« AACS and broadcast encryption | Main | Should I care about the estate tax? »
April 16, 2005
What DVD encryption can't solve
The thing about DVD encryption, whether it's CCS or AACS is that it's not going to stop copying DVDs. The obvious way to copy a DVD is simply to make an exact duplicate of all the data onto your hard drive or another piece of plastic. This requires that you be able to read the raw bits off the DVD, but there's no technical obstacle to making that kind of equipment and in fact it's fairly easy to get. No encryption can stop this from happening because it bypasses the encryption.DVD encryption accomplishes two major goals:
- It stops people from making third party players.
- It makes it hard to get access to the plaintext.
Why deny access to the plaintext when copying the ciphertext is so easy? Well, DVDs are fairly large, so they consume a lot of disk space and take a long time to transmit over the Internet. So, if you want to share files it pays to be able to compress them--even much smaller music files are generally compressed for transmission and storage after people copy them from CD. But encrypted data is essentially incompressible so getting access to the plaintext is the first step in doing the transcoding.
Because of the size issue, effective DVD encryption would make sharing movies over the Internet very difficult. But of course, this is a temporary situation. Given the rapid increase in disk space and network bandwidth it's only a matter of time before you can copy encrypted DVDs around.
And of course, AACS only works if you can identify which key was compromised. If people just rip their DVDs and post the compressed plaintext, there's no way of knowing1 which player was compromised and so you can't revoke it. Obviously, it's a lot of work for your average end user to compromise his own player (though you could imagine some hacker releasing a patch that would let you break any copy of some player) but it's not that much work for a pirate.
At the end of the day what you're left with is a technology that doesn't really stop piracy but that does stop people making unauthorized players.
1. Yes, I know about watermarking, but it's very inconvenient to use watermarking because that requires having each disk be different and tracking who buys which disks. I don't get the impression that AACS involves watermarking.
Posted by ekr at April 16, 2005 6:20 AM | Filed under:
Comments
You also forgot the Software Player gap: There will be software only players for Windows which are liscenced, and you can trivially get the keys from those in order to extract the plaintext.
I believe the first linux player someone hacked up just used one of these keys rather than DECSS.
Posted by: Nicholas Weaver at April 16, 2005 8:01 AM
Nick,
That's absolutely true, but if you have a revocation scheme, then it won't be possible to release a player that incorporates a single hacked key. You'll either need to keep releasing new hacked keys or have a piece of software that can extract the key from the user's machine.
Posted by: EKR at April 16, 2005 8:05 AM
The purpose of CSS is to ensure only members of the DVD CCA can make players. They in turn are contractually bound by provisions such as not being allowed to manufacture region-free players. And the DVD CCA can enforce its royalties on player manufacturers.
You can bet the $39 DVD players at Wal-Mart were made by Chinese vendors who are not paying royalties out of their razor-thin profit margins. AACS would allow the DVD CCA to selectively revoke keys for DVD player manufacturers who try and evade royalties.
In short, one of the primary purposes of DVD encryption is to maintain a fragmented global market so the content industry can keep their control over distribution, and keep on charging artificially inflated profit margins in markets like Europe or Australia.
Posted by: Fazal Majid at April 16, 2005 10:41 AM
It might not be that easy to pass around encrypted disks, even if the bandwidth were available. The spec seems to envision something like Trusted Computing being used in PC based players, otherwise capturing the decoded video would be relatively easy. That trusted software component could be set up to require an actual HD-DVD drive with a real disk in it, and not accept an image stored in a directory somewhere.
Also, apparently they intend every recorded disk to be unique. From page 3-4 of the crypto spec:
"Pre-Recorded Media Serial Number
"An identifier that will be unique to each instance of Pre-Recorded media. If the media is an optical disc, it might be recorded in the Burst Cutting Area to enable licensed replicators to record unique values for each disc. The Serial Number must be globally unique to ensure that network based transactions that enable the Enhanced Features defined in chapter 5 of this book can be utilized."
This could allow shared disk image to be traced to its source, under some circumstances.
Much of the PC spec in the recorded media book seems oriented towards having the PC validate the disk rather than vice versa. Disks are signed, hashes of subsets are stored, and PCs are supposed to check all that. I'm not sure if this adds any actual security, or if it simply protects the pocketbook of the AACS Licensing Administrator, making sure that non-AACS HD-DVDs can't exist.
Posted by: Cypherpunk at April 16, 2005 6:43 PM
Ah, I missed that about the serial number when I skimmed it. That's surprising--my impression was that that added substantially to the cost of the disks.
I don't really see that that makes much of a difference, though, seeing as you can buy DVDs for cash at WalMart....
Posted by: EKR at April 16, 2005 6:48 PM
If every player watermarks its device ID into its output, then a compromised player can be detected and revoked. Of course, this will eventually be defeated by using non-watermarking transcoding tools.
Tracing compromised discs is not a goal of AACS AFAIK; knowing which disc was copied doesn't solve anything. (Sure, maybe you could sue one guy, but N more would replace him.)
Posted by: Wes Felter at April 18, 2005 11:17 AM