March 28, 2024

Archives for 2007

AACS: Blacklisting, Oracles, and Traitor Tracing

[Posts in this series: 1, 2, 3, 4, 5, 6, 7.]

This is the third post in our discussion of AACS, the encryption scheme used for HD-DVD and Blu-Ray discs. Yesterday Ed explained how it is possible to reverse-engineer a player to learn its secret device keys. With the device keys, you can extract the title key for any disc that the device can play. Anybody with the same disc can use this title key to decrypt the movie.

We’ve already talked about two scenarios where this information could be used for widespread circumvention. One possibility is for the attacker to keep the device keys to himself and publish title keys for discs he has access to. This means anyone can decrypt those discs, but other discs remain secure.

Another option is for the attacker to publish the device keys outright. That would let anyone decrypt any available disc, but it would also tell the AACS central authority which device keys were compromised. Once the central authority knows which device keys to target, it can blacklist those device keys.

Blacklisting in AACS works like this: disc producers can change the way new discs are encrypted so that the blacklisted device keys cannot decrypt the new discs’ headers and therefore cannot extract title keys or decrypt the movies. Of course, blacklisted device keys can still decrypt all the older titles they could before, since the data on old discs doesn’t magically change, but they can’t decipher any new discs.

Blacklisting would be a PR and business disaster if it meant a lot of consumers had to throw away their fancy players as a result of a crack. That’s why AACS allows each individual player to be assigned its own unique set of device keys that can be uniquely blacklisted without adversely affecting other players.

(Some serious crypto wizardry is required to enable a huge number of distinct device keys with surgically precise blacklisting, while keeping device memories and disc headers manageably small.)

Can blacklisting be avoided? Here’s one way an attacker might try: He could keep his device keys secret and create a web site where people can upload header information from discs they want to decrypt. Then he would use his device keys to extract the title keys for those headers and post the title keys back to the site—a sophisticated attacker might automate this process. Cryptographers call this kind of site a decryption oracle.

As it turns out, the designers of AACS anticipated decryption oracles, so the system includes a way to track down and blacklist the device keys used to operate them. This process is called “traitor tracing,” and it works roughly like this: The central authority creates a phony disc header that can be decrypted by about half of the possible devices. (They just need the header, so there’s no need to press an actual disc.) They upload this to the oracle and see whether it can find the title key. The result lets the authority narrow down which devices the oracle’s keys might have come from. The authority repeats the process, creating a new header that will reduce the set of suspects by half again. With a few of these probes, the authority can home in on the oracle’s device keys.

(The full story is more complicated. The oracle might know keys from more than one device; it might try to trick the authority by pretending it can’t decrypt certain headers when it really can; it might try to detect the authority’s probing and change its behavior; and so on. Regardless, the authority can use a sequence of probes to devise a blacklist that will make new discs immune to decryption by the oracle, without affecting noncompromised players.)

The upshot is that if the attacker makes an oracle available to the public, the central authority can render the oracle useless for future discs. However, a clever attacker has another surprisingly effective strategy: limiting who can submit queries to his oracle. We’ll have more on that in tomorrow’s post.

AACS: Extracting and Using Keys

[Posts in this series: 1, 2, 3, 4, 5, 6, 7.]

Let’s continue our discussion of AACS (the encryption scheme used on HD-DVD and Blu-Ray discs) and how it is starting to break down. In Monday’s post I gave some background on AACS and the newly released BackupHDDVD tool.

Recall that AACS decryption goes in two steps. First, the player device uses its device keys to decrypt the disc’s header, thereby getting a title key that is unique to the disc. Then the player uses the title key to decrypt the movie. The BackupHDDVD program does only the second step, so it is worthless unless you can somehow get the title key of the disc you want to access.

But decryption tools will evolve. Somebody will make an online database of title keys, and will modify BackupHDDVD so it automatically consults that database and gets the title keys it needs. This new decryption program will be able to decrypt any disc whose title key appears in the database. This decryption software and database don’t exist yet, but they seem inevitable.

It’s interesting to compare this system with an alternative that distributes decrypted movies. One difference is that a 16-byte title key is much smaller and easier to distribute than a huge movie file – even a dialup line will be able to download title keys in the blink of an eye. Of course, the title key is useful only if you have access to a disc (or a copy of the full encrypted contents of a disc), so some kinds of infringement will be easier with movie files than with title keys. Title keys will, however, be enough to enable in-home fair use.

But where will title keys come from? Probably they’ll be captured by reverse-engineering a player. Every player device, when decrypting a disc, must recover the title key and store it somewhere in the player’s memory, so that the title key can be used to decrypt the movie’s contents. A skilled engineer who works hard enough will be able to find and extract that stored title key. This will probably be easier to do for software players that run on PCs, and somewhat more difficult for dedicated player boxes; but in either case it will be possible. An engineer who extracts a key can upload it to the online database or share it with his friends.

There are economies of scale in key extraction. Having extracted the title keys for a few discs, the engineer will learn how and where the keys can be found and will have a much easier time extracting keys from other discs. Eventually, the extraction might be automated, so he need only insert a disc into his player and then activate a key-extractor device (or program) that he built.

Alternatively, he might try to extract the device keys from his player device. If he can do this, then he can write a software program that can do everything his player can do, including decrypting disc headers and extracting title keys from them. In other words, his program will be able to do both steps of AACS decryption.

Once he has device keys, he could in principle publish them (or equivalently publish a program containing them), thereby allowing everybody to extract title keys and decrypt discs. But if he does this, the AACS central authority will learn which device keys he is using and will blacklist those keys, which will prevent those keys from decrypting discs manufactured in the future. (The next post will discuss the blacklisting mechanism in more detail.)

So the engineer, if he is clever, won’t necessarily publish everything he knows. The more he publishes, the more he helps others freely use their discs – but the more he also helps the central authority fight back. This leads to an interesting strategic game between the engineer and the central authority, which we’ll explore in the next post.

AACS Decryption Code Released

[Posts in this series: 1, 2, 3, 4, 5, 6, 7.]

Decryption software for AACS, the scheme used to encrypt content on both next-gen DVD systems (HD-DVD and Blu-ray), was released recently by an anonymous programmer called Muslix. His software, called BackupHDDVD, is now available online. As shipped, it can decrypt HD-DVDs (according to its author), but it could easily be adapted to decrypt Blu-ray discs.

Commentary has been all over the map, with some calling this a non-event and others seeing the death of AACS. Alex Halderman and I have been thinking about this question, and we believe the right view is that the software isn’t a big deal by itself, but it is the first step in the meltdown of AACS. We’ll explain why in a series of blog posts over the next several days.

Today I’ll explain how the existing technology works: how AACS encrypts the content on a disc, and what the BackupHDDVD software does.

In AACS, each player device is assigned a DeviceID (which might not be unique to that device), and is given decryption keys that correspond to its DeviceID. When a disc is made, a random “title key” is generated and the video content on the disc is encrypted under the title key. The title key is encrypted in a special way that specifies exactly which devices’ decryption keys are able to extract the title key, and the result is then written into a header field on the disc.

When a player device wants to read a disc, the player first uses its own decryption keys (which, remember, are specific to the player’s DeviceID) to extract the title key from the disc’s header; then it uses the title key to unlock the content.

BackupHDDVD does only the second of the two decryption steps: you give it the title key and the encrypted content, and it uses the title key to decrypt the content. BackupHDDVD doesn’t do the first decryption step (extracting the title key from the disc’s header), so BackupHDDVD is useless unless you already have the disc’s title key. The BackupHDDVD download does not include title keys, so somebody who wanted to decrypt his own AACS-protected disc collection would have to get those discs’ title keys from elsewhere.

Typical users can’t extract title keys on their own, so BackupHDDVD won’t be useful to them as it currently stands – hence the claims that BackupHDDVD is a non-event.

But the story isn’t over. BackupHDDVD is the first step in a process that will eviscerate AACS. In the next post, we’ll talk about what will come next.

[Post updated (8 Jan 2007): Corrected the third-to-last paragraph, which originally said that BackupHDDVD came with a few sample title keys. The error was due to my misreading of the code distribution. Also added the second parenthetical in the first paragraph, as a clarification. Thanks to Jon Lech Johansen and Mark for pointing out these issues.]

2007 Predictions

This year, Alex Halderman, Scott Karlin and I put our heads together to come up with a single list of predictions. Each prediction is supported by at least two of us, except the predictions that turn out to be wrong, which must have slipped in by mistake.

Our predictions for 2007:

(1) DRM technology will still fail to prevent widespread infringement. In a related development, pigs will still fail to fly.

(2) An easy tool for cloning MySpace pages will show up, and young users will educate each other loudly about the evils of plagiarism.

(3) Despite the ascent of Howard Berman (D-Hollywood) to the chair of the House IP subcommittee, copyright issues will remain stalemated in Congress.

(4) Like the Republicans before them, the Democrats’ tech policy will disappoint. Only a few incumbent companies will be happy.

(5) Major record companies will sell a significant number of MP3s, promoting them as compatible with everything. Movie studios won’t be ready to follow suit, persisting in their unsuccessful DRM strategy.

(6) Somebody will figure out the right way to sell and place video ads online, and will get very rich in the process. (We don’t know how they’ll do it. If we did, we wouldn’t be spending our time writing this blog.)

(7) Some mainstream TV shows will be built to facilitate YouTubing, for example by structuring a show as a series of separable nine-minute segments.

(8) AACS, the encryption system for next-gen DVDs, will melt down and become as ineffectual as the CSS system used on ordinary DVDs.

(9) Congress will pass a national law regarding data leaks. It will be a watered-down version of the California law, and will preempt state laws.

(10) A worm infection will spread on game consoles.

(11) There will be less attention to e-voting as the 2008 election seems far away and the public assumes progress is being made. The Holt e-voting bill will pass, ratifying the now-solid public consensus in favor of paper trails.

(12) Bogus airport security procedures will peak and start to decrease.

(13) On cellphones, software products will increasingly compete independent of hardware.

2006 Predictions Scorecard

As usual, we’ll start the new year by reviewing the predictions we made for the previous year. After our surprisingly accurate 2005 predictions, we decided to take more risks having more 2006 predictions, and making them more specific. The results, as we’ll see, were … predictable.

Here now, our 2006 predictions, in italics, with hindsight in ordinary type.


(1) DRM technology will still fail to prevent widespread infringement. In a related development, pigs will still fail to fly.

We predict this every year, and it’s always right. This prediction is so obvious that it’s almost unfair to count it.

Verdict: Right.


(2) The RIAA will quietly reduce the number of lawsuits it files against end users.

Verdict: Right.


(3) Copyright owners, realizing that their legal victory over Grokster didn’t solve the P2P problem, will switch back to technical attacks on P2P systems.

They did realize the Grokster case didn’t solve their problem; but they didn’t really emphasize technical countermeasures. They didn’t seem to have a coherent anti-P2P strategy.

Verdict: mostly wrong.


(4) Watermarking-based DRM will make an abortive comeback, but will still be fundamentally infeasible.

The comeback was limited to the now-dead analog hole bill, which backed the dead-on-arrival CGMS-A + VEIL technology. Watermarking still looks infeasible for copy protection.

Verdict: mostly wrong.


(5) Frustrated with Apple’s market power, the music industry will try to cozy up to Microsoft. Afraid of Microsoft’s market power, the movie industry will try to cozy up to Washington.

The music industry was indeed frustrated by Apple’s market power. But they drove a hard bargain with Microsoft, shackling Zune’s most interesting features. The movie industry did cozy up to Washington, but no more than usual, and probably not due to Microsoft-fear.

Verdict: mostly wrong.


(6) The Google Book Search case will settle. Months later, everybody will wonder what all the fuss was about.

No settlement, but excitement about the Book Search case has definitely waned.

Verdict: mostly wrong.


(7) A major security and/or privacy vulnerability will be found in at least one more major DRM system.

Verdict: wrong.


(8) Copyright issues will still be stalemated in Congress.

Another easy one.

Verdict: right.


(9) Arguments based on national competitiveness in technology will have increasing power in Washington policy debates.

This didn’t happen. We thought the election would make economic health more salient; but the election focus was elsewhere.

Verdict: mostly wrong.


(10) Planned incompatibility will join planned obsolescence in the lexicon of industry critics.

Verdict: mostly wrong.


(11) There will be broad consensus on the the need for patent reform, but very little consensus on what reform means.

The main policy division, predictably, was between the infotech and biotech sectors.

Verdict: right.


(12) Attention will shift back to the desktop security problem, and to the role of botnets as a tool of cybercrime.

This should have happened, but commentators mostly missed the growing importance of this issue. Botnets were implicated in the spam renaissance.

Verdict: mostly wrong.


(13) It will become trendy to say that the Internet is broken and needs to be redesigned. This meme will be especially popular with those recommending bad public policies.

This trend mostly didn’t materialize, though there were wisps of this argument in the net neutrality debate.

Verdict: mostly wrong.


(14) The walls of wireless providers’ “walled gardens” will get increasingly leaky. Providers will eye each other, wondering who will be the first to open their network.

Verdict: mostly right.


(15) Push technology (remember PointCast and the Windows Active Desktop?) will return, this time with multimedia, and probably on portable devices. People won’t like it any better than they did before.

Push tried to bring the TV model to the Net, so it seemed logical that as TV moved onto the Net it would become more push-like. But this didn’t happen, at least not yet.

Verdict: wrong.


(16) Broadcasters will move toward Internet simulcasting of free TV channels. Other efforts to distribute authorized video over the net will disappoint.

Verdict: mostly right.


(17) HD-DVD and Blu-ray, touted as the second coming of the DVD, will look increasingly like the second coming of the Laserdisc.

The jury is still out, but this prediction is looking good so far.

Verdict: mostly right.


(18) “Digital home” products will founder because companies aren’t willing to give customers what they really want, or don’t know what customers really want.

Outside of promotional efforts in the trade press, we didn’t hear much about the digital home.

Verdict: mostly right.


(19) A name-brand database vendor will go bust, unable to compete against open source.

Verdict: wrong.


(20) Two more significant desktop apps will move to an Ajax/server-based design (as email did in moving toward Gmail). Office will not be one of them.

There seemed to be a trend in this direction, but I can’t point to two major apps that moved. But Google did introduce Office-like products in this category.

Verdict: mostly wrong.


(21) Technologies that frustrate discrimination between different types of network traffic will grow in popularity, backed partly by application service providers like Google and Yahoo.

These technologies didn’t develop, perhaps because of the policy stalemate over net neutrality.

Verdict: wrong.


(22) Social networking services will morph into something actually useful.

This one is hard to categorize. The meaning of “social networking” changed during 2006; it now refers to sites like MySpace and Facebook that are primarily webpage hosting services. That’s a useful and popular function; but it’s the term rather than the technology that morphed.

Verdict: mostly right (I guess).


(23) There will be a felony conviction in the U.S. for a crime committed entirely in a virtual world.

Commenters noted at the time that this prediction was poorly specified. Which didn’t matter, because it was wrong no matter how you interpret it.

Verdict: wrong.

Overall scorecard for 2006 predictions: four right, five mostly right, nine mostly wrong, five wrong. That’s more wrong than right, by a narrow margin, showing that our risk-taking strategy worked.

Stay tuned for our 2007 predictions.