First AACS Blu-Ray/HD-DVD Key Revoked 254
Thomas Charron writes "An update posted for Intervideo WinDVD 8 confirms that it's AACS key has been possibly revoked. WinDVD 8 is the software which had its device key compromised, allowing unfettered access to Blu-Ray and HD-DVD content, resulting in HD movies being made available via many torrent sites online. This is possibly the first known key revocation which has taken place, and little is known of the actual process used for key revocation. According to the release, 'Please be aware that failure to apply the update will result in AACS-protected HD DVD and BD playback being disabled,' which pretty much confirms that the key revocation has already taken place for all newly released Blu-Ray and HD-DVD discs."
let's have a vote (Score:3, Informative)
Re:I don't completely get it. (Score:0, Informative)
Supposedly this is a lot easier to deal with on the software end, though.
Re:I don't completely get it. (Score:5, Informative)
This is why HD-DVD and Bluray players require a network jack. It allows for old keys to be removed and new ones to be implemented, among other things.
Re:I don't completely get it. (Score:5, Informative)
Actually:
1. New discs won't play on the players who has had their keys revoked. Just to make that clear, this only has any effect for users of the WinDVD software player.
2. If I remember correctly, the player will keep a version of the revocation keys. So from what I've understood, once you put in a disc which says "Hey, you're supposed to be revoked" that player will stop working until you get an upgrade.
For a software player, this isn't more than what it just said - a required software update. It doesn't get nasty until hardware keys are found...
Re:Network jack?? (Score:4, Informative)
Re:Network jack?? (Score:1, Informative)
Re:Network jack?? (Score:4, Informative)
Of course, this is not the case; there are likely other ways of updating firmware on "real" HD-DVD players, but they're likely to be less transparent to consumers.
Re:It's hard to upgrade hardware (Score:3, Informative)
No, it doesn't. Mathematics isn't nearly that primitive. You absolutely don't have to, nor does AACS store every individual key on a disk. It's called "broadcast encryption" and it existed before AACS. Each player doesn't have a single, globally unique key. It has several keys which, in combination, are globally unique. See: http://web.archive.org/web/20060604054302/http://
Sorry, you know nothing about cryptography. That is, in fact, how AACS works. Your ignorance of it doesn't change reality.
Re:I don't completely get it. (Score:5, Informative)
It's not a myth at all. Try reading section 4.8 of the AACS Introduction and Common Cryptographic Elements [aacsla.com] spec:What this means is that disks are distributed with Host Revocation Lists on them, cryptographically signed by AACS. Whenever a disk is inserted, the drive checks to see if the HRL on the disk is newer than the one it has in nonvolatile memory, and if so, it checks the AACS signature on the new one and stores it in memory. This allows a drive to refuse to talk to a given host software. Likewise there is a drive revocation list that the hosts are supposed to hold which tells them not to talk to certain drive versions, in case an attack is found in some models of drives.
All HD DVD players have a network port (Score:4, Informative)
Blu-ray, however, has networking optional, and most Blu-ray players don't have a port.
Yet another way in which the baseline functionality in HD DVD is much higher than Blu-ray.
Re:I don't completely get it. (Score:3, Informative)
It isn't a myth, but Host Revocation and Drive Revocation are trivial to bypass and are not what is being described in this article.
HRLs and DRLs only serve to stop Hosts (PCs) and drives (HD-DVD or Blu-Ray) from communicating with eachother. For example, if a host's certificate is revoked and the drive knows this, the drive will not read certain bits off of the data medium and pass them along the ATA bus back to the PC. The bits are still on the medium and they are not encrypted or anything like that. The drive will just refuse to read them. This has already been fixed in at least one instance by flashing the drive's firmware. In any case, all one would need to do to get around this for good would be to make an HD-DVD or Blu-Ray drive that just reads the bits off of the medium and passes them back to the host PC just like a CD-ROM or DVD-ROM drive does.
What's being described in this article is that the software player's "device keys" are being revoked. Here is how that works (basically):
Each disc contains video that is encrypted with a master key. Each player contains a set of "device keys". The subset difference tree algorithm (part of the AACS spec) is used to encrypt the master key so that it can only be decrypted by a certain set of device keys. Before WinDVD 8 was revoked, the subset difference tree algorithm was used to encrypt the master key for each disc so that it could be decrypted by any set of device keys. Now, according to the article (or at least the summary), new discs are being produced for which any set of device keys can be used to recover the master key except WinDVD 8's device keys.
So, if you managed to get a copy of WinDVD 8's device keys before today, you were set. You could decrypt, play, and copy any Blu-Ray or HDDVD disc. Now, you can't decrypt, play, or copy new Blu-Ray or HDDVD discs, at least until you get your hands on a new set of device keys...
Note: I have deliberately dumbed down my explanation of the spec for two reasons. First, there are several intermediate keys that are involved in the process. Explaining the function of each and every intermediate key between the device keys and the title key would take a long time and not contribute any real information about the "spirit" of how AACS works. Second, the AACS spec is not fully implemented. According to what I have read, the AACS spec includes the concept of sequence keys that can be used for "forensic" purposes. However, the Sequence Key Blocks required to get any benefit from that part of the spec are not present on current Blu-Ray and HDDVD media.
Re:right of first sale? (Score:3, Informative)
Since you are selling not original - but copy - no way it would classify as "first sale". IOW, private copies are reserved for private use - sale/rent/etc aren't private uses.
P.S. IANAL
Re:I don't completely get it. (Score:4, Informative)
Storing the revocation list like this is likely only useful so that the device can give the user specific instructions to go look for an update, and maybe disable itself even for older discs. Every new disc will still fail to provide a disc key to the player, as the player key will not be included in the tree of allowed ones. You still couldn't play new discs, the best you might do is prevent the player from understanding that it needs an upgrade.
Re:I don't completely get it. (Score:2, Informative)
Updates for hardware players unnecessary (Score:4, Informative)
None of that matters for hardware players, because each individual player can be revoked independently, without affecting the one that came off the line immediately before it, or the one that came right after it. They don't bother issuing unique keyset to each copy of a software player, for obvious reasons, but hardware players all have unique key sets so if the keys in one of them are compromised, and known to be compromised, then that specific player can be revoked so that future disks won't play on it. No updates to other players are required.
What makes this magic possible is a very clever and sophisticated key derivation scheme. Basically, there is an enormous tree of trees of possible keys, and each player is given a carefully-chosen subset of them, which allows that player to derive a large part of the possible keys, but not all of them. To revoke a key essentially just means choosing to encrypt future disks with a key that particular player cannot derive with keys.
The number of key blocks that must be placed on each disk to make this scheme work is linear in the number of revoked players. In fact, it can be shown mathematically that if r players have been revoked, then at most 2r+1 key blocks are required on each disk. Simulations show that assuming a random distribution of revocations, on average only 1.28r blocks are required. Each key block is 16 bytes in length, so they can revoke millions of players without significantly affecting the space available on the disk.