Thread: Was a mistake made in the design of AACS?




Was a mistake made in the design of AACS?
United States
2007-05-02 14:07:30
Expanding my last message to make it clearer:

Schemes like the AACS one work quite well for satellite TV broadcast protection. In such systems, one's goal is to disable the units owned by rogue subscribers, but the only "inventory" that one might ruin by a key invalidation is a bit of electromagnetic radiation in transit from the broadcast site to the subscribers. Little is lost by performing a revocation.

An ongoing business relationship exists with the legitimate subscribers as well, so they can receive updates in the form of hardware tokens that are difficult to reverse engineer "quickly enough". Further, the users of unauthorized decoders are in a bit of a bind -- they cannot retrieve last month's broadcasts while waiting for new keys, so if they want entertainment now they need to have a continuous supply of keys fed in real time.

In the HD-DVD/Blu Ray case, the model is very different. End users of hardware players have no ongoing relationship with the provider, so one cannot be guaranteed the ability to update. All old disks sold can be compromised, and they constitute a substantial risk, as does the actual inventory of disks waiting to be sold. Additional economic hardship comes from the fact that there is non-zero effort involved in sending new masters to production houses and in tracking dead inventory.

As I noted, in the direct broadcast satellite case "slow leaks" of keys over extended periods of time are not of much use to the end users and are not of much damage to the system owners, but in the AACS case "slow leaks" are actually exceptionally damaging. Were the bad guys to release just one key every couple of months it would effectively destroy the system.

There is also the issue of differing threat models. In a broadcast system, you are attempting to assure that people watching the real time broadcast are paying you money. In the high def video disk case, you have several quite different goals from the broadcast case. One is to enforce region encoding so that you can charge U.S. customers a large multiple of what you charge, say, a Chinese customer for exactly the same material. The second is to prevent people from retrieving the content in a form they can send to their friends over the internet. A third goal is to keep customers from being able to use content in unplanned ways so you can up-sell them to a newer format later on. (Note that the DRM scheme does *not* prevent actual commercial piracy of disks, since pirates can simply press bit for bit identical disks.)

Goals one through three are all failures even if key data leaks only quite slowly to the public. You will be just as interested in preventing people from watching different region HD-DVDs that are three months old as you will in preventing them from watching ones that are only days old. You will be just as interested in preventing people from uploading the contents of Blu Ray disks that are a few months old as you will in preventing uploads that are from brand new releases. On part three, the failure would be quite complete -- collectors of HD discs will be able to transfer their old discs to their new UltraVideoPseudoPods in ten years, thus eliminating the lucrative business of selling them content they have previously bought in a new format.

My feeling, then, is that the entire HD protection scheme was a miscalculation. Methods like this worked just fine for satellite TV, and they were then applied without sufficient thinking about threat models to a new domain where things are quite different.

This seems to me to be, yet again, an instance where failure to consider threat models is a major cause of security failure. It is not enough to throw clever algorithms at things -- you have to consider what it is that you are trying to defend against specifically, and how those algorithms will lead to the specific security goals.

I will again solicit suggestions about "optimal" strategies both for the attacker and defender for the AACS system -- I think we can learn a lot by thinking about it. It would be especially interesting if there were modifications of the AACS system that would be more hardy against "economic attacks" -- can you design the system so that slow key revelation is not an economic disaster while still maintaining an offline delivery model with offline players entirely in the enemy's control? I don't think you can, but it would be very interesting to consider the problem in detail.

-- 
Perry E. Metzger		perrypiermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomometzdowd.com

Re: Was a mistake made in the design of AACS?
Germany
2007-05-02 15:34:49
* Perry E. Metzger:

> This seems to me to be, yet again, an instance where failure to
> consider threat models is a major cause of security failure.

Sorry, but where's the security failure?  Where can you buy hardware devices that can copy HD disks?  Or download software that does, with a readily usable interface?

In that sense, even CSS hasn't really been broken.

Even the flurry of DMCA takedown notices isn't necessarily a bad move. It might help to shape the future of how access to content is regulated in some very particular way.


Re: Was a mistake made in the design of AACS?
United States
2007-05-02 15:53:50
Florian Weimer <fwdeneb.enyo.de> writes:
> * Perry E. Metzger:
>> This seems to me to be, yet again, an instance where failure to
>> consider threat models is a major cause of security failure.
>
> Sorry, but where's the security failure?  Where can you buy hardware
> devices that can copy HD disks?  Or download software that does, with
> a readily usable interface?

You can't, but I think that is more a question of the market size. Right now there are very few HD-DVDs and Blu Ray discs on the market, and most people have DVD drives but not HD-DVD or Blu Ray drives. (I don't know that I've ever even seen such a drive to date, but that will surely change in a year.) Until there is a significant percentage of the user community with an "itch to scratch" the software will not appear. However, it is now very clear that the software is quite doable once people want it.

> In that sense, even CSS hasn't really been broken.

I watch DVDs all the time on my open source OS laptop using software that depends on DeCSS. It is quite nice software -- the UI is more or less as good as any of the Windows DVD players. (If the MPAA or DVD copy control folk want to try prosecuting me for watching DVDs I've bought legitimately using software they don't approve of, they are welcome to try -- I suspect that they don't have much of a chance of winning.)

I haven't used extraction software myself for real (I have no need for it at the moment -- I don't need my DVD library online) but there are a number of programs out there that allow you to extract the content from DVDs to your hard drive as easily as you can do it for a CD. They're pretty easy to find, even for Windows and OS X, and in my tests the UIs appeared to be pretty much easy enough for an ordinary person to use. These programs also depend on DeCSS, of course.

> Even the flurry of DMCA takedown notices isn't necessarily a bad move.
> It might help to shape the future of how access to content is
> regulated in some very particular way.

I doubt they'll get very far. Their best bet for suppression is to sue a selected subset of people for publishing the process key, but beyond bad publicity I don't see what practical benefit they might get.

Especially in the US, they may also eventually run up against the first amendment. I know that one judge in the 2600 case believed that "the constitution is not a suicide pact", but those were different days. That case happened when the community was far less prepared, was not shepherded by ideal people, and did not set a real precedent. I think it might be harder to ramrod a similar case through the courts now, especially given that the Supreme Court has never ruled on this, and especially since programs like the ones I use to watch DVDs are clear and obvious legitimate uses and can be demonstrated to and understood even by members of the judiciary.

-- 
Perry E. Metzger		perrypiermont.com

