Making and Breaking HDCP Handshakes

Cadre writes "Ed Felten describes the handshaking routine used by HDCP and how if any 40 devices conspire together, they can break the security of the system."

American Hero.

[Whiney+Mac+Fanboy]

Ed Felten is a true American hero - he's:

* Convinced the Music Industry watermarking is unworkable (saving us from poor quality files)

* Testified against predatory monopolists as a witness for the US govt.

* Exposed holes in Sony's "fix" for XCP malware CDs (that turned out to be almost as dangerous as the original rootkit)

* Given us the memorable quote Given a choice between dancing pigs and security, users will pick dancing pigs every time.

(gleaned from wikipedia)

Also - anyone thinking the 40 'conspiring' devices makes it impractical to break HDCP/HDMI - think again. It just means 40 (or less) like minded hackers have to get together - not particularly hard to imagine these days.

A little tougher than that...

[weetjerm]

His attack methodology is correct, but it will take more than 40 devices to break the system. The chances are very low that all 40 devices being linearly independent, and therefore each one offering non-duplicate information about the system. If you read the comments, he actually inadvertantly ran into this problem with his small example of 4 keys.

However, in writing this, I realize that I do not know how many keys you would need to present a good probability of solving the system of equations. Anyone want to run a simulation?

'Old' news

[bas.westerbaan]

HDCP has been broken, and has been proved to be weak in 2001 twice. See http://apache.dataloss.nl/~fred/www.nunce.org/hdcp /hdcp111901.htm

Re:Why Reveal this Now?

The bad news is that some day they will start hiring people who know what they're doing with cryptosystems and then we're all screwed.

Rather unlikely. The whole concept of DRM is bankrupt as a cryptographic concept because you are handing over the ciphertext, the plaintext and last but not least the key over to your adversary (usually called "consumer" or "hacker"). Sure you can try to make it hard for him to actually get them but you already handed them over and it just remains a question of time until they are recovered.
Meanwhile, a single break is a class break for at least all the content released up to the point of the break (even with "revokable" keys). Also, once a broke the system once, the content is freed forever and can be distributed at leisure (darknet hypothesis), which means even some small quality loss may be acceptable to the attacker since that loss would only occure once.

In short, DRM is a DReaM indeed.

Re:Cool, but nor practical

[quentin_quayle]

Did the moderators Read The Fine Article before giving the parent points?

Felten in talking about "a conspiracy of about forty devices" is not saying that (defectors at) forty device makers have to reveal secret keys. What he's saying is that you just need to the 40 devices themselves, or rather (as post above pointed out) enough to get 40 different key sets (and some math and programming ability). Then the crack is done by analysing the bit streams between the devices (between player and display, or whatevre).

The expense is the cost of all those tvs and players. Bribing the device makers is a *different* kind of attack which Felten rules out as impractical.

IT'S NOT ABOUT PIRACY!

[nagora]

This stuff, just like region encoding, is about price-fixing. That's why the security is crap: its only purpose is to prevent the 99.99% of consumers who will never crack even a trivial encryption from recording a TV programme instead of going out and buying the HDDVD of the series later in the year. That keeps the price of those DVD's up and that's all this is about.

It used to be called "a cartel" and it used to be illegal.

TWW