[EMAIL PROTECTED] (Hal Finney) writes:
> The interesting thing is that publishing a processing key like this does
> not provide much information about which device was cracked in order
> to extract the key. This might leave AACSLA in a quandary about what to
> revoke in order to fix the problem. However in this particular case the
> attackers made little attempt to conceal their efforts and it was clear
> which software player(s) were being used. This may not be the case in
> the future.
>
> AACSLA has announced that they will be changing the processing keys used
> in disks which will begin to be released shortly. Software players have
> been updated with new device keys, indicating that the old ones will be
> revoked. In the context of the subset-difference algorithm, there will
> now probably be a few encryptions necessary to cover the whole tree while
> revoking the old software player nodes as well as the pre-revoked node.
> This will make the processing key which has been published useless for
> decrypting new disks.
However, it is still fine for decrypting old disks, and thus
revelation of this sort of information ruins inventory, which is very
expensive.
All cryptography is about economics. In crypto, we usually consider
what the best strategy for an attacker is in terms of breaking a
cryptosystem, but here I think the right question is what the optimal
strategy is for the attacker in terms of maximizing economic pain for
the defender. I'd be very interested in what the optimal strategy is
for the attacker in a system like this, and what possible changes
could be made to such a system to defeat such strategies.
At first glance, it would seem that, for the attackers, the right
strategy is not to flood the world with newly cracked keys but to
release them quite slowly. Let's say that the lifetime of the
technology in question is somewhere around ten years. Releasing one
key on the order of every two months or so -- only sixty keys in all
over the life of the technology -- would be crippling. It would render
all inventory in warehouses and the production pipeline useless, at
quite minimal cost to the attackers. The defenders then have a choice
-- destroy all your inventory, or give up. (Or, do they have alternate
strategies here?)
Anyone very familiar with AACS have ideas on what optimal attack and
defense strategies are? This seems like a fertile new ground for
technical discussion.
Perry
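To make concrete the "few encryptions necessary to cover the whole tree" point in the quoted text, here is an added example (not from this thread or from AACSLA) of the Naor-Naor-Lotspiech subset-difference cover that AACS media key blocks are built on: it takes a device-tree height and a set of revoked leaves, returns the subsets that must each receive one encryption of the media key, and checks that the cover is exact. Tree heights and revoked leaf indices are constructed values, not real AACS data.

```python
# Added example (not from the thread): the NNL subset-difference cover behind
# AACS media key block revocation; heights/revoked sets are constructed values.

def sd_cover(height, revoked):
    """Cover all non-revoked leaves (0..2**height-1) with subsets (i, j) =
    leaves under heap node i minus leaves under descendant j (root=1,
    children 2v, 2v+1). Each subset costs one media-key encryption. `revoked`
    must be non-empty, which is why AACS keeps at least one pre-revoked leaf."""
    if not revoked:
        raise ValueError("subset-difference needs at least one revoked leaf")
    n = 1 << height
    st = set()                           # Steiner tree: ancestors of revoked
    for r in revoked:
        v = n + r
        while v >= 1 and v not in st:
            st.add(v)
            v //= 2
    def rec(v):                          # -> (subsets, remaining ST leaf)
        if v >= n:                       # revoked leaf: nothing to cover
            return [], v
        left, right = 2 * v, 2 * v + 1
        if left in st and right in st:   # branch: close off both sides
            subs_l, leaf_l = rec(left)
            subs_r, leaf_r = rec(right)
            subs = subs_l + subs_r
            if leaf_l != left:           # a chain collapses to one subset
                subs.append((left, leaf_l))
            if leaf_r != right:
                subs.append((right, leaf_r))
            return subs, v
        return rec(left if left in st else right)  # single-child chain
    subs, leaf = rec(1)
    if leaf != 1:                        # final S_{root, leaf}
        subs.append((1, leaf))
    return subs

def leaves_under(height, node):
    """0-based leaf indices in the subtree rooted at heap node `node`."""
    n, lo, hi = 1 << height, node, node
    while lo < n:
        lo, hi = 2 * lo, 2 * hi + 1
    return set(range(lo - n, hi - n + 1))

def covers_exactly(height, revoked, cover):
    """True if the cover is disjoint and hits every non-revoked leaf."""
    parts = [leaves_under(height, i) - leaves_under(height, j) for i, j in cover]
    disjoint = sum(len(p) for p in parts) == len(set().union(*parts))
    return disjoint and set().union(*parts) == set(range(1 << height)) - set(revoked)
```

With only the pre-revoked leaf 0 in a 16-leaf tree, one subset (one encryption) suffices; revoking two adjacent player leaves 5 and 6 in addition raises that to four.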
The Cryptography Mailing List