AACS, BD+, AND THE LIMITS OF DRM J. Alex Halderman Princeton → UMich.


1 AACS, BD+, AND THE LIMITS OF DRM J. Alex Halderman Princeton → UMich.

2 DRM for HD Video Discs AACS BD+ AACS

3 A Case Study
Why study AACS and BD+?
- What is the state of the art in deployed DRM?
- How do DRM systems fail in practice?
- Do real-world constraints differ from our models?
- Is research addressing the right problems?
A work in progress…

4 In This Talk
1. AACS design
2. How AACS was initially broken
3. Why circumvention went commercial
4. BD+ design and hacks
5. Evaluation: Limits of DRM?

5 Content Scrambling System (CSS)
DRM for traditional DVDs
1996
- Toshiba and Matsushita
- Secret design – security by obscurity
- Severely gate-limited
- Home-brew 40-bit cipher, based on LFSR
- Each player-maker assigned one of 409 player keys
- Each disc contains title key encrypted with each valid player key
- Can revoke any player key if compromised

6 Attacks on CSS
1999
Algorithms reverse engineered from player apps
- Motivation is can’t play DVDs under Linux
- DeCSS: open source app decrypts video given disc key
Cryptanalysis (Frank A. Stevenson, et al.)
- Recover player keys w/ known plaintext: 2^16
- Recover disc key without plaintext: 2^25
Complete failure
- Every player key posted online within days
- Attempts to legally suppress DeCSS unsuccessful
- Can strip DRM from all DVDs forever with no additional hacking

7 Advanced Access Control System (AACS)
DRM for next-gen video discs (HD DVD and Blu-Ray)
2005
Major improvements:
- Open design process, published specs, real cryptographers
- Uses standard ciphers — AES
- Fine-grained player key revocation employing NNL subset-difference method (can efficiently target individual devices)
- Traitor tracing to identify compromised players
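
To make the "fine-grained revocation" point on slide 7 concrete, here is an added sketch (not from the slides or the AACS specification) of how a subset-difference cover is computed: given the revoked devices, it returns the few subsets whose keys must appear in a disc's key block. The tree size, the heap node numbering and the function names are assumptions of the sketch, and it covers only the set cover, not key derivation.

```python
# Toy subset-difference (SD) cover over a complete binary tree (constructed
# example). Assumed numbering: root = 1, children of v are 2v and 2v+1, and
# the N devices are the leaves N .. 2N-1.

def sd_cover(n_devices, revoked):
    """Return (i, j) pairs; (i, j) means 'every device under node i except
    those under node j'. (1, None) means every device.
    n_devices must be a power of two."""
    revoked = set(revoked)
    cover = []

    def collapse(v):
        # Node standing for the revoked leaves under v, or None if no
        # device under v is revoked.
        if v >= n_devices:                      # v is a leaf (a device)
            return v if v in revoked else None
        left, right = collapse(2 * v), collapse(2 * v + 1)
        if left is None or right is None:       # at most one side is tainted
            return left if right is None else right
        # Both sides hold revoked devices: cover each side minus its
        # representative, then treat v itself as fully handled.
        if left != 2 * v:
            cover.append((2 * v, left))
        if right != 2 * v + 1:
            cover.append((2 * v + 1, right))
        return v

    top = collapse(1)
    if top is None:
        cover.append((1, None))
    elif top != 1:
        cover.append((1, top))
    return cover

def leaves_under(v, n_devices):
    """All device (leaf) numbers in the subtree rooted at v."""
    lo = hi = v
    while lo < n_devices:
        lo, hi = 2 * lo, 2 * hi + 1
    return set(range(lo, hi + 1))

def devices_served(cover, n_devices):
    """Expand a cover into the set of devices that can still decrypt."""
    served = set()
    for i, j in cover:
        excluded = leaves_under(j, n_devices) if j is not None else set()
        served |= leaves_under(i, n_devices) - excluded
    return served
```

With r revoked devices the cover never exceeds 2r - 1 subsets, regardless of how many devices exist, which is what lets a key block exclude individual devices; under CSS (slide 5) the only unit that could be revoked was one of the 409 player keys.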

8 AACS Overview

9 Initial AACS Attacks
- December 26, 2006: muslix64 posts decryption code to Doom9 forum
  - Implemented based on published specs
  - Doesn’t include any keys, but author claims to have found title/volume keys in memory of a software player
  - Motivation is can’t play movies on non-HDCP monitor

10 Initial AACS Attacks
- December 26, 2006: muslix64 posts decryption code to Doom9 forum
- January 12, 2007: first title key posted online, in the form of a riddle
2/Reavers are bad mmmmkay...Google 4TW! Mark Twain Intermediate School Restaurant & Lounge Cent Celtic Designs Dover Pictorial Science Online Special Feature Link Building Strategies Starlifter Solar periodicity Dawson's Creek Music Guide Decisions Duncan's F ways to market your small or solo business WBFF Olivia Quinn Food Stamp Leaver Dalmations CITI FM Skippyslist 239 -> EF 33 -> 21 50 -> 32 159 -> 9F 125 -> 7D 131 -> 83 141 -> 8D 154 -> 9A 112 -> 70 86 -> 56 136 -> 88 45 -> 2D 191 -> BF 102 -> 66 92 -> 5C 213 -> D5

11 Initial AACS Attacks
- December 26, 2006: muslix64 posts decryption code to Doom9 forum
- January 12, 2007: first title key posted online, in the form of a riddle
- January-February 2007: volume keys extracted for all published discs
  - Improved attack method: attempt to use each 16-byte sequence from memory image as a key
  - Online key databases founded

12 Initial AACS Attacks
- December 26, 2006: muslix64 posts decryption code to Doom9 forum
- January 12, 2007: first title key posted online, in the form of a riddle
- January-February 2007: volume keys extracted for all published discs
- February 11, 2007: arnezami extracts a processing key from software player memory
  - Single key decrypts all current discs
  - Like title and volume keys, was not obfuscated

13 Initial AACS Attacks
- December 26, 2006: muslix64 posts decryption code to Doom9 forum
- January 12, 2007: first title key posted online, in the form of a riddle
- January-February 2007: volume keys extracted for all published discs
- February 11, 2007: arnezami extracts a processing key from software
- February 24, 2007: ATARI Vampire extracts device keys from WinDVD
  - Public effort: < 2 months from scratch to device key

14 Industry Response and Limitations
- February 24, 2007: ATARI Vampire extracts device keys from WinDVD
  - Keys leaked because software obfuscation failed to protect them – isn’t key revocation intended to recover from this?
  - Industry announced the compromised keys would be revoked on all future titles starting May 23
May 23 ???
- Contracts with player vendors require 90-day notice for revocations
- Possibly reasonable, but limits effectiveness

15 Industry’s Legal Response
- Legal threats against sites showing processing key (09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 c0)
- Online protests after Digg complies with takedown

16 Can You Own an Integer?

17 New Processing Keys
- New processing key released same day as films that revoked the old key
- 90 day cycle seems to permit enough time to reverse engineer another player
- Doesn’t have to be same player
- Industry responds with proactive renewal, requiring all software to change keys every few months
- Yet since then, at no time has any marketed disc been unplayable

18 Pirates of the Caribbean Antigua (trade dispute over Internet gambling)

19 SlySoft AnyDVD-HD Circumvention for the masses Only € 79

20 AnyDVD-HD Releases
- Initial HD DVD support – February 2007
- Blu-Ray support – March 2007
- Response to revoked keys – May 2007
- Partial BD+ support – November 2007
- Full BD+ support – March 2008
- Response to revoked keys – April 2008
- Response to revoked keys – September 2008
- All updates free to registered users
- Uncertain which devices they’re reverse engineering
  Speculation: software players

21 A Market for Circumvention
- CSS: Weak DRM completely broken
  Open source implementations widely available
- AACS: Stronger DRM and working revocation
  Requires ongoing labor to attack
- First to defeat latest refresh has period of exclusivity – profit
- Repeated hacks = business model
- Stronger DRM → Circumvention as a service!

22 Switch to an Oracle
- AnyDVD-HD initially included processing keys
- Competing circumvention products found it easier to reverse engineer AnyDVD than licensed players
- SlySoft switched gears: ships with database of old volume keys plus server for new keys
- Meta-DRM!
- Advantage: traitor tracing more difficult (can restrict queries)
[Diagram: AnyDVD-HD and SlySoft Server (Antigua). 1. Disc ID, Encrypted K_V, AnyDVD Serial No. 2. Decrypts with Device Keys (Secret). 3. Volume Key K_V.]

23 Advanced Protection: BD+
- Big idea: Players support a small VM that allows each disc to implement its own countermeasures
- Based on the Self-Protecting Digital Content (SPDC) technology developed by Cryptography Research, Inc.
- Acquired by Macrovision in 2007 for $45 million
- Adopted by Blu-Ray but not HD DVD
  May have helped decide the format war
- Unlike AACS, no public specification
- Limited use so far, ~5% of Blu-Ray titles (mostly Fox)

24 BD+ Operation
- Transformations – Alter content stream before decoding
- Basic Countermeasures – Respond to attacks
- Advanced Countermeasures – Execute native code
Countermeasures

25 Public Attacks Against BD+
- Significant progress this month on Doom9
- Public effort to build a VM and debugging tools
- Info. from R.E., patents, and other docs. (esp. patent application 20070033419 by Kocher et al.)
- VM instruction set now known
  RISC, based on DLX by Hennessy and Patterson
- Instruction Filter – 32-bit register XORed with each instruction prior to execution (protects against static analysis)
- OS traps for symmetric and public key crypto, local storage, media I/O, native code execution, …

26 SlySoft Attacks BD+
- November 2007: Partial BD+ support in AnyDVD
  - Convince software player a disc image is an original
- March 2008: Full BD+ support in AnyDVD
  - Implements VM to support decryption
- June 2008: Fox adds new countermeasures in release of film “Jumper”
  - 7 days later, SlySoft updates AnyDVD to restore support
Will future countermeasures buy more or less than a week?

27 Review: Strengths/Weaknesses
- Standard crypto, designed by serious cryptographers
- Fine-grained device key revocation
- Multiple layers of protection, BD+ allows per-title countermeasures
- Slow to revoke device keys: at least 90 days
- PC software players ease reverse engineering
- Renewal ensures market for circumvention

28 Prospects: Secret Weapons?
- Sequence keys – improved traitor tracing
  - But… tracing probably not the weakest link
- More aggressive BD+ deployment
  - But… so far seems to buy a limited window
- Better protection for software players (TPM?)
  - But… limited by glacial deployment of Vista

29 Tracing/Revocation Overrated?
- Traitor tracing
  - Small number of players are the usual suspects
  - Industry doesn’t even bother to use all its tracing abilities (instead does proactive renewal)
- Key revocation
  - Slooooow / expensive in practice (seems necessarily so)
  - Attackers extracting new keys as fast as old ones are revoked
- Not the weakest links today (obfuscation?)

30 What if… Faster Revocation?
- Suppose perfect tracing and instant revocation
- A new game:
  - When attacker compromises a device, can release selected title keys or publish device key
  - Studios decide whether to revoke the device key immediately or wait
- Publishing the key: renders all past discs forever decipherable (can’t force attacker to retain state), but no effect on future discs after revocation
- Rational studios may delay revocation anyway, to retain release window on some titles, since after revoked the attacker might as well publish it

31 Evaluation: Success or Failure?
- AACS a clear failure
  - Virtually all discs copyable for past 21 months
  - Renewability seems to have no practical impact
- BD+ … ?
  - Current breaks show won’t live up to hype (“secure for 10 years”)
  - Compare cost of building countermeasures to cost of breaking them
  - Industry has weapon of surprise: May help some films be secure for short release windows

32 Are We at the Limits of DRM?
- AACS/BD+ designed by very smart people
- Relatively few compromises
- Yet quite limited success
May be impossible to do much better within the model of disconnected players for content distributed on mass-produced physical media.
Your predictions?

33 AACS, BD+, AND THE LIMITS OF DRM J. Alex Halderman Princeton → UMich.

