AACS Hack Blamed on Bad Player Implementation
seriouslywtf writes "The AACS LA, those responsible for the AACS protection used by HD DVD and Blu-ray, has issued a statement claiming that AACS has not been compromised. Instead, they blame the implementation of AACS on specific players and claim that the makers of those players should follow the Compliance and Robustness Rules. 'It's not us, it's them!' This, however, does not appear to be the entire truth. From the Ars Technica article: 'This is a curious accusation because, according to the AACS documentation reviewed by Ars Technica, the AACS specification does not, in fact, account for this attack vector. ...
We believe the AACS LA may be able to stop this particular hack. While little is truly known about how effective the key revocation system in AACS is, in theory it should be possible for the AACS LA to identify the players responsible for the breach and prevent later pressings of discs from playing back on those players until they are updated. As such, if the hole can be patched in the players, the leak of volume keys could be limited to essentially what is already on the market. That is, until another hole is found.'"
Did anybody really expect the AACS LA to say anything other than what they did? (Besides, maybe "we give up"?)
Part of me wants them to find a proper fix for these holes. My CableCo phoned me because I've already gone way over my quota this month.
Trolling is a art,
Of course it's not your fault. Your highly paid engineers are WAY smarter than anyone else.
You give them the lock.
You give them the key.
You hope that they can't figure out how to put one into the other.
High fives.
Powered by Web3.5 RC 2
It's a widely known fact that Canada is responsible for 50% of the HD DVD piracy.
Even worse, the AACS specification does not, in fact, account for this large sparsely populated country.
A12A.713 is the root of ASC('evil')
if the hole can be patched in the players
It cannot, ever, unless they disallow software players from any platform not running on Trusted Computing enabled hardware and a Trusted Computing enabled operating system.
Until then, no DRM scheme works.
None.
It's that simple.
it's in my head
all the windows security problems are caused by the computers these companies build to run it, I mean windows is perfectly secure so long as it sits in its box there on the shelf....if these darn companies would just stop installing it on computers there would be no problem
A Smith & Wesson beats four aces -- Murphy's Law of Poker
Since July of last year I have basically cut out the mass media from my life. I sold my TV, gave away my DVD player, and donated my CDs and DVDs to a charity auction. For entertainment, I've taken up a number of sports, including basketball and skiing. I also now listen to local bands live at pubs and restaurants, rather than listening to the radio or CDs. I never had any gaming consoles to begin with, and I uninstalled and gave away the few computer games I do have. I do rely on the BBC for news, but even that's become limited these days.
I'm glad I made that decision. All this new crap involving DRM and frivolous from the entertainment industry just goes to show you how full of horseshit they are. I'm very pleased that my money does not go to them. They don't deserve it. Not only that, but now that I play sports rather than just watching them on TV, I've become much more fit and far healthier. Getting away from the mainstream media was one of the best things I've ever done.
AACS LA executive decision maker:
A. Test their player key detection procedures (prove they can't reverse Volume Unique Key)
B. Read the public forums that have trumpeted the players and methods involved directly.
...for this fight at freedom-to-tinker.com. The whole series on AACS is worth reading, as is every single thing he posts.
Carousel is a lie!
If they are really going to use the device revocation option, things are going to get way fun.
Players which will only play certain discs and not others, instant obsolescence for entire classes of $1000 players.
This makes the format wars look like a sales promotion!
Just wait until they start finding some *player* keys (not volume keys).
Gather enough of those and you can screw revocation by subverting the master key authority. Hopefully, they'll quietly hack the player key, get them to issue a new one, hack that and....
Don't forget that if you drink the *AA koolaid and bend over properly for them then you've hooked up your DRM infested HD-DVD or Blu-Ray player to the internet not only so that they can track what you watch but so that the players can automagically download updated keys so that you'll never even see any non-functioning disks. That, and monkeys may fly out of their respective butts.
If the players are non-patchable:
1) We will live in a universe in which, every year or so, an unknown number of players will play discs produced up to, but not after, a certain date.
Consider the sales/support implications of customers selecting products for Christmas 2008: "Well, sir, this Foobar-1000 plays discs up produced in 2006-2007, a Foobar-1130 plays discs produced from 2006-2008, and a Fonybaz-1900 plays discs produced from 2006 to August 2008."
If the players are patchable, it's even worse for the industry:
1) Your Foobar 1000 will play discs produced in 2006 and 2007. It ceases to work for discs produced between February 2007 until you buy a disc produced a few months later that happens to contain some code that queries the player whether it's a Foobar 1000... and if so, to automatically/silently patch the firmware. Then all your discs work again.
That's a good thing for the user, and a bad thing for the industry, because as soon as you've got a firmware patch on a DVD, the obvious thing for an enterprising hacker to do is to put his own firmware patch on his own DVD, and your Foobar 1000, all of a sudden, ceases to implement the DRMish crap which the MPAA crammed onto it...
In short, if players can be patched in the field (and this applies to both hardware/firmware-based players in embedded systems and to PC-based disc-playing software), it's a long-term battle of the rootkits, and that's a battle that MPAA is likely to lose.
Why is Ars saying they believe they can stop this hack by revoking the player key? The original person who cracked it specifically didn't release the key I thought and was only releasing TITLE keys which will be much more dangerous to revoke yes?
Not that it matters much either way because this attack vector will always exist for any kind of system they come up with. Since it will always exist someone will rip it and post the movie on bittorrent.
They are actually probably pretty happy that this is the only possible hack anyways since it isn't anywhere near as useful as DeCSS.
Dear consumer:
Please check our website so you can download a patch and install it on your DVD player.
BWahahaha..
That will go over like a lead balloon.
as will a machine that no longer plays new movies every few months so you have to buy a new player.
Which is good. DRM is just causing more consumer frustration and less value.
The Kruger Dunning explains most post on
You can play around with keys so that the same player won't play both old and new discs, but that doesn't change the fact that the old software will continue to be out there and will continue to be able to play old discs. And next time someone screws up, all the discs up to that point will be compromised, and on and on.
I don't understand the point of revoking a hacked key. Now the key has been found and discs have been hacked, the output of the process is an unencrypted file with no key. Until something like AnyDVD comes out that just silently and automatically strips encryption on the fly, the primary use of the program will be to get unencrypted content onto P2P networks.
Why bother revoking the key? I must be missing something. Sure, don't use the same key on future discs, but pirated copies will have no encryption - key revocation only seems to affect legitimate users of the disc.
Oh yeah, I'd forgotten, DRM isn't about piracy...
The express purpose of "Trusted" Computing is to distinguish an OS running on bare hardware from a virtualized OS. The virtualized Trusted Platform Module is issued not from a recognized mainboard manufacturer's keyspace but from VMware's.
This is the hole security experts have been telling them about since they started using cryptography in DRM.
Currently all encrypted content and keys must exist in unencrypted form at some point in memory.
Also, as long as the contents of memory are viewable this hole will exist. The strength of the crypto doesn't matter if the user can get the key. Currently scanning the contents of memory and trying each group of bits against something known, like encrypted MPEG headers, is reasonably quick and effective.
"to identify the players responsible for the breach and prevent later pressings of discs from playing back on those players until they are updated."
wasn't this attack based on being able to extract the title-key from the disc, then run it through stock AACS decryption libraries? they could revoke whatever keys they wanted, but wouldn't the existing un-retractably released software still have to read the key (making it visible, unencrypted, in ram....) before it could deny playing it?
The way I understand it the "player" gets the title key, normal AACS libraries are used to decrypt into a format (no-drm) that any player will play back. it has no key to block!
Just because some 'software player' has been compromised and will get revoked, there are a few hardware models out there that also have 'weak' firmware and a JTAG port to jack into. I just wish this hacking business would get me some hotter lookin' chicks like in the movies..the ones we can decrypt now..and forever!
I hail our new hacker overloads!
All the focus, and for good reasons, has been on software-based DVD players. They're easy for any hacker to play around with. However there are plenty of people out there who happen to be hardware hackers as well. I wonder how long (probably just a matter of time) before some hardware/firmware hacker dissects a standalone HD player and is able to extract keys from that. Hardware hacking hasn't been as glamorous as software hacking in recent years, but a mere 20 years ago it was all about hardware hacking. Read a book like The Cuckoo's Egg - a sysadmin physically tapped into communication lines and directed the output to line printers so that a hacker he'd been hunting wouldn't know he was being tracked. I'd be willing to bet that some hardware/firmware gurus with the right tools would be able to hack a standalone HD player if they had the desire to do it. And if they can pull that off it'd be a LOT harder for the AACS LA to plug that hole.
How about adapting to the market, recognizing that Fair Use is allowed by Copyright Law, and arriving at the logical conclusion:
Given that Fair Use is a right protected by law (it's NOT a defense as some love to claim) in exchange for a limited monopoly on distribution of the work in entirety, make the product more attractive to paying customers. Don't try to make money on both ends; recognize that timeshifting and formatshifting and copying of excerpts for use in reviews, parodies, etc. are all allowed in exchange for your limited monopoly, and improve your packaging, product quality, and pricing. Also: recognize that you are selling a commodity product identical in every way to a book; first sale doctrine applies; it is NOT licensed. If you do not offer a refund after the transaction is made PRIOR TO acceptance of any such license, then it is clear that it is not licensed, but a commodity good sold as is, and as such, the purchaser can do with it as he or she damn well pleases after the point of sale. Otherwise, offer refunds and back your product with a warranty.
Also, when a DVD/Blu-Ray Disc/HD-DVD delaminates or becomes too scratched to use or breaks, happily replace it for the customer, or at least provide a mechanism for making a 1-for-1 backup, as provided for under Fair Use and many court precedents.
Also, you should also quit conveniently selectively reading and interpreting the DMCA: recall the exclusions allowing for interoperability, and that cracking it for exercising Fair Use such as format shifting and viewing on alternate platforms and devices is explicitly allowed even under the draconian DMCA.
I reiterate: The Best solution is to drop DRM and increase value for legitimate paying customers. Give them a reason to WANT to buy your product.
I usually buy at least five DVDs per month, usually closer to 15 (my DVD collection is rapidly approaching 500). This month I bought "only" 3 (well, seven, if you consider that the extended edition of The Lion, The Witch, and The Wardrobe is four DVDs, and another movie I bought was a two-DVD collectors edition) because I incurred large expenses (a vacation, new PDA and other electronic equipment, and promptly ripped 5 DVDs for viewing on the PDA while traveling - interoperability format shifting provided for by DMCA exclusions and Fair Use I might add).
I occasionally download in a "try before I buy" scenario. I purchased THX1138 and T3 and many other movies after I decided they were worth buying (honestly, there hasn't been anything I downloaded that I didn't end up deciding to buy, except for material which falls into public domain). Some I won't pay more than $7 for and look for used DVDs, but I buy most DVDs new.
I was holding out on HD-DVD and Blu-Ray pending cracks to enable Fair Use and Linux interoperability, but now I am going to wait longer to see how it pans out. Will they actually revoke the keys? Will downsampling be turned on? If so, then I'll stick with DVD's 720x480 resolution, and use Blu-Ray solely as a read-write medium for backing up data, and buy exactly zero high-definition discs. It is not as though the increased resolution improves poor writing, and makes a bad movie worth watching (although in some cases, such as Plan 9 from Outer Space, or Starship Troopers, it is possible that a movie is so horribly bad that it enters the must-own/must-see category). Futurama or Stargate (ignoring the seasons with the Ori) or Seinfeld is equally entertaining to watch at 320x240 (roughly VHS resolution), 720x480 (DVD), or 1920x1080p (high def's top resolution).
Posting anon for the benefit of litigious MPAA assholes. MPAA: FUCK YOU.
They talk about this on Security Now, Episode #76 (http://www.grc.com/securitynow.htm)
It seems muslix64 just had a snapshot of the entire .exe running in memory, then used selective keying - serially trying bytes 1-4, then 2-5, 3-6 etc as the keys until the mpeg frame decrypted. (which, of course this is much faster than a pure brute force attack, and took only seconds).
So as long as a software player has the key in the clear and is loaded in memory 'somewhere', this type of attack will continue to work.
AACS is still 'unbroken' but like many failed encryption schemes, it was circumvented due to poor implementation.
You would make sense if a money map of the industry didn't show that the vast majority of the profit goes to CxOs, VPs, board directors, and career stock investors who have little or no real interest in the actual entertainment content.
When you can separate honest entertainment interest from pure and erated business interest then you may pull your head from your backside.
the NPG electrode was replaced with carbon blac
If one hacker's player gets revoked, it won't affect regular users at all. And the hacker will probably just buy another one.
Open letter to the MPAA: I hope a true "CSS" style hack is found. Otherwise, I'm remaining on the sidelines and I won't be buying any HD-DVD or Blu-Ray discs.
Hear that, MPAA!?!?! I said BUYING. You claim piracy costs sales, but you MUST then subtract the lost sales due to your overbearing copy protection. I have about 2000 CDs and about 600 DVDs in my collection. I have no HD-DVD or Blu-Ray discs. And I don't plan on it either unless things change.
It's a new world. And in this new world, I have an expectation of device portability. That means when I buy a 5" media-containing silver platter, I expect to be able to store it on a server in my house to stream it to my living room or my computer or my bedroom. I expect to be able to re-compress it for my laptop or my ipod (or -like device) for watching when traveling. I have no desire to be tied to a specific (and expensive) playback device in a specific location. You're terrified of future storage capacity that will reach into the terabytes on small devices, but to me, that's the thing that's keeping me interested at the moment in the stuff you have to sell... the knowledge that I can have that portability in movies and TV the same way I have it for the music that I've collected over the years. The RIAA freaked out when MP3's came along, but to be honest, my interest in music had waned significantly. But now, with so much available at my fingertips, I'm VERY interested in hearing new things and I'm buying probably more than ever before (though none through the DRM-crippled iTunes store).
I will gladly buy the media, but I expect that at that point, our relationship is OVER. Thanks, goodbye. Now if I want to extract images from the movie, print them out, and wall-paper my room with them, that's MY business, not yours.
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
That AACS protection can be easily cracked because some player manufacturer did not make the player right goes to show just how ridiculous the whole proposition is in the first place.
It warms my heart to know that there are people out there watching out for my fair use rights. If it weren't for them, the people who (blah blah blah) my entertainment would be able to prevent me from taking actions which are supposedly explicitly protected by law, based on legislation which they bought and paid for. Now I don't have to worry about that happening, and I can do the things I'm supposed to be able to do with my entertainment collection.
There, fixed that for you.
I bet you are in favor of banning water since it's possible to drown someone in it, too.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
So imagine the shit-storm when customers start flooding the Best Buy customer support aisle thinking that their machine is broken, when in fact it "works" just fine and the movie industry has shut down your player because some hacker is using its AACS key.
I can't wait.
The Hindenburg did not catch fire, it was merely the hydrogen in the Hindenburg that caught fire.
The Titanic did not sink, it was just that Captain Smith did not adhere to the specifications as to how the Titanic should be operated (it says clearly on page 216, "Do not allow icebergs to rip open more than four of the water-tight compartments.")
And talk of "blunders" in the Battle of Balaclava are hogwash.
"How to Do Nothing," kids activities, back in print!
quoting the weasels,
"in theory it should be possible for the AACS LA to identify the players responsible for the breach and prevent later pressings of discs from playing back on those players until they are updated. As such, if the hole can be patched in the players.."
which roughly translated into English means
"anybody hacks the Belchfire player, we just lock out new titles. Belchfire fixes it for you, or you pound tar, customers. Bwa-ha-ha-ha-ha!"
just what we all needed to hear to make us want to run out and dump a mortgage payment down the rathole on one of these things. thanks for clearing it all up for us, industry!
if this is supposed to be a new economy, how come they still want my old fashioned money?
AACS can revoke individual player keys. No need to revoke a whole line of players.
If they admitted this was in fact a miss in the AACS specification about protecting the keys, AACS LA could have their algorithm face a quite severe dent in its reputation. By blaming it on player implementations, it's not their problem. However, the real problem still remains despite whatever they say -- it's the end result that matters, not whose fault it is.
Beware: In C++, your friends can see your privates!
I think you miss the point. By the very nature of how any of these encryption schemes HAVE to be used (ie, within someone's home with key and encrypted data all existing on some device), they can be broken. Always. Therefore, the pirates will break them. The more difficult the studios make it, the more sport it will become to the pirates. I honestly don't see a way they can solve the piracy problem this way.
...
On the other hand, I purchase my movies (currently on DVD) and am very happy that DeCSS exists. It allows me to watch legally-purchased DVDs on linux, and possibly back them up if I wish. I hope a similarly useful scheme for breaking AACS exists if/when I ever get a high-def drive for my computer (could be a big if).
At the same time, the only people really detrimentally affected by these schemes are legitimate consumers. Once hardware players start getting keys revoked, this is going to become even more apparent. The studios will achieve:
a) Not stopping piracy (and possibly adding to the "fun" by making it marginally more challenging)
b) Starting an ongoing war of revoke keys / break keys / revoke / break / revoke /
c) Monumentally frustrating their legitimate customers. Even more so than the few linux/etc users annoyed by CSS.
Then it is Not That Bad Because I Can Waste Time Burning And Reripping. Don't forget about this important exception!
So there simply won't be any more PC-based player software. The outcome of this will be that no more software-based HD players will be licenced. Only stand-alone boxes, and sealed black boxes that sit between your PC/Mac and an HDCP-compliant monitor.
Otherwise the next time a programmer complains to a cryptographer that his DVDs won't play, a bypass will be found. Google "My first experience with HD content being blocked" to see this in action - about 8 days later, AACS was bypassed.
As a programmer, I can tell that it works both ways. Any deficiency (or bug) can be blamed on poor implementation. At the same time, big companies which actually looked and benchmarked development process (e.g. IBM) claim that 75% of bugs are caused by erroneous specifications.
IOW, players were implemented as good as AACS has told what/how to implement.
Somehow, I doubt that documentation from AACS would be much better than that of Microsoft.
All hope abandon ye who enter here.
Now, see, this is the part I don't understand.
Even if the key is not loaded in memory, isn't reverse-engineering the exe enough to find that key, wherever it is?
Except that this is a "class break": it affects all players of the same type. If they revoke the cracker's player's individual key, the next 100 crackers continue blithely along unaffected. They have to revoke the keys for all players of the vulnerable type to stop the break. Which will always affect more legitimate customers than crackers.
What more can I say.
rgds
A smart industry would have learned from CSS and required a PCI hardware decoder for playback.
Yeah if you put up walls then someone will see if they can tear them down.
:)
I for example enjoy messing with certain MMORPGs as a hobby.
It's very therapeutic.
Virtualisation does not save us from trusted computing - as the parent says, TCPA was designed with virtualisation in mind.
Every time a thread about DRM comes up, TCPA is mentioned, and a whole bunch of people get modded +5 Insightful for saying that they'll circumvent it using VMware or similar. But to do that, you have to make your own TCPA keys, which won't be signed by a trusted third party. Online services that require remote attestation will require you to use a key that has been signed in that way.
The key in your TCPA module will have been signed, but you can't get at that key by design. You can't use it to sign programs in your VM. That's the idea. They know that virtualisation is a hole. They are as smart as you.
However, perhaps we can get at the key in the TCPA module by getting the module to repeatedly sign something while monitoring its power consumption. This technique, differential power analysis, is apparently very hard to defeat. You can use it to get keys out of smart cards, given enough time: perhaps you can use it to get keys out of your own processor. The price of freedom in the future?
Get informed about TCPA here. http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
>north
You're an immobile computer, remember?
The reason the title keys were retrieved is that the soft DVD player made it very easy to find the keys.
AACS (or any s/w based scheme) has an inherent flaw. Somehow/somewhere the decryption keys need to be brought into memory as clear text in order to decrypt the content. How do you protect them from prying eyes? One option is to have the player play some kind of shell game, or try some form of obfuscation with the keys. Of course a determined hacker can track this down as well. You should never hide the secret in the content (see Kerckhoffs's principle) http://en.wikipedia.org/wiki/Kerckhoffs'_principl
Obviously, the player wasn't as defective as it was designed to be.
To crack a movie. Once it's been cracked and posted on Bittorrent fixing the key in the DVD player that was the culprit might keep the same hack from being used again, but it's toast for that movie.
I'm fairly certain that if at some point the **AAs ever visited slashdot that it didn't take long to figure out that this isn't the place for them to visit. Why don't you try actually sending them your thoughts DIRECTLY, as I have done in the past. If more people did, maybe they wouldn't think that the public actually wants DRM. Otherwise, you're just doing what the network exec in South Park said "please direct any further complaints to the brick wall over there". You're being just as effective.
today is spelling optional day.
DRM *is* a pain in the ass. Even on DVDs, with copies you don't have to sit through those annoying ads and logos or the annoying main menu (which always leads to the movie). On the real-McCoy you must suffer. How many people with legal copies of Windows are using volume keys just because they don't want to call up Microsoft for permission whenever they change their config?
The MPAA (and Microsoft) are fighting the way their enemy fights best. If you make DRM inconvenient, and it *is* inconvenient, hackers will find a way around it. If you overcharge, or having play-one-time-only restrictions, people won't use it. If you make any system harder to use than what is out there already, people will go around it! And I'd bet my money on a bunch of teenager hackers over any boring, Microsoft wage serf.
My suggestion: make movies cheaper and drop DRM altogether. PC game companies are realising this. My Oblivion DVD says 'we didn't include any copy protection so please don't copy this'... and I didn't. They've got my goodwill. Some hackers probably did copy it, but DRM doesn't make it any more or less likely. Maybe even more?
hdkeys.com/
I await the Slashdot story introducing your implementation of this concept ;-)
What, exactly is "this"? Certainly nothing referred to in the parent posts that I can see.
Your parent's point is that if you obtain the player key for HDVision-1000 serial number ABCDE, just revoking the key for serial number ABCDE is not enough. Since you can obtain the key from one HDVision-1000, you can easily do it to any other amount of the same model, thus the keys for ALL of that model must be reversed, since the design* has been compromised.
Suffice it to say, the design of all of them is flawed from the get-go, so whatever.
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
It's probably not in plaintext in the exe, but they do have to have it in plaintext before they use it.
stay frosty and alert
Yes, but to be clever, the player might do something like encrypt the player key with some other key that it stores in plaintext. But, the bottom line is that *at some point* the player key will be in memory. I did basically the same thing for a project in an information security class. Our task was to locate a key in a 1MB memory dump to decrypt a GIF which was encrypted with AES-128. Java's crypto library was able to brute force test a million keys against the first 128 bits of the image (enough to see if the first 3 bytes are ASCII GIF) in about a minute and a half on 1 GHz G4. Decrypting one frame with all the keys in a memory dump can be quick. Even if you dumped all 1GB of your memory and tried it, that's 1500 minutes using the technique mentioned above. Not super quick, but you can improve that by only searching high entropy areas of memory (this could help a lot). In any event, this is most likely simpler than reverse engineering the EXE.
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
All you need is one very pissed-off average geek that can't watch their bought-n-paid-for movie and the whole non-DRM'ed movie is likely going to be out there for everyone else, that can't watch their own copy, to download it. In fact, the more players that they "revoke" the keys for, then the more pissed-off geeks there will be, and the more movies that will likely be available for download. It's a losing proposition any way you look at it. With DRM the "fix" becomes "the problem". The only people that win are the ones writing the DRM and spoon feeding the Board room executives that don't know that DRM can't work.
When will they ever learn that you can't solve a SOCIAL PROBLEM using technology of any kind. In fact they should wise up and realize that it's the professionals that build specialized hardware that copy the "protected" disk bit-by-bit, then burn a thousand copies, and are making big bucks off of all the boot-leg copies. Those are the ones they should go after, not the average people that paid for the movie and just want to watch what they paid for, when and where they want to. So, RIAA/MPAA, take it from a security geek, know thy enemy! You can't fix a problem if you don't even try to understand what the problem is!
It doesn't have to end up in the process memory in the clear; it could be kept in a register. Those register contents will end up on a kernel stack somewhere when you hit a process switch though. That could be limited by getting everything set up to decrypt, yielding control back to the kernel (not sure exactly how) so that when you next run, you have a good chance at running a certain amount before being interrupted by another process. If you can decrypt in that time, the key still doesn't end up in RAM.
It is hard (and maybe impossible in this case) to do, but it could happen.
Two separate but important points:
1. The most devastating attack that can be done against software players would be to use malware to extract keys. There are many, many zombies out there. The malware could search for installed HD-DVD/Blu-Ray player software on the victims' machines that it knows how to break, extract the unique key from such software, and send to the malware author. There would then be enough keys known that only revocation of the entire product line's keys could get around the problem. I wonder whether they've considered this scenario. (However, one mitigating factor is that malware is done for profit, and this wouldn't be profitable. For-profit pirates just copy disks outright without bothering to decrypt.)
2. The reason the AACS made that wording about the players not following the "Compliance and Robustness Rules" is probably so that they can invoke the parts of the contract allowing them to fine the licensee millions of dollars.
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
Should they just make less profit? Should they require theaters to raise the price of popcorn?
Ridiculous!
I say they hire more lawyers, spend more on R&D, and keep changing DRM. That's the only way they can keep making the money they deserve. If all else fails, raise prices to make up for the loss of volume.
I'll be honest, I don't have a perfect idea of how this circumvention worked, but I had some thoughts about it and I would like it if someone would be kind enough to assess their validity.
What this article and the others related to this story basically show is that a user can gain some control over this encryption, and the other comments I see seem to indicate that a user can gain local control of most DRM devices in question.
But what would happen if a greater degree of control was obtained through detailed analysis over time of the software and hardware? Say in six months, an organized group determines how to revoke keys or force tainted upgrades on the user. Could you see electronics manufacturers being forced to pay protection money to stop viruses, or piles of HD players (I imagine they have decent computing power) being used to power a botnet?
But that is what DRM must do -- hide the "secret" in the content. The soft DVD player did NOT make it easy to find the key. However, HD has to work pretty much "to the metal". The key was not "identified", in the sense of being reversed.
The attack is simpler. We know the key must be in memory SOMEWHERE. So, try decrypting with all possible memory bytes. For each 1MB of memory the player takes, the keyspace is effectively only 20 bits. The key is "brute forced" across the player. The key of interest is not in the read-only portion of memory (not a player key), which reduces the search space.
How to protect against this: the key may be broken up and hidden in its construction. Instead of storing the bytes in sequence, they can be (say) separated. If the key is known to be in a 1MB region of memory, this can provide up to 20 bits additional keyspace for each byte. But, the pattern of access can be determined by watching the processor, so this would be defeated. Basically, the attack would be to watch all data accesses, and determine which is incoming encrypted. All other access would be potential keyspace, which can then be "bruted". I would estimate that only up to 12 key bits per byte would be added (watching page access is trivial). Which makes the brute force attack possible again. The AES crypto core itself could come under attack -- not to break AES encryption, but simply to determine where its key is coming from.
This attack cannot really be defended against. Except if we either (1) move the key storage to somewhere more secure, or (2) modify the "Operating System" to not allow content-vendor untrusted software. The soft player would need to survive all possible attacks that may result in other code to be executed (thus allowing injection of monitoring software). Which means the player software needs to be either "perfect" in a security sense, or that the OS cannot allow any "untrusted" drivers (ring 0 code) to be run WHILE the player is running, AND not permit any application access to the player (to prevent fuzzing attacks, etc.), AND not allow direct data recovery from (say) screen buffers (which means, in turn, that the entire GUI has to be hardened, as well as the fancy 3D drivers, etc.).
Much easier to just "sandbox" trusted applications by forcing them to run separately (in a sense) from all untrusted applications. Since a possible attack is to recover frame data from the (say texture memory) graphics subsystem, no display of other applications can be allowed.
The computer would need to be converted into a simple HD content player while the HD content is playing.
So, you are correct. Key-jacking will be possible and practical in the future (at least as long as it is needed)
Just another "Cubible(sic) Joe" 2 17 3061
Actually, the only thing I can see that DRM (or copy-protection) could help with is so called 'casual copying', i.e. the thing I know at least I did as a kid:
"Hey, you've got the new Doom II? Cool! I have a bunch of blank disks in my backpack, could I get a copy?"
But other than that, no, they will never stop piracy, only inconvenience their customers. Some companies understand that, like ID Software who eventually dropped the CD check in Quake 3, others do not, like Blizzard who recently made it so you can no longer play on Battle.Net if you are using any form of No-CD patch, regardless of your bought and valid CD Key.
mov ax, 4c00h
int 21h
> Blizzard ... can no longer play on Battle.Net if you are using any form of No-CD patch,
> regardless of your bought and valid CD Key.
I use no-cd on all my games, because I hate fumbling for disks from a stack whenever
I want to play something. I only have one drive you know. Some laptops have none!
Thanks for the warning. There are so many games out there nowadays and such little time
that you can afford to be choosy. If companies do this, let's name them and shame them
so at least buyers know they'll spend a week of their life this next year shuffling CDs.
Blizzard, you're evicted!!!
Quantum computers are only useful for a small set of problems, breaking AES isn't one of them.
There's a much simpler argument to show that 128 bit keys are big enough and that's to calculate the amount of energy needed to try all keys. Even if a key can be tried with the energy of a single electron transition then you still need to suck all the energy out of a couple of suns to do it.
2^128 is a *big* number!
No sig today...
AACS has such a large keyspace that every single player can get its own individual key.
AACS also allows cheap and secure revocation of just a single player key.
If the entire production run was flawed then all 10000 player keys can be revoked at the same cost as revoking a single player.
There is (sadly) no hostage situation possible with AACS.
-- To dream a dream is grand, but to live it is divine. -- Leto ][
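The revocation cost discussed in the comment above, worked through as an added example that is not part of the original thread and not AACS LA code: a simplified complete-subtree broadcast-encryption model, not the AACS key-block format itself. The tree height, player numbers and the assumption that a production run was issued an aligned block of keys are all constructed for illustration.

```python
# Simplified complete-subtree revocation model, constructed for illustration.
# Players are leaves of a binary tree stored heap-style: root = 1, children of
# node n are 2n and 2n+1. A player holds the key of every node on its path.

HEIGHT = 32  # assumed tree height: 2**32 possible player keys


def path_to_root(height, player):
    """Yield the nodes whose keys a player holds, from its leaf up to the root."""
    node = (1 << height) + player
    while node >= 1:
        yield node
        node >>= 1


def cover(height, revoked):
    """Return the nodes whose keys must wrap the media key so that every
    non-revoked player, and no revoked one, can unwrap it."""
    tainted = set()  # every node with at least one revoked leaf beneath it
    for player in revoked:
        for node in path_to_root(height, player):
            if node in tainted:
                break  # the rest of this path is already recorded
            tainted.add(node)
    if not tainted:
        return [1]  # nothing revoked: one record under the root key
    first_leaf = 1 << height
    records = []
    for node in tainted:
        if node < first_leaf:  # internal node: keep any clean child subtree
            records.extend(c for c in (2 * node, 2 * node + 1) if c not in tainted)
    return sorted(records)


def can_decrypt(height, player, records):
    """A player can play the disc if it holds any key used in the key block."""
    wanted = set(records)
    return any(node in wanted for node in path_to_root(height, player))


def demo():
    """Key-block size (number of records) for three revocation patterns."""
    single = cover(HEIGHT, [123456])                       # one player
    run = cover(HEIGHT, range(5 << 14, 6 << 14))           # aligned run of 16384
    scattered = cover(HEIGHT, [i << 18 for i in range(10000)])  # 10000 spread out
    return len(single), len(run), len(scattered)


if __name__ == "__main__":
    print(demo())
```

In this model a single revoked player costs 32 records and an aligned run of 16384 costs 18, while 10000 players scattered across the keyspace cost well over 100000 records, so the cheap case depends on how keys were assigned to the production run.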
Someone with a valid player key could set up a server that will decrypt title keys that HD customers send it.
That way the player key is never in the clear and the content mafia will not know what player key to revoke.
The tricky bit is that it's quite possible for the mafia to figure out what player key it is, because they can generate all the revocation trees they want and use that to perform a binary search for the player key.
So when someone does this they will need to make sure that the system refuses to even work on key blocks with strange revocation trees (previously unknown) that come from untrusted sources.
Alternatively the server could simulate that its key is everywhere in a huge part of the keyspace where there are no revoked keys, so if the attacker tries a keyblock that has any key in that entire range revoked, then the server will act as though it couldn't decrypt the keyblock and thus keep the attacker guessing.
-- To dream a dream is grand, but to live it is divine. -- Leto ][
This can be foiled by 'encrypting' the key by swapping the bytes and using a bit of assembly to 'decrypt' the key in a register before use and making sure the key never leaves the register at any time. Not really encryption I know, but it's not difficult (if you know the arcane art of assembly) to foil this type of attack.
Listen to my music.
I am no expert in these matters, so please correct my assumptions if they are wrong:
To play back, say, a movie stored on an encrypted HD-DVD, you need:
- The data on the HD-DVD
- A "known secure motherboard" with TPM-Chip
- A "known secure OS booted off and verified" by this motherboard
- Trusted drivers for all kernel-mode peripherals, signed off by OS-Vendor
- A software player recognized as "known secure and not yet revoked" by the HD-DVD and launched under the OS
Now, let us assume that I program a kernel-mode peripheral such as a graphics card and put a backdoor in my driver that neither my employer nor Microsoft notices.
Since a graphics card needs to handle uncompressed and unencrypted content, an image of each frame of the movie is in my memory.
With a few extra cpu cycles, I can re-encode it in plain jpeg or mpeg and write it at low bandwidth as digital noise to, say, a secondary LCD-Display connector, where another PC records it and writes it to disk.
Note that this works with any motherboard, any software player and any OS version up to the point that my backdoor is detected.
Now I can:
a) Rip all movies released up to that point
b) Rip all later movies that do not expressly reject all prior OS versions
Since only one bad guy needs to do this to be able to pirate the movie, b) effectively means that any legitimate user cannot watch new HD-DVDs he bought, unless he periodically connects to the internet to keep his OS-Version up to date.
The interesting thing here is, that for driver development, there must also be developer hardware and software that does not enforce trusted drivers, because I cannot have them verified and signed off by the OS-Vendor between compile-cycles in development and debugging in any meaningful way.
I could possibly see how Apple, which controls drivers and Hardware for their boxes, could hope to pull off such a complicated scheme with at least a tiny chance of success.
But for Microsoft, relying on thousands of third party system and component vendors, this seems practically impossible to me.
No, you can most likely not "easily" do it. Usually, this kind of thing takes scanning electron microscopes and multi-million dollar equipment. The keys are not going to be sitting in some externally accessible memory you can just dump.
You underestimate the amount of people with skills to use an SEM and plentiful access to them. I'm within walking distance of two of them and while I couldn't use them, grad students are poor and would love to make a few bucks.
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
Who'd pay for a key that will only be revoked as soon as it is used? And it's not like the problem is the skills to use an SEM - that's just the basic tools. You need to be able to actually take the chip apart layer by layer, scan it, and then the real work starts, trying to reverse engineer it.
Granted, once you've done the reverse engineering once, doing the same thing again is significantly easier, but in the end, all you get is a key that will be revoked as soon as you start using it.
Daemon Tools still seems to work fine for me, as does a mounted image and Cedega.
Granted, once you've done the reverse engineering once, doing the same thing again is significantly easier, but in the end, all you get is a key that will be revoked as soon as you start using it.
This is certainly true. However, if it becomes common practice for player keys to be revoked, people will stop releasing them to the public and just release volume keys. While less useful, you really only need one volume key to unlock a lot of copies of a title.
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
True. Just saves you having to keep the ISO on your HDD. (BTW Wikipedia says the latest version of Daemon Tools has spyware you need to deselect on install)
This is a good place for NO-CD patches. *Seem* virus/spyware free. Legal caveats apply:
http://gamecopyworld.com/
You're right. Unlike the typical proprietary software EULA, the GNU General Public License does not take away material rights of the owner of a copy, such as rights under Title 17, United States Code, sections 109 (right to resell a copy; right for nonprofit libraries to lend a copy) and 117 (right to copy computer software into RAM and to make backups). But unfortunately, United Kingdom law does not have anything directly corresponding to 117, so in that country, the GPL applies to plain users.
The logical next step is to allow only hardware and partial-hardware players.
Correct. Welcome to trusted platform computing. It's coming and Microsoft will be forcing it down your throat. See WMP 10's drm, Vista's DRM. Tip of the iceberg.
If the keys are truly embedded in the "trusted" ASIC: Making custom chips is expensive
Wrong wrong wrong! It's called a smart card module. A surface mount is simply another package.
If the keys are somehow individualized to each computer....
Smart card modules that are actually microprocessors are specifically designed for this kind of activity and very difficult to compromise.
The smart card module will make it sufficiently difficult to freely copy digital content that very few will do it. That's the objective, not 100% air-tight DRM.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
"Your Foobar 1000 will play discs produced in 2006 and 2007. It ceases to work for discs produced between February 2007 until you buy a disc produced a few months later that happens to contain some code that queries the player whether it's a Foobar 1000... and if so, to automatically/silently patch the firmware. Then all your discs work again.
That's a good thing for the user, and a bad thing for the industry, because as soon as you've got a firmware patch on a DVD, the obvious thing for an enterprising hacker to do is to put his own firmware patch on his own DVD"
An enterprising hacker *with the private keys of the AACS group* in order to sign their new firmware. Unlikely.
Look at BD+.
Now that we know some real title keys, somebody can play 20 different movies, take 20 memory dumps, and compare them to find the title keys.
This is certainly true, but it also means you are limited to the discs you can personally get your hands on. And while maybe you feel good about yourself for helping others by releasing a handful of keys, the effort required to reverse-engineer an entire microchip is maybe not worth it.
An even smarter industry would just have put the decoding and decryption chip in the disc reader itself.
I'm sure they've thought of this. The problem is that if you put the decryption there, then necessarily the reader must output a decrypted stream to the computer, which is anathema to the whole concept. If the drive just spits out a decrypted stream, why bother making the content on the disc encrypted at all?
No, the whole point is to carry it in encrypted form as far along the signal chain as possible. This is why the decryption is done in the computer/player, rather than in the drive itself. They want the computer/player to authenticate the rest of the downstream signal chain (the HDCP compliant monitor, generally) and only then decrypt the video content and send it onwards (and even then, re-encrypt it specifically for the display, so that you can't just attach some alligator clips to the HDMI cable and get the unencrypted hi-def version).
In the optimal arrangement, the decryption would be done as far "down" the signal chain as possible (where you, the viewer, are at the absolute bottom, where you belong), preferably in the display, just before the last-minute conversion to analog signals of some sort. However, for various technical (and political) reasons, this isn't practical, and so the decryption of the disc content is done by the player, which then decides what level of content to send out to the display device depending on its credentials.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
We don't need another bloated media player - WinAmp was horrible enough...
np: Radiohead - Morning Bell (I Might Be Wrong - Live Recordings)
"I'm not anti-anything, I'm anti-everything, it fits better." - Sole
Sure, it's possible to bury the key inside a dongle distributed with each software player.
However, it's annoying to work with and difficult to distribute
The video game industry and the mid-high end design industry tried dongles and both failed.
The only place I've seen it work was at a company which made textile design software
which was extremely specific and extremely expensive.
I seriously doubt any mass-media software will be tolerable with dongles.
Just my $0.02
Ben