April 18, 2014

AACS: A Tale of Three Keys

[Previous posts in this series: 1, 2, 3, 4, 5, 6, 7.]

This week brings further developments in the gradual meltdown of AACS (the encryption scheme used for HD-DVD and Blu-Ray discs). Last Sunday, a member of the Doom9 forum, writing under the pseudonym Arnezami, managed to extract a “processing key” from an HD-DVD player application. Arnezami says that this processing key can be used to decrypt all existing HD-DVD and Blu-Ray discs. Though currently this attack is more powerful than previous breaks, which focused on a different kind of key, its usefulness will probably diminish as AACS implementers adapt.

To explain what’s at stake, we need to describe a few more details about the way AACS manages keys. Recall that AACS player applications and devices are assigned secret device keys. Devices can use these keys to calculate a much larger set of keys called processing keys. Each AACS movie is encrypted with a unique title key, and several copies of the title key, encrypted with different processing keys, are stored on the disc. To play a disc, a device figures out which of the encrypted title keys it has the ability to decrypt. Then it uses its device keys to compute the necessary processing key, uses the processing key to decrypt the title key, and uses the title key to extract the content.

These three kinds of keys have different security properties that make them more or less valuable to attackers. Device keys are the most useful. If you know the device keys for a player, you can decrypt any disc that the player can. Title keys are the least useful, because each title key works only for a single movie. (Attacks on any of these keys will be limited by disc producers’ ability to blacklist compromised players. If they can determine which device has been compromised, they can change future discs so that the broken player, or its leaked device keys, won’t be able to decrypt them.)

To date, no device keys have been compromised. All successful breaks, before Arnezami, have involved extracting title keys from player software. These attacks are rather cumbersome: before non-technical users can decrypt a movie, somebody with the means to extract the title key needs to obtain a copy of the disc and publish its title key online. Multiple web sites for sharing title keys have been deployed, but these are susceptible to legal and technical threats.

So is the new attack on the processing key comparable to learning a venerable device key or a lowly title key? The answer is that, due to a strange quirk in the way the processing keys used on existing discs were selected, the key Arnezami published apparently can be used to decrypt every HD-DVD or Blu-Ray disc on the market. For the time being, knowing Arnezami’s processing key is as powerful as knowing a device key. For instance, someone could use the processing key to build a player or ripper that is able to treat all current discs as if they were unencrypted, without relying on online services or waiting for other users to extract title keys.

Yet this power will not last long. For future discs, processing key attacks will probably be no more valuable than title key attacks, working only on a single disc or a few discs at most. We’ll explain why in tomorrow’s post.
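
The effect of reusing one key selection on every disc can be seen in a toy model. This is an added example, not code from the original post or from AACS: it assumes a simplified complete-subtree key tree with HMAC-derived node keys and XOR wrapping instead of the real subset-difference scheme and AES, and every name and size in it is hypothetical.

```python
import hashlib, hmac, os

DEPTH = 4  # toy tree with 2**4 = 16 device slots (constructed size)

def node_key(master, node):
    """Licensor side: key of a tree node (heap numbering, root = 1)."""
    return hmac.new(master, b"node:%d" % node, hashlib.sha256).digest()

def device_keys(master, leaf):
    """A device holds the key of every node on its leaf-to-root path."""
    node, keys = (1 << DEPTH) + leaf, {}
    while node >= 1:
        keys[node] = node_key(master, node)
        node //= 2
    return keys

def _pad(key, nonce):
    return hashlib.sha256(key + nonce).digest()

def press_disc(master, cover, title_key):
    """Disc header: the title key wrapped once per node in the cover."""
    records = {}
    for node in cover:
        nonce = os.urandom(16)
        pad = _pad(node_key(master, node), nonce)
        records[node] = (nonce, bytes(a ^ b for a, b in zip(title_key, pad)))
    check = hmac.new(title_key, b"verify", hashlib.sha256).digest()
    return {"records": records, "check": check}

def play(disc, keys):
    """Return the title key if any held key opens a record, else None."""
    for node, (nonce, wrapped) in disc["records"].items():
        if node not in keys:
            continue
        candidate = bytes(a ^ b for a, b in zip(wrapped, _pad(keys[node], nonce)))
        tag = hmac.new(candidate, b"verify", hashlib.sha256).digest()
        if hmac.compare_digest(tag, disc["check"]):
            return candidate
    return None

def demo():
    master = os.urandom(32)                      # constructed licensor secret
    titles = [os.urandom(32) for _ in range(3)]  # constructed title keys
    player = device_keys(master, leaf=5)         # holds nodes 21, 10, 5, 2, 1
    leaked = {1: player[1]}                      # only the processing key escapes
    # Discs A and B reuse the same cover {root}; disc C uses the
    # equivalent cover {2, 3}, which reaches exactly the same devices.
    discs = [press_disc(master, c, t) for c, t in zip(([1], [1], [2, 3]), titles)]
    return {
        "leaked_key": [play(d, leaked) == t for d, t in zip(discs, titles)],
        "full_device": [play(d, player) == t for d, t in zip(discs, titles)],
    }

if __name__ == "__main__":
    print(demo())
```

The licensed player opens all three discs, while the single leaked key opens only the two that share its cover; varying the cover from disc to disc costs legitimate devices nothing.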

Comments

  1. jeremiah johnson says:

    so while a device key that would allow one to decrypt any movie playable by that device may never be found, other keys such as title keys and processing keys have been and will continue to be found and published. accurate summary?

  2. Crosbie Fitch says:

    What we need is a new law to prohibit anyone reverse engineering any device or protocol in the AACS communication chain, or employing any key or device manufactured with the benefit of any knowledge so obtained.

    Could call it something like:
    Delinquent Manipulation or Circumvention of AACS

    or DMCA for short eh?

  3. jeremiah johnson says:

    I believe that will be closer to the actual reaction than most guesses.

    I love that people call AACS and CSS “copy protection” schemes when they are simply “viewing restriction” schemes and nothing more. You can copy encrypted bits just as easy as any other bits, and you can use the copied encrypted bits anywhere the “original” bits can be used, so encryption is definitely not copy protection.

    For the benefit of any movie studio executives reading this, might I toss an idea into the discussions at your side of this webpage?

    a) We do not want viewing restrictions on our movies.
    b) The vast majority of movie viewers are honest people.
    c) Copyright law gives us the right to fair use.

    Why not remove your viewing restrictions and let us play movies we buy on the devices we own OTHER than the DVD player? I will *never* buy two copies of a movie just to play it on two different devices, I will instead exercise my fair-use rights and make a copy or copies for personal use. You make fair use very difficult and you cause a great deal of pain to those who do not know how to surpass your viewing restrictions. Your customers aren’t thieves, stop treating them like thieves. Those that are thieves are the street vendors who sell counterfeits. The thieves aren’t the ones who copy DVDs they own for viewing on portable devices. That is called “an untapped market.”

    Simply give us the movies we want in formats that we want, in our chosen delivery method, rather than DVDs only. We will buy them. Customers are more likely to buy what they need rather than what you prescribe. Give the customers what they want, choice, freedom, trust, and we will repay you with money, the substance our society provides in exchange for goods and services. Give us ways to obtain our favorite movies in ways that are useful to us. Let us play our movies on Linux. Let us play that same copy on our iPods. Let us play that same copy on our home theaters. Give the customer flexibility, save yourself the money on developing viewing restriction schemes and trust your customers to do the right thing and pay for the goods they obtain.

  4. John says:

    The AACSLA blamed the discovery of title keys on player software writers.

    But player software writers are not responsible for the “strange quirk in the way the processing keys used on existing discs were selected”.

    Who, then, is responsible for the “strange quirk in the way the processing keys used on existing discs were selected”?

  5. John says:

    And another point which does not seem to have been made clear. Could it ever get to where it was necessary for keys to be revoked or changed in such a way as existing disks would no longer play on updated players?

  6. DanITman says:

    John,

    Processing keys are not on the disc. Processing keys are created by the specific player. This processing key that was leaked was sniffed from the USB of a specific player. I’m sure you can guess the player.

  7. arnezami says:

    I can confirm that it is possible for “them” to make found Processing Keys far less valuable.

    This is because they can use different but equivalent Explicit Subset-Difference Records. In order to decrypt discs with different of these Records you really need Device Keys (because they can choose different Processing Keys).

    But since that wasn’t required (AACS screwed up here big time) only the Processing Key was released (which doesn’t identify the software player it came from btw).

    Whether they will actually do this “shuffling” inside this Record in the near future (do they even understand how this works? I started to doubt when I saw these records for the first time) is not clear. Maybe they have some (stupid) policy or their program to create these records isn’t up to this yet. I don’t know. We’ll see :) .

    Not that any of this really/fundamentally matters though…

  8. J. Alex Halderman says:

    jeremiah johnson:
    > so while a device key that would allow one to decrypt any movie
    > playable by that device may never be found, other keys such as
    > title keys and processing keys have been and will continue to be
    > found and published. accurate summary?

    I’m sure device keys will be found too.

  9. J. Alex Halderman says:

    John:
    > And another point which does not seem to have been clear.
    > Could it ever get to where it was necessary for keys to be
    > revoked or changed in such a way as existing disks would no
    > longer play on updated players?

    There is a mechanism for revoking pieces of content, but it seems very unlikely that it will be used on discs that are in widespread circulation. The copyright holder would presumably be under an obligation to replace revoked discs, and the cost of doing so would almost certainly outweigh the marginal anti-piracy benefits.

  10. J. Alex Halderman says:

    arnezami:

    Yes, this is what we’re going to explain in tomorrow’s post. Indeed, it’s perplexing that all current discs use the same subset cover. Randomizing the covers would not only make the processing keys less useful but also improve traitor tracing against online oracles.

  11. boogled says:

    Arne:
    I haven’t had the time to read through / understand all the details of the AACS, so my understanding of the system may be way off here… but still…

    Is it really that hard to find out which player created the processing key?

    If I’m not mistaken, they need to keep copies of all keys/branches, or whatever, that is issued to an organization (they need this for the revocation lists right?).

    So if they have issued… say… 1 000 000 keys to software companies.

    How long does it take for them to brute force their way through the keys until they find the one that makes an identical processing key? If I’m not mistaken, they even know the one title that was used, they know the processing key… all they should need to do is to try all the device keys they have issued to software companies, and they will find the correct device given time.

    Again, my understanding of the system is limited, so I may be way off… Just want your comments on this one :P

  12. Steph says:

    To J. Alex Halderman :

    How many times must it be repeated that broadcast encryption is NOT a traitor tracing scheme but a key management scheme?

  13. John says:

    OK. I am a movie studio, and I have a warehouse full of HD disks of a movie, already made and packaged, ready to ship for a release date in a couple of weeks time. I now know that if I sell them, the movie will be on the torrent sites within a few hours.

    What do I do with those disks now, and who picks up the bill?

  14. boogled says:

    John:

    Don’t worry about the bill… studios always find a way to make people pay ;-)

    I say sell the HD-DVDs cheap and cut your loss… Who knows, maybe it will even work to your advantage (cheap prices = more movies sold = more happy customers).

    Heck… while you are at it, you might as well open a webshop and sell the movies online for even lower production cost (earning even more money again :P )…

  15. John says:

    I might get onto First 4 Internet (sorry, they have changed their name to Fortium Technologies) and ask them to develop a way of changing the encryption on disks that have already been pressed (without taking them out of the packaging).

  16. Anonymous says:

    Sorry but that’s not even possible. Once pressed, the disc is done. Even if you used writable media (which you don’t) you could not write anything without taking the discs out of the package and inserting each and every one of them in a burner.

    Just hear the advice and calm down. You should take this as a personal test. I’m sure that if someone takes one of your discs and shares them on the net, your sales won’t be affected at all.

    This is mainly because of two reasons:
    First: It is annoying. No, really. Downloading and burning +10gigs worth of data is cumbersome if you had the alternative to buy it easily for a reasonable price.

    Second: Those who would buy it, would regardless of the availability of a copy online. The opposite is also true: Those who would NOT buy it, would not, either because they don’t have the money, can’t give it to you even if they had it, or can’t order it because a country’s restrictions with imports, taxes, etc.

    Trying to “punish the burglars” will only lead you to frustration and a lot of money wasted in technological and legal expenses; while at the same time annoy your customers which might be trying to make a backup to prevent their kids from scratching the disc.

    You might want to investigate what happened to Sony when they tried their last attempt to “protect” CDs (Search for “Sony rootkit”). Long story short, all major record labels have stopped trying to implement technological measures to stop copies. You might choose to ignore these words now, and rather follow the advice of people trying to sell you magical snake oil, but in a number of years, you will come to the same conclusion: It is just not worth it.

    Your business model needs to be adapted to the new reality. iPods and broadband are not going back. Please watch the video “Download this Song” by MC Lars, if you care: http://www.mclars.com/v2/media.html

  17. stany says:

    John:

    Current frustration with HD-DVDs and Blu-Ray movies is not about copy protection. It is about inability to play a legal disk on an existing computer. One of the things that HD-DVD folks got right, is lack of regions. Currently I have Rambo I, II and III, produced by Studio Canal in France, sitting on my desk on the other side of Earth. However, currently my computer can’t play them back, even though I have a fast enough CPU, right software and compatible drive, because my video card doesn’t support DVI, and my monitor has analog inputs. I can watch the trailer and the ads, but I can’t watch the main feature itself.

    Am I hoping that someone out there figured out how to decrypt these movies? Yes, I am. Should you, were you Studio Canal, care? I doubt it, since they got my money already. Will I buy any more of their movies? Well, it depends. Will I be able to play them back once I buy them?

    For what it’s worth, I am a content creator too. I film martial arts training videos. The fact that I practice myself probably helps, as this allows me to have an idea as to what I’d want to see in a training video. My audience is rather scant, as only a small percentage of population is interested in topic, and small percentage of the interested people are willing to pay.

    For me, including a 10 second clip at the beginning of the movie, saying that “Thank you for buying this DVD. If you ended up downloading this film from internet, and liked it, consider donating 29.95 to such and such paypal account so we could continue releasing more work of similar quality. As a token of appreciation for your donation, we will send you a DVD of this movie” works. But then again, my target market is small, and everyone knows everyone. Now, something tells me that this will not work for you 8-(

  18. John says:

    Sorry – that was said tongue in cheek (I hoped the first 4 Internet reference would have indicated it – they created the XCP saga for Sony).

    The point is this. If, in order to close security holes, it becomes necessary to scrap manufactured material in the pipeline, or to revoke and replace already sold disks, then who foots the bill?

  19. bonapart says:

    The advantage that attackers have is real-time counterattack ability via the net. The discs have lead times, and whatever revocation they may contain will probably be old news by the time they are purchased. It seems that it will be trivial for the attackers to easily keep up with any changes.

    By the way, it has been confirmed that the beta version of AnyDVD-HD is using the DEVICE key from PowerDVD 6.5.

    If the device key from this software player was extracted once, there isn’t any reason to believe that it won’t be able to be extracted again, should it be changed. The way I see this playing out is that device keys will be repeatedly extracted from PC software players, and it will go on like this for the duration, unless PC software players are issued no new device keys.

  20. Hal says:

    I would assume that in current discs, no players have yet been revoked. The algorithm requires encryption to keys in the tree associated with revoked discs. Since there are none at present, they must have created a fake revoked player and are using that for the encryption. That is why all discs are encrypted to the same key.

    However it would have been easy to set aside a large number of such “fake” pre-revoked devices. Their key space supports billions of devices so they could have set aside a million without materially diminishing key space. This would allow them to use a different processing key for every title. However they have not done so yet; up to now they have been using the same processing key and the same Media Key Block for all disks.

    This probably represents a phasing-in of the technology, starting with the simplest variants and going to the more complex versions as needed. The lack of sequence keys is another manifestation of this; sequence keys are intended to allow watermarking and tracing of uploaded video, but they are not yet being used so no tracing is possible.

    The main mathematical question I wonder about is this: let’s suppose one device does get revoked. From what I understand they have to create a MKB entry that encrypts to a processing key associated with that device, and there are only about 12-15 of such keys (namely, the peer-leaf-node keys for each subtree that contains that device). This would seem to limit the AACS’ flexibility considerably.

  21. sadsac says:

    The big question is… from a public policy and/or philosophical perspective…

    Will this be enough to convince the industries that buy this technology that it is damn near worthless?

    Encryption of data is potentially secure only when it is sent without the key. If the encrypted data is sent with the key.. what’s the point?

  22. John says:

    I think that a bold movie studio needs to release a HD movie which is not protected at all. And see how much traffic and copying there is of it.

    I’ll bet that there would be less interest and copying activity in it, than there would be if it is “protected”. And because there would be no issues with equipment compatibility etc – it might even sell well.

  23. Hal says:

    devloop, each of the entries in the Media Key Data Record of the Media Key Block represents the Media Key encrypted to a different Processing Key. Initially there are 512 such records. As devices get revoked, more entries will be added to the MKB and there will be even more copies of the MK being encrypted to various Processing Keys.

    In principle there should be only one record entry which “works” for any given playback device. That is, given the device’s set of Device Keys, it has enough information to decrypt only one of the MKB records. So you are right that in the playback process, only one Processing Key is used and only one time. The device searches the records to find the one that works for it, it computes the Processing Key from its Device Keys, and it decrypts that record to get the Media Key, which then leads to the various Volume Keys, Title Keys and such.

  24. Linen says:

    Wow. Okay…It seems on this thread that some people just really super like to say Media Key. Let’s see if we can all get through one entire post without Media Key or Title Keys, or Volume Keys more than two times each. I honestly have a problem believing that this group could do it. Devloop, I understood it exactly the same way that you understood it so I’m really glad that a clarifying post was made or I would have been in your same boat when I was going through this on my own. Hal, thanks for clarifying that. And on that same note…why is it in this particular set that you want to only have one record entry? I’ve seen people with several record entries for the same items and I haven’t seen a problem yet. Can you tell me where this is going and how bad it’s going to get if it stays that way?