"We observe that attackers can exploit a well-known cryptographic design mistake: the shared secret generation is entirely linear. The attack only needs 40 public/private key pairs such that the public key pairs span M ⊂ (Z/256Z)40, the module generated by all public keys. Since HDCP devices divulge their public keys freely, one can easily test whether a set of 40 devices have public keys spanning M before expending the effort to extract their private keys. With these keys, the authority’s secret can be recovered in only a few seconds on any desktop computer."
Edited to add the next paragraph (paper was published in 2001):
"The consequence of these flaws is that, after recovering the private keys of 40 devices, we can attack every other interoperable HDCP device in existence: we can decrypt eavesdropped communications, spoof the identity of other devices, and even forge new device keys as though we were the trusted center. Note that this allows us to bypass any revocation list or “blacklisting”: such mechanisms are rendered completely ineffective by these flaws in HDCP. Therefore we recommend that the current HDCP cryptosystem should be abandoned and replaced with standard cryptographic primitives."
Therefore we recommend that the current HDCP cryptosystem should be abandoned and replaced with standard cryptographic primitives.
So does this mean that all new equipment will quickly switch to DisplayPort, necessitating another round of TV/monitor upgrades? Or will the HDMI organization add DPCP (AES) to the HDMI standard?
[Edit: it was mentioned elsewhere* in the thread that HDCP 2.0 uses AES]
For those not quite that curious, if you've ever tried to watch a Blu-Ray movie on your computer, and gotten an error about it being restricted from playing back on your display; there's a good chance that is because of HDCP.
If this is true (and there isn't really a good reason to believe that it isn't), this is pretty bad news for the content industry.
Yeah, I didn't mean for my comment to make it sound like I'm supporting the content industry. Rereading it makes it sound like I think this is a bad thing. It was meant more as rubbing salt in the wound.
<sarcasm>You don't understand. HDCP is great for consumers. It's what lets them view fantastic content from the creative industry. Without HDCP, that content wouldn't be available to consumers.</sarcasm>
It was this angle of attack, or one very similar to it, that I remember reading from an nVidia (or it might have been ATI) powerpoint deck a few years back.
Makes me wonder whether the author was blissfully ignorant of DeCSS, or hoped the readers would be. It's not as if they felt the need to pull DVDs off the market for the last decade.
To be fair, the release of DeCSS may very well have moved up the timetable for releasing BD+ and AACS (which isn't an argument against it, but these things don't exist in a vaccum).
My point was that it represents a headache for the content industry, not consumers. I'm a consumer; I'm thrilled that maybe now I won't have to go through such a clusterfuck to watch a Blu-ray that I've paid for on my monitor.
If I were a content provider, I wouldn't be so thrilled.
My single worst experience with iTunes was when I took the dive and spent that extra dollar to rent an HD movie. Just to find out a $5 movie on my $500 Mac Mini won't play on my $1,000 TV.
I haven't made a -single- Apple purchase since then. That's how badly HDCP pissed me off.
The problem of the price of goods in a competitive market falling to the marginal cost of production.
That's a problem for the people who produce goods that a new technology is busy reducing the marginal cost of production. It shouldn't be a problem for anybody else, but HDCP makes it so.
Which it failed spectacularly at by a) not doing anything to curb piracy, and b) pissing off actual consumers so much they'd rather pirate, c) being such "a bag of hurt" that it didn't get added to Apple's computers.
Blu-Ray on Windows is the single most user-hostile computing experience I've ever had. I stopped buying/renting blu-ray movies because I didn't feel like rebooting 3 times every time I wanted to play a disc, with the software treating me like a criminal the whole time.
Blu-Ray on standalone Blu-Ray players is the single most user-hostile entertainment experience I've had.
My Samsung BD-P1590 has had new fewer than 4 firmware updates, the last of which actually caused the player to crash on most of the Blu-Ray movies I try to watch. I rent from Netflix and I have literally had to rip the movie and stream it to my XBMC box in order to watch the movie because it wouldn't play on my Blu-Ray player.
Secondly, I've had to completely disable BD-Live because when the disc has those lame downloadable previews, it takes several minutes of just sitting at a spinning wheel or lame icon with nothing (apparently) happening. If I'm lucky the preview will download and play, but 90% of the time, the player just stays like that forever and the only button that works on the remote is Power.
Lastly, the unskippable previews really piss me off. I know that DVD had this as well, but it's seriously annoying that it takes 5+ minutes just to get to the menu to watch a movie. Many times I do sit and watch the previews while popcorn is popping or the wife isn't ready to watch yet, but when I want to skip them, I really should be able to.
So, despite the fact that I try to watch movie the authorized way, most of the time I find it easier to rip/stream the movie from a BD-ROM with XMBC than to actually use my Blu-Ray player.
I really feel bad for the non-techies that have to deal with all this mess without being able to find sneaky workarounds to get it to work properly.
I bought my first Blue-Ray the other day and the experience was terrible, I put the disk in and nothing happened.. I tried to play it in windows media center, no ball.. not in VLC.. there was no player included on the disk.
I had to download a 300meg trial of PowerDVD just to play a film I'd already paid for (I also had to update my graphics card for some reason, the computer had been playing HD content for months without needing that).
The experience on Blu-Ray is terrible. I have to sit through as much as 20 minutes of unskippable commercials before I get to the menu screen. They even show you commercials about how great movies are on Blu-Ray - even though they should know you already are a customer because you're watching a Blu-Ray. Not only that, some of the commercials are streamed over the Internet, which means they use your bandwidth without asking permission to download an unskippable commercial.
The experience is getting a bit ridiculous, and I personally hope someone writes a DeCSS for Blu-Ray so that we can uncripple this format.
Btw, I don't actually buy any Blu-Ray disks, I just have my Netflix account enabled for Blu-Ray and watch most movies in that format since it looks better on my HDTV.
I personally hope someone writes a DeCSS for Blu-Ray so that we can uncripple this format.
I've been using AnyDVD HD for a few years, but I have not had a Blu-Ray reader or writer until a couple of days ago and I have no Blu-Ray discs yet (Netflix, hurry up!). AnyDVD works great on DVDs and claims to work with Blu-Ray and HD-DVD formatted content. It's not free, unfortunately, but it's supposed to uncripple the format.
And before I get to far: I'm not a pirate, my use of AnyDVD HD is simple: I have a single SageTV Media Server (HTPC/DVR software) and I use extenders to play all of my video content on three televisions (meaning my TVs have one tiny low-power box yet all of my TVs can play a DVD or watch recorded content and live TV from my noisy HTPC tucked away in a rack in my basement). Without AnyDVD, I can't put a DVD in the basement server and play it on an extender upstairs. I was hoping to do the same with my new Blu-Ray player.
I think the problem with Blu-Ray, and AnyDVD has this issue as well, is that every disc has a slightly modified copy protection scheme that requires additional hacking to make a copy of it. I believe this requires a company like Slysoft, that makes AnyDVD, to constantly release updates for every new movie that is released.
For this reason, I doubt we'll ever see a public domain solution like DeCSS arrive. It's too bad.
... and Slysoft releases new versions about as often as the folks who write No Script do. Thankfully, for a while, they had a lifetime upgrade policy.
The funny thing is that I would have been a Blu-Ray early adopter if I didn't see this mess coming. I can't believe my parents purchased a player before I did.
To be slightly fair (and only slightly because I still think Blu-Ray sucks), Netflix does often get separate rental copies of movies that differ from the store-bought versions. They usually have more extraneous crap in front of the movie, since they are making less money off them in the long run.
But the load times alone make me want to throw my Blu-Ray player out of the window. It's a mind-numbingly slow experience in every way.
The load time with my old Sony Blu-Ray player was the same -- horribly slow. Unusable, IMHO.
Then I got a PlayStation 3. It made the kids happy and is radically faster playing Blu-Ray discs. If you're not a gamer be sure to get the optional "normal" bluetooth remote and you'll be all set.
I have a ps3 as well and most of my experiences with bluray have been pretty much the same as dvd with the exception of terminator 2 (skynet edition I think) which took forever to load.
The real problem is that I can't see much of a difference between the dvd version of a movie and the bluray version, if I have a choice for the same price I probably will buy bluray but otherwise the dvd upscaling works just as well for me.
This experience of quality differs greatly than that of a regular xvid rip and a hidef h264 rip which are actually quite noticeable.
The load times on my Sony PS3 are not that bad... But, I once had a Blu-Ray ask me if I wanted to download an update to it, and I was forced to download the update before I was able to watch the movie.
I think the bottom line is that Sony and the Blu-Ray disk manufacturers are treating our player devices like they own them. This is the same kind of thinking that caused the Sony Rootkit fiasco. What would people do if they found out that a Blu-Ray update caused their player to start reporting every movie they watched to a server (it probably already does)?
I wouldn't be so sure. This is exactly the experience I got in the first year of DVDs being available. (although the player was a bit lighter ;) ) After some time we got proper software for Windows and after that, there was DeCSS.
Just give it time. If there is useful content on Blue-Ray, people will use it and the experience will improve.
Just give it time. If there is useful content on Blue-Ray, people will use it and the experience will improve.
I thought we would have been there by now. DeCSS came out at about the time my parents upgraded from VHS to DVD. My parents just purchased a Blu-Ray player, so I'm thinking ... any day now. People have commented on how long it's taken to get the HDMI master key, but I'd argue it hasn't been that long. Despite some theoretical attack methods being published as early as 2001, there wasn't any reason because HDCP/HDMI was exotic for quite some time. Going back to the "My Parents" analogy: their first device to ever have an HDMI port on it was purchased earlier this summer. Both Panasonic devices, yet my dad has to power cycle the blu-ray player occasionally because the TV won't pick the picture up.
Here's my theory on how consumer electronic DRM cracking:
1) DRM or other scheme is created. It ticks off geeks/enthusiasts, but they largely deal with it. ...2) Despite itself, eventually it gains critical mass and a bunch of those geek's non-geeky parents buy devices and experience the same trouble. ...3) Geek children get constant phone calls from parents about why their new stuff doesn't work as well as their old stuff and ask said Geek Children to come over and fix it because they don't know what an HDCP Error is. ...4) One or more geeks get irritated enough with the phone calls to finally test that theoretical attack. ...5) Geeks everywhere find custom firmware for their parent's televisions and players and permanently solve the problem, while also recommending to their other non-technical friends precisely which model of TV and Blu-Ray to buy based entirely on its ability to have the play-back destroying copy-protection removed. The last part hasn't happened yet, but one can dream.
On one hand-side - yes, you're right. On the other - right now you have a choice of not seeing the movie at all, or maybe seeing it correctly in the next month thanks to this key.
One step at a time.
Also, there's a whole industry around copy-protection which won't go away in one day. Pretty much the best we can do right now, is make is obsolete by proving DRM is useless, while they will try to prove otherwise. DVD-s right now are a nice compromise where they did their job™, and we get the content as if it was not locked. (of course you still cannot skip the intros on "official players", but that's just an education issue - for example mplayer can play the movie itself without the added marketing crap)
Pretty much the best we can do right now, is make is obsolete by proving DRM is useless
The proof is in their own studies, really ... if they believe them. According to Big Media, piracy rates are incredible. It takes a few words in Google to find that everything that has ever been put behind DRM is available without it, for free (illegally, of course). The negative effects of DRM schemes are huge (see rest of comments).
There would be so many very cool things that have nothing to do with piracy if DRM wasn't part of the equation. And they can be done right now by breaking US law and circumventing whatever scheme is in place.
I guess Microsoft is still reeling about losing the HD format war to Sony! tbh, I think everyone knows that video streaming is the future and not physical disks. I give the format two years.
You know, some of us like to be able to watch a large block of multimedia data multiple times without chewing through bandwidth allocation, or spending exorbitant amounts of money on a high-end DOCSIS or crap-hardware VDSL connection.
I have several Blu-Ray discs, but I've loaned them (and my PS3) to my parents until I get around to getting a BD drive for my Linux box. I do miss watching video in 720p, though; interlaced DVD is unpleasant, to say the least.
Hulu and boxee would be nice for some things, if the streaming servers for baseball games wouldn't get bogged down, or something causes a stutter or pause as bandwidth runs thin.
Also, I get poor cell signal in my new ground-floor apartment, so my $80/mo cell bill providing service to my smartphone isn't doing me any good. I switched to using Google Voice for the time being, but that doesn't well if something's hogging bandwidth. (Just because I can rate control going out, doesn't mean I can rate control what's trying to come in from the other side of that pipe.)
I wired my apartment to avoid wifi noise, but 6Mb/s DSL just isn't good enough for some common network multitasking activities. DOCSIS in apartment contexts is a horrible choice; you quickly get too many people on the same loop. VDSL may or may not be available; tech says one thing after a test, phone company's system says another. With VDSL, though, I'll get tied to a crap router with a built-in 802.1x identifying key, so I can't use my own setup.
>(Just because I can rate control going out, doesn't mean I can rate control what's trying to come in from the other side of that pipe.)
Rate control of what's trying to come in from the other side of the pipe is half the point of putting voip traffic in its own QOS class. (The other half being rate control of data going out.) You may not be able to for some reason, but any good QOS system should let you do that.
Good point. Bluray will probably be the last optical media we'll have for movies, but I don't think it'll get replaced completely very soon, as there's a lot of places with consumers willing to pay for HD content, but without great enough bandwidth to stream them from the web.
Hi! I live in Australia, where the majority of people on ADSL2+ have speeds less than or equal to 4mb/s. Due to the geography (technically, topography) of our country, high-speed internet is particularly tricky to roll-out. Not for perhaps four years more will we have any speeds greater than there are now.
So your comment sounds particularly naive, in this part of the world.
I ostensibly have a 12Mbps connection, yet only get between 2-6Mbps depending on the time of day due to contention. And I live in an area with reasonably good broadband.
Things have a long way to go before a majority of westerners have access to solid, reliable 10Mbps connections.
You can't know that without knowing where I live. It's reasonably good by British standards, though perhaps not in an absolute sense.
My connection is somewhat above the surveyed "average" speeds and stability for the UK, as frequently reported in the media here. One such story puts the average true throughput of a 10-12Mbps DSL connection at around 3.3Mbps: http://www.digitalspy.co.uk/digitaltv/news/a251311/uks-avera... .. As mine is usually around 5-6Mbps (though dropping to 2-3 at peak, sometimes) my connection is, I believe, "reasonably good" by national standards.
> You can't know that without knowing where I live.
Yes, I can. It is an absolute measure. Yours may well be well above the average for the region or even the nation, but it is still not good. Mind, slightly tongue-in-cheek since estimating actual required level of service is a bit tricky. I meant it mostly in the sense of "do not let the telcos tell you that is 'good enough'".
Personally, I would put the "reasonably good" barrier for this day and age at about 20/10Mbps. (I pay about 40€ for a nominal 100Mbps - which, in a quick test right now, gives me 24/13Mbps to/from the UK, over Wi-Fi LAN).
I think the missing phrase is relative compared to the average. "Good" broadband in many parts (the majority?) of the US is still crap shoved upon citizens with no other choice but dialup.
Yeah, if you happen to live in a newly-wired building in a major city or suburb. But if you're talking about replacing TV or DVD/Blu-Ray, it's not about what the fastest guys have, it's about the slowest 5-10% have.
Even if you assume "everyone [and that's 1/3 the country] still on dial-up is such a late-adopter they're not even interested in HD yet", a lot of that broadband is less than 1 Mbps. And many broadband consumers have monthly bandwidth caps.
People with >1Mbps uncapped broadband is probably too small of a market to make purely digital distribution viable.
Yeah, if you happen to live in a newly-wired building in a major city or suburb.
The latter part of your statement is true. They're not wiring up rural areas. However, I live in a neighborhood that doesn't have a home newer than 30 years and am receiving AT&T U-Verse, 20Mbps down (and consistent).
I don't believe the future is in shiny discs. The near-future probably isn't in exclusive streaming video, but the longer term likely is. We're a few technological break-thrus away, perhaps, but for what my opinion is worth... I believe it'll get there.
That's certainly a very constructive and not at all trollish opinion to offer in a thread that is all about a popular distribution format for new movies.
I've had nothing but trouble with HDCP. I've used HDMI matrix switches to transport a video signal around the house. 40% of the time I get the HD snowstorm so have to reboot the TV to attempt a second handshake. This gives a low Wife Approval Factor. I believe they should stop torturing the paying punters, like me, and just be happy with the majority who pay and not the minority that don't. Also, before someone mentions the x billion lost per year, I doubt maybe the 100,000 that downloaded 'The Bounter Hunter' would of seriously bought it.
Also, before someone mentions the x billion lost per year
It's bizarre. Imagine a job where my customer complains about how ineffective my product is yet continues to shovel money at me. Wait, even worse, my product makes their customers miserable and yet they still shovel money at me. It sort of sounds like the business model of a crack dealer.
The comments so far are just about HDCP, Blu-Ray and playback difficulties.
The paste however contains the key matrix used to encrypt and decrypt the digital video signal. If this is valid, every transmission between a HDCP-secured playback device and the display can be decrypted, thus rendering every other encryption method, used in the playback chain, useless, including AACS and BD+.
This is serious, because the keys for AACS can be revoked, if compromised. HDCP keys however can't be revoked.
It doesn't completely render BD+ useless, as BD+ can be used to watermark the video signal according to the player model (and hypothetically other variables, like location, IP address, or player serial number). So, to avoid identification, pirates would need to crack BD+, or combine the output from multiple players to obscure the watermarking.
Another problem with cracking the transport instead of the storage medium, is that to rip from HDMI you have to play the movie at normal speed, while ripping straight from disc can be done much faster.
Worth noting (again, assuming this is credible): Version 2.0 of HDCP is likely not affected.
According to their FAQ: http://www.digital-cp.com/faqs
"HDCP revision 2.0 uses industry-standard public-key RSA authentication and AES 128 encryption. It also supports protection of compressed content, making it feasible to use relatively slow 50 to 200 Mbps interfaces."
... and ...
"HDCP 1.x technology offers protection for uncompressed content transmitted over several common wired interfaces including DVI, HDMI and DisplayPort. HDCP revision 2.0 adds strengthened encryption..."
"The wireless interfaces which utilize HDCP revision 2.0 so far include: Digital Interface for Video and Audio (DiiVA), NetHD, Wireless Home Digital Interface (WHDI), and Wireless HD (WiHD)."
Maybe it'd work better for folks like me who shop at big&tall stores... We have the perfect body for this t-shirt. Finally, all my McDonald's days are about to pay off!
I was a minor participant in the tvtime project years ago. HDMI and HDCP came around and made that kind of thing highly improbable for HD content. CPUs and GPUs are now at speeds that make advanced HD video manipulation practical. I hope this HDCP crack, if verified, makes a tvtime-like application for HDMI video possible. Better yet, a PC-based realtime compositing and overlay system, requiring only a $100 GeForce GPU and HDMI capture cards.
HDCP key exchange is very weird cryptosystem. Usually you generate some essentially random private key and trivially derive public key from it. In HDCP, it works other way around: central authority has ability to convert (random) public keys to private keys using some secret information (purpotedly this matrix). Motivation of this design is twofold: (a) actual hardware implementation is simple and (b) this central authority can impose varios policies about who gets private keys. On the other hand both these points make this cryptosystem very weak.
Therefore, this matrix may not even be leaked, but somebody might reconstruct it from relatively small number (I don't remember exact required number, but i recollect that it is at most thousands) of keypairs recovered from devices in circulation.
By the way similar mode of deployment was once recommended for RSA (having shared modulus whose factorization is known to central authority), but it is long known to be insecure (for RSA). I don't know of any non-HDCP related analysis of public key cryptography based on similar approach as HDCP (vector summing or matrix multiplication, depending on viewpoint), which probably means that it is very well known to be insecure.
Edit: and for the key update: you would have to update all deployed keys simultaneously, which is probably impossible. Moreover HDCP does not even specify any kind of infrastructure to accomplish this.
> Therefore, this matrix may not even be leaked, but somebody might reconstruct it from relatively small number (I don't remember exact required number, but i recollect that it is at most thousands) of keypairs recovered from devices in circulation.
According to Wikipedia, you only need to collect 39 Dragon Balls to reconstruct the master matrix.
They didn't actually invent their own crypto system. They used the scheme devised by Swedish cryptographer Rolf Blom, know as Blom's Scheme. Which is a form of "threshold secret sharing". It has been known for quite some time that the system falls apart once a particular number of keys are known.
I assume that each device should have it's own keypair, but it is only my assumption. I recall that HDCP somehow "does not work as intended" (whatever that means) when both devices have same key. And as for the ~50 number, that seems likely, I vaguely recollect that the required number was 40 (probably for 50% chance of success), but I don't remember the exact details and assumptions for this attack, so I take "at most thousands" as safe overestimation. Also I expect that time complexity of this attack (which is probably not exactly fast, as it entails solving pretty large system of equations) decreases with more known keys.
Credibility is less because it was posted anonymously as a dump of hex to paste-bin, therefore eliminating any authority that would come if this person was a well-known security researcher. If the author had credibility and wanted to use his/her reputation to make the post more credible, he'd have the pleasure of a herd of lawyers and law enforcement at his door, assuming that he lives in a country with anti-circumvention laws. So his only choice is to keep it to himself or post anonymously, taking away any credibility that comes with authority in a subject.
Regardless, someone will test this soon enough and determine if this non-credible post is credible or just a creative bunch of social engineering. That it's garnered this much attention this quickly (take a look at your major social news sites ... and tech blogs) should scare industry insiders. The mere HOPE that some random posting on pastebin would topple HDCP and bring a possible end to device interoperability would get this much attention truly highlights what a dismal mess HDCP is. If it's The Real Thing(tm), we'll know when the master key is used to generate a random device key and 80% of the time the signal is decrypted properly without having to turn both devices off and back on.
And if it is true, I hope our friend that posted it took some pretty serious precautions to protect his own anonymity.
That's the wonderful thing about math. You can verify its correctness without reference to anybody's reputation or personal opinion. Indeed, that's pretty much the definition of math.
Of course you can verify if it's valid, but that's remarkably short of what's being claimed here. Lots of folks here are talking as if this is the end of HDTV DRM. I'm simply advocating that someone with the means actually test it before we start singing "Ding Dong The Witch is Dead."
http://www.cs.rice.edu/~scrosby/pubs/hdcppaper.ps
http://www.cypherpunks.ca/~iang/pubs/hdcp-drm01.pdf
Here's the fun bit:
"We observe that attackers can exploit a well-known cryptographic design mistake: the shared secret generation is entirely linear. The attack only needs 40 public/private key pairs such that the public key pairs span M ⊂ (Z/256Z)40, the module generated by all public keys. Since HDCP devices divulge their public keys freely, one can easily test whether a set of 40 devices have public keys spanning M before expending the effort to extract their private keys. With these keys, the authority’s secret can be recovered in only a few seconds on any desktop computer."
Edited to add the next paragraph (paper was published in 2001):
"The consequence of these flaws is that, after recovering the private keys of 40 devices, we can attack every other interoperable HDCP device in existence: we can decrypt eavesdropped communications, spoof the identity of other devices, and even forge new device keys as though we were the trusted center. Note that this allows us to bypass any revocation list or “blacklisting”: such mechanisms are rendered completely ineffective by these flaws in HDCP. Therefore we recommend that the current HDCP cryptosystem should be abandoned and replaced with standard cryptographic primitives."