December 28, 2024

Ed Talks in SANE

Today, I gave a keynote at the SANE (System Administration and Network Engineering) conference, in Delft, the Netherlands. SANE has an interesting group of attendees, mostly high-end system and network jockeys, and people who like to hang around with them.

At the request of some attendees, I am providing a PDF of my slides, with a few images redacted to placate the copyright gods.

The talk was a quick overview of what I used to think of as the copyfight, but I now think of as the technologyfight. The first part of the talk set the stage, using two technologies as illustrations: the VCR, and Sony-BMG’s recent copy-protected CDs. I then switched gears and talked about the political/regulatory side of the techfight.

In the last part of the talk, I analogized the techfight to the Cold War. I did this with some trepidation, as I didn’t want to imply that the techfight is just like the Cold War or that it is as important as the Cold War was. But I think that the Cold War analogy is useful in thinking about the techfight.

The analogy works best in suggesting a strategy for those on the openness/technology/innovation/end-to-end side of the techfight. In the talk, I used the Cold War analogy to suggest a three-part strategy.

Part 1 is to contain. The West did not seek to win the Cold War by military action; instead it tried to contain the other side militarily so as to win in other ways. Similarly, the good guys in the techfight will not win with lawyers; but lawyers must be used when necessary to contain the other side. Kennan’s definition of containment is apt: “a long-term, patient but firm and vigilant containment of [the opponent’s] expansive tendencies”.

Part 2 is to explain. This means trying to influence public opinion by explaining the benefits of an open and free environment (in the Cold War, an open and free society) and by rebutting the other side’s arguments in favor of a more constraining, centrally planned system.

Part 3 is to create. Ultimately the West won the Cold War because people could see that ordinary citizens in the West had better, more creative, more satisfying lives. Similarly, the best strategy in the techfight is simply to show what technology can do – how it can improve the lives of ordinary citizens. This will be the decisive factor.

In the break afterward, somebody referred to a P.J. O’Rourke quote to the effect that the West won the Cold War because it, unlike its opponents, could provide its citizens with comfortable shoes. (If you’re the one who told me this, please remind me of your name.) No doubt O’Rourke was exaggerating for comic effect, but he did capture something important about the benefits of a free society and, by analogy, of a free and open technology ecosystem.

Another American approached me afterward and said that by talking about the Cold War as having been won by one side and lost by the other, I was portraying myself, to the largely European audience, as the stereotypical conservative American. I tried to avoid giving this impression (so as not to distract from my message), calling the good side of the Cold War “the West” and emphasizing the cultural rather than military aspects of the Cold War. I had worried a little about how people would react to my use of the Cold War analogy, but ultimately I decided that the analogy was just too useful to pass up. I think it worked.

All in all, it was great fun to meet the SANE folks and see Delft. Now back to real life.

Happy Endings

Cameron Wilson at the USACM Policy Blog writes about a Cato Institute event about copyright policy, which was held Wednesday. The panel on the DMCA was especially interesting. (audio download; audio stream; video stream)

Tim Lee, author of the recent Cato paper on the ill effects of the DMCA, spoke first.

The second speaker was Solveig Singleton of PFF, who offered some amazing arguments. Here is her response to the well-documented list of DMCA misuses:

Even if you set aside some of the errors in the Cato paper, you’re left with a set of examples, many of which have happy endings, without any change to the law. Ed Felten’s case, for example. There are other cases. There were lawsuits that were threatened but not brought. Lawsuits that were brought but ultimately failed. Lawsuits that succeeded but on grounds other than the DMCA.

(This is my transcription from the audio stream.)

To call the case of my colleagues and me a “happy ending” takes some real chutzpah. Let’s catalog the happy consequences of our case. One person lost his job, and another nearly did. Countless hours of pro bono lawyer time were consumed. Anonymous donors gave up large amounts of money to support our defense. I lost at least months of my professional life, and other colleagues did too. And after all this, the ending was that we were able to publish our work – something which, before the DMCA, we would have been able to do with no trouble at all.

In the end, yes, we were happy – in the same way one is happy to recover from food poisoning. Which is not really an argument in favor of food poisoning.

She goes on to argue for the efficacy of the DMCA, using the example of Apple’s FairPlay technology (which is used by the iTunes music store):

But … are they [Apple] going to be able to get music developers to the table to negotiate with them to help create this library [of music] if they can’t make some reasonable assurances that that content isn’t going to show up free everywhere else?

Never mind that all of the songs Apple sells are available for free on P2P networks, despite FairPlay and the DMCA. Never mind that FairPlay has a huge and widely known hole – the ability to burn songs to an unprotected CD – which Apple created deliberately.

It’s understandable that DMCA advocates don’t want to give a realistic, straightforward explanation of exactly why the DMCA is needed. If they tried to do so, it would become clear that the DMCA, as written, is poorly suited for their purpose. Instead, we get strawmen and arguments from counterfactual assumptions.

I’ll close with a quote from Emery Simon of the Business Software Alliance, another speaker on the same panel, making a claim so far off-base that I won’t even bother to rebut it:

[If not] for copy protection technologies, whether it’s Macrovision or CSS or Fairplay, my VCR and my television set would be devices no more useful to me than my car without gasoline.

HDCP: Why So Weak?

Today I want to wrap up (I think) the discussion on security weaknesses in HDCP, the encryption scheme used for sending very high-def video from a device like a next-gen DVD player to a TV monitor. I wrote previously (1, 2, 3) about how HDCP will inevitably fail – catastrophically – when somebody manages to recover the master secrets that are the source of all power in the system, and publishes those secrets on the Internet. I wrote, too, about how this problem could have been avoided by using standard cryptographic primitives rather than custom-designed ones.

It seems very likely that the people in charge of HDCP knew what they were doing, and made a deliberate choice to use the less-secure scheme rather than the more secure, standard one. (I don’t have definite proof that they knew about the security problems, but it’s pretty hard to believe that their engineers failed to notice it.) Why did they choose the weak system?

The academic paper on HDCP, by Crosby et al., says that HDCP’s designers were given a “budget” of 10,000 gates. (Gates are one of the basic building blocks from which digital chips are designed.) Crosby estimates that a more secure design would have required about 30,000 gates, to fix the vulnerability I discussed earlier and some smaller vulnerabilities. How much does it cost to add gates to a design? That depends – the high end of the cost range is around $100 per 10,000 gates, but the low end might be much lower.

There are really two questions here. (1) Why did they think it was worth paying for 10,000 extra gates to have the weak system, rather than no encryption at all? (2) Why did they think it wasn’t worth 20,000 gates to have a stronger system, rather than the weak system? Let’s consider these questions in order.

First: Why is the weak system worth spending 10,000 gates for? The answer doesn’t lie in platitudes about speedbumps or raising the bar – any technical bumps or bars will be obliterated when the master secrets are published. It’s worth noting, too, that the data stream they are protecting – uncompressed super high-def (1080i) video – blasts so much data so fast that there’s no affordable way for a would-be pirate to capture it, at least today. About all that can be done with such data streams today, at reasonable cost, is to display them, or to run them through simple format converter boxes. In future years, capturing the video stream will become a viable piracy strategy, but by then the master secrets will almost certainly have been published. So temporary piracy prevention doesn’t seem like a good explanation.

A much more plausible answer is that HDCP encryption exists only as a hook on which to hang lawsuits. For example, if somebody makes unlicensed displays or format converters, copyright owners could try to sue them under the DMCA for circumventing the encryption. (Also, converter box vendors who accepted HDCP’s license terms might sue vendors who didn’t accept those terms.) The price of enabling these lawsuits is to add the cost of 10,000 gates to every high-def TV or video source, and to add another way in which high-def video devices can be incompatible.

The second question is why they weren’t willing to spend an extra 20,000 gates to use a more secure crypto scheme. Doing so would have reduced, in the long run, some types of P2P infringement. They apparently felt this would not be a good investment, presumably because other infringment scenarios were more troublesome. Why spend money strengthening one link in a chain, when other links are already weaker?

The bottom line is clear. In HDCP, “security” technologies serve not to disable pirates but to enable lawsuits. When you buy an HDCP-enabled TV or player, you are paying for this – your device will cost more and do less.

HDCP Could Have Been Better

I wrote Friday about weaknesses in the HDCP handshake protocol that is being used to set up encryption of very high-def TV content that is in transit from devices like next-gen DVD players to television monitors. This was not news to those who follow the area. The ideas in my post came from a 2001 paper by Crosby, Goldberg, Johnson, Song, and Wagner – all I did is abstract away some of the mathematical detail to simplify the explanation.

As far as I can tell, the publication of the Crosby paper, and the spread of the news about HDCP’s flaws, did not trigger any change in Hollywood’s plans for next-gen TV. They’re still relying upon HDCP, in the same way they seemed to be planning five years ago. As far as I can tell, HDCP’s vulnerability hasn’t changed anything – yet.

This is quite interesting, when we consider that the system as designed is almost certain to be completely broken. The security of the design relies entirely on the secrecy of 1600 special numbers (which form a 40-by-40 matrix), whose disclosure to the public would release the knowledge to build a device that could do absolutely everything that HDCP is supposed to prevent. It is well known how to extract these numbers – though it requires some technical effort – but once the numbers are published, HDCP’s security is shot forever. This is virtually certain to happen in the next few years.

There’s a good chance that the HDCP people knew beforehand that this would be the case. If they used a good due diligence process on the HDCP algorithm, they would almost certainly have discovered these weaknesses. But even if they didn’t know from the very beginning, they found out in 2001.

There’s no doubt that they could have done better. Instead of using the flawed homebrew algorithm they chose, the HDCP designers could have avoided this security problem by using a well-known algorithm known as offline Diffie-Hellman.

Recall from Friday that each HDCP device has a private value and a public value. When two devices – call them A and B – handshake, they send each other their public values. Then A combines its private value with B’s public value, and vice versa. The result of that computation is a secret key, which is guaranteed to be the same for both participants.

In HDCP as designed, the recipe for combining public and private values involves only addition. And because is uses only addition, a would-be attacker (like the conspiracy I discussed on Friday) can set up a series of N equations in N unknowns, and those equations involve only addition – not multiplication, division, or other mathematical operators. Because the equations are this simple (“linear” in math-speak), you can solve them by standard methods, assuming you have enough equations.

The offline Diffie-Hellman algorithm, which I mentioned above, combines the public and private values in a particularly nasty non-linear fashion, to prevent the equation-solving attack. (For more detail on how Diffie-Hellman works, see the entry in Wikipedia.) An adversary can set up equations, but as far as we know there is no practical way to solve them.

The Crosby paper suggests an explanation for the use of a homebrew algorithm: the HDCP design requirements said that the entire design had to implementable in hardware with no more than 10,000 logic gates. (Logic gates are one of the simplest building blocks used to design digital circuitry. In 2001, a state-of-the-art microprocessor chip would have contained tens of millions of gates.)

Indeed, the structure of the homebrew algorithm they used is so similar to that of offline Diffie-Hellman (with simpler mathematical structures replacing the more secure ones used by offline D-H) that it seems likely that the designers knew what they really wanted but couldn’t figure out how to fit it within the 10,000-gate budget they were given – so they settled for a less secure design.

The alternative, of course, would have been to increase the gate budget in order to allow a more secure design. Why didn’t that happen? I’ll discuss some possible reasons next time.

Making and Breaking HDCP Handshakes

I wrote yesterday about the HDCP/HDMI technology that Hollywood wants to use to restrict the availability of very high-def TV content. Today I want to go under the hood, explaining how the key part of HDCP, the handshake, works. I’ll leave out some mathematical niceties to simplify the explanation; full details are in a 2001 paper by Crosby et al.

Suppose you connect an HDMI-compliant next-gen DVD player to an HDMI-compliant TV, and you try to play a disc. Before sending its highest-res digital video to the TV, the player will insist on doing an HDCP handshake. The purpose of the handshake is for the two devices to authenticate each other, that is, to verify that the other device is an authorized HDCP device, and to compute a secret key, known to both devices, that can be used to encrypt the video as it is passed across the HDMI cable.

Every new HDCP device is given two things: a secret vector, and an addition rule. The secret vector is a sequence of 40 secret numbers that the device is not supposed to reveal to anybody. The addition rule, which is not a secret, describes a way of adding up numbers selected from a vector. Both the secret vector and the addition rule are assigned by HDCP’s central authority. (I like to imagine that the central authority occupies an undersea command center worthy of Doctor Evil, but it’s probably just a nondescript office suite in Burbank.)

An example will help to make this clear. In the example, we’ll save space by pretending that the vectors have four secret numbers rather than forty, but the idea will be the same. Let’s say the central authority issues the following values:

secret vector addition rule
Alice (26, 19, 12, 7) [1]+[2]
Bob (13, 13, 22, 5) [2]+[4]
Charlie (22, 16, 5, 19) [1]+[3]
Diane (10, 21, 11, ,14) [2]+[3]

Suppose Alice and Bob want to do a handshake. Here’s how it works. First, Alice and Bob send each other their addition rules. Then, Alice applies Bob’s addition rule to her vector. Bob’s addition rule is “[2]+[4]”, which means that Alice should take the second and fourth elements of her secret vector and add them together. Alice adds 19+7, and gets 26. In the same way, Bob applies Alice’s addition rule to his secret vector – he adds 13+13, and gets 26. (In real life, the numbers are much bigger – about 17 digits.)

There are two things to notice about this process. First, in order to do it, you need to know either Alice’s or Bob’s secret vector. This means that Alice and Bob are the only ones who will know the result. Second, Alice and Bob both got the same answer: 26. This wasn’t a coincidence. There’s a special mathematical recipe that the central authority uses in generating the secret vectors to ensure that the two parties to any legitimate handshake will always get the same answer.

Now both Alice and Bob have a secret value – a secret key – that only they know. They can use the key to authenticate each other, and to encrypt messages to each other.

This sounds pretty cool. But it has a very large problem: if any four devices conspire, they can break the security of the system.

To see how, let’s do an example. Suppose that Alice, Bob, Charlie, and Diane conspire, and that the conspiracy wants to figure out the secret vector of some innocent victim, Ed. Ed’s addition rule is “[1]+[4]”, and his secret vector is, of course, a secret.

The conspirators start out by saying that Ed’s secret vector is (x1, x2, x3, x4), where all of the x’s are unknown. They want to figure out the values of the x’s – then they’ll know Ed’s secret vector. Alice starts out by imagining a handshake with Ed. In this imaginary handshake, Ed will apply Alice’s addition rule ([1]+[2]) to his own secret vector, yielding x1+x2. Alice will apply Ed’s addition rule to her own secret vector, yielding 26+7, or 33. She knows that the two results will be equal, as in any handshake, which gives her the following equation:

x1 + x2 = 33

Bob, Charlie, and Diane each do the same thing, imagining a handshake with Ed, and computing Ed’s result (a sum of some of the x’s), and their own result (a definite number), then setting the two results equal to each other. This yields three more equations:

x2 + x4 = 18
x1 + x3 = 41
x2 + x3 = 24

That makes four equations in four unknowns. Whipping out their algebra textbooks, the conspiracy solves the four equations, to determine that

x1 = 25
x2 = 8
x3 = 16
x4 = 10

Now they know Ed’s secret vector, and can proceed to impersonate him at will. They can do this to any person (or device) they like. And of course Ed doesn’t have to be a real person. They can dream up an imaginary person (or device) and cook up a workable secret vector for it. In short, they can use this basic method to do absolutely anything that the central authority can do.

In the real system, where the secret vectors have forty entries, not four, it takes a conspiracy of about forty devices, with known private vectors, to break HDCP completely. But that is eminently doable, and it’s only a matter of time before someone does it. I’ll talk next time about the implications of that fact.

[Correction (April 15): I changed Diane’s secret vector and addition rule to fix an error in the conspiracy-of-four example. Thanks for Matt Mastracci for pointing out the problem.]