Content Scramble System for DVD
PeiXian Yan, Bo Zhou, Gang Liu, ZongPeng Liu, Matthew Black
December 6, 2004
Supervised by Andy Brown
Content Scramble System
  Introduction to CSS and DeCSS
  Encryption on the DVD in CSS
  How a DVD player plays DVD
  Cryptanalysis of CSS
  Comparison with other techniques
  Conclusion
Introduction
What is CSS?
  CSS: Content Scramble System.
  It is the data scrambling method used to garble the content of a DVD disc.
  Data on a DVD is protected by CSS, so the DVD cannot be copied.
  The disc is only usable with licensed DVD playback mechanisms.
  Windows and Mac have a CSS licence. Linux does not.
Introduction
How does CSS work?
  Every DVD player on the market today is coded with a small set of "player keys".
  Every DVD disc on the market today is coded with a "disk key", identifying that disc.
  When a DVD player attempts to read a DVD, the player uses its player key and proceeds down the list of encrypted disk keys on the disc.
Introduction
Cannot play DVD under Linux: DeCSS introduced.
What is DeCSS?
  DeCSS is an executable binary utility, written for Microsoft Windows.
  Unscrambled MPEG-2 video files can be copied to the user's hard drive by DeCSS.
  MPEG-4 video files can be made from a DVD very easily, and these are very easy to transfer through the web.
Introduction
How to store the DVD data on a PC
[Diagram: DVD, MPEG-2 file (protected by CSS) -> DeCSS -> '*.vob' file (very large) -> FlaskMPEG -> MPEG-4 file (much smaller), PC]
Introduction
Where does DeCSS come from?
  An anonymous German hacker from MoRE (Masters of Reverse Engineering) was responsible for writing the code.
  Jon Johansen, a 16-year-old Norwegian, put it on the web in late September 1999.
  The response of the MPAA (Motion Picture Association of America).
Introduction
How does DeCSS work?
DeCSS operates much as any other DVD player operates - it uses a player key to unscramble the scrambled contents of a DVD to make playable MPEG-2 video files.
All versions of DeCSS currently in release are built around the Xing player key, which reportedly has been revoked. If this is true, no newly-released DVDs can be descrambled with this player key; DeCSS will not work on these DVDs.
Introduction
Why was CSS made so weak?
  CSS uses a 40-bit key. Even if the scrambling algorithm is well designed, the short key length means that a brute-force search will quickly find the key!
  The reason is that at the time (in 1996) U.S. export regulations banned the export of strong encryption technologies.
Introduction
CSS is different from other examples of cryptography such as encrypted e-mail. Unlike encrypted e-mail, where the objective of the encryption is to maintain privacy, CSS has nothing to do with maintaining privacy or secrecy of the video. Anyone who buys a DVD containing a CSS "encrypted" movie can view that movie by placing it in a DVD player. This is totally unlike encrypted mail, which only the intended recipients can read.
CSS Overview
  Protection from piracy
  Client-host authentication
  Enforce region-based codes
  Stream encryption
Keys in CSS
  Region key
  Authentication key
  Session key
  Player key
  Disk key
  Title key
  Sector key: in bytes 80-84 of a sector (a logical or physical group of bytes recorded on the disc)
Encryption in CSS
  System's security depends entirely on the insides of the keystream generator.
  (APPLIED CRYPTOGRAPHY, BRUCE SCHNEIER)
So... what keystream do we need?
  A pseudo-random bit stream
  A generator that produces an unpredictable key-stream (at least in any reasonable amount of time, so that it is harder to break)
Generic LFSR
  A shift register
  Tap sequence
  Certain tap sequences will cycle through all 2^n-1 possible internal states (called maximal length LFSR)
[Diagram: shift register holding 1 0 1 1 1 1 0 0 1 0 1 0 1 0 0 1 1, with an XOR, a Feedback Path and an Output]
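The maximal-length property on this slide, as an added Python example that is not part of the original presentation: a generic LFSR whose period is measured for different tap sequences. The function names and the tap positions are assumptions (textbook values, not the CSS tap sequence, which the slides do not give).

```python
# Added example: generic Fibonacci LFSR. Tap positions below are textbook
# values chosen for illustration; they are not taken from the slides.

def lfsr_step(state, taps, n):
    """Clock an n-bit LFSR once and return (new_state, output_bit).

    taps: bit positions XORed into the feedback bit. Position 0 is the bit
    that is shifted out; including it keeps the update reversible.
    """
    feedback = 0
    for t in taps:
        feedback ^= (state >> t) & 1
    out = state & 1
    return (state >> 1) | (feedback << (n - 1)), out

def lfsr_period(seed, taps, n):
    """Number of clocks until the register returns to `seed`.

    Returns None if it has not returned within 2**n clocks.
    """
    state = seed
    for clocks in range(1, 2 ** n + 1):
        state, _ = lfsr_step(state, taps, n)
        if state == seed:
            return clocks
    return None

def keystream_bits(seed, taps, n, count):
    """Collect `count` output bits starting from `seed`."""
    state, bits = seed, []
    for _ in range(count):
        state, bit = lfsr_step(state, taps, n)
        bits.append(bit)
    return bits

if __name__ == "__main__":
    # 4-bit register: one tap sequence is maximal length, the other is not.
    print("taps (0,1):", lfsr_period(1, (0, 1), 4))
    print("taps (0,2):", lfsr_period(1, (0, 2), 4))
    # The all-zero state never changes, hence 2^n-1 states and not 2^n.
    print("zero seed :", lfsr_period(0, (0, 1), 4))
    # A 17-bit register with a maximal-length tap sequence.
    print("17-bit    :", lfsr_period(1, (0, 3), 17))
```
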
CSS' LFSR17
[Animation frames: the 17-bit register, shown starting from 1 0 1 1 1 1 0 0 1 0 1 0 1 1 0 1 1, is clocked step by step; each frame shows the XOR and the bits appearing at Output.]
CSS's LFSRs
  CSS: LFSR17 (2 bytes + 1 bit seeded in bit 4)
  CSS: LFSR25 (3 bytes + 1 bit seeded in bit 4)
  So... CSS uses a 40-bit key
  Addition between the LFSRs
More on LFSR
  Bit-wise inverter before addition
[Diagram: LFSR-17 and LFSR-25 each produce 1 byte, and each byte passes through an optional bit-wise inverter; the two bytes enter an 8-bit add together with the carry-out from the previous addition, giving the output byte and a carry-out.]
Inverter modes
  Mode            LFSR-17   LFSR-25
  Authentication  Yes       No
  Session key     No        No
  Title key       No        Yes
  Data            Yes       No
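An added Python example (not from the original presentation) of the combiner and the inverter-mode table above. It also shows that the addition can be undone byte by byte, which is the subtraction step the later attack slides rely on. The function names and the LFSR byte values are constructed for illustration.

```python
# Added example: the byte combiner and inverter modes from the slides.
# The LFSR byte streams used here are constructed values, not CSS output.

# mode -> (invert LFSR-17 byte, invert LFSR-25 byte), from the table above
INVERTERS = {
    "authentication": (True, False),
    "session_key": (False, False),
    "title_key": (False, True),
    "data": (True, False),
}

def combine(bytes17, bytes25, mode):
    """8-bit add of the two LFSR bytes plus the previous carry-out."""
    inv17, inv25 = INVERTERS[mode]
    carry, out = 0, []
    for a, b in zip(bytes17, bytes25):
        a ^= 0xFF if inv17 else 0x00
        b ^= 0xFF if inv25 else 0x00
        total = a + b + carry
        out.append(total & 0xFF)
        carry = total >> 8          # carried into the next byte's addition
    return out

def recover_bytes25(output, bytes17, mode):
    """Solve the addition for the LFSR-25 bytes.

    Because the combiner is a plain add, the output and one register's
    bytes fix the other register's bytes: the second register adds no
    independent secrecy once the first is known or guessed.
    """
    inv17, inv25 = INVERTERS[mode]
    carry, recovered = 0, []
    for o, a in zip(output, bytes17):
        a ^= 0xFF if inv17 else 0x00
        b = (o - a - carry) & 0xFF
        carry = (a + b + carry) >> 8
        recovered.append(b ^ 0xFF if inv25 else b)
    return recovered

if __name__ == "__main__":
    s17 = [0x3C, 0xF0, 0x81]        # constructed sample bytes
    s25 = [0xD5, 0x22, 0x7F]        # constructed sample bytes
    for mode in INVERTERS:
        ks = combine(s17, s25, mode)
        print(mode, [hex(x) for x in ks], recover_bytes25(ks, s17, mode) == s25)
```
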
Data Encryption
  LFSRs are seeded
  Generates pseudo-random bit stream
  Substitution on video data byte
  XOR of the bitstream and the substitution
Data Encryption
[Diagram: input data byte -> table-based substitution -> XOR with the output byte from the LFSRs -> output data bytes]
Key Encryption/Decryption
[Diagram: bytes of ciphertext pass through stages of permutation tables and additions (+) with the bytes K0, K1, K2, K3, K4 to give the bytes of plaintext. Caption: CSS stream cipher used to encrypt/decrypt keys]
Play a CSS protected disc
  DVD itself
  Content delivery in between
  DVD player
DVD and DVD player
  Encrypted content
  (hidden area) A table of encrypted disk keys, disk hash
  Player keys (used to decrypt the disk key)
  Region code (identifies where the player should be used)
  Another secret (used for authentication)
Mutual Authentication
Between the Host and the Player. With the authenticated device
(licensed by the DVD Copy Control Association)
Verifies both sender and receiver are licensed to use the system
A session key is agreed on to prevent eavesdropping
Mutual Authentication
[Sequence diagram between Host and Drive. Messages: Request AGID; AGID; Challenge(H) (nonce); Encrypted Challenge(H); Challenge(D) (nonce); Encrypted(D); Success or Failure. Steps shown on the two sides: Encrypt Challenge; Decrypt and verify Challenge(D); Decrypt and verify Challenge(H); Encrypt Challenge(D); Session key is encrypted Challenge(H) + Challenge(H); Initialization done.]
Data transfer
  Decrypt disk key
  Verify disk key (hash)
  Decrypt the title key
  Data decrypted by the XOR of the title key and the sector
Brute Force attack on disk keys
  CSS only uses 40-bit keys
  Possible to find the disk key by looking at 2^40 possible disk keys.
  This attack is in fact possible with a complexity of 2^25 by attacking the hash, making it feasible in runtime applications
Attack with 6-bytes of LFSR output.
  Not a terribly useful attack, we don't normally have 6-bits lying around
  Provides a 2^16 attack on the algorithm
  Allows us to find the 16 (plus 1) bit register
  Find input of LFSRs
  Hence we have the key.
Attack with 6-bytes of LFSR output.
1. For each guess of the contents of LFSR-17
   1. Clock out 4 bits
   2. Get the output of LFSR-25 by subtracting
   3. Work out the contents of LFSR-25 from the output
Attack with 5-bytes of LFSR output.
  Much more practical here
  For each guess of the contents of LFSR-17
    Clock out 3 bytes from the LFSR
    Determine the corresponding bytes from LFSR-25
    Reveals all but the highest order bit from LFSR-25
    Attempt to verify each final bit.
CSS Mangling
  When used to encrypt keys an additional mangling step takes place
  By trying all 256 possibilities
  Possible to recover 5 output bytes from the LFSRs and hence find the key from the above attack
Content Protection Technologies
Copy protection methods integrated within DVDs
  Copy Generation Management System (CGMS)
  Analog Protection System (APS)
  Content Scrambling System (CSS)
CGMS
  Each sector of a DVD disc includes CGMS that defines how many times the data can be copied.
  Three copying "states": copy enable, copy one generation, copy never
  Two formats: analog (i.e., CGMS-A), digital (i.e., CGMS-D)
APS
A method of forcing copies to be degraded or inhibited when copies are made of video signals containing the Macrovision signals.
Two separate technologies:
  Automatic Gain Control (AGC)
  Color Stripe
CSS
A data encryption and authentication scheme intended to prevent copying video files directly from the disc.
The various approaches
  Content Protection for Recordable Media (CPRM)
  Content Protection for Pre-recorded Media (CPPM)
  Content Protection System Architecture (CPSA)
  Digital Transmission Content Protection (DTCP)
The various approaches
  High-bandwidth Digital Content Protection (HDCP)
  Extended Conditional Access (XCA)
  Advanced Access Content System (AACS)
CSS
  Protects video content distributed on DVD
  Uses 40-bit key
  Weak key management
  Common weakness
CPPM
  Protects pre-recorded DVD audio content
  Uses 56-bit key
  Better key management
  Common weakness
CSS vs AACS
  CSS uses a 40-bit key: a brute force attack can be carried out with a complexity of 2^40
  AACS uses AES-128: a brute force attack can be carried out with a complexity of 2^128
CSS vs AACS
AACS uses advanced Media Key Block (MKB) to manage and revoke keys
AACS would potentially allow people to store copies of a movie on home computers and watch it on other devices connected to a network—or even transfer it to a portable movie player
Conclusion
  A mechanism to encrypt data on a DVD disc.
  Is it still being used?