2007-05-03

AACS hacked irevokably

AACS, the new encryption system designed by the movie industry to replace CSS in the new generation of high resolution DVDs, has already had one of its secret keys broken, despite the fact that there are barely any AACS-protected products yet on the market. This encryption key allows the No-Intellectual-Property types to make perfect copies of the new generation of DVDs. My response, as a cryptography guy myself, is "what took them so long?"

When the assault on AACS began, the first victory was won by the hackers who successfully extracted a secret hexadecimal key used to decrypt the movies inside the players into a viewable form. This, in itself, is not devastating, although it is an extremely expensive problem to fix. The MPAA (Motion Picture Association of America) could simply revoke that one key from the keyspace and their problem is solved. Of course, all the HD-DVD players out in the world that use that key for decryption would not be able to play any movies factory-pressed from the date of revocation forward, and that's where the cost occurs. Annoying, yes. Devastating, no.

It is the nature of the attack used to discover that first secret key that makes this devastating. By inserting a modified chip into their player, they can observe the device's handshaking with the message and the invocation of the cryptosystem to verify and decrypt the video. From this chip they can obtain Volume IDs, from which they can derive an unlimited number of valid secret keys. According to the hackers (a most trustworthy group), the infrastructure they have in place cannot be destroyed without tearing the entire AACS encryption scheme to the ground and starting back from scratch. In the words of Elzar: "movie industry, Bam."

The funny thing is that I wouldn't be surprised if they had this hack completed months ago, when the announcement of it would have forestalled the rollout of this new technology. Instead, just as with the original DVD protection, CSS, they wait until the standards are all finalized and millions of players have shipped. At that point, there's really nothing to be done.

Interestingly, tying this back to governance, this little AACS episode represents a stunning victory against the utterly vacuous DMCA. Mass civil disobedience against dumb laws strikes me as a good thing. People have produced songs, T-shits, animated gifs, and heavily obfuscated programs containing these codes. You cannot suppress this speech, and it's pointless to try.

No comments: