First AACS Blu-Ray/HD-DVD Key Revoked
Thomas Charron writes "An update posted for Intervideo WinDVD 8 confirms that its AACS key has been possibly revoked. WinDVD 8 is the software which had its device key compromised, allowing unfettered access to Blu-Ray and HD-DVD content, resulting in HD movies being made available via many torrent sites online. This is possibly the first known key revocation which has taken place, and little is known of the actual process used for key revocation. According to the release, 'Please be aware that failure to apply the update will result in AACS-protected HD DVD and BD playback being disabled,' which pretty much confirms that the key revocation has already taken place for all newly released Blu-Ray and HD-DVD discs."
How many of you like to have your computers controlled by media corporations and Microsoft? Voting time is now. http://defectivebydesign.org/
It means *NEW* HD-DVD and Bluray discs won't work on WinDVD 8. The key for WinDVD 8 has been revoked. Other players use different keys. Those have not been revoked. WinDVD has released a free update with a new key, and presumably an attempt to encrypt it.
This is why HD-DVD and Bluray players require a network jack. It allows for old keys to be removed and new ones to be implemented, among other things.
What this means is that *NEW* HD-DVD and Bluray discs won't work on old players, unless patched.
Actually:
1. New discs won't play on the players that have had their keys revoked. Just to make that clear, this only has any effect for users of the WinDVD software player.
2. If I remember correctly, the player will keep a version of the revocation keys. So from what I've understood, once you put in a disc which says "Hey, you're supposed to be revoked" that player will stop working until you get an upgrade.
For a software player, this isn't more than what it just said - a required software update. It doesn't get nasty until hardware keys are found...
Live today, because you never know what tomorrow brings
So when the key of your Samsung BD-P1000 is revoked, your player will no longer play any new disks that you buy. You will have to go out and buy a new player.
Of course, this is not the case; there are likely other ways of updating firmware on "real" HD-DVD players, but they're likely to be less transparent to consumers.
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
It's not a myth at all. Try reading section 4.8 of the AACS Introduction and Common Cryptographic Elements spec: What this means is that disks are distributed with Host Revocation Lists on them, cryptographically signed by AACS. Whenever a disk is inserted, the drive checks to see if the HRL on the disk is newer than the one it has in nonvolatile memory, and if so, it checks the AACS signature on the new one and stores it in memory. This allows a drive to refuse to talk to a given host software. Likewise there is a drive revocation list that the hosts are supposed to hold which tells them not to talk to certain drive versions, in case an attack is found in some models of drives.
Having a network port is a mandatory feature for all HD DVD players, so updated keys and other updates can be easily delivered. It's mainly there for downloadable content (like adding subtitles in a new language for an existing disc).
Blu-ray, however, has networking optional, and most Blu-ray players don't have a port.
Yet another way in which the baseline functionality in HD DVD is much higher than Blu-ray.
My video compression blog
It's not. Or more specifically, not in the way you want.
Storing the revocation list like this is likely only useful so that the device can give the user specific instructions to go look for an update, and maybe disable itself even for older discs. Every new disc will still fail to provide a disc key to the player, as the player key will not be included in the tree of allowed ones. You still couldn't play new discs, the best you might do is prevent the player from understanding that it needs an upgrade.
Slashdot needs a "-1, Wrong" moderation option.
The Urban Hippie
None of that matters for hardware players, because each individual player can be revoked independently, without affecting the one that came off the line immediately before it, or the one that came right after it. They don't bother issuing a unique keyset to each copy of a software player, for obvious reasons, but hardware players all have unique key sets so if the keys in one of them are compromised, and known to be compromised, then that specific player can be revoked so that future disks won't play on it. No updates to other players are required.
What makes this magic possible is a very clever and sophisticated key derivation scheme. Basically, there is an enormous tree of trees of possible keys, and each player is given a carefully-chosen subset of them, which allows that player to derive a large part of the possible keys, but not all of them. To revoke a key essentially just means choosing to encrypt future disks with a key that particular player cannot derive with its keys.
The number of key blocks that must be placed on each disk to make this scheme work is linear in the number of revoked players. In fact, it can be shown mathematically that if r players have been revoked, then at most 2r+1 key blocks are required on each disk. Simulations show that assuming a random distribution of revocations, on average only 1.28r blocks are required. Each key block is 16 bytes in length, so they can revoke millions of players without significantly affecting the space available on the disk.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
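Added example, not part of the thread and not AACS code: a sketch of how a disc author could pick the key blocks for a given set of revoked players, assuming the tree scheme described in the comment above is the subset-difference broadcast-encryption construction. The heap numbering of the tree and the names `subset_cover`, `under` and `can_decrypt` are choices of this sketch; it models only which subsets are chosen, not the key derivation itself.

```python
# Added example: subset-difference cover over a complete binary tree of players.
# Heap numbering (an assumption of this sketch): root = 1, children of v are
# 2v and 2v+1, the N = 2**height players are leaves N .. 2N-1.

def subset_cover(height, revoked):
    """Return subsets (i, j): 'every leaf under i except those under j'.

    One key block is needed per returned subset. (1, None) means 'all leaves'.
    """
    n = 1 << height
    revoked = set(revoked)
    assert all(n <= leaf < 2 * n for leaf in revoked), "not a leaf index"
    cover = []

    def walk(v):
        # Returns None if no revoked leaf lies under v, else a node j under v
        # such that the subtree of j is fully handled and every leaf under v
        # but outside j is non-revoked and still waiting for a subset.
        if v >= n:
            return v if v in revoked else None
        left, right = walk(2 * v), walk(2 * v + 1)
        if left is None or right is None:
            return left if right is None else right
        # Revocations on both sides: close off each side with one subset.
        if left != 2 * v:
            cover.append((2 * v, left))
        if right != 2 * v + 1:
            cover.append((2 * v + 1, right))
        return v

    top = walk(1)
    if top is None:
        cover.append((1, None))
    elif top != 1:
        cover.append((1, top))
    return cover


def under(leaf, node):
    """True if leaf lies in the subtree rooted at node."""
    while leaf > node:
        leaf >>= 1
    return leaf == node


def can_decrypt(leaf, cover):
    """A player can use subset (i, j) iff it is under i but not under j."""
    return any(under(leaf, i) and (j is None or not under(leaf, j))
               for i, j in cover)
```

Each branching point between revoked players contributes at most two subsets and the root at most one more, which is where a bound linear in r comes from.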