can a random number be subject to a takedown?
Jon Callas
jon at callas.org
Tue May 1 17:33:01 EDT 2007
On May 1, 2007, at 12:53 PM, Perry E. Metzger wrote:
>
> A lot of sites have been getting DMCA takedowns for the HD-DVD
> processing key that got leaked recently.
>
> My question to the assembled: are cryptographic keys really subject to
> DMCA subject to takedown requests? I suspect they are not
> copyrightable under the criterion from the phone directory
> precedent.
My tongue is slightly in my cheek as I say this: once a random number
is known, it's not random any more. An idealized property of random
numbers like keys is that there be no algorithm for producing it that
is better than guessing. I can presently guess this key with
probability greater than 2^-128 using this algorithm in a C-like
pseudocode:
unsigned char* guess_key(void)
{
unsigned
char key[] = {0x0a, 0xFa, 0x12, 0x03,
0xD9, 0x42, 0x57, 0xC6,
0x9E, 0x75, 0xE4, 0x5C,
0x64, 0x57, 0x89, 0xC1};
return key;
}
(Or it would if I'd put the actual AACS key in there.)
The question is if a *specific* key can be taken down. This is open
to argument, because the DMCA only applies to things that are
copyrightable, and one can argue that keys are not copyrightable
convincingly. (Sketch of argument: if keys were copyrightable then I
could copyright a list of all keys. I can't copyright a database, or
even a phone book, so the notion that I could copyright a list of all
numbers in the set [0..N] is absurd.)
As far as anti-circumvention goes, keys themselves can't be used for
circumvention. Assuming that the above were the AACS key, I couldn't
use it to circumvent because I don't know the right protocol to use.
Consider another scenario: one can use a brick to smash a window, but
possessing a brick does not mean you've broken windows. If I have a
proper key, but no software, I am not capable of circumventing.
Likewise, if I had software that could do the crypto, but no key, I'm
not capable. It is only if I have both the software and the key that
I have something that *might* be a circumvention device. Even things
that might be circumvention devices are not always. The test in the
DMCA is if its primary purpose is for circumvention. This is why
debuggers are not circumvention devices. It is only when you use the
potential circumvention device to circumvent that you've done the
equivalent of throwing the brick through the window.
Jon
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list