Re: AACS and Processing Key

2007-05-04 Thread Steve Schear

At 11:32 AM 5/2/2007, Perry E. Metzger wrote:

> Anyone very familiar with AACS have ideas on what optimal attack and
> defense strategies are? This seems like a fertile new ground for
> technical discussion.

Ed Felten wrote an excellent piece on AACS from the technical and 
economic/tactical standpoint.  This link is to the part that addresses your 
particular question:

http://www.freedom-to-tinker.com/?p=1107

Steve 


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: AACS and Processing Key

2007-05-02 Thread Perry E. Metzger

[EMAIL PROTECTED] (Hal Finney) writes:
> The interesting thing is that publishing a processing key like this does
> not provide much information about which device was cracked in order
> to extract the key.  This might leave AACSLA in a quandary about what to
> revoke in order to fix the problem.  However in this particular case the
> attackers made little attempt to conceal their efforts and it was clear
> which software player(s) were being used.  This may not be the case in
> the future.
>
> AACSLA has announced that they will be changing the processing keys used
> in disks which will begin to be released shortly.  Software players have
> been updated with new device keys, indicating that the old ones will be
> revoked.  In the context of the subset-difference algorithm, there will
> now probably be a few encryptions necessary to cover the whole tree while
> revoking the old software player nodes as well as the pre-revoked node.
> This will make the processing key which has been published useless for
> decrypting new disks.

However, it is still fine for decrypting old disks, and thus
revelation of this sort of information ruins inventory, which is very
expensive.

All cryptography is about economics. In crypto, we usually consider
what the best strategy for an attacker is in terms of breaking a
cryptosystem, but here I think the right question is what the optimal
strategy is for the attacker in terms of maximizing economic pain for
the defender. I'd be very interested in what the optimal strategy is
for the attacker in a system like this, and what possible changes
could be made to such a system to defeat such strategies.

At first glance, it would seem that, for the attackers, the right
strategy is not to flood the world with newly cracked keys but to
release them quite slowly. Let's say that the lifetime of the
technology in question is somewhere around ten years. Releasing one
key on the order of every two months or so -- only sixty keys in all
over the life of the technology -- would be crippling. It would render
all inventory in warehouses and the production pipeline useless, at
quite minimal cost to the attackers. The defenders then have a choice
-- destroy all your inventory, or give up. (Or, do they have alternate
strategies here?)

Anyone very familiar with AACS have ideas on what optimal attack and
defense strategies are? This seems like a fertile new ground for
technical discussion.

Perry
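
Added example, not part of the original thread and not AACS code: a toy subset-difference cover showing why revoking the old player leaves turns one encryption into a few and leaves the published key out of the new cover. The 16-leaf heap-numbered tree, the leaf positions and all function names are assumptions made for illustration; key derivation is omitted.

```python
# Toy subset-difference (SD) cover; tree size and leaf ids are constructed.
DEPTH = 4                      # 16 leaves with node ids 16..31, root is node 1
FIRST_LEAF = 1 << DEPTH

def sd_cover(revoked):
    """Return subsets (i, j) meaning 'every leaf under i except those under j'."""
    cover = []
    def walk(v):
        # Returns a node u such that everything under u is handled (revoked or
        # already covered) and leaves under v outside u are still uncovered.
        if v >= FIRST_LEAF:
            return v if v in revoked else None
        left, right = 2 * v, 2 * v + 1
        l, r = walk(left), walk(right)
        if l is None or r is None:
            return l if r is None else r   # pass the chain bottom (or None) up
        # Revoked leaves on both sides: close each chain with one subset.
        if l != left:
            cover.append((left, l))
        if r != right:
            cover.append((right, r))
        return v
    top = walk(1)
    if top is None:
        raise ValueError("SD cover needs at least one revoked leaf")
    if top != 1:
        cover.append((1, top))
    return cover

def leaves(i, j):
    """Leaves selected by subset (i, j)."""
    def under(n):
        lo, hi = n, n
        while lo < FIRST_LEAF:
            lo, hi = 2 * lo, 2 * hi + 1
        return set(range(lo, hi + 1))
    return under(i) - under(j)

def covered(cover):
    """All leaves able to decrypt a disc whose key block uses this cover."""
    return set().union(*(leaves(i, j) for i, j in cover))

PRE_REVOKED = {16}             # constructed: the single pre-revoked node
OLD_PLAYERS = {21, 28}         # constructed: leaves of the cracked players

old_cover = sd_cover(PRE_REVOKED)                 # old discs: one subset
new_cover = sd_cover(PRE_REVOKED | OLD_PLAYERS)   # new discs: a few subsets
```

The old cover's single subset still decrypts every disc already pressed with it, which is the inventory problem raised above.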
