HDCP Break Proven
zavyman writes: "I just noticed at Cryptome that the flaws in HDCP posted to Slashdot earlier this year, which one person refused to disclose due to possible threats from the DMCA, have been made public by different authors. Scott Crosby of Carnegie Mellon University, Ian Goldberg of Zero Knowledge Systems, and Robert Johnson, Dawn Song, and David Wagner of UC Berkeley have published a formal cryptanalysis of the High-bandwidth Digital Content Protection System that proves its fatal flaws. Interesting reading for those with some background in cryptanalysis."
It seems every day we hear about yet another thing that has been cracked...boring :(
Where there's a whip, there's a way.
I guess this means we need to start pooling bail money then, huh?
--nbvb
They probably collaborated with Osama to ensure good crypto for Al Qaeda. Arrest them, shoot them... they are destroying the American way of life!
A crank is a little thing that makes revolutions
Some people have refused to make security problems public, thus weakening the security of HDCP (someone could have fixed it), and this works against the *AA media bunches. Ah, the irony of it....
This is fabulous work and points out the flawed approach of expedient development of crypto based products in a corporate environment.
Good crypto can only be developed in the open where it is subject to formal peer review and detailed scrutiny.
One of these days, this problem will solve itself when shareholders reject proprietary approaches because they don't work, are broken and don't make any money.
Shareholders need to be educated that the only way to make money off cryptographically protected products or information is the open way.
RGR
Jibe!
High-bandwidth Digital Content Protection System is flawed beyond repair and would have to be completely reworked.
In summary...
Conclusion
HDCP's linear key exchange is a fundamental weakness. We can:
Why do people continue to think they can build a secure system designed to simultaneously distribute data publicly and prevent its distribution?
...made possible thanks to a few good beers. :-)
I suppose this just goes to show that no matter what kind of system is implemented, there will always be a way to break in. One of the biggest mistakes made by corporate management and government folks is mistaking some so-called technology for a proactive all-around security policy. Although HDCP is but a single detail in a sea of systems geared towards security, the same rule applies to any system: There is no such thing as perfection. This is why I get annoyed when I read an advertisement for some encryption software, firewall product or whatnot that claims to be 100% secure against intruders. It's just glossy marketspeak, and it doesn't cut it for me.
My personal rule of thumb, when it comes to security, is this: Security software is in many ways similar to the laws put in place by the government. Unless someone enforces those laws (or regularly maintains the computer system), the system can be circumvented. Obviously, there are vast differences in the actual work someone has to do, but the concept is the same. If only the PHBs understood that.
It would be nice if the content cartels like the RIAA and MPAA would learn to adapt business models rather than rail against their own consumers. They would rather overturn the legal system than risk their established profit system.
Regards
I like teamwork. It's easier to assign blame that way.
Damn it, Scott Crosby... give me my name back! Now I'm going to get your damn mail again and... grr.
-- Minds are like parachutes... they work best when open.
that cryptography as we know it is obsolete. Innovations need to be made that would protect data from being sniffed and packets cracked open. Encryption and cryptography as it stands at this moment is a joke: just pool together enough resources, and even 128-bit keys can be cracked and unlocked. I am looking for an open discussion on the future of data protection, cryptography, and encryption.
Insert Sig Here.
I hate sigs.
There are some goals that technology can solve, without anyone doing any enforcement. If I can choose my cryptosystem and key length, I can, with very high confidence, hide the content of my private communications, no matter who is trying to break it, no matter how hard.
It's just that "content protection" is not one of those goals. If I have enough information to show a movie, I also have enough to re-show or rebroadcast it. No matter what the technology involved (assuming I have enough computing power).
Policy makers need to understand this distinction, let technology do its thing where possible, and don't expect it to do much of anything where it's not.
IMHO.
I Can't Believe It's A Law Firm, LLP does not necessarily endorse the contents of this message.
Oh, good thing it's the video encryption stuff. When I read the headline I thought it would be insecure to get an IP address with DHCP, and that had me worried.
Under the DMCA it is highly illegal to do any of the above unless you are specifically authorized by the copyright owner. If you violate the DMCA you may find yourself being sent to federal prison. Dmitry Sklyarov as you probably know is looking at 25 years to life in federal maximum security prison. Obey the law and quit being such a baby. The DMCA is for your own good.
The DMCA aims not only to protect companies who use crappy encryption from hackers, it aims to hide from the general public the potential dangers of using encryption that could have been deliberately made to be crackable. So the government could release some (easily crackable) encryption standard that gets added to a lot of hardware and software but the people won't know that their privacy could be easily violated because it would be illegal to try to crack the system. This then makes people vulnerable.
Perhaps I just thought of something that everyone knows already, but I wanted to voice it nonetheless.
Just in case the original authors' fears are justified, I've mirrored the page here [http://lookingglass.akardam.net/mirrored/hdcp-weakness/hdcp111901.htm for the link wary].
Mirror early, mirror often.
The difference between this and the Felten case is that Felten "cracked" a watermark system, which isn't encryption per se. Stupid, eh?
V.
adobe withdrew charges, sklyarov's out on bail. also, max sentence of 5 years, last time i checked, probably not going to happen at all.
Me lose brain? Uh, oh! (laughter) Why I laugh? -Homer Simpson
From a part-time mathematician's perspective (ok, actually a physicist) this was the line that just made my jaw drop. What were they thinking?! If this text is correct, this algorithm may as well have been designed by a high-school student.
As several people have pointed out already, this is really one of the big threats of the DMCA -- that companies will go around using incredibly poor standards like this, and be immune to any pressure to improve their quality because their customers are legally forbidden to ask what they are receiving. It says a great deal about the present legal climate that anyone could get away with a mess like this cryptosystem in a commercial product.
*sigh*
I'm sure he knew the knowledge would get out there eventually. I know I wouldn't want to take the rap for it!
Maybe someone will figure out that having honest people discover security flaws is a GOOD thing...
If the government released the system then the spec would be available for study. Remember, the government can't hold copyright to anything, but some times the contractors can...
I think you may have hit upon a key step in fighting the DMCA: we need to point out that, stripped of all the falderal, it is intended to let manufacturers pass shoddy goods off on us poor consumers.
If only some brave defender of the consumer/voter/masses would come forward to defend us from these cads (say, leading up to an election)...I'll bet the press would love it.
Remember, lobbyists may give money, but they can be sold down the river in a heartbeat if someone comes along offering votes.
-- MarkusQ
Perhaps they didn't realize it was a linear system. Many cryptosystems are broken when someone figures out "but your incredibly complex system is really mostly just doing X", for some well-known mathematical construct "X". Real cryptographers have made similar mistakes in the dim past, although in 2001, it is perhaps a little late for repeating this particular one.
They separated the key into public and private parts. But I guess they hadn't got to the chapter on RSA in the Applied Cryptography Handbook when the design was due. Too bad.
3.243F6A8885A308D313
Second, shooting anybody trying to uncover knowledge is not the American way of life.
Finally, any supposed American way of life is false, and it should not be protected.
Freedom to do what you want as long as it isn't directly harming someone else is what should be protected.
Having a bit of formal training in Math, I'm just speechless. This is not cryptanalysis, this is second semester of Algebra, Quiz question #2.
.. blech .. I do not know who designed this, nor am I sure if they even cared to independently evaluate it, but this is incredibly and incomprehensibly lame. It's like using XOR encryption or computing hash bytes multiplication.
Public/Private keys
3.243F6A8885A308D313
(This is the author of the slides, BTW)
Intel wanted a scheme that could be implemented in under 10,000 gates. IMHO, the designers were aware of the flaw, though not necessarily of the full impact of the flaw. Some of the attacks are subtle.
"Good crypto can only be developed in the open where it is subject to formal peer review and detailed scrutiny".
I'm sure everyone in the NSA shares your educated opinion. In case you didn't know, these are the guys you should thank for DES, IKE and ISAKMP.
There is only one thing one needs to possess in order to develop a strong and reliable cryptosystem: formal training in cryptography. What 10 undereducated volunteers can put together in a month, a professional mathematician will do in a week, regardless of whether he supports the open community or is employed by an evil corporation.
3.243F6A8885A308D313
There were two versions posted on Cryptome; the second (latex2html, much easier to read) omitted this statement the first version had:
"The attacks on HDCP are neither complicated nor difficult. They are basic linear algebra. Thus, there have been at least 4 independent discoveries of these flaws. The four I know of are my co-authors, Niels Ferguson, Keith Irwin (http://www.angelfire.com/realm/keithirwin/HDCPAthacks.html), and myself (www.cryptome.org/hdcp-weakness.htm). The last two have been available publicly for 3 months and 3 weeks prior to Niels Ferguson's declaration. Niels' declaration and the Sklyarov case were an eye-opener for me and made me fully realize what I had done, and what negative consequences I was in danger of experiencing.
What wrathful gods one risks angering by a 20 minute straightforward application of 40 year old math. This was an accident, not a habit. Like other researchers, I do not want to be smitten and thus do not expect to analyze any more such schemes as long as the DMCA exists in its current form.
(This statement is my own and does not represent the opinions of my co-authors.)"
So, for those of you who watch Cryptome, I broke it there about 3 days after it was leaked, 6 months ago. Keith Irwin also put his observations up 3 months ago. All of this predates Sklyarov and Ferguson.
So, this is only the official version of the break, the slides I presented 2 weeks ago.
http://censored.firehead.org:1984/hdcp/crack2/
I broke it over 6 months ago, go look at the Cryptome archives, where it's been sitting since May 9th.
:)
I know of at least 4 researchers who have independently discovered the flaws. (See my other slashdot post).
After Sklyarov and Ferguson, I was reluctant to point out that my work had been sitting around on Cryptome since May. I suspect Keith Irwin felt similarly.
Niels wasn't the first to go public or even second, though he did raise a wonderful stink.
to make a practically unhackable system.
I've thought over possible designs very carefully, but, given the DMCA, and my lack of a desire to aid, abet, or otherwise supply any support to any of these digital control technology schemes in any way.. But, with high confidence, I'd say that you could make something essentially hackproof.
I'll be mum, at least, but I can at least reference two proposed standards for you to read. See www.trustedpc.org (with CPRM hard drives, signed drivers, signed BIOSes, 'trusted windows'), or Microsoft's slides on the topic. Also, see DTCP, there they *did* use real public key crypto.
Read them, but don't try to break them; I don't want you to aid, abet, or otherwise support the digital control freaks in any way.
Scott
W as in Why? ...
.... Don't people just drop closed development of cryptographic tools and just make ssh bridges where they need security, follow the mailing list carefully, update when needed, set up honeypots....etc.
Is that so hard? Is it too much to ask of the typical ages-old Solaris expert that just trusts the next "Industry Standard ultra-orthogonal tool with retrokey-challenged-public-private-semiprivate key changes, plus the added value of cryptocomponents that reduce TCO (or so Gartner said)"?
Computers are not for people.
Alex
NO SIG
This is pretty basic, but for those who don't know, HDCP is the encryption scheme of choice for HDTV video signals. This is fairly huge news that it has been broken since all TVs and broadcasts in the US will supposedly eventually switch to the HDTV standard. Unless they pull a fast one and switch the standard (which would alienate everyone who has already bought expensive HDTV equipment), this means that DMCA or not, people are going to have guaranteed access to plaintext HDTV signals for as long as the standard is in use. Of course, I'm personally hoping that the DMCA is at least re-written, preferably scuttled altogether.
OK, scenario for ya: I work in a small office (25 people) and one of them is a subject of an investigation. When you pick up the phone anywhere in our office, the phone system grabs the next free line. That means that the FBI will be listening to ALL CALLS into and out of our office because this person may be using that phone. The legislation does not limit this! There was a Senator (can't remember the name, can't find it on Google) who had wanted to add that the tap was not allowed to be monitored if the suspect was not on the phone at the time, but this got shot down.
Another question is how often does a suspect use a phone before it's wire-tapped? Should we expect all the public to be tapped? If I throw a party and a friend-of-a-friend makes a call or two to order a pizza, should I wonder if my phone is now tapped?
Never never never smoke crack before geometry class!
What if we had a group of say... 10K people "release" a paper like this.
:)
I'd love to see them start going down the list
What were they thinking?!
No, no, no. The correct question is: What were they drinking?!
If you do the math you'll see that searching entire 128bit keyspace in a decades time would require the capability to test almost 22^100 keys per second, or roughly 10 million tillion times the computing power of the EFF's DES Cracker
that should read "2^100" and "10 million trillion", in any case, much more processing power than is conceivable in the near future
Reading the proof of this was really cool. I knew exactly what it was proving, how it got there, but damn. I feel like a dumb-ass (with a math minor) that I took that long to remember simple proofing techniques. Good work guys!!
"Days" is a better estimate, with hardware designed for the task. This was demonstrated in the second DES contest. The EFF's custom built machine found the key in 56 hours, after searching 25% of the keyspace.
Read here for details.
Up your butt and around the corner.. heh.. heh.
mirror here: http://www.universet.no/hdcp/
For this purpose, it doesn't need to be mathematically valid, any more than a cash register needs to be fireproof and have a 28-digit combination lock. All that a cash register needs is to have a door that closes and stays closed. This means that you can't have things move from the cash register into your pocket by accident.
If there was a vulnerability in the standard which meant that you could access the signals without trying to, that would be bad news. As it is, the signals are only accessible by those who want to consciously make equipment designed for the purpose of viewing them, which has no legitimate alternative use. In other words, the "crack" of this standard only refers to an attack which is against the laws relating to theft (in this case the DMCA).
This is not a "bad" or "stupid" encryption system; it's just an example of a company using the laws which protect them to cut a cost corner. After all, if one could trust people to pay for what they watched, they wouldn't need to encrypt the signal at all.
For a bunch of self-styled "engineers", slashdot has a really hard time understanding the basic concept of "fit for purpose".
-- the most controversial site on the Web
I'm wondering why every crypto-geek is analyzing (and so publishing) the flaws of an upcoming standard, which - with those flaws - would allow us to circumvent the protection and watch/listen/... to everything as and how we like it, including the copying and distribution as we did in the long years of our youth with games.
Don't they get it - there is NO ABSOLUTE PROTECTION. And that's good(TM).
Re: 128-bit keys: Do the maths. If attacking the keyspace is your only option, that's 340,282,366,920,938,463,463,374,607,431,768,211,456 keys my friend. That is a Large Number. Let's assume DNET come out with a client that checks 100 thousand keys per second per client, and there are 100 million clients. That's about 38 million times the age of the Universe (~14B) to search half the key space. I repeat, do the maths.
Re: 1024-bit keys: [sigh] That's the size of the prime modulus. When you're counting bits, it is not the same measure of strength as symmetric (eg. RC4, IDEA, Rijndael).
Just because it's an algorithm that could be built by a blind monkey given a typewriter doesn't mean that the crack isn't an analysis.
:)
:)
I'm not disagreeing about its lameness, just claiming that I didn't do a cryptoanalysis.
Also, the slides do elide a few things: the operations occur in the ring of the integers modulo 2^56. This is a ring, not a field, because even numbers do not have multiplicative inverses. You also have to worry about mistakenly assuming that you can construct stronger attacks than are actually provable based on the specification.
Second semester algebra might be pushing it, but I'd agree that just about any junior in math could crack it in about 10 minutes after pointing out the relevant section of the specification.
BTW, the designer is Intel.
..at least, I *think* that's how you spell it...
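The "ring, not a field" remark above is the kind of thing that trips up a naive linear-algebra argument, so here is an added illustration (my own example, not code from the thread or from the HDCP paper) of what happens to a single linear equation a*x = b modulo 2^56: with an odd coefficient it behaves exactly as over a field, with an even coefficient it can have no solution or many. The coefficients used are constructed sample values; only the modulus 2^56 comes from the post.

```python
"""Solving a*x == b in Z/2^56, where only odd residues are invertible.

Added example, not from the Slashdot thread or the HDCP paper. It shows
why the integers modulo 2^56 form a ring rather than a field: gcd(a, 2^56)
is 1 only for odd a, so 'dividing by a' is not always possible and a linear
equation may have 0, 1 or many solutions. Sample coefficients are constructed.
"""
from math import gcd
from typing import Optional, Tuple

MODULUS = 2 ** 56  # the ring named in the post: integers modulo 2^56


def has_inverse(a: int, m: int = MODULUS) -> bool:
    """In Z/2^k an element is a unit exactly when it is odd (gcd with 2^k is 1)."""
    return gcd(a % m, m) == 1


def solve_linear(a: int, b: int, m: int = MODULUS) -> Optional[Tuple[int, int]]:
    """Solve a*x == b (mod m).

    Returns None when there is no solution, otherwise (x0, count) where the
    full solution set is {x0 + t*(m // count) : 0 <= t < count}.  With
    g = gcd(a, m) the equation is solvable iff g divides b, and then it has
    exactly g solutions.  Over a field g would always be 1 (unique answer).
    """
    a %= m
    b %= m
    if a == 0:
        # 0*x == b: every x works if b == 0, otherwise nothing does.
        return (0, m) if b == 0 else None
    g = gcd(a, m)
    if b % g:
        return None  # b is not a multiple of g, so it is not in the image of x -> a*x
    m_red, a_red, b_red = m // g, a // g, b // g
    # After dividing out g, a_red is a unit modulo m_red, so a true inverse exists.
    x0 = (b_red * pow(a_red, -1, m_red)) % m_red
    return (x0, g)


def nth_solution(sol: Tuple[int, int], t: int, m: int = MODULUS) -> int:
    """The t-th solution (0 <= t < count) of a result returned by solve_linear."""
    x0, count = sol
    return x0 + t * (m // count)


def check(a: int, b: int, x: int, m: int = MODULUS) -> bool:
    """Verify that x really satisfies a*x == b (mod m)."""
    return (a * x - b) % m == 0


def demo() -> dict:
    """Three constructed cases contrasting odd and even coefficients."""
    return {
        "odd_coeff_unique": solve_linear(3, 7),       # 3 is a unit: one solution
        "even_coeff_none": solve_linear(2, 1),        # 2*x is always even: no solution
        "even_coeff_two": solve_linear(2, 2),         # x = 1 and x = 1 + 2^55 both work
        "highly_even_many": solve_linear(2 ** 55, 0), # 2^55 solutions, every even x
    }


if __name__ == "__main__":
    for name, sol in demo().items():
        print(name, sol)
```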
Microsoft shares their software with their business experts to find flaws in their business model.
NSA shares their software with their security experts to find flaws in their security model.
You don't think this makes a big difference in the final product?
if you think anyone doing serious work in cryptology uses that layman book, you're fooling yourself. that is the "for dummies" book of crypto.
Um. HDCP is actually a standard being pushed by Intel, among others. It's the standard protection for DVI, which is used for digital cameras, etc. IIRC, they're also pushing it to be the standard video IO for PCs and as well as set-top boxes, there was a big thing on /. (here) about it when the HDCP details were first leaked. So it's about more than digiTV.
This is not quite what it's about.
The purpose is to prevent the consumer from intercepting the signal between the "set-top-box" and the TV, and doing something useful with it like making a digitally perfect copy of the material.
Ensuring payment by the consumer is a mechanism already in place - i mean, you've got the set-top-box, haven't you?
This sig left unintentionally blank.
Stalin and Hitler screwed their academic communities for politics and it nearly ruined them. It can be argued that both geared their artists to propaganda and their science to warfare but failed. Hitler made good weapons for a while, but was unable to develop high altitude long range bombers and nuclear weapons. Stalin had tanks and planes designed from prison. As good as those designs were, they were not as good as the US's. While some of the failure of Soviet agriculture was intentional, who can say what effect Stalin's weird insistence on evolution of individuals had?
Will the US be next? The DMCA is only part of the picture. When you can't say what you think, you can't trust anyone and therefore don't know what to believe ever. If you can't trust your teachers because they are afraid of being fired, what do you really know? Such distrust of your neighbor is central to autocratic control. Beware of people who scoff at things "un-official" and recommend central control.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Haven't you?
Considering Ian Goldberg is probably still a Canadian citizen living in the U.S., he also has to worry about the new anti-terrorism laws.
-no broken link
I think that the fact that the US Congress thinks that the DMCA can be effective in "protecting" the "knowledge" of weak "control" systems such as CSS, eBook and HDCP makes a definite statement about the quality of education in America. When weak mathematics that even a high school student should be able to see the flaws in is used as a "copyright control method," it is made clear that the US would rather treat those with the math skills to solve these trivial artificial restrictions than spend that money on educating more people in the trivial math skills to accomplish the "attack." It makes a sad statement about the future of sciences and technology in America when its own government's idea of "trained thought" is to go to war with mathematical concepts and skills rather than promote them.
Wow, I went to university with Ian Goldberg. Sat behind him in a few classes, but mostly as far away as possible. He was absolutely brilliant - almost frighteningly intelligent. Of course, he was also obnoxious as hell, and had the most incredible freaks as an entourage, so we tended to avoid him. Of course, we probably seemed like freaks to "normal" people too, so we never held it against him.
Glad to see he's still doing well for himself. Go Ian, go!
Let's get together, and all 10,000 of us start to sell crack cocaine in our local neighborhoods. They can't arrest us all, right?
*STUPID*
Hey, I remember you.. You have my email address from the past, or it's easy to find out.
And finding me online is trivial:
http://www.google.com/search?q=Scott+Crosby
Note the first two links.
Reading the document, the crack hinges on collecting a sufficient number of public keys. The solution is obvious:
Ban the sharing of public keys!
Oh, wait...
What in the hell are you talking about!?? You somehow made the leap from talking about Fascists and Dictators to business and capitalists, which I think could not be more wrong.
Capitalists believe in free market society!
They are not the proponents of the recent bills sweeping through Congress! The true fascists are the anti-corporate people. Take for example the Microsoft case: in a truly free society, they would be allowed to thrive or wither in the open market; however the DoJ, anti-corporate whiners, and companies unable to succeed on their own are demanding Microsoft suffer for being better than everyone else!
Your argument that the capitalists are the dictators makes no rational sense to me!
Don't worry, numerous universities offer courses in "Law & Economics" which can cure you of this deficiency.
-- the most controversial site on the Web