HD DVD, Blu-ray protection in question after attacks
Next week, new HD DVD movies will hit the shelves that won't play on some players, the first countermeasure by the content and software industries to combat intensive efforts by hackers to break copy-protection technology.
The move comes four months after hackers first poked a hole in AACS (Advanced Access Content System), the complex encryption scheme used to protect HD DVD and Blu-ray Discs. In the interim, they've been able to decrypt HD DVD movies and, theoretically, upload them to file-sharing networks.
That security gap will be closed, at least for some time, with the new discs. But earlier this month, hackers scored another success in compromising AACS technology, an effort cryptography experts say foreshadows a difficult road ahead in keeping pirates at bay.
The development, disclosed on the Doom9.org forum for video technology aficionados, ironically involved the use of an HD DVD drive within the Xbox, the gaming system from Microsoft Corp., one of the backers of the AACS system.
The new method uses the Xbox's HD DVD drive to read the volume ID for a disc, one piece of information needed to eventually decrypt and copy a disc.
AACS uses a system of numeric keys on playback software and discs to allow a movie to play. Once a hacker obtains a "device key" -- a numerical code within the playback software -- that key can unlock other mechanisms in place designed to block decryption of a movie.
Through sophisticated software probes, hackers found the device key in InterVideoDVD, a software program now owned by Corel Corp. On April 6, Corel issued an update for the InterVideo WinDVD playback software that refreshes and further obscures those device keys. New HD DVDs issued after April 23 will not work on players running the old software.
The technique is known as "device key revocation," a feature of AACS that allows it to block players running software whose device key has been compromised. The upgrade is mandatory, as new movies have been programmed to not play on the old software.
It's the first time the content industry has used the revocation feature, and probably not the last. But supporters of AACS said it is designed to roll with the punches from hackers.
"The attacks -- all of them -- represent only attacks on individual players," said Michael Ayers, an attorney who is chairman of the business group of AACS Licensing Administrator, the trade group that represents vendors supporting the technology, which include Sony Corp., Toshiba Corp., The Walt Disney Co. and Warner Bros.
"They don't represent hacks of AACS itself," he said, adding that the industry expects more hacking attempts.
Ayers said a lag between when a system is attacked and when the industry can respond is inevitable, given that it takes time to investigate what the hackers are doing and eventually give the film industry and manufacturers enough time to respond. He defended AACS as "robust."
Cryptography experts tend to differ since the determination of the hackers and the availability of tools to analyze software puts AACS at a disadvantage. They think hackers will be copying the new discs sooner rather than later.
That's because each time around, the hackers gain more and more knowledge about AACS, and efforts to restructure playback software to make it more impenetrable are more difficult, wrote Ed Felton, a professor of computer science and public affairs at Princeton University in New Jersey.
What Corel has essentially done with its update is obfuscate where the device key is now located in the software.
But "it's a game that inherently favors the attackers," Felton wrote on his blog, Freedom to Tinker. "My guess is that the attacks will extract keys from the new software within about three weeks of its availability."
That will require software makers to issue new software again, which will have to resist further attacks, Felton wrote.
Alex Halderman, a doctorate candidate in computer science at Princeton, said the latest Xbox attack showed a sophisticated level of reverse hardware engineering.
"This may be the test in whether AACS is going to provide any value to the movie studios in the long run," Halderman said. "If the new version is broken very shortly ... then it looks like the long-term prospects of AACS are very bleak. We'll probably see this game repeated forever."
IDG News Service
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
Enterprise 2.0 Implementation
By Aaron C. Newman, Jeremy Thomas
Published by McGraw-Hill
Learn more!
Deploying Cisco Wide Area Application Services
By Zach Seils, Joel Christner
Published by Cisco Press
Learn more!
