Re: Was a mistake made in the design of AACS?

2007-05-04 Thread Allen



Hal Finney wrote:

[snip]


http://www.freedom-to-tinker.com/?p=

By this point in our series on AACS (the encryption scheme used in
HD-DVD and Blu-ray) it should be clear that AACS creates a nontrivial
strategic game between the AACS central authority (representing the
movie studios) and the attackers who want to defeat AACS. Today I want
to sketch a model of this game and talk about who is likely to win...

Felten focuses on the loss of revenue due to extraction of device keys
and subsequent file sharing of decrypted content.  AACS has a mechanism
called sequence keys to watermark content and allow it to be traced
back to the player that created it.  Felten assumes that attackers would
publish decrypted movies, AACSLA would then trace them back to the broken
device, and revoke that device in future releases.


I know I'm in over my head on this so my apologies, but if the 
key is used in one machine in a product line - Sony DVD players 
say - then if they find the one machine that it came from and 
disable it, wouldn't figuring out the key for the next machine in 
the production run be relatively trivial as the algorithm and 
hardware implementation used by all machines of a given run be the 
same? Therefore, couldn't one buy several of them and use them 
one after another as they are discovered and disabled?


So, in order to prevent any of those machines from being used 
they'd have to disable a whole lot of machines owned by ordinary 
individuals, right? What are the downside risks for Sony in doing 
this?


What am I missing in this picture?

Thanks,

Allen

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Was a mistake made in the design of AACS?

2007-05-04 Thread Allen



Ian G wrote:

Hal Finney wrote:

Perry Metzger writes:
Once the release window has passed,
the attacker will use the compromise aggressively and the authority
will then blacklist the compromised player, which essentially starts
the game over. The studio collects revenue during the release window,
and sometimes beyond the release window when the attacker gets unlucky
and takes a long time to find another compromise.



This seems to assume that when a crack is announced, all revenue stops.  
This would appear to be false.  When cracks are announced in such 
systems, normally revenues aren't strongly affected.  C.f. DVDs.


However, the money spent in trying to enforce control comes 
straight from the bottom line and is therefore limited if they 
want to stay profitable in the long run. True, they do have deep 
pockets, but they could be nibbled to death by ducks as they are 
very big targets and the ducks are small and have wings.


Best,

Allen



Re: The HD-DVD key fiasco

2007-05-04 Thread michael taylor

On 5/2/07, Perry E. Metzger [EMAIL PROTECTED] wrote:


cryptographic keys, and in further technical discussion of AACS
and similar DRM technologies.


Actually, does anyone have anything about the damage control process of
key management of AACS or SPDC (BD+)?

Personally, I'm interested in knowing more about the technical side of
the key management problem. It does seem to be a good example of PKI
key management in the commercial world of multinational corporations
that form a consortium like the AACS, that span corporate entities and
multiple legal jurisdictions.



Re: AACS and Processing Key

2007-05-04 Thread Steve Schear

At 11:32 AM 5/2/2007, Perry E. Metzger wrote:


Anyone very familiar with AACS have ideas on what optimal attack and
defense strategies are? This seems like a fertile new ground for
technical discussion.


Ed Felten wrote an excellent piece on AACS from the technical and 
economic/tactical standpoint.  This link is to the part that addresses your 
particular question:

http://www.freedom-to-tinker.com/?p=1107

Steve 




Re: Public key encrypt-then-sign or sign-then-encrypt?

2007-05-04 Thread James A. Donald

Florian Weimer wrote:

With sign, then encrypt, it's also possible that the receiver decrypts
the message, and then leaks it, potentially giving the impression that
the signer authorized the disclosure.  There has been a fair bit of
buzz about this confusion.  But the lesson from that seems to be that
signature semantics are very hard to agree upon, and most marginally
successful standards sidestep the issue anyway, acting as a mere
transport protocol.


In my opinion, this is best solved by OTR style authentication without 
signing.


Ann knows that Bob sent the message, because it is authenticated, but 
cannot prove this to others.  So if Ann releases the message, it is 
*Ann* saying that Bob sent it, not Bob saying that Bob sent it.


Assume Ann's secret key is a, and her public key is A = G^a mod P

Assume Bob's secret key is b, and his public key is B = G^b mod P

Bob wants to send Ann a message.

Bob generates a secret random number x, and sends Ann X = G^x mod P

Ann responds with Y = G^y mod P, where y is another secret random number.

Ann calculates [(B*X)^(a+y)] mod P

Bob calculates [(A*Y)^(b+x)] mod P, which should be the same value Ann 
calculated


This shared secret is used to encrypt the message, and the message 
contains an authentication value constructed from the contents of the 
message and the shared secret, that only someone who knows both could 
construct.


Ann knows the message came from Bob, because only someone who knows b 
could discover the shared secret from the information exchanged, but 
cannot prove to anyone else that the message came from Bob.
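
The exchange described above, sketched in Python as an added example (not code from the original post): both sides derive the same secret, Bob's authentication value verifies for Ann, and Ann can compute an equally valid value herself, which is why the transcript convinces nobody else. The modulus, generator, SHA-256 key derivation and HMAC are assumptions chosen for the sketch, and encryption of the message is left out.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumptions for this sketch; far too small for real use).
P = 2**127 - 1   # a Mersenne prime
G = 3

def keypair():
    """Return (secret exponent, public value G^secret mod P)."""
    s = secrets.randbelow(P - 3) + 2
    return s, pow(G, s, P)

def shared_secret(own_long, own_eph, peer_pub, peer_eph_pub):
    """(peer_pub * peer_eph_pub)^(own_long + own_eph) mod P, as in the post."""
    return pow(peer_pub * peer_eph_pub % P, own_long + own_eph, P)

def tag(secret, message):
    """Authentication value over the message, keyed by the shared secret."""
    key = hashlib.sha256(secret.to_bytes(16, "big")).digest()
    return hmac.new(key, message, hashlib.sha256).digest()

def run_exchange(message):
    a, A = keypair()   # Ann's long-term key
    b, B = keypair()   # Bob's long-term key
    x, X = keypair()   # Bob's random x, X is sent to Ann
    y, Y = keypair()   # Ann's random y, Y is sent to Bob
    k_bob = shared_secret(b, x, A, Y)   # [(A*Y)^(b+x)] mod P
    k_ann = shared_secret(a, y, B, X)   # [(B*X)^(a+y)] mod P
    bob_tag = tag(k_bob, message)
    # Ann checks Bob's tag with her own copy of the secret.
    verified = hmac.compare_digest(bob_tag, tag(k_ann, message))
    # Deniability: Ann can tag text Bob never sent, and the result is
    # identical to what Bob would have produced, so a (message, tag)
    # pair proves nothing to a third party.
    other = b"text Bob never wrote"
    same_as_bob = hmac.compare_digest(tag(k_ann, other), tag(k_bob, other))
    return k_ann == k_bob, verified, same_as_bob

if __name__ == "__main__":
    print(run_exchange(b"constructed sample message"))
```

Standardized relatives such as MQV and HMQV weight the long-term keys by values derived from the ephemeral ones, which stops a sender from choosing X to cancel B. The posted exchange has no such step, so the block illustrates key agreement and deniability, not a deployable design.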







Re: Was a mistake made in the design of AACS?

2007-05-04 Thread Steve Schear

At 03:52 PM 5/2/2007, Ian G wrote:

Hal Finney wrote:

Perry Metzger writes:
Once the release window has passed,
the attacker will use the compromise aggressively and the authority
will then blacklist the compromised player, which essentially starts
the game over. The studio collects revenue during the release window,
and sometimes beyond the release window when the attacker gets unlucky
and takes a long time to find another compromise.


This seems to assume that when a crack is announced, all revenue 
stops.  This would appear to be false.  When cracks are announced in such 
systems, normally revenues aren't strongly affected.  C.f. DVDs.


Agreed.  But there is an incremental effect.  In the same way many people 
now copy DVDs they have rented many will gain access to HD content made 
available by those more technically sophisticated.  There are a number of Bit 
Torrent trackers which focus on HD content.  All current released 
HD-DVD/BluRay movies are available for download. For those with 
higher-performance PCs for playback, broadband connections and who know how 
to burn a single- or dual layer DVD, the content is there for the taking.


A new generation of HD media players (initially from offshore consumer 
electronics and networking companies, for example, Cisco/LinkSys) are 
poised to enter the market.  These appliances will allow playback of all 
the common HD encoded media, including those ripped from the commercial HD 
discs.  This will place the content from pirates and P2P community in the 
hands of the less sophisticated Home Theater consumer.


Steve 




Yet a deeper crack in the AACS

2007-05-04 Thread Sidney Markowitz
Article "AACS cracks cannot be revoked, says hacker"

http://arstechnica.com/news.ars/post/20070415-aacs-cracks-cannot-be-revoked-says-hacker.html

Excerpt: The latest attack vector bypasses the encryption performed
by the Device Keys -- the same keys that were revoked by the WinDVD
update -- and the so-called 'Host Private Key,' which as yet has not
been found. This was accomplished by de-soldering the HD DVD drive's
firmware chip, reading its contents, and then patching it. Once that
was done, the firmware was soldered back onto the drive.



crypto comic of the day

2007-05-04 Thread Perry E. Metzger

http://www.xkcd.com/c257.html

-- 
Perry E. Metzger [EMAIL PROTECTED]



Re: Was a mistake made in the design of AACS?

2007-05-04 Thread Nicolas Williams
On Thu, May 03, 2007 at 10:25:34AM -0700, Steve Schear wrote:
> At 03:52 PM 5/2/2007, Ian G wrote:
> > This seems to assume that when a crack is announced, all revenue
> > stops.  This would appear to be false.  When cracks are announced in such
> > systems, normally revenues aren't strongly affected.  C.f. DVDs.
>
> Agreed.  But there is an incremental effect.  In the same way many people
> now copy DVDs they have rented many will gain access to HD content made

Wait, are you saying that people copy rented DVDs onto DVD media?  Or
that they _extract_ the content?

There's a big difference: there's no need to crack the DVD DRM system to
do the former, but there is for the latter.

I expect the same to be true for HD-DVDs, unless the readers themselves
perform one-way transformations on the content and the readers are
tamper-resistant enough that DMCA protection for them as access control
devices can be claimed.

> available by those more technically sophisticated.  There are a number of Bit
> Torrent trackers which focus on HD content.  All current released
> HD-DVD/BluRay movies are available for download. For those with
> higher-performance PCs for playback, broadband connections and who know how
> to burn a single- or dual layer DVD, the content is there for the taking.
>
> A new generation of HD media players (initially from offshore consumer
> electronics and networking companies, for example, Cisco/LinkSys) are
> poised to enter the market.  These appliances will allow playback of all
> the common HD encoded media, including those ripped from the commercial HD
> discs.  This will place the content from pirates and P2P community in the
> hands of the less sophisticated Home Theater consumer.

So?  If breaking AACS has nothing to do with disk-to-disk copies then I
don't see how the coming market for HD players/writers is going to
affect that kind of piracy.  Or analog hole piracy.  Let's face it: DRM
only stops anyone from trying to make fair use of content (e.g.,
sampling) -- pirates might as well not even know that DRM is there,
unless you can create scarcity of media for the pirates (blank media
taxes), but that's harder than you think when in a couple of years
someone can be manufacturing blank media in some far off place that's
politically hard to reach.

Well, there's an idea: use different physical media formats for
entertainment and non-entertainment content (meaning, content created by
MPAA members vs. not) and don't sell writable media nor devices capable
of writing it for the former, not to the public, keeping very tight
controls on the specs and supplies.  Then finding, say, a Disney movie
on an HD-DVD of the data format would instantly imply that it's pirated.

Nico
-- 



Re: The best riddle you will hear today...

2007-05-04 Thread John Lowry

My favorite ...
http://www.geogreeting.com/view.html?zl1erV5i+mReSdx7+nTAh$$M+ohilV14+xq_G



On May 2, 2007, at 2:09 PM, Udhay Shankar N wrote:


At 10:27 AM 5/2/2007, Aram Perez wrote:


http://farm1.static.flickr.com/191/480556169_6d731d2416_o.jpg


From another list:


This was one of my faves bits of html from last night

<table>
<tr>
<td bgcolor=#09f911></td>
<td bgcolor=#029d74></td>
</tr>
<tr>
<td bgcolor=#e35bd8></td>
<td bgcolor=#4156c5></td>
</tr>
<tr>
<td bgcolor=#635688></td>
<td bgcolor=#c0></td>
</tr>
</table>

Makes a nice flag..fly it


--
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))



Re: can a random number be subject to a takedown?

2007-05-04 Thread David G. Koontz
Hal Finney wrote:
> > My question to the assembled: are cryptographic keys really subject to
> > DMCA subject to takedown requests? I suspect they are not
> > copyrightable under the criterion from the phone directory
> > precedent.
>
> A sample demand letter from the AACS Licensing Authority appears at:
>
> http://www.chillingeffects.org/notice.cgi?sID=03218
>
> From what I can see, there is no claim that the key is copyrighted.
> Rather, the letter refers to the provisions of the DMCA which govern
> circumvention of technological protection measures.  It demands that
> the key be taken down in order to avoid legal liability.
>
> This seems odd to me because my understanding of the DMCA's
> anti-circumvention provisions is that they are criminal rather than civil
> law.  Violations would lead to charges from legal authority and not from a
> copyright owner.  So it's not clear that AACSLA has any power to enforce
> these demands, other than trying to get some government agency involved.
>
> The letter specifically cites 17 USC 1201(a)2 and (b)1, which can be read
> here:
>
> http://cyber.law.harvard.edu/openlaw/DVD/1201.html#a2
>

From an explanation of the justification for the take down notices:
http://www.out-law.com/page-8022

  Fred von Lohmann, an attorney at the Electronic Frontier Foundation,
  said in his blog that sites which carry the code or links to it are
  unlikely to be able to use a traditional defence of 'safe harbor'.

  While no court has ruled on the issue, AACS will almost certainly
  argue that the DMCA safe harbors do not protect online service
  providers who host or link to the key, he said. The DMCA safe
  harbors apply to liabilities arising from 'infringement of copyright.'
  Several courts have suggested that trafficking in circumvention tools
  is not 'copyright infringement,' but a separate violation of a
  'para-copyright' provision.

  The AACS takedown letter is not claiming that the key is
  copyrightable, but rather that it is (or is a component of) a
  circumvention technology, said von Lohmann. The DMCA does not require
  that a circumvention technology be, itself, copyrightable to enjoy
  protection.

One would think that the recent SCOTUS findings in Microsoft v. AT&T
would demonstrate that intangibles such as software (and perhaps large
integers) were not components or parts thereof, unless in place in a
device:

http://www.webster.com/cgi-bin/dictionary?sourceid=Mozilla-search&va=device

  f : a piece of equipment or a mechanism designed to serve a special
  purpose or perform a special function <an electronic device>

From http://cyber.law.harvard.edu/openlaw/DVD/1201.html#a2

17 USC 1201:

  (b) Additional Violations. -

  (1) No person shall manufacture, import, offer to the public,
      provide, or otherwise traffic in any technology, product,
      service, device, component, or part thereof, that -

      o (A) is primarily designed or produced for the purpose of
        circumventing protection afforded by a technological measure
        that effectively protects a right of a copyright owner under
        this title in a work or a portion thereof;
      o (B) has only limited commercially significant purpose or use
        other than to circumvent protection afforded by a
        technological measure that effectively protects a right of a
        copyright owner under this title in a work or a portion
        thereof; or
      o (C) is marketed by that person or another acting in concert
        with that person with that person's knowledge for use in
        circumventing protection afforded by a technological measure
        that effectively protects a right of a copyright owner under
        this title in a work or a portion thereof.


I'd strongly suspect that most if not all of the 2 million hits would
not reveal another acting in concert with that person's knowledge.
While this instance is not indicative of a trend to the lawyer
equivalent of judicial activism, I don't see any protection under the
DMCA against distributing the Processing Keys as what appears to be a
political statement (which could be held to be protected speech).

(IANAL)

Fred's blog entry:  http://www.eff.org/deeplinks/archives/005229.php



