FC: Dutch crypto whiz broke dig-vid scheme -- but won't publish?

From: Declan McCullagh (declanat_private)
Date: Tue Aug 14 2001 - 13:50:13 PDT

  • Next message: Declan McCullagh: "FC: RAND author replies to Politech post on terrorism-facecam paper"

    Description of the "High-Bandwidth Digital Content Protection" scheme:
    
    http://www.dvddemystified.com/dvdfaq.html#1.11
    >The HDCP key exchange process verifies that a receiving device is 
    >authorized to display or record video. It uses an array of forty 56-bit 
    >secret device keys and a 40-bit key selection vector -- all supplied by 
    >the HDCP licensing entity... Once the authority of the receiving device 
    >has been established, the video is encrypted by an exclusive-or operation 
    >with a stream cipher generated from keys exchanged during the 
    >authentication process. If a display device with no decryption ability 
    >attempts to display encrypted content, it appears as random noise.
    
    This may be the spec itself, though I couldn't actually get to it:
    http://www.ddwg.org/data/dvi_10.pdf
    
    More background on HDCP:
    http://www.wired.com/news/print/0,1294,41045,00.html
    >The content is encrypted with a High Definition Copy Protection (HDCP) 
    >system JVC developed that is similar in function to the Content Scrambling 
    >System (CSS) on a DVD. The HDCP system can't be broken, however, because 
    >only high definition sets will have the HDCP decoder, according to Dan 
    >McCarron, national product specialist in JVC's color TV division... DVI 
    >ports on PCs will not have the HDCP decoder, so PCs can't be used to break 
    >HDCP like it did with CSS.
    
    -Declan
    
    *******
    
    Date: Tue, 14 Aug 2001 13:18:26 -0700
    From: Gabriel Rocha <grochaat_private>
    To: Declan McCullagh <declanat_private>
    
    http://www.securityfocus.com/templates/article.html?id=236
    
    Video crypto standard cracked?
    
        Noted cryptographer Niels Ferguson says he's broken Intel's vaunted
        HDCP Digital Video Encryption System, but fear of U.S. law is keeping
        him silent on the details.
    
        By Ann Harrison
        August 13, 2001 10:14 PM PT
        ENSCHEDE, NETHERLANDS--A Dutch cryptographer who claims to have broken
        Intel Corp.'s encryption system for digital video says he will not
        publish his results because he fears being prosecuted or sued under
        the Digital Millennium Copyright Act.
        Niels Ferguson announced last weekend that he has successfully
        defeated the High-bandwidth Digital Content Protection (HDCP)
        specification, an encryption and authentication system for the DVI
        interface used to connect digital cameras, high-definition
        televisions, cable boxes and video disks players.
        "An experienced IT person could recover the master key in two weeks
        given four standard PCs and fifty HDCP displays," said Ferguson. "The
        master key allows you to recover every other key in the system and
        lets you decrypt [HDCP video content], impersonate a device, or create
        new displays and start selling HDCP compatible devices."
        Ferguson, who announced his results at the Hackers At Large 2001 (HAL)
        security conference, is not providing details of how he defeated HDCP.
    
        [...]
    
       Intel has not threatened him in any way, says Ferguson. But he says he
        was informed by a lawyer from the San Francisco-based Electronic
        Frontier Foundation (EFF) that he could be sued or prosecuted under
        the DMCA for publishing his research, even on his own Web site. And if
        Intel chooses not to sue, Ferguson fears that the motion picture
        industry, whose movies are encrypted with HDCP, may haul him into
        court.
    
        [...]
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 13:59:18 PDT