Thursday, January 11, 2007

AACS crack update

So I made some bad assumptions in my earlier post about the AACS crack. That's what I get for assuming and not hunkering down to read the spec. I know more about it now because of today's Freedom to Tinker post from J. Alex Halderman. He explains:
Blacklisting would be a PR and business disaster if it meant a lot of consumers had to throw away their fancy players as a result of a crack. That’s why AACS allows each individual player to be assigned its own unique set of device keys that can be uniquely blacklisted without adversely affecting other players.
So, the AACS people are smarter than I gave them credit for. If manufacturers follow recommendations and issue individual keys to each device, then only one person's device is disabled, and there's a good chance that person was involved in leaking the key, so maybe that's appropriate. Further, Halderman says that they only disable new discs with the revocation, and they don't brick the device. Hm, I guess they are nicer than I might be in their situation. ;)

Halderman refers to the process as "some serious crypto wizardry." Now, I still haven't read the spec, and he has. But I don't see why this should be significantly more complicated than the whole CA/PKI arrangement. The AACS guys probably are a master CA, the licensees are sub-CAs, and they issue a private key/cert pair to each device. When there's a leak, the AACS people can surgically revoke the leaked set.

Does this change the end game? I don't think so. Halderman talks about some possible things like a title key-issuing oracle. Sounds like too much trouble to me. Here's how I think I might do it:
  • Put in the hard work to find some software or hardware device that I know how to recover the keys from; leak those keys, and only the one set
  • At my leisure, stock up as many other keys as I think I'm going to need
  • Wait for the script kiddies to complain that Star Trek XV won't work with my keys
  • Leak the next set
I could stock up dozens or hundreds of keys, and they are probably good for months at a time. They are good until someone releases a HD DVD that anyone cares about.

Other potential problems that I foresee popping up:
  • Maybe I flood the Internet with tons of keys. The revocation list gets large and unwieldy. Maybe discs start to fill up, maybe players take forever to parse through them.
  • I don't expect the software players to cut a key for every single user, especially if it's like current DVD player software that gets thrown in the box of every Dell computer. They don't want to cut custom CDs, and I assume these keys are all too long to type in from a printed label. On the contrary, the Internet would work fine for some soft of "activation" scheme which gets you a key set right then and there. The problem with that is that you now have a website that essentially cuts keys for you at will, and they have their CA private key stored somewhere where it could get stolen.
  • I don't expect every Taiwanese hardware manufacturer to do what they are supposed to, and they will reuse player keys
  • Someone could leak or steal a CA keyset
  • There might be a crypto break like with CSS
  • And last but not least, how about I keep my keys to myself, and just release the decrypted movies?
(And as a disclaimer, I remind people that why I say "I" here, I'm writing from the point of view of a resourceful attacker. As a further disclaimer and future excuse, I still haven't read the AACS spec yet. I guess I need to get on that now.)

No comments: