Master HDCP Key Cracked

The master key for the High-Bandwidth Digital Content Protection standard -- that's what encrypts digital television between set-top boxes and digital televisions -- has been cracked and published. (Intel confirmed that the key is real.) The ramifications are unclear:

But even if the code is real, it might not immediately foster piracy as the cracking of CSS on DVDs did more than a decade ago. Unlike CSS, which could be implemented in software, HDCP requires custom hardware. The threat model for Hollywood, then, isn't that a hacker could use the master key to generate a DeCSS-like program for HD, but that shady hardware makers, perhaps in China, might eventually create and sell black-market HDCP cards that would allow the free copying of protected high-def content.

Posted on September 17, 2010 at 1:57 PM • 41 Comments

Comments

DavidSeptember 17, 2010 2:13 PM

"Requires custom hardware"? No such thing. Maybe "requires more processing power than most people will have lying around to implement on non-tailored hardware, for now..."

stepdownSeptember 17, 2010 2:16 PM

It only needs to be ripped once, then it can be copied across the internet.

I don't think it's home users making backups they're worried about.

GweihirSeptember 17, 2010 2:18 PM

This will be interesting to follow. I predict a usable software decrypter within 6 months. Not for real-time decryption, but good enough that lots of people will use it to make clean copies of locked content.

LisaSeptember 17, 2010 2:18 PM

This should hopefully allow me to buy a cheap and small converter box I can attach to my video cable that will allow me to view legally purchased HD content, such as BlueRay disks, on my current non-HDCP supported DVI monitor.

Why should I be forced to buy a new expensive monitor just because of copy-protection, when my current LCD monitor is large, bright, and supports full 1080p.

HoratioSeptember 17, 2010 2:21 PM

The whole set-top box thing has never seemed very fair to the consumer. I think the profit model for the entertainment industry needs a big overhaul. I'm not claiming to have a solution, but maybe someone as smart as Bruce should be able to figure something out.

Petréa MitchellSeptember 17, 2010 2:33 PM

Horatio:

Coming up with a new model is easy. Lots of people have done it. Fighting through the legal and political obstacles to get it implemented is the hard part.

Nick PSeptember 17, 2010 2:33 PM

I take issue with two points: requires custom hardware; Chinese suppliers as only likely threat model. These points seem uninformed. Although an ASIC takes average of $30 million to develop from scratch, this design could be put on a $300-$500 FPGA PCI card or done in software. It might not be real-time in software, but that's not inherently necessary. A computer could be running two processes: one that continuously records the encrypted shows the viewer is interested in; one that decrypts the content. The decryption system might not work in real time but many users would wait an extra 30 minutes to have a permanent copy of their favorite show. They already wait over an hour to crack a DVD, so this won't be a problem.

The FPGA board might also be a small appliance with USB or Ethernet support for Plug-n-Play-style ease of use. Pirates have been willing to pay $300 for free TV programming. Who says they wouldn't pay $300-$500 for the ability to crack HD? And FPGA's are often programmable, meaning the pirate boxes could be updated for future functionality and cracks. Hell, someone might even make software that lets users crack them using their PS3's Cell processor. Old PS3's go for around $300 right now and can substitute for a BluRay player. How's that for a cost-benefit analysis?

In summary, I see more market for this than simply Chinese custom hardware vendors. There's plenty of American pirates who could pull this off in a way that's cheap and convenient for their users.

EscapedWestOfTheBigMuddySeptember 17, 2010 2:34 PM

FPGAs.

In particle physics we now do much of our data acquisition with custom, high speed electronics implemented in FPGAs.

It's worse than "if ripped once, the content can spread through the internet" because there 's the even bigger threat of "one successful implementation in FPGAs can be propagated over the internet". Especially if it works on an evaluation board meaning that the secondary exploiter doesn't even need to solder.

Nick PSeptember 17, 2010 2:37 PM

@ EscapedWestOfTheBigMuddy

Funny how we posted the same solution at the same time on the same blog. Synchronicity or coincidence? We'll never know. ;)

billswiftSeptember 17, 2010 2:46 PM

@Nick P and @EscapedWestOfTheBigMuddy

You wouldn't even need that much. Use an old PC, or yours when its not otherwise in use, and save it to a HD, then watch it as often as you like. High speed is only an issue for real time decrypting.

periSeptember 17, 2010 2:58 PM

I have a few HDCP links. First up is the Wikipedia page which explains that HDCP means High-bandwidth Digital Content Protection and it attempts to protect digital data by keeping the data encrypted as it travels along cables (e.g. DVI and HDMI):
http://en.wikipedia.org/wiki/...

I generally trust Ars Technica for technical details but not only is the author, Peter Bright, not really a crypto person I didn't really see much in the comments either. Still here are the stories:

http://arstechnica.com/tech-policy/news/2010/09/...
http://arstechnica.com/tech-policy/news/2010/09/...

I kind of look to Wired as a last resort because they almost never say anything that Ars won't say much better but in this case I took a look and their article isn't exactly wonderful either:

http://www.wired.com/threatlevel/2010/09/...

kangarooSeptember 17, 2010 3:10 PM

stepdown: "I don't think it's home users making backups they're worried about."

No -- it's only home users they're worried about. It undermines the distortions in the market: "changes the perceived value".

The blackmarketers always can get a copy via alternate means --- hell, most movies are available on the streets of Shanghai before they've left the editor's office. It's the home user in the west who pays exorbitant prices who's the real object of interest here. Why do you think easily cracked region encoding is such an issue? Why would any producer bother to even put in region encoding?

periSeptember 17, 2010 3:13 PM

So the short version is that you have DVI and HDMI cables with signals that are encrypted but you still have to plug those cables into _something_ and you have to convince the thing that is sending the signal that you are a valid device and that is now possible with the HDCP master key's data being public. I'll leave the more nuanced explanation to Clive Robinson.

Clive RobinsonSeptember 17, 2010 3:15 PM

As I noted to Randall's original post ( http://www.schneier.com/blog/archives/2010/09/... ) there are two issues involved,

1, You can become an HDMI data source or sink.
2, You can get the secret key of the wire as it's negotiated between a source and sink.

The first option will require some custom hardware but I realy don't think a custom chip and maybe not even an FPGA (the logic is not that hard).

the second issue requires no custom hardware just the rental/ purchase of the appropriate test equipment to pull the data of the wire onto an HD or other media. Once the key is known it's game over.

You can then transcode the data to another format and also re-encrypt it for your particular HDMI monitor/sound system with little difficulty.

Thus the Intel spokes person was either ill-informed or makeing a false statment.

The problem with making such a silly false statment is it will now be bait to old fashioned hackers to prove him wrong and they will a lot lot faster than otherwise would have happened (Think back to the NSA and DES which prompted the DES Cracker hardware project)

Are the media owners actually that concerned wel to be honest I don't think so. They now have been given the excuse to go to HDCP2 or whatever with the latest generation tech and the industry will follow along quite happily as will many consumers.

We saw with DeCSS the actual loss to the industry was so small it would probably cost more to calculate it. This was because DeCSS was very late to the party when it came to cracking DVD's.

As long as whatever offline content protection lasts for a couple of technology generations the media owners will not realy care, they might mouth off about it but they know their bottom line will be better for having to go with "new improved technology". All the fuss they will create is effectivly an excuse to con more money out of you one way or another.

The simple fact is Off Line Content Protection with Retail Media is always going to be broken it is just getting past the physical barriers that stops it happening faster. And the media owners (should) know this.

If their bottom line was realy going to be effected then they would switch to an Online Media solution which could be made as secure as required.

Bruce (not that Bruce)September 17, 2010 4:08 PM

No disrespect, but I'm not sure about this statement from Clive, "We saw with DeCSS the actual loss to the industry was so small it would probably cost more to calculate it. This was because DeCSS was very late to the party when it came to cracking DVD's."

The DVD format was introduced into the US in mid 1997, and DeCSS came out in October 1999. According to CEA stats, sales of DVD players did not really take off in the US until late 2000, so it's kind of hard to say DeCSS came "late to the party." By far the vast majority of consumers have only ever owned DVD's in the period when they had effectively no copy protection.

With Blu-Ray, AACS got effectively cracked almost simultaneously with the introduction of the format. BD+ took a bit longer, but not by much.

I think it's somewhat mistaken to think that DRM only needs to last a short time in order for it to be commercially useful. To me it seems more as snake oil sold to gullible content owners.

KaiSeptember 17, 2010 5:38 PM

I don't think this makes as much of a difference as the entertainment industry (or those who sought to have their rights protected by DRM) is going to make out.

It will need some kind of hardware as you need to be able to receive a HDMI signal to decrypt it.

Also, it's not going to make much difference as far as protecting content such as blu-rays. You can already go to The Pirate Bay/Isohunt/mininova etc and get outstanding quality blu-ray rips.

It's easier to read the compressed video off the blu-ray and transcode it, generally faster than realtime, than it would be to play a disc and record or buffer the *uncompressed* video stream (we're talking on the order of a terabyte or more of data for a movie here) and then transcode it back to h.264.

Granted, what this will do is leave this as an option even if they manage to do the mathematically impossible and create a DRM scheme on disc that can't be cracked - a digital version of the analog hole.

Clive RobinsonSeptember 17, 2010 9:23 PM

@ Bruce (),

"No disrespect, but I'm not sure about this statement from Clive"

Fair comment, I worded it badly (that's the trouble with trying to sum it up in a single sentance).

DVD's have been 'ripped' since just about day one, one way or another in some cases by simply taking the video output and re-encoding it. Others by plain duplication after modification to the writer, and later by hacks to various DVD playing software on PC's (one of which is where DeCSS came from) again by getting at the decoded video.

DeCSS arived after other techniques where fairly well entrenched with those ripping "for profit" as oposed for "personal use". The International Intellectual Property Aliance (IIPA) wrote a report about Hong Kong etc and DVD ripping (google for rbc_hong_kong_301_99 )

The Big use for the DeCSS process and program originaly was (and still is ) the home user running *nix for which the media owners had little time. Later to transcode to other much better codecs to put DVD's onto various personal media players.

Jim Cardwell of Warner Home Video more or less said just this when interviewed on CNN's "Showbiz Today" back in Jan 2000 ( http://edition.cnn.com/TRANSCRIPTS/0001/11/... ),

"We expected the source code to be broken. We were surprised it wasn't broken earlier. We believe there is no economic incentive to hack this product. The cost of the blank is more expensive than the cos of the finished product, and the amount of time it takes to download is several hours. There's no real economic incentive for anyone to hack this product."

A big part of DeCSS was the fact that media owners where not interested in *nix and this stuck in some peoples craw so a German coder reversed engineered a DVD software player running under MS Windows to find out just how CSS worked and to get at some of the keys.

Although there where rumours in some places that MS did a tied deal with the media owners not to allow *nix DVD players, I have not seen evidence of this (but then if MS did do it I'm sure they would be very careful after other legal runnins they had had ;)

Nick PSeptember 17, 2010 10:26 PM

@ PackagedBlue

It's unlikely that UltraViolet has any connection. The recent key crack may be used as a justification to further push the UltraViolet standard. The UltraViolet standard is designed to create the illusion of consumer freedom while keeping content control in the hands of copyright owners. It's very much like the TCPA's trusted platform vision. The UltraViolet system will essentially bring DRM to every compatible device, many of which were largely non-DRM before. It's very bad.

Dio GratiaSeptember 18, 2010 1:55 AM

You could contemplate that there is a standardized interface between the cable interface supplying an HDCP protected connection and the LCD display panel on a monitor. At this point you have 'plain text' pixels. A user could obtain information necessary to develop their own version of an interface with some LVDS fanout buffers and an additional output connector. You might even find existing artwork for such a 'development' version with the additional connector for debug and analysis purposes. There are VESA standards for the interfaces, form factors and connector pin outs. Now all you need is high speed data acquisition with lots of storage, and some software to transform recovered and stored content into a more useful form.

How does this provide a different result than decrypting? The cryptographic boundary doesn't extend to the LCD panel nor is it likely to now. How effective can a protective measure be if it allows use at all and you are protecting content from the end user who can look beyond the extent of it's protection? HDCP protects uses of the interface cables and connectors (HDMI, DVI-D, (mini)DisplayPort) and not the data itself, and now that's broken too. We generally refer to this as security theater. The cryptographic security has been illusory all along. That it is possible is due to digital-cp.com licensing fees dominating implementation costs. The silicon costs are that low.

FredrikSeptember 18, 2010 5:14 AM

I don't see much point in cracking HDCP, because any content that it protects has already been cracked earlier.

Jenny JunoSeptember 18, 2010 6:39 AM

One type of HDCP protected content that was not previously cracked is SACD audio. Up to this point, no one has been able to extract the original DSD bitstream from a SACD disc.

There have been hardware mods to SACD players similar to what 'Dio Gratia' described for television - except they were only able to extract the audio bitstream after the conversion from DSD to PCM which is a lossy conversion (although it is unlikely to be audibly noticeable to even the most sensitive of ears).

HDMI allows for native transport of DSD audio so with this crack in hand it is now theoretically possible to extract the original DSD bitstream from the roughly 7000 SACD titles that have been published over the last decade or so.

Jonathan WilsonSeptember 18, 2010 7:59 AM

What will likely happen is that someone will build a circuit that implements the hack, using a FPGA or microprocessor or something and then post the circuit and code online. Likely there will be a PC program that will generate a device key based on the master key and insert it into the FPGA or microprocessor code. Then you load that onto the circuit and plug into your devices and boom, no more HDCP issues to worry about.

Once that happens and the code/circuits are published online, it will become impossible to stop and HDCP will be permanently broken.

Bob WebberSeptember 18, 2010 11:29 AM

The application of an HDCP cracking device that immediately comes to my mind is making bit-exact copies of digital television broadcasts from consumer-grade digital video recorders (Tivo, etc.).

I don't know how much DVD sets of recently broadcast television shows brings to the content providers, but the DVD sets are pricey and presumably quite profitable.

Right now, mass-produced, consumer-friendly devices respect copy protection flags. It's not possible for me to pass on pure-digital copies of Futurama's current season to my non-cable-subscribing friends. If they want to see HD video of the show, they have to pay for video on demand or buy DVDs.

If a consumer-friendly (just plug it in and it'll work!) circumvention device were available in retail stores,consumers would once again be able to pass along copies of HD broadcasts to their friends without further royalties to the content producer.

mashiaraSeptember 18, 2010 4:37 PM

Some people do not seem to realize just how much bandwidth HDMI has (as stated, we're talking about the uncompressed bitstreams here), HDMI 1.3 has max bandwidth of 10.3Gbit/s, now not all of it is used but based on some back of the envelope calculations and approximations 1080p@30fps and multichannel audio is about 170MBytes/s, you need a pretty hefty RAID array to be able to maintain that capture speed for the duration of the title.

So, don't expect a cheap set-top box fox capturing the data and then re-encoding it "at leisure".

A "HDCP stripper" (AFAIK these are already available but their keys tend to get revoked, being able to generate new keys as needed is definitely a plus) that claims full compliance to the player, strips the ecnryption and passes the signal onwards to display device that happens not to support HDCP or happens to be finicky (there are implementation issues etc that simply cause some HDCP devices not talk to each other).

Also in big AV installations (monitor matrices etc) the limit on for how many keys can the source encrypt the stream (if we want to show same stream on multiple monitors) is a question, forget PiP or other mixing, not allowed by compliant devices (of course with a stripper this becomes again possible...)

For professional (as in for-profit) piracy this means nothing, ditto for the amateurs (for fame, to the torrents), they too have other access to the HD source (sometimes they might have to wait for the BD to be released and rip it, but usually the rips hit the torrents way before that). And especially for the customers who just want a backup or format-shift (the "digital copy" thing is a bad joke for me: I don't run Windows and if I have a feeling that I would be sorely disappointed by the experience) cracking HDCP is just not worth the trouble, should there be a disk that the ripping tools cannot handle (old keys revoked, new one not yet cracked) the title is probably anyway available as a torrent.

mashiaraSeptember 18, 2010 4:40 PM

And to add, Moores law sadly does not apply to storage, even though storage size is (so far) increasing at steady pace the access speed if lagging behind the curve

You can have fast and very expensive/GB (the fast solid state drives) or you can have cheap/GB but it will be slow (spinning disks)

DaveSeptember 19, 2010 6:19 AM

>This should hopefully allow me to buy a cheap and small converter box I can
>attach to my video cable that will allow me to view legally purchased HD
>content, such as BlueRay disks, on my current non-HDCP supported DVI monitor.

You've been able to buy these for several years, they're called "cheap Chinese-made HDMI switches" (or repeaters, or whatnot). The cheapest one I've seen cost about $15, I have a $25 one that nicely removes any HDCP from an HDMI data stream.

(Maybe you can't buy them in the US, but I'm not in the US...).

DaveSeptember 19, 2010 6:32 AM

>One type of HDCP protected content that was not previously cracked is SACD
>audio. Up to this point, no one has been able to extract the original DSD
>bitstream from a SACD disc.

Does anyone care about extracting plaintext audio from an SACD disk?

periSeptember 19, 2010 2:02 PM

So I looked at the Hack A Day site I found while via this blog and the article itself isn't anything the comments are rather interesting:

http://hackaday.com/2010/09/18/...

Here are some of the comments:

EdZ suggested that HDCP-stripping isn't new and provided these links:
http://www.hdfury.com/
http://www.blackmagic-design.com/products/...


cornelius785 suggests (without link) "I’m still thinking the FPGA is ‘better’ route to go. I know FPGAs can handle LSFRs well. I would think the FPGA route would be simpler overall (DVI/HDMI interface, HDCP handshaking, HDCP decode, raw->mpeg conversion)."


devin suggests that only one only needs an $11 chip and your own private key (via the master):
http://www.analog.com/static/imported-files/...
$10.68 @ digikey (AD9393BBCZ-80-ND)

A ReaderSeptember 19, 2010 7:55 PM

In the 1990s, there was a case (Atari Games Corp. v. Nintendo of America, Inc.) where Atari had obtained a copy of the game cartridge authentication software for the Nintendo NES video game system. This software was meant to disallow the use of unlicensed games. In this case, however, Atari got into trouble because the software code had been obtained from the US Copyright Office under false pretenses (More information is at http://www.eff.org/issues/coders/... on the Web.)

In a more modern era, if a DRM-related global secret was to be leaked into the Internet, undoing the damage might not be easy...

John LamontSeptember 20, 2010 4:04 AM

@peri - the only hdfury product that 'strips' HDCP is the one that outputs analog. The blackmagic product doesn't even implement HDCP much less strip it - it is mostly for editing work with video sources that use HDMI/DVI instead of SMPTE's SDI

The only product that I am aware of that effectively strips HDCP is the Moome MUX-HD - which appears to accept an HDCP protected data-stream, decode the video as if it were going to hand it off to an LCD display-driver or the like but instead feeds it back out another HDMI port without HDCP enabled. In the process all non-video content, such as audio and CEC, is blocked from transmission out the cleartext HDMI port.

Here's a discussion of HDCP strippers - including some of the above:
http://www.digitalhome.ca/forum/showthread.php?...

As for Dave's assertion that cheap strippers are available in asia, that's news to me. I think that if such a product were available it would be mentioned on some website like DealExtreme (which has been known to sell other illegal-in-the-US items like cell-phone jammers).

AdamSeptember 20, 2010 7:25 AM

I don't think the crack will have an immediate effect except for more set top boxes to employ secondary protections such as watermarking.

After all, how much is an HDMI capture device going to cost (compared to composite for example), and how many people are going to patiently play their Blu Rays or STB through the device to capture the content?

The likely cost of these devices and the effort required to reencode that content in a usable form is a barrier to piracy in itself.

DaveSeptember 21, 2010 12:55 AM

>As for Dave's assertion that cheap strippers are available in asia, that's
>news to me. I think that if such a product were available it would be
>mentioned on some website like DealExtreme (which has been known to sell
>other illegal-in-the-US items like cell-phone jammers).

Oh, DX has them, they're just not advertised as such, they're sold as HDMI switches and repeaters, and some (many?) of these happen to remove HDCP on the way through. I've never seen any of these advertised anywhere as HDCP strippers, it's a case of "buy our no-name white-box HDMI switch and you might get a nice surprise". There's a guy who posted to the sci.crypt newsgroup a few days ago who said he's demo-ing one at a conference in Australia, so they're also available there.

o.s.September 21, 2010 2:06 PM

Any algorithm implemented with hardware can be implemented with software. I see no reason HDCP can't be emulated in software. Hmm it would make an interesting project to prove this wrong.

mashiaraSeptember 21, 2010 5:19 PM

re o.s:

It's not that HDCP cannot be decoded in software, but doing it fast enough is a different question alltogether, see above for some bandwidth approximations.

Now if you have a captured encrypted stream (some ~2TB for s medium lenght movie) on a disk you can take your time to decode it (provided you have also been able to sniff the session keys somehow without being able to do the HDCP handshake and occasional rekeying in realtime).

Just saving all the data you get from your HW decryptor is hurdle in itself (not insurmountable but not something that will be built into cheap appliances in the next few years)

cowardly-anonymousSeptember 21, 2010 5:26 PM

One of my senior projects in college was working on a team which cracked the HDCP master key. We did not publish due to legal fears, however, and I know the professor would not risk his career to "publish the key on twitter." I won't mention any names just in case, but I will mention it required several thousand dollars in HDCP-supporting hardware and a month of time on the university supercomputer (a bit more than Ferguson predicted...).

It has been several years, but if I remember correctly, the encryption just uses a simple LFSR-cipher, and generating a new keypair is just few matrix multiplications - both are *lightning* fast. I don't know where people are getting this "It would be too slow in software" idea from.

Clive RobinsonSeptember 21, 2010 5:40 PM

@ o.s.,

"Any algorithm implemented with hardware can be implemented with software. I see no reason HDCP can't be emulated in software."

I assume you mean "determanistic algorithm"?

The real issue of software -V- hardware is generaly one of speed, the software is frequently several orders of magnitude slower.

But speed is not of necessity important even in the "inline" case as the purpose is to discover the secret key which as it's a function of both the source and sink nodes "secrets" once known it can (if the hardware alows) be injected into existing hardware...

Likewise provided you have a storage system capable of keeping up with the data rate then no mater how slow the software emulation of the hardware is it will unlock (eventualy) the secret.

As I originaly said the Intel spokes person was either ill informed or making a false statment.

As has been noted by others a "HDCP stripper" could be made of first or second generation chip sets either unintentionally (as in a splitter box) or by deliberate design.

HDPC is effectivly "point to point" (node to node) not "end to end" encryption, which means the nodes have to have "plain text" in them. Thus if you can "probe out" the node there is a chance you will get access to the "plain text" (although it sounds easy in practice it may well not be).

However it is all fairly immaterial as the "Pirates" will have little interest in stripping HDCP as their business model and thus their methodology is different.

As has been noted HDCP is in reality little to do with security and a lot to do with licensing revenue...

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..