encryption schemes for copy protection of digital...

Encryption Schemes for Copy Protection of Digital Media:

High-bandwidth Digital Content Protection

Jeremy Barthélemy Anurag Kamat Haldonker

Introduction

Today we will discuss the following: • HDCPv1 Brief History • How HDCPv2 Functions •  Possible Weaknesses of HDCPv2

A Brief History of…HDCPv1

• Weakness of V1 announced as early as 2001 • Version 1 is susceptible to conspiracy attacks i.e.

obtaining the keys of at least 40 devices and reconstructing the secret symmetrical master matrix used to compute these keys.

• HDCP 1.3 encryption standard broken in November 2011.

HDCP v1 & v2 Co-existence •  HDCPv2 is NOT a continuation of HDCPv1 but is rather a different

protocol by itself

•  HDCPv2 devices natively support HDCPv1.

•  HDCPv1 device needs a dedicated converter to work with devices which run only version 2.

Authentication & Key Exchange HDCPv1 HDCPv2

Authentication & Key Exchange •  Transmitter generate 64-bit value rtx and sends it to the Receiver

along with its information. •  Receiver replies with its certificate & information (within 100ms). •  Transmitter sends master key km, encrypted with 128-bit key kh,

which may or may not be stored. •  If km stored then its encrypted and directly sent. •  If the km is not stored then the transmitter authenticates the

receiver using the 3072-bit RSA public key kpubdcp present with it.

•  Receiver generates rrx then generates hash H’ which it sends to Transmitter within 1ms.

•  Transmitter generates hash H and compares with H’. •  Only when master key is not stored Receiver sends encrypted master

key to the Transmitter.

Authentication & Key Exchange

•  HDCPv2 uses certificates instead of using plain public keys which provides added security

•  Master key is 128-bits instead of 56-bits and may or may not be stored with the transmitter

HDCPv2 Locality Check Feature 1.  Upstream transmitter sends signal to the receiver 2.  Timer at transmitter starts 3.  If timer expires before signal is returned, session terminates 4.  Feature not present in HDCPv1

Locality Check (2)

Locality Check (3)

•  rn is a Transmitter generated 64-bit pseudo-random number •  Receiver sends L’ = HMAC-SHA256(rn , kd XOR rrx)

•  A total of 1024 attempts allowed to ensure locality

Key Provisioning for Source Devices - Simplified

HDCPv1 Encryption

HDCP Cipher uses Linear Feedback Shift Registers, a block module and a compression function to produce a key stream.

HDCPv1 Encryption (2)

HDCP Cipher HDCP Block Module

HDCPv2 Encryption

Summary of HDCPv1 v/s HDCPv2 HDCPv1 HDCPv2

For wired scenarios, uncompressed data

For wired or wireless scenarios, compressed or uncompressed data

No locality check needed Locality check needed

Keys on source and sink devices Global constant on source devices, unique receiver ID and keys on sink devices

Seamless interoperability with HDCPv2 enabled devices

Seamless interoperability with HDCPv1 enabled devices

Robust cryptography Enhanced, state-of-the-art cryptography

HDMI, DVI, DisplayPort, GVIF, UDI TCP/IP, USB, Wi-Fi, WHDI

Possible Weaknesses of HDCPv2

• As of now no known attack on HDCP version 2. BUT: •  Possible weakness in the locality check

Conclusion

• HDCPv2 improves over its predecessor, although we are not convinced that it will offer long-lasting protection for intellectual media.

• HDCPv2 is applicable to only new technologies and has not replaced HDCPv1.

Questions??