HDCP Break Proven

zavyman writes: "I just noticed at Cryptome that the flaws in HDCP posted to Slashdot earlier this year, which one person refused to disclose due to possible threats from the DMCA, have been made public by different authors. Scott Crosby of Carnegie Mellon University, Ian Goldberg of Zero Knowledge Systems, and Robert Johnson, Dawn Song, and David Wagner of UC Berkeley have published a formal cryptanalysis of the High-bandwidth Digital Content Protection System that proves its fatal flaws. Interesting reading for those with some background with cryptanalysis."

Re:Bail money

[trilucid]

One more note: it's sad how this nation (the U.S.) finds locking up scientists for publishing their research acceptable.

If seems awfully close to the practices of the old U.S.S.R. People can call me an extremist all they want for having this view, but many of the Iron Curtain policies don't seem so alien anymore. We lock up scientists, have mass media monopolies that manipulate the masses, and recently massively expanded "police powers" in government. Seems pretty nasty to me. For all those who think the recent intrusions upon civil liberties are "only temporary during our nation's hour of crisis", history shows us differently.

BTW, if you're gonna reply, please be polite. If you're gonna email, use my public key. Thanks.

Side effect

[Jucius+Maximus]

The fact that the original breaker of the code did not want to reveal their specific findings because of the DMCA reveals something interesting that was probably part of the original idea behind the law:

The DMCA aims not only to protect companies who use crappy encryption from hackers, it aims to hide from the general public the potential dangers of using encryption that could have been deliberately made to be crackable. So the government could release some (easily crackable) encryption standard that gets added to a lot of hardware and software but the people won't know that their privacy could be easily violated because it would be illegal to try to crack the system. This then makes people vulnerable.

Perhaps I just thought of something that everyone knows already, but I wanted to voice it nonetheless.

not so unbelievable

[mj6798]

Perhaps they didn't realize it was a linear system. Many cryptosystems are broken when someone figures out "but your incredibly complex system is really mostly just doing X", for some well-known mathematical construct "X". Real cryptographers have made similar mistakes in the dim past, although in 2001, it is perhaps a little late for repeating this particular one.

Re:Bail money

[TGK]

The German philosopher and author, Adorno, had some sage words on this topic. He argued that Facism was the outgrowth of a people with so fragile an ego that they lost the ability to belive in their capability of judging for themselves what was right and wrong. Adorno argues that when this happens we allow demagauges (sp?) to make those judgements for us, and the result is the concentration of an enourmous amount of power in the hands of a very very very few.

His argument can be expanded to deal with almost all forms of oppresive government. Bolshivism, Nazism, Maoism, to say nothing of the numerous military dictatorships the world over (yes, these count too. If the entire country decides that a ruler is just an asshole and that opposition is the only option, he will fall), all of these rely on their implicit ability to define right and wrong.

Are we letting big buisness and other corrupt hyper-capitalist interests define that for us? It's a question left up to history to decide, but I'm not above saying that it scares me sometimes.

Re:He he ... "fabulous work" he said ..

[tftp]

"Good crypto can only be developed in the open where it is subject to formal peer review and detailed scrutiny".

I'm sure everyone in NSA shares your educated opinion.

Most likely, NSA fully subscribes to this idea and promotes peer review of top-secret work. They have plenty of scientists with security clearances for that. If NSA doesn't send a paper for review to me or to you it doesn't mean that someone else, better qualified, doesn't look at it.

Cash registers, not fireproof safes

[streetlawyer]

I don't understand what the big deal is. This standard is not being used to encrypt medical records or nuclear missile codes. It's being used to encrypt digital television signals so that it is possible to charge for them. It's been designed for that purpose and to meet certain standards of simplicity which make it possible to use widely without making devices prohibitively expensive.

For this purpose, it doesn't need to be mathematically valid, any more than a cash register needs to be fireproof and have a 28-digit combination lock. All that a cash register needs is to have a door that closes and stays closed. This means that you can't have things move from the cash register into your pocket by accident.

If there was a vulnerability in the standard which meant that you could access the signals without trying to, that would be bad news. As it is, the signals are only accessible by those who want to consciously make equipment designed for the purpose of veiwing them, which has no legitimate alternative use. In other words, the "crack" of this standard only refers to an attack which is against the laws relating to theft (in this case the DMCA).

This is not a "bad" or "stupid" encryption system; it's just an example of a company using the laws which protect them to cut a cost corner. After all, if one could trust people to pay for what they watched, they wouldn't need to encrypt the signal at all.

For a bunch of self-styled "engineers", slashdot has a really hard time understanding the basic concept of "fit for purpose".