[edit] Specification
HDCP's main target is to prevent transmission of non-encrypted high definition content. Three systems were developed to achieve that goal:
- Authentication process disallows non-licensed devices to receive HD content.
- Encryption of the actual data sent over DVI or HDMI interface prevents eavesdropping of information. It also prevents "man in the middle" attacks.
- Key revocation procedures ensure that devices manufactured by any vendors who violate the license agreement could be relatively easily blocked from receiving HD data.
Each HDCP-capable device has a unique set of keys; there are 40 keys, each 56 bits long. These keys are confidential and failure to keep them secret may be seen as a violation of the license agreement. For each set of keys, a special key called a KSV (Key Selection Vector) is created. Each KSV consists of 40 bits (one bit for each HDCP key), with exactly 20 bits set to 0 and 20 bits set to 1.
During the authentication process, both parties exchange their KSVs. Then each device adds (without overflow) its own secret keys together according to a KSV received from another device. If a particular bit in the vector (KSV) is set to 1, then the corresponding secret key is used in the addition, otherwise it is ignored. Keys and KSVs are generated in such a way that during this process both devices get the same 56-bit number as a result. That number is later used in the encryption process.
This key exchanging procedure is known as
Blom's scheme.
Encryption is done by a
stream cipher. Each decoded
pixel is encrypted by applying an
XOR operation with a 24-bit number produced by a generator. The HDCP specifications ensure constant updating of keys (after each encoded frame).
If some particular model is considered "compromised", its KSV is put into revocation lists, which are written on newly-produced disks with HD content. Each revocation list is signed with a digital signature using the
DSA algorithm; this is supposed to prevent malicious users from revoking legitimate devices. During the authentication process, if the receiver's KSV is found by a transmitter in the revocation list, then the transmitter considers the receiver to be compromised and refuses to send HD data to it.
[edit] Cryptanalysis
Cryptanalysis researchers demonstrated fatal flaws in HDCP for the first time in 2001, prior to its adoption in any commercial product. Scott Crosby of
Carnegie Mellon University authored a paper with
Ian Goldberg, Robert Johnson, Dawn Song, and
David Wagner called "A Cryptanalysis of the High-bandwidth Digital Content Protection System". This paper was presented at ACM-CCS8 DRM Workshop on
November 5,
2001.
[1]
The authors conclude:
"HDCP's linear key exchange is a fundamental weakness. We can:
- Eavesdrop on any data
- Clone any device with only their public key
- Avoid any blacklist on devices
- Create new device keyvectors.
- In aggregate, we can usurp the authority completely."
It must be noticed, however, that for this attack you first have to break
Blom's scheme (the linear algebra-based key-exchange system). In the case of HDCP, you need a minimum of 39 device keys in order to reconstruct the secret symmetrical master matrix that has been used to compute all device keys.
Around the same time that Scott Crosby and co-authors were writing this paper, noted
cryptographer Niels Ferguson independently claimed to have broken the HDCP scheme, but he did not publish his research, citing legal concerns arising from the controversial
Digital Millennium Copyright Act [1].
The most well-known attack on HDCP is the
conspiracy attack, where a number of devices are compromised and the information gathered is used to reproduce the private key of the central authority.
[edit] Uses
HD DVD,
Blu-ray Disc and
DVD players (with
HDMI or
DVI connectors) use HDCP to establish an encrypted digital connection.
If the display device—or in the case of using a PC to decrypt and play back HD-DVD or Blu-ray media, the graphics card (hardware, drivers and playback software)—does not support HDCP, then a connection cannot be established. As a result, a black picture and/or error message will likely be displayed instead of the video content.
Content providers for HD-DVD and Blu-ray media can set an
Image Constraint Token (ICT) flag that will only output full-resolution digital signals using a digital HDCP connection. If an HDCP-enabled player is connected to a non-HDCP-enabled
television set with a non-HDCP-compliant analog connection (VGA or Component), and the content is flagged, the player will output a downsampled 960x540 pixel signal. If using a non-HDCP-compliant DVI connection (with an HDMI-to-DVI cable), the user will not get any picture at all. Many older high-definition television sets currently in use are not HDCP-capable, and this would negate some of the key benefits of HD DVD and Blu-ray Disc for those consumers. Also, the Microsoft Xbox360 game console, for which there is an HD-DVD add-on available, is only capable of analog non-HDCP-connections, although a new model of the Xbox360 called the "
Xbox 360 Elite" has HDMI support, which enables it to play such protected content at full resolution. If ICT would be forced, Microsoft's flagship console (note that MS is an integral part of the HD-DVD camp, currently providing the
VC-1 codec that is used in over 90% of all HD-DVD releases) would only be able to display a quarter of the actual resolution of the media, so movie studios are apparently in agreement not to include the ICT flag on any HD-DVDs or Blu-ray Discs in the immediate future.
[2][3]
Originally Posted by discus2000
Posting Permissions
LinkBack URL
About LinkBacks
Bookmarks