is bits 16 to 40 are zero). This would assure that the addition vectors are linearly dependent and the code cannot be cracked.

        Didn't the article say that the vectors always have 20 1's and 20 zeros? Doesn't that limit the permutability of the vector?

        Also, if you were to hand out 10,000 keys like that to one manufacturer, wouldn't you only need 14 or 15 of those types of devices to conspire to bre
        • okay then 20 not 15. whatever. they just don't release the full basis to any vendor. then you can't universally reverse engineer it.

          and no. you are confusing devices with dimensionality. a 20 dimensional space spans many more than 10,000 devices.
  • by pla (258480)
    if any 40 devices conspire together, they can break the security of the system

    From TFA:

    it takes a conspiracy of about forty devices, with known private vectors, to break HDCP completely. But that is eminently doable, and it's only a matter of time before someone does it.

    Apparently Mr. Felten has a somewhat twisted idea of "eminently doable".


    The HDCP CA will certainly only give out keys to people who sign very very scary agreements not to engage in exactly the sort of activities described. While a fe

    • Most things are doable, though not necessarily in a lifetime. I am sure you could insert a sniffer device to monitor the data going through the cable. Also, apparently this technology will only prevent you access from the HD content. Maybe like aeroglass, the low quality content will be enough for many people.
      • Maybe like aeroglass, the low quality content will be enough for many people.
        But Aero Glass is the fully pretty one - you must mean plain Aero. Anyways, the whole purpose of buying HD media is for the HD. If it's then downscaled right back to just-slight-above DVD quality, I think people are going to be, pardon my French, pretty fucking pissed. Especially the early adopters who have the highest chance of getting screwed over.
        • by ultranova (717540) on Monday April 17, 2006 @07:30AM (#15141311)

          Anyways, the whole purpose of buying HD media is for the HD. If it's then downscaled right back to just-slight-above DVD quality, I think people are going to be, pardon my French, pretty fucking pissed. Especially the early adopters who have the highest chance of getting screwed over.

          Well, kicking down the front door of the central HDCP bureau and storming it with torches and pitchforks to get the master key is just another kind of brute force attack, no ?-)

    • The cipher is probably based on matrices (maybe even some sort of advanced Hill cipher?). With 40 known matrices, it's merely a matter of multiplying them with the cipher text (or however it's encoded), and the main key pops out. That's why exactly 40 are needed - it's mathematics.
    • by Anonymous Coward
      I find it exceedingly unlikely that 40 such companies will pay for a key vector, just to take the risk of getting sued out of existence.
      According to the article, keys are being sold in quantities of 10000, which makes it sound like each physical device has its own unique key. If this is the case, then one not-quite-tamper-proof production run of some player will yield more than enough keys for the attack to be practical.
      • more importantly this is an ultimate

        mv /bag/cat /somewhereElse/

        situation. once you have the 40 keys you can extract the keys from as many good players as you wish, further using those keys to extract more keys. and any 40 of the set of all extracted keys will work just fine.

        i am not an electrical engineer, but this seems to be the kind of thing once broken once that could be built into a single IC or for better features loaded onto a HDMI dongle with a USB port where you can upload any Keys.txt file if

    • by Anonymous Coward
      You don't need a license to obtain the secret keys. You can create your own thus making the approach extremely doable. Please read the article to see how this is done.
    • First, the HDCP CA gives a lot of keys to each company, I think. So you'd only need one crooked company.

      About your other idea: From the paper referenced in the article, it looks like the device sends a hash of the sum over the wire. So you'd have to invert a hash on each try (which may still be doable -- the input space isn't all that huge). But the attacker can cleverly choose a basis for the KSV space, thereby recovering the target's private key in exactly 40 tries. This attack would probably take a
      • Well, the hash is lossy (56 -> 16 bits, iirc), so you'd probably need ~4 attempts of the same challenge with 4 different seeds to recover the sum. Still very much in the realm of the doable.
        • I think you mean 2^(56-16) = a lot of attempts. Unless there's corresponding weakness in the hash.

          (I didn't realize it was a hash that short. But 16 bits sounds absurd -- the hash gives the shared secret and 16 bits is way too short.)
          • Mm. no. If the hash really is good, it'll yield ~16 new bits of information re the sum / hash. Hence the 4 different challenges, each allowing you to recover ~ 16 of the 56 bits.
    • by quentin_quayle (868719) <quentin_quayle AT yahoo DOT com> on Sunday April 16, 2006 @01:35PM (#15138676)
      Did the moderators Read The Fine Article before giving the parent points?

      Felten in talking about "a conspiracy of about forty devices" is not saying that (defectors at) forty device makers have to reveal secret keys. What he's saying is that you just need the 40 devices themselves, or rather (as the post above pointed out) enough to get 40 different key sets (and some math and programming ability). Then the crack is done by analysing the bit streams between the devices (between player and display, or whatever).

      The expense is the cost of all those tvs and players. Bribing the device makers is a *different* kind of attack which Felten rules out as impractical.
      • Did the moderators Read The Fine Article before giving the parent points?

        Did you? Or did we somehow read entirely different articles?


        Felten in talking about "a conspiracy of about forty devices" is not saying that (defectors at) forty device makers have to reveal secret keys.

        The linked article specifically says exactly that! The described attack requires knowing the key vector of each of the 40 devices used in the attack:

        There are two things to notice about this process. First, in order to do it,

  • Why Reveal this Now? (Score:3, Interesting)

    by PingXao (153057) on Sunday April 16, 2006 @11:18AM (#15138074)
    As a poster said at TFA, why did they reveal this attack so soon? It would have been much better to wait another few months until HDCP displays and video cards were shipping in larger numbers. That being said, who comes up with these lame cryptosystems anyway? First CSS, which was a joke, now this, and you know the Advanced CSS will have holes in it big enough to drive a truck through. The bad news is that some day they will start hiring people who know what they're doing with cryptosystems and then we're all screwed.
    • by Anonymous Coward on Sunday April 16, 2006 @11:50AM (#15138197)
      The bad news is that some day they will start hiring people who know what they're doing with cryptosystems and then we're all screwed.


      Rather unlikely. The whole concept of DRM is bankrupt as a cryptographic concept because you are handing over the ciphertext, the plaintext and last but not least the key over to your adversary (usually called "consumer" or "hacker"). Sure you can try to make it hard for him to actually get them but you already handed them over and it just remains a question of time until they are recovered.
      Meanwhile, a single break is a class break for at least all the content released up to the point of the break (even with "revokable" keys). Also, once someone has broken the system, the content is freed forever and can be distributed at leisure (darknet hypothesis), which means even some small quality loss may be acceptable to the attacker since that loss would only occur once.

      In short, DRM is a DReaM indeed.
      • Interesting point. Why make it as AC? I wouldn't have even seen it except I wanted to read the replies to my post.
      • because you are handing over the ciphertext, the plaintext and last but not least the key over to your adversary

        Does it really have to be this way? What if a central body developed a chip whose interface is known but whose internals are highly secret. Anyone making playback equipment just has to be able to accept one of these chips.

        The function of the chip is to take an encrypted content stream and give out an unencrypted content stream.

        Hmmm... even as I write this I can see that it's absolutely full of hol
        • Yep, I think you answered your own question. :)

          In the case of your "black box" decryption chip, all you're doing is burying the "secret" that you hope the consumer can't access into a chip. If someone figures out how to extract the key off of your secret-decoder chip, though, your security is shot. It's not really a "secure" system in the mathematical, theoretical sense that cryptographers like to talk about; really all you're doing is hoping that that your adversaries, combined, don't have the resources to
          • Nicely put.

            If the decoder module was renewed frequently (yearly, monthly, whatever) then the race becomes a bit harder. There are two challenges then:
            1. Brute force the private key. It would need to be done fairly quickly though (not much use really if it takes 5 months to get it when the module is renewed semesterly). Key strength could easily be increased to keep the discovery time sufficiently long, as the decryption is completely contained within the device.
            2. Find a way to trick the module to give up t
            • If the decoder module was renewed frequently (yearly, monthly, whatever) then the race becomes a bit harder.

              If you need to buy a new decoder module monthly to watch legally purchased (sorry, licensed) content, then guess if anyone will buy that content legally or download cracked content from BitTorrent ?

    • by Anonymous Coward

      As others have pointed out, the attack is not new. What HDCP does is *not* protect content (at least, not seriously)... it forces the makers of consumer electronics to sign legal agreements with Intel, and more critically with the MPAA... and these legal agreements dictate what features the manufacturers can add. If you want to sell players legally, you have to make them the way you are told... not the way the consumer wants.

      It's about control, not copy protection (can't fast forward through adverts etc e

    • It doesn't matter how strong the crypto is; the real purpose is to allow the content industry to sue the heck out of anyone (In the US) who tries to exercise fair use. The DMCA doesn't care whether the crypto is strong or weak...
  • 'Old' news (Score:5, Informative)

    by bas.westerbaan (917678) on Sunday April 16, 2006 @11:28AM (#15138098) Homepage
    HDCP has been broken, and has been proved to be weak in 2001 twice. See http://apache.dataloss.nl/~fred/www.nunce.org/hdcp/hdcp111901.htm [dataloss.nl]
  • by dpilot (134227) on Sunday April 16, 2006 @11:54AM (#15138213) Homepage Journal
    I was checking the Sunday advertising fliers this morning, and see that many of the new TVs are advertising HDMI as well as PC connections. Can someone please explain my limitations?

    1: Can I hook up my current VGA or DVI to one of these, and display the content I can currently display?

    2: Is the only limitation/constraint the new HD/BlueRay DVDs with "double-plus-good super-duper copy-protection, put there to protect me AND the children"?

    3: Related to both, assume I have MythTV running with an HD capture card. (I don't yet, but plan to, before they become illegal. What's the latest status?) Can I run my captured content out through one of these new displays?
    • 1: Can I hook up my current VGA or DVI to one of these, and display the content I can currently display?
      I can only help answer your first question. I bought a 32" LCD with multiple inputs including HDMI for my PCs. I have yet to find a graphics card that is HDMI compliant. Therefore, at this time I cannot use the 1920 x 1080i @ 60Hz that the display can handle. I am using the RGB-PC inputs. There may be a card, but I have not found it yet.
      • I can only help answer your first question. I bought a 32" LCD with multiple inputs including HDMI for my PCs. I have yet to find a graphics card that is HDMI compliant. Therefore, at this time I cannot use the 1920 x 1080i @ 60Hz that the display can handle. I am using the RGB-PC inputs. There may be a card, but I have not found it yet.

        Try a graphics card with a DVI out - you should generally be able to connect a DVI out to a HDMI in. However, you can only connect a HDMI output to a DVI input if
      • HDMI compliance is not required, you just need a DVI to HDMI cable. HDMI is just a rework of the DVI cable to allow for easier consumer connections and include audio.
        from http://www.ramelectronics.net/ [ramelectronics.net] "HDMI - Digital connection for Video and 8-channels of Digital Audio as well as device control features. Electronically better potential for supporting longer cable lengths than DVI for digital video.
        Specification supports up to 12 bit Y-Pr-Pb video (rarely implemented on equipment) as opposed to 8 bit limit of DVI RGB."
    • by nsayer (86181) <nsayer@k[ ]com ['fu.' in gap]> on Sunday April 16, 2006 @12:35PM (#15138425) Homepage
      1. There are HDMI to DVI cables. The only question mark is the type of DVI your card uses. There are 3 types, depending on which sets of signals the jack has: DVI-A, DVI-D and DVI-I. HDMI is all digital, but it's backwards compatible with DVI-D (DVI-I is a combination of both A and D - analog and digital). So unless your card is DVI-A, you should be able to use a DVI-to-HDMI cable to hook up your display. You will need to make separate arrangements for audio, however, since DVI (unlike HDMI) has no provisions for it.

      This does presume that the card is able to put out a mode/timing that's compatible with the set, of course.

      2. What you're probably talking about is the requirement that non HDCP-hardened outputs from HD players are supposed to be down-resed to 480p (or whatever). I don't know for certain, but I'm willing to bet that this is not an absolute requirement, but that there's a bit that the disk can set to require this behavior. Not all studios or titles will make the decision to flip that bit on their content, and I'd certainly expect them not to bother until/unless the technology to take DVI-B and rip it to MPEG4 becomes widespread. Unlike macrovision on analog outputs, which largely went unnoticed with DVDs, this bit does threaten to have a real impact on folks, so I would expect a site to pop up relatively shortly with a list of disks "not to buy" unless you have HDCP. The industry might even respond with a standardized icon on the box whose meaning is "HDCP required for full resolution."

      The other obvious restriction is that the HD media is itself encrypted, so when HD-DVD-ROM drives come out, you won't be able to read the data off of them (except in the context of an HD-DVD movie player app), at least not until it's reverse engineered and cracked like DVDs were.

      3. I may be wrong, but I am unaware of any HD video capture cards. There are HD tuner cards/boxes out there that will do HDTV, but they're decoding the RF from a TV station and getting MPEG2 streams. That's not the same thing as ripping 1080i from a DVI connector and turning THAT into MPEG2. Even if that were possible, the original source (HDTV, HD-DVD, DVD, whatever) was probably compressed in the first place, so you'll be recompressing it, which will degrade the picture some (more).

      • This is an interesting device:
        http://www.doremilabs.com/products/XDVI-20.htm [doremilabs.com]
        It converts a DVI signal into an SDI-HD signal.
        Then with a card like this -- http://www.blackmagic-design.com/products/hd/ [blackmagic-design.com]
        and a disk array that could handle about 1.5 gbits/sec you could record the high-def signal in an accessible form.
        With the drives we're in the $1500 range for all the gear, so it's not cheap, but it is 'prosumer' level.
        • Correct me if I'm wrong, but you would need to recompress the data on the fly before writing to disk. 1.5gb/sec would be approx 187MB/sec (1500/8) which I do not believe any consumer disk array can achieve. Also, is 1.5gb the standard data rate for 1280x720 + 5.1 audio?
      • A recent Ask Slashdot thread revealed several DVI capture cards on the market, but they're in the $3,000 range; and you'd need a pretty hefty computer to record uncompressed HD (and then recompress it).
      • 1: I'll have to check my connectors and specs to see exactly what I've got. In a way it's not terribly important, since I'm more interested in directing future purchases. It's a cinch that there will never be anything other than crippled Linux drivers for a card with HDMI output. Or put another way, I doubt there will ever be Linux HDCP capability.

        But that really doesn't bother me, as long as I can take MY sources, non-HDCP crippled, and display them fully. That's what this is really ALL about.

        2: See previo
  • by Midnight Thunder (17205) on Sunday April 16, 2006 @11:59AM (#15138231) Homepage Journal
    There is one thing I hate worse than this DRM (Draconian Rights Management) crap: region encoding. DRM only affects me if I want to make a backup or play a disk I bought with Linux. Now if I buy a disk in Europe and want to play it in Canada it is not doable, officially. Unofficially I have to get a DVD player with a backdoor, or a PC DVD player with the Firmware hacked or rip the DVD - all this for a DVD I bought legitimately!?

    And then there is something that scares me: how unaware of this many people I speak to are, even some people working in IT!
    • DRM only affects me if I want to make a backup or play a disk I bought with Linux. Now if I buy a disk in Europe and want to play it in Canada it is not doable, officially. Unofficially I have to get a DVD player with a backdoor, or a PC DVD player with the Firmware hacked or rip the DVD - all this for a DVD I bought legitimately!?

      If you were in Europe, you could also have bought a DVD player. They cost, what, $40 now?

      It would probably be easier to rip the CD.

    • by Benanov (583592)
      Ooh, a new definition of the "D" in DRM.

      Draconian Restrictions Management has a nice ring to it.
  • This is what the guy who originally said he could easily crack HDCP said. And the only reason he didn't release specifics (which could have allowed them to fix it before it went 'public') is because he'd have been in some boiling legal water thanks to the DMCA. As it is, the publisher of this story probably will be, but the system will still be cracked *very* quickly, and we'll all have AnyHDCP running in our trays so our computers are stupid-proof.
    • because he'd have been in some boiling legal water thanks to the DMCA. As it is, the publisher of this story probably will be

      Ed Felten has gone toe to toe with the xxAA before.
  • I may be totally misunderstanding, but won't the 40 devices need to have their private numbers assigned from the central authority as well (and presumably have to pay $$$$$ for it)? Otherwise, when they send [1]+[2] to the device they are cracking, and get back [3]+[4], it will be meaningless unless the hacker's internal numbers' 3+4 addition equals 1+2 of the remote device.
  • Oh, I see, breaking the security of the systems. Right. Didn't see that the first time. Sorry.
  • One attack in many (Score:5, Interesting)

    by bhima (46039) <Bhima.Pandava@gT ... m minus caffeine> on Sunday April 16, 2006 @01:12PM (#15138596) Journal
    Wow so many folks sort of missed the point here...

    Felton's description of the weaknesses of HDCP handshakes is of only one potential attack. Combined with other attacks and it's entirely possible that a group effort could crank out new secret vectors faster than the M.A.F.I.A.A. could revoke known compromised ones.

    For example: If more was known (than I know) about the encryption algorithm used (AKA "the hdcpRngCipher") work could be started on creating dense & smart Time-Memory Trade-Off tables. This is a non-trivial task involving tens of thousands of CPU hours... a perfect thing for a validating distributed computing application (oh. this. has. so. been. done. before).

    Also a HDMI repeater or splitter isn't very far from being a sniffer... I think all it lacks is a little I2C to USB help. This, the tables above, & a HDCP device will net you all the vectors you need to employ Felton's attack. Once one set has been compromised and the methodology worked out it's just a matter of turning the crank to get more and potentially very, very quickly.

    The utility of these attacks goes well beyond being able to view 1080p on a non DHCP device... one could render revocation useless be attacking high-end components sold by M.A.F.I.A.A. members (i.e. Sony). This eventually must lead hardware devices running out of un-revoked vectors and becoming inoperable... an untenable situation for the M.A.F.I.A.A.

    Now, if such a concerted attack is organized on the hi-def media... I feel that we will be right where we are now... a reasonably astute person can watch any DVD wherever they want and they can retain a backup of that media in a format of their choosing.
    • Not to be rude, but his name still isn't Felton, just like it hasn't been any other time some slashdotter misspells it.
    • In fact once you've cracked it you can build a device that generates keys on the fly when it's powered up... it doesn't matter how many are revoked - such a device is a permanent HDCP crack.

      I'll give it 6 months, then buy one from one of the many manufacturers in China.

  • First of all, let me admit that I'm not big into electronics. Best I can do is hook a cable onto my computer and pray that it gets the signal across. So please educate me.

    How is he going to find out what the device "wants to hear"? Is he going to sniff into the communication between two "legit" devices? Or is he going to try to "talk" with one of them and brute force through try and error (because it's unlikely the device will send him the "right" answer to the question as well)?

    How's he getting the informa
  • When you know the vectors of a machine, you only know what it can send you, but not what it expects from you. When the machine tells you to add [1] and [3], you have to know the index of this rule in its ruleset as well, so you know first of all what it wants to hear from you, and second which indexes it wants to get asked from you so it adds up to the same number.

    Technically you could of course go ahead and implement the same vectors and keys, which would of course yield the same results. But you need the
  • "If any 40 devices conspire together, they can break the security of the system."

    Ah, that explains the 40 suspicious looking toasters gathered in my basement whispering to each other.

  • Couldn't you get this without first gaining the secret vectors for 40 devices? Suppose you only knew the secret vector for just one device. Borrowing from the article's example, couldn't you do something like the following:

    Alice is a device whose secret vector has been obtained through means not addressed here. Bob is a commercially purchased device with an unknown secret vector.

    Known: Alice's secret vector is (26,19,12,7)
    Known: Alice addition rule is [1]+[2]
    Known: Bob's addition rule is [2]+[4]
    Unknown: Bob's
    • Problem is step 2.

      "Hacker impersonating Alice receives data from Bob and decrypts it into DATA."

      That implies that the hacker can already decrypt the data. Unless you know what it is beforehand (eg. a special DVD that contains a known video sequence) you can't do that.
  • by nagora (177841) on Sunday April 16, 2006 @03:58PM (#15139233)
    This stuff, just like region encoding, is about price-fixing. That's why the security is crap: its only purpose is to prevent the 99.99% of consumers who will never crack even a trivial encryption from recording a TV programme instead of going out and buying the HDDVD of the series later in the year. That keeps the price of those DVDs up and that's all this is about.

    It used to be called "a cartel" and it used to be illegal.

    TWW

    • You are correct, but this principle is relevant in a much more general sense, this being that greed is nearly always the underlying factor in witch-hunts, business decisions, and government policy. People scream about things like "piracy", "corporate restructuring", and "terrorism" (to name a few), yet the underlying reasons are almost always love of money and power. Instead of debating whether or not the evil du jour is legitimate, we should instead be asking whether or not greed is a good enough explana
  • by mozu (862682)

    The solution is easy according to an anonymous physicist. I showed him the problem and it took him 2 min to do this. He laughed when I told him this is a multi-billion dollar cipher system.

    If (no. of eqns.) >= (no. of variables), the equations are solvable.

    Given

    x1 + x2 = 33 - (1)
    x2 + x4 = 18 - (2)
    x1 + x3 = 41 - (3)
    x2 + x3 = 24 - (4)

    Rearrange (4)
    --> x2 = 24 - x3 - (5)

    Sub (5) into (1)
    x1 + ( 24 - x3 ) = 33
    x1 - x3 = 33 - 24
    x1 - x3 = 9 - (6)


    (6) + (3) -

    • using a matrix to solve for lambda is the best way, so he says.

      He was just trying to impress you by saying lambda. The steps you have outlined are the row operations on a matrix you have to do to solve the matrix (because there is a one-to-one translation between a system of equations and an augmented matrix):

      x1 + x2 = 33 - (1)
      x2 + x4 = 18 - (2)
      x1 + x3 = 41 - (3)
      x2 + x3 = 24 - (4)

      translates to:

      [ 1 1 0 0 | 33 ] (1)
      [ 0 1 0 1 | 18 ] (2)
      [ 1 0 1 0 | 41 ] (3)
      [ 0 1 1 0 | 24 ] (4)
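
      As an added worked example (not part of the original post, and not HDCP's real algorithm), here is that elimination carried out in Python over exact rationals and applied to the toy handshake Felten's article describes: each conspirator's public addition rule yields one linear equation in the target device's unknown secret entries. The rule pairs and key values are the constructed ones from the comment above; the function names are my own.

```python
from fractions import Fraction

# Toy model of the HDCP handshake from Felten's article: every device holds a
# secret vector of N numbers and a public "addition rule" naming which entries
# to add. A conspirator who knows its own secret vector can compute the key it
# shares with a target, and that key is one linear equation in the target's
# unknown secret entries. Enough independent equations recover all of them.

def apply_rule(rule, vector):
    """Shared-key step: add the vector entries named by a 1-based rule."""
    return sum(vector[i - 1] for i in rule)

def solve_exact(rows, rhs):
    """Gauss-Jordan elimination over exact rationals (no float round-off).

    rows: one coefficient list per equation; rhs: right-hand sides.
    Returns the unique solution, or None when the equations do not pin down
    every unknown: counting equations is not enough, they must be independent.
    """
    n = len(rows[0])
    aug = [[Fraction(c) for c in row] + [Fraction(b)] for row, b in zip(rows, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, len(aug)) if aug[r][col] != 0), None)
        if pivot is None:
            return None  # no equation constrains this unknown any further
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [x / p for x in aug[col]]
        for r in range(len(aug)):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [row[n] for row in aug[:n]]

def recover_secret_vector(conspirator_rules, shared_keys, n):
    """One equation per conspirator: the target's entries named by that
    conspirator's public rule must sum to the key the two devices share."""
    rows = [[1 if i in rule else 0 for i in range(1, n + 1)] for rule in conspirator_rules]
    return solve_exact(rows, shared_keys)

# Constructed toy values from the comment above, not real HDCP material:
# rules [1]+[2], [2]+[4], [1]+[3], [2]+[3] with observed keys 33, 18, 41, 24.
RULES = [(1, 2), (2, 4), (1, 3), (2, 3)]
KEYS = [33, 18, 41, 24]

if __name__ == "__main__":
    secret = recover_secret_vector(RULES, KEYS, 4)
    print("recovered target vector:", [int(x) for x in secret])  # [25, 8, 16, 10]
    assert all(apply_rule(r, secret) == k for r, k in zip(RULES, KEYS))
    # four equations but only three independent ones: nothing unique to recover
    print(recover_secret_vector([(1, 2), (2, 4), (1, 3), (1, 2)], [33, 18, 41, 33], 4))
```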

  • Hardware design costs: $6 Million
    User Interface software design: $1 Million
    DRM Engineering: $1 Million
    Having some wiseass kid from Sweden (Or wherever) render $1 million worth of DRM Engineering useless a month before your product ships: Priceless.
    • Having some wiseass kid from Sweden (Or wherever) render $1 million worth of DRM Engineering useless a month before your product ships: Priceless.

      The kid isn't a wiseass, he's an idiot. He should have waited until the product ships, when it's too widespread to do anything about the matter anymore. A month before the product ships you can still do last-minute desperate corrections; when the product has been sold for a year it's too late.

      Not that it matters to me. All this crap means is that I'll be get

      • I think you're overestimating the ability of the companies involved to change their course. It probably took them years to design their encryption scheme, there are a lot of companies all of whom have to be doing the same thing for the scheme to work, and the first devices are probably already in production. All the wheels have been set in motions, announcements made, ads purchased, etc. I don't think anyone's going to stop all that just because a theoretical weakness in the encryption scheme has been uncov
  • Collusion: in cryptography, when more than one end of a "secure" protocol begins to act, together with another end (or ends) of the protocol, in a way which is disadvantageous to the overall security of the protocol, this is known as collusion.

    Conspiracy is what UFO nuts and the like prefer to use when talking about supposed government behavior which is meant to distort their reality, i.e. taxes and elections.

    Arash
  • by tlk nnr (449342) on Monday April 17, 2006 @03:59AM (#15141099) Homepage
    The handshake algorithm allows a cool new business strategy:

    - get 40 secret vectors
    - use these 40 vectors to recover the secret vector of a well-selling HD-DVD TV screen
    - approach the vendor, and threaten to release the secret vector
    - profit!: The vendor will have to pay, otherwise the TV screen will end up on the blacklist, and the owners won't be able to play HD-DVDs anymore.
  • This isn't about the keys themselves... this is about the fact that if you can pull off the attack you can render the "blacklisting" or "key-revocation" system completely inert, meaning the protection is now permanently broken.

    The whole idea behind the revocations was that when hackers inevitably get ahold of some keys they can just blacklist those keys and everything will be A-OK (no DeCSS). We now know that this system will never work.
  • It strikes me that if you ever get one secret list of numbers the whole system is broken because you can perform every addition correctly now. So Felten must be describing a system of breaking it when no secret numbers are known, unlike what some other posters have theorized where getting 40 companies to release their secret numbers would have been required. But read the Wikipedia article on HDCP for a good discussion of how they try to protect against this.

    I once heard a Secret defined as: Something yo

  • Ed Felten is surprisingly kinky, don't you think?
    Then, Alice applies Bob's addition rule to her vector.
    And we can just imagine what happens then...
