Earlier this week, I posted a note about an attack on the recently
published CSS cipher, used for encrypting DVDs.

I published my first attack here:
http://livid.on.openprojects.net/pipermail/livid-dev/1999-October/000589.html
It has a workload of 2^16 and recovers the 40-bit CSS key with 6 known
bytes.

I then directed my efforts against the TitleKey generation:
http://livid.on.openprojects.net/pipermail/livid-dev/1999-October/000609.html
Here a secondary mangling cipher falls with a workload of 2^8, and as
only 5 bytes of known plaintext is now needed, it is now possible to
extract numerous 'player keys' by correlating a few DVD titles.
It seems to have worked, for shortly afterwards there was a deluge of
playerkeys:
http://livid.on.openprojects.net/pipermail/livid-dev/1999-October/000657.html

My last attack is outlined in:
http://livid.on.openprojects.net/pipermail/livid-dev/1999-October/000671.html
It is an attack on a hash that is used to verify that the correct player
key has been used. This hash was also weak, and can be reversed with
2^25 work and 2^24 memory. A PIII/450 reverts such a hash in less than 20
seconds.

This particular attack is interesting as it will allow a DVD to be viewed
without any known player key, or known / guessed plaintext.

This should be of concern when trying to design 'secure distributions'
of movies for In Flight Entertainment, such as is being discussed on:
http://www.waea.org/public/specs/DVD-WG/DVDWG%20Index.html
( Movies can be released much earlier for IFE, and the security of
  these copies is a concern with regard to piracy. If they can
  be decrypted, they provide a Digital Master )

  frank
