
AACS Device Key Found

henrypijames writes "The intense effort by the fair-use community to circumvent AACS (the content protection protocol of HD DVD and Blu-Ray) has produced yet another stunning result: The AACS Device Key of the WinDVD 8 has been found, allowing any movie playable by it to be decrypted. This new discovery by ATARI Vampire of the Doom9 forum is based on the previous research of two other forum members, muslix64 (who found a way to locate the Title Keys of single movies) and arnezami (who extracted the Processing Key of an unspecified software player). AACS certainly seems to be falling apart bit for bit every day now."

  • by Anonymous Coward on Saturday February 24, 2007 @07:59PM (#18137834)
    http://en.wikipedia.org/wiki/Advanced_Access_Content_System [wikipedia.org]

    I'd like to direct your attention to this excerpt: "This approach allows licensors to "revoke" individual players, or more specifically, the decryption keys associated with the player. Thus, if a given player's keys are compromised and published by an attacker, the AACS licensing authority can simply revoke those keys in future content, making the keys/player useless for decrypting new titles. However, if the attacker doesn't publish the compromised player key, the AACS licensing authority doesn't know which key is compromised, and it can not revoke it. An attacker can use his/her player key to get title keys of several movies, and publish the title keys or the decrypted movies, without risk of revocation of his/her player key."

    So, thank you to whoever published the device key: You're an idiot.
  • Wrong verb tense! (Score:3, Informative)

    by mrchaotica ( 681592 ) * on Saturday February 24, 2007 @08:11PM (#18137924)

    What do you mean, "will result?" It already has resulted in hardware DRM -- if you have Vista and a machine with a TPM, it's already there!

  • Re:Okay that does it (Score:5, Informative)

    by guruevi ( 827432 ) on Saturday February 24, 2007 @08:17PM (#18137968)
  • Re:Okay that does it (Score:2, Informative)

    by Anonymous Coward on Saturday February 24, 2007 @08:18PM (#18137978)
    AFAIK, it goes as follows:

    Each player (software or hardware) has a key, or actually a tree of keys. Some ingenious trickery is being used so that each player can have its own key, but that isn't done on software players (because it would be a pain to enforce it so each downloader gets a different key).

    The disc contains title keys for various player keys. When the player wants to play a disc, it takes its player key, decrypts the disc's title key with it, and decrypts the content with the title key.

    Now, two things can happen with hackers in the loop. Either the title key gets sniffed from memory, or the player key does. If the hackers get the title key, the disc can be decrypted by anyone. If the hackers get the player key, any disc that can be read by that player can also be decrypted by anyone.

    The logical thing for the *AA to do once they discover that a player key has been leaked is to blacklist that player from future discs - just exclude that one player key. Because of the tree trickery, this is easier than it seems (though I'm not completely sure how it works), so they don't have to have billions of omitted keys.

    So the hackers should release the (less powerful) title keys (which aren't bound to any particular players, and thus the *AA can't find out which player has been compromised), or give out player keys to software players they know can never be completely secured. In this case, it seems they've done the latter. If the *AA blacklists WinDVD 8, the hackers can just go download the update all the good consumers need to keep playing their discs, and then just coerce the new key out of it. Rinse and repeat. The only way to stop it is to have a watchman in your CPU - hardware DRM - to keep potential hackers from peeking at the player's memory.
  • Re:Miserable? (Score:5, Informative)

    by dangitman ( 862676 ) on Saturday February 24, 2007 @08:32PM (#18138116)

    But then, I'm not trying to do something with it that I shouldn't,

    So, am I not "supposed" to watch my DVDs on my old TV? The macrovision protection makes the picture nearly unwatchable. The TV is very nice, and does the job well. Why should I have to throw away a perfectly good TV and buy a new one just to watch a DVD? It doesn't make any sense - if I have to buy a new TV, that's less money for me to spend on DVDs, so the copy protection would actually reduce their sales.

    Likewise, have you never bought a DVD from another country? If you're not supposed to do that, then why can I buy DVDs from another country? Sure, you can get region-free DVD players, but not everybody has one - and with "RCE" protection, some titles won't even work on some region-free players. And region-free players are technically illegal in some places.

    I also like to watch movies but some titles won't let me go straight to the movie, and instead force me to sit through unskippable ads and FBI warnings. I even had one disc that I bought, which made me sit through a quite long lecture about the evils of piracy, telling me how people who copy DVDs are funding terrorism and destroying the industry. Ironically, it was quite simple to make a copy of that DVD, with the anti-piracy ad removed. If they didn't have that unskippable propaganda at the beginning. If I ever get another disc with that ad, I'm going to return it as defective. I paid to watch the movie, not to be lectured by propaganda.

  • Re:Okay that does it (Score:5, Informative)

    by flooey ( 695860 ) on Saturday February 24, 2007 @08:42PM (#18138212)
    How many keys are there? Why aren't there just one? What's the difference? IS there any difference?

    AACS uses a bunch of different keys in a hierarchical structure. Gradually, the cracks have been revealing keys higher and higher up the food chain. As I understand it, this is a bottom-up description of AACS's key structure:

    At the lowest level, every piece of content is encrypted with a Title Key, which is unique to at least an individual title, possibly a particular printing of the title. The original cracks revealed the Title Keys for individual titles one at a time. These can be used to decrypt the content, but don't break the scheme, just the encryption on an individual piece of content.

    The Title Key is stored on the actual media, encrypted by the Volume Unique Key, which is unique to a given title.

    The Volume Unique Key is the result of a keyed hash of the Volume ID (stored on the media) and a Media Key, which is unique per title.

    The Media Key used is generated by combining the Media Key Block (stored on the media) with a key unique to the decrypting device. Each device has a different key, but generates the same Media Key.

    I'm not entirely sure why so many keys are used, but that's basically how the scheme works. Previous cracks were based on revealing keys that were title-specific. This one has revealed a device-specific key, which means that until the key is revoked, which would cause all future discs to no longer play on that particular player, any piece of content can be completely decrypted.
  • by swillden ( 191260 ) * <shawn-ds@willden.org> on Saturday February 24, 2007 @09:02PM (#18138352) Journal

    Breaking a major hardware player is a big deal, however breaking a software player is fairly trivial in the long-run as long as it can be upgraded.

    Breaking a single hardware device won't be a big deal, either, since the key revocation scheme allows that single player to be revoked (not the brand, not the model, not even the factory batch -- that single, specific physical player). What would be big would be finding a way to easily extract the keys from a model, or, even better, a whole class of players. Then, the hackers could just do a player every few weeks, and the worst case for those of us who like to back up the movies we buy is that we'd have to wait a few weeks after the release before we could back it up.

    The way AACS key revocation works is that there is a massive binary tree of binary trees of possible encryption keys. The "main" tree is 31 levels deep (allowing for 2^31 possible player devices) and each node has a number of "shadow" trees associated with it (specifically, nodes in layer n of the main tree have n-1 shadow trees). Each player is given a carefully selected and unique set of ~500 keys, from which it can derive an enormous number of keys -- almost every key in that big tree of trees, in fact.

    The "almost" in the last sentence is important.

    Assuming no players are revoked, each disk need only have a few copies of the media key[1], each encrypted with a "processing" key high up in the tree. All players have keys needed to derive[2] these processing keys. When a player is revoked, the publishers carefully select a set of processing keys to use so that every player *except* the revoked player can derive the processing keys. There's a fairly simple algorithm to select such a set of keys, and the structure of the trees ensures that for any set R of revoked players, no more than 2|R| processing keys need to be used (|R| means "size of R", in case that's not obvious).

    Each encrypted copy of the media key consumes 32 bytes of disk space, so, assuming a million players have been broken and revoked, each new disk will "waste" 32 MB on encrypted media keys. Given the capacity of HD-DVD and Blu-Ray disks, 32MB is a pittance, so it really is practical for publishers to revoke every key that is extracted and published -- the hard part will be finding them all.

    ANY software player will have to put their key in memory at some point while it's running, the new key will be found quickly. And the keys for almost all software players will be found.

    Yep, that's a seriously hard problem to solve -- especially when you consider that time and manpower are 100% on the side of the attackers. The attackers have a disadvantage in that they have to work with binary-only code, but if this goes on for long enough, I'll bet the major software players will be so thoroughly reverse engineered that this will cease to be a very meaningful disadvantage.

    Large-scale DRM simply cannot work. If you give the devices to enough interested and technically skilled people, they will be broken again, and again, and again.

    And, of course, if publishers *did* somehow manage to get ahead of this game, it would just mean that the hackers would keep the keys to themselves, publishing them only to small groups of trusted friends -- all of whom would be ripping movies like mad and making torrents available so that everyone else can get them.

    [1] The Media Key is used to encrypt the title keys, which are used to encrypt the titles. There are generally multiple titles per disk -- usually one for the main feature, and others for each of the extras, some for bits of the animated menus, etc. I've been puzzling over exactly how many copies of the media key are required in the no-devices-revoked case, and I haven't been able to figure it out yet. An answer and explanation from someone who understands this stuff well would be appreciated.

    [2] The keys given to the players are called "device keys". The players l

  • Re:Okay that does it (Score:5, Informative)

    by flooey ( 695860 ) on Saturday February 24, 2007 @09:20PM (#18138498)
    This key doesn't really add anything to what's already done. They could already decrypt every movie by simply sticking it in the player and extracting the key, all this does is make it possible to make a standalone tool to decrypt discs (until they revoke this key, anyway). But if you don't mind breaking the DMCA in the first place, how many would have moral problems getting a copy of WinDVD to extract the key anyway? This really is non-news.

    It's more news in that it could make HD content decryption as universally accessible as DVD decryption currently is. A lot of people might want to extract their HD content but not have the know-how or motivation to do anything beyond "download this program, hit start", though it's less news since I've heard there are already programs that will do that using a list of title keys that's periodically updated over the Internet.
  • by swillden ( 191260 ) * <shawn-ds@willden.org> on Saturday February 24, 2007 @09:27PM (#18138546) Journal

    Each encrypted copy of the media key consumes 32 bytes of disk space, so, assuming a million players have been broken and revoked, each new disk will "waste" 32 MB on encrypted media keys.

    Correction -- If a million players are revoked, up to *two* million copies of the media key will be required, consuming 64MB of space on each disk. However, that's only if the million broken devices are selected so that revocation is maximally inefficient. If they're selected at random, on average only ~1.25M MKB entries are required, so only 40MB of the disk must be used for MKB entries. That's 0.2% of a single-layer HD-DVD and 0.08% of a dual-layer Blu-Ray. Or, it's about 20 seconds of HD video, assuming that a single-layer HD-DVD will hold two hours. If a dual layer Blu-Ray disk contained video encoded at such a high bit rate that it would only hold two hours, the MKB block would eat up space equivalent to six seconds of video -- and that's with a *million* revoked keys.

    In practice, of course, the time unavailable for video will never be a problem. If the movie and the MKB can't both fit, you just tweak the encoding to drop the average bitrate by 10-20 kbps. When you're encoding normally at 8,000-20,000 kbps no one will be able to see the reduced quality. Also, even regular DVDs are rarely within 100MB of being full. There's plenty of room available for "large" MKBs.

  • by swillden ( 191260 ) * <shawn-ds@willden.org> on Saturday February 24, 2007 @09:39PM (#18138640) Journal

    Making a key per player copy is infeasible. How would you do that? Basically, every disk would need to have the data encrypted with each player's key. That number would be in the millions.

    It's not only feasible, it's exactly what AACS does. Each player has about 500 keys from which it can derive billions more, all structured so that a disk only needs a small number of media keys encrypted with "processing" keys, which the players can derive from the device keys they have. The number of copies of the media key that must be present on each disk is guaranteed to be no more than 2r, where r is the number of individual players that have been revoked. On average, only 1.25r media keys are required.

    Though the application is evil, the "subset-difference tree" concept used to make all this work is a very cool bit of math.
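
The revocation cover described in the comments above, worked through as an added example that is not part of the original thread. It is the generic subset-difference cover from the Naor-Naor-Lotspiech scheme on a toy binary tree, not AACS's actual MKB format; the heap-style node numbering (root is 1, children of v are 2v and 2v+1) and all function names are assumptions made for illustration, and no keys are involved.

```python
from bisect import bisect_left

ENTRY_BYTES = 32  # per-entry size quoted in the comments above


def leaf_span(node, height):
    """First and last leaf number under `node` (heap numbering, root = 1)."""
    shift = height - (node.bit_length() - 1)
    return node << shift, ((node + 1) << shift) - 1


def sd_cover(revoked, height):
    """Cover every non-revoked device with subsets (i, j), each meaning
    'all leaves under node i except those under node j'.
    (1, None) is the special 'every device' subset used when nothing is revoked."""
    leaves = sorted({(1 << height) + d for d in revoked})
    if not leaves:
        return [(1, None)]
    out = []

    def walk(node, group):
        # Returns the node that stands for all revoked leaves below `node`.
        if len(group) == 1:
            return group[0]
        left, right = 2 * node, 2 * node + 1
        split = bisect_left(group, leaf_span(right, height)[0])
        lgrp, rgrp = group[:split], group[split:]
        if not lgrp:
            return walk(right, rgrp)
        if not rgrp:
            return walk(left, lgrp)
        # Revoked leaves on both sides: emit at most one subset per side,
        # then treat this node as a single revoked unit further up.
        for child, grp in ((left, lgrp), (right, rgrp)):
            rep = walk(child, grp)
            if rep != child:
                out.append((child, rep))
        return node

    rep = walk(1, leaves)
    if rep != 1:
        out.append((1, rep))
    return out


def devices_covered(cover, height):
    """Expand a cover into the set of device numbers it authorizes."""
    ok = set()
    for i, j in cover:
        lo, hi = leaf_span(i, height)
        span = set(range(lo, hi + 1))
        if j is not None:
            jlo, jhi = leaf_span(j, height)
            span -= set(range(jlo, jhi + 1))
        ok |= {leaf - (1 << height) for leaf in span}
    return ok


def mkb_bytes(cover):
    """Disc space used by the cover at 32 bytes per entry."""
    return len(cover) * ENTRY_BYTES


if __name__ == "__main__":
    # Constructed input: 16 devices, devices 3 and 4 revoked.
    cover = sd_cover([3, 4], 4)
    print(cover, sorted(devices_covered(cover, 4)), mkb_bytes(cover))
```

Two adjacent revoked devices under the same parent collapse into a single entry, while revoked devices spread across the tree approach the worst case of 2r - 1 entries.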

  • Re:Wrong verb tense! (Score:5, Informative)

    by swillden ( 191260 ) * <shawn-ds@willden.org> on Saturday February 24, 2007 @09:51PM (#18138728) Journal

    What do you mean, "will result?" It already has resulted in hardware DRM -- if you have Vista and a machine with a TPM, it's already there!

    No, actually, it isn't. While the TPM could be used to "seal" the HD-DVD/Blu-Ray player device keys to a given boot state, the decryption of the disk contents would still have to be done using the main processor (TPMs don't do bulk decryption, don't know anything about AACS, and aren't programmable to teach them how to do the AACS key derivation/decryption scheme).

    Also, I don't know that Vista is really TPM-aware.

    In the near future, it may become the case that if you have (a) Vista + some service pack, (b) a TPM and (c) a processor with hardware virtualization support (Intel VT/AMD-V), then your HD-DVD/Blu-Ray player may run on a separate virtual machine which your main OS has no access to and which you therefore cannot debug, and the TPM may be used to seal the device keys to the particular software in that VM, so that no other piece of software has any reasonable hope of retrieving them.

    Collectively, BTW, (a), (b) and (c) above are known as Palladium, aka NGSCB.

    Personally, I think it's more likely that your video card may gain an AACS subsystem, so your PC would feed the data stream from the disk to your video card, which will decrypt the data and display it. The video card would then have to have a way to securely transfer the audio stream to your sound card. Or maybe your sound and video card will negotiate secure data connections to your HD-DVD-ROM drive and the drive would do the AACS stuff and feed it securely to your output devices, so that your main processor never gets to see an unencrypted copy.

    There are ways to make software players more secure, but a TPM alone is insufficient, unless the OS is airtight, unhackable/modifiable even by the administrator. Given Microsoft's track record with making an OS unhackable by random people around the world with no privileges on the box at all, I don't think that's going to happen.

  • by Kadin2048 ( 468275 ) <slashdot.kadin@xox y . net> on Saturday February 24, 2007 @10:05PM (#18138842) Homepage Journal
    Each individual PS3 unit has a different key.

    This is not the case. The media key block on the HD discs contains the media key, encrypted with several hundred device keys. There's not nearly enough room in the key block to have an individual key for each player produced, it's just enough for each model, or perhaps each hardware revision / production run of each model.

    There are a finite number of keys on each disc. The way keys are "revoked" is by simply not using that key on any new disc pressings. A disc made (prior to) today, on which the key block contains a compromised key, have been well and truly cracked.
  • Re:Okay that does it (Score:2, Informative)

    by alphamugwump ( 918799 ) on Saturday February 24, 2007 @10:21PM (#18138922)
    The ultimate key would be AACS-LA's Root Key. If they could find that one, hollywood would have to revoke everything. Every player in the world would stop playing new disks. If they had the balls to do it.

    But this key is enough to decrypt any DVD currently on the market. Unlike before, you don't need a copy of windvd, you could write a standalone program for linux. Previous keys were specific to each movie, and you had to do a ram dump on windvd to find them.
  • by Jah-Wren Ryel ( 80510 ) on Saturday February 24, 2007 @11:48PM (#18139594)
    There are a finite number of keys on each disc. The way keys are "revoked" is by simply not using that key on any new disc pressings. A disc made (prior to) today, on which the key block contains a compromised key, have been well and truly cracked.

    It is actually more sophisticated than that, relying on each individual unit having a certain set of 512 keys out of a billion or so, and then enabling only a subset of possible keys on each disc in the MKB. The trick is once they know the specific unit they want to disable, they enable a set of keys in the MKB on the disc such that all the "good" players have at least one key in the MKB but the "bad" player does not.

    See this about NNL in AACS [archive.org]

    That's how it could work in theory. In practice it's going to be hard to identify any compromised hardware players such that they can be revoked and chances are they have not been distributing keys with unique combos per player yet (if they ever do).

  • Re:Miserable? (Score:3, Informative)

    by TheoMurpse ( 729043 ) on Sunday February 25, 2007 @02:11AM (#18140662) Homepage

    And region-free players are technically illegal in some places.
    At least in the US, they are never illegal to possess. The only illegality involved with region-free players is that the manufacturer of the player signed an agreement to obey region encoding in order to license the technology (MPEG2 decryption probably, plus to use the DVD consortium's trademarks). Thus, manufacturing a regionless player may or may not be illegal. Possessing one is definitely legal in the United States.
  • Re:Miserable? (Score:4, Informative)

    by lgw ( 121541 ) on Sunday February 25, 2007 @04:21AM (#18141400) Journal
    Region Coding [arstechnica.com] seems to be the future for HD-DVD, however. Save your current player if you have one.
  • Re:Miserable? (Score:3, Informative)

    by lgw ( 121541 ) on Sunday February 25, 2007 @04:25AM (#18141422) Journal
    You *do* know you can buy a RF encoder for like $20 and hook your DVD player in through that, right? Not that you should have to, but things being what they are it might be handy.
  • by Air-conditioned cowh ( 552882 ) on Sunday February 25, 2007 @10:07AM (#18142722)
    Originally, in the mid 70s [wikipedia.org], yes, but like all formats around at the time (such as the Philips VCR format), they soon found ways to get a decent number of hours out of a tape. Once past the three hour mark it was probably not such an issue since that was enough for most films. Stacking lots of 30min TV shows on one tape and then trying to find them after was a hassle so I remember we eventually just had lots of tapes and tended to use them on a one tape, one programme basis.
