When I first became interested in cryptology, I made the acquaintance of a software engineer who was writing a European version of the (at the time) standard software toolkit from RSA, "RSARef".
Normally, this would be a futile exercise; why would you want a compatible library from a third party when the original is readily available?
In those days, however, it made perfect sense, because the US Government had declared that encryption software was a "dual-use" technology, and therefore exporting it was illegal.
Encryption software was classed as military goods, and its transfer was covered by the International Traffic in Arms Regulations (ITAR). It was all treated rather seriously, so there was a gap in the market for a compatible toolkit, and my friend's product, RSAEuro, was a moderate commercial success. I ended up writing the developer's documentation.
The US embargo on exporting crypto was rather impractical in the days of the internet, and there was a thriving unofficial competition amongst crypto enthusiasts for the most amusing way to circumvent it.
Commercial users suffered too. We were stuck with 40-bit rather than 128-bit encryption for web applications, crippled firewall VPN modules and so forth. Then there were the inevitable compatibility issues when dealing with international links. It was a real pain.
The US Government finally saw sense and, these days, unless you are in a country on the official "naughty list", you can happily download proper crypto. So you would think the world might have grown up and seen how futile such attempts to limit downloads are.
Enter the DVD community, or more specifically, the HD-DVD and Blu-ray lobby with their new protection scheme, AACS, used on the new high-definition movie formats. Given the embarrassing ease with which DVD's CSS encryption was broken, AACS was hailed as a much better solution.
Digital piracy is an interesting area for crypto people, because it is one of the few areas where crypto attacks are both highly profitable and well published, so it is a fertile ground for novel attacks.
A critical feature of AACS was the use of a "broadcast encryption" scheme. This scheme allows content to be distributed using device keys that can be subsequently revoked, rather than the fixed, unrevocable player keys that were the main weakness in DVD's scheme. If a particular set of keys gets compromised, they can be disabled on discs pressed from then on, defeating the pirates; discs already in circulation, of course, still open with the leaked key.
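To make the revocation mechanism concrete, here is an added example (written for this page, not code from AACS or from the author) of the simplest member of the family AACS's media key block is built on: the "complete subtree" scheme of Naor, Naor and Lotspiech. Devices are leaves of a binary tree and are manufactured holding the key of every node on their root-to-leaf path; a disc carries the media key wrapped once per node of a "cover", a set of disjoint subtrees whose leaves are exactly the devices that have not been revoked. The `LicensingAuthority`, `Player`, tree depth, HMAC-based key derivation and the toy `wrap`/`unwrap` are all assumptions made for the illustration; real AACS uses AES and the more compact subset-difference variant.

```python
import hashlib
import hmac
import os

# Toy "complete subtree" broadcast encryption. Heap numbering: root = 1,
# children of n are 2n and 2n+1, device d is the leaf (1 << depth) + d.
# Every key is derived from one hypothetical licensing-authority secret;
# this is an illustration of the idea, not the AACS key hierarchy itself.


def steiner_nodes(depth, revoked):
    """All nodes on the paths from the root to every revoked leaf."""
    nodes = set()
    for device in revoked:
        n = (1 << depth) + device
        while n >= 1:
            nodes.add(n)
            n //= 2
    return nodes


def cover_for(depth, revoked):
    """Disjoint subtrees whose leaves are exactly the non-revoked devices."""
    if not revoked:
        return [1]                      # nobody revoked: one key covers everyone
    first_leaf = 1 << depth
    steiner = steiner_nodes(depth, revoked)
    cover = []
    for s in sorted(steiner):
        if s >= first_leaf:
            continue                    # leaves have no children to hang off
        for child in (2 * s, 2 * s + 1):
            if child not in steiner:
                cover.append(child)     # this subtree holds no revoked leaf
    return cover


def wrap(key, payload):
    """Toy key wrap for the example: HMAC-derived pad plus an HMAC tag."""
    nonce = os.urandom(16)
    pad = hmac.new(key, b"pad" + nonce, hashlib.sha256).digest()[:len(payload)]
    ct = bytes(a ^ b for a, b in zip(payload, pad))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return None
    pad = hmac.new(key, b"pad" + nonce, hashlib.sha256).digest()[:len(ct)]
    return bytes(a ^ b for a, b in zip(ct, pad))


class LicensingAuthority:
    """Holds the master secret, issues device keys, publishes media key blocks."""

    def __init__(self, depth, master_secret):
        self.depth, self.master, self.revoked = depth, master_secret, set()

    def node_key(self, node):
        return hmac.new(self.master, b"node:%d" % node, hashlib.sha256).digest()

    def device_keys(self, device):
        """The depth+1 node keys a device leaves the factory with."""
        n, keys = (1 << self.depth) + device, {}
        while n >= 1:
            keys[n] = self.node_key(n)
            n //= 2
        return keys

    def media_key_block(self, media_key):
        """One wrapped copy of the media key per cover node, pressed on every disc."""
        return [(n, wrap(self.node_key(n), media_key))
                for n in cover_for(self.depth, self.revoked)]


class Player:
    def __init__(self, keys):
        self.keys = keys

    def recover_media_key(self, mkb):
        # Cover subtrees are disjoint, so at most one entry lies on our path.
        for node, blob in mkb:
            if node in self.keys:
                return unwrap(self.keys[node], blob)
        return None                     # no entry for any subtree we belong to


def demo(depth=3, compromised=5):
    """Press a disc, revoke one device, press another; report who can still play."""
    la = LicensingAuthority(depth, os.urandom(32))
    players = [Player(la.device_keys(d)) for d in range(1 << depth)]
    mk1 = os.urandom(16)
    mkb1 = la.media_key_block(mk1)
    before = [p.recover_media_key(mkb1) == mk1 for p in players]
    la.revoked.add(compromised)         # device 5 leaked its keys
    mk2 = os.urandom(16)
    mkb2 = la.media_key_block(mk2)
    after = [p.recover_media_key(mkb2) == mk2 for p in players]
    return before, after, len(mkb1), len(mkb2)


if __name__ == "__main__":
    print(demo())
```

With eight devices and device 5 revoked, the cover is nodes 2, 7 and 12: one wrapped key per tree level, which is why revoking a single device costs the disc `depth` entries rather than one. Every other player still finds a node on its path; device 5 finds none and cannot open the new disc, though it can still play the old one, whose block was pressed before the revocation.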
This is a nice idea if it works, and it's a pretty big "if". Needless to say, AACS has been attacked by a number of industry experts, and recently one of them succeeded in extracting the so-called "processing key" that allows the decryption of protected discs. This was an impressive technical achievement and led to a few pirate high-definition movies circulating on the net.
The response from the AACS licensing body was legal rather than technical. They issued a number of legal threats to sites hosting the magic 128-bit number, despite claiming that the key in question had already been revoked.
Given that the US Government failed to prevent the widespread export of entire cryptography toolkits, their optimism that they would be able to stop a 128-bit number leaking out is rather naive. The lawyers have since been playing an active game of "whack-a-mole" with the sites that publish the key.
The methods used to extract the key also demonstrate the futility of using general-purpose computers for high-grade crypto: the keys were found sitting in the memory of a software player on the PC, where anyone with a debugger or a memory dump can read them.
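One general way keys turn up "floating around" in RAM, as an added example that is not part of the original column and is not the method used against AACS (the page does not say which method was): a software player using AES-128 normally keeps the 176-byte expanded key schedule next to the key, and a schedule is easy to recognise, because every round key is determined by the 16 bytes before it. Scanning a memory image for 16-byte windows whose FIPS-197 expansion matches the bytes that follow is the heuristic behind the cold-boot research of Halderman et al. and tools like aeskeyfind. The memory image, the offset and the use of the FIPS-197 test key are all constructed for this illustration.

```python
# Find AES-128 keys in a memory image by recognising their expanded key
# schedule. The image below is a constructed stand-in for a player's memory,
# not a real dump; the key is the FIPS-197 Appendix A example key.


def _build_sbox():
    """AES S-box from the GF(2^8) inverse and affine map, so no table is needed."""
    def rotl8(x, s):
        return ((x << s) | (x >> (8 - s))) & 0xff
    sbox = [0] * 256
    p = q = 1                                   # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1b if p & 0x80 else 0)) & 0xff   # p *= 3
        q = (q ^ (q << 1)) & 0xff                               # q /= 3
        q = (q ^ (q << 2)) & 0xff
        q = (q ^ (q << 4)) & 0xff
        if q & 0x80:
            q ^= 0x09
        x = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4)
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def expand_key(key, words=44):
    """AES-128 key expansion (FIPS-197); words < 44 returns a prefix of the schedule."""
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, words):
        t = bytearray(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                           # RotWord
            t = bytearray(SBOX[b] for b in t)           # SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ (0x1b if rcon & 0x80 else 0)) & 0xff
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return b"".join(w)


def find_aes128_keys(image):
    """(offset, key hex) for every window whose full 176-byte schedule follows it."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        if expand_key(cand, 5) != image[off:off + 20]:      # cheap one-word check
            continue
        if expand_key(cand) == image[off:off + 176]:        # confirm all 10 rounds
            hits.append((off, bytes(cand).hex()))
    return hits


KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 example key
KEY_OFFSET = 4096                                           # chosen for the example


def build_image():
    """Constructed 16 KiB image: zeros, a string, random-looking noise, one schedule."""
    import hashlib
    image = bytearray(16384)
    banner = b"media key block  playback buffer"
    image[64:64 + len(banner)] = banner
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
    image[1024:1024 + len(noise)] = noise       # high entropy, but not a schedule
    image[KEY_OFFSET:KEY_OFFSET + 176] = expand_key(KEY)
    return bytes(image)


if __name__ == "__main__":
    print(find_aes128_keys(build_image()))
```

The point of the noise region is that entropy alone does not identify a key; the schedule relation does, which is also why a player that only ever holds the 16-byte key in RAM and recomputes round keys on the fly is marginally harder to search. It is still no defence against a debugger attached to the process.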
Many people have written on the futility of protection schemes for consumer media. There is certainly a benefit in making it difficult to copy media, but assuming it will be impossible is a poor tactic. Despite the ease with which DVDs and CDs can be duplicated, their price is now low enough that copying is more hassle than it is worth for most consumers.
AACS was designed with failure in mind, which was a pragmatic decision. However, at the first hurdle, they have called in the lawyers, which gives me little faith in their technical solution.
- Nick Barron is a security consultant. He can be contacted at email@example.com.
A naive view of crypto
By Nick Barron on Jul 25, 2007 7:57AM