[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: EFF misstatements in DeCSS brief

Mr. Anonymity writes:

>In this case, key size is not a valid metric for the security of
>the system.  It might be fair to say that CSS is weak because it is
>implemented in software which users can reverse engineer.  But it is
>not valid to say that it is weak because it uses 40 bit keys.  If in
>fact the decryption algorithm could somehow have been kept secret (say
>by keeping it in some kind of secure hardware) then 40 bit keys could
>represent very strong encryption.

That was my initial reaction about the 40 bit key length. Then I read 
a cryptanalysis (http://crypto.gq.nu/livid.html) which included a 
discussion of an attack on the 40 bit hash which is included along 
with the 400 encrypted keys. Even using a simple brute force attack 
on the hash we can guarantee success in about a day. Because of 
additional weaknesses in the CSS algorithm the complexity is reduced 
to about 2^25 which allows the hash to be reversed in about a second 
of computing time. If accurate, this reduces the significance of 
Xing's exposed key to almost immaterial. For this reason their 
ability to cauterize the attack by removing Xing's key is a hopeless 
maneuver. On the other hand if they were to formally revoke Xing's 
key and the DeCSS Windows binary uses Xing's key, then all the 
distributed copies would stop working with new DVD's that are pressed 
without Xing's key.

If they had used 128 bit keys these calculations are entirely 
different. Reversing the hash would probably be rendered ineffective 
unless there is a severe weakness. That might leave Xing as the only 
compromised key and they have a mechanism for limiting the damage 
done if that is the case for future discs. The known plaintext attack 
which provides the other player keys has a complexity of 2^16 when 
the keys are 40 bit. I don't know how that translates if the keys are 
128 bit (or if the cypher even has the ability to work with such key 
sizes) but it doesn't take a giant leap of faith to conclude the 
severity of the breach may have been minimal. I'm beginning to 
suspect the real lawsuit in this case might be by the content 
providers against DVD-CCA for their incompetent design work.

On the issue of reverse engineering of the algorithm there is 
considerable obfuscation, like the recording industry referring to 
all copies being "illegal copying". (Then why are Sony and Philips 
actively promoting that in several of their ads?) First it has been 
pointed out that the law in Norway, which cannot be revoked by any 
weak-ass click through "license", most likely does not hold the 
activity to be illegal. Also, even in the US, the law specifically 
provides for the legitimacy of reverse engineering which is done for 
the purpose of interoperability.