[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: EFF misstatements in DeCSS brief

steve bryan <[email protected]> writes:

> Mr. Anonymity writes:
> >In this case, key size is not a valid metric for the security of
> >the system.  It might be fair to say that CSS is weak because it is
> >implemented in software which users can reverse engineer.  But it is
> >not valid to say that it is weak because it uses 40 bit keys.
> That was my initial reaction about the 40 bit key length. Then I read 
> a cryptanalysis (http://crypto.gq.nu/livid.html) which included a 
> discussion of an attack on the 40 bit hash which is included along 
> with the 400 encrypted keys.

This is true, but it requires knowledge of the hash function, which again
would most probably be obtained by reverse engineering the cipher.

(David Wagner has sketched a path by which CSS might conceivably have
been broken without reverse engineering, working with the advantage
of hindsight, but even if that attack can be made to work it would be
hugely more expensive and difficult than reverse engineering.)

> Even using a simple brute force attack 
> on the hash we can guarantee success in about a day. Because of 
> additional weaknesses in the CSS algorithm the complexity is reduced 
> to about 2^25 which allows the hash to be reversed in about a second 
> of computing time. If accurate, this reduces the significance of 
> Xing's exposed key to almost immaterial. For this reason their 
> ability to cauterize the attack by removing Xing's key is a hopeless 
> maneuver. On the other hand if they were to formally revoke Xing's 
> key and the DeCSS Windows binary uses Xing's key, then all the 
> distributed copies would stop working with new DVD's that are pressed 
> without Xing's key.
> If they had used 128 bit keys these calculations are entirely 
> different. Reversing the hash would probably be rendered ineffective 
> unless there is a severe weakness.

Again, the mere fact that it was a 40 bit cipher was not enough to let
you predict any of these facts.  Recall the quote from the EFF brief:

: Even from the very beginning, it was already widely known in the computer
: security community that CSS provides (at most) a very low level of
: security, because it uses 40-bit keys.

The point remains that the use of 40 bit keys did not in itself imply that
there would be a very low level of security.  The possibility of reverse
engineering did limit the security, and in fact it turned out that CSS was
weak enough that a very inexpensive attack was possible once the cipher
was reverse engineered and analyzed.  But after all, key length is no
guarantee of cipher strength, and it is entirely possible that even a
128 bit CSS would have had weaknesses which allowed keys to be recovered.