Criminal conduct and "cryptography." (Adobe vs. Sklyarov)

Eric Rescorla ekr at speedy.rtfm.com
Wed Jul 18 17:54:33 EDT 2001


"Jay D. Dyson" <jdyson at treachery.net> writes:
> 	As Weld Pond of @stake (formerly the l0pht) has noted, the dire
> predictions made on the quality of digital content protection in the
> age of DMCA have come to fruition.  Where there could have been honest and
> accurate peer review, we now have little but more snake oil being pawned
> off as "secure."
> 
> 	To review Sklyarov's presentation on how trivial it is to bust
> Adobe's "encryption," please see the following URL:
> 
> 	http://www.treachery.net/~jdyson/ebooks/
> 
> 	Take a look at the findings there.  You will be amazed as well as
> sickened that any self-respecting company could call this tripe
> "protection."
> 
> 	It's a sad day when it's cheaper to make a shoddy product and rely
> on law enforcement to protect your product than it is to make a decent
> product in the first place.  Bottom line is thus: all of us -- regardless
> of whether we use Adobe's products -- are now paying fees (taxes) to
> assure that their product is protected.
It seems to me that the quality of the encryption is a side issue
in this case.

In general, DRM systems of this type need to be concerned with
two classes of attacks:
(1) content recovery by unauthorized users (i.e. random individuals
who get access to the encrypted content)
(2) content recovery by authorized users (i.e. people who are 
authorized to view the content in some authorized device but
not to extract the raw plaintext, etc.)

The quality of the encryption being used only applies to attackers
of type (1) since attackers who have the key will be able to recover
the plaintext no matter what the encryption algorithm is, provided
that they know the algorithm. It's not in principle any more difficult
to reverse engineer a binary implementing a strong algorithm than one
implementing a weak one.

As far as I can tell, ElcomSoft's decryption utility requires the
user to input the password. Therefore it would only be of use
to attackers in class (2). While the encryption is admittedly bad
the situation wouldn't be any better from Adobe's perspective
if the encryption were good.

Similar comments apply to CSS--although it uses a weak algorithm
which could in principle be exhaustively searched, this isn't necessary
since a key has been recovered by reverse engineering an authorized
decoder.

Why bother to make this distinction? Because eventually we'll run
into a DRM system which uses a strong encryption algorithm. It will
still be breakable since we don't know how to protect against attackers
of class (2) but we won't be able to say "hey, these losers are
using ROT13". We might as well start fighting that battle because
we'll need to soon enough in any case.

-Ekr







---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com




More information about the cryptography mailing list