Television

HDCP Master Key Revealed 747

solafide writes "The HDCP Master Key has allegedly been revealed. If true, this information will allow anyone to create their own source or sink keys, essentially making HDCP useless for content protection permanently. No word yet on how it was obtained, but if true, this is a great day for content freedom around the world!"
This discussion has been archived. No new comments can be posted.

  • Odd (Score:3, Interesting)

    by DavidR1991 ( 1047748 ) on Tuesday September 14, 2010 @09:02AM (#33572470) Homepage

    On twitter, the original link to the pastebin is from 'IntelGlobalPR'. Is that a fake account, hacked, or is this actually a publicity stunt from Intel for something?

  • by ihatewinXP ( 638000 ) on Tuesday September 14, 2010 @09:06AM (#33572502)

    How will this actually become practical?

    From my understanding this breaks the HDMI cable protection, more than anything re-opening 'the analog hole' except with full digital goodness if someone hacks the firmware on a player they can then use the signal freely. Expect many more downloads from 'the usual sources' of HD content....

    Will be interesting to see how the industry reacts to this. As all these machines today have upgradeable firmwares and internet connection that won't be able to totally close this break in the hardware spec itself but may cause problems for those seeking to exploit this leak. As we know these companies are more than used to harassing customers for their own interests.

    I for one welcome the new freedoms that come with this. Too many devices out now based on the standard for the industry to change overnight - the cat is out of the proverbial bag.

  • by tonique ( 1176513 ) on Tuesday September 14, 2010 @09:09AM (#33572528)
    Let's see... I have been postponing buying a blu-ray player or drive until the protection is broken. Maybe a manufacturer will get my money if this is true!
  • by captainpanic ( 1173915 ) on Tuesday September 14, 2010 @09:23AM (#33572726)

    The more permanent freedom is a matter of time. At some point, lawmakers will be from the generation that also posts on forums, that downloaded mp3's when they were younger (or still do), and that watched 2 or 3 movies illegally when they were students.

    The current lawmakers and judges are of a different generation altogether. They paid the equivalent of a good night out (bar / club) for just 10 songs on a piece of plastic that wouldn't last for more than 10 years if you use it frequently.

    So, anything that postpones or reverses silly laws and technology is worth a "hooray", as it brings the solution closer.

    -- At least, that's the future I hope for. Don't sue me if it turns out differently! ;-)

  • by Coopjust ( 872796 ) on Tuesday September 14, 2010 @09:25AM (#33572748)
    From what I understand, the leak makes revocation useless:

    "The master key allows you to recover every other key in the system and lets you decrypt [HDCP video content], impersonate a device, or create new displays and start selling HDCP compatible devices."

    While [Intel and content providers] are spending millions on HDCP, he says, they will be denied the benefits of research that can help fix the technology. Ferguson predicts that a year from now, someone will post a HDCP master key on the Internet, and the money spent on the system will be wasted.

    Upgrading the firmware of players to disable HDMI altogether isn't possible at this point. I'm not sure of the exact process, but since you can make new displays, you can create a device that just makes up a random one if it doesn't handshake in five seconds. Also, you can impersonate any existing device- and blocking every existing monitor on the market isn't feasible either.

  • No (Score:2, Interesting)

    by wzinc ( 612701 ) on Tuesday September 14, 2010 @09:35AM (#33572874)

    This is not a good day for content freedom. If true, this is a good day for the entertainment industry to try and lock-down media even more, or simply make it unavailable in a way consumers want. Piracy goes up, and they attempt to figure-out what's wrong while honest consumers suffer.

  • This is premature (Score:3, Interesting)

    by gr8_phk ( 621180 ) on Tuesday September 14, 2010 @09:45AM (#33573020)
    HDCP has not really become widespread enough for this to be a good thing - in fact it's a bad thing at this time. People don't complain about it yet and with it broken, the manufacturers will simply do something different - and possibly worse. So next time you break an encryption system, please keep quiet until it becomes a widespread problem for people ;-)
  • by blincoln ( 592401 ) on Tuesday September 14, 2010 @09:47AM (#33573054) Homepage Journal

    Yeah, Bonded and authorized.

    A lot of good that actually does. It's easy to make DIY lockpicks from the pieces of spring steel that come off of the metal brushes that street-cleaning vehicles use. Once someone has those, they can make an electric lockpick out of them and a $10 (or less) electric flossing tool.

  • by chefmonkey ( 140671 ) on Tuesday September 14, 2010 @09:48AM (#33573058)

    No, it's a complex way to publish 147,846,528,820 keys ( http://www.wolframalpha.com/input/?i=40+C+20 [wolframalpha.com] ).

      The initial input to the algorithm is a 40-bit random integer, selected so that the binary representation contains exactly 20 zeros and 20 ones. These bits are then used to select rows in the matrix.

  • Re:Who revealed it (Score:5, Interesting)

    by Iphtashu Fitz ( 263795 ) on Tuesday September 14, 2010 @09:48AM (#33573060)

    Actually the master key doesn't exist on all devices. The master key is theoretically kept private and managed by the consortium that oversees HDCP. When a new vendor comes along then the HDCP consortium generates a sub-key from the master key and assigns it to that vendor. The vendor then uses that sub-key to create "sub-sub-keys" for each device they manufacture.

    If a device key is compromised then the vendor can revoke it and issue a new sub-sub-key for the device. The HDCP consortium could also revoke the sub-key for the vendor, thereby invalidating all the vendor devices, if necessary.

    The problem with the HDCP encryption is that if you have enough of those device keys (50 or so according to reports) then with a bit of grunt work you can reverse-engineer the HDCP consortium master key. That's apparently what happened in this case.

  • by putaro ( 235078 ) on Tuesday September 14, 2010 @09:49AM (#33573082) Journal

    In general anyone can buy and use lockpicks for legitimate purposes. It's when you possess them with the intent to commit a crime that they are classed as "burglary tools" and get you some extra time.

  • by ledow ( 319597 ) on Tuesday September 14, 2010 @09:53AM (#33573134) Homepage

    Copy protection using encryption is inherently insecure, because you have to give genuine customers some way of viewing material, thus some way to break the encryption. The second you do that, you are going against the established design criteria of modern encryption. No encryption specifically guards against multiple genuine recipients having multiple, genuine, valid decryption keys for ever and ever, and preventing *ANYONE* (even the genuine recipients) from ever decrypting that content.

    Copy protection requires a WHOLE different design, one which no one has really bothered with, and any copy-protection system that advertises that it "uses AES" or any other such nonsense can possibly be taken seriously. That's *NOT* what it was designed to do and *NOT* what it will do. Hell, even DES, AES, etc. had stated lifetimes which were much shorter than the current copyright extension terms. Encryption and copy-protection try to solve different problems. Their combined use can complicate but not prevent such things from happening.

  • by somersault ( 912633 ) on Tuesday September 14, 2010 @10:13AM (#33573450) Homepage Journal

    Would you have an ethical problem with someone using one of these devices to access their own car if they lost the key? Do you have any idea how ridiculous that is?

    I'm not talking about the law here (which often has little relation to ethics), I'm just talking about what you think is right and wrong. I've always hated the sound of devices which won't let you set up your AV equipment the way you want without paying for a HDCP licensed device. I hate how Apple devices use proprietary connectors and DRM formats to make it awkward to play the movie you rented or purchased on any device you want without doing something illegal. I hate lock-in. I buy all my music, movies and books legally, but I'll only buy from sources that allow me to consume my media in a way that I consider reasonable and convenient.

  • by Lunix Nutcase ( 1092239 ) on Tuesday September 14, 2010 @10:18AM (#33573532)

    They seem to ignore the real commercial pirates that might actually be "stealing" paying customers from the industry.

    They only "seem" to be ignoring these people because either the stories don't make a frontpage headline or you are just being willfully ignorant. The MPAA/RIAA go after commercial pirates, such as Hong Kong and Russian bootleggers, on a regular basis.

  • by Anonymous Coward on Tuesday September 14, 2010 @10:23AM (#33573588)

    ....but took another 9 years to develop an implementation of it:

    http://www.macfergus.com/niels/dmca/cia.html

    There is also a repost of this info available @ John Young's Cryptome, that someone else in this thread already posted.

    One question: I noticed in the 2001 papers that this was designed against the 1.0 version of HDCP. Will it also work against its revisions?

  • by goodmanj ( 234846 ) on Tuesday September 14, 2010 @10:26AM (#33573630)

    As far as I can tell, yes. Which is almost mind-bogglingly stupid. Keep in mind that it's not enough to just have 40 HDCP devices, you also have to crack them all, which involves either some really clever known-plaintext attacks or disassembling the firmware on each device. But if you can do it once, you can do it 40 times, so the only way to avoid having the master key leak is to never release that 40th manufacturer's key.
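
An added illustration, not part of any comment in this thread: a toy Python model of the key scheme the comments above describe, where each device's private key is a sum of master-matrix rows selected by its public KSV bits. It shows two devices agreeing on a secret and why the master matrix is fully determined once as many linearly independent device keys are known as the matrix has rows. Assumptions: a 6x6 matrix stands in for the 40x40 one, a prime modulus is used so the algebra is over a field, and all function names and sample KSVs are constructed for this example.

```python
import random

P = 2**61 - 1   # toy prime modulus (assumption); HDCP sums 56-bit values
N = 6           # toy matrix dimension; the comments above cite 40

def make_master(rng):
    """Secret symmetric N x N matrix held by the licensing authority."""
    m = [[0] * N for _ in range(N)]
    for i in range(N):
        for j in range(i, N):
            m[i][j] = m[j][i] = rng.randrange(P)
    return m

def ksv_from(ones):
    """Public selector vector: N bits, half of them set."""
    return tuple(1 if i in ones else 0 for i in range(N))

def device_key(master, ksv):
    """Private key vector: sum of the master rows the KSV bits select."""
    return [sum(master[i][j] for i in range(N) if ksv[i]) % P
            for j in range(N)]

def shared_secret(my_key, peer_ksv):
    """Each side adds up its own private values chosen by the peer's KSV."""
    return sum(k for k, bit in zip(my_key, peer_ksv) if bit) % P

def solve_master(ksvs, keys):
    """Gauss-Jordan on [V | K] over GF(P), where K = V * master.
    Returns the master matrix, or None if the KSVs do not span all N dims."""
    rows = [list(v) + list(k) for v, k in zip(ksvs, keys)]
    for col in range(N):
        piv = next((r for r in range(col, len(rows)) if rows[r][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, P)
        rows[col] = [x * inv % P for x in rows[col]]
        for r in range(len(rows)):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(a - f * b) % P for a, b in zip(rows[r], rows[col])]
    return [row[N:] for row in rows[:N]]

# Constructed sample: six linearly independent KSVs, three bits set in each.
SAMPLE_KSVS = [ksv_from(s) for s in
               [(0, 1, 2), (0, 1, 3), (0, 1, 4), (0, 1, 5), (0, 2, 3), (1, 2, 3)]]

def demo(seed=2010):
    master = make_master(random.Random(seed))
    keys = [device_key(master, v) for v in SAMPLE_KSVS]
    # Two devices exchange KSVs and must arrive at the same secret.
    agree = (shared_secret(keys[0], SAMPLE_KSVS[5])
             == shared_secret(keys[5], SAMPLE_KSVS[0]))
    # N - 1 device keys leave the system underdetermined; N pin it down.
    too_few = solve_master(SAMPLE_KSVS[:5], keys[:5])
    enough = solve_master(SAMPLE_KSVS, keys)
    return agree, too_few, enough == master

if __name__ == "__main__":
    print(demo())
```

The design lesson is that every device key is a linear function of the one master secret, so secrecy of the whole system degrades with each device key that leaks, and revoking individual keys does not restore it.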

  • by radtea ( 464814 ) on Tuesday September 14, 2010 @10:30AM (#33573708)

    This is the key used to *make* individual manufacturers' keys.

    I haven't paid much attention to the whole HDCP mess as I've seen that movie before, but this simple fact is the most astonishing thing in the whole account.

    There are only two possible outcomes to a set-up that depends on a single master key like this:

    1) the key gets out. For a technology that is supposed to be around for decades this is as near to inevitable as can be, even if it couldn't be reverse-engineered. Even if 99.99% of the attempts to find or leak it fail, only one has to succeed and the key is out there forever.

    2) the key gets lost. Most organizations suck at data management, and if there are few enough copies to be safe there are few enough copies to lose over the course of decades. My only regret now is we'll never see headlines that read, "MPAA asks hacker community to reverse engineer lost secret key".

    I'm half-way tempted to go into the DRM business. If you're being paid buckets of money to build something that you know won't work it never matters if you fail. Wouldn't that be nice?

  • by Anonymous Coward on Tuesday September 14, 2010 @10:34AM (#33573778)

    Current lawmakers all smoked dope when they were students. That doesn't mean that they are all in favor of legalizing marihuana.

    Because the alcohol and tobacco lobbies, collectively known as "The partnership for a drug-free America", pay damn good money to buy the lawmakers' opinions.

  • by ultranova ( 717540 ) on Tuesday September 14, 2010 @10:40AM (#33573844)

    Exactly! Because Oxygen, Food, Shelter, DVD's, BluRay's and CD's are required to live.

    To be fair, entertainment is a need. People who aren't getting any will start doing unbelievably stupid things just for fun, quite likely getting themselves and bystanders hurt. Boredom might not seem like much of a threat, but it is.

    Of course, making movies would likely be far more interesting than just watching them, and with computing power increasing, it's becoming available to a more and more common person. The biggest obstacle right now is the lack of a suitable program; we need some kind of digital actor system to take out the drudgery of 3D animation.

  • by Anonymous Coward on Tuesday September 14, 2010 @10:58AM (#33574120)

    Also, police like having drugs be illegal as it helps prop up their power structure.

    I'm not sure how far you are talking about when you say power structure, but it goes much further than just the people employed by pig forces all over the place.

    Politicians get a very useful bogeyman with (some) drugs being illegal. The military have something to fight, keeping them busy (ever noticed how one of the biggest welfare systems in many countries is the military? There are places all over the western world where there are next to no jobs available, but the military. Threaten to take away the military, and these people will be as upset as perceived "dole scroungers". The biggest irony is that those who support the existence and use of monstrous militaries often are opposed to any forms of social security!).

    The legal system and industry is one of the biggest beneficiaries of the prohibition of some drugs. Lawyers write laws against substances, lawyers prosecute those breaking the rules, lawyers defend those breaking the rules, lawyers judge if you have broken the rules or not. And good luck trying to understand the law if you aren't in their club. The legal industry is one of the biggest rackets in the world! You can't call yourself a lawyer or solicitor unless you have a law degree and belong to a bar society, and the gate keepers to both what is a good law degree and who gets into bar societies are all lawyers. I don't see any accountability to the people when it comes to lawyers, yet we have to deal with them if we want to be in any way successful in this world. And we have to deal with them if we are destined to be unsuccessful (by the usual social-success yard sticks).

    Throw in other factors, like for-profit prisons, the legal drug industries (tobacco, drink, caffeinated products, medicine[1]), a press whose business is driven by shouting about the downfall of society, and the pressure to keep some drugs illegal becomes pretty big!

    [1] If people could legally grow a plant in their garden that could be used for many, maybe even a majority, of minor ailments the market for paracetamol/Tylenol would shrink massively.

  • by Anonymous Coward on Tuesday September 14, 2010 @11:05AM (#33574204)

    Yes, but then again, copyright infringement doesn't cause lung cancer.

  • Re:Who revealed it (Score:3, Interesting)

    by Twinbee ( 767046 ) on Tuesday September 14, 2010 @11:14AM (#33574386)

    Why did they bother to use weak encryption? Is it not trivial to make longer formulas etc. ?

  • by Pfhool ( 744 ) on Tuesday September 14, 2010 @11:17AM (#33574468)

    Proponents of open video have potentially won a battle here, but I have to agree with the commenters that say that this may just push the content companies to add new controls elsewhere in the content ecosystem. For example, DTCP [wikipedia.org] (and in particular the IP-oriented DTCP-IP) is already widespread in newer "TV Anywhere" style devices. It may also have cryptographic weaknesses [ucmss.com], but compared to HDCP it is even more closed and it is controlled by an independent cabal of corporations.

    See Engadget's summary of the comments on the FCC's set-top-box competition proceeding [engadget.com] for a sense of what is to come.

    Meet the new boss.

  • Re:Who revealed it (Score:4, Interesting)

    by atamido ( 1020905 ) on Tuesday September 14, 2010 @01:15PM (#33576564)

    Why did they bother to use weak encryption? Is it not trivial to make longer formulas etc. ?

    There are two possible answers.

    1. They didn't get smart enough people to design the system (see DVD CSS).

    2. The complexity of the key system was limited so as to allow small/cheap/embedded devices to implement it with limited processing power and speed.

    I'd say option 2 is more likely, but wouldn't be surprised with option 1.

  • by Anonymous Coward on Tuesday September 14, 2010 @01:56PM (#33577428)

    Most computer monitors above a certain physical size are marketed as TVs, and instead of a DVI-D input, they have an HDMI input intended for use with a DVI-to-HDMI cable.

    Oh yeah, I know that. I'm hoping that there are others without DRM features out of the view of the general public. As I'm not in the market for a big flat panel TV/monitor, I haven't looked into what is really in existence.

    My rule is that I don't pay for anti-features, so if my imagined monitor isn't out there somewhere, I'll just have to do without. Or come up with a workaround. With DVDs, due to the presence of DRM I will not pay for them. My workaround is piracy. If the anti-feature of CSS weren't there (that doesn't work anyway!), I would be more willing to pay, but to be honest it's too late now: piracy is just too convenient in every way.

    Eventually your monitor will stop working, at which point you will replace it or do without.

    Or recycle an existing redundant monitor back into use, without the anti-features. It might be smaller, but so what? Just sit closer :)

  • by erroneus ( 253617 ) on Tuesday September 14, 2010 @04:04PM (#33579526) Homepage

    You know, that's not necessarily true. Some people, like me for example, just want to be able to connect devices through my home stereo equipment. I am the unfortunate owner of a NewEgg.com-sold Yamaha AV receiver that sports HDMI 1.0 in and out. I am not trying to be a pirate. I just want to connect my stuff through my amplifier.

    This is great news for me because this will enable the creation of inexpensive [read: Unlicensed] conversion devices that will enable me to make use of my AV receiver as intended.

    I really don't appreciate that copyright interests have decision-making ability to determine how I can connect my home AV system. They did it with Macrovision which disabled my ability to connect my DVD player through my VCR. (I had a cheap TV with only channel 3/4 as the input method and my VCR was using that... the VCR had RCA audio and video in, though, and I could use that to connect my very first-ever DVD player to my TV via the VCR... but no... I "might" copy a DVD to a VHS tape, so they decided to break it.) They tried to do the same thing with "broadcast flag" legislation to force all devices in the U.S. to respect the broadcast flag and not record programs from over the air. (What ever became of that? Did it fade away or return silently?)

    I am a copyright violator. I'm not denying that. But my first experience with HDCP was by trying to connect my XBox360 to my TV through my AV amp which is, in my opinion, a perfectly legitimate use... before that time, as with my first experience with Macrovision, I didn't even know what HDCP was! HDCP is part of a paranoid market's desire to control how and where content is accessed. It shouldn't be their right to dictate this. They shouldn't even be able to prevent me from copying things as "fair use" is a legally acceptable reason for doing so... and yet they are allowed to attempt to block it.

    I don't like it when legitimate purposes and uses are blocked because someone might use those methods for illegitimate purposes and uses.

  • by AmiMoJo ( 196126 ) on Tuesday September 14, 2010 @06:24PM (#33581280) Homepage Journal

    It depends how ACTA works out. Say a Chinese manufacturer makes a device that decodes HDCP content but does not pay the license fee for a key. They can sell it cheaper than anyone else because the cost of the license is taken out. The US has been trying to add a clause to ACTA that would prevent that kind of product being imported.

    Fortunately it looks like the EU has killed it. In the EU such a product would be perfectly legal in many countries (maybe all, not 100% sure) because circumventing copy protection for the purposes of interoperability is allowed.
