
HDCP master key allegedly posted - m0nastic
http://pastebin.com/kqD56TmU
======
js2
Here's a paper discussing how this key could have been derived:

<http://www.cs.rice.edu/~scrosby/pubs/hdcppaper.ps>

<http://www.cypherpunks.ca/~iang/pubs/hdcp-drm01.pdf>

Here's the fun bit:

"We observe that attackers can exploit a well-known cryptographic design
mistake: the shared secret generation is entirely linear. The attack only
needs 40 public/private key pairs such that the public key pairs span M ⊂
(Z/256Z)40, the module generated by all public keys. Since HDCP devices
divulge their public keys freely, one can easily test whether a set of 40
devices have public keys spanning M before expending the effort to extract
their private keys. With these keys, the authority’s secret can be recovered
in only a few seconds on any desktop computer."

Edited to add the next paragraph (paper was published in 2001):

"The consequence of these flaws is that, after recovering the private keys of
40 devices, we can attack every other interoperable HDCP device in existence:
we can decrypt eavesdropped communications, spoof the identity of other
devices, and even forge new device keys as though we were the trusted center.
Note that this allows us to bypass any revocation list or “blacklisting”: such
mechanisms are rendered completely ineffective by these flaws in HDCP.
Therefore we recommend that the current HDCP cryptosystem should be abandoned
and replaced with standard cryptographic primitives."

~~~
nitrogen
_Therefore we recommend that the current HDCP cryptosystem should be abandoned
and replaced with standard cryptographic primitives._

So does this mean that all new equipment will quickly switch to DisplayPort,
necessitating another round of TV/monitor upgrades? Or will the HDMI
organization add DPCP (AES) to the HDMI standard?

[Edit: it was mentioned elsewhere* in the thread that HDCP 2.0 uses AES]

* _<http://news.ycombinator.com/item?id=1691794> _

------
m0nastic
For those curious as to what this entails, the Wikipedia article:
<http://en.wikipedia.org/wiki/Hdcp#Cryptanalysis> Does a pretty good job
explaining.

For those not quite that curious, if you've ever tried to watch a Blu-Ray
movie on your computer, and gotten an error about it being restricted from
playing back on your display; there's a good chance that is because of HDCP.

If this is true (and there isn't really a good reason to believe that it
isn't), this is pretty bad news for the content industry.

~~~
nimai
You're joking, right? The only people HDCP has been affecting have been
legitimate customers. Pirates have had HD video for years.

~~~
barrkel
<sarcasm>You don't understand. HDCP is _great_ for consumers. It's what lets
them view fantastic content from the creative industry. Without HDCP, that
content wouldn't be available to consumers.</sarcasm>

It was this angle of attack, or one very similar to it, that I remember
reading from an nVidia (or it might have been ATI) powerpoint deck a few years
back.

~~~
prodigal_erik
Makes me wonder whether the author was blissfully ignorant of DeCSS, or hoped
the readers would be. It's not as if they felt the need to pull DVDs off the
market for the last decade.

~~~
m0nastic
To be fair, the release of DeCSS may very well have moved up the timetable for
releasing BD+ and AACS (which isn't an argument against it, but these things
don't exist in a vaccum).

------
seldo
Blu-Ray on Windows is the single most user-hostile computing experience I've
ever had. I stopped buying/renting blu-ray movies because I didn't feel like
rebooting 3 times every time I wanted to play a disc, with the software
treating me like a criminal the whole time.

~~~
thehodge
I bought my first Blue-Ray the other day and the experience was terrible, I
put the disk in and nothing happened.. I tried to play it in windows media
center, no ball.. not in VLC.. there was no player included on the disk.

I had to download a 300meg trial of PowerDVD just to play a film I'd already
paid for (I also had to update my graphics card for some reason, the computer
had been playing HD content for months without needing that).

That will be the last Blue-Ray disk I buy..

~~~
illumin8
The experience on Blu-Ray is terrible. I have to sit through as much as 20
minutes of unskippable commercials before I get to the menu screen. They even
show you commercials about how great movies are on Blu-Ray - even though they
should know you already are a customer because you're watching a Blu-Ray. Not
only that, some of the commercials are streamed over the Internet, which means
they use your bandwidth without asking permission to download an unskippable
commercial.

The experience is getting a bit ridiculous, and I personally hope someone
writes a DeCSS for Blu-Ray so that we can uncripple this format.

Btw, I don't actually buy any Blu-Ray disks, I just have my Netflix account
enabled for Blu-Ray and watch most movies in that format since it looks better
on my HDTV.

~~~
timdorr
To be slightly fair (and only slightly because I still think Blu-Ray sucks),
Netflix does often get separate rental copies of movies that differ from the
store-bought versions. They usually have more extraneous crap in front of the
movie, since they are making less money off them in the long run.

But the load times alone make me want to throw my Blu-Ray player out of the
window. It's a mind-numbingly slow experience in every way.

~~~
msisk6
The load time with my old Sony Blu-Ray player was the same -- horribly slow.
Unusable, IMHO.

Then I got a PlayStation 3. It made the kids happy and is radically faster
playing Blu-Ray discs. If you're not a gamer be sure to get the optional
"normal" bluetooth remote and you'll be all set.

~~~
wwortiz
I have a ps3 as well and most of my experiences with bluray have been pretty
much the same as dvd with the exception of terminator 2 (skynet edition I
think) which took forever to load.

The real problem is that I can't see much of a difference between the dvd
version of a movie and the bluray version, if I have a choice for the same
price I probably will buy bluray but otherwise the dvd upscaling works just as
well for me.

This experience of quality differs greatly than that of a regular xvid rip and
a hidef h264 rip which are actually quite noticeable.

------
flannell
I've had nothing but trouble with HDCP. I've used HDMI matrix switches to
transport a video signal around the house. 40% of the time I get the HD
snowstorm so have to reboot the TV to attempt a second handshake. This gives a
low Wife Approval Factor. I believe they should stop torturing the paying
punters, like me, and just be happy with the majority who pay and not the
minority that don't. Also, before someone mentions the x billion lost per
year, I doubt maybe the 100,000 that downloaded 'The Bounter Hunter' would of
seriously bought it.

~~~
reduxredacted
_Also, before someone mentions the x billion lost per year_

It's bizarre. Imagine a job where my customer complains about how ineffective
my product is yet continues to shovel money at me. Wait, even worse, my
product makes their customers miserable and yet they still shovel money at me.
It sort of sounds like the business model of a crack dealer.

~~~
joeyo
Or a monopolist.

------
js4all
The comments so far are just about HDCP, Blu-Ray and playback difficulties.

The paste however contains the key matrix used to encrypt and decrypt the
digital video signal. If this is valid, every transmission between a HDCP-
secured playback device and the display can be decrypted, thus rendering every
other encryption method, used in the playback chain, useless, including AACS
and BD+.

This is serious, because the keys for AACS can be revoked, if compromised.
HDCP keys however can't be revoked.

~~~
nitrogen
It doesn't completely render BD+ useless, as BD+ can be used to watermark the
video signal according to the player model (and hypothetically other
variables, like location, IP address, or player serial number). So, to avoid
identification, pirates would need to crack BD+, or combine the output from
multiple players to obscure the watermarking.

Another problem with cracking the transport instead of the storage medium, is
that to rip from HDMI you have to play the movie at normal speed, while
ripping straight from disc can be done much faster.

~~~
js4all
I agree with the second point.

Regarding on-the-fly watermarking, I see the hypothetical use, but current
watermarking algorithms are to complex for BD+. An interesting idea though.

------
reduxredacted
Worth noting (again, assuming this is credible): Version 2.0 of HDCP is likely
not affected.

According to their FAQ: <http://www.digital-cp.com/faqs> "HDCP revision 2.0
uses industry-standard public-key RSA authentication and AES 128 encryption.
It also supports protection of compressed content, making it feasible to use
relatively slow 50 to 200 Mbps interfaces."

... and ...

"HDCP 1.x technology offers protection for uncompressed content transmitted
over several common wired interfaces including DVI, HDMI and DisplayPort. HDCP
revision 2.0 adds strengthened encryption..."

~~~
wmf
"The wireless interfaces which utilize HDCP revision 2.0 so far include:
Digital Interface for Video and Audio (DiiVA), NetHD, Wireless Home Digital
Interface (WHDI), and Wireless HD (WiHD)."

In other words, no equipment that anyone has.

------
audidude
For some reason I don't think that will make such a good t-shirt this time
around.

~~~
daychilde
Maybe it'd work better for folks like me who shop at big&tall stores... We
have the _perfect_ body for this t-shirt. Finally, all my McDonald's days are
about to pay off!

------
Maakuth
Yes, "allegedly". This is definitely good news if it's the real thing. I
wonder how long does it take to confirm it's authenticity.

------
nitrogen
I was a minor participant in the tvtime project years ago. HDMI and HDCP came
around and made that kind of thing highly improbable for HD content. CPUs and
GPUs are now at speeds that make advanced HD video manipulation practical. I
hope this HDCP crack, if verified, makes a tvtime-like application for HDMI
video possible. Better yet, a PC-based realtime compositing and overlay
system, requiring only a $100 GeForce GPU and HDMI capture cards.

------
bcl
Has anyone verified that this actually works?

~~~
wmf
Time to light up the Bunnie signal.

------
andybak
Don't they have a contingency for this? I thought they could update the DRM
code in devices with a new key or some such thing.

~~~
nash
I believe the update of keys relies on the secrecy of the master key, which is
never released in a device.

Hence the master key pretty much kills it all.

~~~
dfox
HDCP key exchange is very weird cryptosystem. Usually you generate some
essentially random private key and trivially derive public key from it. In
HDCP, it works other way around: central authority has ability to convert
(random) public keys to private keys using some secret information (purpotedly
this matrix). Motivation of this design is twofold: (a) actual hardware
implementation is simple and (b) this central authority can impose varios
policies about who gets private keys. On the other hand both these points make
this cryptosystem very weak.

Therefore, this matrix may not even be leaked, but somebody might reconstruct
it from relatively small number (I don't remember exact required number, but i
recollect that it is at most thousands) of keypairs recovered from devices in
circulation.

By the way similar mode of deployment was once recommended for RSA (having
shared modulus whose factorization is known to central authority), but it is
long known to be insecure (for RSA). I don't know of any non-HDCP related
analysis of public key cryptography based on similar approach as HDCP (vector
summing or matrix multiplication, depending on viewpoint), which probably
means that it is very well known to be insecure.

Edit: and for the key update: you would have to update all deployed keys
simultaneously, which is probably impossible. Moreover HDCP does not even
specify any kind of infrastructure to accomplish this.

~~~
tlrobinson
I recall hearing ~50 keypairs would be required to reconstruct this matrix
thing. Certainly there are more than 50 HDCP devices (manufacturers?)

~~~
ams6110
Is this another lesson in why you should not invent your own crypto system?

~~~
logicalmind
They didn't actually invent their own crypto system. They used the scheme
devised by Swedish cryptographer Rolf Blom, know as Blom's Scheme. Which is a
form of "threshold secret sharing". It has been known for quite some time that
the system falls apart once a particular number of keys are known.

------
b3b0p
Comments keep mentioning Blu-ray playback, but it's referring to HDCP. That's
the connection between devices I thought?

I don't think this does anything for Blu-ray as it has it's own encryption
scheme.

Edit: Oops, I see someone mentioned this already. Missed that comment.

------
uuoc
The Cory Doctorow info-graphic is quite appropriate here:

<http://boingboing.net/2010/02/18/infographic-buying-d.html>

------
toodoo
And here come the T-Shirts <http://www.cafepress.com/HDCP>

------
yock
I can't believe people are willing to assign any credibility to an anonymous
dump of hex to pastebin.

~~~
mechanical_fish
That's the wonderful thing about math. You can verify its correctness without
reference to anybody's reputation or personal opinion. Indeed, that's pretty
much the definition of math.

~~~
yock
Of course you can verify if it's valid, but that's remarkably short of what's
being claimed here. Lots of folks here are talking as if this is the end of
HDTV DRM. I'm simply advocating that someone with the means actually test it
before we start singing "Ding Dong The Witch is Dead."

------
ra
And so the DRM Cold War continues.

