November 25, 2024

Making and Breaking HDCP Handshakes

I wrote yesterday about the HDCP/HDMI technology that Hollywood wants to use to restrict the availability of very high-def TV content. Today I want to go under the hood, explaining how the key part of HDCP, the handshake, works. I’ll leave out some mathematical niceties to simplify the explanation; full details are in a 2001 paper by Crosby et al.

Suppose you connect an HDMI-compliant next-gen DVD player to an HDMI-compliant TV, and you try to play a disc. Before sending its highest-res digital video to the TV, the player will insist on doing an HDCP handshake. The purpose of the handshake is for the two devices to authenticate each other, that is, to verify that the other device is an authorized HDCP device, and to compute a secret key, known to both devices, that can be used to encrypt the video as it is passed across the HDMI cable.

Every new HDCP device is given two things: a secret vector, and an addition rule. The secret vector is a sequence of 40 secret numbers that the device is not supposed to reveal to anybody. The addition rule, which is not a secret, describes a way of adding up numbers selected from a vector. Both the secret vector and the addition rule are assigned by HDCP’s central authority. (I like to imagine that the central authority occupies an undersea command center worthy of Doctor Evil, but it’s probably just a nondescript office suite in Burbank.)

An example will help to make this clear. In the example, we’ll save space by pretending that the vectors have four secret numbers rather than forty, but the idea will be the same. Let’s say the central authority issues the following values:

secret vector addition rule
Alice (26, 19, 12, 7) [1]+[2]
Bob (13, 13, 22, 5) [2]+[4]
Charlie (22, 16, 5, 19) [1]+[3]
Diane (10, 21, 11, ,14) [2]+[3]

Suppose Alice and Bob want to do a handshake. Here’s how it works. First, Alice and Bob send each other their addition rules. Then, Alice applies Bob’s addition rule to her vector. Bob’s addition rule is “[2]+[4]”, which means that Alice should take the second and fourth elements of her secret vector and add them together. Alice adds 19+7, and gets 26. In the same way, Bob applies Alice’s addition rule to his secret vector – he adds 13+13, and gets 26. (In real life, the numbers are much bigger – about 17 digits.)

There are two things to notice about this process. First, in order to do it, you need to know either Alice’s or Bob’s secret vector. This means that Alice and Bob are the only ones who will know the result. Second, Alice and Bob both got the same answer: 26. This wasn’t a coincidence. There’s a special mathematical recipe that the central authority uses in generating the secret vectors to ensure that the two parties to any legitimate handshake will always get the same answer.

Now both Alice and Bob have a secret value – a secret key – that only they know. They can use the key to authenticate each other, and to encrypt messages to each other.

This sounds pretty cool. But it has a very large problem: if any four devices conspire, they can break the security of the system.

To see how, let’s do an example. Suppose that Alice, Bob, Charlie, and Diane conspire, and that the conspiracy wants to figure out the secret vector of some innocent victim, Ed. Ed’s addition rule is “[1]+[4]”, and his secret vector is, of course, a secret.

The conspirators start out by saying that Ed’s secret vector is (x1, x2, x3, x4), where all of the x’s are unknown. They want to figure out the values of the x’s – then they’ll know Ed’s secret vector. Alice starts out by imagining a handshake with Ed. In this imaginary handshake, Ed will apply Alice’s addition rule ([1]+[2]) to his own secret vector, yielding x1+x2. Alice will apply Ed’s addition rule to her own secret vector, yielding 26+7, or 33. She knows that the two results will be equal, as in any handshake, which gives her the following equation:

x1 + x2 = 33

Bob, Charlie, and Diane each do the same thing, imagining a handshake with Ed, and computing Ed’s result (a sum of some of the x’s), and their own result (a definite number), then setting the two results equal to each other. This yields three more equations:

x2 + x4 = 18
x1 + x3 = 41
x2 + x3 = 24

That makes four equations in four unknowns. Whipping out their algebra textbooks, the conspiracy solves the four equations, to determine that

x1 = 25
x2 = 8
x3 = 16
x4 = 10

Now they know Ed’s secret vector, and can proceed to impersonate him at will. They can do this to any person (or device) they like. And of course Ed doesn’t have to be a real person. They can dream up an imaginary person (or device) and cook up a workable secret vector for it. In short, they can use this basic method to do absolutely anything that the central authority can do.

In the real system, where the secret vectors have forty entries, not four, it takes a conspiracy of about forty devices, with known private vectors, to break HDCP completely. But that is eminently doable, and it’s only a matter of time before someone does it. I’ll talk next time about the implications of that fact.

[Correction (April 15): I changed Diane’s secret vector and addition rule to fix an error in the conspiracy-of-four example. Thanks for Matt Mastracci for pointing out the problem.]

HDMI and Output Control

Tim Lee at Tech Liberation Front points out an interesting aspect of the new MovieBeam device – it offers its highest-resolution output only to video displays that use the HDMI format.

(MovieBeam is a $200 box you buy that lets you buy 24-hour access to recent movies. There is a rotating menu of movies. Currently video content is trickled out to MovieBeam boxes via unused broadcast bandwidth rented from PBS stations. Eventually they’ll use the Internet to distribute movies to the devices.)

This is a common tactic these days – transmitting the highest-res content only via HDMI. And it seems like a mistake for Hollywood to insist on this. The biggest problem is that some HDTVs have HDMI inputs and some don’t, and most consumers don’t know the difference. Do you know whether your TV has an HDMI input? If you do, you either (a) don’t have a high-def TV, or (b) are a serious video geek.

Consider a (hypothetical) consumer, Fred, who bought an early high-def set because he wanted to watch movies. Fred buys MovieBeam, or a next-gen DVD player, only to discover that his TV can’t display the movies he wants in full definition, because his TV doesn’t do HDMI.

Fred will be especially angry to learn that his MovieBeam box or high-def DVD player is perfectly capable of sending content at higher definition to the inputs that his TV does have, but because of a bunch of legal mumbo-jumbo that Hollywood insists upon, his set-top box deliberately down-rezzes the video before sending it to his TV. Just imagine what Fred will think when he sees news stories about how pirated content is available in portable, high-def formats that will work with his TV.

The official story is that HDMI is a security measure, designed to stop infringers. It’s been known for years that HDMI has serious security flaws; even Wikipedia discusses them. HDMI’s security woes make a pretty interesting story, which I’ll explore over several posts. First I’ll talk about what HDMI is trying to do. Then I’ll go under the hood and talk about how the critical part of HDMI works and its well-known security flaws. (This part is already in the academic literature; I’ll give a more accessible description.) Finally, I’ll get to what is probably the most interesting part: what the history of HDMI security tells us about the industry’s goals and practices.

Officially, the security portion of HDMI is known as High-bandwidth Digital Content Protection, or HDCP. The core of this security design is the HDCP handshake, which takes place whenever two devices communicate over an HDMI cable. The handshake has two goals. First, it lets each device confirm that the other device is an authorized HDCP device. Second, it lets the two devices agree on a secret encryption key which only those two devices know. Subsequent communication over the cable is encrypted using that key, so that eavesdroppers can’t get their hands on any content that is distributed.

In theory, this is supposed to stop would-be infringers. If an infringer tries to plug an authorized video source (like a MovieBeam box) into a device that can capture and redistribute video content, this won’t work, because the capture device won’t be able to do the handshake – the authorized video source will recognize that it is unauthorized and so will refuse to sent it content. Alternatively, if an infringer tries to capture content off the wire, between an authorized source and an authorized TV set, this will be foiled by encryption. That’s the theory at least. The practice is quite different, as I’ll describe next time.

Understanding the Newts

Recently I’ve been trying to figure out the politics of technology policy. There seem to be regularly drawn battle lines in Congress, but for the most part tech policy doesn’t play out as a Republican vs. Democratic or liberal vs. conservative conflict.

Henry Farrell, in a recent post at Crooked Timber, put his finger on one important factor. This was part of a larger online seminar on Chris Mooney’s book “The Republican War on Science” (which I won’t discuss here). Here’s the core of Henry Farrell’s observation:

There’s a strand of Republican thinking – represented most prominently by Newt Gingrich and by various Republican-affiliated techno-libertarians – that has a much more complicated attitude to science. Chris [Mooney] more or less admits in the book that he doesn’t get Newt, who on the one hand helped gut OTA [the Office of Technology Assessment] (or at the very least stood passively to one side as it was gutted) but on the other hand has been a proponent of more funding for many areas of the sciences. I want to argue that getting Newt is important.

What drives Newt and people like him? Why are they so vigorously in favour of some kinds of science, and so opposed to others? The answer lies, I think, in an almost blindly optimistic set of beliefs about technology and its likely consequences when combined with individual freedom. Technology doesn’t equal science of course; this viewpoint is sometimes pro-science, sometimes anti- and sometimes orthogonal to science as it’s usually practiced. Combining some half-baked sociology with some half arsed intellectual history, I want to argue that there is a pervasive strain of libertarian thought (strongly influenced by a certain kind of science fiction) that sees future technological development as likely to empower individuals, and thus as being highly attractive. When science suggests a future of limitless possibilities for individuals, people with this orientation tend to be vigorously in its favour. When, instead, science suggests that there are limits to how technology can be developed, or problems that aren’t readily solved by technological means, people with this orientation tend either to discount it or to be actively hostile to it.

This mindset is especially dicey when applied to technology policy. It’s one thing to believe, as Farrell implies here, that technology can always subdue nature. That view at least reflects a consistent faith in the power of technology. But in tech policy issues, we’re not thinking so much about technology vs. nature, as about technology vs. other technology. And in a technology vs. technology battle, an unshakable faith in technology isn’t much of a guide to action.

Consider Farrell’s example of the Strategic Defense Initiative, the original Reagan-era plan to develop strong defenses against ballistic missile attacks. At the time, belief that SDI would succeed was a pretty good litmus test for this kind of techno-utopianism. Most reputable scientists said at the time that SDI wasn’t feasible, and they turned out to be right. But the killer argument against SDI was that enemies would adapt to SDI technologies by deploying decoys, or countermeasures, or alternatives to ballistic missiles such as suitcase bombs. SDI was an attempt to defeat technology with technology.

The same is true in the copyright wars. Some techno-utopians see technology – especially DRM – as the solution. The MPAA’s rhetoric about DRM often hits this note – Jack Valenti is a master at professing faith in technology as solving the industry’s problems. But DRM tries to defeat technology with technology, so faith in technology doesn’t get you very far. To make good policy, what you really need is to understand the technologies on both sides of the battle, as well as the surrounding technical landscape that lets you predict the future of the technical battle.

The political challenge here is how to defuse the dangerous instincts of the less-informed techno-utopians. How can we preserve their general faith in technology while helping them see why it won’t solve all human problems?

Princeton-Microsoft Intellectual Property Conference

Please join us for the 2006 Princeton University – Microsoft Intellectual Property Conference, Creativity & I.P. Law: How Intellectual Property Fosters or Hinders Creative Work, May 18-19 at Princeton University. This public conference will explore a number of strategies for dealing with IP issues facing creative workers in the fields of information technology, biotechnology, the arts, and archiving/humanities.

The conference is co-sponsored by the Center for Arts and Cultural Policy Studies, the Program in Law and Public Affairs, and the Center for Information Technology Policy at the Woodrow Wilson School of Public and International Affairs and funded by the Microsoft Corporation, with additional support from the Rockefeller Foundation.

The conference features keynote addresses from Lawrence Lessig, Professor of Law at Stanford Law School, and Raymond Gilmartin, former CEO of Merck, Inc. A plenary address will be delivered by Sérgio Sá Leitão, Secretary for Cultural Policies at the Ministry of Culture, Brazil.

Six panels, bringing together experts from various disciplines and sectors, will examine the following topics:

  • Organizing the public interest
  • The construction of authorship
  • Patents and creativity
  • Tacit knowledge and the pragmatics of creative work: can IP law keep up?
  • Compulsory licensing: a solution to multiple-rights-induced gridlock?
  • New models of innovation: blurring boundaries and balancing conflicting norms

We expect the conference to generate a number of significant research initiatives designed to collect and analyze empirical data on the relationship between intellectual property regimes and the practices of creative workers.

Registration for the conference is strongly encouraged as space is limited for some events. For additional information and to register, please visit the conference web site. Online registration will be available beginning Friday, April 14.

We hope to see you in May.

Stanley N. Katz, Director, Center for Arts and Cultural Policy Studies
Paul J. DiMaggio, Research Director, Center for Arts and Cultural Policy Studies
Edward W. Felten, Director, Center for Information Technology Policy

Interoperability, and the Birth of the Web

Tim Berners-Lee was here yesterday, and he told some interesting stories about the birth and growth of the Web.

I was particularly intrigued by his description of the environment at CERN, where he worked during the relevant years. CERN was (and still is) the European nuclear physics research lab. It had a permanent staff, but there was also a constant flow, in and out, of researchers and groups from various countries and institutes. These people generally brought their own computers, or used the same kinds of computers as at their home institutions. This meant that the CERN computer network was a constantly changing hodgepodge of different systems.

In this environment, interoperability – the ability to make all of these systems work together, by using the same protocols and data formats – is necessary to accomplish much of anything. And so the computing people, including Tim B-L, were constantly working to design software that would allow disparate systems to work together.

This was, in some respects, the ideal environment for developing something like the web. You had a constant flow of people in and out, so institutional memory couldn’t just live in people’s heads but had to be written down. These people were scientists, so they wanted to write down what they knew in a way that would be accessible to many others. You had a diverse and constantly changing network, so your technical solution would have to be simple and workable across a range of architectures. And you had a clever technical staff.

One wonders where the equivalent place is today. Perhaps there is a place with the right ingredients to catalyze the growth of the next generation of online communication/collaboration tools. Perhaps CERN is still that place. Or perhaps our tools have evolved to the point where there doesn’t have to be a single place, but this can happen via some Wiki/chat/CVS site.