Presentation is loading. Please wait.

Presentation is loading. Please wait.

Content Scramble System for DVD PeiXian Yan,Bo Zhou,Gang Liu, ZongPeng Liu, Matthew Black December 6,2004 Supervised by Andy Brown.

Published byGabriel Wilday Modified over 9 years ago

Similar presentations

Presentation on theme: "Content Scramble System for DVD PeiXian Yan,Bo Zhou,Gang Liu, ZongPeng Liu, Matthew Black December 6,2004 Supervised by Andy Brown."— Presentation transcript:

1 Content Scramble System for DVD PeiXian Yan,Bo Zhou,Gang Liu, ZongPeng Liu, Matthew Black December 6,2004 Supervised by Andy Brown

2 Content Scramble System Introduction to CSS and DeCSS Encryption on the DVD in CSS How a DVD player plays DVD Cryptanalysis of CSS Comparison with other techniques Conclusion

3 Introduction What is CSS? CSS: Content Scramble System. It is the data scrambling method used to garble the content of a DVD disc. Data on DVD is protected by CSS,DVD can not be copied. Only be usable with licensed DVD playback mechanisms. Windows and MAC have CSS licence. Linux does not.

4 Introduction How does CSS work? Every DVD player on the market today is coded with a small set of "player keys" Every DVD disc on the market today is coded with a "disk key", identifying that disc. When a DVD player attempts to read a DVD, the player uses it's player key and proceeds down the list of encrypted disk keys on the disc.

5 Introduction Cannot play DVD under Linux OP DeCSS introduced. What is DeCSS ? DeCSS is an executable binary utility, written for Microsoft Windows. Unscrambled MPEG-2 video files can be copied to the user's hard drive by DeCSS. MPEG-4 video files can be made from DVD very easily,which is very easy to transfer through the web.

6 Introduction ‘ *.vob ’ file MPEG-4 file (very large) (much smaller) MPEG-2 file (protected By CSS) DeCSS FlaskMPEG How to store the DVD data in to PC DVD PC

7 Introduction Where does DeCSS come from? An anonymous German hacker from MoRE(master of reverse engineering) was respons for writing the code. Jon Johanson, a 16-year-old Norwegian put it on to the web in late September 1999. MPAA(The Motion Picture Association of America ) ’ s response.

8 Introduction How does DeCSS work ? DeCSS operates much as any other DVD player operates - it uses a player key to unscramble the scrambled contents of a DVD to make playable MPEG-2 video files. All versions of DeCSS currently in release are built around the Xing player key, which reportedly has been revoked. If this is true, no newly-released DVDs can be descrambled with this player key; DeCSS will not work on these DVDs.

9 Introduction Why was CSS made so weak? CSS uses a 40-bit key. Even if the scrambling algorithm is well-designed, the short key length means that a brute-force search will quickly find the key ! Since at the time (in 1996) the U.S. export regulations banned export of strong encryption technologies.

10 Introduction CSS is different from other examples of cryptography such as encrypted e-mail. Unlike encrypted e-mail where the objective of the encryption is to maintain privacy, CSS has nothing to do with maintaining privacy or secrecy of the video. Anyone who buys a DVD containing a CSS "encrypted" movie can view that movie by placing it in a DVD player. This is totally unlike encrypted mail which only the intended recipients can read.

11 CSS Overview Protection from piracy Client-host authentication Enforce region-based codes Stream encryption

12 Keys for in CSS Region key Authentication key Session key Player key Disk key Title key Sector Key- in bytes 80-84 of a sector (a logical or physical group of bytes recorded on the disc)

13 Encryption in CSS System ’ s security depends entirely on the insides of the keystream generator. (APPLIED CRYPTOGRAPHY, BRUCE SCHNEIER) So …… what keystream we need? Pseudo-random bit stream Generates unpredictable key-stream (at least in any reasonable amount of time, harder time to break it)

14 Generic LFSR A shift register Tap sequence Certain tap sequences will cycle through all 2^n-1 possible internal states (called maximal length LFSR) XOR Output Feedback Path

15 10111100101010011 XOR Output CSS ’ LFSR17

16 1011110010101 1 011 XOR Output CSS ’ LFSR17

17 1011110010101 1 011 XOR Output 11

18 CSS ’ LFSR17 1011110010101 1 011 XOR Output 0

19 CSS ’ LFSR17 1011110010101 1 010 XOR Output 1 0

20 CSS ’ LFSR17 1011110010101 1 010 XOR Output 1 0 0

21 CSS ’ LFSR17 1011110010101 1 010 XOR Output 1 0

22 CSS ’ LFSR17 1011110010101 1 010 XOR Output 1 01

23 CSS ’ LFSR17 1011110010101 1 010 XOR Output 10 01

24 CSS ’ LFSR17 1011110010101 1 010 XOR Output 1 01

25 CSS ’ LFSR17 1011110010101 1 110 XOR Output011 0

26 CSS ’ s LFSRs CSS: LFSR17 (2 bytes+1bit seeded in bit 4) CSS: LFSR25 (3 bytes+1bit seeded in bit 4) So …… CSS uses a 40-bits key Addition between the LFSRs

27 More on LFSR Bit-wise Inverter before addition 1 byte Output-byte LFSR-17 LFSR-25 +8-bit add Optional bit-wise inverter Carry-out from the previous addition 1 byte Carry-out

28 inverter modes ModeLFSR-17LFSR-25 AuthenticationYesNo Session KeyNo Title keyNoYes DataYesNo

29 Data Encryption LFSRs are seeded Generates pseudo-random bit stream Substitution on Video data byte XORed the bitstream and Substitution

30 Data Encryption Output byte from LFSRs Input data byteTable-based substitution XOR Output data bytes

31 Key Encryption/Decryption 0 Permutation table + Permutation table K0 + 1 1 Permutation table + Permutation table K1 + 2 2 Permutation table + Permutation table K2 + 3 3 Permutation table + Permutation table K3 + 4 4 Permutation table + Permutation table K4 + 5 Bytes of Ciphertext Bytes of Plaintext CSS streamcipher used to encrypt/decrypt keys

32 Play a CSS protected disc DVD itself Content delivery in between DVD player

33 DVD and DVD player Encrypted content (hidden area) A table of encrypted disk keys, disk hash Player keys (used to decrypt the disk key) Region code( identifies in where player should be used) Another secret (used for authentication)

34 Mutual Authentication Between the Host and the Player. With the authenticated device (licensed by the DVD Copy Control Association) Verifies both sender and receiver are licensed to use the system A session key is agreed on to prevent eavesdropping

35 Mutual Authentication Host Drive AGID Request AGID Chanllenge(H) (nonce) Encrypted Chanllenge(H) Chanllenge(D) (nonce) Success or Failure Encrypted(D) Initialization done Encrypt Challenge Decrypt and verify Challenge(D) Session key is encrypted Challenge(H) + Challenge(H) Decrypt and verify Challenge(H) Encrypt Challenge(D) Session key is encrypted Challenge(H) + Challenge(H) Initiaization done

36 Data transfer Decrypt disk key Verify disk key (hash) Decrypt the title key Data decrypted by the XOR of the title key and the sector

37 Brute Force attack on disk keys CSS only uses 40 bit keys Possible to find disk key by looking at 2 40 possible disk keys. This attack is in fact possible with a complexity of 2 25 by attacking the hash making it feasible in runtime applications

38 Attack with 6-bytes of LFSR output. Not a terribly useful attack, we don ’ t normally have 6-bits lying around Provides a 2 16 attack on the algorithm Allows us to find 16(plus 1) bit register Find input of LFSRS Hence we have the key.

39 Attack with 6-bytes of LFSR output. 1. For each Guess of the contents of LSFR-17 1. Clock out 4 bits 2. Get the output of LSFR-25 by subtracting 3. Workout the contents of LSFR-25 from the output

40 Attack with 5-bytes of LFSR output. Much more practical here For each guess of contents of LSFR-17 Clock out 3 bytes from LSFR Determine corresponding bytes from LSFR- 25 Reveals all but highest order bit from LSFR-25 Attempt to verify each final bit.

41 CSS Mangling When used to encrypt keys an additional mangling step takes place By trying all 256 possibilities Possible to recover 5 output bytes from LSFRS and hence find key from above attack

42 Content Protection Technologies

43 Copy protection methods integrated within DVDs Copy Generation Management System (CGMS) Analog Protection System (APS) Content Scrambling System (CSS)

44 CGMS Each sector of a DVD disc includes CGMS that defines how many times the data can be copied. Three copying “ states ” : --copy enable, copy one generation, copy never Two formats: --analog(i.e., CGMS-A), digital(i.e., CGMS-D)

45 APS A method of forcing copies to be degraded or inhibited when copies are made of video signals containing the Macrovision signals. Two separate technologies: Automatic Gain Control (AGC) Color Stripe

46 CSS A data encryption and authentication scheme intended to prevent copying video files directly from the disc.

47 The various approaches Content Protection for Recordable Media (CPRM) Content Protection for Pre-recorded Media (CPPM) Content Protection System Architecture (CPSA) Digital Transmission Content Protection (DTCP)

48 The various approaches High-bandwidth Digital Content Protection (HDCP) Extended Conditional Access (XCA) Advanced Access Content System (AACS)

49 CSS CPPM Protects video content distributed on DVD Uses 40-bit key Weak key management Common weakness Protect pre-recorded DVD audio content Uses 56-bit key Better key management Common weakness

50 CSS vs AACS CSS uses a 40-bit key. ----brute force attack can be carried out with a complexity of 2 40 AACS uses AES-128 ----brute force attack can be carried out with a complexity of 2 128

51 CSS vs AACS AACS uses advanced Media Key Block (MKB) to manage and revoke keys AACS would potentially allow people to store copies of a movie on home computers and watch it on other devices connected to a network — or even transfer it to a portable movie player

52 Conclusion A Mechanism of encrypt data to DVD disk. Still been used?

Download ppt "Content Scramble System for DVD PeiXian Yan,Bo Zhou,Gang Liu, ZongPeng Liu, Matthew Black December 6,2004 Supervised by Andy Brown."

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
ECE454/CS594 Computer and Network Security

ECE454/CS594 Computer and Network Security
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
Content Scrambling System (CSS) Gregory Kesden, Carnegie Mellon University, 15-412/Fall 2000 This is a draft document. Please report errors, omissions,

Content Scrambling System (CSS) Gregory Kesden, Carnegie Mellon University, /Fall 2000 This is a draft document. Please report errors, omissions,
Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.

Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Analog Protection System A Presentation to the Analog Reconversion Discussion Group March 5, 2003 Analog Protection System A Presentation to the Analog.

Analog Protection System A Presentation to the Analog Reconversion Discussion Group March 5, 2003 Analog Protection System A Presentation to the Analog.
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.

First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.
Content Protection for Recordable Media Florian Pestoni IBM Almaden Research Center.

Content Protection for Recordable Media Florian Pestoni IBM Almaden Research Center.
Chapter 5 Cryptography Protecting principals communication in systems.

Chapter 5 Cryptography Protecting principals communication in systems.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 1 Security PART VII.

McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
1 DVD Copyright Management Schemes Tanveer Alam CVN.

1 DVD Copyright Management Schemes Tanveer Alam CVN.
Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.

Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.
DRM & Key Revocation By David Coleman. DRM & Key Revocation ► Digital Rights Management – A system for controlling the use of content ► Key Revocation.

DRM & Key Revocation By David Coleman. DRM & Key Revocation ► Digital Rights Management – A system for controlling the use of content ► Key Revocation.

Similar presentations

Ads by Google