November 30, 2023

Search Results for: aacs

AACS: Extracting and Using Keys

[Posts in this series: 1, 2, 3, 4, 5, 6, 7.]

Let’s continue our discussion of AACS (the encryption scheme used on HD-DVD and Blu-Ray discs) and how it is starting to break down. In Monday’s post I gave some background on AACS and the newly released BackupHDDVD tool.

Recall that AACS decryption goes in two steps. First, the player device uses its device keys to decrypt the disc’s header, thereby getting a title key that is unique to the disc. Then the player uses the title key to decrypt the movie. The BackupHDDVD program does only the second step, so it is worthless unless you can somehow get the title key of the disc you want to access.

But decryption tools will evolve. Somebody will make an online database of title keys, and will modify BackupHDDVD so it automatically consults that database and gets the title keys it needs. This new decryption program will be able to decrypt any disc whose title key appears in the database. This decryption software and database don’t exist yet, but they seem inevitable.

It’s interesting to compare this system with an alternative that distributes decrypted movies. One difference is that a 16-byte title key is much smaller and easier to distribute than a huge movie file – even a dialup line will be able to download title keys in the blink of an eye. Of course, the title key is useful only if you have access to a disc (or a copy of the full encrypted contents of a disc), so some kinds of infringement will be easier with movie files than with title keys. Title keys will, however, be enough to enable in-home fair use.

But where will title keys come from? Probably they’ll be captured by reverse-engineering a player. Every player device, when decrypting a disc, must recover the title key and store it somewhere in the player’s memory, so that the title key can be used to decrypt the movie’s contents. A skilled engineer who works hard enough will be able to find and extract that stored title key. This will probably be easier to do for software players that run on PCs, and somewhat more difficult for dedicated player boxes; but in either case it will be possible. An engineer who extracts a key can upload it to the online database or share it with his friends.

There are economies of scale in key extraction. Having extracted the title keys for a few discs, the engineer will learn how and where the keys can be found and will have a much easier time extracting keys from other discs. Eventually, the extraction might be automated, so he need only insert a disc into his player and then activate a key-extractor device (or program) that he built.

Alternatively, he might try to extract the device keys from his player device. If he can do this, then he can write a software program that can do everything his player can do, including decrypting disc headers and extracting title keys from them. In other words, his program will be able to do both steps of AACS decryption.

Once he has device keys, he could in principle publish them (or equivalently publish a program containing them), thereby allowing everybody to extract title keys and decrypt discs. But if he does this, the AACS central authority will learn which device keys he is using and will blacklist those keys, which will prevent those keys from decrypting discs manufactured in the future. (The next post will discuss the blacklisting mechanism in more detail.)

So the engineer, if he is clever, won’t necessarily publish everything he knows. The more he publishes, the more he helps others freely use their discs – but the more he also helps the central authority fight back. This leads to an interesting strategic game between the engineer and the central authority, which we’ll explore in the next post.

AACS Decryption Code Released

[Posts in this series: 1, 2, 3, 4, 5, 6, 7.]

Decryption software for AACS, the scheme used to encrypt content on both next-gen DVD systems (HD-DVD and Blu-ray), was released recently by an anonymous programmer called Muslix. His software, called BackupHDDVD, is now available online. As shipped, it can decrypt HD-DVDs (according to its author), but it could easily be adapted to decrypt Blu-ray discs.

Commentary has been all over the map, with some calling this a non-event and others seeing the death of AACS. Alex Halderman and I have been thinking about this question, and we believe the right view is that the software isn’t a big deal by itself, but it is the first step in the meltdown of AACS. We’ll explain why in a series of blog posts over the next several days.

Today I’ll explain how the existing technology works: how AACS encrypts the content on a disc, and what the BackupHDDVD software does.

In AACS, each player device is assigned a DeviceID (which might not be unique to that device), and is given decryption keys that correspond to its DeviceID. When a disc is made, a random “title key” is generated and the video content on the disc is encrypted under the title key. The title key is encrypted in a special way that specifies exactly which devices’ decryption keys are able to extract the title key, and the result is then written into a header field on the disc.

When a player device wants to read a disc, the player first uses its own decryption keys (which, remember, are specific to the player’s DeviceID) to extract the title key from the disc’s header; then it uses the title key to unlock the content.

BackupHDDVD does only the second of the two decryption steps: you give it the title key and the encrypted content, and it uses the title key to decrypt the content. BackupHDDVD doesn’t do the first decryption step (extracting the title key from the disc’s header), so BackupHDDVD is useless unless you already have the disc’s title key. The BackupHDDVD download does not include title keys, so somebody who wanted to decrypt his own AACS-protected disc collection would have to get those discs’ title keys from elsewhere.

Typical users can’t extract title keys on their own, so BackupHDDVD won’t be useful to them as it currently stands – hence the claims that BackupHDDVD is a non-event.

But the story isn’t over. BackupHDDVD is the first step in a process that will eviscerate AACS. In the next post, we’ll talk about what will come next.

[Post updated (8 Jan 2007): Corrected the third-to-last paragraph, which originally said that BackupHDDVD came with a few sample title keys. The error was due to my misreading of the code distribution. Also added the second parenthetical in the first paragraph, as a clarification. Thanks to Jon Lech Johansen and Mark for pointing out these issues.]

The Future of News: We're Lucky They Haven't Tried Macropayments

Regular readers will know that the newspaper industry is in dire shape: revenues off by 20% in just the last year, with more than 15,000 jobs lost in that period. This map tells the story better than any writing could. The market capitalizations of newspaper firms, which reflect investor expectations about future performance, have fallen even more precipitously. In short, it’s hard to exaggerate how dire the situation facing the industry is. If you were in charge of a newspaper, survival in any form possible would rationally be your all-consuming focus.

Walter Isaacson, the former editor of TIME magazine and current President of the Aspen Institute, wrote a column last week arguing that newspapers should squeeze revenue out of their web sites through “micropayments.” It’s an idea with a long, but not very successful, history: Isaacson himself points out that Ted Nelson, the inventor of hypertext, imagined micropayments for written content back in the early 1960s.

Small payments, on the order of a dollar, work well for some kinds of highly valued, contextualized content, like a book to your Kindle or a song to your iPod. But “micro” payments on the order of a nickel—the figure Isaacson mentions for a hypothetical news story—have never taken off. Transaction costs, caused by things like credit card processing, are usually cited as the reason, but I’ve never found that view persuasive: It’s not hard to set up a system in which micro transactions are aggregated into parcels of at least a few dollars before being channeled through our existing credit card infrastructure.

The Occam’s razor explanation for the persistent failure of micropayments is much simpler: People hate them. The niggling feeling of being charged a marginal amount for each little thing you do exacts a psychological cost that often suffices to undermine the pleasure of the good or service you receive on an a la carte basis. That’s why monthly gym memberships, pay-one-price amusement parks, and subscription services like Netflix or, come to think of it, regular cable are popular, even when a la carte options would be (financially) cheaper for consumers.

Michael Kinsley, the former editor of Slate, responded to Isaacson in a piece headlined You Can’t Sell News by the Slice. His basic message: We tried getting users to pay for content online—in Slate’s case, as an inexpensive annual subscription—and it didn’t work. One problem noted by both Isaacson and Kinsley is that readers have come to expect content to be free, and when individual papers have tried to start charging, they’ve failed.

What can the papers do? Isaacson is on to something when he says:

Another group that benefits from free journalism is Internet service providers. They get to charge customers $20 to $30 a month for access to the Web’s trove of free content and services. As a result, it is not in their interest to facilitate easy ways for media creators to charge for their content. Thus we have a world in which phone companies have accustomed kids to paying up to 20 cents when they send a text message but it seems technologically and psychologically impossible to get people to pay 10 cents for a magazine, newspaper or newscast.

If struggling news outlets were really bold—and grimly realistic about how little they have to lose, from a business point of view—they might decide to seek revenue at the ISP level. The plan: Begin segmenting site visitors by ISP, and charge ISPs for content. Under this plan, if your ISP has paid the news syndicate, you get to see the news. If you try to visit one of the participating sites and your ISP has not paid the syndicate, then you see a different page, possibly a page that urges you to call your ISP and demand access to the syndicated content. It’s the same model controversially adopted by ESPN360.com (go ahead, check and see if you have access or not). I imagine a hypothetical where a handful of top papers, such as the New York Times, Washington Post, and LA Times, jointly with TIME and Newsweek, form a syndicate that charges ISPs a fixed rate per user-month of access. ISPs, in other words, would make a small number of large (“macro”) payments to content providers, and these would be a primary source of revenue for these outlets, along with advertising.

I am, as Paul Ohm might urge me to say, NAL (Not a Lawyer), but I suspect that such a syndicate might well pass antitrust scrutiny. The syndicate would certainly not make it hard to find news on the web: it would simply make it hard to find certain high quality sources. Participating publications might elect to offer free access to certain population segments, who cannot pay or would experience a concentrated public interest harm, such as users from developing countries. ESPN360, for example, reportedly gives free access to anyone who surfs in from a .edu domain. (No doubt this is also a marketing tactic.)

For some definitions of the term “net neutrality,” such a move by news providers would be a violation of net neutrality. Other definitions of the term would place this behavior outside of its scope. But no matter how you look at it, the substance of such a move would be troubling: it would amount to removing these great sources of journalism from the Internet proper, and placing them instead in a kind of walled garden. If that trend took off and became very widespread, it could amount to a return to the bad old days of walled garden services like AOL and Prodigy.

A second good argument that this situation would be undesirable is that it would force all users of a particular ISP to pay for content that only some users want to access. There’s a sense in which such cross-subsidies are already the norm: those who use their ISP subscriptions for email and web browsing subsidize the heavier network usage of video aficionados and other leading-edge consumers who are way out on the tail and use the lion’s share of the bandwidth. But this, in its deliberateness, would be a new and different level.

A third good argument against this idea is that it would introduce awkward relationships between news outlets and ISPs, in a manner that would impair news coverage of the Internet and telecommunications industries.

Fourthly, there’s the possibility that people will pirate the blocked content systematically by using systems like TOR to access the news content via approved endpoints. (My own thought is that this probably isn’t the strongest argument, since many users are uninterested in this sort of maneuver or even the easy Firefox plugin that would likely arise to enable it. Plus, the content syndicate would pool its resources toward aggressive litigation to stem this trend. Plus, the payments would be extracted from law abiding ISPs, not individual users.)

I can imagine a potentially compelling case being made that such behavior by content providers should be regulated or outlawed. But today I think it is neither. And given the news industry’s desperation, the fact that such a move would be unpopular could turn out to be moot if they can persuade ISPs to pay. If someone capable and hardworking set out to sell the idea to a group of newspaper and newsmagazine publishers, I fear they might prove quite persuasive.

2007 Predictions Scorecard

As usual, we’ll start the new year by reviewing the predictions we made for the previous year. Here now, our 2007 predictions, in italics, with hindsight in ordinary type.

(1) DRM technology will still fail to prevent widespread infringement. In a related development, pigs will still fail to fly.

We predict this every year, and it’s always right. This prediction is so obvious that it’s almost unfair to count it. Verdict: right.

(2) An easy tool for cloning MySpace pages will show up, and young users will educate each other loudly about the evils of plagiarism.

This didn’t happen. Anyway, MySpace seems less relevant now than it did a year ago. Verdict: wrong.

(3) Despite the ascent of Howard Berman (D-Hollywood) to the chair of the House IP subcommittee, copyright issues will remain stalemated in Congress.

As predicted, not much happened in Congress on the copyright front. As usual, some bad bills were proposed, but none came close to passage. Verdict: right.

(4) Like the Republicans before them, the Democrats’ tech policy will disappoint. <ionly a few incumbent companies will be happy.

Very little changed. For the most part, tech policy issues do not break down neatly along party lines. Verdict: right.

(5) Major record companies will sell a significant number of MP3s, promoting them as compatible with everything. Movie studios won’t be ready to follow suit, persisting in their unsuccessful DRM strategy.

Two of the four major record companies now sell MP3s, and a third announced it will soon start. I haven’t seen sales statistics, but given that Amazon’s store sells only MP3s, sales can’t be too low. As predicted, movie studies are still betting on DRM. Verdict: right.

(6) Somebody will figure out the right way to sell and place video ads online, and will get very rich in the process. (We don’t know how they’ll do it. If we did, we wouldn’t be spending our time writing this blog.)

This didn’t happen. Verdict: wrong.

(7) Some mainstream TV shows will be built to facilitate YouTubing, for example by structuring a show as a series of separable nine-minute segments.

I thought this was a clever prediction, but it didn’t happen. The biggest news in commercial TV this year was the writers’ strike. Verdict: wrong.

(8) AACS, the encryption system for next-gen DVDs, will melt down and become as ineffectual as the CSS system used on ordinary DVDs.

AACS was defeated and you can now buy commercial software that circumvents it. Verdict: right.

(9) Congress will pass a national law regarding data leaks. It will be a watered-down version of the California law, and will preempt state laws.

There was talk about doing this but no bill was passed. Verdict: wrong.

(10) A worm infection will spread on game consoles.

To my knowledge this didn’t happen. It’s a good thing, too, because the closed nature of many game consoles would make a successful worm infection particularly challenging to stamp out. Verdict: wrong.

(11) There will be less attention to e-voting as the 2008 election seems far away and the public assumes progress is being made. The Holt e-voting bill will pass, ratifying the now-solid public consensus in favor of paper trails.

Attention to e-voting was down a bit. Despite widespread public unhappiness with paperless voting, the Holt bill did not pass, mostly due to pushback from state and local officials. Rep. Holt is reportedly readying a more limited bill for introduction in January. Verdict: mostly wrong.

(12) Bogus airport security procedures will peak and start to decrease.

Bogus procedures may or may not have peaked, but I didn’t see any decrease. Verdict: unclear.

(13) On cellphones, software products will increasingly compete independent of hardware.

There was a modest growth of third-party software applications for cellphones, including some cross-platform applications. But there was less of this than we predicted. Verdict: mostly wrong.

Our overall score: five right, two mostly wrong, five wrong, one unclear. Next: our predictions for 2008.

Slysoft Commercializes Next-Gen DVD Circumvention

We’ve been following, off and on, the steady meltdown of AACS, the encryption scheme used in HD-DVD and Blu-ray, the next-generation DVD systems. By this point, Hollywood has released four generations of AACS-encoded discs, each encrypted with different secret keys; and the popular circumvention tools can still decrypt them all. The industry is stuck on a treadmill: they change keys every ninety days, and attackers promptly reverse-engineer the new keys and carry on decrypting discs.

One thing that has changed is the nature of the attackers. In the early days, the most effective reverse engineers were individuals, communicating by email and pseudonymous form posts. Their efforts resulted in rough but workable circumvention tools. In recent months, though, circumvention has gone commercial, with Slysoft, an Antigua-based maker of DVD-reader software, taking the lead and offering more polished tools for reading and ripping AACS discs.

You might wonder how a company that makes software for playing DVDs got into the circumvention business. The answer has to do with AACS’s pickiness about which equipment it will work with. My lab, for example, has an HD-DVD drive and some discs, which we have used for research purposes. But as far as I know, none of the computer monitors we own are AACS-approved, so we have no way to watch our lawfully purchased HD-DVDs on our lawfully purchased equipment. Many customers face similar problems.

If you’re selling HD-DVD player software, you can tell those customers that your product is incompatible with their equipment. Or you can solve their problem and make their legitimately purchased discs play on their legitimately purchased equipment. Of course, this will make you persona non grata in Hollywood, so you had better hire a few reverse engineers and get to work on some unauthorized decryption software – which seems to be what Slysoft did.

Now Slysoft faces the same reverse engineering challenges that Hollywood did. If Slysoft’s products contain the secrets to AACS decryption, then independent analysts can extract those secrets and clone Slysoft’s AACS decryption capability. Will those who live by reverse engineering die by reverse engineering?