Felten on DRM and Security through Obscurity

by on April 13, 2007 · 14 comments

Ed Felten describes the latest phase of the cat-and-mouse game between the HD-DVD/Blu-Ray cartel and hackers trying to crack their AACS encryption scheme:

To reduce the harm to law-abiding customers, the authority apparently required the affected programs to issue free online updates, where the updates contain new software along with new decryptions keys. This way, customers who download the update will be able to keep playing discs, even though the the software’s old keys won’t work any more.

The attackers’ response is obvious: they’ll try to analyze the new software and extract the new keys. If the software updates changed only the decryption keys, the attackers could just repeat their previous analysis exactly, to get the new keys. To prevent this, the updates will have to restructure the software significantly, in the hope that the attackers will have to start their analysis from scratch.

The need to restructure the software explains why several months expired between the attacks and this response. New keys can be issued quickly, but restructuring software takes time. The studios reportedly postponed some planned disc releases to wait for the software reissue.

It seems inevitable that the attackers will succeed, within a month or so, in extracting keys from the new software. Even if the guts of the new software are totally unlike the old, this time the attackers will be better organized and will know more about how AACS works and how implementations tend to store and manage keys. In short, the attackers’ advantage will be greater than it was last time.

This illustrates a point I’ve made before: “open” DRM is a contradiction in terms. The encryption keys have to be on the user’s computer, which means (at least on general purpose hardware) that they can always be extracted by an attacker, if the attacker knows where to look. To stop that, the programmer has to use obfuscation to make it difficult for the attacker to figure out where it’s located.

This is completely opposite the usual way computer security is done. Normally, computer security is based on public algorithms and a small number of private secrets. This allows security researchers to examine the algorithm and prove (or at least fail to disprove after much effort) that the algorithms are reasonably secure provided that the relevant secrets are kept secret. But because DRM schemes involve storing the secrets on the attacker’s computer, they’re inherently brittle. They’ll always fail to withstand serious scrutiny, which means it’s a waste of time to even try to design algorithms that could be evaluated by serious security researchers. Instead, the goal is to make the algorithm as difficult to evaluate as possible, in the hopes that attackers will find it too tedious to figure out how it works and where the keys are hidden. Obviously, this approach doesn’t scale, because the more high-profile your DRM scheme is, the bigger the payoff (in reputation, media attention, etc) for cracking it. When it’s as prominent as AACS, no amount of obfuscation is likely to stop determined attackers or even slow them down for more than a couple of weeks.

Comments on this entry are closed.

Previous post:

Next post: