In article <[EMAIL PROTECTED]>,
John Gilmore  <[EMAIL PROTECTED]> wrote:
> Just when you thought it was safe to come out from under the bed, and
> play your MP3's, or decode a few DVD's on your Linux box, comes...
> 
>       Dee Tee Cee Pee
> 
> These guys are implementing a full blown encrypted session protocol
> that goes between consumer video & audio devices, to make sure that no
> more than the officially sanctioned number of copies will ever be
> made.  They're using a custom (groan) 56-bit block cipher and 320-bit
> elliptic curve digital signatures and Diffie-Hellman (as defined by
> P1363).

Moreover, they seem to be using a design with known structural flaws.
Can the deployed block cipher resist concerted attack?  Maybe not.

The DTCP web page says they use M6, the Firewire (IEEE 1394) cipher.
(More precisely, M6 is a family of ciphers.  The exact cipher used in
consumer products remains a secret.)

What's notable is that some members of the M6 family have been found in
the academic literature to be severely broken.  See the following paper:

  ``Mod n Cryptanalysis, with Applications Against RC5P and M6.''
    John Kelsey, Bruce Schneier, and David Wagner. FSE'99. 
    http://www.cs.berkeley.edu/~daw/papers/

One attack shows how to recover 8 bits of key material using only a dozen
or so known plaintext-ciphertext pairs.  Another attack shows how to convert
this to a ciphertext-only attack, using somewhat more ciphertexts, under the
assumption that the plaintext is ASCII-encoded text.  These attacks apply to
many (but certainly not all) of the M6 ciphers.

Note that it is relatively rare to find efficient, practical shortcut
attacks on a modern cipher design.  Instead, one typically is only able
to find unrealistic theoretical attacks.  M6 is an exception, and this
should leave anyone dependent on the security of M6 a little unsettled.

I don't know whether these attacks apply to the versions of M6 actually
deployed in DTCP.  But the discovery of serious structural flaws in the
cipher design, and the existence of practical shortcut attacks on some
designs in the family, should raise a red flag of caution.

Perhaps we'll see a reprise of the DVD break once DTCP becomes widespread.
Then again, perhaps that's not such a bad thing.

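The "mod n" attacks the message refers to rest on two arithmetic facts about the operations M6-style ciphers are built from: a bit rotation of a 32-bit word is an exact multiplication by a power of two modulo 2^32 - 1, and addition modulo 2^32 differs from true addition by only the carry bit modulo 2^32 - 1. Since 3 divides 2^32 - 1, ciphertexts reduced mod 3 leak a small, key-dependent bias. The following is an added example, not code from the paper or from the message above, and it runs on a hypothetical one-round rotate-and-add toy cipher, not on M6 or the cipher deployed in DTCP; the key words, rotation amount, seed and sample count are assumptions chosen for the demonstration.

```python
# Added illustration of the "mod n" idea from Kelsey, Schneier and Wagner
# (FSE'99) on a HYPOTHETICAL rotate-and-add toy cipher. This is not M6, not
# DTCP's cipher, and not code from the paper; key values, rotation amount and
# sample counts are assumptions made for the demonstration.
import random

WORD = 32
MASK = (1 << WORD) - 1
N = (1 << WORD) - 1       # 2^32 - 1 = 3 * 5 * 17 * 257 * 65537, so 3 divides it


def rotl(x, r):
    """Rotate a 32-bit word left by r bits (r in 1..31)."""
    return ((x << r) | (x >> (WORD - r))) & MASK


def rotation_is_linear_mod_n(x, r):
    """Fact 1: rotl(x, r) == 2^r * x (mod 2^32 - 1), exactly, for every x and r.
    Rotation is therefore a multiplication mod N, hence also mod 3."""
    return rotl(x, r) % N == (pow(2, r, N) * x) % N


def addition_mod3_residue(x, y):
    """Fact 2: (x + y) mod 2^32 == x + y - c (mod 2^32 - 1), c the carry-out bit.
    Reduced mod 3 the sum is x+y or x+y-1, never x+y+1.
    Returns (observed residue, predicted residue, carry bit)."""
    s = (x + y) & MASK
    c = (x + y) >> WORD
    return s % 3, (x + y - c) % 3, c


def toy_encrypt(p, k1, k2, r):
    """Hypothetical one-round cipher using only rotation and addition (assumed; not M6)."""
    return (rotl((p + k1) & MASK, r) + k2) & MASK


def recover_key_mod3(pairs, r):
    """Recover t = (2^r * k1 + k2) mod 3 from known (p, c) pairs.
    By Facts 1 and 2, c == g*(p + k1 - c1) + k2 - c2 (mod 3) with g = 2^r mod 3
    and c1, c2 the two carry bits. For the correct t the residual
    d = (c - g*p - t) mod 3 equals -(g*c1 + c2) mod 3; for odd r (g = 2) that
    is 0 exactly when c1 == c2, i.e. about half the time, while a wrong t
    shifts the residual so 0 is hit far less often. Assumes odd r."""
    g = pow(2, r, 3)
    if g != 2:
        raise ValueError("scoring rule assumes an odd rotation amount")
    scores = [sum(1 for p, c in pairs if (c - g * p - t) % 3 == 0)
              for t in range(3)]
    return max(range(3), key=scores.__getitem__), scores


def demo(seed=1, n_pairs=1024, r=7, k1=0x9E3779B9, k2=0x7F4A7C15):
    """Generate known plaintext/ciphertext pairs under constructed key words
    (assumed values) and recover the mod-3 key relation from them."""
    rng = random.Random(seed)
    pairs = [(p, toy_encrypt(p, k1, k2, r))
             for p in (rng.getrandbits(WORD) for _ in range(n_pairs))]
    recovered, scores = recover_key_mod3(pairs, r)
    expected = (pow(2, r, 3) * k1 + k2) % 3
    return recovered, expected, scores


if __name__ == "__main__":
    rec, exp, sc = demo()
    print("residual-zero counts per candidate t:", sc)
    print("recovered t =", rec, "expected t =", exp)
```

With carry probabilities near one half, the right candidate produces a zero residual on about half the pairs and each wrong candidate on roughly a quarter, so a few dozen known pairs already separate them; the example uses more to make the outcome reliable. Only log2(3) bits of key information fall out of this one relation, which is the flavour of the 8-bit recovery the message describes, not a reproduction of it.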