NOT HOW IT WORKS!!! (Score 5, Informative)

I'm a cryptographer, posting belatedly. I don't know if anyone will see this or read it but I had to comment.

Almost all of the assumptions in this thread are wrong. The system does not work cryptographically in the way people imagine. The technology makes it possible to efficiently revoke INDIVIDUAL DEVICES, not entire model lines. Every device can have a unique key, even if there are millions of them. There is no necessity or desire to make people's non-hacked players stop working. As others have pointed out, this would be INSANE. That's not how it works!

Cryptographically, this system allows the data to be encrypted to any of millions or even billions of devices, using a very short encrypted key block. What happens is that if some of those (individual!) devices get revoked, the size of the key block increases. Amazingly, the size is dependent on how many devices get revoked, not on how many devices there are. If extracting keys from a device is complicated and expensive, and not too many need to get revoked over the lifetime of the system, it will be a success.

The cryptographic technique is described in a paper from Crypto 2001 called Revocation and Tracing Schemes for Stateless Receivers by Naor et al. and is available from http://www.wisdom.weizmann.ac.il/~naor/PAPERS/2nl_no_fig.pdf. I will describe an over-simplified version.

Imagine creating a binary tree with enough leaf nodes to hold all of the devices (again, this is individual devices, not model lines). Each device is associated with a particular leaf node of the tree. Now we assign a random AES key to every node of the tree, leaf nodes and internal nodes.

At manufacture time, each device is given all of the keys corresponding to its branch of the tree; that is, the key for its leaf node, and the keys for the parent, grandparent, etc. of that node, all the way back to the root node of the tree. As long as the disk is encrypted to one of these keys, the device can play the disk. Note that even if there are a billion device nodes in the tree this is only about 30 keys that a device has to hold, which is trivial.

Now, to create a disk, initially it is encrypted to the root node of the tree. All devices have the key for that node so all devices can play it. The key block is very short. But now suppose that someone manages to extract the secret device keys in their device, they get published on the internet (as happened initially with DeCSS), and everyone is able to use them to decrypt HD-DVDs. (BTW this system is also being used for Blu-ray! Don't think that's going to be any different!) Now what do we do?

What happens is that new disks are no longer encrypted to the root key. Instead, we partition the tree into subtrees that include every leaf node except the one which got its keys published. Now we encrypt the disk data to the root nodes of those subtrees, rather than to the root node of the whole tree. This will allow every other device still to decrypt the data, but that one hacked device can no longer decrypt new disks. The size of the key block grows based on the number of hacked players.

This is an oversimplified version because the size of the key block is bigger than desired. The paper above shows a more complex system, which is actually being used, which makes the size of the key block linear in the number of hacked systems. Assuming that hacking them remains relatively difficult, this should be an effective and efficient content protection system.

Basically this is the same method being used in current satellite TV systems, and for the past few years it has been successful enough that satellite piracy in the U.S. at least is largely a thing of the past.
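A runnable sketch of the complete-subtree method the comment describes, as an added example that is not part of the comment, of the Naor et al. paper, or of any real disc format. It assumes a 16-leaf tree (depth 4), heap-style node numbering (root = 1, children of n are 2n and 2n+1), and a SHA-256-derived XOR pad standing in for AES key wrap so it runs with the standard library only; real players use AES and a much larger tree. It builds the per-device key sets, revokes individual leaves, recomputes the cover, and checks which players can still recover the content key.

```python
import hashlib
import os

# Toy model of the complete-subtree method (Naor, Naor & Lotspiech, Crypto 2001).
# Hypothetical: the XOR pad below stands in for AES key wrap; node numbering and
# the 16-leaf tree are choices made for this example, not any real key block format.


def _wrap(node_key: bytes, content_key: bytes) -> bytes:
    """Stand-in for AES key wrap: XOR the content key with a pad derived from the node key."""
    pad = hashlib.sha256(b"wrap|" + node_key).digest()[: len(content_key)]
    return bytes(a ^ b for a, b in zip(content_key, pad))


_unwrap = _wrap  # XOR with a fixed pad is its own inverse


class CompleteSubtreeSystem:
    """Binary tree of 2**depth device leaves. Root = 1, children of n are 2n and 2n+1,
    leaves occupy ids [2**depth, 2**(depth+1))."""

    def __init__(self, depth: int):
        self.depth = depth
        self.n_leaves = 1 << depth
        # One random key per node, leaves and internal nodes alike.
        self.node_keys = {n: os.urandom(16) for n in range(1, 1 << (depth + 1))}
        self.revoked_leaves = set()

    def leaf(self, device_id: int) -> int:
        assert 0 <= device_id < self.n_leaves
        return self.n_leaves + device_id

    def device_keys(self, device_id: int) -> dict:
        """What one player holds from the factory: its leaf key plus every ancestor key (depth+1 keys)."""
        keys, n = {}, self.leaf(device_id)
        while n >= 1:
            keys[n] = self.node_keys[n]
            n //= 2
        return keys

    def revoke(self, device_id: int) -> None:
        """Mark one individual device (not a model line) as compromised."""
        self.revoked_leaves.add(self.leaf(device_id))

    def cover(self) -> list:
        """Roots of the maximal subtrees containing no revoked leaf.
        Every child hanging off the Steiner tree spanned by the revoked leaves is a cover node."""
        if not self.revoked_leaves:
            return [1]  # nobody revoked: encrypt to the root key only
        steiner = set()
        for leaf in self.revoked_leaves:
            n = leaf
            while n >= 1:
                steiner.add(n)
                n //= 2
        cover = []
        for n in steiner:
            if n < self.n_leaves:  # internal node on a revoked path
                for child in (2 * n, 2 * n + 1):
                    if child not in steiner:
                        cover.append(child)
        return sorted(cover)

    def make_disc(self) -> tuple:
        """Return (content_key, key_block); the key block has one entry per cover node."""
        content_key = os.urandom(16)
        key_block = [(n, _wrap(self.node_keys[n], content_key)) for n in self.cover()]
        return content_key, key_block


def player_decrypt(device_keys: dict, key_block: list):
    """A player tries each key-block entry against the keys it holds; None means it cannot play."""
    for node, wrapped in key_block:
        if node in device_keys:
            return _unwrap(device_keys[node], wrapped)
    return None


def demo(depth: int = 4) -> dict:
    system = CompleteSubtreeSystem(depth)
    players = {d: system.device_keys(d) for d in range(system.n_leaves)}
    out = {"keys_per_device": len(players[0])}

    ck, kb = system.make_disc()
    out["block_before"] = len(kb)
    out["all_play_before"] = all(player_decrypt(players[d], kb) == ck for d in players)

    system.revoke(5)  # device 5's keys leaked: new discs exclude only that leaf
    ck, kb = system.make_disc()
    out["block_after_one"] = len(kb)
    out["revoked_plays"] = player_decrypt(players[5], kb) == ck
    out["others_play"] = all(player_decrypt(players[d], kb) == ck for d in players if d != 5)

    system.revoke(12)  # a second leak: block grows with revocations, not with tree size
    ck, kb = system.make_disc()
    out["block_after_two"] = len(kb)
    out["cover_after_two"] = system.cover()
    return out


if __name__ == "__main__":
    print(demo())
```

With one revoked leaf the key block holds depth entries (the siblings along the revoked path); with two it holds six here, while the 15 unrevoked players still decrypt. The paper's subset-difference variant shrinks this further, to roughly linear in the number of revoked devices, which the comment refers to as the scheme actually deployed.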
