HDCP Break Proven
zavyman writes: "I just noticed at Cryptome that the flaws in HDCP posted to Slashdot earlier this year, which one person refused to disclose due to possible threats from the DMCA, have been made public by different authors. Scott Crosby of Carnegie Mellon University, Ian Goldberg of Zero Knowledge Systems, and Robert Johnson, Dawn Song, and David Wagner of UC Berkeley have published a formal cryptanalysis of the High-bandwidth Digital Content Protection System that proves its fatal flaws. Interesting reading for those with some background with cryptanalysis."
I guess this means we need to start pooling bail money then, huh?
--nbvb
In summary...
Conclusion
HDCP's linear key exchange is a fundamental weakness. We can:
Why do people continue to think they can build a secure system designed to simultaneous distribute data publicly and prevent its distribution?
There are some goals that technology can solve, without anyone doing any enforcement. If I can choose my cryptosystem and key length, I can, with very high confidence, hide the content of my private communications, no matter who is trying to break it, no matter how hard.
It's just that "content protection" is not one of those goals. If I have enough information to show a movie, I also have enough to re-show or rebroadcast it. No matter what the technology involved (assuming I have enough computing power).
Policy makers need to understand this distinction, let technology do its thing where possible, and don't expect it to do much of anything where it's not.
IMHO.
I Can't Believe It's A Law Firm, LLP does not necessarily endorse the contents of this message.
The DMCA aims not only to protect companies who use crappy encryption from hackers, it aims to hide from the general public the potential dangers of using encryption that could have been deliberately made to be crackable. So the government could release some (easily crackable) encryption standard that gets added to a lot of hardware and software but the people won't know that their privacy could be easily violated because it would be illegal to try to crack the system. This then makes people vulnerable.
Perhaps I just thought of something that everyone knows already, but I wanted to voice it nonetheless.
Just in case the original authors' fears are justified, I've mirrored the page here [http://lookingglass.akardam.net/mirrored/hdcp-weakness/hdcp111901.htm for the link wary].
Mirror early, mirror often.
The difference between this and the Felten case is that Felten "cracked" a watermark system, which isn't encryption per se. Stupid, eh?
V.
From a part-time mathematician's perspective (ok, actually a physicist) this was the line that just made my jaw drop. What were they thinking?! If this text is correct, this algorithm may as well have been designed by a high-school student.
As several people have pointed out already, this is really one of the big threats of the DMCA -- that companies will go around using incredibly poor standards like this, and be immune to any pressure to improve their quality because their customers are legally forbidden to ask what they are receiving. It says a great deal about the present legal climate that anyone could get away with a mess like this cryptosystem in a commercial product.
*sigh*
Do you have anything to support this assertion, or only anecdotal evidence of specific crypto systems being cracked? If the latter, do you know for sure whether they were cracked because of (a) inherent weakness in assumptions upon which all cryptography is based, (b) weaknesses in the specific algorithms used, (c) weaknesses in the software architecture surrounding the encryption, or (d) bugs in the implementation? I think you'll find that most "cracks" are either (c) or (d).
So what about my 1024-bit RSA private key?
BTW, "even 128 bit keys" is an empty statement. Number of bits is to key strength as megahertz is to computer speed. You can't compare different crypto algorithms, or different models of CPU, with such numbers alone.
"How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
Your post is slightly off topic, but what the hell. Here we go.
Sorry to say it, but you'd have to have an awful lot of resources to break even a 128-bit encrypted message. As in, more resources than most corporations are prepared to devote to such a task, and more resources than the gov would dedicate without a fairly damned good reason (well, at least a "good reason" in *their* view).
Second, you'd have to have INSANE computing resources to break a 1024-bit or 4096-bit PKI encrypted message. As in, more resources than are practical to assemble in reality these days. Your argument just doesn't hold water. Yes, people who *claim* to use cryptography (when in fact their systems are fundamentally broken/flawed) are setting themselves up for a nasty fall, but folks who use encryption properly are far more immune.
Until, of course, the government decides to arrest folks for using crypto to begin with
I think you may have hit upon a key step in fighting the DMCA: we need to point out that, stripped of all the falderal, it is intended to let manufacturers pass shoddy goods off on us poor consumers.
If only some brave defender of the consumer/voter/masses would come forward to defend us from these cads (say, leading up to an election)...I'll bet the press would love it.
Remember, lobbyists may give money, but they can be sold down the river in a heartbeat if someone comes along offering votes.
-- MarkusQ
Perhaps they didn't realize it was a linear system. Many cryptosystems are broken when someone figures out "but your incredibly complex system is really mostly just doing X", for some well-known mathematical construct "X". Real cryptographers have made similar mistakes in the dim past, although in 2001, it is perhaps a little late for repeating this particular one.
Having a bit of formal training in Math, I'm just speechless. This is not cryptanalysis, this is second semester of Algebra, Quiz question #2.
... blech ... I do not know who designed this, nor am I sure if they even cared to independently evaluate it, but this is incredibly and incomprehensibly lame. It's like using XOR encryption or computing a hash by multiplying bytes.
Public/Private keys
3.243F6A8885A308D313
(This is the author of the slides, BTW)
Intel wanted a scheme that could be implemented in under 10,000 gates. IMHO, the designers were aware of the flaw, though not necessarily of the full impact of the flaw. Some of the attacks are subtle.
There were two versions posted on cryptome, the second (latex2html, much easier to read) omitted this statement the first version had:
`` The attacks on HDCP are neither complicated nor difficult. They are basic linear algebra. Thus, there have been at least 4 independent discoveries of these flaws. The four I know of are my co-authors, Niels Ferguson, Keith Irwin (http://www.angelfire.com/realm/keithirwin/HDCPAttacks.html), and myself (www.cryptome.org/hdcp-weakness.htm). The last two have been available publicly for 3 months and 3 weeks prior to Niels Ferguson's declaration. Niels' declaration and the Sklyarov case were an eye-opener for me and made me fully realize what I had done, and what negative consequences I was in danger of experiencing.
What wrathful gods one risks angering by a 20 minute straightforward application of 40 year old math. This was an accident, not a habit. Like other researchers, I do not want to be smitten and thus do not expect to analyze any more such schemes as long as the DMCA exists in its current form.
(This statement is my own and does not represent the opinions of my co-authors.)''
So, for those of you who watch cryptome, I broke it there about 3 days after it was leaked, 6 months ago. Keith Irwin also put his observations up 3 months ago. All of this predates Sklyarov and Ferguson.
So, this is only the official version of the break, the slides I presented 2 weeks ago.
http://censored.firehead.org:1984/hdcp/crack2/
I broke it over 6 months ago, go look at the cryptome archives, where it's been sitting since May 9th.
:)
I know of at least 4 researchers who have independently discovered the flaws. (See my other slashdot post).
After Sklyarov and Ferguson, I was reluctant to point out that my work had been sitting around on cryptome since May. I suspect Keith Irwin felt similarly.
Niels wasn't the first to go public or even second, though he did raise a wonderful stink.
to make a practically unhackable system.
I've thought over possible designs very carefully, but, given the DMCA, and my lack of a desire to aid, abet, or otherwise supply any support to any of these digital control technology schemes in any way... But, with high confidence, I'd say that you could make something essentially hackproof.
I'll be mum, at least, but I can at least reference two proposed standards for you to read. See www.trustedpc.org (with CPRM hard drives, signed drivers, signed BIOSes, 'trusted windows'), or Microsoft's slides on the topic. Also, see DTCP, there they *did* use real public key crypto.
Read them, but don't try to break them; I don't want you to aid, abet, or otherwise support the digital control freaks in any way.
Scott
This is pretty basic, but for those who don't know, HDCP is the encryption scheme of choice for HDTV video signals. This is fairly huge news that it has been broken since all TVs and broadcasts in the US will supposedly eventually switch to the HDTV standard. Unless they pull a fast one and switch the standard (which would alienate everyone who has already bought expensive HDTV equipment), this means that DMCA or not, people are going to have guaranteed access to plaintext HDTV signals for as long as the standard is in use. Of course, I'm personally hoping that the DMCA is at least re-written, preferably scuttled altogether.
OK, scenario for ya: I work in a small office (25 people) and one of them is a subject of an investigation. When you pick up the phone anywhere in our office, the phone system grabs the next free line. That means that the FBI will be listening to ALL CALLS into and out of our office because this person may be using that phone. The legislation does not limit this! There was a Senator (can't remember the name, can't find it on Google) who had wanted to add that the tap was not allowed to be monitored if the suspect was not on the phone at the time, but this got shot down.
Another question is how often does a suspect use a phone before it's wire-tapped? Should we expect all public to be tapped? If I throw a party and a friend-of-a-friend makes a call or two to order a pizza, should I wonder if my phone is now tapped?
Never never never smoke crack before geometry class!
So what about my 1024-bit RSA private key?
I've always thought that popular encryption schemes were sort of a boon to the people who need to decrypt them - instead of a million differing schemes, there are just a few with just a few differing amounts of 'bitness.' It makes their job so much easier to know that 80% of the people out there are using the same algorithm.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
The conjecture was a method presented as a partial fix for the cryptography product.
It still has admitted failures.
However, it avoids the failures that require the ability of the attacker to spoof valid credentials
Most importantly, it was presented as the underlying method that may be the implementation of another, as yet unavailable, closed standard.
Of course... they should prove that *sarcasm*.
If you do the math you'll see that searching entire 128bit keyspace in a decades time would require the capability to test almost 22^100 keys per second, or roughly 10 million tillion times the computing power of the EFF's DES Cracker
that should read "2^100" and "10 million trillion", in any case, much more processing power than is conceivable in the near future
I'm sure everyone in NSA shares your educated opinion.
Most likely, NSA fully subscribes to this idea and promotes peer review of top-secret work. They have plenty of scientists with security clearances for that. If NSA doesn't send a paper for review to me or to you it doesn't mean that someone else, better qualified, doesn't look at it.
Yeah, but that's exactly the attitude Microsoft has, and look how secure their products are :)
I gots ta ding a ding dang my dang a long ling long
Or rather, what 10 undereducated volunteers could never put together in 10 years, a professional mathematician will do over the course of many months, and then have it reviewed by several more mathematicians over a period of years :)
Sorry for the flamebait, but amateur coders simply cannot reproduce the kind of work that professional cryptography requires.
That's not to say that they cannot go ahead and implement any developed algorithm out there... likely better than most cryptographers could do it... but that's not the same as coming up with the system in the first place.
Living better through chemicals
For this purpose, it doesn't need to be mathematically valid, any more than a cash register needs to be fireproof and have a 28-digit combination lock. All that a cash register needs is to have a door that closes and stays closed. This means that you can't have things move from the cash register into your pocket by accident.
If there was a vulnerability in the standard which meant that you could access the signals without trying to, that would be bad news. As it is, the signals are only accessible by those who want to consciously make equipment designed for the purpose of viewing them, which has no legitimate alternative use. In other words, the "crack" of this standard only refers to an attack which is against the laws relating to theft (in this case the DMCA).
This is not a "bad" or "stupid" encryption system; it's just an example of a company using the laws which protect them to cut a cost corner. After all, if one could trust people to pay for what they watched, they wouldn't need to encrypt the signal at all.
For a bunch of self-styled "engineers", slashdot has a really hard time understanding the basic concept of "fit for purpose".
-- the most controversial site on the Web
Just because it's an algorithm that could be built by a blind monkey given a typewriter doesn't mean that the crack isn't an analysis.
:)
:)
I'm not disagreeing about its lameness, just claiming that I didn't do a cryptanalysis.
Also, the slides do elide a few things: the operations occur in the ring of the integers modulo 2^56. This is a ring, not a field, because even numbers do not have multiplicative inverses. You also have to worry about mistakenly assuming that you can construct stronger attacks than are actually provable based on the specification.
Second semester algebra might be pushing it, but I'd agree that just about any junior in math could crack it in about 10 minutes after pointing out the relevant section of the specification.
BTW, the designer is Intel.
Want to read the DMCA again please?
You are allowed to hack the system and prove that it is broken (by showing exactly where the flaw is etc..) - but you cannot use the resulting crack for profit...
Enter ElcomSoft - they found a flaw in Adobe's eBook and made money from this hack by using it to make a "backup" program so you can "backup" your eBooks and in this case - the DMCA is right...
Let's be honest here - DMCA is a draconian law, but let's also be real here - Go read Adobe's statements, DMCA statements and other statements - if you're hacking in order to prove to the world there is something wrong with the protection - then no one will sue you (did you see MS suing the guy who showed the flaw in their password? I didn't, what about the numerous flaws in HotMail? I didn't see them chasing those guys either)...
Hetz (Heunique)
Security by obscurity may or may not be effective - depends on who is trying to read your mail and how much time/money/effort they want to spend. In general I'm glad not to have to rely on it. Picking a weak but obscure crypto algorithm is a bad idea. (No pun intended, IDEA is neither weak nor obscure.)
RSA has stood the test of time - it has probably been through more hours of cryptanalysis by qualified professionals than almost any other algorithm, and nobody has found a serious flaw in it yet. Could it be cracked tomorrow? ("Cracked" in the practical rather than the academic sense.) Yes, but I'd bet serious money against it.
Now ... if 80% of the world used the same program to produce their RSA-encrypted e-mail, that's when it's time to worry. Because I have a lot less confidence in an individual program being bug-free than I do in RSA itself being secure. That's where the famous software monoculture (i.e. "everyone runs Microsoft Outlook in 1999, ergo Melissa", or "everyone runs Sendmail in 1988, ergo Morris worm") problem lies.
I have only one consolation... web searches for "Scott Crosby" reveal pictures of a strange man in drag. My embarrassment will be your own!
-- Minds are like parachutes... they work best when open.
This is not quite what it's about.
The purpose is to prevent the consumer from intercepting the signal between the "set-top-box" and the TV, and doing something useful with it like making a digitally perfect copy of the material.
Ensuring payment by the consumer is a mechanism already in place - I mean, you've got the set-top-box, haven't you?
This sig left unintentionally blank.
Stalin and Hitler screwed their academic communities for politics and it nearly ruined them. It can be argued that both geared their artists to propaganda and their science to warfare but failed. Hitler made good weapons for a while, but was unable to develop high altitude long range bombers and nuclear weapons. Stalin had tanks and planes designed from prison. As good as those designs were, they were not as good as US. While some of the failure of Soviet agriculture was intentional, who can say what effect Stalin's weird insistence on evolution of individuals had?
Will the US be next? The DMCA is only part of the picture. When you can't say what you think, you can't trust anyone and therefore don't know what to believe ever. If you can't trust your teachers because they are afraid of being fired, what do you really know? Such distrust of your neighbor is central to autocratic control. Beware of people who scoff at things "un-official" and recommend central control.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
There was a story a couple days ago about IBM's crypto box being broken. That was broken by tricking the box to use a weak 3DES key which was equivalent to a 1DES key and brute forcing that.
The bruteforcing took 2 days on a sub $2000 FPGA running their published wiring schema.
Significantly cheaper than the EFF's machine, but then time does march on.
Don't you think that it might just be possible that the NSA was fully aware of the flaws in their products, and was hoping that their standards would be widely adopted before anyone found out that they were peddling snake oil?
All cryptosystems boil down to trust. NSA can never be blindly trusted to give the general public a cryptosystem that they cannot themselves defeat. History bears this pattern out -- for example, NSA (and/or its predecessor) flogged off Enigma machines to foreign governments and big businesses after WWII, touting them as "secure". Of course we now know that Enigma had been completely defeated by that time -- NSA and their British counterparts could break it, but (presumably) no one else could. NSA has no incentive whatsoever to promote or endorse a cryptosystem that they cannot defeat; any cryptosystem that they DO endorse must automatically be held suspect.
Also we must remember that just because there is no KNOWN (unclassified) attack on a particular cypher, that does not mean that NSA doesn't have an attack that hasn't been publicly re-discovered yet: there's substantial evidence that suggests NSA had developed differential cryptanalysis at least a decade before the technique was published openly.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
Security by obscurity may or may not be effective - depends on who is trying to read your mail and how much time/money/effort they want to spend.
Agreed.
The point I was trying to make was that because people use the same algorithm, it's easy to just throw computing resources at a decryption problem. If everybody used ad-hoc encryption, a little rot13 here, a mix of RSA on top of that, followed by some botched LZW compression - then you would have to throw human resources at the problem, and that gets expensive.
Because RSA is perceived to be almost perfect, nobody uses one time pads - and that would really piss off the powers that be. RSA.
Considering Ian Goldberg is probably still a Canadian citizen living in the U.S., he also has to worry about the new anti-terrorism laws.
-no broken link
I don't remember offhand whether Rivest, Shamir or Adleman had their PhDs in 1977, but I don't think that the RSA algorithm was "amateur" cryptography. It was certainly professional-level research work, done at MIT under government grants. Pioneering work is not necessarily amateur.
The only real example I've seen of good amateur cryptography was from the Irish student a few years back. I think the jury's still out on that one though, and she was still a student of mathematics.
The point I was trying to make was that amateur coders simply cannot come up with good crypto, no matter how good their hacking skills. Amateur mathematicians, on the other hand, might get lucky.
And no, being a "professional" doesn't mean anything, but having your work survive the sort of peer review that cryptographic algorithms are subjected to usually does.
Let's get together, and all 10,000 of us start to sell crack cocaine in our local neighborhoods. They can't arrest us all, right?
*STUPID*
Hey, I remember you.. You have my email address from the past, or it's easy to find out.
And finding me online is trivial:
http://www.google.com/search?q=Scott+Crosby
Note the first two links.
Reading the document, the crack hinges on collecting a sufficient number of public keys. The solution is obvious:
Ban the sharing of public keys!
Oh, wait...
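The two technical points in this thread, that the attack is "basic linear algebra" over the ring Z/2^56 (where even elements have no inverse) and that it "hinges on collecting a sufficient number of public keys", can be illustrated with a small constructed example. The code below is an added illustration, not code from the paper or from any poster: the toy "selector/secret" scheme is an assumption in the spirit the thread describes, not HDCP's actual key schedule, and the solver shows why a linear key derivation over Z/2^k is pinned down exactly by enough observations while also honouring the ring-not-field caveat (pivots must be odd).

```python
import random

MOD_BITS = 56            # the thread says the operations live in Z/2^56
MOD = 1 << MOD_BITS


def inverse_mod_2k(a, mod=MOD):
    """Multiplicative inverse of a in Z/2^k, or None when a is even.
    Even elements are not units in this ring, which is why it is a ring
    and not a field."""
    a %= mod
    if a % 2 == 0:
        return None
    return pow(a, -1, mod)


def solve_mod_2k(rows, rhs, mod=MOD):
    """Gauss-Jordan elimination over Z/2^k for a square system rows*x = rhs.
    Every pivot must be odd (a unit); if some column offers no odd pivot the
    matrix is singular mod 2, hence not invertible mod 2^k, and None is
    returned (the system may still have solutions, just not a unique one)."""
    n = len(rows)
    a = [list(r) + [b] for r, b in zip(rows, rhs)]
    for col in range(n):
        piv = next((i for i in range(col, n) if a[i][col] % 2 == 1), None)
        if piv is None:
            return None
        a[col], a[piv] = a[piv], a[col]
        inv = inverse_mod_2k(a[col][col], mod)
        a[col] = [(x * inv) % mod for x in a[col]]
        for i in range(n):
            if i != col and a[i][col]:
                f = a[i][col]
                a[i] = [(x - f * y) % mod for x, y in zip(a[i], a[col])]
    return [a[i][n] for i in range(n)]


def shared_key(secret, selector, mod=MOD):
    """Constructed toy scheme (an assumption, not HDCP): the agreed key is
    the sum mod 2^56 of the secret words picked out by the other side's
    public 0/1 selector vector. Linear in the secret, which is the whole problem."""
    return sum(s for s, bit in zip(secret, selector) if bit) % mod


def recover_secret(observations, mod=MOD):
    """Each (selector, key) observation is one linear equation in the secret
    words, so n independent observations determine the secret exactly."""
    rows = [sel for sel, _ in observations]
    rhs = [key for _, key in observations]
    return solve_mod_2k(rows, rhs, mod)


def demo(n=8, seed=1):
    """Generate a random toy secret, observe n (selector, key) pairs, and
    check that linear algebra alone recovers the secret. Returns True/False."""
    rng = random.Random(seed)
    secret = [rng.randrange(MOD) for _ in range(n)]
    while True:
        observations = [
            (sel, shared_key(secret, sel))
            for sel in ([rng.randrange(2) for _ in range(n)] for _ in range(n))
        ]
        recovered = recover_secret(observations)
        if recovered is not None:     # singular selector sets are retried
            return recovered == secret


if __name__ == "__main__":
    print("even element invertible?", inverse_mod_2k(6) is not None)
    print("secret recovered from linear observations:", demo())
```

Roughly 29% of random 0/1 selector sets are singular mod 2, which is exactly the "sufficient number of public keys" condition: you need enough linearly independent observations, not just enough observations.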
Don't worry, numerous universities offer courses in "Law & Economics" which can cure you of this deficiency.