Making and Breaking HDCP Handshakes
Cadre writes "Ed Felten describes the handshaking routine used by HDCP and how if any 40 devices conspire together, they can break the security of the system."
American Hero. (Score:5, Interesting)
Also - anyone thinking the 40 'conspiring' devices makes it impractical to break HDCP/HDMI - think again. It just means 40 (or less) like minded hackers have to get together - not particularly hard to imagine these days.
Re:American Hero. (Score:2)
Re:American Hero. (Score:2)
More importantly... (Score:2)
Furthermore, as Ed notes, once one key is found, we can generate keys on the fly (if I read that right. if not, we can still get quite a few keys before they can invalidate them all). At that point, an intelligent hacker can build a system to plug into anything with HDCP and determine the
I would do it (Score:4, Funny)
But I don't have room for the forty big-screen TVs.
Re:I would do it (Score:5, Funny)
Re:I would do it (Score:1)
A little tougher than that... (Score:5, Interesting)
However, in writing this, I realize that I do not know how many keys you would need to present a good probability of solving the system of equations. Anyone want to run a simulation?
Re:A little tougher than that... (Score:2)
OTOH, since the addition rules are public, you can target your cracking to devices that have the types of keys you want.
Re:A little tougher than that... (Score:5, Informative)
No funny simulation is needed, a math paper referred by TFA contains the info you want: 50 KSV's have probability 0.999, by the properties of linear algebra over Z/2exp56Z.
Re:A little tougher than that... (Score:2)
Exactly. Ed's math is borked. (Score:3, Insightful)
In order to prevent this attack from being done easily, the central authority could deliberately hand out linearly dependent addition vectors to any company that applies. For example, suppose a company applies for 10,000 keys. The central authority gives them 10,000 keys and 10,000 addition vectors.
Re:Exactly. Ed's math is borked. (Score:2)
Of course, I don't know much about the algorithm itself, but from the blog's example, it should be simple to test the validity of any arbitrary key with any device.
Re:Exactly. Ed's math is borked. (Score:2)
First, HDCP does not require super security. It's not how the media is encoded, it's just the transport from the player to the viewer that is being encoded. There's a whole nother more secure code for the media encryption. I think what they want to avoid is some gizmo you could put inline that would decode it. So if they can create a situation where there is no universal gizmo for every player/viewer combination or one that breaks every year when a new device
Re:Exactly. Ed's math is borked. (Score:1)
Not to mention the manufacturer, I can't imagine Sony being too happy when Fox puts a "cannot be played on Sony xxxxxx players" on its media, as consumers may buy another player instead. If this was to be attempted then we could see a wonderful end to the HDCP madness as Sony (or another player ma
My math is borked, too. (Score:2)
So let's say, for the sake of argument, that the whole keyspace is tested; i.e., that for an arbitrary key that you create you have gathered the entire range of challenge responses from a particular device and stored each. Is an addition vector an NP problem that wouldn't give up the secrets of the key itself even if all the challenge responses were known?
It would seem that it must be to serve the intended purpose. It's much more damaging to be able to spoof a pa
Re:My math is borked, too. (Score:2)
Here's how spoofing would fail. Suppose I tell a new device I'm a sony xxxx and my addition key is 1,4,7,
Now you're screwed because your spoof device does not know what the keys for 39 and 40 are.
Thus you can't work with the new device. You CAN work with any old device whose subspace of addition keys you have mapped,
Re:My math is borked, too. (Score:2)
Now you're screwed because your spoof device does not know what the keys for 39 and 40 are.
Thus you can't work with the new device. You CAN work with any old device whose subspace of addition keys you have mapped, but not any new de
Re:My math is borked, too. (Score:2)
Here's what will happen (Score:2, Insightful)
It won't be difficult.
Re: (Score:2)
Re:Here's what will happen (Score:1)
Re:Here's what will happen (Score:2, Insightful)
There is no need to do this -- the signal itself would have to be according to some kind of standard or else a brand X DVD player couldn't work with a brand Y television. Just look up the communications protocol.
Riiiiight. The DVD's addition rule is [1]+[3] and the TV's is [6]+[17]. What's
Re:Here's what will happen (Score:1)
It's been going on for centuries. Keep arguing. Unless you're willing to bet that HDCP will be the be all and end all of encryption methods and no other better method will ever be needed then you'd best just pack up and shut up now. If you are willing to bet on it then I
Re:Here's what will happen (Score:1)
Well, duh. The point is to prevent a descrambling device in the middle that end users can use, such as the cable descramblers that are used today. If you could descramble at will, you can copy the HD content all you want. However, most end users won't take apart their
Nope (Score:2)
the keys are never transmitted, only the addition rules. So here's a hypothetical exchange
device 1: my addition rule is 17+13
device 2: my addition rule is 24+5
device 1: okay I computed the secret= key[24]+key[5] (which I alone know)
device 2: okay I computed the secret = key[17]+key[13] (which I alone know)
at this point both secrets are the same but neither secret has appeared on any tapable wire.
now dev1 says:
dev1: your challenge is to encrypt this number: rand = 138
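The exchange sketched in the comment above, as an added example that is not part of the original thread or of any HDCP implementation: a toy handshake with 4-element vectors (the article's example size), using the Alice [1]+[2] and Bob [2]+[4] rules that appear elsewhere in this discussion. It assumes, following the published analysis of HDCP rather than this comment, that the authority derives each secret vector from a symmetric master matrix; all function names and the random master are constructed for illustration.

```python
import secrets

MOD = 2 ** 56  # arithmetic modulus, per the paper cited in the thread
N = 4          # toy vector length; real HDCP uses 40

# Addition rules written as 0/1 selection vectors over positions 1..4.
ALICE_RULE = [1, 1, 0, 0]  # [1]+[2]
BOB_RULE = [0, 1, 0, 1]    # [2]+[4]


def make_master(n=N):
    """Authority's secret symmetric n x n matrix (constructed at random)."""
    m = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i, n):
            m[i][j] = m[j][i] = secrets.randbelow(MOD)
    return m


def issue_secret_vector(master, rule):
    """Secret vector issued to the device whose public rule is `rule`.

    Entry i is sum_j master[i][j] * rule[j]: a linear map of the rule.
    """
    return [sum(mij * r for mij, r in zip(row, rule)) % MOD for row in master]


def shared_secret(my_secret_vector, peer_rule):
    """Apply the peer's addition rule to my own secret vector."""
    return sum(k * r for k, r in zip(my_secret_vector, peer_rule)) % MOD


def handshake(master, rule_a, rule_b):
    """Return (A's secret, B's secret); only the rules cross the wire."""
    key_a = issue_secret_vector(master, rule_a)
    key_b = issue_secret_vector(master, rule_b)
    return shared_secret(key_a, rule_b), shared_secret(key_b, rule_a)


def is_linear(master, rule_1, rule_2):
    """Check that issuing for rule_1 + rule_2 equals the sum of both issues."""
    combined = [a + b for a, b in zip(rule_1, rule_2)]
    v1 = issue_secret_vector(master, rule_1)
    v2 = issue_secret_vector(master, rule_2)
    summed = [(x + y) % MOD for x, y in zip(v1, v2)]
    return issue_secret_vector(master, combined) == summed


if __name__ == "__main__":
    master = make_master()
    a, b = handshake(master, ALICE_RULE, BOB_RULE)
    print("secrets agree:", a == b)
    print("issuance is linear:", is_linear(master, [1, 0, 0, 0], [0, 0, 1, 0]))
```

Both sides agree because the master matrix is symmetric, and `is_linear` shows that secret vectors are not independent of one another, which is the property the thread's "N equations for N variables" argument rests on.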
Re:Exactly. Ed's math is borked. (Score:2)
Didn't the article say that the vectors always have 20 1's and 20 zeros? Doesn't that limit the permutability of the vector?
Also, if you were to hand vectors out 10,000 keys like that to one manufacturer, wouldn't you only need 14 or 15 of those types of devices to conspire to bre
Re:Exactly. Ed's math is borked. (Score:2)
and no. you are confusing devices with dimensionality. a 20 dimensional space spans much more than 10,000 devices.
Cool, but nor practical (Score:1, Insightful)
From TFA:
Apparently Mr. Felten has a somewhat twisted idea of "eminently doable".
The HDCP CA will certainly only give out keys to people who sign very very scary agreements not to engage in exactly the sort of activities described. While a fe
Re:Cool, but nor practical (Score:2)
Re:Cool, but nor practical (Score:2)
Re:Cool, but nor practical (Score:4, Funny)
Well, kicking down the front door of the central HDCP bureau and storming it with torches and pitchforks to get the master key is just another kind of brute force attack, no ?-)
Re:Cool, but nor practical (Score:1)
Re:Cool, but nor practical (Score:2, Insightful)
Re:Cool, but nor practical (Score:2)
situation. once you have the 40 keys you can extract the keys from as many good players as you wish, further using those keys to extract more keys. and any 40 of the set of all extracted keys will work just fine.
i am not an electrical engineer, but this seems to be the kind of thing once broken once that could be built into a single IC or for better features loaded onto a HDMI dongle with a USB port where you can upload any Keys.txt file if
Re:Cool, but nor practical (Score:1, Informative)
Re:Cool, but nor practical (Score:1)
About your other idea: From the paper referenced in the article, it looks like the device sends a hash of the sum over the wire. So you'd have to invert a hash on each try (which may still be doable -- the input space isn't all that huge). But the attacker can cleverly choose a basis for the KSV space, thereby recovering the target's private key in exactly 40 tries. This attack would probably take a
Re:Cool, but nor practical (Score:2)
Re:Cool, but nor practical (Score:1)
(I didn't realize it was a hash that short. But 16 bits sounds absurd -- the hash gives the shared secret and 16 bits is way too short.)
Re:Cool, but nor practical (Score:2)
Re:Cool, but nor practical (Score:5, Informative)
Felten in talking about "a conspiracy of about forty devices" is not saying that (defectors at) forty device makers have to reveal secret keys. What he's saying is that you just need the 40 devices themselves, or rather (as post above pointed out) enough to get 40 different key sets (and some math and programming ability). Then the crack is done by analysing the bit streams between the devices (between player and display, or whatever).
The expense is the cost of all those tvs and players. Bribing the device makers is a *different* kind of attack which Felten rules out as impractical.
Re:Cool, but nor practical (Score:2)
Did you? Or did we somehow read entirely different articles?
Felten in talking about "a conspiracy of about forty devices" is not saying that (defectors at) forty device makers have to reveal secret keys.
The linked article specifically says exactly that! The described attack requires knowing the key vector of each of the 40 devices used in the attack:
Why Reveal this Now? (Score:3, Interesting)
Re:Why Reveal this Now? (Score:5, Interesting)
Rather unlikely. The whole concept of DRM is bankrupt as a cryptographic concept because you are handing over the ciphertext, the plaintext and last but not least the key over to your adversary (usually called "consumer" or "hacker"). Sure you can try to make it hard for him to actually get them but you already handed them over and it just remains a question of time until they are recovered.
Meanwhile, a single break is a class break for at least all the content released up to the point of the break (even with "revokable" keys). Also, once a broke the system once, the content is freed forever and can be distributed at leisure (darknet hypothesis), which means even some small quality loss may be acceptable to the attacker since that loss would only occur once.
In short, DRM is a DReaM indeed.
Re:Why Reveal this Now? (Score:2)
Re:Why Reveal this Now? (Score:2)
Does it really have to be this way? What if a central body developed a chip whose interface is known but whose internals are highly secret. Anyone making playback equipment just has to be able to accept one of these chips.
The function of the chip is to take an encrypted content stream and give out an unencrypted content stream.
Hmmm... even as I write this I can see that it's absolutely full of hol
Re:Why Reveal this Now? (Score:2)
In the case of your "black box" decryption chip, all you're doing is burying the "secret" that you hope the consumer can't access into a chip. If someone figures out how to extract the key off of your secret-decoder chip, though, your security is shot. It's not really a "secure" system in the mathematical, theoretical sense that cryptographers like to talk about; really all you're doing is hoping that your adversaries, combined, don't have the resources to
Re:Why Reveal this Now? (Score:2)
If the decoder module was renewed frequently (yearly, monthly, whatever) then the race becomes a bit harder. There are two challenges then:
1. Brute force the private key. It would need to be done fairly quickly though (not much use really if it takes 5 months to get it when the module is renewed semesterly). Key strength could easily be increased to keep the discovery time sufficiently long, as the decryption is completely contained within the device.
2. Find a way to trick the module to give up t
Re:Why Reveal this Now? (Score:2)
If you need to buy a new decoder module monthly to watch legally purchased (sorry, licensed) content, then guess if anyone will buy that content legally or download cracked content from BitTorrent ?
Re:Why Reveal this Now? (Score:1, Insightful)
As others have pointed out, the attack is not new. What HDCP does is *not* protect content (at least, not seriously)... it forces the makers of consumer electronics to sign legal agreements with Intel, and more critically with the MPAA... and these legal agreements dictate what features the manufacturers can add. If you want to sell players legally, you have to make them the way you are told... not the way the consumer wants.
It's about control, not copy protection (can't fast forward through adverts etc e
Re:Why Reveal this Now? (Score:1)
'Old' news (Score:5, Informative)
In a related question... (Score:3, Interesting)
1: Can I hook up my current VGA or DVI to one of these, and display the content I can currently display?
2: Is the only limitation/constraint the new HD/BlueRay DVDs with "double-plus-good super-duper copy-protection, put there to protect me AND the children"?
3: Related to both, assume I have MythTV running with an HD capture card. (I don't yet, but plan to, before they become illegal. What's the latest status?) Can I run my captured content out through one of these new displays?
Re:In a related question... (Score:1)
I can only help answer your first question. I bought a 32" LCD with multiple inputs including HDMI for my PC's. I have yet to find a graphics card that is HDMI compliant. Therefore, at this time I can not use the 1920 x 1080i @ 60Hz that the display can handle. I am using the RGB-PC inputs. There may be a card, but I have not found it yet.
Re:In a related question... (Score:2)
Try a graphics card with a DVI out - you should generally be able to connect a DVI out to a HDMI in. However, you can only connect a HDMI output to a DVI input if
Re:In a related question... (Score:3, Interesting)
from http://www.ramelectronics.net/ [ramelectronics.net] "HDMI - Digital connection for Video and 8-channels of Digital Audio as well as device control features. Electronically better potential for supporting longer cable lengths than DVI for digital video.
Specification supports up to 12 bit Y-Pr-Pb video (rarely implemented on equipment) as opposed to 8 bit limit of DVI RGB."
Re:In a related question... (Score:5, Informative)
This does presume that the card is able to put out a mode/timing that's compatible with the set, of course.
2. What you're probably talking about is the requirement that non HDCP-hardened outputs from HD players are supposed to be down-resed to 480p (or whatever). I don't know for certain, but I'm willing to bet that this is not an absolute requirement, but that there's a bit that the disk can set to require this behavior. Not all studios or titles will make the decision to flip that bit on on their content, and I'd certainly expect them not to bother until/unless the technology to take DVI-B and rip it to MPEG4 becomes widespread. Unlike macrovision on analog outputs, which largely went unnoticed with DVDs, this bit does threaten to have a real impact on folks, so I would expect a site to pop up relatively shortly with a list of disks "not to buy" unless you have HDCP. The industry might even respond with a standardized icon on the box whose meaning is "HDCP required for full resolution."
The other obvious restriction is that the HD media is itself encrypted, so when HD-DVD-ROM drives come out, you won't be able to read the data off of them (except in the context of an HD-DVD movie player app), at least not until it's reverse engineered and cracked like DVDs were.
3. I may be wrong, but I am unaware of any HD video capture cards. There are HD tuner cards/boxes out there that will do HDTV, but they're decoding the RF from a TV station and getting MPEG2 streams. That's not the same thing as ripping 1080i from a DVI connector and turning THAT into MPEG2. Even if that were possible, the original source (HDTV, HD-DVD, DVD, whatever) was probably compressed in the first place, so you'll be recompressing it, which will degrade the picture some (more).
ripping HD from DVI (Score:1)
http://www.doremilabs.com/products/XDVI-20.htm [doremilabs.com]
It converts a DVI signal into an SDI-HD signal.
Then with a card like this -- http://www.blackmagic-design.com/products/hd/ [blackmagic-design.com]
and a disk array that could handle about 1.5 gbits/sec you could record the high-def signal in an accessible form.
With the drives we're in the $1500 range for all the gear, so it's not cheap, but it is 'prosumer' level.
Re:ripping HD from DVI (Score:1)
Re:ripping HD from DVI (Score:2)
Re:In a related question... (Score:2)
Re:In a related question... (Score:2)
But that really doesn't bother me, as long as I can take MY sources, non-HDCP crippled, and display them fully. That's what this is really ALL about.
2: See previo
One thing I hate worse ... (Score:3, Interesting)
And then there is something that scares me: how unaware of this many people I speak to are, even some people working in IT!
Re:One thing I hate worse ... (Score:2)
If you were in Europe, you could also have bought a DVD player. They cost, what, $40 now?
It would probably be easier to rip the CD.
Oo! (Score:2)
Draconian Restrictions Management has a nice ring to it.
Re:Region Coding vs. Fair Use (Score:2, Interesting)
This is what.... (Score:2)
Re:This is what.... (Score:2)
Ed Felten has gone toe to toe with the xxAA before.
not as easy as it seems, or am I misunderstanding? (Score:2)
What!? Hasn't he heard of the /. Effect? (Score:1)
One attack in many (Score:5, Interesting)
Felten's description of the weaknesses of DHCP handshakes is of only one potential attack. Combined with other attacks and it's entirely possible that a group effort could crank out new secret vectors faster than the M.A.F.I.A.A. could revoke known compromised ones.
For example: If more was known (than I know) about the encryption algorithm used (AKA "the hdcpRngCipher") work could be started on creating dense & smart Time-Memory Trade-Off tables. This is a non-trivial task involving tens of thousands of CPU hours... a perfect thing for a validating distributed computing application (oh. this. has. so. been. done. before).
Also a HDMI repeater or splitter isn't very far from being a sniffer... I think all it lacks is a little I2C to USB help. This, the tables above, & a HDCP device will net you all the vectors you need to employ Felten's attack. Once one set has been compromised and the methodology worked out it's just a matter of turning the crank to get more and potentially very, very quickly.
The utility of these attacks goes well beyond being able to view 1080p on a non DHCP device... one could render revocation useless by attacking high-end components sold by M.A.F.I.A.A. members (i.e. Sony). This eventually must lead hardware devices running out of un-revoked vectors and becoming inoperable... an untenable situation for the M.A.F.I.A.A.
Now, if such a concerted attack is organized on the hi-def media... I feel that we will be right where we are now... a reasonably astute person can watch any DVD wherever they want and they can retain a backup of that media in a format of their choosing.
Re:One attack in many (Score:2)
Re:One attack in many (Score:2)
I'll give it 6 months, then buy one from one of the many manufacturers in china.
Ok, fine, but where do you get the info? (Score:2)
How is he going to find out what the device "wants to hear"? Is he going to sniff into the communication between two "legit" devices? Or is he going to try to "talk" with one of them and brute force through try and error (because it's unlikely the device will send him the "right" answer to the question as well)?
How's he getting the informa
Knowing the vectors is only half the deal (Score:2)
Technically you could of course go ahead and implement the same vectors and keys, which would of course yield the same results. But you need the
If any 40 devices conspire together... (Score:2)
Ah, that explains the 40 suspicious looking toasters gathered in my basement whispering to each other.
Re:If any 40 devices conspire together... (Score:2)
Easier? (Score:2)
Alice is a device whose secret vector has been obtained through means not addressed here. Bob is a commercially purchased device with an unknown secret vector.
Known: Alice secret vector is (26,19,12,7)
Known: Alice addition rule is [1]+[2]
Known: Bob's addition rule is [2]+[4]
Unknown: Bob's
Re:Easier? (Score:2)
"Hacker impersonating Alice receives data from Bob and decrypts it into DATA."
That implies that the hacker can already decrypt the data. Unless you know what it is beforehand (eg. a special DVD that contains a known video sequence) you can't do that.
IT'S NOT ABOUT PIRACY! (Score:5, Insightful)
It used to be called "a cartel" and it used to be illegal.
TWW
Re:IT'S NOT ABOUT PIRACY! (Score:1)
Apparently this is easy. (Score:2, Insightful)
The solution is easy according to an anonymous physicist. I showed him the problem and it took him 2 min to do this. He laughed when I told him this is a multi-billion dollar cipher system.
Re:Apparently this is easy. (Score:2)
He was just trying to impress you by saying lambda. The steps you have outlined are the row operations on a matrix you have to do to solve the matrix (because there is a one-to-one translation between a system of equations and an augmented matrix):
translates to:
Engineering Cost Estimate (Score:2)
User Interface software design: $1 Million
DRM Engineering: $1 Million
Having some wiseass kid from Sweden (Or wherever) render $1 million worth of DRM Engineering useless a month before your product ships: Priceless.
Re:Engineering Cost Estimate (Score:2)
The kid isn't a wiseass, he's an idiot. He should have waited until the product ships, when it's too widespread to do anything about the matter anymore. A month before the product ships you can still do last-minute desperate corrections; when the product has been sold for a year it's too late.
Not that it matters to me. All this crap means is that I'll be get
Re:Engineering Cost Estimate (Score:2)
Conspiracy, I believe the correct word is... (Score:2)
"secure" protocol begins to act in a way with another
end(s) of the protocol which is disadvantageous to the
overall security of the protocol, this is known as
collusion.
Conspiracy is what UFO nuts and the like prefer to use
when talking about supposed government behavior which
is meant to distort their reality. ie: taxes and elections.
Arash
New business-model: Blackmail your competitor! (Score:3, Interesting)
- get 40 secret vectors
- use these 40 vectors to recover the secret vector of a well-selling HD-DVD TV screen
- approach the vendor, and threaten to release the secret vector
- profit!: The vendor will have to pay, otherwise the TV screen will end up on the blacklist, and the owners won't be able to play HD-DVD's anymore.
This isn't about cracking keys themselves (Score:2)
The whole idea behind the revocations was that when hackers inevitably get ahold of some keys they can just blacklist those keys and everything will be A-OK (no DeCSS). We now know that this system will never work.
Does this mean...? (Score:2)
I once heard a Secret defined as: Something yo
Kinky... (Score:2)
And we can just imagine what happens then...
Re:Where did you get 40? (Score:2)
Re:Where did you get 40? (Score:2, Informative)
Four was an example for the article.
Re:Where did you get 40? (Score:2)
Re:It's 4 not 40 (Score:1)
'Nuff said.
No, it's 40, not 4 (Score:5, Informative)
The key is that with N variables (the number of different numbers in the vector), you need N equations to solve the set of equations for all of those variables - it's simple linear algebra.
When you purchase a licence, you get a bunch of 10000 keys for $16000, so S.O.Mebody could use this within an organisation to analyse the generation matrix, and actually produce 40 new keys and release them to the wild. No comeback.
Simon
Re:No, it's 40, not 4 (Score:1)
So, what they could do is sell you 10.000 linearly dependent keys.
Bert
A patent lawyer who detests software patents and DRM that
Re:No, it's 40, not 4 (Score:2)
Re:No, it's 40, not 4 (Score:2)
I hope it's SONY that gets broken if they do use that method
Re:It's 4 not 40 (Score:1)