November 24, 2024

AACS: Extracting and Using Keys

[Posts in this series: 1, 2, 3, 4, 5, 6, 7.]

Let’s continue our discussion of AACS (the encryption scheme used on HD-DVD and Blu-Ray discs) and how it is starting to break down. In Monday’s post I gave some background on AACS and the newly released BackupHDDVD tool.

Recall that AACS decryption goes in two steps. First, the player device uses its device keys to decrypt the disc’s header, thereby getting a title key that is unique to the disc. Then the player uses the title key to decrypt the movie. The BackupHDDVD program does only the second step, so it is worthless unless you can somehow get the title key of the disc you want to access.

But decryption tools will evolve. Somebody will make an online database of title keys, and will modify BackupHDDVD so it automatically consults that database and gets the title keys it needs. This new decryption program will be able to decrypt any disc whose title key appears in the database. This decryption software and database don’t exist yet, but they seem inevitable.

It’s interesting to compare this system with an alternative that distributes decrypted movies. One difference is that a 16-byte title key is much smaller and easier to distribute than a huge movie file – even a dialup line will be able to download title keys in the blink of an eye. Of course, the title key is useful only if you have access to a disc (or a copy of the full encrypted contents of a disc), so some kinds of infringement will be easier with movie files than with title keys. Title keys will, however, be enough to enable in-home fair use.

But where will title keys come from? Probably they’ll be captured by reverse-engineering a player. Every player device, when decrypting a disc, must recover the title key and store it somewhere in the player’s memory, so that the title key can be used to decrypt the movie’s contents. A skilled engineer who works hard enough will be able to find and extract that stored title key. This will probably be easier to do for software players that run on PCs, and somewhat more difficult for dedicated player boxes; but in either case it will be possible. An engineer who extracts a key can upload it to the online database or share it with his friends.

There are economies of scale in key extraction. Having extracted the title keys for a few discs, the engineer will learn how and where the keys can be found and will have a much easier time extracting keys from other discs. Eventually, the extraction might be automated, so he need only insert a disc into his player and then activate a key-extractor device (or program) that he built.

Alternatively, he might try to extract the device keys from his player device. If he can do this, then he can write a software program that can do everything his player can do, including decrypting disc headers and extracting title keys from them. In other words, his program will be able to do both steps of AACS decryption.

Once he has device keys, he could in principle publish them (or equivalently publish a program containing them), thereby allowing everybody to extract title keys and decrypt discs. But if he does this, the AACS central authority will learn which device keys he is using and will blacklist those keys, which will prevent those keys from decrypting discs manufactured in the future. (The next post will discuss the blacklisting mechanism in more detail.)

So the engineer, if he is clever, won’t necessarily publish everything he knows. The more he publishes, the more he helps others freely use their discs – but the more he also helps the central authority fight back. This leads to an interesting strategic game between the engineer and the central authority, which we’ll explore in the next post.

AACS Decryption Code Released

[Posts in this series: 1, 2, 3, 4, 5, 6, 7.]

Decryption software for AACS, the scheme used to encrypt content on both next-gen DVD systems (HD-DVD and Blu-ray), was released recently by an anonymous programmer called Muslix. His software, called BackupHDDVD, is now available online. As shipped, it can decrypt HD-DVDs (according to its author), but it could easily be adapted to decrypt Blu-ray discs.

Commentary has been all over the map, with some calling this a non-event and others seeing the death of AACS. Alex Halderman and I have been thinking about this question, and we believe the right view is that the software isn’t a big deal by itself, but it is the first step in the meltdown of AACS. We’ll explain why in a series of blog posts over the next several days.

Today I’ll explain how the existing technology works: how AACS encrypts the content on a disc, and what the BackupHDDVD software does.

In AACS, each player device is assigned a DeviceID (which might not be unique to that device), and is given decryption keys that correspond to its DeviceID. When a disc is made, a random “title key” is generated and the video content on the disc is encrypted under the title key. The title key is encrypted in a special way that specifies exactly which devices’ decryption keys are able to extract the title key, and the result is then written into a header field on the disc.

When a player device wants to read a disc, the player first uses its own decryption keys (which, remember, are specific to the player’s DeviceID) to extract the title key from the disc’s header; then it uses the title key to unlock the content.

BackupHDDVD does only the second of the two decryption steps: you give it the title key and the encrypted content, and it uses the title key to decrypt the content. BackupHDDVD doesn’t do the first decryption step (extracting the title key from the disc’s header), so BackupHDDVD is useless unless you already have the disc’s title key. The BackupHDDVD download does not include title keys, so somebody who wanted to decrypt his own AACS-protected disc collection would have to get those discs’ title keys from elsewhere.
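The two decryption steps described above, together with the blacklisting of device keys mentioned in the key-extraction post, as a toy model. This is an added example, not code from BackupHDDVD or from the AACS specification. The SHA-256 keystream stands in for the real cipher, the header is simplified to one wrapped copy of the title key per DeviceID, and all function names and sample keys are hypothetical.

```python
import hashlib, hmac, os

def keystream_xor(key, nonce, data):
    """Toy stream cipher (SHA-256 in counter mode). A stand-in, not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def master_disc(content, device_keys, revoked=frozenset()):
    """Encrypt content under a fresh 16-byte title key, then wrap that key
    in the header once per device that is not blacklisted (simplified header)."""
    title_key, nonce = os.urandom(16), os.urandom(8)
    header = {}
    for dev_id, dk in device_keys.items():
        if dev_id in revoked:          # blacklisted: no header entry on new discs
            continue
        wrapped = keystream_xor(dk, nonce, title_key)
        tag = hmac.new(dk, nonce + wrapped, hashlib.sha256).digest()
        header[dev_id] = (wrapped, tag)
    body = keystream_xor(title_key, nonce, content)
    return {"nonce": nonce, "header": header, "body": body}

def extract_title_key(disc, dev_id, device_key):
    """Step 1: a player unwraps the title key with its device key.
    Returns None if the device has no entry or the key does not match."""
    entry = disc["header"].get(dev_id)
    if entry is None:
        return None
    wrapped, tag = entry
    expected = hmac.new(device_key, disc["nonce"] + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return keystream_xor(device_key, disc["nonce"], wrapped)

def decrypt_content(disc, title_key):
    """Step 2: decrypt the content given only the title key."""
    return keystream_xor(title_key, disc["nonce"], disc["body"])

if __name__ == "__main__":
    # Constructed sample device keys and content, for illustration only.
    keys = {"player-A": b"A" * 16, "player-B": b"B" * 16}
    movie = b"constructed sample content " * 4
    old_disc = master_disc(movie, keys)
    new_disc = master_disc(movie, keys, revoked={"player-A"})
    tk = extract_title_key(old_disc, "player-A", keys["player-A"])
    print("old disc, step 2 with title key only:", decrypt_content(old_disc, tk) == movie)
    print("new disc, revoked player, step 1:",
          extract_title_key(new_disc, "player-A", keys["player-A"]))
```

In this model, blacklisting only changes the headers of discs mastered afterwards: a title key already recovered from an older disc still decrypts that disc.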

Typical users can’t extract title keys on their own, so BackupHDDVD won’t be useful to them as it currently stands – hence the claims that BackupHDDVD is a non-event.

But the story isn’t over. BackupHDDVD is the first step in a process that will eviscerate AACS. In the next post, we’ll talk about what will come next.

[Post updated (8 Jan 2007): Corrected the third-to-last paragraph, which originally said that BackupHDDVD came with a few sample title keys. The error was due to my misreading of the code distribution. Also added the second parenthetical in the first paragraph, as a clarification. Thanks to Jon Lech Johansen and Mark for pointing out these issues.]

2007 Predictions

This year, Alex Halderman, Scott Karlin and I put our heads together to come up with a single list of predictions. Each prediction is supported by at least two of us, except the predictions that turn out to be wrong, which must have slipped in by mistake.

Our predictions for 2007:

(1) DRM technology will still fail to prevent widespread infringement. In a related development, pigs will still fail to fly.

(2) An easy tool for cloning MySpace pages will show up, and young users will educate each other loudly about the evils of plagiarism.

(3) Despite the ascent of Howard Berman (D-Hollywood) to the chair of the House IP subcommittee, copyright issues will remain stalemated in Congress.

(4) Like the Republicans before them, the Democrats’ tech policy will disappoint. Only a few incumbent companies will be happy.

(5) Major record companies will sell a significant number of MP3s, promoting them as compatible with everything. Movie studios won’t be ready to follow suit, persisting in their unsuccessful DRM strategy.

(6) Somebody will figure out the right way to sell and place video ads online, and will get very rich in the process. (We don’t know how they’ll do it. If we did, we wouldn’t be spending our time writing this blog.)

(7) Some mainstream TV shows will be built to facilitate YouTubing, for example by structuring a show as a series of separable nine-minute segments.

(8) AACS, the encryption system for next-gen DVDs, will melt down and become as ineffectual as the CSS system used on ordinary DVDs.

(9) Congress will pass a national law regarding data leaks. It will be a watered-down version of the California law, and will preempt state laws.

(10) A worm infection will spread on game consoles.

(11) There will be less attention to e-voting as the 2008 election seems far away and the public assumes progress is being made. The Holt e-voting bill will pass, ratifying the now-solid public consensus in favor of paper trails.

(12) Bogus airport security procedures will peak and start to decrease.

(13) On cellphones, software products will increasingly compete independent of hardware.

2006 Predictions Scorecard

As usual, we’ll start the new year by reviewing the predictions we made for the previous year. After our surprisingly accurate 2005 predictions, we decided to take more risks, having more 2006 predictions and making them more specific. The results, as we’ll see, were … predictable.

Here now, our 2006 predictions, in italics, with hindsight in ordinary type.


(1) DRM technology will still fail to prevent widespread infringement. In a related development, pigs will still fail to fly.

We predict this every year, and it’s always right. This prediction is so obvious that it’s almost unfair to count it.

Verdict: Right.


(2) The RIAA will quietly reduce the number of lawsuits it files against end users.

Verdict: Right.


(3) Copyright owners, realizing that their legal victory over Grokster didn’t solve the P2P problem, will switch back to technical attacks on P2P systems.

They did realize the Grokster case didn’t solve their problem; but they didn’t really emphasize technical countermeasures. They didn’t seem to have a coherent anti-P2P strategy.

Verdict: mostly wrong.


(4) Watermarking-based DRM will make an abortive comeback, but will still be fundamentally infeasible.

The comeback was limited to the now-dead analog hole bill, which backed the dead-on-arrival CGMS-A + VEIL technology. Watermarking still looks infeasible for copy protection.

Verdict: mostly wrong.


(5) Frustrated with Apple’s market power, the music industry will try to cozy up to Microsoft. Afraid of Microsoft’s market power, the movie industry will try to cozy up to Washington.

The music industry was indeed frustrated by Apple’s market power. But they drove a hard bargain with Microsoft, shackling Zune’s most interesting features. The movie industry did cozy up to Washington, but no more than usual, and probably not due to Microsoft-fear.

Verdict: mostly wrong.


(6) The Google Book Search case will settle. Months later, everybody will wonder what all the fuss was about.

No settlement, but excitement about the Book Search case has definitely waned.

Verdict: mostly wrong.


(7) A major security and/or privacy vulnerability will be found in at least one more major DRM system.

Verdict: wrong.


(8) Copyright issues will still be stalemated in Congress.

Another easy one.

Verdict: right.


(9) Arguments based on national competitiveness in technology will have increasing power in Washington policy debates.

This didn’t happen. We thought the election would make economic health more salient; but the election focus was elsewhere.

Verdict: mostly wrong.


(10) Planned incompatibility will join planned obsolescence in the lexicon of industry critics.

Verdict: mostly wrong.


(11) There will be broad consensus on the need for patent reform, but very little consensus on what reform means.

The main policy division, predictably, was between the infotech and biotech sectors.

Verdict: right.


(12) Attention will shift back to the desktop security problem, and to the role of botnets as a tool of cybercrime.

This should have happened, but commentators mostly missed the growing importance of this issue. Botnets were implicated in the spam renaissance.

Verdict: mostly wrong.


(13) It will become trendy to say that the Internet is broken and needs to be redesigned. This meme will be especially popular with those recommending bad public policies.

This trend mostly didn’t materialize, though there were wisps of this argument in the net neutrality debate.

Verdict: mostly wrong.


(14) The walls of wireless providers’ “walled gardens” will get increasingly leaky. Providers will eye each other, wondering who will be the first to open their network.

Verdict: mostly right.


(15) Push technology (remember PointCast and the Windows Active Desktop?) will return, this time with multimedia, and probably on portable devices. People won’t like it any better than they did before.

Push tried to bring the TV model to the Net, so it seemed logical that as TV moved onto the Net it would become more push-like. But this didn’t happen, at least not yet.

Verdict: wrong.


(16) Broadcasters will move toward Internet simulcasting of free TV channels. Other efforts to distribute authorized video over the net will disappoint.

Verdict: mostly right.


(17) HD-DVD and Blu-ray, touted as the second coming of the DVD, will look increasingly like the second coming of the Laserdisc.

The jury is still out, but this prediction is looking good so far.

Verdict: mostly right.


(18) “Digital home” products will founder because companies aren’t willing to give customers what they really want, or don’t know what customers really want.

Outside of promotional efforts in the trade press, we didn’t hear much about the digital home.

Verdict: mostly right.


(19) A name-brand database vendor will go bust, unable to compete against open source.

Verdict: wrong.


(20) Two more significant desktop apps will move to an Ajax/server-based design (as email did in moving toward Gmail). Office will not be one of them.

There seemed to be a trend in this direction, but I can’t point to two major apps that moved. But Google did introduce Office-like products in this category.

Verdict: mostly wrong.


(21) Technologies that frustrate discrimination between different types of network traffic will grow in popularity, backed partly by application service providers like Google and Yahoo.

These technologies didn’t develop, perhaps because of the policy stalemate over net neutrality.

Verdict: wrong.


(22) Social networking services will morph into something actually useful.

This one is hard to categorize. The meaning of “social networking” changed during 2006; it now refers to sites like MySpace and Facebook that are primarily webpage hosting services. That’s a useful and popular function; but it’s the term rather than the technology that morphed.

Verdict: mostly right (I guess).


(23) There will be a felony conviction in the U.S. for a crime committed entirely in a virtual world.

Commenters noted at the time that this prediction was poorly specified. Which didn’t matter, because it was wrong no matter how you interpret it.

Verdict: wrong.

Overall scorecard for 2006 predictions: four right, five mostly right, nine mostly wrong, five wrong. That’s more wrong than right, by a narrow margin, showing that our risk-taking strategy worked.

Stay tuned for our 2007 predictions.

Holiday Stories

It’s time for our holiday hiatus. See you back here in the new year.

As a small holiday gift, we’re pleased to offer updated versions of some classic Christmas stories.

How the Grinch Pwned Christmas: The Grinch, determined to stop Christmas, hacks into Amazon’s servers and cancels all deliveries to Who-ville. The Whos celebrate anyway, gathering in a virtual circle and exchanging user-generated content. When the Grinch sees this, his heart grows two sizes and he priority-ships replacement gifts to Who-ville.

Rudolph the Net-Nosed Reindeer: Rudolph is shunned by his reindeer peers for having a goofy WiFi-enabled nose. But he becomes a hero one foggy Christmas Eve by using the nose to access Google Maps, helping Santa navigate to the homes of good children.

Gift of the eMagi: Poor husband and wife find perfect gifts for each other and bid aggressively for them on eBay. Unbeknownst to them, they’re bidding against each other for the same gift. Determined to express their love by paying whatever it takes to get the gift, they bid themselves into bankruptcy.

NSA Claus is Coming to Town: He sees you when you’re sleeping. He knows when you’re awake. He knows if you’ve been bad or good, so be good or go to Gitmo.

The Little DRM-er Boy: A boy wants to share his recorded drum solo with Baby Jesus, but the file is tethered to a faraway computer. With the aid of three downloads from the East, he rips an MP3 and emails it to Mary and Joseph just in time for Christmas Night.

It’s a Wonderful Second Life: George Bailey believes that Second Life would have been better if he had never signed on at all. He jumps off a bridge … and floats slowly to the ground. Clarence Linden, George’s guardian avatar, restores the server backup from before George signed on, and watches with George while griefers run wild. George sees the error of his ways, and Clarence restores his account.

A Vista Carol: Ebenezer “Steve” Ballmer runs a coding shop in Merry Old Redmond. He forces programmer Bob Cratchit to work overtime on Christmas to meet the Vista ship date. At night, Ballmer is visited by three Ghost images: Windows Past, Windows Present, and Windows Future. [Fill in your own jokes here.] The next morning, Ballmer sends Bob home for Christmas, in exchange for a promise to keep his Blackberry on during dinner.

[Thanks to Alex Halderman and my family for help writing the stories.]