Content Scrambling System (CSS) Gregory Kesden, Carnegie Mellon University, 15-412/Fall 2000


Content Scrambling System (CSS) Gregory Kesden, Carnegie Mellon University, 15-412/Fall 2000 This is a draft document. Please report errors, omissions, or ambiguities. This is a teaching tool, not a specification or technical document. It is overly simplified, incomplete, and likely inaccurate (see above). It is not warranted for any purpose. Use at your own risk.

System Overview (diagram; only its labels survive)
– DVD Player: Player Keys, “Secret” Key, Region Code, &c.
– Computer/Host: “Secret Key”
– Bus between player and host: Bus Key
– DVD: Region Code; a Hidden Area holding the Table of Encrypted Disk Keys and the Disk Key Hash; per title, a Title Key

Overview of Keys
– Authentication Key: This “secret” is used as part of the mutual authentication process.
– Session Key (Bus Key): This key is negotiated during authentication and is used to encrypt the title and disk keys before sending them over the unprotected bus. The encryption is necessary to prevent eavesdropping.
– Player Key: This key is licensed by the “DVD Copy Control Association” to the manufacturer of a DVD player. It is stored within the player. It is used to establish the trustworthiness of the player, and it is used to decrypt the disk key.
– Disk Key: This key is used to encrypt the title key. It is decrypted using the player key.
– Sector Key: Each sector has a 128-byte plain-text header. Bytes of each sector’s header contain an additional key used to encode the data within the sector.
– Title Key: This key is XORed with a per-sector key to encrypt the data within a sector.

Overview of Process
Step 1: Mutual Authentication – The host and the drive use a challenge-response system to establish their trustworthiness to each other. In the process, they negotiate a session key.
Step 2: Decoding disk – The DVD player tries each of several player keys until it can decode the disk key. The disk key is a disk-wide secret.
Step 3: Send disk and title keys – The title and bus keys are sent from the player to the host. The session key is used to encrypt the title and disk keys in transit to prevent a man-in-the-middle attack.
Step 4: – The DVD player sends a sector to the host.
Step 5: – The host decodes the title key using the disk key.
Step 6: – The host decodes the sector using the title key and the sector key in the sector’s header.

Linear Feedback Shift Register (LFSR)
Pseudo-random bit stream
– One technique used to encode a stream is to XOR it with a pseudo-random bit stream. If this random-looking bit stream can be regenerated by the receiver of the message, the receiver will be able to decode the message by repeating the XOR operation.
Linear Feedback Shift Register (LFSR)
– The LFSR is one popular technique for generating a pseudo-random bit stream. After the LFSR is seeded with a value, it can be clocked to generate a stream of bits.
– Unfortunately, LFSRs aren’t truly random – they are periodic and will eventually repeat.
– In general, the larger the LFSR, the greater its period. Its period also depends on the particular configuration of the LFSR.
– If the initial value of an LFSR is 0, it will produce only 0’s; this is sometimes called null cycling.
– LFSRs are often combined through addition, multiplexers, or logic gates, to generate less predictable bit streams.

Generic LFSR (diagram labels: feedback function, feedback path, taps, output) The register is seeded with an initial value. At each clock tick, the feedback function is evaluated using the input from the tapped bits. The result is shifted into the leftmost bit of the register. The rightmost bit is shifted into the output. Depending on the configuration (taps and feedback function), the period can be less than optimal.

CSS: LFSR-17 (diagram labels: Exclusive Or (XOR) feedback, feedback path, taps, output; the bit shifted out is marked “garbage”) This register is initialized, or salted, with two bytes of, or derived from, the key. During the salting, a 1-bit is injected at bit 4, to ensure that the register doesn’t start out with all 0s and null-cycle. The value being shifted in is used as the output, not the typical output bit, which in the case of CSS goes off into the ether.

CSS: LFSR-25 (diagram labels: Exclusive Or (XOR) feedback, feedback path, taps, output; the bit shifted out is marked “garbage”) This register is initialized, or salted, with three bytes of, or derived from, the key. During the salting, a 1-bit is injected at bit 4, to ensure that the register doesn’t start out with all 0s and null-cycle. The value being shifted in is used as the output, not the typical output bit, which in the case of CSS goes off into the ether.

CSS: LFSR Addition (diagram) The outputs of LFSR-17 and LFSR-25, each passed through an optional bit-wise inverter, are clocked for 8 ticks (1 byte each) into an 8-bit adder. The carry-out from the prior addition is carried in, and the new carry-out is kept for the next addition. The sum is the output byte.

LFSR Output Inversion (bit-wise invert the output of the LFSR?)
Key type          LFSR-17     LFSR-25
Authentication    Yes (one entry for both)
Session key       No (one entry for both)
Title Key         No          Yes
Data              Yes         No

CSS: Data Decryption (diagram labels: output byte from LFSRs, input data byte, Exclusive Or (XOR), output data byte, sector, table-based substitution)
– LFSR-17 is seeded with bytes 0 and 1 of the title key XORed with bytes 80 and 81 of the sector header. A 1 is injected at bit 4, shifting everything right by one bit.
– LFSR-25 is seeded with bytes 2, 3, and 4 of the title key XORed with bytes 82, 83, and 84 of the sector header. A 1 is injected at bit 4, shifting everything right by one bit.
– The output of LFSR-17 is bit-wise inverted before adding to LFSR-25.
– Much as with DES, a table-based substitution is performed on the input data.
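As an added example (not code from the lecture or from any CSS implementation), the stream-cipher structure of the preceding slides in Python: seeding with a 1 injected at bit 4, the feedback bit used as output, period measurement (showing null cycling and a poor tap choice), the 8-bit add with carry, and the per-mode inversion for the title-key and data rows of the inversion table. The tap positions and the sample keys are assumptions; the real CSS taps are not given on the slides, and the table substitution is omitted.

```python
# Added example (not from the lecture): two LFSRs seeded from key bytes with a 1
# injected at bit 4, feedback bit used as output, combined by 8-bit add with carry
# and per-mode inversion. TAPS17/TAPS25 are ASSUMED placeholders, not CSS's taps.

def lfsr_clock(state, width, taps, nbits):
    """Clock nbits times; output is the feedback value shifted in (as on the slides)."""
    mask, out = (1 << width) - 1, []
    for _ in range(nbits):
        fb = 0
        for t in taps:            # feedback function: XOR of the tapped bits
            fb ^= (state >> t) & 1
        out.append(fb)
        state = ((state << 1) | fb) & mask
    return out, state

def lfsr_period(state, width, taps):
    """Clocks until the state repeats; 1 for the all-zero 'null cycling' state."""
    start, n = state, 0
    while True:
        _, state = lfsr_clock(state, width, taps, 1)
        n += 1
        if state == start:
            return n

def seed_with_injected_one(key_bytes):
    """Pack key bytes, inject a 1 at bit 4 (higher bits move up one): never all 0s."""
    v = int.from_bytes(key_bytes, "big")
    return ((v >> 4) << 5) | 0x10 | (v & 0xF)

TAPS17, TAPS25 = (16, 14), (24, 21, 20, 19)               # assumed placeholders
INVERT = {"title": (False, True), "data": (True, False)}  # slide's inversion table

def keystream(key5, mode, nbytes):
    """Byte = (inv? LFSR-17 byte) + (inv? LFSR-25 byte) + carry-out of prior add."""
    inv17, inv25 = INVERT[mode]
    s17, s25 = seed_with_injected_one(key5[0:2]), seed_with_injected_one(key5[2:5])
    carry, out = 0, bytearray()
    for _ in range(nbytes):
        bits17, s17 = lfsr_clock(s17, 17, TAPS17, 8)
        bits25, s25 = lfsr_clock(s25, 25, TAPS25, 8)
        b17 = int("".join(map(str, bits17)), 2) ^ (0xFF if inv17 else 0)
        b25 = int("".join(map(str, bits25)), 2) ^ (0xFF if inv25 else 0)
        total = b17 + b25 + carry
        carry = total >> 8
        out.append(total & 0xFF)
    return bytes(out)

def scramble(data, key5, mode):
    """XOR with the keystream; the same call unscrambles (table substitution omitted)."""
    return bytes(d ^ k for d, k in zip(data, keystream(key5, mode, len(data))))
```

For the data mode, key5 would be the title key XORed with header bytes 80 to 84 as the slide describes; a 4-bit register is used in the period checks so the maximal (15) and degenerate (6, and 1 for all zeros) cases can be seen by hand.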

CSS: Key Decryption (diagram) Bytes of ciphertext are fed through a table lookup and a chain of L_k stages to produce the bytes of plaintext. Note: L_k is the input byte decrypted using the same scheme as shown for data bytes, with the inverters set for the key type.

Disk and Player Keys
– Each player has a small number of keys.
– Each disk is encoded using a disk key.
– Each disk contains a hidden sector. This sector is pre-written to all 0’s on writable DVDs.
– This sector holds a table containing the disk key encrypted with all 409 possible player keys. It also holds the disk key encrypted with the disk key.
– The player decrypts the appropriate entry in the table and then verifies that it has correctly decoded the disk key by decoding the encrypted disk key.
– The encryption mechanism is the same as we discussed earlier for other keys.

Mutual Authentication (sequence diagram between Host and Drive)
– Host → Drive: Request AGID
– Drive → Host: AGID
– Host → Drive: Challenge H (nonce)
– Drive: Encrypt Challenge H
– Drive → Host: Encrypted Challenge H
– Host: Decrypt and verify Challenge H
– Drive → Host: Challenge D (nonce)
– Host: Encrypt Challenge D
– Host → Drive: Encrypted D
– Drive: Decrypt and verify Challenge D
– Drive → Host: Success or Failure
– Session key is encrypted Challenge H + Challenge H
– Initialization done
Encryption is similar to data encryption, but a permutation is done before the LFSR cipher. A different permutation box is used for each of the three keys. The “secret key” is used for the encryption.

Weakness #1: LFSR Cipher
Brainless:
– 2^40 isn’t really very big – just brainlessly brute-force the keys.
With 6 Output Bytes:
– Guess the initial state of LFSR-17.
– Clock out 4 bytes.
– Use those 4 bytes to determine the corresponding 4 bytes of output from LFSR-25.
– Use the LFSR-25 output to determine LFSR-25’s state.
– Clock out 2 bytes on both LFSRs.
– Verify these two bytes. Celebrate or guess again.
– This is a 2^16 attack.

Weakness #1: LFSR Cipher (cont)
With 5 Output Bytes:
– Guess the initial state of LFSR-17.
– Clock out 3 bytes.
– Determine the corresponding output bytes from LFSR-25.
– This reveals all but the highest-order bit of LFSR-25. Try both possibilities:
  – Clock back 3 bytes.
  – Select the setting where bit 4 is 1 (remember this is the initial case).
  – It is possible that both satisfy this – try both.
– Verify as before.
– This is a 2^25 attack.

Weakness #2: Mangled Output (You might want to refer to the key decryption slide)
With known ciphertext and plaintext:
– Guess L_k4.
– Work backward and verify the input byte.
– This is a 2^8 attack.
– Repeat for all 5 bytes – this gives you the 5 bytes of known output for the prior weakness.

Region Code One other detail: Each DVD contains a region code that indicates the region of the world in which it is intended to be viewed. Each player knows the region in which it was to be sold. If the region code of the player doesn’t match the region code on the DVD, the player won’t deliver the data. This is to help the MPAA ensure that DVDs don’t leak out into parts of the world ahead of the “first showing”, &c.

References
– Axboe, Jens, dvd Linux patch.
– Fawcus, D. and Roberts, Mark, css-auth package, December.
– Schneier, Bruce, Applied Cryptography, 2nd ed., Wiley, 1996, p.
– Stevenson, Frank A., “Cryptanalysis of Content Scrambling System”, 8 Nov. 1999, as updated 13 Nov.
Please note: You should be aware that, in light of a recent federal circuit court decision, it is probably unlawful for you to obtain the first two sources. To the best of my non-expert and incomplete knowledge, the fourth source has not yet been subject to judicial review in the United States. These works are cited to “give credit where credit is due”. This citation should be viewed as proper attribution – not “suggested reading”. It is my understanding that the recent decision did not incriminate presentations of CSS, such as this one, in detail and form insufficient to constitute a working implementation. But, case law in this area is underdeveloped. As the meaning of the law is further exposed, we (you and I) may find ourselves unable to lawfully distribute or communicate this presentation or its content. Another note: Take legal advice from a licensed attorney, not from me.