[Livid-dev] Successful attack on CSS algorithm

philburr@usa.net
27 Oct 99 10:36:10 MDT

Although this may not be too useful for forcing the stream decryption key unless a section is known unencrypted, this algorithm can be useful to brute the private player keys. Here's how:

First, some conventions:

    d  = disk key from the disk
    d' = encrypted disk key
    p  = private player key
    d' = CSStitlekey1(d, p);

    t  = title key from disk
    t' = Needed Master Key
    t' = CSStitlekey2(t, d');

CSStitlekey1 and CSStitlekey2 are very similar. It is important to note the part of code that looks like this:

    for (i=9; i>=0; i--)
        key[CSStab0[i+1]] = k[CSStab0[i+1]]^CSStab1[key[CSStab0[i+1]]]^key[CSStab0[i]];

It should be noted here that this is a fairly useless function as far as the encryption is concerned. It is 1 to 1 and is completely reversible.

Also, I should note here that key is the first argument to both functions and k is a function of the second argument (im). Or in other words, k = f(im).

Now, as I said, that snippet of code is reversible. That is, given that CSStitlekey2 modifies t to become t' and we know what t' is and what t is (I am assuming that 1 private/public key set is known and t' has been found), it is very easy to calculate k. As I said, that snippet of code is stupid and simply could have used a simple xor and would have been just as effective.

Now given that we now know k, and we know the relationship between k and im is k = f(im), we need to reverse f(). Which is what the supplied code does. Now look at the f() for CSSdescramble() and note that it is very similar to the f() for CSStitlekey2() and CSStitlekey1().

It should be very easy (and I've done it) to modify the algorithm to reverse k for CSStitlekey1() and CSStitlekey2(). Now, the only problem is that given k has 5 elements and im has 5 elements, there are MULTIPLE POSSIBILITIES of im which will produce k. In fact, under these circumstances, there are on average about 256 possibilities according to my test runs.

Now, given that there are 2 functions (CSStitlekey1 and CSStitlekey2), given d (the disk key from the disk) there should be approximately 65536, O(2^16), possible d' keys (private player keys). Calculating them is very easy. But which to use? For that, one would probably need to run the algorithm on multiple DVDs and compare the results and find the common keys and keep eliminating until there is only 1 left. I predict that brute forcing the private player keys will be fairly easy.

cheers,
Phil
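The reversibility of that post-mixing loop, as an added example that is not from the post or from any DVD player code: it implements the quoted loop with constructed stand-in tables (tab0 for the index walk, T() in place of CSStab1; the real tables are not on this page) and shows that one known (input, output) pair of the 5-byte key pins k down with at most 256 trials. The design lesson is the one Phil makes: a mixing step that is a bijection for every k contributes no secrecy of its own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins (NOT the real CSS tables, which are not on the page): tab0 is the
   index walk used by the loop and T() plays the role of the CSStab1 byte substitution. */
static const uint8_t tab0[11] = {4, 0, 1, 2, 3, 4, 0, 1, 2, 3, 4};
static uint8_t T(uint8_t x) { return (uint8_t)((x * 167 + 89) ^ (x >> 3)); }
static uint8_t g(uint8_t x) { return (uint8_t)(x ^ T(x)); }

/* The post-mixing loop quoted in the post: two passes over key[0..4], updated in place. */
static void mix(uint8_t key[5], const uint8_t k[5]) {
    for (int i = 9; i >= 0; i--)
        key[tab0[i + 1]] = k[tab0[i + 1]] ^ T(key[tab0[i + 1]]) ^ key[tab0[i]];
}

/* Recover every k consistent with one known (in -> out) pair. Eliminating k from the two
   passes leaves c[j] = g(x[j]) ^ x[j-1] (cyclic in j) for the state x[] after pass 1, so
   one guess of x[4] determines the rest: at most 256 trials. Returns the candidate count. */
static int recover_k(const uint8_t in[5], const uint8_t out[5], uint8_t cand[256][5]) {
    uint8_t c[5]; int n = 0;
    for (int j = 0; j < 5; j++)
        c[j] = out[j] ^ T(in[j]) ^ (j == 0 ? out[4] : in[j - 1]);
    for (int guess = 0; guess < 256; guess++) {
        uint8_t x[5], k[5], chk[5];
        x[4] = (uint8_t)guess;
        for (int j = 3; j >= 0; j--) x[j] = c[j + 1] ^ g(x[j + 1]);
        if (c[0] != (uint8_t)(g(x[0]) ^ x[4])) continue;   /* does the cycle close? */
        for (int j = 1; j < 5; j++) k[j] = x[j] ^ T(in[j]) ^ in[j - 1];
        k[0] = x[0] ^ T(in[0]) ^ x[4];   /* pass 1 read key[4] after it was updated */
        memcpy(chk, in, 5);
        mix(chk, k);                     /* confirm by re-running the loop itself */
        if (memcmp(chk, out, 5) == 0) memcpy(cand[n++], k, 5);
    }
    return n;
}

/* Constructed demo: mix with a secret k, then recover it from the (in, out) pair alone.
   Returns the number of candidates, or 0 if the true k was not among them. */
static int demo_recovers(void) {
    const uint8_t in[5] = {0x12, 0x34, 0x56, 0x78, 0x9a};
    const uint8_t secret[5] = {0xde, 0xad, 0xbe, 0xef, 0x01};
    uint8_t out[5], cand[256][5];
    memcpy(out, in, 5);
    mix(out, secret);
    int n = recover_k(in, out, cand);
    for (int i = 0; i < n; i++)
        if (memcmp(cand[i], secret, 5) == 0) return n;
    return 0;
}
int main(void) { printf("%d candidate k (0 = true k missed)\n", demo_recovers()); return 0; }
```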