[ISN] Re: Criminal conduct and "cryptography." (Adobe vs. Sklyarov)

From: Eric Rescorla (ekrat_private)
Date: Wed Jul 18 2001 - 14:54:33 PDT

  • Next message: Bill Scannell: "[ISN] www.boycottadobe.com is on the air"

    "Jay D. Dyson" <jdysonat_private> writes:
    > 	As Weld Pond of @stake (formerly the l0pht) has noted, the dire
    > predictions made on the quality of digital content protection in the
    > age of DMCA have come to fruition.  Where there could have been honest and
    > accurate peer review, we now have little but more snake oil being pawned
    > off as "secure."
    > 
    > 	To review Sklyarov's presentation on how trivial it is to bust
    > Adobe's "encryption," please see the following URL:
    > 
    > 	http://www.treachery.net/~jdyson/ebooks/
    > 
    > 	Take a look at the findings there.  You will be amazed as well as
    > sickened that any self-respecting company could call this tripe
    > "protection."
    > 
    > 	It's a sad day when it's cheaper to make a shoddy product and rely
    > on law enforcement to protect your product than it is to make a decent
    > product in the first place.  Bottom line is thus: all of us -- regardless
    > of whether we use Adobe's products -- are now paying fees (taxes) to
    > assure that their product is protected.
    It seems to me that the quality of the encryption is a side issue
    in this case.
    
    In general, DRM systems of this type need to be concerned with
    two classes of attacks:
    (1) content recovery by unauthorized users (i.e. random individuals
    who get access to the encrypted content)
    (2) content recovery by authorized users (i.e. people who are 
    authorized to view the content in some authorized device but
    not to extract the raw plaintext, etc.)
    
    The quality of the encryption being used only applies to attackers
    of type (1) since attackers who have the key will be able to recover
    the plaintext no matter what the encryption algorithm is, provided
    that they know the algorithm. It's not in principle any more difficult
    to reverse engineer a binary implementing a strong algorithm than one
    implementing a weak one.
    
    As far as I can tell, ElcomSoft's decryption utility requires the
    user to input the password. Therefore it would only be of use
    to attackers in class (2). While the encryption is admittedly bad
    the situation wouldn't be any better from Adobe's perspective
    if the encryption were good.
    
    Similar comments apply to CSS--although it uses a weak algorithm
    which could in principle be exhaustively searched, this isn't necessary
    since a key has been recovered by reverse engineering an authorized
    decoder.
    
    Why bother to make this distinction? Because eventually we'll run
    into a DRM system which uses a strong encryption algorithm. It will
    still be breakable since we don't know how to protect against attackers
    of class (2) but we won't be able to say "hey, these losers are
    using ROT13". We might as well start fighting that battle because
    we'll need to soon enough in any case.
    
    -Ekr
    
    
    
    
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email isn-unsubscribeat_private
    



    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 02:41:50 PDT