HD DVD User Claims to Have Bypassed AACS Encryption
In a separate matter perhaps inspired by, but otherwise unrelated to, last December's discovery of how a software-based HD DVD player may have left title keys exposed, another user has posted source code that may enable HD DVD users to determine the title keys for themselves. The December discovery gave users access to one of the key components necessary for them to back up their content onto separate discs.
In tests over the past few days by users of the Doom9 Forum, people putting this software to use appear to have isolated and identified title keys for their HD DVD movies - the cryptographic components necessary for players, or for anyone, to decrypt content. So this method is technically not an "AACS crack," as some have been led to believe; the source code's author himself has never claimed that it is. But if this method does lead to the identification of title keys, conceivably at least some users may become armed with the tools they need to back up HD DVD content without cracking AACS.
One of the testers of this source code, who thus far reports success, described the situation this way: The producers of movie videodiscs, he wrote, have "a near hopeless task. They have to let people watch movies, so no matter how much advanced cryptography they use, they have to give the users the keys to decrypt the data. The keys have to be inside the player, so the best they can do is make it hard to get those keys. That's what's being done here - people are finding the keys that they give us. I see no sign that anyone is breaking any encryption by figuring out keys they don't give us (the master key held by the AACS [Licensing Authority]) or even calculating the keys they've already given us (device keys) as opposed to finding them in memory when being used."
In other words, the encryption scheme in AACS could theoretically be made infinitely stronger; in the end, it might not matter. Decrypted content must exist in memory at some point in order for it to be played, which means that the tools for that decryption must be addressable, if only briefly.
A February 2006 explanation of the cryptographic process by the AACS LA lays out the interlocking mechanism of keys that are assigned to the disc's manufacturer and the player's manufacturer, the combination of which makes the disc's contents intelligible. As it describes, AACS LA provides both disc and player manufacturers with a common software decryption tool called a media key block (MKB). Using the device keys assigned to player manufacturers by AACS LA, players retrieve information from special locations on each disc that enables them to calculate the MKB. So the media key is never laid bare on the disc someplace.
Each AACS-capable recorder encrypts the contents of each disc using a title key that it generates in advance as a combination of the usage rules and other elements. That title key is then encrypted itself using what's called the volume unique key (VUK), and placed on a location on the disc where the player locates it and decrypts it using the media key. The title key is what the player then uses to decrypt the contents.
The author of the AACS bypass attempt code, whose screen handle is arnezami, described the process of locating the media key as a matter of creating a control program that slowed down the playback of an HD DVD disc, searching for changes in critical locations in memory. Once those changes are made, playback halts, and the changed memory contents are tested for a sequence of bytes that can be validated as a media key.
From there, arnezami needed a volume ID - a sequence which, when combined with the media key, could yield the VUK. In a bizarre twist, he learned the volume ID was actually guessable, at least for one disc: It was a decimal-encoded permutation of the production date of the disc (9/18/06).
After that, arnezami reported, finding the title key was a matter of simple math. He actually illustrated the process on the Doom9 forum using a version of a diagram created by AACS LA itself.
A recent discussion about arnezami's work on Digg.com quickly degenerated into an argument over the author's identity, the identity of somebody claiming to be the original claimant to the AACS crack, the identities of several other people - some of whom may actually be the same person, or perhaps no one at all - and the appropriate usage of certain derogatory adjectives.
The question on the minds of many HD DVD users is whether actions such as arnezami's - which appear moderately genuine at this point - could prompt the AACS LA to pull the proverbial trigger: specifically, to begin circulating revocation keys that prevent once-valid media keys from locating the proper VUK.
Quoting from AACS' own documentation: "If a set of device keys is compromised in a way that threatens the integrity of the system, an updated MKB can be provided by the AACS LA that will cause a product with the compromised set of device keys to calculate a different key than is computed by the remaining compliant products. In this way, the compromised device keys are 'revoked' by the new MKB."
Thus the media key block contains information that a device uses to decrypt future discs, written in such a way that their very use revokes the ability for that device to read existing discs. It doesn't keep a "blacklist" of cracked title keys, as some have described, but instead uses a trick of math to make title keys that have been distributed to the public fail to work. New MKBs could conceivably be acquired by players through dedicated Internet connections or, if not connected, through new discs that contain MKB updates along with their existing content.
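An added example, not taken from the article or from AACS LA: a toy model of the revocation idea quoted above, in which an updated MKB makes a revoked device compute a different key than the remaining compliant players. The per-device slot layout, the HMAC-based masking and the names build_mkb, process_mkb and player-A through player-C are assumptions made for illustration; the real MKB format and cipher differ.

```python
import hashlib
import hmac
import secrets

def _mask(device_key: bytes, value: bytes, nonce: bytes) -> bytes:
    # Stand-in for the real cipher: XOR with an HMAC-SHA256 mask (assumption).
    pad = hmac.new(device_key, nonce, hashlib.sha256).digest()[:16]
    return bytes(a ^ b for a, b in zip(value, pad))

def _check(media_key: bytes) -> bytes:
    # Check value that lets a player tell whether its result is the real key.
    return hmac.new(media_key, b"verify", hashlib.sha256).digest()

def build_mkb(device_keys: dict, revoked: set, media_key: bytes) -> dict:
    """Licensing-authority side: one slot per device, junk for revoked ones."""
    nonce = secrets.token_bytes(16)
    slots = {}
    for dev_id, key in device_keys.items():
        payload = secrets.token_bytes(16) if dev_id in revoked else media_key
        slots[dev_id] = _mask(key, payload, nonce)
    return {"nonce": nonce, "slots": slots, "verify": _check(media_key)}

def process_mkb(dev_id: str, device_key: bytes, mkb: dict):
    """Player side: returns (candidate_media_key, candidate_is_valid)."""
    candidate = _mask(device_key, mkb["slots"][dev_id], mkb["nonce"])
    return candidate, hmac.compare_digest(_check(candidate), mkb["verify"])

def demo() -> dict:
    # Constructed device names and random keys; nothing here is real AACS data.
    keys = {n: secrets.token_bytes(16) for n in ("player-A", "player-B", "player-C")}
    first_mkb = build_mkb(keys, set(), secrets.token_bytes(16))
    # player-B's device key is treated as compromised, so the update revokes it.
    updated_mkb = build_mkb(keys, {"player-B"}, secrets.token_bytes(16))
    return {
        name: (process_mkb(name, key, first_mkb)[1],
               process_mkb(name, key, updated_mkb)[1])
        for name, key in keys.items()
    }

if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name}: first MKB valid={before}, updated MKB valid={after}")
```

In this model no list of revoked keys is shipped to the player: the revoked device simply arrives at a value that fails the check, while every other device key still yields the media key.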
If AACS LA does decide to pull the trigger for the first time, some HD DVD users who were never party to this action in the first place could discover their license to view the content they've purchased has been revoked. In such an event, the legal authority for an outside agency to declare purchased content invalid at will may receive its first major challenge.