Slashdot Mirror


Making and Breaking HDCP Handshakes

Cadre writes "Ed Felten describes the handshaking routine used by HDCP and how if any 40 devices conspire together, they can break the security of the system."

8 of 144 comments

  1. Cool, but not practical by pla · · Score: 1, Insightful
    if any 40 devices conspire together, they can break the security of the system

    From TFA:
    it takes a conspiracy of about forty devices, with known private vectors, to break HDCP completely. But that is eminently doable, and it's only a matter of time before someone does it.
    Apparently Mr. Felten has a somewhat twisted idea of "eminently doable".


    The HDCP CA will certainly only give out keys to people who sign very very scary agreements not to engage in exactly the sort of activities described. While a few of them might "accidentally" leak their keys, I find it exceedingly unlikely that 40 such companies will pay for a key vector, just to take the risk of getting sued out of existence.


    Though I have to wonder about the actual security of these keys under the condition of physical access. That point might make Felten's proposed crack viable, if we just need to find a weakness in 40 devices out of the thousands that will eventually hit the market - ESPECIALLY if player software needs to have a valid key as well.



    I also wonder why we need to "know" even one, much less 40, secret keys beforehand, however... It doesn't sound like you need to come up with the correct answer to get a single response. If you faked 40 devices, couldn't you still get the target device to respond at least once to each, thereby getting the necessary 40 unknowns? Sure, this would reduce to 40 instances of cracking a 56(?) bit key, but a modern PC can brute-force that in under a day.
    1. Re:Cool, but not practical by Anonymous Coward · · Score: 2, Insightful
      I find it exceedingly unlikely that 40 such companies will pay for a key vector, just to take the risk of getting sued out of existence.
      According to the article, keys are being sold in quantities of 10000, which makes it sound like each physical device has its own unique key. If this is the case, then one not-quite-tamper-proof production run of some player will yield more than enough keys for the attack to be practical.
  2. Exactly. Ed's math is borked. by goombah99 · · Score: 2, Insightful

    I had exactly the same thought. I think this attack may fail. Or rather not be as immediately successful as imagined. Ironically, the fatal flaw is contained in the same algebra mistake made in the original post.

    In order to prevent this attack from being done easily, the central authority could deliberately hand out linearly dependent addition vectors to any company that applies. For example, suppose a company applies for 10,000 keys. The central authority gives them 10,000 keys and 10,000 addition vectors. But the addition vectors are all crammed into the first 14 or 15 bits of the 40 bit addition vector. (that is bits 16 to 40 are zero). This would assure that the addition vectors are linearly dependent and the code cannot be cracked.

    In effect the 10,000 keys are hobbled to representing no more than 15 independent keys, not the requisite 40 to crack this.

    Thinking even more globally, the central authority could reserve say the last 10 bits of the addition vector, so that all devices manufactured from 2008 to 2010 never used the last 10 bits. Then all devices manufactured from 2010 to 2012 always used the 31st bit but none of the last 9. Then in 2013-2014, all devices always use the 32nd bit but none of the last 8. And so on.

    Thus they can prevent anyone from collecting all 40 so far into the future that they can assure that any crack that works this year will fail on all new devices.

    Of course, the hackers only need to stay on the ball and update their hacks as they can. But it's going to take a very large conspiracy among multiple companies to collect a large enough set of addition vectors to crack this.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  3. Here's what will happen by Omaze · · Score: 2, Insightful

    Someone will connect an oscilloscope to the wire(s) that connect(s) the devices and reverse engineer the communications signal. They will then construct a custom breadboard able to talk to any HDCP device while being able to impersonate a device with a programmable HDCP vector/rule. With a link (ethernet or serial) to any modern day PC they'll just brute force it.

    It won't be difficult.

    --
    The government itself is not stealing your liberties. Their new programs are enabling criminals who will.
    1. Re:Here's what will happen by tadmas · · Score: 2, Insightful
      Someone will connect an oscilloscope to the wire(s) that connect(s) the devices and reverse engineer the communications signal.

      There is no need to do this -- the signal itself would have to be according to some kind of standard or else a brand X DVD player couldn't work with a brand Y television. Just look up the communications protocol.

      With a link (ethernet or serial) to any modern day PC they'll just brute force it.

      Riiiiight. The DVD's addition rule is [1]+[3] and the TV's is [6]+[17]. What's our secret key? It could be 24 (7+17 and 9+15) or 57 (17+40 and 56+1) or 29387 (12412+16975 and 19280+10107).... Each is equally likely, so yes you could brute force it, but if the actual keys are big enough, it would take a Really Long Time to do it. This is the idea behind just about all forms of modern encryption; they can be broken by brute force, but it takes so long it's not worth it.

      Could this be broken on a modern PC? Assuming you could easily verify that you got the unencrypted form and the secret keys are 17 decimal digits, then on average it would take you 5e17 guesses to brute force it. If you assume checking 1,000,000 per second, that's 5e11 seconds > 15844 years. Don't hold your breath.

      This is why the attack in TFA is useful. Instead of having to try billions of possible keys, you can algebraically figure out a secret vector, so then cracking the encryption is a simple elementary school addition problem. Solving a set of linear equations to get the secret vector can be done in slightly less than thousands of years.

      It won't be difficult.

      Yes, it will. That's just like saying "cracking RSA is super-easy because it's just finding the prime factors of a number!!!!!!!11!!1one" So, why can't anyone with a modern PC bring RSA to its knees? After all, when you publish your public key, you're also publishing your private key, too.... if someone can figure out the factors of your modulus. You can just brute force it -- it won't be difficult.

  4. Re:Why Reveal this Now? by Anonymous Coward · · Score: 1, Insightful

    As others have pointed out, the attack is not new. What HDCP does is *not* protect content (at least, not seriously)... it forces the makers of consumer electronics to sign legal agreements with Intel, and more critically with the MPAA... and these legal agreements dictate what features the manufacturers can add. If you want to sell players legally, you have to make them the way you are told... not the way the consumer wants.

    It's about control, not copy protection (can't fast forward through adverts etc etc)... and getting your sticky royalty grabbing fingers into the equipment pie.

  5. IT'S NOT ABOUT PIRACY! by nagora · · Score: 5, Insightful
    This stuff, just like region encoding, is about price-fixing. That's why the security is crap: its only purpose is to prevent the 99.99% of consumers who will never crack even a trivial encryption from recording a TV programme instead of going out and buying the HDDVD of the series later in the year. That keeps the price of those DVD's up and that's all this is about.

    It used to be called "a cartel" and it used to be illegal.

    TWW

    --
    "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
  6. Apparently this is easy. by mozu · · Score: 2, Insightful

    The solution is easy according to an anonymous physicist. I showed him the problem and it took him 2 min to do this. He laughed when I told him this is a multi-billion dollar cipher system.

    If (no. of eqns.) >= (no. of variables), the equations are solvable.

    Given

    x1 + x2 = 33    (1)
    x2 + x4 = 18    (2)
    x1 + x3 = 41    (3)
    x2 + x3 = 24    (4)

    Rearrange (4)
    --> x2 = 24 - x3    (5)

    Sub (5) into (1)
    x1 + ( 24 - x3 ) = 33
    x1 - x3 = 33 - 24
    x1 - x3 = 9    (6)

    (6) + (3) --> 2(x1) + 0 = 9 + 41
    2(x1) = 50
    x1 = 25    (7)

    Sub (7) into (1) --> 25 + x2 = 33
    x2 = 8    (8)

    Sub (8) into (2) --> 8 + x4 = 18
    x4 = 10

    Sub (8) into (4) --> 8 + x3 = 24
    x3 = 16

    Summary
    -->
    x1 = 25
    x2 = 8
    x3 = 16
    x4 = 10

    Apparently any 1st year maths student can do this. This is not the best method however and using a matrix to solve for lambda is the best way, so he says. By the way it took me about 2 hours brute forcing it by logical trial and error using pen and paper.
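
Added example (not part of the thread or of Felten's article): a toy model of the handshake that ties together the linear solve in the comments by tadmas and mozu and the linear-dependence argument made by goombah99. It assumes the authority derives each secret vector from a symmetric secret matrix (Blom's scheme), shrinks the vectors from 40 entries to 4, and uses a prime modulus instead of 56-bit addition so that plain Gaussian elimination applies; all names and keys are constructed.

```python
# Assumptions: N=4 (HDCP: 40), prime modulus P (HDCP: 56-bit sums), constructed keys.
P, N = 65521, 4
# Constructed symmetric secret matrix held by the key authority (Blom-style).
S = [[3, 1, 4, 1], [1, 5, 9, 2], [4, 9, 6, 5], [1, 2, 5, 8]]

def issue(rule):
    """Authority: the secret vector for a public addition rule is S * rule mod P."""
    return [sum(S[i][j] * rule[j] for j in range(N)) % P for i in range(N)]

def shared_key(my_secret, peer_rule):
    """Device: add the secret-vector entries selected by the peer's rule."""
    return sum(s * r for s, r in zip(my_secret, peer_rule)) % P

def solve_mod_p(rules, target):
    """Solve sum(c[k]*rules[k]) == target mod P; None if target is outside the span."""
    n = len(rules)
    # Augmented matrix: one column per known rule, last column is the target.
    M = [[rules[k][i] for k in range(n)] + [target[i]] for i in range(N)]
    pivots, row = [], 0
    for col in range(n):
        p = next((r for r in range(row, N) if M[r][col]), None)
        if p is None:
            continue  # this rule adds nothing new (linearly dependent)
        M[row], M[p] = M[p], M[row]
        inv = pow(M[row][col], -1, P)
        M[row] = [x * inv % P for x in M[row]]
        for r in range(N):
            if r != row and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * b) % P for a, b in zip(M[r], M[row])]
        pivots.append(col)
        row += 1
    if any(M[r][n] for r in range(row, N)):
        return None  # inconsistent system: target lies outside the span
    c = [0] * n
    for r, col in enumerate(pivots):
        c[col] = M[r][n]
    return c

def forge_secret(leaked, target_rule):
    """Combine leaked (rule, secret) pairs into the target rule's secret vector."""
    c = solve_mod_p([rule for rule, _ in leaked], target_rule)
    return None if c is None else [
        sum(ck * sec[i] for ck, (_, sec) in zip(c, leaked)) % P for i in range(N)]

A, B, C, D, T = [1,1,0,0], [0,1,1,0], [0,0,1,1], [1,0,1,0], [1,0,0,1]  # constructed
LEAKED = [(r, issue(r)) for r in (A, B, C, D)]           # independent rules
HOBBLED = [(r, issue(r)) for r in (A, B, D, [1,1,1,0])]  # 4th position never used

if __name__ == "__main__":
    print(forge_secret(LEAKED, T) == issue(T), forge_secret(HOBBLED, C))  # True None
```

The leaked set with independent rules reproduces the secret vector the authority would issue for T, while the set whose rules never touch the fourth position cannot reach a rule that does, which is the rank condition a key authority or auditor would check over the rules already in the field.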