[5999] in cryptography@c2.net mail archive
More on CSS
daemon@ATHENA.MIT.EDU (Frank Andrew Stevenson)
Mon Nov 1 14:17:40 1999
Date: Sat, 30 Oct 1999 21:27:50 +0200 (CEST)
From: Frank Andrew Stevenson <frank@funcom.com>
To: cryptography@c2.net
Message-ID: <Pine.SGI.3.96.991030210322.28175B-100000@odin>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Earlier this week, I posted a note about an attack on the recently
published CSS cipher, used for encrypting DVDs.
I published my first attack here:
http://livid.on.openprojects.net/pipermail/livid-dev/1999-October/000589.html
It has a workload of 2^16 and recovers the 40-bit CSS key with 6 known
bytes.
I then directed my efforts against the TitleKey generation:
http://livid.on.openprojects.net/pipermail/livid-dev/1999-October/000609.html
Here a secondary mangling cipher falls with a workload of 2^8, and as
only 5 bytes of known plaintext is now needed, it is now possible to
extract numerous 'player keys' by correlating a few DVD titles.
It seems to have worked, for shortly afterwards there was a deluge of
playerkeys:
http://livid.on.openprojects.net/pipermail/livid-dev/1999-October/000657.html
My last attack is outlined in:
http://livid.on.openprojects.net/pipermail/livid-dev/1999-October/000671.html
It is an attack on a hash that is used to verify that the correct player
key has been used. This hash was also weak, and can be reversed with
2^25 work and 2^24 memory. A PIII/450 reverts such a hash in less than 20
seconds.
This particular attack is interesting as it will allow a DVD to be viewed
without any known player key, or known / guessed plaintext.
This should be of concern when trying to design 'secure distributions'
of movies for In Flight Entertainment, such as is being discussed on:
http://www.waea.org/public/specs/DVD-WG/DVDWG%20Index.html
( Movies can be released much earlier for IFE, and the security of
these copies is a concern with regards to piracy. If they can
be decrypted, they provide a Digital Master )
frank