Published by Silas Lucas. Modified over 9 years ago.
1
AACS, BD+, AND THE LIMITS OF DRM J. Alex Halderman Princeton → UMich.
2
DRM for HD Video Discs
[Diagram labels: AACS, BD+, AACS]
3
A Case Study
Why study AACS and BD+?
- What is the state of the art in deployed DRM?
- How do DRM systems fail in practice?
- Do real-world constraints differ from our models?
- Is research addressing the right problems?
A work in progress…
4
In This Talk
1. AACS design
2. How AACS was initially broken
3. Why circumvention went commercial
4. BD+ design and hacks
5. Evaluation: Limits of DRM?
5
Content Scrambling System (CSS), 1996
- DRM for traditional DVDs
- Toshiba and Matsushita
- Secret design – security by obscurity
- Severely gate-limited
- Home-brew 40-bit cipher, based on LFSR
- Each player-maker assigned one of 409 player keys
- Each disc contains title key encrypted with each valid player key
- Can revoke any player key if compromised
6
Attacks on CSS, 1999
- Algorithms reverse engineered from player apps
  - Motivation: can’t play DVDs under Linux
  - DeCSS: open source app decrypts video given disc key
- Cryptanalysis (Frank A. Stevenson, et al.)
  - Recover player keys w/ known plaintext: 2^16
  - Recover disc key without plaintext: 2^25
- Complete failure
  - Every player key posted online within days
  - Attempts to legally suppress DeCSS unsuccessful
  - Can strip DRM from all DVDs forever with no additional hacking
7
Advanced Access Control System (AACS), 2005
- DRM for next-gen video discs (HD DVD and Blu-Ray)
- Major improvements:
  - Open design process, published specs, real cryptographers
  - Uses standard ciphers — AES
  - Fine-grained player key revocation employing NNL subset-difference method (can efficiently target individual devices)
  - Traitor tracing to identify compromised players
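How the NNL subset-difference method named on this slide can target individual devices, as an added Python example that is not from the talk or from the AACS specification. The 16-device tree, the node numbering and the function names are assumptions chosen for illustration.

```python
# Added illustration (not from the talk): Naor-Naor-Lotspiech subset-difference
# cover on a toy tree. Heap numbering: root is node 1, children of v are 2v, 2v+1.
# HEIGHT and all device numbers are constructed values, not AACS parameters.
HEIGHT = 4                       # 2**4 = 16 devices, numbered 0..15
FIRST_LEAF = 1 << HEIGHT         # device d sits at leaf node FIRST_LEAF + d

def leaf_range(v):
    """First and last leaf node in the subtree rooted at node v."""
    lo = hi = v
    while lo < FIRST_LEAF:
        lo, hi = 2 * lo, 2 * hi + 1
    return lo, hi

def sd_cover(revoked):
    """Subsets (i, j) = 'leaves under i but not under j' that together hold
    every non-revoked device exactly once and no revoked device."""
    bad = {FIRST_LEAF + d for d in revoked}
    if not bad:
        return [(1, None)]       # nothing revoked: one subset for the whole tree
    cover = []

    def walk(v):
        # Returns a node a under v such that leaves under a are settled and
        # leaves under v but outside a are all non-revoked and still uncovered.
        lo, hi = leaf_range(v)
        if not any(lo <= b <= hi for b in bad):
            return None          # no revoked device below v
        if v >= FIRST_LEAF:
            return v             # v is a revoked leaf
        left, right = walk(2 * v), walk(2 * v + 1)
        if left is None or right is None:
            return right if left is None else left
        for child, a in ((2 * v, left), (2 * v + 1, right)):
            if a != child:
                cover.append((child, a))
        return v                 # both sides had revocations: v is settled

    top = walk(1)
    if top != 1:
        cover.append((1, top))
    return cover

def in_subset(device, subset):
    """True if the device's leaf is under node i and not under node j."""
    i, j = subset
    v, path = FIRST_LEAF + device, set()
    while v:
        path.add(v)
        v //= 2
    return i in path and j not in path
```

Revoking device 5 alone yields the single subset (1, 21), and revoking r devices never needs more than 2r − 1 subsets, which is why a key block can exclude one player without growing with the number of licensed devices.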
8
AACS Overview
9
Initial AACS Attacks
- December 26, 2006: muslix64 posts decryption code to Doom9 forum
  - Implemented based on published specs
  - Doesn’t include any keys, but author claims to have found title/volume keys in memory of a software player
  - Motivation: can’t play movies on non-HDCP monitor
10
Initial AACS Attacks
- December 26, 2006: muslix64 posts decryption code to Doom9 forum
- January 12, 2007: first title key posted online, in the form of a riddle

2/Reavers are bad mmmmkay...Google 4TW! Mark Twain Intermediate School Restaurant & Lounge Cent Celtic Designs Dover Pictorial Science Online Special Feature Link Building Strategies Starlifter Solar periodicity Dawson's Creek Music Guide Decisions Duncan's F ways to market your small or solo business WBFF Olivia Quinn Food Stamp Leaver Dalmations CITI FM Skippyslist

239 -> EF, 33 -> 21, 50 -> 32, 159 -> 9F, 125 -> 7D, 131 -> 83, 141 -> 8D, 154 -> 9A, 112 -> 70, 86 -> 56, 136 -> 88, 45 -> 2D, 191 -> BF, 102 -> 66, 92 -> 5C, 213 -> D5
11
Initial AACS Attacks
- December 26, 2006: muslix64 posts decryption code to Doom9 forum
- January 12, 2007: first title key posted online, in the form of a riddle
- January-February 2007: volume keys extracted for all published discs
  - Improved attack method: attempt to use each 16-byte sequence from memory image as a key
  - Online key databases founded
12
Initial AACS Attacks
- December 26, 2006: muslix64 posts decryption code to Doom9 forum
- January 12, 2007: first title key posted online, in the form of a riddle
- January-February 2007: volume keys extracted for all published discs
- February 11, 2007: arnezami extracts a processing key from software player memory
  - Single key decrypts all current discs
  - Like title and volume keys, was not obfuscated
13
Initial AACS Attacks
- December 26, 2006: muslix64 posts decryption code to Doom9 forum
- January 12, 2007: first title key posted online, in the form of a riddle
- January-February 2007: volume keys extracted for all published discs
- February 11, 2007: arnezami extracts a processing key from software
- February 24, 2007: ATARI Vampire extracts device keys from WinDVD
- Public effort: < 2 months from scratch to device key
14
Industry Response and Limitations
- February 24, 2007: ATARI Vampire extracts device keys from WinDVD
  - Keys leaked because software obfuscation failed to protect them – isn’t key revocation intended to recover from this?
  - Industry announced the compromised keys would be revoked on all future titles starting May 23
- May 23: ???
  - Contracts with player vendors require 90-day notice for revocations
  - Possibly reasonable, but limits effectiveness
15
Industry’s Legal Response
- Legal threats against sites showing processing key (09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 c0)
- Online protests after Digg complies with takedown
16
Can You Own an Integer?
17
New Processing Keys
- New processing key released same day as films that revoked the old key
  - 90 day cycle seems to permit enough time to reverse engineer another player
  - Doesn’t have to be same player
- Industry responds with proactive renewal, requiring all software to change keys every few months
- Yet since then, at no time has any marketed disc been unplayable
18
Pirates of the Caribbean
- Antigua (trade dispute over Internet gambling)
19
SlySoft AnyDVD-HD
- Circumvention for the masses
- Only € 79
20
AnyDVD-HD Releases
- Initial HD DVD support – February 2007
- Blu-Ray support – March 2007
- Response to revoked keys – May 2007
- Partial BD+ support – November 2007
- Full BD+ support – March 2008
- Response to revoked keys – April 2008
- Response to revoked keys – September 2008
- All updates free to registered users
- Uncertain which devices they’re reverse engineering
  - Speculation: software players
21
A Market for Circumvention
- CSS: Weak DRM completely broken
  - Open source implementations widely available
- AACS: Stronger DRM and working revocation
  - Requires ongoing labor to attack
  - First to defeat latest refresh has period of exclusivity – profit
  - Repeated hacks = business model
- Stronger DRM → Circumvention as a service!
22
Switch to an Oracle
- AnyDVD-HD initially included processing keys
- Competing circumvention products found it easier to reverse engineer AnyDVD than licensed players
- SlySoft switched gears: ships with database of old volume keys plus server for new keys
- Meta-DRM!
- Advantage: traitor tracing more difficult (can restrict queries)
[Diagram: AnyDVD-HD and SlySoft Server (Antigua). 1. Disc ID, Encrypted K_V, AnyDVD Serial No. 2. Decrypts with Device Keys (Secret). 3. Volume Key K_V.]
23
Advanced Protection: BD+
- Big idea: Players support a small VM that allows each disc to implement its own countermeasures
- Based on the Self-Protecting Digital Content (SPDC) technology developed by Cryptography Research, Inc.
  - Acquired by Macrovision in 2007 for $45 million
- Adopted by Blu-Ray but not HD DVD
  - May have helped decide the format war
- Unlike AACS, no public specification
- Limited use so far, ~5% of Blu-Ray titles (mostly Fox)
24
BD+ Operation
- Transformations – Alter content stream before decoding
- Basic Countermeasures – Respond to attacks
- Advanced Countermeasures – Execute native code
[Diagram label: Countermeasures]
25
Public Attacks Against BD+
- Significant progress this month on Doom9
  - Public effort to build a VM and debugging tools
  - Info. from R.E., patents, and other docs. (esp. patent application 20070033419 by Kocher et al.)
- VM instruction set now known
  - RISC, based on DLX by Hennessy and Patterson
  - Instruction Filter – 32-bit register XORed with each instruction prior to execution (protects against static analysis)
  - OS traps for symmetric and public key crypto, local storage, media I/O, native code execution, …
26
SlySoft Attacks BD+
- November 2007: Partial BD+ support in AnyDVD
  - Convince software player a disc image is an original
- March 2008: Full BD+ support in AnyDVD
  - Implements VM to support decryption
- June 2008: Fox adds new countermeasures in release of film “Jumper”
  - 7 days later, SlySoft updates AnyDVD to restore support
- Will future countermeasures buy more or less than a week?
27
Review: Strengths/Weaknesses
Strengths:
- Standard crypto, designed by serious cryptographers
- Fine-grained device key revocation
- Multiple layers of protection, BD+ allows per-title countermeasures
Weaknesses:
- Slow to revoke device keys: at least 90 days
- PC software players ease reverse engineering
- Renewal ensures market for circumvention
28
Prospects: Secret Weapons?
- Sequence keys – improved traitor tracing
  - But… tracing probably not the weakest link
- More aggressive BD+ deployment
  - But… so far seems to buy a limited window
- Better protection for software players (TPM?)
  - But… limited by glacial deployment of Vista
29
Tracing/Revocation Overrated?
- Traitor tracing
  - Small number of players are the usual suspects
  - Industry doesn’t even bother to use all its tracing abilities (instead does proactive renewal)
- Key revocation
  - Slooooow / expensive in practice (seems necessarily so)
  - Attackers extracting new keys as fast as old ones are revoked
- Not the weakest links today (obfuscation?)
30
What if… Faster Revocation?
- Suppose perfect tracing and instant revocation
- A new game:
  - When attacker compromises a device, can release selected title keys or publish device key
  - Studios decide whether to revoke the device key immediately or wait
- Publishing the key: renders all past discs forever decipherable (can’t force attacker to retain state), but no effect on future discs after revocation
- Rational studios may delay revocation anyway, to retain release window on some titles, since after revoked the attacker might as well publish it
31
Evaluation: Success or Failure?
- AACS a clear failure
  - Virtually all discs copyable for past 21 months
  - Renewability seems to have no practical impact
- BD+ … ?
  - Current breaks show won’t live up to hype (“secure for 10 years”)
  - Compare cost of building countermeasures to cost of breaking them
  - Industry has weapon of surprise: May help some films be secure for short release windows
32
Are We at the Limits of DRM?
- AACS/BD+ designed by very smart people
- Relatively few compromises
- Yet quite limited success
- May be impossible to do much better within the model of disconnected players for content distributed on mass-produced physical media.
- Your predictions?
33
AACS, BD+, AND THE LIMITS OF DRM J. Alex Halderman Princeton → UMich.