Advanced Access Content System

From Wikipedia, the free encyclopedia

AACS decryption process
AACS decryption process

The Advanced Access Content System (AACS) is a standard for content distribution and digital rights management, intended to restrict access to and copying of the next generation of optical discs and DVDs. The specification was publicly released in April 2005 and the standard has been adopted as the access restriction scheme for HD DVD and Blu-ray Disc (BD). It is developed by AACS Licensing Administrator, LLC (AACS LA), a consortium that includes Disney, Intel, Microsoft, Matsushita (Panasonic), Warner Bros., IBM, Toshiba and Sony. AACS has been operating under an "interim agreement" since the final specification (including provisions for Managed Copy) has not yet been finalised.

Since appearing in devices in 2006, several AACS decryption keys have been extracted from weakly protected software players and published on the Internet.

Contents

[edit] System overview

[edit] Encryption

AACS uses cryptography to control the use of digital media. It encrypts content under one or more title keys using the Advanced Encryption Standard (AES). Title keys are derived from a combination of a media key (encoded in a Media Key Block) and the Volume ID of the media (e.g., a physical serial number embedded on a pre-recorded disc).

The principal difference between AACS and CSS, the DRM system used on DVDs, lies in how the device decryption keys are organized.

Under CSS, all players of a given model are provisioned with the same, shared decryption key. Content is encrypted under the title-specific key, which is itself encrypted under each model's key. Thus each disc contains a collection of several hundred encrypted keys, one for each licensed player model.

In principle, this approach allows licensors to "revoke" a given player model (prevent it from playing back future content) by omitting to encrypt future title keys with the player model's key. In practice, however, revoking all players of a particular model is costly, as it causes many users to lose playback capability. Furthermore, the inclusion of a shared key across many players makes key compromise significantly more likely, as was demonstrated by a number of compromises in the mid-1990s.

The approach of AACS provisions each individual player with a unique set of decryption keys which are used in a broadcast encryption scheme. This approach allows licensors to "revoke" individual players, or more specifically, the decryption keys associated with the player. Thus, if a given player's keys are compromised and published, the AACS LA can simply revoke those keys in future content, making the keys/player useless for decrypting new titles.

AACS also has traitor tracing. If an attacker tries to keep a compromised key secret (by only publishing decrypted title keys), it can still be tracked down. The standard allows different versions of short sections of a movie to be encrypted with different keys. A certain player will only be able to decrypt one version of each section. By embedding a digital watermark in the different versions and analyzing what sections of the movie the attacker publishes, the compromised keys can eventually be identified and revoked (this feature is called Sequence keys in the AACS specifications).[1] [2]

[edit] Volume IDs

Volume IDs are unique identifiers or serial numbers that are stored on pre-recorded discs with special hardware. They cannot be duplicated on consumers' recordable media. The point of this is to prevent simple bit-by-bit copies, since the Volume ID is required (though not sufficient) for decoding content. On Blu-ray discs, the Volume ID is stored in the BD-ROM Mark.[3]

To read the Volume ID, a cryptographic certificate (the Private Host Key) signed by the AACS LA is required. However, hackers claim to have circumvented that particular protection by modifying the firmware of an HD DVD reader.[4] [5]

[edit] Decryption Process

To view the movie, the player must first decrypt the content on the disk. The decryption process is somewhat convoluted. The disk contains 4 items -- the Media Key Block (MKB), the Volume ID, the Encrypted Title Keys, and the Encrypted Content. The MKB is encrypted in a subset difference tree approach. Essentially, a set of keys are arranged in a tree such that any given key can be used to find every other key except its parent keys. This way, to revoke a given device key, the MKB needs only be encrypted with that device key's parent key.

Once the MKB is decrypted, it provides the Media Key, or the Km. The Km is combined with the Volume ID (which the program can only get by presenting a cryptographic certificate to the drive, as described above) in a one-way encryption scheme (AES-G) to produce the Volume Unique Key (Kvu). The Kvu is used to decrypt the encrypted title keys, and that is used to decrypt the encrypted content.[4][6]

[edit] Plugging the analog hole

AACS-compliant players must follow guidelines pertaining to outputs over analog connections. This is set by a flag called the Image Constraint Token (ICT), which restricts the resolution for analog outputs to 960×540. Full 1920×1080 resolution is restricted to HDMI outputs with HDCP. The decision to set the flag to restrict output ("down-convert") is left to the content provider. Warner Pictures is a proponent of ICT, and it is expected that Paramount and Universal will implement down-conversion as well.[7] As of March 2006, 5 of the 6 studios releasing HD DVD content have announced they will not use ICT/down-conversion for the time being.[8] AACS guidelines require that any title that implements the ICT must clearly state so on the packaging. The german magazine "Der Spiegel" has reported about an unofficial agreement between film studios and electronics manufacturers to not use ICT until 2010 - 2012.[9] However, some titles have already been released that apply ICT.[10]

[edit] Audio watermarking

It is possible to use Verance's audio watermarking technology[11] in conjunction with AACS. Studios may insert an inaudible mark in the soundtracks of theatrical motion pictures. If an AACS-compliant player detects this inaudible mark, it means the disc is playing back a copy made from a theatrical print (probably from illegal camcording), and will cause the player to refuse to play the disc. The mark is made by varying the waveform of speech and music in a regular pattern to convey a digital code. These variations are too subtle to be heard by the human ear. Another variation of this system can be used to discourage the playback of discs created through unauthorized duplication of audio watermarked discs purchased or rented by consumers. This variation for home entertainment utilizes a watermark that differs from the cinema mark in that it is permitted in media distributed to consumers.

[edit] Managed Copy

Managed Copy refers to a system by which consumers can make legal copies of films and other digital content protected by AACS. This requires the device to obtain authorization by contacting a remote server on the Internet. The copies will still be protected by DRM, so infinite copying is not possible (unless it is explicitly allowed by the content owner). It is mandatory for content providers to give the consumer this flexibility in both the HD DVD and the Blu-ray standards (commonly called Mandatory Managed Copy). The Blu-ray standards adopted Mandatory Managed Copy later than HD DVD, after HP requested it.[12]

Possible scenarios for Managed Copy include (but are not limited to):

  • Create an exact duplicate onto a recordable disc for backup
  • Create a full-resolution copy for storage on a media server
  • Create a scaled-down version for watching on a portable device

This feature was not included in the interim standard, so the first devices on the market did not have this capability.[13] It is expected to be a part of the final AACS specification[1].

[edit] History

On February 24, 2001, Dalit Naor, Moni Naor and Jeff Lotspiech published a paper entitled "Revocation and Tracing Schemes for Stateless Receivers", where they described a broadcast encryption scheme using a construct called Naor-Naor-Lotspiech subset-difference trees. That paper laid the theoretical foundations of AACS.[14]

The AACS LA consortium was founded in 2004.[15] The final AACS standard was delayed,[16] and then delayed again when an important member of the Blu-ray group voiced concerns.[17] At the request of Toshiba, an interim standard was published which did not include some features, like managed copy.[13] As of October 15, 2007, the final AACS standard had not yet been released.[18]

[edit] Open-source implementations

On December 26, 2006 a person using the alias "muslix64" published a working, open-sourced AACS decrypting utility named BackupHDDVD, looking at the publicly available AACS specifications. Given the correct keys, it can be used to decrypt AACS-encrypted content. A corresponding BackupBluRay program was soon developed.[19]

[edit] Security

Both title keys and one of the keys used to decrypt them (known as Processing Keys in the AACS specifications) have been found by using debuggers to inspect the memory space of running HD DVD and Blu-ray player programs.[20] [21] [22] [23] Hackers also claim to have found Device Keys [24] (used to calculate the Processing Key) and a Host Private Key [25] (a key signed by the AACS LA used for hand-shaking between host and HD drive; required for reading the Volume ID). The first pirated HD movies were available soon afterwards.[26] The processing key was widely published on the Internet after it was found and the AACS LA sent multiple DMCA takedown notices in the aim of censoring it.[27] Some sites that rely on user-submitted content, like Digg and Wikipedia, tried to remove any mentions of the key.[28] [29] The Digg administrators eventually gave up trying to censor submissions that contained the key.[30]

The AACS key extractions highlight the inherent weakness in any DRM system that permit software players for PCs to be used for playback of content. No matter how many layers of encryption are employed, it doesn't offer any true protection, since the keys needed to obtain the unencrypted content stream must be available somewhere in memory for playback to be possible. The PC platform offers no way to prevent memory snooping attacks on such keys, since a PC configuration can always be emulated by a virtual machine, in theory without any running program or external system being able to detect the virtualization. The only way to wholly prevent attacks like this would require changes to the PC platform (see Trusted Computing) which could provide protection against such attacks. This would require that content distributors do not permit their content to be played on PCs without trusted computing technology, by not providing the companies making software players for non-trusted PCs with the needed encryption keys.

On April 16, 2007, the AACS consortium announced that it had expired certain encryption keys used by PC-based applications. Patches were available for WinDVD and PowerDVD which used new and uncompromised encryption keys.[31] [32] The old, compromised keys can still be used to decrypt old titles, but not newer releases as they will be encrypted with these new keys. All users of the affected players (even those considered "legitimate" by the AACS LA) are forced to upgrade or replace their player software in order to view new titles.

Besides spreading processing keys on the Internet, there have also been efforts to spread title keys on various sites.[33] The AACS LA has sent DMCA takedown notices to such sites on at least one occasion.[34] There is also a commercial software player (AnyDVD HD) that can circumvent the AACS protection. Apparently this program works even with movies released after the AACS LA expired the first batch of keys. [35]

[edit] Patent challenges

On May 30, 2007, Canadian encryption vendor Certicom sued Sony alleging that AACS violated two of its patents, "Strengthened public key protocol"[36] and "Digital signatures on a Smartcard."[37] The patents were filed in 1999 and 2001 respectively, and in 2003 the National Security Agency paid $25 million for the right to use 26 of Certicom's patents, including the two that Sony is alleged to have infringed on. [38]

[edit] Trivia

  • The IEEE Spectrum magazine's readers voted AACS to be one of the technologies most likely to fail in the January 2005 issue.[39]
  • While great care has been taken with AACS to ensure that contents are encrypted right up to the display device, on the first versions of some Blu-ray and HD DVD software players a perfect copy of any still frame from a film could be made simply by utilizing the Print Screen function of the Windows operating system.[40][41] This was broken in later versions.

[edit] See also

[edit] References

  1. ^ Hongxia Jin, Jeffery Lotspiech, Nimrod Megiddo (2006-10-04). Efficient Traitor Tracing. Retrieved on 2007-05-02.
  2. ^ AACS Reference: Pre-recorded Video Book. Retrieved on 2007-05-02.
  3. ^ Blu-ray Disc Pre-recorded Book pp. 15. AACS LA (2006-07-27). Retrieved on 2007-11-01.
  4. ^ a b Reimer, Jeremy (2007-04-15). New AACS cracks cannot be revoked, says hacker. Ars Technica. Retrieved on 2007-05-04.
  5. ^ Geremia (2007-04-04). Got VolumeID without AACS authentication :). Doom9.net forums. Retrieved on 2007-05-04.
  6. ^ Advanced Access Content System (AACS): Introduction and Common Cryptographic Elements. AACS Licensing Administrator (2007-02-17). Retrieved on 2007-06-05.
  7. ^ Sweeting, Paul (2006-01-19). High-def ‘down-converting’ forced. Video Business. Retrieved on 2007-05-04.
  8. ^ Perton, Marc (2006-03-27). Universal won't downsample HD DVD content. Engadget. Retrieved on 2007-05-04.
  9. ^ Ken Fisher (2006-05-21). Hollywood reportedly in agreement to delay forced quality downgrades for Blu-ray, HD DVD. arstechnica.com. Retrieved on 2007-11-02.
  10. ^ HD DVD: "Resident Evil" nur in Standard-Auflösung via YUV (German). areadvd.de (2007-10-29). Retrieved on 2007-11-02.
  11. ^ Verance Content Management Solutions. Retrieved on 2007-05-02.
  12. ^ HP to Support HD-DVD High-definition DVD Format and Join HD-DVD Promotions Group (2006-02-05). Retrieved on 2007-05-03.
  13. ^ a b Perenson, Melissa J. (2006-03-21). Burning Questions: No Copying From First High-Def Players. PC World.
  14. ^ Dan Nicolae Alexa (2006-12-28). HD DVD's AACS Protection Bypassed. In Only 8 Days?!. playfuls.com. Retrieved on 2007-10-25.
  15. ^ Katie Dean (2004-07-15). Can Odd Alliance Beat Pirates?. wired.com. Retrieved on 2007-10-19.
  16. ^ Martyn Williams (2005-12-14). Toshiba Hints at HD-DVD Delay. pcworld.com. Retrieved on 2007-10-19.
  17. ^ Craig Morris (2006-02-14). AACS copy protection for Blu-ray disc and HD DVD delayed again. heise.de. Retrieved on 2007-10-19.
  18. ^ Paul Sweeting (2007-10-15). AACS still trying to manage copying. contentagenda.com. Retrieved on 2007-10-25.
  19. ^ Drawbaugh, Ben (2007-01-24). BackupBluray available now too. Engadget. Retrieved on 2007-05-03.
  20. ^ HD-DVD Content Protection already hacked?. TechAmok (2006-12-28). Retrieved on 2007-01-02.
  21. ^ Hi-def DVD security is bypassed. BBC news (2007-01-26). Retrieved on 2007-05-02.
  22. ^ Block, Ryan (2007-01-20). Blu-ray cracked too?. Engadget. Retrieved on 2007-01-22.
  23. ^ Leyden, John (2007-01-23). Blu-ray DRM defeated. The Register. Retrieved on 2007-01-22.
  24. ^ "ATARI Vampire" (2007-02-24). WinDVD 8 Device Key Found!. Doom9.net forums. Retrieved on 2007-05-04.
  25. ^ "jx6bpm" (2007-03-03). PowerDVD private key. Doom9.net forums. Retrieved on 2007-05-04.
  26. ^ Yam, Marcus (2007-01-17). First Pirated HD DVDs Released. DailyTech. Retrieved on 2007-05-03.
  27. ^ AACS licensor complains of posted key. Retrieved on 2007-05-02.
  28. ^ Boutin, Paul (2007-05-01). Wikipedia Locks Out "The Number". Retrieved on 2007-05-02.
  29. ^ Greenberg, Andy (2007-05-02). Digg's DRM Revolt. Forbes. Retrieved on 2007-05-04.
  30. ^ DVD DRM row sparks user rebellion. BBC news (2007-05-02). Retrieved on 2007-05-02.
  31. ^ Press Messages: AACS - Advanced Access Content System. Retrieved on 2007-05-02.
  32. ^ Yam, Marcus (2007-01-26). AACS Responds to Cracked HD DVD and Blu-ray Disc Protections. DailyTech. Retrieved on 2007-05-03.
  33. ^ Lindsay Martell (2007-01-26). Blu-ray and HD DVD Encryption Cracked. NewsFactor Network. Retrieved on 2007-05-29.
  34. ^ Alexander Kaplan (2007-04-05). Illegal Offering of Title/Volume Keys to Circumvent AACS Copyright Protection: hdkeys.com (pdf). DMCA takedown notice. Retrieved on 2007-05-29.
  35. ^ Ryan Paul (2007-05-07). Latest AACS revision defeated a week before release. Ars Technica. Retrieved on 2007-05-29.
  36. ^ Scott A. Vanstone et al (Apr 1, 1999). Strengthened public key protocol. US Patent Office. Retrieved on 2007-05-31.
  37. ^ Scott A. Vanstone et al (Aug 29, 2001). Digital signatures on a Smartcard. US Patent Office. Retrieved on 2007-05-31.
  38. ^ Nate Anderson (2007-05-31). Encryption vendor claims AACS infringes its patents, sues Sony. Ars Technica. Retrieved on 2007-05-31.
  39. ^ Tekla S. Perry (January 2007). Loser: DVD Copy Protection, Take 2. Spectrum Online. Retrieved on 2007-05-04.
  40. ^ Work Around for New DVD Format Protections. Slashdot (2006-06-07). Retrieved on 2007-05-02.
  41. ^ Edward Henning (2006-07-07). Copy protection hole in Blu-ray and HD DVD movies. heise Security. Retrieved on 2007-05-02.

[edit] External links