slide1 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Content Scramble System for DVD PeiXian Yan,Bo Zhou,Gang Liu, ZongPeng Liu, Matthew Black PowerPoint Presentation
Download Presentation
Content Scramble System for DVD PeiXian Yan,Bo Zhou,Gang Liu, ZongPeng Liu, Matthew Black

Loading in 2 Seconds...

play fullscreen
1 / 52

Content Scramble System for DVD PeiXian Yan,Bo Zhou,Gang Liu, ZongPeng Liu, Matthew Black - PowerPoint PPT Presentation


  • 162 Views
  • Uploaded on

Content Scramble System for DVD PeiXian Yan,Bo Zhou,Gang Liu, ZongPeng Liu, Matthew Black December 6,2004 Supervised by Andy Brown. Content Scramble System. Introduction to CSS and DeCSS Encryption on the DVD in CSS How a DVD player plays DVD Cryptanalysis of CSS

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Content Scramble System for DVD PeiXian Yan,Bo Zhou,Gang Liu, ZongPeng Liu, Matthew Black' - carlos-cannon


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1
Content Scramble System for DVD

PeiXian Yan,Bo Zhou,Gang Liu, ZongPeng Liu, Matthew Black

December 6,2004

Supervised by Andy Brown

content scramble system
Content Scramble System
  • Introduction to CSS and DeCSS
  • Encryption on the DVD in CSS
  • How a DVD player plays DVD
  • Cryptanalysis of CSS
  • Comparison with other techniques
  • Conclusion
introduction
Introduction
  • What is CSS?

CSS: Content Scramble System.

It is the data scrambling method used to garble the content of a DVD disc.

Data on DVD is protected by CSS,DVD can not be copied.

Only be usable with licensed DVD playback mechanisms.

Windows and MAC have CSS licence. Linux does not.

introduction1
Introduction
  • How does CSS work?

Every DVD player on the market today is coded with a small set of "player keys"

Every DVD disc on the market today is coded with a "disk key", identifying that disc.

When a DVD player attempts to read a DVD, the player uses it's player key and proceeds down the list of encrypted disk keys on the disc .

introduction2
Introduction
  • Cannot play DVD under Linux OP
  • DeCSS introduced.
  • What is DeCSS ?

DeCSS is an executable binary utility, written for Microsoft Windows.

Unscrambled MPEG-2 video files can be copied to the user's hard drive by DeCSS.

MPEG-4 video files can be made from DVD very easily,which is very easy to transfer through the web.

introduction3
Introduction

How to store the DVD data in to PC

DVD PC

MPEG-2

file

(protected

By CSS)

‘ *.vob ’ file MPEG-4 file

(very large) (much smaller)

DeCSS

FlaskMPEG

introduction4
Introduction
  • Where does DeCSS come from?

An anonymous German hacker from MoRE(master of reverse engineering) was respons for writing the code.

Jon Johanson, a 16-year-old Norwegianput it on to the web in late September 1999.

MPAA(The Motion Picture Association of America )’s response.

introduction5
Introduction
  • How does DeCSS work ?

DeCSS operates much as any other DVD player operates - it uses a player key to unscramble the scrambled contents of a DVD to make playable MPEG-2 video files.

All versions of DeCSS currently in release are built around the Xing player key, which reportedly has been revoked. If this is true, no newly-released DVDs can be descrambled with this player key; DeCSS will not work on these DVDs.

introduction6
Introduction
  • Why was CSS made so weak?

CSS uses a 40-bit key. Even if the scrambling algorithm is well-designed, the short key length means that a brute-force search will quickly find the key !

Since at the time (in 1996) the U.S. export regulations banned export of strong encryption technologies.

introduction7
Introduction

CSS is different from other examples of cryptography such as encrypted e-mail. Unlike encrypted e-mail where the objective of the encryption is to maintain privacy, CSS has nothing to do with maintaining privacy or secrecy of the video. Anyone who buys a DVD containing a CSS "encrypted" movie can view that movie by placing it in a DVD player. This is totally unlike encrypted mail which only the intended recipients can read.

css overview
CSS Overview
  • Protection from piracy
  • Client-host authentication
  • Enforce region-based codes
  • Stream encryption
keys for in css
Keys for in CSS
  • Region key
  • Authentication key
  • Session key
  • Player key
  • Disk key
  • Title key
  • Sector Key- in bytes 80-84 of a sector (a logical or physical group of bytes recorded on the disc)
encryption in css
Encryption in CSS
  • System’s security depends entirely on the insides of the keystream generator.

(APPLIED CRYPTOGRAPHY, BRUCE SCHNEIER)

  • So……what keystream we need?
  • Pseudo-random bit stream
      • Generates unpredictable key-stream (at least in any reasonable amount of time, harder time to break it)
generic lfsr
Generic LFSR
  • A shift register
  • Tap sequence
  • Certain tap sequences will cycle through all 2^n-1 possible internal states (called maximal length LFSR)

Output

XOR

Feedback Path

css lfsr17

1

0

1

1

1

1

0

0

1

0

1

0

1

0

0

1

1

XOR

Output

CSS’ LFSR17
css lfsr171

1

0

1

1

1

1

0

0

1

0

1

0

1

1

0

1

1

XOR

Output

CSS’ LFSR17
css lfsr172

1

0

1

1

1

1

0

0

1

0

1

0

1

1

0

1

1

1

1

XOR

Output

CSS’ LFSR17
css lfsr173

1

0

1

1

1

1

0

0

1

0

1

0

1

1

0

1

1

0

XOR

Output

CSS’ LFSR17
css lfsr174

0

1

0

1

1

1

1

0

0

1

0

1

0

1

1

0

1

1

XOR

Output

0

CSS’ LFSR17
css lfsr175

0

1

0

1

1

1

1

0

0

1

0

1

0

1

1

0

1

1

0

XOR

Output

0

CSS’ LFSR17
css lfsr176

0

1

0

1

1

1

1

0

0

1

0

1

0

1

1

0

1

1

XOR

Output

0

CSS’ LFSR17
css lfsr177

1

0

1

0

1

1

1

1

0

0

1

0

1

0

1

1

0

1

XOR

Output

01

CSS’ LFSR17
css lfsr178

1

0

1

0

1

1

1

1

0

0

1

0

1

0

1

1

0

1

0

XOR

Output

01

CSS’ LFSR17
css lfsr179

1

0

1

0

1

1

1

1

0

0

1

0

1

0

1

1

0

XOR

1

Output

01

CSS’ LFSR17
css lfsr1710

1

1

0

1

0

1

1

1

1

0

0

1

0

1

0

1

1

0

XOR

Output

011

CSS’ LFSR17
css s lfsrs
CSS’s LFSRs
  • CSS: LFSR17 (2 bytes+1bit seeded in bit 4)
  • CSS: LFSR25 (3 bytes+1bit seeded in bit 4)
  • So……CSS uses a 40-bits key
  • Addition between the LFSRs
more on lfsr

LFSR-17

Optional bit-wise inverter

+8-bit add

1 byte

LFSR-25

Optional bit-wise inverter

Carry-out

Carry-out from

the previous

addition

More on LFSR
  • Bit-wise Inverter before addition

1 byte

Output-byte

  • Bit-wise Inverter before addition
data encryption
Data Encryption
  • LFSRs are seeded
  • Generates pseudo-random bit stream
  • Substitution on Video data byte
  • XORed the bitstream and Substitution
data encryption1
Data Encryption

XOR

Output byte from LFSRs

Output data bytes

Input data byte

Table-based substitution

key encryption decryption
Key Encryption/Decryption

CSS streamcipher used to encrypt/decrypt keys

Bytes of

Ciphertext

0

1

2

3

4

Permutation

table

Permutation

table

Permutation

table

Permutation

table

Permutation

table

+

K0

+

K1

+

K2

+

K3

+

K4

Permutation

table

Permutation

table

Permutation

table

Permutation

table

Permutation

table

+

+

+

+

+

K0

K1

K2

K3

K4

Bytes of

Plaintext

1

2

3

4

5

play a css protected disc
Play a CSS protected disc
  • DVD itself
  • Content delivery in between
  • DVD player
dvd and dvd player
DVD and DVD player
  • Encrypted content (hidden area)
  • A table of encrypted disk keys, disk hash
  • Player keys (used to decrypt the disk key)
  • Region code( identifies in where player should be used)
  • Another secret (used for authentication)
mutual authentication
Mutual Authentication
  • Between the Host and the Player.
  • With the authenticated device (licensed by the DVD Copy Control Association)
  • Verifies both sender and receiver are licensed to use the system
  • A session key is agreed on to prevent eavesdropping
mutual authentication1
Mutual Authentication

Request AGID

Drive

Host

AGID

Initiaization done

Initialization done

Chanllenge(H) (nonce)

Encrypted Chanllenge(H)

Encrypt Challenge

Decrypt and verify

Challenge(H)

Chanllenge(D) (nonce)

Encrypt Challenge(D)

Encrypted(D)

Success or Failure

Decrypt and verify

Challenge(D)

Session key is encrypted

Challenge(H) + Challenge(H)

Session key is encrypted

Challenge(H) + Challenge(H)

data transfer
Decrypt disk key

Verify disk key (hash)

Decrypt the title key

Data decrypted by the XOR of the title key and the sector

Data transfer
brute force attack on disk keys
Brute Force attack on disk keys
  • CSS only uses 40 bit keys
  • Possible to find disk key by looking at 240 possible disk keys.
  • This attack is in fact possible with a complexity of 225 by attacking the hashmaking it feasible in runtime applications
attack with 6 bytes of lfsr output
Attack with 6-bytes of LFSR output.
  • Not a terribly useful attack, we don’t normally have 6-bits lying around
  • Provides a 216 attack on the algorithm
    • Allows us to find 16(plus 1) bit register
    • Find input of LFSRS
    • Hence we have the key.
attack with 6 bytes of lfsr output1
Attack with 6-bytes of LFSR output.
  • For each Guess of the contents of LSFR-17
    • Clock out 4 bits
    • Get the output of LSFR-25 by subtracting
    • Workout the contents of LSFR-25 from the output
attack with 5 bytes of lfsr output
Attack with 5-bytes of LFSR output.
  • Much more practical here
  • For each guess of contents of LSFR-17
    • Clock out 3 bytes from LSFR
    • Determine corresponding bytes from LSFR-25
    • Reveals all but highest order bit from LSFR-25
    • Attempt to verify each final bit.
css mangling
CSS Mangling
  • When used to encrypt keys an additional mangling step takes place
  • By trying all 256 possibilities
  • Possible to recover 5 output bytes from LSFRS and hence find key from above attack
copy protection methods integrated within dvds
Copy protection methods integrated within DVDs
  • Copy Generation Management System (CGMS)
  • Analog Protection System (APS)
  • Content Scrambling System (CSS)
slide44
CGMS
  • Each sector of a DVD disc includes CGMS that defines how many times the data can be copied.
  • Three copying “states”:

--copy enable, copy one generation, copy

never

  • Two formats:

--analog(i.e., CGMS-A), digital(i.e., CGMS-D)

slide45
APS

A method of forcing copies to be degraded or inhibited when copies are made of video signals containing the Macrovision signals.

Two separate technologies:

Automatic Gain Control (AGC)

Color Stripe

slide46
CSS
  • A data encryption and authentication scheme intended to prevent copying video files directly from the disc.
the various approaches
The various approaches
  • Content Protection for Recordable Media (CPRM)
  • Content Protection for Pre-recorded Media (CPPM)
  • Content Protection System Architecture (CPSA)
  • Digital Transmission Content Protection (DTCP)
the various approaches1
The various approaches
  • High-bandwidth Digital Content Protection (HDCP)
  • Extended Conditional Access (XCA)
  • Advanced Access Content System (AACS)
css cppm
Protects video content distributed on DVD

Uses 40-bit key

Weak key management

Common weakness

Protect pre-recorded DVD audio content

Uses 56-bit key

Better key management

Common weakness

CSS CPPM
css vs aacs
CSS vs AACS
  • CSS uses a 40-bit key.

----brute force attack can be carried

out with a complexity of 240

  • AACS uses AES-128

----brute force attack can be carried

out with a complexity of 2128

css vs aacs1
CSS vs AACS
  • AACS uses advanced Media Key Block (MKB) to manage and revoke keys
  • AACS would potentially allow people to store copies of a movie on home computers and watch it on other devices connected to a network—or even transfer it to a portable movie player
conclusion
Conclusion
  • A Mechanism of encrypt data to DVD disk.
  • Still been used?