Re: EFF misstatements in DeCSS brief

[lcs Mixmaster Remailer <mix@anon.lcs.mit.edu>]

In the spirit of offering constructive criticism of the EFF brief, here are
some more mistakes and misleading statements:

> Even from the very beginning, it was already widely known in the computer
> security community that CSS provides (at most) a very low level of
> security, because it uses 40-bit keys.

Although there is a general presumption that 40 bit encryption is weak,
in fact the key size is not that relevant in this particular application.
This is because the decryption key is stored with the decryption
algorithm.  As David Wagner points out, no system of this type can
be secure, as long as users have the ability to reverse engineer the
decryption program.  Even if 128 or 256 bit keys had been used, the task
of finding the decryption key would not have been significantly more
difficult.

In this case, key size is not a valid metric for the security of
the system.  It might be fair to say that CSS is weak because it is
implemented in software which users can reverse engineer.  But it is
not valid to say that it is weak because it uses 40 bit keys.  If in
fact the decryption algorithm could somehow have been kept secret (say
by keeping it in some kind of secure hardware) then 40 bit keys could
represent very strong encryption.

> Forty-bit keys are widely recognized as providing only low
> security. Public demonstrations have shown that they can be cracked
> within hours using the computing power available to students.

While the second part is true, it is misleading because many people
will assume that "students" have been chosen as an example because of
their well known poverty and limited resources.  In fact, the students
in this example have access to vastly greater computing resources than
the typical person.  Colleges have large numbers of computers hooked
into networks, many of which are unused much of the time.  It is by
exploiting hundreds or thousands of unused computers that students have
been able to perform some of their rapid key searches.

> In addition, all 400 keys that CSS has used or ever will used [sic]
> is on each DVD.

What is probably meant is that the set of 400 CSS keys is fixed and
unchanging by design.  However those 400 keys are not stored on DVDs,
instead the key for decrypting the DVD is stored, encrypted separately
with each of the 400 keys.

> The DeCSS source code made it possible for the cryptographic community
> to analyze the security of the DVD security system without undertaking
> any tedious reverse engineering work.

This presupposes that no tedious reverse engineering work was done to
create DeCSS, which is highly unlikely.  Few people will doubt that
tedious reverse engineering was involved in the creation of DeCSS.
It is true that this process only has to be done once, and then when
the fruits of this effort are distributed, the rest of the cryptographic
community can then skip this step.

> One cryptographer, David Wagner regards CSS so flawed that it would make
> a fine homework exercise for a university level class in cryptography
> and codebreaking.

Yes, but only once the algorithm is in hand.  Analyzing CSS without
being able to reverse engineer a decryption program would be a far more
difficult matter.

> CSS was designed as weak cryptography.  CSS's 40-bit key-length fell
> below what is generally considered to be secure.

See comments above re the inappropriateness of the 40 bit standard in this
application.

> This inherent vulnerability was aggravated by the fact that each one of
> the millions of DVDs circulated around the globe contains all 400 keys

See comment above about what DVDs actually contain.  They do not contain
"all 400 keys".