AACS and Processing Key

Perry E. Metzger perry at piermont.com
Wed May 2 14:32:24 EDT 2007


hal at finney.org ("Hal Finney") writes:
> The interesting thing is that publishing a processing key like this does
> not provide much information about which device was cracked in order
> to extract the key.  This might leave AACSLA in a quandary about what to
> revoke in order to fix the problem.  However in this particular case the
> attackers made little attempt to conceal their efforts and it was clear
> which software player(s) were being used.  This may not be the case in
> the future.
>
> AACSLA has announced that they will be changing the processing keys used
> in disks which will begin to be released shortly.  Software players have
> been updated with new device keys, indicating that the old ones will be
> revoked.  In the context of the subset-difference algorithm, there will
> now probably be a few encryptions necessary to cover the whole tree while
> revoking the old software player nodes as well as the pre-revoked node.
> This will make the processing key which has been published useless for
> decrypting new disks.

However, it is still fine for decrypting old disks, and thus
revelation of this sort of information ruins inventory, which is very
expensive.

All cryptography is about economics. In crypto, we usually consider
what the best strategy for an attacker is in terms of breaking a
cryptosystem, but here I think the right question is what the optimal
strategy is for the attacker in terms of maximizing economic pain for
the defender. I'd be very interested in what the "optimal" strategy is
for the attacker in a system like this, and what possible changes
could be made to such a system to defeat such strategies.

At first glance, it would seem that, for the attackers, the right
strategy is not to flood the world with newly cracked keys but to
release them quite slowly. Let's say that the lifetime of the
technology in question is somewhere around ten years. Releasing one
key on the order of every two months or so -- only sixty keys in all
over the life of the technology -- would be crippling. It would render
all inventory in warehouses and the production pipeline useless, at
quite minimal cost to the attackers. The defenders then have a choice
-- destroy all your inventory, or give up. (Or, do they have alternate
strategies here?)

Anyone very familiar with AACS have ideas on what optimal attack and
defense strategies are? This seems like a fertile new ground for
technical discussion.

Perry
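The subset-difference cover computation that the quoted post refers to (each subset is one encryption of the media key), as an added example that is not part of the original thread; it assumes a complete binary device-key tree with heap-style node numbering, and the revoked leaf numbers in the test scenario are constructed:

```python
# Added example, not code from the original post: the subset-difference (SD)
# cover algorithm of Naor, Naor and Lotspiech that AACS uses. Nodes are
# heap-numbered: root = 1, children of n are 2n and 2n+1, leaves of a tree
# of height h are 2**h .. 2**(h+1)-1.

def _is_descendant(n, v):
    """True if node n lies in the subtree rooted at v (v included)."""
    while n > v:
        n //= 2
    return n == v

def sd_cover(revoked):
    """Subsets S(i, j) = leaves under i minus leaves under j whose union is
    exactly the non-revoked leaves. Each subset costs one media-key encryption."""
    if not revoked:
        return [(1, None)]  # nothing revoked: one subset covers the whole tree
    steiner = set()  # Steiner tree T: nodes on root-to-revoked-leaf paths
    for leaf in revoked:
        while leaf >= 1:
            steiner.add(leaf)
            leaf //= 2
    cover = []
    while True:
        t_leaves = [n for n in steiner
                    if 2 * n not in steiner and 2 * n + 1 not in steiner]
        if t_leaves == [1]:
            break  # T has collapsed to the root: cover complete
        if len(t_leaves) == 1:
            vi = vj = t_leaves[0]
            v = vl = vr = 1
        else:
            # Deepest branching node of T: each child subtree holds one T-leaf.
            v = max(n for n in steiner if 2 * n in steiner and 2 * n + 1 in steiner)
            vl, vr = 2 * v, 2 * v + 1
            vi = next(n for n in t_leaves if _is_descendant(n, vl))
            vj = next(n for n in t_leaves if _is_descendant(n, vr))
        if vl != vi:
            cover.append((vl, vi))
        if vr != vj and vr != vl:
            cover.append((vr, vj))
        # Prune below v so that v becomes a leaf of T.
        steiner = {n for n in steiner if n == v or not _is_descendant(n, v)}
    return cover

def covered_leaves(height, cover):
    """Leaf numbers a cover reaches; used to check that exactly the
    non-revoked leaves get the media key."""
    leaves = range(2 ** height, 2 ** (height + 1))
    return {l for l in leaves for i, j in cover
            if _is_descendant(l, i) and (j is None or not _is_descendant(l, j))}
```

On an 8-leaf tree (height 3), revoking a pre-revoked leaf 9 plus a cracked player at leaf 12 yields the two subsets S(2, 9) and S(3, 12), so the MKB for new discs carries two encryptions instead of one; adding a third revoked leaf elsewhere raises it to three.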

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
