[EMAIL PROTECTED] ("Hal Finney") writes:
> The interesting thing is that publishing a processing key like this does
> not provide much information about which device was cracked in order
> to extract the key. This might leave AACSLA in a quandary about what to
> revoke in order to fix the problem. However in this particular case the
> attackers made little attempt to conceal their efforts and it was clear
> which software player(s) were being used. This may not be the case in
> the future.
>
> AACSLA has announced that they will be changing the processing keys used
> in disks which will begin to be released shortly. Software players have
> been updated with new device keys, indicating that the old ones will be
> revoked. In the context of the subset-difference algorithm, there will
> now probably be a few encryptions necessary to cover the whole tree while
> revoking the old software player nodes as well as the pre-revoked node.
> This will make the processing key which has been published useless for
> decrypting new disks.
However, it is still fine for decrypting old disks, and thus revelation of this sort of information ruins inventory, which is very expensive.

All cryptography is about economics. In crypto, we usually consider what the best strategy for an attacker is in terms of breaking a cryptosystem, but here I think the right question is what the optimal strategy is for the attacker in terms of maximizing economic pain for the defender. I'd be very interested in what the "optimal" strategy is for the attacker in a system like this, and what possible changes could be made to such a system to defeat such strategies.

At first glance, it would seem that, for the attackers, the right strategy is not to flood the world with newly cracked keys but to release them quite slowly. Let's say that the lifetime of the technology in question is somewhere around ten years. Releasing one key on the order of every two months or so -- only sixty keys in all over the life of the technology -- would be crippling. It would render all inventory in warehouses and the production pipeline useless, at quite minimal cost to the attackers. The defenders then have a choice -- destroy all your inventory, or give up. (Or, do they have alternate strategies here?)

Anyone very familiar with AACS have ideas on what optimal attack and defense strategies are? This seems like a fertile new ground for technical discussion.

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
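An added illustration, not part of the thread, of the point in Hal's quoted paragraph that revoking the old software-player nodes alongside the pre-revoked node costs "a few encryptions" under subset-difference: a small implementation of the NNL cover-finding procedure on a constructed depth-4 key tree (16 devices), where the pre-revoked leaf and the revoked player leaves are assumed indices chosen for the demo, not AACS values.

```python
# Added example (not from the thread): subset-difference (NNL) cover computation
# on a toy key tree. Nodes are heap-indexed (root 1, children 2v and 2v+1; the
# device leaves of a depth-d tree are 2**d .. 2**(d+1)-1). S(i, j) is "every
# leaf below i except those below j"; each cover subset costs one disc encryption.

def depth_of(v):
    return v.bit_length() - 1

def is_below(x, v):
    """True if node x is in the subtree rooted at v (v itself counts)."""
    while x > v:
        x //= 2
    return x == v

def lca(a, b):
    """Lowest common ancestor of two heap-indexed nodes."""
    while depth_of(a) > depth_of(b):
        a //= 2
    while depth_of(b) > depth_of(a):
        b //= 2
    while a != b:
        a, b = a // 2, b // 2
    return a

def sd_cover(revoked):
    """Subsets (i, j) covering exactly the non-revoked leaves (Naor, Naor,
    Lotspiech): take the deepest branching node v of the Steiner tree spanned
    by the revoked leaves, emit S(child, leaf) for each child of v that is not
    itself the leaf below it, collapse v into one Steiner leaf, repeat."""
    leaves = set(revoked)            # current leaves of the Steiner tree
    cover = []
    while len(leaves) > 1:
        v = max((lca(a, b) for a in leaves for b in leaves if a < b), key=depth_of)
        for child in (2 * v, 2 * v + 1):
            leaf = next(x for x in leaves if is_below(x, child))
            if child != leaf:
                cover.append((child, leaf))
        leaves = {x for x in leaves if not is_below(x, v)} | {v}
    (last,) = leaves
    if last != 1:                    # lone non-root leaf: S(root, leaf)
        cover.append((1, last))
    return cover

def can_decrypt(leaf, cover):
    """A device can decrypt the disc iff some cover subset contains it."""
    return any(is_below(leaf, i) and not is_below(leaf, j) for i, j in cover)

if __name__ == "__main__":
    PRE_REVOKED, OLD_PLAYERS = 16, [21, 22, 29]   # constructed depth-4 tree leaves
    print(sd_cover([PRE_REVOKED]), sd_cover([PRE_REVOKED] + OLD_PLAYERS))
```

With only the pre-revoked leaf the disc needs a single encryption, S(root, 16); adding three revoked player leaves raises that to four subsets, which is the growth in per-disc encryptions that revocation buys.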