Also - anyone thinking the 40 'conspiring' devices makes it impractical to break HDCP/HDMI - think again. It just means 40 (or less) like minded hackers have to get together - not particularly hard to imagine these days.
-- There are shills on slashdot. Apparently, I'm one of them.
But I don't have room for the forty big-screen TVs.
-- Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
Re:I would do it
by gEvil (beta) · Score: 4, Funny
That's okay. You can store them here at my place.
-- This guy's the limit!
Re:Where did you get 40?
by Anonymous Coward · Score: 2, Informative
From TFA:
In the real system, where the secret vectors have forty entries, not four, it takes a conspiracy of about forty devices, with known private vectors, to break HDCP completely. But that is eminently doable, and it's only a matter of time before someone does it. I'll talk next time about the implications of that fact.
Four was an example for the article.
A little tougher than that...
by weetjerm · Score: 5, Interesting
His attack methodology is correct, but it will take more than 40 devices to break the system. The chances are very low of all 40 devices being linearly independent, and therefore each one offering non-duplicate information about the system. If you read the comments, he actually inadvertently ran into this problem with his small example of 4 keys.
However, in writing this, I realize that I do not know how many keys you would need to present a good probability of solving the system of equations. Anyone want to run a simulation?
Re:A little tougher than that...
by Maljin Jolt · Score: 4, Informative
Anyone want to run a simulation?
No funny simulation is needed, a math paper referred to by TFA contains the info you want: 50 KSV's have probability 0.999, by the properties of linear algebra over Z/2exp56Z.
-- There you are, staring at me again.
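The simulation asked for in the exchange above, as an added example that is not part of the thread or of the paper it cites. It assumes a simplified model in which every device's 40-bit addition rule is drawn uniformly at random (real key selection vectors may be more constrained); 0/1 vectors generate everything modulo 2^56 exactly when their rank modulo 2 is 40, so the rank is computed over GF(2).

```python
import random

N = 40  # entries in the secret vector / bits in an addition rule, per the thread


def gf2_rank(rows):
    """Rank over GF(2) of vectors packed into Python ints (one bit per entry)."""
    basis = {}  # position of leading 1 -> reduced vector with that leading bit
    for v in rows:
        while v:
            top = v.bit_length() - 1
            if top not in basis:
                basis[top] = v      # new independent direction
                break
            v ^= basis[top]         # eliminate the leading bit and keep reducing
    return len(basis)


def exact_full_rank_probability(k, n=N):
    """P(k uniformly random n-bit vectors have rank n) = prod_{i=k-n+1..k} (1 - 2^-i)."""
    if k < n:
        return 0.0
    p = 1.0
    for i in range(k - n + 1, k + 1):
        p *= 1.0 - 2.0 ** -i
    return p


def simulated_full_rank_probability(k, trials, rng, n=N):
    """Monte Carlo estimate of the same probability (assumed uniform model)."""
    hits = 0
    for _ in range(trials):
        rules = [rng.getrandbits(n) for _ in range(k)]
        if gf2_rank(rules) == n:
            hits += 1
    return hits / trials


def min_devices_for(target, n=N):
    """Smallest number of devices whose rules are independent with probability >= target."""
    k = n
    while exact_full_rank_probability(k, n) < target:
        k += 1
    return k


if __name__ == "__main__":
    rng = random.Random(2006)  # fixed seed so the run is repeatable
    print("devices  exact     simulated")
    for k in (40, 42, 45, 50):
        exact = exact_full_rank_probability(k)
        sim = simulated_full_rank_probability(k, 2000, rng)
        print(f"{k:7d}  {exact:.6f}  {sim:.4f}")
    print("devices needed for 0.999:", min_devices_for(0.999))
```

Under this model exactly 40 devices succeed a little under 29% of the time, and 50 devices are the fewest that reach the 0.999 figure quoted above.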
Why Reveal this Now?
by PingXao · Score: 2, Interesting
As a poster said at TFA, why did they reveal this attack so soon? It would have been much better to wait another few months until HDCP displays and video cards were shipping in larger numbers. That being said, who comes up with these lame cryptosystems anyway? First CSS, which was a joke, now this, and you know the Advanced CSS will have holes in it big enough to drive a truck through. The bad news is that some day they will start hiring people who know what they're doing with cryptosystems and then we're all screwed.
Re:Why Reveal this Now?
by Anonymous Coward · Score: 5, Interesting
The bad news is that some day they will start hiring people who know what they're doing with cryptosystems and then we're all screwed.
Rather unlikely. The whole concept of DRM is bankrupt as a cryptographic concept because you are handing over the ciphertext, the plaintext and last but not least the key over to your adversary (usually called "consumer" or "hacker"). Sure you can try to make it hard for him to actually get them but you already handed them over and it just remains a question of time until they are recovered. Meanwhile, a single break is a class break for at least all the content released up to the point of the break (even with "revokable" keys). Also, once someone has broken the system once, the content is freed forever and can be distributed at leisure (darknet hypothesis), which means even some small quality loss may be acceptable to the attacker since that loss would only occur once.
No, it's 40, not 4
by Space cowboy · Score: 4, Informative
In real life the devices have a vector of 40 secret numbers, he's using a vector of 4 to illustrate without bogging down the reader.
The key is that with N variables (the number of different numbers in the vector), you need N equations to solve the set of equations for all of those variables - it's simple linear algebra.
When you purchase a licence, you get a bunch of 10000 keys for $16000, so S.O.Mebody could use this within an organisation to analyse the generation matrix, and actually produce 40 new keys and release them to the wild. No comeback.
Simon
-- Physicists get Hadrons!
In a related question...
by dpilot · Score: 2, Interesting
I was checking the Sunday advertising fliers this morning, and see that many of the new TVs are advertising HDMI as well as PC connections. Can someone please explain my limitations?
1: Can I hook up my current VGA or DVI to one of these, and display the content I can currently display?
2: Is the only limitation/constraint the new HD/BlueRay DVDs with "double-plus-good super-duper copy-protection, put there to protect me AND the children"?
3: Related to both, assume I have MythTV running with an HD capture card. (I don't yet, but plan to, before they become illegal. What's the latest status?) Can I run my captured content out through one of these new displays?
-- The living have better things to do than to continue hating the dead.
Re:In a related question...
by nsayer · Score: 4, Informative
1. There are HDMI to DVI cables. The only question mark is the type of DVI your card uses. There are 3 types, depending on which sets of signals the jack has: DVI-A, DVI-D and DVI-I. HDMI is all digital, but it's backwards compatible with DVI-D (DVI-I is a combination of both A and D - analog and digital). So unless your card is DVI-A, you should be able to use a DVI-to-HDMI cable to hook up your display. You will need to make separate arrangements for audio, however, since DVI (unlike HDMI) has no provisions for it.
This does presume that the card is able to put out a mode/timing that's compatible with the set, of course.
2. What you're probably talking about is the requirement that non HDCP-hardened outputs from HD players are supposed to be down-resed to 480p (or whatever). I don't know for certain, but I'm willing to bet that this is not an absolute requirement, but that there's a bit that the disk can set to require this behavior. Not all studios or titles will make the decision to flip that bit on on their content, and I'd certainly expect them not to bother until/unless the technology to take DVI-B and rip it to MPEG4 becomes widespread. Unlike macrovision on analog outputs, which largely went unnoticed with DVDs, this bit does threaten to have a real impact on folks, so I would expect a site to pop up relatively shortly with a list of disks "not to buy" unless you have HDCP. The industry might even respond with a standardized icon on the box whose meaning is "HDCP required for full resolution."
The other obvious restriction is that the HD media is itself encrypted, so when HD-DVD-ROM drives come out, you won't be able to read the data off of them (except in the context of an HD-DVD movie player app), at least not until it's reverse engineered and cracked like DVDs were.
3. I may be wrong, but I am unaware of any HD video capture cards. There are HD tuner cards/boxes out there that will do HDTV, but they're decoding the RF from a TV station and getting MPEG2 streams. That's not the same thing as ripping 1080i from a DVI connector and turning THAT into MPEG2. Even if that were possible, the original source (HDTV, HD-DVD, DVD, whatever) was probably compressed in the first place, so you'll be recompressing it, which will degrade the picture some (more).
Re:In a related question...
by frzndrag · Score: 3, Interesting
HDMI compliance is not required, you just need a DVI to HDMI is just a rework of the DVI cable to allow for easier consumer connections and include audio. from http://www.ramelectronics.net/ "HDMI - Digital connection for Video and 8-channels of Digital Audio as well as device control features. Electronically better potential for supporting longer cable lengths than DVI for digital video. Specification supports up to 12 bit Y-Pr-Pb video (rarely implemented on equipment) as opposed to 8 bit limit of DVI RGB." I've used them before for other AV media conversion products and they make pretty good stuff.
also see the HDMI FAQ at http://www.hdmi.org/about/faq.asp which states "Is HDMI backward-compatible with DVI (Digital Visual Interface)? Yes, HDMI is fully backward-compatible with DVI using the CEA-861 profile for DTVs. HDMI DTVs will display video received from existing DVI-equipped products, and DVI-equipped TVs will display video from HDMI sources."
Re:Cool, but nor practical
by Anonymous Coward · Score: 2, Insightful
I find it exceedingly unlikely that 40 such companies will pay for a key vector, just to take the risk of getting sued out of existence.
According to the article, keys are being sold in quantities of 10000, which makes it sound like each physical device has its own unique key. If this is the case, then one not-quite-tamper-proof production run of some player will yield more than enough keys for the attack to be practical.
One thing I hate worse ...
by Midnight Thunder · Score: 2, Interesting
There is one thing I hate worse than this DRM (Draconian Rights Management) crap: region encoding. DRM only affects me if I want to make a backup or play a disk I bought with Linux. Now if I buy a disk in Europe and want to play it in Canada it is not doable, officially. Unofficially I have to get a DVD player with a backdoor, or a PC DVD player with the Firmware hacked or rip the DVD - all this for a DVD I bought legitimately!?
And then there is something that scares me: how unaware of this many people I speak to are, even some people working in IT!
-- Jumpstart the tartan drive.
Exactly. Ed's math is borked.
by goombah99 · Score: 2, Insightful
I had exactly the same thought. I think this attack may fail. Or rather not be as immediately successful as imagined. Ironically, the fatal flaw is contained in the same algebra mistake made in the original post.
In order to prevent this attack from being done easily, the central authority could deliberately hand out linearly dependent addition vectors to any company that applies. For example, suppose a company applies for 10,000 keys. The central authority gives them 10,000 keys and 10,000 addition vectors. But the addition vectors are all crammed into the first 14 or 15 bits of the 40 bit addition vector. (that is bits 16 to 40 are zero). This would assure that the addition vectors are linearly dependent and the code cannot be cracked.
In effect the 10,000 keys are hobbled to representing no more than 15 independent keys, not the requisite 40 to crack this.
Thinking even more globally, the central authority could reserve say the last 10 bits of the addition vector, so that all devices manufactured from 2008 to 2010 never used the last 10 bits. then all devices manufactured from 2010 to 2012 always used the 31st bit but none of the last 9. Then in 2013-2014, all devices always use the 32nd bit but none of the last 8. and so on.
thus they can prevent anyone from collecting all 40 so far into the future that they can assure that any crack that works this year will fail on all new devices.
Of course, the hackers only need to stay on the ball and update their hacks as they can. But it's going to take a very large conspiracy among multiple companies to collect a large enough set of addition vectors to crack this.
-- Some drink at the fountain of knowledge. Others just gargle.
One attack in many
by bhima · Score: 4, Interesting
Wow so many folks sort of missed the point here...
Felten's description of the weaknesses of HDCP handshakes is of only one potential attack. Combined with other attacks and it's entirely possible that a group effort could crank out new secret vectors faster than the M.A.F.I.A.A. could revoke known compromised ones.
For example: If more was known (than I know) about the encryption algorithm used (AKA "the hdcpRngCipher") work could be started on creating dense & smart Time-Memory Trade-Off tables. This is a non-trivial task involving tens of thousands of CPU hours... a perfect thing for a validating distributed computing application (oh. this. has. so. been. done. before).
Also a HDMI repeater or splitter isn't very far from being a sniffer... I think all it lacks is a little I2C to USB help. This, the tables above, & a HDCP device will net you all the vectors you need to employ Felten's attack. Once one set has been compromised and the methodology worked out it's just a matter of turning the crank to get more and potentially very, very quickly.
The utility of these attacks goes well beyond being able to view 1080p on a non-HDCP device... one could render revocation useless by attacking high-end components sold by M.A.F.I.A.A. members (i.e. Sony). This eventually must lead hardware devices running out of un-revoked vectors and becoming inoperable... an untenable situation for the M.A.F.I.A.A.
Now, if such a concerted attack is organized on the hi-def media... I feel that we will be right where we are now... a reasonably astute person can watch any DVD wherever they want and they can retain a backup of that media in a format of their choosing.
-- Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
Here's what will happen
by Omaze · Score: 2, Insightful
Someone will connect an oscilloscope to the wire(s) that connect(s) the devices and reverse engineer the communications signal. They will then construct a custom breadboard able to talk to any HDCP device while being able to impersonate a device with a programmable HDCP vector/rule. With a link (ethernet or serial) to any modern day PC they'll just brute force it.
It won't be difficult.
-- The government itself is not stealing your liberties. Their new programs are enabling criminals who will.
Re:Here's what will happen
by tadmas · Score: 2, Insightful
Someone will connect an oscilloscope to the wire(s) that connect(s) the devices and reverse engineer the communications signal.
There is no need to do this -- the signal itself would have to be according to some kind of standard or else a brand X DVD player couldn't work with a brand Y television. Just look up the communications protocol.
With a link (ethernet or serial) to any modern day PC they'll just brute force it.
Riiiiight. The DVD's addition rule is [1]+[3] and the TV's is [6]+[17]. What's our secret key? It could be 24 (7+17 and 9+15) or 57 (17+40 and 56+1) or 29387 (12412+16975 and 19280+10107).... Each is equally likely, so yes you could brute force it, but if the actual keys are big enough, it would take a Really Long Time to do it. This is the idea behind just about all forms of modern encryption; they can be broken by brute force, but it takes so long it's not worth it.
Could this be broken on a modern PC? Assuming you could easily verify that you got the unencrypted form and the secret keys are 17 decimal digits, then on average it would take you 5e17 guesses to brute force it. If you assume checking 1,000,000 per second, that's 5e11 seconds > 15844 years. Don't hold your breath.
This is why the attack in TFA is useful. Instead of having to try billions of possible keys, you can algebraically figure out a secret vector, so then cracking the encryption is a simple elementary school addition problem. Solving a set of linear equations to get the secret vector can be done in slightly less than thousands of years.
It won't be difficult.
Yes, it will. That's just like saying "cracking RSA is super-easy because it's just finding the prime factors of a number!!!!!!!11!!1one" So, why can't anyone with a modern PC bring RSA to its knees? After all, when you publish your public key, you're also publishing your private key, too.... if someone can figure out the factors of your modulus. You can just brute force it -- it won't be difficult.
Re:Cool, but nor practical
by quentin_quayle · Score: 5, Informative
Did the moderators Read The Fine Article before giving the parent points?
Felten in talking about "a conspiracy of about forty devices" is not saying that (defectors at) forty device makers have to reveal secret keys. What he's saying is that you just need the 40 devices themselves, or rather (as post above pointed out) enough to get 40 different key sets (and some math and programming ability). Then the crack is done by analysing the bit streams between the devices (between player and display, or whatever).
The expense is the cost of all those tvs and players. Bribing the device makers is a *different* kind of attack which Felten rules out as impractical.
IT'S NOT ABOUT PIRACY!
by nagora · Score: 5, Insightful
This stuff, just like region encoding, is about price-fixing. That's why the security is crap: its only purpose is to prevent the 99.99% of consumers who will never crack even a trivial encryption from recording a TV programme instead of going out and buying the HDDVD of the series later in the year. That keeps the price of those DVD's up and that's all this is about.
It used to be called "a cartel" and it used to be illegal.
TWW
-- "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
Re:Region Coding vs. Fair Use
by ClamIAm · Score: 2, Interesting
Sorry, but in the age of global trade, nobody has a "right" to the type of region-controlling the media cartels do. In fact, this type of collusion is most likely illegal under lots of treaties and jurisdictions.
Apparently this is easy.
by mozu · Score: 2, Insightful
The solution is easy according to an anonymous physicist. I showed him
the problem and it took him 2 min to do this. He laughed when I told
him this is a multi-billion dollar cipher system.
If (no. of eqns.) >= (no. of variables), the equations are
solvable.
Apparently any 1st year maths student can do this. This is not the
best method however and using a matrix to solve for lambda is the best
way, so he says. By the way it took me about 2 hours brute forcing it
by logical trial and error using pen and paper.
New business-model: Blackmail your competitor!
by tlk nnr · Score: 2, Interesting
The handshake algorithm allows a cool new business-strategy:
- get 40 secret vectors
- use these 40 vectors to recover the secret vector of a well-selling HD-DVD TV screen
- approach the vendor, and threaten to release the secret vector
- profit!: The vendor will have to pay, otherwise the TV screen will end up on the blacklist, and the owners won't be able to play HD-DVD's anymore.
Re:Cool, but nor practical
by ultranova · Score: 3, Funny
Anyways, the whole purpose of buying HD media is for the HD. If it's then downscaled right back to just-slight-above DVD quality, I think people are going to be, pardon my French, pretty fucking pissed. Especially the early adopters who have the highest chance of getting screwed over.
Well, kicking down the front door of the central HDCP bureau and storming it with torches and pitchforks to get the master key is just another kind of brute force attack, no ?-)
--
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
HDCP has been broken, and has been proved to be weak in 2001 twice. See http://apache.dataloss.nl/~fred/www.nunce.org/hdcp/hdcp111901.htm