CITP Blog - Formerly Freedom to Tinker

AACS: Title Keys Start Leaking

– by

Comments

[Posts in this series: 1, 2, 3, 4, 5, 6, 7.]

Last week we predicted that people would start extracting the title key (the cryptographic key needed to decrypt the contents of a particular next-gen DVD disc) from HD-DVD discs. Indeed, it turns out that WinDVD, a popular software player that runs on PCs, leaves the title key laying around in memory when it finishes playing a disc. This may seem like an elementary mistake, but it is more common and harder to avoid than you might think. Fairly easy methods for capturing these keys are already well known.

There are even websites, such as aacskeys.com and hdkeys.com, that claim to contain title keys for about fifty HD-DVD discs. (That’s about one-third of the discs available on Amazon.) At least some of these title keys are correct. Within days, expect to see a software program that downloads keys from such a site and uses the keys to play or copy discs.

So far the attackers have published most of what they know. We know which title keys they (claim to) have found, and we know they extracted those keys from WinDVD and possibly PowerDVD. As Alex explained on Thursday and Friday, a clever attacker will withhold some information strategically so as not to provoke a response from the AACS central authority.

The authority might respond by blacklisting the device keys assigned to WinDVD. To avoid angering honest WinDVD users, they might first push out a software update to WinDVD containing new keys along with new programming to better protect the keys.

But as Alex suggested last week the authority might not want to blacklist WinDVD, even if it can. As long as the attackers limit what they publish, the authority might be better off accepting the damage they see now rather than provoking more damage by cutting off the usefulness of WinDVD to the attackers. The result is a kind of uneasy equilibrium between the attackers and the central authority.

Even if the attackers want to cause maximum financial harm to Hollywood (which probably isn’t their goal), their most effective strategy is to limit how many title keys they publish. One way to do this is to give Hollywood a “release window” – a kind of grace period after each disc is released, in which the title key doesn’t get published. A site could let people upload the headers of a disc; the site would then wait N days before decrypting and releasing the title key.

Interestingly, this release window strategy resembles the studios’ current approach to extracting revenue from films, in which a film is available first in the highest-revenue format – in theaters – then later in a succession of lower-revenue formats – DVD and television. The idea is to extract more revenue from the most enthusiastic fans in early stages and pick up whatever revenue is available from everyone else later.

What’s the optimal length of the release window (for the attackers); and what is the financial effect on the studios? We can answer these questions with a simple economic model; but that’s a topic for another day.

Comments

15 responses to “AACS: Title Keys Start Leaking”

  1. marco

    Speaking of financial effects: What about the competition between HD-DVD AND blue-ray in this game? Wouldn’t it make an interesting rogue tactic for the member of one party (or any other entity with financial engagement), to fund (in secret) the disclosure of keys for the competing format?

    Reply
  2. DancingSamurai

    That of course is making the assumption that disclosing keys would actually have a detrimental financial impact. As has been pointed out, lots of people buy DVDs even though (perhaps because) CSS is broken.

    I know I would be much more likely to buy an HD format for which I had the means of exercising my fair use/fair dealing rights than one that was locked down. I’m certainly not the only one with this opinion.

    Reply
  3. Pedro

    Regarding players that do online key lookup: “There is now a modified version of BackupHDDVD for use on this site. If it does not find the volume key for your movie in your local keydb.cfg, it will attempt to retrieve a key from the online database here at HDKeys.com”

    Reply
  4. Pedro

    marco:
    If the DRM systems were different, maybe, but since Blu-Ray also uses AACS they would just be sabotaging themselves.

    Reply
  5. Brad Templeton

    Actually, Ed, there is another reason to delay releasing title keys. If you have a delay, even a short one like 2 weeks (too short for Hollywood) it makes the binary search attack on an oracle harder. They can’t iterate their binary search, so must upload all the test headers at once. Now the oracle has 2 weeks to figure out if a header is bogus. For example, if anybody else uploads the same movie as a bogus header claims to be, this will flag one of the uploads as bogus and this can be checked. Presumably you don’t just upload the header, you upload a snippet of the encrypted data too, to confirm you can actually decrypt.

    Then, during the 2 weeks the oracle can issue a call to anybody else who has the DVD — send us the same bit of encrypted text from your DVD. If there are mismatches, you can actually look at the short bit of footage. (Some copyright violation going on here but we doubt the oracle cares.)

    If the Oracle has come to trust some sources it’s even easier.

    As per Samurai’s comments — absolutely. I wish to play my DVDs on my linux box. The ability to do so with free software would increase my demand to buy DVDs.

    Because of this, funding cracking of the competition isn’t going to gain you anything and might backfire. I would much rather buy the DVD I know I can move around. For example, many people like to watch movies on their laptop on the airplane, and many laptops can display 720p now. However, very few laptops have hd-dvd or blue-ray drives, and it’s unlikely that today’s crop of laptops will be readily upgradable to these. I would much rather get a DVD I can play on my laptop, which would be the one without DRM in the way. I am not buying hd/blue-ray style drives for all my old computers, though many can readily play HD.

    Reply
  6. marco

    The situation is not comparable with DVD/CSS, because DVD had no competition at that time (VHS?). The DeCSS meltdown harmed the revenues of the movie industry, but not enough to let the market collapse.

    The state of emerging competition seems to have different rules. A content provider which is unhappy with one format has the option to switch, which would create serious damage to the abandoned format (think of the “porn on HD-DVD” only almost fiasco for blue-ray).

    And while it’s true blue-ray may exhibit the same problems, because it’s based on AACS too (except that the BD+ layer may be an additional obstacle, which could show off as a small, but deciding advantage), it doesn’t mean that key disclosure isn’t a strategy.

    It is still a strategy and the situation changes to something what looks like the generalized form of the prisoner’s dilemma. A cooperating (non-disclosing) format provider would suffer serious harm when faced with a disclosing competitor and will be tempted to disclose as well, in order to harm his competitor. This would usually lead to a “Tit for Tat” strategy for both parties, unless..

    ..one of the party thinks it can actually win, because they have better means to control the harm done to their party. In that case things could get interesting.

    Reply
  7. Steve R.

    The New York Times (1/17/2007) has an article titled: “A DVD Copy Protection Is Overcome by Hackers”. The Times reports “Last weekend, a loose-knit coalition of hackers around the world defeated the antipiracy software protecting several high-resolution movies in the HD DVD format. They then began distributing copies of the films — starting with Universal Pictures’ “Serenity” — using BitTorrent, a popular file-sharing tool.”

    http://www.nytimes.com/2007/01/17/technology/17movie.html?_r=1&oref=slogin
    Cnet is also reporting this: http://news.com.com/

    I have no idea if this story is truly new news or not.

    Reply
  8. Mark Davies

    I have the understanding from the fore going that a HD-DVD/BD Copy can be examined to the extent that the AACS authority can determine which host or device was used .Am I right in this assumption?

    This if correct would be a powerful tool against hackers in terms of control over revocation and prosecution.Of course there maybe a myriad of counter measures/defences to delay or circumvent this process.

    This is the only reason I can see why making keys public might be timed to some degree.

    Essentially though I am sceptical about this kind of self regulatory control over what is after all an non regulatory band of groups and individuals.

    It is also a competitive arena,where the first to get there hack out earns/holds some degree of respect within the community.

    Reply
  9. Steve R.

    New Article on ARS Technica by Jeremy Reimer: “First pirated HD DVD movie hits BitTorrent”.

    The movie “Serenity” is appropriate as a symbol. To quote Mr. Universe “You can’t stop the signal.”

    Reply
  10. Perty

    I think it’s pretty funny/tragic that so many people including a lot of programmers at MS and engineers at NVIDIA/ATI and probably a lot more has put such a big effort in creating this protection.

    And as they haven’t thought of the software players and the implementation of the title keys.

    It fails on such a silly error as keys left in memory.

    Even if the software players scrambles and obfuscate their code it will always be people with knowledge/time to crack it.

    The only solution to their problems will (without knowing to much about it) is the future of “trusted platforms” or “trusted computing” with hardware support for “invisible” memory.

    /Perty

    Reply
  11. John

    As regards what Mark Davies says above, the sequence key system would facilitate identifying a player whose output had been copied. But it doesn’t follow that the player is the player from which the title key was gleaned.

    But that raises another point. From a player’s point of view, isn’t an already decrypted movie which needs “sequencing” (if that is the term) a suspicious thing that could or should be trapped?

    Reply
  12. HDDVD

    [QUOTE]There are even websites, such as aacskeys.com and hdkeys.com, that claim to contain title keys for about fifty HD-DVD discs. (That’s about one-third of the discs available on Amazon.) At least some of these title keys are correct.[/QUOTE]
    These are NOT Title Keys, but Volume Unique Keys. A single Volume Unique Key per disc can be used by BackupDVD to extract all the Tilte Keys on that disc.

    [/QUOTE]Within days, expect to see a software program that downloads keys from such a site and uses the keys to play or copy discs.[/QUOTE]
    A modified BackupHDDVD version to retreive keys online from HDKeys.com was posted at the forum at doom9.org BBEFORE you published this blog entry.

    Reply
  13. billy

    Hello,

    Nice blog you got there, but i got one question:
    You sound like you know a lot about aacs and crypto in general, but keep talking about “title keys” (second step in aacs encryption) whereas the discussion is about “volume unique keys” (first step) that can give all title keys.
    The available software only need vuks so title keys are an non-issue.
    Why do you keep spreading mis-information instead of the basics ?
    Are you really that confused or don’t you want to spread usable info ?

    Reply
  14. testoe

    test

    Reply
  15. EltonMello

    Jeremy Reimer has no degree or certifications in computers and no professional hands on years to decades of experience in them either.

    Jeremy Reimer was caught email harassing, impersonating, & bother others online which ended up having his website have portions removed and his friends that helped him in it (a Mr. Jay Little of Atlanta Ga. USA) had their websites removed in their entirety. See here for that:

    http://www.windowsitpro.com/articles/index.cfm?articleid=41095&cpage=212#feedbackAnchor

    Also, others from educational institutions where actual professional journalism & writing are taught, are questioning Jeremy Reimer’s validity & credibility as a writer, period, here:

    http://www.cwrl.utexas.edu/node/933

    All Reimer does is spit back what others wrote already anyhow. He is an ambulance chaser at best.

    Jeremy Reimer and his friends were also caught here:

    http://www.windowsitpro.com/articles/index.cfm?articleid=41095&cpage=213#feedbackAnchor

    Posting as others (i.e. same person posting under multiple names/guises/nicks/handles) along with his friend Jay Little above to “support one another” when they were found SO technically inacurrate, they were laughed off that site and both of them outright left & that was after law enforcement were called on them both. Windows IT Pro is a widely read publication in the field of computers.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Categories