Felix von Leitner on the DVD CSS crack

from TBTF for 1999-11-21

1. It is difficult (next to impossible) to copyright digital content. So the film industry decided to implement a copy protection scheme (it does not matter if it works or not) and legally protect that. Then, if anyone copies a DVD, they can sue him on violating the copy protection rights.

2. Like most clueless consortia, they did not ask an expert but defined their own encryption. This should remind everyone of the spectacular failures that previous consortia suffered with this strategy (notably the GSM mobile telephony "encryption" and the pay TV standards). Actually there is a conspiracy theory that the film industry deliberately made the standard weak so they more people would break it and they could get more money out of the combined lawsuits. An interesting side-note is that they actually did ask an expert (at least one expert, the Intel security officer who designed the DVD key exchange with the 409 player keys). That expert told them that their cryptography was weak and they did not listen to him.

3. The algorithm was proprietary and unpublished. But once software players can decrypt the DVD you can read the decryption key and binary code from your computer's RAM and look at it. It is vital to understand that no amount of obfuscation or "encryption" can prevent this. If the computer can decrypt the DVD, the decryption code must be visible to the processor and then it is also visible to the attacker. To blame the DVD crack on Xing shows an amazing amount of incompetence. Xing probably is the party with the least "guilt" (if you can talk about guilt in the first place).

4. Some warez cracker group disassembled the decryption code gleaned from the Xing player and decompiled it back to C code. This C code was anonymously published around the world. Among others, the mailing list of the Linux DVD development effort was one of the recepients.

5. A cryptographer got hold of this code and wrote a program that would crack the code by trying all the keys within a single day. That program would crack a key in at most 17 hours, that is after 8.5 hours average running time it would have found the key. This is notable because it shows just how bad the encryption is. The DES crack took eight days on 40 machines, this crack takes 8.5 hours on one machine. And DES is nowadays regarded as too weak because of that.

6. The next day the same cryptographer had found and implemented an attack that would find a key within a fraction of a second if you know 6 bytes of decrypted output.

7. It was later found that the attack can be enhanced to work with 5 known output bytes. These 5 bytes are known if you watch an encoder successfully decrypt a DVD! The new attack takes 5 seconds.

8. The DVD encryption works like this: each DVD is encrypted with a randomly generated session key. This key is encrypted with 408 different "player keys", each of the encrypted keys are stored in a sector on the DVD. Each player vendor must have registered with the DVD consortium and received a player key. It can then decrypt all the encrypted session keys with its player key and check if it got the right one against a hash value that is also stored on disk. The rationale is that, if a player key is compromised, you can fabricate future DVDs without the session key with that player key, i.e. you can retract keys.

9. 5 seconds and 408 keys means that you can decrypt all player keys in about 30 minutes. The next day someone published "a few hundred random numbers" with the comment that the generation took 30 minutes. That means that CSS has been completely broken. This was the event that caused the DVD consortium to unleash their lawyers. If the DVD consortium would replace all the player keys on future DVDs, then it would only take another 30 minutes to break them all, and all the people who have bought DVD players from Sony, Panasonic, whatever, would have to bring them in for replacement.

10. The absolute killing stroke was delivered the next day when it was found out that you can retrieve the session key just by using the hash value that players use for verification in a mere 20 seconds! That is even if the DVD consortium would change the DVD player keys every few months, CSS would still be broken, and there would even be no manual intervention when someone needs to invest the 30 minutes of CPU time to crack all the player keys.

Conclusion: CSS is amazingly weak. They did almost everything wrong. The only thing they did right was the retraction scheme for DVD player keys. I couldn't point at any other thing that they could have done worse than they already did.

What I find very worrisome about this is that the consumer has to pay all the money that was wasted on devising and implementing CSS. And now the film industry is hunting the wrong people with their lawyers. The reverse engineers posted the stuff anonymously, so the lawyers are going after the Linux developers who had nothing to do with the whole issue besides that it was posted on their mailing list.

It is interesting to note that the code came from different players. While the player key came from the Xing player, the authentication code came from another player, rumours say it was the Cinemaster player, and the CSS code comes from an unknown player. At any time there were at least 5 teams working on extracting the code from different players.

This was not just some kid stumbling upon on a weakly encrypted Xing key as the media reported.

Felix

Created 1999-11-19