Assessing the HDCP Hack

Intel confirmed last Thursday that a hack to its High-bandwidth Digital Content Protection (HDCP) link protection scheme for high-definition video had been discovered and published online.  HDCP is used in Blu-ray players, DVD players, set-top boxes, and other source devices to protect high-definition content on the link (typically HDMI or DVI) to a TV monitor or other sink device.  After several days of conjecture and dubiously informed blog posts, some facts have become clear that enable us to assess both the nature and impact of this hack.

First, given that Intel designed HDCP in the first place, we can take its word as authoritative.  Second, someone either leaked or discovered the master key* that is held within the “root of trust” for the HDCP system, the Intel subsidiary Digital Content Protection LLC (DCP).  With that master key they can generate the per-device private keys that DCP normally issues, and which enable HDCP-compliant devices to agree on the key used to encrypt and decrypt content.  In HDCP’s design this takes no extra trick: a device’s 40 private keys are a fixed function of the master key and the device’s public Key Selection Vector (KSV), so whoever holds the master key can mint keys for any KSV.

There are two big differences between the nature of this hack and that of the CSS encryption scheme for DVDs, to which DRM hacks are often compared. First, CSS was so weakly designed that all the hackers had to do was recover one of the player keys that every DVD player carries; HDCP, by contrast, never stores its master key on user devices.  Hollywood has at least learned that lesson about key management.  The HDCP hack therefore depends on computing device private keys on a per-device basis.

Second, not only is computing device keys harder to do, but using them to decrypt a live HDCP link at video rates can’t practically be done in software; it has to be done in silicon.  We’ll talk more about this shortly when we discuss the impact of the hack.

HDCP is designed to be able to revoke devices with compromised keys.  The hack, once someone actually implements it, makes revocation essentially useless.  An HDCP ripper could keep generating fresh KSVs with matching private keys, which the overall HDCP scheme would have to revoke by constantly updating the lists of revoked KSVs (System Renewability Messages) that are distributed with HDCP-protected content, such as on Blu-ray discs.  It would be both inordinately expensive and ultimately futile to do this: every revocation list is out of date the moment a ripper mints a KSV that is not on it.

Worse, it’s only possible to revoke HDCP device keys, not renew them, as is possible in DRM schemes that take advantage of device connectivity, such as Marlin.  This design decision results from the fact that many current HDCP-compliant devices are unconnected devices such as Blu-ray players, and it’s only practical to renew keys over a network (just ask makers of smart-card-based conditional access systems for cable TV, which have to physically ship new cards if old ones are compromised).

The master key for HDCP, like that of other DRMs, was only supposed to be known to a “root of trust” (central security authority) — in this case DCP.  Either the key was leaked or it was discovered.

Researchers had shown in 2001 (Crosby, Goldberg, Johnson, Song and Wagner, “A Cryptanalysis of the High-bandwidth Digital Content Protection System”) that the HDCP master key can be recovered by collecting the private keys of 40 HDCP-compliant devices with suitably independent KSVs and working backwards, by linear algebra, to the master key.  The number 40 is a parameter of the cryptographic scheme that HDCP uses: Blom’s key pre-distribution scheme, invented in the early 1980s.  In Blom’s scheme the master key is an n-by-n matrix (here 40 by 40, of 56-bit values), each device stores n keys, and the scheme only resists collusions of fewer than n devices.  Raising n raises security, but the authority’s matrix grows quadratically with n and every device’s key storage and key-agreement work grow linearly with it.  So the choice of 40 was a compromise, inevitable in all DRMs, between security and implementation cost.

The eminent cryptographer Paul Kocher — one of the brains behind the BD+ protection scheme for Blu-ray discs — says that the hack resulted from poor design.  But it’s also possible that a DCP insider leaked the key.  Either way, the system has the inherent weakness that anyone who knows the master key can use it outside the root-of-trust environment to create device private keys; there is no second secret or per-device step that only DCP can perform.  This was another choice made in the interest of low implementation cost rather than security.
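To make the two preceding points concrete (the master key lets anyone mint keys for any KSV, and 40 devices’ worth of keys let anyone recover the master key), here is an added example of my own; it is not Intel’s or DCP’s code and does not contain the leaked key.  It models HDCP 1.x key arithmetic with the public parameters only: 40 private keys of 56 bits per device, a 40-bit KSV with 20 bits set, a symmetric 40-by-40 master matrix, arithmetic mod 2^56.  The matrix values and KSVs are generated at random for the example, and the `simulate_attack` harvesting loop is a constructed stand-in for buying devices and reading their keys out.  It shows how DCP derives a device’s keys, why two devices end up with the same link key, how a fresh KSV that appears on no revocation list is minted from the recovered matrix, and the linear-algebra recovery itself.

```python
"""Toy model of HDCP 1.x key handling (Blom's scheme).  Added example, not Intel/DCP code.

Public parameters of HDCP 1.x: each device holds 40 private keys of 56 bits and a
40-bit Key Selection Vector (KSV) with exactly 20 bits set; the authority's master
key is a symmetric 40x40 matrix of 56-bit values; arithmetic is mod 2**56.
Matrix values and KSVs below are generated at random for the example.
"""
import random

N, WEIGHT, MOD = 40, 20, 1 << 56


def ksv_bits(ksv):
    """KSV as a 0/1 vector (bit i of the integer selects key i)."""
    return [(ksv >> i) & 1 for i in range(N)]


def random_ksv(rng):
    """A well-formed KSV: 40 bits, exactly 20 of them set."""
    return sum(1 << p for p in rng.sample(range(N), WEIGHT))


def random_master_key(rng):
    """The root of trust's secret: a symmetric N x N matrix of 56-bit values."""
    A = [[0] * N for _ in range(N)]
    for i in range(N):
        for j in range(i, N):
            A[i][j] = A[j][i] = rng.randrange(MOD)
    return A


def device_private_keys(A, ksv):
    """What DCP issues per device: its 40 keys are the matrix-vector product A*ksv."""
    v = ksv_bits(ksv)
    return [sum(A[i][j] for j in range(N) if v[j]) % MOD for i in range(N)]


def shared_key(own_keys, peer_ksv):
    """Link key: add your own private keys at the positions set in the peer's KSV.
    Symmetry of A makes ksv_a^T A ksv_b == ksv_b^T A ksv_a, so both ends agree."""
    v = ksv_bits(peer_ksv)
    return sum(own_keys[i] for i in range(N) if v[i]) % MOD


def _v2(x):
    """2-adic valuation (trailing zero bits) of a non-zero integer."""
    return (x & -x).bit_length() - 1


def recover_master_key(devices):
    """The 2001 attack: from (ksv, private_keys) pairs solve V*A = K mod 2**56,
    V holding one KSV per row and K the matching key vectors.  Every KSV has even
    weight, so the rows are never independent mod 2 and ordinary elimination
    (odd pivots) cannot work; pivoting on the entry of lowest 2-adic valuation
    still yields a matrix A' that satisfies all harvested equations."""
    rows = [ksv_bits(k) + list(keys) for k, keys in devices]
    m, used, pivot_row = len(rows), 0, [None] * N
    for col in range(N):
        cand = [r for r in range(used, m) if rows[r][col]]
        if not cand:
            continue                       # nothing constrains this column yet
        p = min(cand, key=lambda r: _v2(rows[r][col]))
        rows[used], rows[p] = rows[p], rows[used]
        e = _v2(rows[used][col])
        inv = pow(rows[used][col] >> e, -1, MOD)            # invert the odd part
        rows[used] = [(x * inv) % MOD for x in rows[used]]  # pivot becomes 2**e
        for r in range(used + 1, m):
            q = rows[r][col] >> e        # exact: the pivot has the lowest valuation
            if q:
                rows[r] = [(a - q * b) % MOD for a, b in zip(rows[r], rows[used])]
        pivot_row[col], used = used, used + 1
    A = [[0] * N for _ in range(N)]
    for col in reversed(range(N)):       # back-substitution; free columns stay 0
        if pivot_row[col] is None:
            continue
        row, e = rows[pivot_row[col]], _v2(rows[pivot_row[col]][col])
        for k in range(N):
            rhs = (row[N + k] - sum(row[j] * A[j][k] for j in range(col + 1, N))) % MOD
            if rhs & ((1 << e) - 1):
                raise ValueError("device keys inconsistent with a common master key")
            A[col][k] = rhs >> e
    return A


def simulate_attack(rng, A_true, batch=8, checks=16, max_devices=200):
    """Attacker loop (constructed for the example): read keys out of more and more
    devices until the recovered matrix mints a never-issued KSV whose keys
    interoperate with genuine devices the attacker has never seen.
    Returns (devices_used, success)."""
    harvested = []
    while len(harvested) < max_devices:
        for _ in range(batch):
            ksv = random_ksv(rng)
            harvested.append((ksv, device_private_keys(A_true, ksv)))
        if len(harvested) < N:
            continue
        try:
            A_hat = recover_master_key(harvested)
        except ValueError:
            continue
        forged_ksv = random_ksv(rng)             # on no revocation list anywhere
        forged_keys = device_private_keys(A_hat, forged_ksv)
        if all(shared_key(forged_keys, w) ==
               shared_key(device_private_keys(A_true, w), forged_ksv)
               for w in (random_ksv(rng) for _ in range(checks))):
            return len(harvested), True
    return len(harvested), False


def demo(seed=2010):
    """Reproducible run of the whole story; returns the facts the text asserts."""
    rng = random.Random(seed)
    A = random_master_key(rng)
    tx, rx = random_ksv(rng), random_ksv(rng)
    agree = shared_key(device_private_keys(A, tx), rx) == shared_key(device_private_keys(A, rx), tx)
    used, ok = simulate_attack(rng, A)
    return {"agreement_ok": agree, "attack_ok": ok, "devices_used": used}


if __name__ == "__main__":
    print(demo())
```

Two design notes, both my own analysis rather than anything on the page.  Because every KSV has exactly 20 bits set, the 40 KSV rows are always linearly dependent mod 2, so the recovery has to pivot on even entries and the recovered matrix can differ from the true one; the difference is invisible to genuine devices, which is why the loop judges success by interoperability with devices it never harvested rather than by comparing matrices, and why it may keep buying a few more than 40.  And nothing in the recovery or the forgery is expensive: the costly part of an HDCP ripper is not the key arithmetic but decrypting the link at video rates, which is the “hardware speed bump” discussed below.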

Now let’s talk about the practical impact of the hack.  It is wrong to suggest, as some have, that the HDCP hack will have the same impact on high-definition video as the CSS hack has had on DVDs.  Part of assessing the strength of a DRM system is assessing the fallout when the system is inevitably cracked.

First of all, exploiting the HDCP hack at scale would require chips that implement it.  As some have pointed out, a fabrication facility somewhere in China may well be working on just such a chip as I write this, and soon Blu-ray players and other devices with the chip, or standalone HDCP ripper devices, could appear on the black market or outside the United States.

This is a “hardware speed bump” in the sense that someone has to manufacture the devices and sell them, presumably at a profit.  Such devices would be illegal in the US and various other countries under anti-circumvention law.  People would have to find, buy, and use the devices; and the devices would require real-time playback of the video to make the decrypted content available.

In contrast, the CSS hack led to software DVD rippers that anyone could download over the Internet, and the odds of detecting such (also illegal) activity are virtually nil.  Furthermore, so-called DeCSS rippers work almost instantaneously and do not require real-time playback.  With movies, this is a big difference.

Intel’s stance on the HDCP hack is that it won’t affect their business.  You’d expect Intel to say that, but in this case it’s basically true.  Unencrypted copies of movies appear on BitTorrent sites now; this process will become somewhat easier for dedicated rippers once HDCP rippers become available, but the average BitTorrent user won’t experience much difference.

Let me say this one more time: just because there’s a hack to a DRM scheme does not necessarily mean that every piece of content encrypted with that DRM scheme is suddenly in the clear.

Here is the analogy I like to use to explain this; it is not terribly accurate but illustrative anyway.  Let’s say I develop a technique for picking a certain popular brand of combination locks and publish it on a web page.  That does not mean that every school locker using that lock is suddenly open and millions of backpacks, sweatshirts and textbooks are stolen.  Even leaving aside the fact that a lock-picker has to physically go to each lock and operate on it, taking advantage of the hack may require special skills, special tools, and time to work.

I have not in recent years met anyone in the media industry who believes that any DRM is hackproof.  Furthermore, studios treat HDCP and other DRMs as just a few of many tools for keeping consumers buying their content and not infringing their copyrights.  Thus, this hack is unlikely to affect the attitudes that Hollywood studios have towards DRM.

*I made a comment on a popular tech blog that there wasn’t a single master key.  My comment was incorrect.  At the time, I did not properly understand the nature of the hack, and I did not make the distinction between master keys that are actually present on client devices by design (à la DVDs and CSS) versus those that are designed to exist only within the confines of the root-of-trust facility (DCP in the case of HDCP).  However, the author of this blog piece also failed to make that distinction and generally under-researched and mischaracterized the hack, in his usual fashion.  For that reason, I won’t name the blog or author.

8 comments

  1. Bill, thanks again for your in-depth, insightful analysis!

    Regarding your statement that “…impact of the HDCP hack is such that it would be necessary to create chips that implement it,” I’m curious if the compute resources required are of a scale that it could be implemented on a modern field programmable gate array (FPGA).

    To be brief: FPGAs are VLSI chips invented in the 1980s whose logic is configured via software; they are used in both products and system prototypes. Today’s FPGAs allow many algorithms to be implemented faster than in software and often as fast as custom hardware.

    I can see several potential implications if it were indeed possible to implement the HDCP Hack on FPGAs:

    * No offshore HDCP Hack chip fab would be required
    * HDCP Hack devices assembled offshore could be imported in an un-programmed state and programmed via download
    * The FPGA-based HDCP Hack implementation could be updated via online distributions

    But based on your arguments, it’s not clear to me that it would be worth the development expense…

    John

  2. Thanks John.

    One thing that just occurred to me, given your interesting comment, is that hardware speed bumps serve an important purpose: they probably eliminate hackers who hack DRMs just to show it can be done, prove their hacking skills, stick it to Hollywood, etc. Only professional pirates will bother to manufacture devices or engage in manual processes that result in unauthorized content.

    I believe that the media industry knows very well that professional, large-scale pirates will continue their activities despite speed bumps. But taking steps to thwart “joy hackers” ought to be effective in and of itself. Once again this is a weakness of the CSS scheme for DVDs and (relatively speaking) a strength of the HDCP design.

    As to your point about FPGAs, it’s even possible — I don’t know for sure — that the hack could be implemented purely in software at a reasonable cost once Moore’s Law enables it. But I would assume that if this is the case, the designers bet that by the time this is possible, HDCP will be obsolete technology.

  3. Very good article. I knew this to be the case but we need to make it known to the general public and specifically to the “shoot from the hip” bloggers, media people.
    And like you say, at the end of the day this means very little to the general consumer.

    Hollywood knows content will be pirated if not at the very least via the analog hole.
    DRM is about inconvenience. This HACK makes it a little less inconvenient for hard core pirates, but in general means nothing to the average amateur hacker.

  4. Jeff Power

    I don’t get all the excitement, Blu-ray discs have been copyable for some time. There is a company which I won’t name here that sells a driver that sits in your tray allowing you to rip the Blu-ray disc at will.
    This leak/crack only breaks the encryption between devices; Blu-ray rips have been on torrent sites for years now. The only thing limiting their popularity is download size, anywhere from 4 to 6 GB (720p) to 12 to 20 GB (1080p).
    Even then you can find full rips that reach 50 GB but they aren’t very common due to size.

  5. Bear in mind that HDCP isn’t limited to Blu-ray. It’s used in cable STBs as well. There’s a lot of hand-wringing in Hollywood over how much early-window HD content to license to cable and satellite operators. This hack could affect how the studios license this content to those network operators… or not.

  6. Hi Bill,

    Nice article. I tested some HDCP products in the past and had already found repeater devices that could be persuaded to strip HDCP protection on their output, but OK, this is more fundamental than a questionable implementation.

    I’ve been wondering since I did that testing though, what’s the impact of this to a content owner?

    As you say, it’s not an attack that allows decryption of a Blu-ray. Instead, I can strip HDCP from a video stream and then capture that stream. From that HDCP stream I can reconstruct an unprotected mpg4, but would it be original quality?

    I guess the Blu-ray player isn’t sending the original mpg4 compressed data through the HDCP channel, so probably an attacker has to do some transcoding and recompression and will consequently introduce artifacts in his reconstructed mpg.

    Also, in an HDCP channel, the Blu-ray player has probably already done some image processing (e.g. perhaps related to characteristics of the connected display device, colour selection, aspect ratio, display size)? This would result in additional artifacts in the content compared to the HD source.

    So any idea how the quality of a copy resulting from such an attack compares to the HD source material? If it’s lower, maybe the content owners have extra reason to not lose sleep over this.

  7. […] of piracy is a non-trivial matter. According to its inventor, Intel, HDCP still needs to be implemented in silicon, which means someone would have to start fabbing chips and building black boxes to do much damage, […]

  8. […] digital content protection) 1.4, which protects the video delivered via HDMI cables, has been hacked. It is likely the industry, principally driven by Hollywood, will demand a higher level of security […]
