| Revision as of 06:21, 21 March 2007 edit198.144.202.254 (talk) →System overview← Previous edit | Revision as of 06:25, 21 March 2007 edit undo198.144.202.254 (talk) →Muslix64's exploit and BackupHDDVD / BackupBluRayNext edit → | ||
| Line 31: | Line 31: | ||
| ===Muslix64's exploit and BackupHDDVD / BackupBluRay=== | ===Muslix64's exploit and BackupHDDVD / BackupBluRay=== | ||
| On ] ] a person using the alias "muslix64" a utility named ] and its source code for a working AACS decryptor on the forums. | On ] ] a person using the alias "muslix64" a utility named ] and its source code for a working AACS decryptor on the forums. | ||
| The program is not an exploit or hack per se. Rather it is a tool that can be used to decrypt AACS |
The program is not an exploit or hack per se. Rather it is a tool that can be used to decrypt AACS-encrypted content once one knows the encryption key. As such, it is no surprise or indication of vulnerability that such a program is possible and it can be seen as merely an implementation of the publicly available standard . | ||
| However, Muslix64 claims to have found title keys in main memory while playing HD-DVD disks using a software player, and that finding them is not difficult<ref>{{cite web | date=] | url=http://www.techamok.com/?pid=1849 | title=HD-DVD Content Protection already hacked? | work=] | accessdate=2007-01-02 }}</ref>. Details of how to do this were later revealed<ref>{{cite web | date=] | url=http://forum.doom9.org/showthread.php?t=119871&page=33 | title=How to extract HD-DVD title keys from WinDVD's memory | accessdate=2007-01-19}}</ref>. | However, Muslix64 claims to have found title keys in main memory while playing HD-DVD disks using a software player, and that finding them is not difficult<ref>{{cite web | date=] | url=http://www.techamok.com/?pid=1849 | title=HD-DVD Content Protection already hacked? | work=] | accessdate=2007-01-02 }}</ref>. Details of how to do this were later revealed<ref>{{cite web | date=] | url=http://forum.doom9.org/showthread.php?t=119871&page=33 | title=How to extract HD-DVD title keys from WinDVD's memory | accessdate=2007-01-19}}</ref>. | ||
| Line 38: | Line 38: | ||
| ], developers of ] maintain that their software was not used as part of the exploit. However, it has been claimed that their key is used by ] and later the user "jx6bpm" on 's forums revealed ]'s ]'s key to be 4737676058d7029452514f0ab186dc4cca8c578f. | ], developers of ] maintain that their software was not used as part of the exploit. However, it has been claimed that their key is used by ] and later the user "jx6bpm" on 's forums revealed ]'s ]'s key to be 4737676058d7029452514f0ab186dc4cca8c578f. | ||
| The claimed attack (extraction of the encryption keys from a software player) highlights the inherent weakness of software movie players for the PC platform. The use of encryption doesn't offer any true protection in this scenario since the software player must have the encryption key available somewhere in memory and there's no way to protect against a determined |
The claimed attack (extraction of the encryption keys from a software player) highlights the inherent weakness of software movie players for the PC platform. The use of encryption doesn't offer any true protection in this scenario since the software player must have the encryption key available somewhere in memory and there's no way to protect against a determined PC owner extracting the encryption key. (If everything else fails the user could run the program in a ] making it possible to freeze the program and inspect all memory addresses without the program knowing). Avoiding such attacks would require changes to the PC platform (see ]) or that the content distributors do not permit their content to be played on PCs at all (by not providing the companies making software players with the needed encryption keys). Alternatively, they could use the AACS system's revocation mechanism to revoke a specific software player after it is known to have been compromised. In that case, the compromised keys could still be used to decrypt old titles, but not newer releases as they would be released without the encryption keys for the compromised software players. The latter alternative would result in legitimate users of compromised players being forced to upgrade or replace their player software in order to view new titles. | ||
| On ] ] "LordSloth" on Doom9 discovered how to grab the volume license keys from WinDVD's memory. With that discovery, it became possible to |
On ] ] "LordSloth" on Doom9 discovered how to grab the volume license keys from WinDVD's memory. With that discovery, it became possible to decrypt HD DVDs. Later that day, the first unscrambed HD DVD, '']'', was uploaded on a private torrent tracker. That marked the start of HD DVD piracy. | ||
| On ] ] "muslix64" published the alpha version of ]. | On ] ] "muslix64" published the alpha version of ]. | ||
Revision as of 06:25, 21 March 2007
 | This article documents a current event. Information may change rapidly as the event progresses, and initial news reports may be unreliable. The latest updates to this article may not reflect the most current information. Feel free to improve this article or discuss changes on the talk page, but please note that updates without valid and reliable references will be removed. (Learn how and when to remove this message) |
The Advanced Access Content System (AACS) is a standard for content distribution and digital rights management, intended to allow restricting access to and copying of the next generation of optical discs and DVDs. The specification was publicly released in April 2005 and the standard has been adopted as the access restriction scheme for HD DVD and Blu-ray Disc (BD). The group developing it includes Disney, Intel, Microsoft, Matsushita (Panasonic), Warner Brothers, IBM, Toshiba, and Sony.
Since appearing in devices in 2006, several successful attacks have been made on the format. The first known attack relied on the trusted client problem, and the decryption keys for a volume were able to be extracted from a weakly protected player (WinDVD). A more recent and so far unconfirmed attack claims to have spotted one of the required keys on the disks themselves.
System overview
AACS uses cryptography to control the use of digital media. It encrypts content under one or more title keys using the Advanced Encryption Standard (AES). Title keys are derived from a combination of a media key and several elements, including the volume ID of the media (e.g., a physical serial number embedded on a DVD), and a cryptographic hash of the title usage rules.
The principal difference between AACS and earlier content management systems such as CSS is in the means by which title-specific decryption keys are distributed. Under CSS, all players of a given model are provisioned with the same, shared decryption key. Content is encrypted under the title-specific key, which is itself encrypted under each model's key.
In CSS, each volume contains a collection of several hundred encrypted keys, one for each licensed player model. In principle, this approach allows licensors to "revoke" a given player model (prevent it from playing back future content) by omitting the encryption key corresponding to that model. In practice, however, revoking all players of a particular model is costly, as it causes many users to lose playback capability. Furthermore, the inclusion of a shared key across many players makes key compromise significantly more likely, as was demonstrated by a number of compromises in the mid-1990s.
The approach of AACS provisions each individual player with a unique set of decryption keys which are used in a broadcast encryption scheme. This approach allows licensors to "revoke" individual players, or more specifically, the decryption keys associated with the player. Thus, if a given player's keys are compromised and published, the AACS licensing authority can simply revoke those keys in future content, making the keys/player useless for decrypting new titles. However, if the attacker doesn't publish the compromised player key, the AACS licensing authority doesn't know which key is compromised, and it cannot revoke the key. An attacker can use his/her player key to get title keys of several movies, and publish the title keys or the decrypted movies without risk of revocation of his/her player key.
Security of AACS
You must add a |reason= parameter to this Cleanup template – replace it with {{Cleanup|section|reason=<Fill reason here>}}, or remove the Cleanup template.
Concerns of experts
The proposal was voted one of the technologies most likely to fail by IEEE Spectrum magazine's readers in the January 2005 issue . Concerns about the approach include its similarity to past systems that failed, such as Content Scrambling System (CSS), and the inability to preserve security against attacks that compromise large numbers of players. Jon Lech Johansen ("DVD Jon"), who defeated the original DVD CSS, expected AACS to be cracked by winter 2006/2007 .
In late 2006, security expert Peter Gutmann released A Cost Analysis of Windows Vista Content Protection, a technical paper criticizing the implementation of AACS on Windows Vista.
Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost. These issues affect not only users of Vista but the entire PC industry, since the effects of the protection measures extend to cover all hardware and software that will ever come into contact with Vista, even if it's not used directly with Vista (for example hardware in a Macintosh computer or on a Linux server).
Initial steps
In July 2006, the first steps towards enabling full AACS-encrypted films to be copied were taken. While great care has been taken with AACS to ensure that contents are encrypted right up to the display device, it was discovered that a perfect copy of any still frame from a film could be captured from certain Blu-ray and HD DVD software players made simply by utilizing the Print Screen function of the Windows operating system. It was hypothesized that this approach could be automated to allow a perfect copy of an entire film to be made, in much the same way that DVD films were copied before the advent of DeCSS, but to date no such copy has been discovered, and this exploit has been closed in subsequent software versions.
Such approaches do not constitute compromises of the AACS encryption itself, relying instead on an officially licensed software player to perform the decryption. As such, the output data will not be in the form of the compressed video from the disc, but rather decompressed video.
Muslix64's exploit and BackupHDDVD / BackupBluRay
On December 26 2006 a person using the alias "muslix64" posted a utility named BackupHDDVD and its source code for a working AACS decryptor on the doom9.org forums. The program is not an exploit or hack per se. Rather it is a tool that can be used to decrypt AACS-encrypted content once one knows the encryption key. As such, it is no surprise or indication of vulnerability that such a program is possible and it can be seen as merely an implementation of the publicly available standard AACS Guide. However, Muslix64 claims to have found title keys in main memory while playing HD-DVD disks using a software player, and that finding them is not difficult. Details of how to do this were later revealed.
On January 2 2007 "muslix64" published a new version of his/her program, with volume key support.
Cyberlink, developers of PowerDVD maintain that their software was not used as part of the exploit. However, it has been claimed that their key is used by AnyDVD and later the user "jx6bpm" on doom9.org's forums revealed Cyberlink's PowerDVD's key to be 4737676058d7029452514f0ab186dc4cca8c578f.
The claimed attack (extraction of the encryption keys from a software player) highlights the inherent weakness of software movie players for the PC platform. The use of encryption doesn't offer any true protection in this scenario since the software player must have the encryption key available somewhere in memory and there's no way to protect against a determined PC owner extracting the encryption key. (If everything else fails the user could run the program in a virtual machine making it possible to freeze the program and inspect all memory addresses without the program knowing). Avoiding such attacks would require changes to the PC platform (see Trusted Computing) or that the content distributors do not permit their content to be played on PCs at all (by not providing the companies making software players with the needed encryption keys). Alternatively, they could use the AACS system's revocation mechanism to revoke a specific software player after it is known to have been compromised. In that case, the compromised keys could still be used to decrypt old titles, but not newer releases as they would be released without the encryption keys for the compromised software players. The latter alternative would result in legitimate users of compromised players being forced to upgrade or replace their player software in order to view new titles.
On January 13 2007 "LordSloth" on Doom9 discovered how to grab the volume license keys from WinDVD's memory. With that discovery, it became possible to decrypt HD DVDs. Later that day, the first unscrambed HD DVD, Serenity, was uploaded on a private torrent tracker. That marked the start of HD DVD piracy.
On January 20 2007 "muslix64" published the alpha version of BackupBluRay.
Publishing of Volume Keys
In addition, on January 15 2007 a website launched at HDKeys.com containing a complete database of all known HD DVD volume keys, and a modified version of the BackupHDDVD software allowing for online key retrieval.
On January 26, 2007 the BBC reported "The AACS group has admitted that a hacker had managed to decrypt some discs and other people were now able to make copies of certain titles." In a recent interview muslix64 said the reason he hacked the AACS was he got angry when a HD-DVD he bought wouldn't play on his monitor because it didn't have the compliant connector. He says "Not being able to play a movie that I have paid for, because some executive in Hollywood decided I cannot, made me mad." Muslix64 also said "I'm just an upset customer. My efforts can be called 'fair use enforcement'."
AnyDVD HD
SlySoft have released AnyDVD HD which allows users to watch HD-DVD (and Blu-Ray in the current beta versions) movies on non-HDCP compliant PC hardware. The movies can be decrypted on the fly direct from the HD-DVD or can be copied to harddisk. AnyDVD HD also automatically removes any unwanted logos and trailers. They have stated that AnyDVD HD uses several different mechanisms to disable the encryption, and is not dependent on the use of compromised encryption keys. They have also stated that AACS has even more flaws in its implementation than CSS, rendering it highly vulnerable, but they will release no details for obvious reasons. Users at Doom9 claim that the program makes use of the host certificate of PowerDVD version 6.5, but SlySoft has confirmed that the program would be unaffected by the AACS revocation system.
Processing key retrieval and Arnezami contribution
A person known as Arnezami on the doom9 forums posted a processing key for AACS on 11 February 2007. This key is suitable to decrypt any HD-DVD or BluRay disc published to date. With the help of this key it is possible to generate a VUK (Volume Unique Key) for any disc. However, this requires knowledge of the Volume ID for each particular release.
The Volume ID structure has four fields, one byte which designates the MediaType (always equal to 0x40), one byte which is reserved (always zero so far), an array of 12 bytes (so-called "unique number" assigned by publisher), and two bytes which are reserved (again always zero so far).
At the moment known IDs could be easily guessed or brute-forced. Arnezami found out that the "unique" part of the ID on currently available releases is not randomly generated as it was originally anticipated. Actual values for the "unique" part of a Volume ID (the "unique number" in this structure is 12 bytes long) can be the date/time of release, part of the movie title in plain text (e.g. "SERENITY "), and so on.
Although Arnezami made a great advance, a fully automated solution for decrypting HD-DVD/BluRay is yet to be implemented with this approach. Publishers might introduce randomly generated Volume IDs in future releases (brute-forcing 12 bytes key is practically impossible on current systems). However, due to the specific structure of the volume id it is feasible to do an automated search of such a structure in a software player's memory (even if there are many - possibly thousands - of candidates, it is easy to find the VUK with a brute-force implementation).
Remarkably, Arnezami didn't dissassemble or even debug software player code and used a different technique to the one employed by muslix64. Volume IDs were intercepted by a USB sniffer only and the processing key was found in a memory dump taken at the appropriate moment (after VUK generation, the software player was found to erase the processing key from RAM). This hack was carried out using WinDVD and an XBox 360 HD-DVD drive, connected to a PC using its existing USB connection. This discovery is another major fault in the current AACS implementation (sending the Volume ID unencrypted from an HD-DVD reading device over an unprotected channel to a software player).
Legal agreements
The AACS web site notes that text for Final agreements regarding AACS licensing will be replacing the Interim agreements on January 31 2007. This applies to the Adopter Agreement, Content Participant Agreement, Content Provider Agreement, Reseller agreement.
- "Please note that, in anticipation of the Final AACS Content Participant Agreement being available, this Interim AACS Content Participant Agreement will no longer be available for download or execution after January 31, 2007, and the AACS LA will not accept submissions of this document after that date. Thank you for your understanding as AACS LA progresses toward offering the final license agreements.
Hardware products
AACS is implemented within Plextor's PX-B900A drive. Accompanying the drive is also this notice. It is unclear whether Plextor and/or WinDVD/Ulead software (included with the drive) is initiating and perhaps profiting from this charge, or if this is required by licensing AACS into product capabilities. Some argue it is grossly inappropriate that after you purchase a $900+ piece of hardware, that sometime in the future you would need to purchase a key to play back new Blu-ray Movies. This usage restriction is not indicated on the outside of the container, you must open it in order to discover it.
References
- "HD-DVD Content Protection already hacked?". TechAmok. 2006-12-28. Retrieved 2007-01-02.
{{cite web}}: Check date values in:|date=(help) - "How to extract HD-DVD title keys from WinDVD's memory". 2007-01-13. Retrieved 2007-01-19.
{{cite web}}: Check date values in:|date=(help)
External links
- 9-part interesting read about AACS
- AACS Key Repository
- AACS homepage
- Interview with Muslix64 (Slyck News)
- The Authoritative Blu-ray Disc (BD) FAQ by Hugh Bennett
- The Authoritative HD DVD FAQ by Hugh Bennett
- Some more technical information on the details of AACS by Jeff Lotspiech
- Understanding AACS (including Subset-Difference) - explanation of the various keys used in AACS