HDCP Encryption Cracked, Details Unreleased Due To DMCA

Lord_Pall writes: "There's a very good article on SecurityFocus about a Dutch cryptographer. He apparently has cracked the HDCP video encryption standard, but won't release the research for fear of reprisals under the DMCA." Update: 08/15 06:10 PM by J : Meanwhile, see Keith Irwin's paper which has been released despite the DMCA. Update: 08/15 07:00 PM by J : And someone else points out this old thing. Everyone who hasn't written a paper on cracking HDCP raise your hand.

Re:He is Dutch, DMCA doesn't apply

[Chelloveck]

I know this guy, though I haven't talked with him for about six months. He does come to the USA periodically. His girlfriend is American and while they're both living in the Netherlands now, they do come over here once in a while. After the Sklyarov thing I'm not terribly surprised about his reluctance to come forth.

Last I knew, he was working with Bruce Schneier and Counterpane. It's possible that his connection to a US corporation also enters into the decision.

Essay by Ferguson

[Apotsy]

Here [macfergus.com] is where Ferguson explains his position.

This is a very good essay. It does an excellent job of explaining the problem with the DMCA succinctly, and in a manner than anyone can understand. I'm going to keep this link and use it whenever I want to explain the problem with the DMCA to someone non-technical.

A method for this was posted a few weeks back

[Anonymous Coward]

A guy named Keith Irwin published a high level process for attacking HDCP a few weeks back and it sounds much the same (i.e. number of required devices, etc.)

See the links below for his whitepaper as well as a previous discussion regarding this on a popular HDTV forum...

http://www.angelfire.com/realm/keithirwin/HDCPAtta cks.html [angelfire.com]
http://www.avsforum.com/ubb/Forum11/HTML/015261.ht ml [avsforum.com]

Re:He didn't break it :)

[(void*)]

How asinine. He could make a video stream encoded with the master key for example. And we could all verify it with the public key.

That's the great about assymetric key encryption.

Re:Next DMCA test - prosecution for doing research

[Hallow]

Yes, but most of the time the courts don't rule against the person who wrote the manual on how to pick the lock, created the skeleton key, or sold the lockpicks to the crook.

It's the act of breaking the lock, not information, tools or ability that allow one to bypass the lock, that should be, and already was illegal.

Old news

[Insount]

Politics aside:

A description of a fatal weakness [cryptome.org] in HDCP's was published by Scott A. Crosby a few days after the specs was published, and was independently discovered by many others. Crosby's attack appears to have the capabilities claimed by Ferguson and has negligible computational cost (inversion of a 40x40 matrix). It requires the built-in keys of any 40 HDCP devices, but this is presumably easy to achieve in the presence of software-based HDCP implementations).

Thus the new feature of Ferguson's attack is probably a way to extract the keys without actually hacking any device, but rather by talking to intact devices via the normal protocol. While this is interesting, HDCP should already be considered broken in light of known attacks.

It's not just vanity

[rhincewind]

I was actually there (at HAL) when he expressed his anger about these procedings. When asked whether 'the paper was in his tent at the moment' (talking about anonymous posting ;-) he replied being serious about not publishing.

Imho his goal is not getting his paper published, but getting people to think about the consequences of these laws. Unfortunately, this the only way we foreigners can protect our rights abroad.

Linked to this, in Europe a 'law' is being prepared (due Sept 3rd I believe) which forces a country to assist another country to eavesdrop (snif Internet traffic) on a user if he (she) did an illegal act in that OTHER country. To link this with a previous link (thanks for the thought), if China were to be part of such agreement, every couple with 2 or more kids could forget its privacy...

Joost

Re:He is Dutch, DMCA doesn't apply

[Drone-X]

He is Dutch, DMCA doesn't apply

Maybe he doesn't want to lose the ability to travel to the USA, if he puts it up for download he'd be violating American law (at least in California they seem to think the Internet means you're *everywhere*).

The Complete Document

[Anonymous Coward]

The Complete Document can be found here:

http://www.macfergus.com/niels/dmca/index.html

Very good stuff. Too bad they didn't link it in the story.

DMCA-like legislation coming ot a country near you

[hillct]

Many countries are cinsidering DMCA type legislation to bring them into compliance with the WIPO [wipo.org] Intelectual Property Treaties [wipo.int]. For more on the the legal constructs being cinsidered by the World Intellectual Property Organization, see their whitepaper "Technical Protection Measures: The Intersection of Technology, Law, and Commercial Licenses [wipo.org]" (M$ Word or PDF). Take a good look at this stuff. It's important that people fully understand the actions being taken by WIPO and begin to realize that arguing about your rights or my rights isn't the critical issue. The critical issue is that if WIPO has their way, there will be no protection for citizens of any country, from potentially usurous and monopolistic IP practices.

--CTH

Crypto-Gram

[tiny69]

The recent newsletter [counterpane.com] from Crypto-gram [counterpane.com] talks about the DMCA and brings up a few good points:

Dmitry Sklyarov (age 27) landed in jail because the Digital Millennium Copyright Act (DMCA) makes publishing critical research on this technology a more serious offense than publishing nuclear weapon designs. Just how did the United States of America end up with a law protecting the entertainment industry at the expense of freedom of speech?

. . .

There are also provisions in the DMCA to allow for security research, provisions that I and others fought hard to have included. But these provisions are being ignored, as we've seen in the DeCSS case against 2600 Magazine, the RIAA case against Ed Felten, and this arrest.

It's a good read.

Re:He is Dutch, DMCA doesn't apply

[FreeUser]

However, even by claiming to have broken the encryption, he's placing himself at risk of being investigated, and possibly detained and questioned should he ever visit the US.

You are probably right, as the DMCA is clearly intended to be used as a club to squelch information and discussion under the (woefully thin) guise of protecting copyright holders.

However ...

(If I were to publicly announce that I had commited a crime, I would expect the authorities to take interest in me.)

... even the DMCA hasn't made it illegal to figure out how to decrypt encrypted copyright material, but rather has made the trafficking in devices using that knowledge illegal. By announcing he's done it, but not sharing the methodology, he cannot in any way be said to have "trafficked" in a circumvention device. To do so he would have to publish, and this he has not done. Not that that will stop Intel or someone else affiliated with the Copyright Cartels from swearing out a false afidavit and falsely imprisoning this individual (and, interestingly, while the Sklyrov case goes forward I do not see anyone from Adobe being arrested for Perjury, which swearing out a false affidavit is ... hence the term "swear").

Of course, it is only a matter of time until someone does publish, probably anonymously, and DHCP dies the death it so richly deserves.

The software world, which relies on restricted copy priveleges (copyright) far more heavilly than even the Media Moguls of Hollywood and New York, learned over a decade ago just how futil copy protection schemes were. Instead, they chose to go another route, making serial-numbered copies traceable rather than uncopiable (something which has been shown mathematically to be myth in any event). Interestingly enough, having people's names attached to serialized copies of software had a chilling effect on copyright violation that no amount of copy-protection schemes and hardware dongles was able to achieve. It didn't eliminate it, but it sure cut down on the number of people willing to share their copies of software with anyone other than, at most, their closest friends.

The Copyright Cartels and Media Conglomerates refused to learn this obvious lesson, prefering instead to believe they have purchased protection through the DMCA sufficient to allow even the most flawed "copy protection" to stand through artificial threat with a government gun in contradiction to both information theory and basic physics in the physical world.

Of course, when "casual copying" has been mostly eliminated and fair use is dead, the industrial copyright violators will still be producing illegale wares in quantity, until they in turn are shut down using methods and laws which have been around for decades. Which underscores the real motivation and target behind MPAA and RIAA purchased legislation such as the DMCA: the individual consumer, not the commercial copyright violator.

Crap.

[sn0wdude]

Why are you linking to a crappy article on Securityfocus.com ? Please go read the original document:

http://www.macfergus.com/niels/dmca/index.html

He talks about why DMCA sucks. The Copyright issues, Jurisdiction, Freedom of Speech etc.

A must read !

Re:Will the DMCA hurt encryption badly?

[chriscrowley]

Newsweek has also has a very anti-DMCA article on their now hosted MSNBC website.

http://www.msnbc.com/news/612847.asp [msnbc.com]

Read the article and give it a "10" at the bottom so that it might show up under the MSNBC Viewer's Top 10 list and people will find out about this.

Re:Will the DMCA hurt encryption badly?

[JebOfTheForest]

One could argue that the productivity gains over the last two decades that enabled the longest period of economic expansion in US history were due in a large part to the proliferation of inexpensive computer hardware, which was only possible because of Compaq's success (and victory in court) in reverse-engineering the IBM PC BIOS. If that were to happen today, Compaq would lose, cheap, competitive clones would not have appeared, the desire to connect them wouldn't have followed, and we'd have no giant public computer network, with record corporate tax returns providing lawmakers with a surplus to woo their constituents with.

jeb.