AACS Device Key Found

henrypijames writes "The intense effort by the fair-use community to circumvent AACS (the content protection protocol of HD DVD and Blu-Ray) has produced yet another stunning result: The AACS Device Key of the WinDVD 8 has been found, allowing any movie playable by it to be decrypted. This new discovery by ATARI Vampire of the Doom9 forum is based on the previous research of two other forum members, muslix64 (who found a way to locate the Title Keys of single movies) and arnezami (who extracted the Processing Key of an unspecified software player). AACS certainly seems to be falling apart bit for bit every day now."

Will they actually do it?

[LiquidCoooled]

Will they actually do it?

Will they actually revoke these software players from all new disks?
Its time for them to put their money where their mouth is and actually block access to these broken players.

If they allow it to continue, all their movies will be piratable (insert oh noes! here).

I wonder how pissed off people will be if they can't play their new movies?

Re:Will they actually do it?

[ijakings]

Of course they will. Remember who we are dealing with here. These people take old pensioners and small children to court over the flimsiest of evidence... they dont have much of a Public image left to lose.

Re:

[Sillygates]

They dont care about software players, people those people can always download a new "security fix" and not even know the difference. What we need is to have the keys for the most popular hardware players to be released, after there is widespread adoption.

Fortunately, it's still in infancy :)

[alisson]

I know that personally, I refuse to upgrade anything for Blu-Ray or HD-DVD. Even if it weren't for the content 'protection,' what's the real point? Sure, it's nice to put more per disc for PS3 or XB360, but should that really determine the format of movies, or music? The 'truth' that the xxAAs don't understand is that physical medium are on the way out.

So, of course; don't buy them. Tell your friends not to buy the, and spread the word. If technology was selected based on worth and merit, we'd all have been using beta-max and mini-discs. But consumers don't always go for quality, innovation or convenience. Most often they like whet their friends have, they like what they already have, and sometimes? They just follow the pr0n industry (uh oh, did i just predict the HD-DVD?) THe point being, this one is easy to 'nip in the bud.'

Now, if you were to start a large-scale boycott of xxAA products? That would rock the boat. But I'm not holding my breath for you.

Re:

[dangitman]

So, of course; don't buy them. Tell your friends not to buy the, and spread the word.

But then the Merch will turn into the Flesh Reaper and start collecting torsos!

If technology was selected based on worth and merit, we'd all have been using beta-max and mini-discs. But consumers don't always go for quality, innovation or convenience.

What the hell? Minidisc absolutely sucks. It's not a good example of a quality product.

Now, if you were to start a large-scale boycott of xxAA products? That would rock the boat. But I'm not holding my breath for you.

Sigh. Didn't I already mention the torsos?

Re:Fortunately, it's still in infancy :)

[dangitman]

Well who's torsos are we talking about here? I mean, is it my torso? Or perhaps Condoleeza Rice's torso?

Sooner or later it's going to be your torso, unless you keep buying product. I didn't want to have to do this, but as nobody seems tyo be getting the joke [penny-arcade.com]

Not the same quality as CDs, but certainly good enough for a portable player. They're much smaller than CDs, and don't skip as much.

I guess they aren't the worst format ever invented, but they don't really fit anywhere. They're not quite good enough for professional use, but they were too expensive and user-unfriendly for recreational use. Most people can't stand the interface of minidisc players. Some players made it really hard to work out how to even start a recording.

The other problem was that to get the audio off the device onto your computer, you had to play back the content in real-time. I don't know of anyone who had a minidisc drive in their computer which could read the disc as data. Same for transferring audio from the computer to disc. May as well use a proper DAT tape if you have to do that.

The blank discs were also expensive, and when they did introduce the "Net MD" that could connect to a computer, the Sony software sucked, and it was full of proprietary formats.

Compare to the CD - cheap, ubiquitous, and you can rip or burn an entire CD in minutes - which was standards-compliant and could be used almost anywhere. Plus it has better audio quality.

Of course, as I write this, I'm listening to my iPod, which would answer why MDs didn't take off

Which is why i don't understand why Sony made the MD format. It wasa obvious that hard drives and flash memory was the future - and they introduced a new optical audio disc right at the end of the optical audio disc's popularity and usefulness. Kind of like someone releasing a new line of 5.25" floppy disk drives with improved storage, at the same time as almost everybody had moved to 3.5" floppies.

Why didn't Sony just release their own "iPod" instead? They could have made a "pro" line of HD-based players that had professional quality audio inputs for recording, and a "consumer" line focused on playback, portability and fashion.

Re:Fortunately, it's still in infancy :)

[Fex303]

Which is why i don't understand why Sony made the MD format. It wasa obvious that hard drives and flash memory was the future - and they introduced a new optical audio disc right at the end of the optical audio disc's popularity and usefulness.

The MD format was originally introduced in 1992. USB wasn't released until 1996 and the iPod was still a long way off.

I think that where MD really fell down was that Sony hadn't quite realized that people were ready to start treating their music as a digital resource that could be manipulated by computer. MiniDisc is a format that is based around MD player/recorders functioning as single-use appliances. Most people changed how they thought about music somewhere between 1996-2002, depending on how wired they were. They realized that music formats were digital and that music could be downloaded, stored, and manipulated on computer. MD was a format that didn't allow these functions, and so it was useless. Not a bad format for what it did, but it missed a shift in how people thought about what music did.

As a side note, I think that the same shift is happening with television. It's taken longer to catch on, but now everyone's starting to understand that the episode of Lost they missed doesn't mean they have to beg to borrow a tape off some friend because it's on the internet and can be downloaded if they want to...

Re:Fortunately, it's still in infancy :)

[MP3Chuck]

"Why didn't Sony just release their own "iPod" instead? They could have made a "pro" line of HD-based players that had professional quality audio inputs for recording, and a "consumer" line focused on playback, portability and fashion."

A lot of the time it seems like Sony exists solely to push their proprietary formats ... and a HDD player wouldn't sell their Memory Sticks now would it?

I'm not quite sure what the logic is behind creating their own format for everything (Memory Stick instead of CF or SD, ATRAC instead of MP3 or Vorbis, Blu-Ray instead of HD-DVD)... seems to me that the R&D money could have been spent elsewhere, perhaps on more useful things.

Re:

[Air-conditioned cowh]

Originally, in the mid 70s [wikipedia.org], yes, but like all formats around at the time (such as the Philips VCR format), they soon found ways to get a decent number of hours out of a tape. Once past the three hour mark it was probably not such an issue since that was enough for most films. Stacking lots of 30min TV shows on one tape and then trying to find them after was a hassle so I remember we eventually just had lots of tapes and tended to use them on a one tape, one programme basis.

Re:Will they actually do it?

[MightyMartian]

It's a ludicrous game, and the industry has been told that over and over again by security experts. There is simply no way they're going to come up with a DRM scheme that isn't going to make life miserable for the average consumer, and still won't be cracked by someone with patience and know-how to do it. It's a colossal joke on the entertainment industry. They keep pouring money into this crap, and it just keeps getting flushed down the toilet.

Re:Will they actually do it?

[statusbar]

Of course there are is no technological way that DRM could be 100% effective.

Now we go one baby-step down the path where debugging tools like the ones used by these "hackers","pirates", and "anti-establishmentarians" require a license to own and use, because tools like this can apparently cause more damage to our society than an unlicensed firearm can do in a school...

From The Right To Read [gnu.org]:

Dan had had a classmate in software, Frank Martucci, who had obtained an illicit debugging tool, and used it to skip over the copyright monitor code when reading books. But he had told too many friends about it, and one of them turned him in to the SPA for a reward (students deep in debt were easily tempted into betrayal). In 2047, Frank was in prison, not for pirate reading, but for possessing a debugger.

--jeffk++

Re:

[Usquebaugh]

Where as licensed firearms are ok in school. "Johnny that 9mm better be licensed son or your in real trouble!"

Re:

[TheRaven64]

I was on my school's shooting team here in the UK. We had an armoury on the school grounds, with a load of .22 target rifles and L89s and a couple of LSWs (both SA 80 variants [wikipedia.org]. I used to shoot a couple of times a week. I haven't touched a gun since I went to university though; after a while they just got a bit boring (squeeze trigger, make hole in far-away thing gets old quickly).

It's those pesky users that are the problem.

[Kadin2048]

Simple on a computer today, sure. But if you follow the path laid by DRM and the desires of the studios and media companies, I'm not sure it would be so simple in a decade or so.

First they'll just make precompiled debuggers illegal. And then when that doesn't work, they'll make compilers illegal. And when people go after the hardware, they'll pot the whole motherboard in epoxy, doped with iron filing and wired with self-destruct mechanisms. And only signed code will run as root or system, so even if you do get a compiler, you'll have to somehow forge Microsoft Central Control's signature to run it on the bare metal. Oh, and the whole thing will probably brick itself if it doesn't dial in for re-verification and updates on a weekly basis. Hell -- don't even let the user install any software: if they want something, they can call Microsoft with their MasterCard in hand, pay for it, and it'll get downloaded to their machine overnight.

There's precedent for most of this already; the US government has already mandated that all VCRs look for and cripple themselves if they detect Macrovision signals, so it's really not much of a hop from there to a "full length" mandatory HDCP. Since the only way you can make DRM stick is by not letting the user actually do anything, that's the obvious solution. Just lock them out.

Re:Miserable?

[Anonymous Coward]

My parents bought a DVD with a narrated tour of some ruins they visited on vacation outside the country in order to show their friends. It wasn't region 1, so they couldn't play it. They, like the average non-geek, had no idea about region coding, and of course didn't know that they had to look for a certain "type" of DVD.

When I explained to them why their disc wouldn't play, they were mad. When I gave them a working copy of the disc, they were happy.

Re:Miserable?

[lgw]

Region Coding [arstechnica.com] seems to be the future for HD-DVD, however. Save your current player if you have one.

Re:

[smittyoneeach]

You may have a point. By the time they make the hardware components cheap enough, we can have a small unit that requires only power input to function, and all of this abstract property can remain safely under the control of those with feelings of ownership.
Those who just want to watch/listen/experience can do that.
Those cursed with natural human curiosity can watch the small unit self-destruct when tampered.
But does it sell?

Re:Miserable?

[Perseid]

Good luck playing that DVD overseas. Good luck playing that DVD in Linux. Good luck with your new fancy disks if your player gets revoked. And all of this while the people who really ARE doing things they shouldn't are just double-clicking their unrestricted .avi file.

Re:Miserable?

[dangitman]

But then, I'm not trying to do something with it that I shouldn't,

So, am I not "supposed" to watch my DVDs on my old TV? The macrovision protection makes the picture nearly unwatchable. The TV is very nice, and does the job well. Why should I have to throw away a perfectly good TV and buy a new one just to watch a DVD? It doesn't make any sense - if I have to buy a new TV, that's less money for me to spend on DVDs, so the copy protection would actually reduce their sales.

Likewise, have you never bought a DVD from another country? If you're not supposed to do that, then why can I buy DVDs from another country? Sure, you can get region-free DVD players, but not everybody has one - and with "RCE" protection, some titles won't even work on some region-free players. And region-free players are technically illegal in some places.

I also like to watch movies but some titles won't let me go straight to the movie, and instead force me to sit through unskippable ads and FBI warnings. I even had one disc that I bought, which made me sit through a quite long lecture about the evils of piracy, telling me how people who copy DVDs are funding terrorism and destroying the industry. Ironically, it was quite simple to make a copy of that DVD, with the anti-piracy ad removed. If they didn't have that unskippable propaganda at the beginning. If I ever get another disc with that ad, I'm going to return it as defective. I paid to watch the movie, not to be lectured by propaganda.

Re:

[TheoMurpse]

And region-free players are technically illegal in some places.

At least in the US, they are never illegal to possess. The only illegality involved with region-free players is that the manufacturer of the player signed an agreement to obey region encoding in order to license the technology (MPEG2 decryption probably, plus to use the DVD consortium's trademarks). Thus, manufacturing a regionless player may or may not be illegal. Possessing one is definitely legal in the United States.

Re:

[lgw]

You *do* know you can buy a RF encoder for like $20 and hook your DVD player in through that, right? Not thet you should have to, but things being what they are it might be handy.

Re:Miserable?

[cptgrudge]

But then, I'm not trying to do something with it that I shouldn't, like copying it when the purchase agreement clearly says I'm not suppose to...

What purchase agreement? I agreed to nothing when I bought it. And I'll do whatever the hell I want with the property that I own. Much like I don't use CDs anymore when playing audio content, I don't want to use DVDs when playing movies. So I rip and watch on a HTPC. The process is much more complex than ripping an audio CD, mostly because of the DRM.

The physical media that we buy can become scratched and broken, even when we take care of it. And thanks to the convenient duplicity of ideology that is held by the content companies, we are said to be buying only a license to the content, which happens to have a copy along with it on the media. Good luck getting replacement media so you can exercise that license if a disc happens to get scratched. They want to have their cake and eat it too, so we get, "You should take better care of your discs." and DRM protecting the content.

This is BULLSHIT. There's really no way to get the message across to them, so no more. I won't buy another movie on DRM-protected media. Until they change, or offer a (paid for) download of the video without DRM, I won't be buying another movie. I'll rent from an online source and rip to a media server. Yeah, I'll still watch them and get the content, but I won't purchase the discs anymore.

Illegal? Probably. Unethical? I don't think so, and really, I don't care.

Re:

[cpt kangarooski]

I'm not "miserable" at all...

Well, they do say that ignorance is bliss.

I'm not trying to do something with it that I shouldn't, like copying it when the purchase agreement clearly says I'm not suppose to

There is no purchase agreement, actually. When a DVD has a notice on it to the effect of 'copying this DVD is illegal' that isn't even arguably an attempt at forming a contract, it's just a simplistic and one-sided restatement of the law. Believe me, if they wanted to push a contract on you, you'd know it; l

Solution is easy, pity it's illegal.

[Kadin2048]

Rip the disc, disable Macrovision, and burn it back out to a blank DVD. Problem solved.

You can also get rid of the obnoxious "No UOP" functions, and other garbage. If you're like me, you can just do a title rip, and strip out all the crap besides the movie itself, and pretend you're in a theater. (Well, without the 15 minutes of ads and previews. So basically, not like a theater at all, anymore.)

I used to do this to most of my DVDs, but then I built a MythTV box, and started using its built-in DVD player, w

Re:Will they actually do it?

[rsmith-mac]

Yes, it's only a software player. Intervideo will work on better hiding the device key, and release a patch for all the current WinDVD8 owners whose players won't be able to play future disks. Breaking a major hardware player is a big deal, however breaking a software player is fairly trivial in the long-run as long as it can be upgraded.

Re:Will they actually do it?

[LackThereof]

But any update will only be a temporary fix. ANY software player will have to put their key in memory at some point while it's running, the new key will be found quickly. And the keys for almost all software players will be found.

Assuming they keep their word, and revoke the keys as they're found, software players will become nearly unusable, with patches every few weeks to update the key, attempt to obfuscate it more, and make it usable with new disks again. If they go that route, it's only a matter of time until software HD-DVD/BR players are permanently blacklisted and cease to exist. Consumers won't like that much. We'll see special cables running from new drives to new video cards, because consumers will not put up with a lack of being able to play HD discs on their computers. And the ones that bought software players will be ROYALLY pissed.

If they let it slide, or just sue the people who found the key in the memory dumps, but do not revoke software player keys there's STILL no way to put the cat back in the bag - HDDVD/BR content protection is finished.

Which way will it go?

key in memory - on some PCs yes

[davidwr]

Within 5-10 years, if DRM is still popular, you will need to have a dongle that does the decrypting of DRM'd materials. The dongle, in conjunction with "protection" circuitry in the video and audio channels, will provide a revocable key between the media player and the video output device.

It will work something like this:

There will be two channels of data, one from the media source to the dongle, and one from the dongle to the playback device.

The dongle will decrypt data from the media source, or possibly ordinary RAM. In some cases, will be done with the aid of software tokens purchased from rights owners. In others, it will merely verify region, time-expiration, and other restrictions embedded in the media are complied with. In some cases, part of the key will be downloaded from the Internet in real time, or a time-bombed key will be renewed at regular intervals.

The dongle will re-encrypt the data so the playback hardware can play it, but memory-snoopers can't access it.

The dongle will be a "black box," protected by hardware features and possibly legal protection: "Tamper with this for the purposes of understanding it and go to jail."

The dongles will be handed out like candy for little or not profit, but they will be revoked individually if any one is compromised. People concerned about privacy and tracking implications will trade dongles or simply buy them by the bucketful.

I don't know if these dongles will be USB dongles or if they will be on a faster bus or maybe even connected directly to the video playback circuitry.

Mark this post, it may prove useful in challenging future dongle patents.

Re:key in memory - on some PCs yes

[Anonymous Coward]

In future, patent your idea and give it to the FSF or some other fanatical anti DRM organisation. If you don't have the money to pay for the patent then I will donate (at least a large chunk) of it personally (via the FSF - make your need for money pubic, not what the patent is).

patent and publishing

[davidwr]

What I posted was insufficient for a patent. At least it should be, if the patent examiner isn't one of the BIGNUM% who are asleep at the switch.

However, it was sufficient to show that any such device is "obvious." I literally came up with it on the spur of the moment. Patenting such an obvious patent then donating it to a patent-freedom agency would itself be an abuse of the patent system.

"Finishing" the patent would - or should - require at least one real or paper implementation. Anyone with particular

Re:

[vadim_t]

That wouldn't work either.

At some point in the digital playback device, the data becomes cleartext. Given enough effort, that data could be extracted. Especially if it's a CRT, as AFAIK, the method used by a CRT monitor to drive the CRTs is quite simple. A LCD is probably more complicated, but it'd give you a 100% precise result.

Besides, I am fairly sure that with the right equipment you could do a decent analog recording anyway. Use a big, good quality LCD monitor with a DVI connection, and a camera pointe

Re:

[SteveAyre]

However, if you find a way to claim to the device that you're a legitimate player, then the dongle will be sending you the media stream in a form you can decrypt so it'll be no different to normal really.

As a refinement to the idea, the dongle could send the decrypted video straight to the video card to play on an overlay. That would probably work better since it wouldn't be so easily circumventable.
However even then 1) you could circumvent it using custom hardware snooping the video card's data bus and 2)

Re:key in memory - on some PCs yes

[rtechie]

Within 5-10 years, if DRM is still popular, you will need to have a dongle that does the decrypting of DRM'd materials.

First off, this isn't even remotely new. Dongles for copy protection are as old as the concept of copy protection. AutoCAD used a dongle. I'm sure there are dozens of other examples. But they haven't been widely implemented for the same reason this won't be. Cost.

It's too expensive to ship a sophisticated $20 part with a pressed disc that costs $1 to make and you're selling for $20. Dongles have only really been used in very expensive software packages for this reason.

Also, the whole content industry is moving to a "download over the Internet" model. Bill Gates was right when he said this is likely to be the last physical format war. Any solution that is not software only is a non-starter in this context.

The dongle will decrypt data from the media source, or possibly ordinary RAM. In some cases, will be done with the aid of software tokens purchased from rights owners. In others, it will merely verify region, time-expiration, and other restrictions embedded in the media are complied with. In some cases, part of the key will be downloaded from the Internet in real time, or a time-bombed key will be renewed at regular intervals.

If you're going to require an internet connection, what's the point of the dongle? Just make the user verify the key in real time against the server for every play. This would already have been implemented if they thought users would stand for it. They won't.

The dongle will re-encrypt the data so the playback hardware can play it, but memory-snoopers can't access it.

This makes no sense. The playback hardware presumably doesn't have encryption capability. If it does, and it has the encryption hardware built in, what is the point of the dongle? You're also expecting a DONGLE to decrypt, encrypt, and transfer HD video in full resolution all in real-time. That's a pretty beefy dongle. See above for the cost issues.

I think it's worth expanding on this point. Do you really understand how sophisticated the dongle you're talking about would have to be? It would have to include a CPU, memory, and storage to do the encryption. And how they're totally useless unless you ship a SEPERATE one attached to EACH video you want to play? The keys have to be individual for each "disc" (or instance of video) and ROM-burned, not flashable. The idea of some sort of "dongle vault" or multikey that allows you to used multiple stored keys is fatally flawed for a vast number of reasons. The most basic being that it would make hacking the dongles extremely attractive.

Now if you're thinking of "embedding" this dongle into the computer itself, it's been done. This is the whole concept of the TPM chip and concerns about it being used for DRM. This solution is also not feasible for any number of reasons.

I don't know if these dongles will be USB dongles

No, it will have to be a proprietary interface. USB is too easy to sniff.

maybe even connected directly to the video playback circuitry.

So users are going to have to crack their case open every time they want to play a video? I think not.

Mark this post, it may prove useful in challenging future dongle patents.

None of this is either novel or practical.

Re:

[Goaway]

But any update will only be a temporary fix. ANY software player will have to put their key in memory at some point while it's running, the new key will be found quickly. And the keys for almost all software players will be found.

The key will have to be in memory, but there is no reason for it to be unobfuscated. Any kind of simple obfuscation will stop the kind of attack used here. Sure, somebody can start reverse engineering the code to work out the obfuscation, but that takes a lot more skill and time th

Re:

[gormanly]

Except, of course, for Windows Media Player which already has (i) patches every few weeks or months anyway (and so its mean time between patches << the probable mean interval between key revocation and 99.99% of customers purchase of a new disc); and (ii) a mechanism for patch delivery that most users are already using and comfortable with.

I'm sure Microsoft would be very upset if 99.99% of the population's perceptions were that every other software movie disc player had issues playing some, mostly n

Re:

[vivaoporto]

Reverse engineering the eventual patch would be even easier than finding the key as they did, as all they would need to do is to look for the new key in the patch on in the relevant changed parts of the updated binaries.

Re:

[Goaway]

Breaking a major hardware player is a big deal

Nope. Hardware players can be individually revoked.

Re:Will they actually do it?

[Mad Marlin]

Someone needs to find the key for the PlayStation 3. That will really twist Sony's panties in a knot. Must protect BluRay ... Must protect PlayStation 3 ...

Re:

[Wesley Felter]

As the parent said, there is no such thing as THE key for the PS3. Each individual PS3 unit has a different key. Revoking one particular PS3 won't cause any collateral damage, so there's nothing stopping Sony from doing it.

Re:

[vadim_t]

IIRC, there's a key per player model, maybe at best per manufacturing run, not per player instance.

Making a key per player copy is infeasible. How would you do that? Basically, every disk would need to have the data encrypted with each player's key. That number would be in the millions.

Re:Will they actually do it?

[swillden]

Making a key per player copy is infeasible. How would you do that? Basically, every disk would need to have the data encrypted with each player's key. That number would be in the millions.

It's not only feasible, it's exactly what AACS does. Each player has about 500 keys from which it can derive billions more, all structured so that a disk only needs a small number of media keys encrypted with "processing" keys, which the players can derive from the device keys they have. The number of copies of the media key that must be present on each disk is guaranteed to be no more than 2r, where r is the number of individual players that have been revoked. On average, only 1.25r media keys are required.

Though the application is evil, the "subset-difference tree" concept used to make all this work is a very cool bit of math.

Re:

[swillden]

How large can r get before there's some serious performance issues (either filling up the disc or requiring a long boot-up time)?

Each copy of the media key consumes 32 bytes. 16 bytes for a descriptor and 16 bytes for the encrypted key. So, on average, the publishers have to use another 40 bytes of disk space per player key published. Given that single-layer HD-DVDs hold 15,000,000,000 bytes, they have plenty of space to handle any conceivable number of revoked players.

I went through some numbers in this comment [slashdot.org]

As for startup time, the process of comparing each descriptor in the MKB to the device's own "key path" is quite ef

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Kadin2048]

Each individual PS3 unit has a different key.

This is not the case. The media key block on the HD discs contains the media key, encrypted with several hundred device keys. There's not nearly enough room in the key block to have an individual key for each player produced, it's just enough for each model, or perhaps each hardware revision / production run of each model.

There are a finite number of keys on each disc. The way keys are "revoked" is by simply not using that key on any new disc pressings. A disc ma

Re:

[Jah-Wren Ryel]

There are a finite number of keys on each disc. The way keys are "revoked" is by simply not using that key on any new disc pressings. A disc made (prior to) today, on which the key block contains a compromised key, have been well and truly cracked.

It is actually more sophisticated than that, relying on each individual unit having a certain set of 512 keys out of a billion or so, and then providing only enabling a subset of possible keys on each disc in the MKB. The trick is once they know the specific unit

Re:

[ankarbass]

You first have to find someone who bought a playstation 3.

Re:

[Schraegstrichpunkt]

Hardware players individually, or entire models of hardware players?

Re:

[SteveAyre]

And that leaves the consumer where? A software player can be easily patched using the net in seconds, which almost everyone has now. A hardware player will need servicing or replacing.

Given the cheap price, I imagine most people would not bother and would just buy another. Of a different make, since it would damage that manufacturer's reputation. They probably wouldn't even know that it would need updating since while their new DVD won't play their old ones would still work.

Re:

[Above]

I believe your comment is only playing the probabilities. If one software player is broken they may well revoke the key and make that player upgrade. However, if the set of players making up 95% of the software player market are all broken on a monthly basis it will become increasinly costly and inconvenient to have them all revoked each month. Are there any limits on the size of the revokation list? If it got too long, would that break the hardware players?

While breaking one or more hardware players ma

Re:Will they actually do it?

[swillden]

Breaking a major hardware player is a big deal, however breaking a software player is fairly trivial in the long-run as long as it can be upgraded.

Breaking a single hardware device won't be a big deal, either, since the key revocation scheme allows that single player to be revoked (not the brand, not the model, not even the factory batch -- that single, specific physical player). What would be big would be finding a way to easily extract the keys from a model, or, even better, a whole class of players. Then, the hackers could just do a player every few weeks, and the worst case for those of us who like to back up the movies we buy is that we'd have to wait a few weeks after the release before we could back it up.

The way AACS key revocation works is that there is a massive binary tree of binary trees of possible encryption keys. The "main" tree is 31 levels deep (allowing for 2^31 possible player devices) and each node has a number of "shadow" trees associated with it (specifically, nodes in layer n of the main tree have n-1 shadow trees). Each player is given a carefully selected and unique set of ~500 keys, from which it can derive an enormous number of keys -- almost every key in that big tree of trees, in fact.

The "almost" in the last sentence is important.

Assuming no players are revoked, each disk needs only have few copies of the media key[1], each encrypted with a "processing" high up in the tree. All players have keys needed to derive[2] these processing keys. When a player is revoked, the publishers carefully select a set of processing keys to use so that every player *except* the revoked player can derive the processing keys. There's a fairly simple algorithm to select such a set of keys, and the structure of the trees ensures that for any set R of revoked players, no more than 2|R| processing keys need to be used (|R| means "size of R", in case that's not obvious).

Each encrypted copy of the media key consumes 32 bytes of disk space, so, assuming a million players have been broken and revoked, each new disk will "waste" 32 MB on encrypted media keys. Given the capacity of HD-DVD and Blu-Ray disks, 32MB is a pittance, so it really is practical for publishers to revoke every key that is extracted and published -- the hard part will be finding them all.

ANY software player will have to put their key in memory at some point while it's running, the new key will be found quickly. And the keys for almost all software players will be found.

Yep, that's a seriously hard problem to solve -- especially when you consider that time and manpower are 100% on the side of the attackers. The attackers have a disadvantage in that they have to work with binary-only code, but if this goes on for long enough, I'll bet the major software players will be so thoroughly reverse engineered that this will cease to be a very meaningful disadvantage.

Large-scale DRM simply cannot work. If you give the devices to enough interested and technically skilled people, they will be broken again, and again, and again.

And, of course, if publishers *did* somehow manage to get ahead of this game, it would just mean that the hackers would keep the keys to themselves, publishing them only to small groups of trusted friends -- all of whom would be ripping movies like mad and making torrents available so that everyone else can get them.

[1] The Media Key is used to encrypt the title keys, which are used to encrypt the titles. There are generally multiple titles per disk -- usually one for the main feature, and others for each of the extras, some for bits of the animated menus, etc. I've been puzzling over exactly how many copies of the media key are required in the no-devices-revoked case, and I haven't been able to figure it out yet. An answer and explanation from someone who understands this stuff well would be appreciated.

[2] The keys given to the players are called "device keys". The players l

Re:Will they actually do it?

[swillden]

Each encrypted copy of the media key consumes 32 bytes of disk space, so, assuming a million players have been broken and revoked, each new disk will "waste" 32 MB on encrypted media keys.

Correction -- If a million players are revoked, up to *two* million copies of the media key will be required, consuming 64MB of space on each disk. However, that's only if the million broken devices are selected so that revocation is maximally inefficient. If they're selected at random, on average only ~1.25M MKB entries are required, so only 40MB of the disk must be used for MKB entries. That's 0.2% of a single-layer HD-DVD and 0.08% of a dual-layer Blu-Ray. Or, it's about 20 seconds of HD video, assuming that a single-layer HD-DVD will hold two hours. If a dual layer Blu-Ray disk contained video encoded at such a high bit rate that it would only hold two hours, the MKB block would eat up space equivalent to six seconds of video -- and that's with a *million* revoked keys).

In practice, of course, the time unavailable for video will bever be a problem. If the movie and the MKB can't both fit, you just tweak the encoding to drop the average bitrate by a 10-20 kbps. When you're encoding normally at 8,000-20,000 kbps no one will be able to see the reduced quality. Also, even regular DVDs are rarely within 100MB of being full. There's plenty of room available for "large" MKBs.

Go to plan B

[TapeCutter]

I think the time has come for to give up on encryption and move to plan B, and no they don't mean plan A + panic, they mean they will be forced to randomly post armed gaurds on customers DVD player's.

Sure it will be somewhat inconvienient and more expensive for customers, but that's the price they are choosing to pay when they turn a blind eye to piracy.

Re:Go to plan B

[TapeCutter]

I was aiming at humour but somehow I hit insightfull?

Re:

[kimvette]

All it takes is a few cycles of this cat-and-mouse game, and the media companies will finally realize that DRM is only wasting THEIR money in terms of licensing the broken encryption technology, the retarded (as in slow) uptake of HD-DVD and Blu-Ray, and decreased sales overall while they're trying to make their customers pay per play, or at least play per player.

Eventually they will come to their senses and ship the content DRM-free. Didn't one of the Harry Potter movies ship DRM-free (no CSS) and still se

Re:

[Wesley Felter]

if the attacker doesn't publish the compromised player key, the AACS licensing authority doesn't know which key is compromised, and it can not revoke it.

That only applies if there are many keys, which there aren't. Hackers only reverse-engineer software players, and there are only two software players. Worst-case, AACS LA could just revoke both.

Also, cracking DRM is all about revealing secrets; how could you expect the hackers to agree to some kind of "code of silence" when it comes to their work?

Re:

[Schraegstrichpunkt]

Also, cracking DRM is all about revealing secrets; how could you expect the hackers to agree to some kind of "code of silence" when it comes to their work?

The academics won't, but the tradespeople will.

Introduction of hardware DRM

[gilesjuk]

I'm sure all this cracking of DRM by snooping memory will result in hardware protection being rolled out. Of course it woud need to be in the chipset and CPU.

Of course such restrictions would make debugging your own programs harder if it was always on.

Re:Introduction of hardware DRM

[necro2607]

"I'm sure all this cracking of DRM by snooping memory will result in hardware protection being rolled out. Of course it woud need to be in the chipset and CPU."

This is crackable anyways. The original Xbox was cracked by someone building their own data sniffer hardware installed on the system bus. No kidding. People will go to pretty much any length, including hardware modification, to break out of constricting usage limitations (aka DRM)...

what about memory encryption?

[vlad_petric]

The CPU can encrypt memory transactions on the bus. There are several research proposals that address this issue, btw (e.g. Xom [stanford.edu]). My point - they can continue the arms race as well.

Re:

[Helvick]

A well designed hardware cryptographic solution presents an extremely hard barrier if implemented well. The original X-Box failed because short cuts were taken in the architecture and keys were transmitted across a high speed bus but the same does not apply to the X-Box 360. It has thus far resisted all of the attempts to circumvent it, the minor hacks achieved to date have done little to break down the core security of that system despite significant efforts on the part of the X-Box hacking\mod community.

Re:

[Kjella]

It's not just Microsoft that's been pushing TCPA. There are a lot of companies involved with real experience making secure systems for the military and such. When they have all the pieces connected together, the bus will be encypted. The memory will be encrypted just like the hard disk, even if you try to use special double-access memory chips. The TCPA chip will be integrated into the southbridge (Intel 2008) and you have nothing going in the clear on the bus, it'll probably move to the processor so it'll

Wrong verb tense!

[mrchaotica]

What do you mean, "will result?" It already has resulted in hardware DRM -- if you have Vista and a machine with a TPM, it's already there!

Re:Wrong verb tense!

[swillden]

What do you mean, "will result?" It already has resulted in hardware DRM -- if you have Vista and a machine with a TPM, it's already there!

No, actually, it isn't. While the TPM could be used to "seal" the HD-DVD/Blu-Ray player device keys to a given boot state, the decryption of the disk contents would still have to be done using the main processor (TPMs don't do bulk decryption, don't know anything about AACS, and aren't programmable to teach them how to do the AACS key derivation/decryption scheme).

Also, I don't know that Vista is really TPM-aware.

In the near future, it may become the case that if you have (a) Vista + some service pack, (b) a TPM and (c) a processor with hardware virtualization support (Intel VT/AMD-V), then your HD-DVD/Blu-Ray player may run on a separate virtual machine which your main OS has no access to and which you therefore cannot debug, and the TPM may be used to seal the device keys to the particular software in that VM, so that no other piece of software has any reasonable hope of retrieving them.

Collectively, BTW, (a), (b) and (c) above are known as Palladium, aka NGSCB.

Personally, I think it's more likely that your video card may gain an AACS subsystem, so your PC would feed the data stream from the disk to your video card, which will decrypt the data and display it. The video card would then have to have a way to securely transfer the audio stream to your sound card. Or maybe your sound and video card will negotiate secure data connections to your HD-DVD-ROM drive and the drive would do the AACS stuff and feed it securely to your output devices, so that your main processor never gets to see an unencrypted copy.

There are ways to make software players more secure, but a TPM alone is insufficient, unless the OS is airtight, unhackable/modifiable even by the administrator. Given Microsoft's track record with making an OS unhackable by random people around the world with no privileges on the box at all, I don't think that's going to happen.

Re:

[Lumpy]

Problem is they now know a lot more information about the keys. Now you go and grab some firmware images of the popular Panasonic and Pioneer BluRay or HD-DVD players and start digging.

crack some device keys and that will toss monkey fecies in the face of every MPAA executive pretty hard. They dont DARE revoke any keys from the expensive hardware. Pissing off your early adopters, specifically the rich ones will guarentee doom.

selling a secret to consumers...

[LackThereof]

This was only a matter of time.

You can't sell a product with a "secret" key inside it to tech-savvy consumers and expect it to remain secret for any extended period of time.

It just won't work. It's time for this incovenience to end (not that it will).

Okay that does it

[Anonymous Coward]

Would someone PLEASE explain once and for all how AACS works? How is this any different from the previously found keys?

How many keys are there? Why aren't there just one? What's the difference? IS there any difference?

Is this better than the last key uncovered? Are there more keys to uncover?

What is the final ACCS "key"? How many levels are there?

I'm not being ignorant, I'm just confused, and I'm sure I'm not alone.

Thank you.

Re:Okay that does it

[guruevi]

http://forum.doom9.org/showthread.php?t=122363 [doom9.org]

Re:

[Anonymous Coward]

AFAIK, it goes as follows:

Each player (software or hardware) has a key, or actually a tree of keys. Some ingenious trickery is being used so that each player can have its own key, but that isn't done on software players (because it would be a pain to enforce it so each downloader gets a different key).

The disc contains title keys for various player keys. When the player wants to play a disc, it takes its player key, decrypts the disc's title key with it, and decrypts the content with the title key.

Now, two

Re:Okay that does it

[flooey]

How many keys are there? Why aren't there just one? What's the difference? IS there any difference?

AACS uses a bunch of different keys in a hierarchical structure. Gradually, the cracks have been revealing keys higher and higher up the food chain. As I understand it, this is a bottom-up description of AACS's key structure:

At the lowest level, every piece of content is encrypted with a Title Key, which is unique to at least an individual title, possibly a particular printing of the title. The original cracks revealed the Title Keys for individual titles one at a time. These can be used to decrypt the content, but don't break the scheme, just the encryption on an individual piece of content.

The Title Key is stored on the actual media, encrypted by the Volume Unique Key, which is unique to a given title.

The Volume Unique Key is the result of a keyed hash of the Volume ID (stored on the media) and a Media Key, which is unique per title.

The Media Key used is generated by combining the Media Key Block (stored on the media) with a key unique to the decrypting device. Each device has a different key, but generates the same Media Key.

I'm not entirely sure why so many keys are used, but that's basically how the scheme works. Previous cracks were based on revealing keys that were title-specific. This one has revealed a device-specific key, which means that until the key is revoked, which would cause all future discs to no longer play on that particular player, any piece of content can be completely decrypted.

Re:

[Kjella]

This key doesn't really add anything to what's already done. They could already decrypt every movie by simply sticking it in the player and extracting the key, all this does is make it possible to make a standalone tool to decrypt discs (until they revoke this key, anyway). But if you don't mind breaking the DMCA in the first place, how many would have moral problems getting a copy of WinDVD to extract the key anyway? This really is non-news.

Re:Okay that does it

[flooey]

This key doesn't really add anything to what's already done. They could already decrypt every movie by simply sticking it in the player and extracting the key, all this does is make it possible to make a standalone tool to decrypt discs (until they revoke this key, anyway). But if you don't mind breaking the DMCA in the first place, how many would have moral problems getting a copy of WinDVD to extract the key anyway? This really is non-news.

It's more news in that it could make HD content decryption as universally accessible as DVD decryption currently is. A lot of people might want to extract their HD content but not have the know-how or motivation to do anything beyond "download this program, hit start", though it's less news since I've heard there are already programs that will do that using a list of title keys that's periodically updated over the Internet.

Re:

[swillden]

Each device has a different key, but generates the same Media Key.

As I've mentioned in another post, each device has a whole bunch of keys, which can be used to derive any one of a few billion processing keys. Those processing keys are what are actually used to encrypt the media keys. Device revocation is done by choosing a set of processing keys which are not derivable by any of the revoked devices.

Re:Okay that does it

[RealSurreal]

"What is the final ACCS "key"? How many levels are there?"

It seems to go on and on forever. But then you get to the end and a gorilla starts throwing barrels at you.

I don't know what is the idea behind this

[vivaoporto]

If the idea is to "stick to the man", they are doing the right thing disclosing what is the player in question. But if the idea is to actually use they key, they should keep them in the dark and not to specify what player got corrupted, so the keymakers cannot revoke the key.

Re:

[DrKyle]

If any exploit becomes used, won't it be fairly obvious to find what key is being used and then look it up in the big list of player keys to figure out which one it came from?

Re:The "Man" is me.

[Catbeller]

You're not owed a damned thing. We own the discs. We'll reverse engineer them. This is the way the universe works. You don't get a say in what we do with things that we buy. Your connection to my home is not welcome.

And I believe player pianos were supposed to break musical profits. and TV was supposed to break movies' business model. and cassettes were supposed to destroy record companies. And Valenti compared VCRs to the Boston Strangler. And music and movie downloads are supposed to break the RIAA and MPAA members. Both outfits are making more money today than they did last year, and the year before.

You are wrong. And you've bought laws to invade our lives and put grandmothers in prison. The least we can do is break your balls, over and over and over.

and please, do, go out of business.

This is great news

[(H)elix1]

I've got one of those 30" dell monitors. Problem is it does not have the fancy encrypted link, so 'useless' as a blueray/hd-dvd monitor. With this stuff getting cracked, I am looking forward to VLC playing not only my stack of DVD and whatever the next generation of movies I end up buying and re-encoding.

One thing's for sure...

[reacocard]

...DRM just ain't all its cracked up to be.

Holy Neverwinternight...

[__aaclcg7560]

Atari must be doing really bad after releasing NWN2 to start hacking DRM keys.

Ugh

[Quantam]

I don't think this is as good as you think it is. I'm all for breaking DRM (and was extremely pleased when they broke the AACS process key), but I think releasing a player key was a BAD idea. I'm betting the MPAA's logic in regards to this will look like one of these two:

- WinDVD is not handling its device key in a secure manner
- WinDVD cannot be trusted
- WinDVD won't be getting another player key

Or even worse:

- WinDVD did its best to protect its device key
- It's impossible to protect a device key in a program that people can reverse-engineer [true]
- We'd better not allow any software to read AACS-protected content

Although this may all be moot anyway, as they can extract future process keys with relatively little effort (though it'll be a lot more effort if hackers have to break hardware systems instead of software).

Re:

[hugzz]

In a small, backwards and somewhat "revolutionary" feeling way, it's a good thing. If they break the DRM and force bluray/dvd to change the keys or ban the players, then the users will be inconvenienced. Although this should be a bad thing, it at least leads to the chance that consumers will rebel against DRM and DRM-free media will gain popularity

Re:

[Lumpy]

though it'll be a lot more effort if hackers have to break hardware systems instead of softwarethough it'll be a lot more effort if hackers have to break hardware systems instead of software

here is a little secret for you. Hardware players do not exist. every HD-DVD player and Blu Ray Player is a software player. and hacking those is not any harder, just requires different tools they have to be built or bought instead of warezed off of a bittorrent site.

DRM is provably insecure

[this great guy]

Revocation, obfuscation, TPM chips, hardware tricks ? Whatever, DRM is provably insecure.

Care to show a proof?

[vlad_petric]

I mean, a formal proof. You're making a pretty broad statement, after all. The fact that some DRMs were cracked doesn't necessarily mean that all of them are inherently crackable.

Re:

[jZnat]

Not in formal proof notation, but:

Encryption is used so that A can send a message to B in such a way that C cannot intercept and read what the message is. DRM sets B := C, thus defeating the purpose of encryption. It is therefore a logical impossibility.

Re:

[grammar fascist]

I mean, a formal proof. You're making a pretty broad statement, after all. The fact that some DRMs were cracked doesn't necessarily mean that all of them are inherently crackable.

At some point between the information and your eyes and ears, the information must be in "plaintext." (Otherwise you can't see it or hear it.) At that very point, the information stream can be intercepted and stored. This is true even if we have jacks in the backs of our heads to accept personal AV signals.

Here's another way to loo

Re:

[vlad_petric]

Well, the problem with the "plaintext" (i.e., photons traveling to your retina) is that recording it at that stage degrades its quality significantly (at least with today's recording technology). It's a bit better with sound, but some audiophiles would complain about that as well.

Re:

[this great guy]

Of course there is a formal proof, just ask any cryptographer or cryptanalyst. A basic sketch of it is that DRM makes use of conventional cryptography. However conventional cryptography has never been designed to prevent attacks in a threat model where the attacker has illimited physical access to the device performing the decryption operation.

Re:DRM is provably insecure

[SharpFang]

The problem with DRM is that no matter how poor it is, DMCA makes cracking it illegal. So if they included a single-byte XOR encryption with key written on the back wall of the device, still decrypting it is illegal, and that's enough for them.

fair-use community?

[XO]

While I don't at all agree with the insane forms of protection that the companies are putting on the media, Slashdot is definitely showing an editorial bias... "fair-use community"? No such thing. It's either hackers who are doing it to do it, or it's pirates.

Re:

[RealSurreal]

Or it's people who expect to be able to exercise their fair-use rights getting together and forming some kind of, you know, community in order to achieve that.

All your problems solved

[ElDuque]

I recommend books.

Glad it is broken

[flyingfsck]

For only M$5, I'll invent them a new one.

Of course

[JustNiz]

...there will now shortly be a new media format announced that supercedes blu-ray and HD-DVD.

Now that picture and audio quality is already better than humans can perceive, I wonder what new marketing bullshit feature they'll come up with this time to persuade the public they really need spend thousands more on yet newer hardware just because it has even more restrictive DRM and no bacwkard-compatability.

Look out for super ultra mega HD resolution media and players with 12.1 audio and smellyvision coming to your local store soon!

Re:All your video are belong to us

[sokoban]

Narrator: In A.D. 2007, war was beginning.

        MPAA: What happen ?
        RIAA: Somebody set up us the bomb.
        RIAA: We get signal.
        MPAA: What !
        RIAA: Main screen turn on.
        MPAA: It's you !!
        J.Q. Public: How are you gentlemen !!
        J.Q. Public: All your video are belong to us.
        J.Q. Public: Your revenue stream are on the way to destruction.
        MPAA: What you say !!
        J.Q. Public: Your business model have no chance to survive make your time.
        J.Q. Public: Ha Ha Ha Ha ....
        RIAA: MPAA !! *
        MPAA: Take off every 'Lawyer' !!
        MPAA: You know what you doing.
        MPAA: Move 'Lawyer'.
        MPAA: For great injustice.

Re:The hackers are moving too early...

[ScrewMaster]

That's a good point ... of course, if you make modifications of sufficient magnitude to frustrate existing decryption tools, odds are you just created a whole new set of security holes. Those will also be found. Also, like CSS before it, the technology will have to be implemented by every video hardware and software maker on the planet (well, in China anyway) and sooner or later the details will get out. Furthermore, if (and it's currently a big "if" given the childlike manner this whole media war is being played out by the likes of Sony, Microsoft and the rest) either HD-DVD or Blu-Ray actually does take off and manage to replace the DVD, they'll find themselves in the same situation they were in with CSS. Not that it matters: as the MPAA has admitted the goal is to keep the bar high enough that the vast majority of consumers have no way to bypass the DRM. There's a certain acceptance by these people that there will always be a some degree of infringement going on, they just don't want it too widespread.

Ultimately, the only real way to protect content is going to have remote-controlled content-monitoring LCD shutters surgically implanted in everyone's eyes as soon as they are old enough to enjoy TV (and these creeps would do just that if they could get away with it.) Anything else will be circumvented sooner or later, which they know perfectly well. It's also why the content companies are pushing so damned hard to export US/EU-style IP law around the world and have copyright infringement treated as a heinous crime akin to murder. Once the cops (everywhere) are accustomed to treating copyright infringers as serious criminals, the MPAA and their ilk are hoping and praying that people won't do it anymore.

I think they will be disappointed. I hope they will. There aren't enough jails to hold everyone that ever violated a copyright, or exercised fair-use rights in countries that support them.

Re:

[beelsebob]

1) This is a method of cracking what was supposed to be one of the best encryption algorithms there is out there - it doesn't matter if it's a simple hack, it's still impressive.

2) So they key gets revoked -- now that they've got the software key for one player they can start getting the disk keys for a lot of disks, based on that they can then use these known keys to get back to the software keys of a *lot* of players.

3a) Apparently it does - that's 3 seperate people now working on cracking this one, and

Re:

[Creepy Crawler]

AZPR and Advanced Disc Catalog.

Both use IDEA-encrypted data segments and extensive checking that munges data structures.

No-go protections are easy. Just JMP past them. Data corruption techniques are the nastiest to crack, if you can understand the format..

Re:

[Wesley Felter]

Except these people aren't cracking AACS for your benefit. They're either doing it so they can watch movies or for publicity; in either case they have no incentive to wait.

Not if you're trying to prove a point ...

[Schraegstrichpunkt]

If you're trying to demonstrate that DRM is futile waste of energy, it's in your best interests to release as early as possible.

Releasing an exploit a couple of years after the technology is first released gives people the impression that the DRM was "good" for those two years. On the other hand, releasing the exploit a week later drives home the point that the copy-protection racket is selling nothing but snake oil.

Re:Fair-use community?

[damiangerous]

Ok, I'm by a DVD player. What are you all doing?