The HDCP master key has just been cracked. For those unfamiliar with the abbreviation, this is the “High-bandwidth Digital Copy Protection” scheme that encrypts high definition video to reduce copying and piracy. I’m not going to delve into the question of whether HDCP should even exist or whether it’s right or wrong to use it; these are huge, open questions with vastly different answers depending on who’s answering. (Note that HDCP is distinct from the Advanced Access Content System (AACS) used to encrypt Blu-Ray disc content.)
HDCP attempts to do several things. First, it seeks to allow a “source”, such as an HD cable box, and a “sink”, like an HDTV, to authenticate each other as legitimate participants in a secure data transfer. Second, it establishes a key negotiation protocol so that the source can send encrypted content to the sink. Finally, it provides for key revocation via content media so that individual devices can be rendered unable to communicate.
In many regards HDCP sounds like it’s trying to solve the same types of problems that Public Key Infrastructure attempts to solve for browsers and servers, particularly when client certificates are used. However, while HDCP has been compromised, we haven’t seen a large-scale crack for PKI, even though such a crack would be far more valuable. What accounts for this difference, and does a crack of HDCP presage future PKI compromises?
Although we don’t yet know exactly how the HDCP master key crack happened, before HDCP was put into commercial devices, experts theorized that it would take knowledge of forty or so device keys, such as those in our A/V equipment, to calculate the master key. This property exists because the device keys themselves are all derived from that one master key: this design characteristic is meant to let two devices recognize each other’s shared lineage and, therefore, implied authorization to transfer media data. At the same time, though, it’s a significant weakness because so few keys are needed for a crack.
(For the record, 40 device keys to crack the master key is an awfully slim safety margin that would be intolerable under most circumstances. However, the industry appears to have relied on the difficulty of retrieving keys from equipment, along with legal agreements, to limit disclosure. Again, we don’t yet know how the HDCP crack happened, but it’s quite possible that one of these bars was not high enough: either someone found a bug that disclosed device keys, then bought 40 devices and recovered their keys; or they found a way to figure out the keys based on other characteristics, such as changes in power consumption or signals in device circuitry; or they found a willing and knowledgeable human to help out in some way.)
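The following toy model is an added example, not code from the original post: it shows why device keys that are all linear functions of one master secret leave nothing hidden once enough of them are disclosed. The matrix form, the dimension N = 4 (standing in for the "forty or so" above), the prime modulus and all function names are assumptions of this example, not HDCP's real parameters.

```python
import random

P = 2**31 - 1   # toy prime modulus (assumption, not HDCP's real modulus)
N = 4           # toy dimension (assumption; stands in for "forty or so")

def make_master(rng):
    """Random symmetric N x N master matrix (constructed sample secret)."""
    m = [[0] * N for _ in range(N)]
    for i in range(N):
        for j in range(i, N):
            m[i][j] = m[j][i] = rng.randrange(P)
    return m

def device_key(master, ident):
    """Private key vector of a device: master * ident (mod P)."""
    return [sum(row[j] * ident[j] for j in range(N)) % P for row in master]

def shared_key(my_key, peer_ident):
    """Each side dots its own private key with the peer's public identifier."""
    return sum(k * v for k, v in zip(my_key, peer_ident)) % P

def determined_master(idents, keys):
    """Master matrix fixed by disclosed (ident, key) pairs; None if rank < N."""
    # Each pair satisfies ident^T * M = key^T, so reduce [V | K] to [I | M].
    rows = [list(v) + list(k) for v, k in zip(idents, keys)]
    for col in range(N):
        piv = next((r for r in range(col, len(rows)) if rows[r][col] % P), None)
        if piv is None:
            return None          # disclosed keys do not span the space yet
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, P)
        rows[col] = [x * inv % P for x in rows[col]]
        for r in range(len(rows)):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % P for x, y in zip(rows[r], rows[col])]
    return [row[N:] for row in rows[:N]]

def demo(seed=1):
    rng = random.Random(seed)    # seeded toy RNG, not suitable for real keys
    master = make_master(rng)
    idents = [[rng.randrange(1, P) for _ in range(N)] for _ in range(N + 1)]
    keys = [device_key(master, v) for v in idents]
    agree = shared_key(keys[0], idents[1]) == shared_key(keys[1], idents[0])
    partial = determined_master(idents[:N - 1], keys[:N - 1])
    full = determined_master(idents[:N], keys[:N])
    return agree, partial is None, full == master
```

`demo()` returns three booleans: two devices agree on a shared key, N - 1 disclosed keys leave the master undetermined, and N disclosed keys with independent identifiers fix it completely.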
PKI, in contrast, lets subjects, such as browsers and servers, choose their own keys independently of each other. With no mathematical relationship binding subject keys, collecting them does not facilitate a crack. Although the primary authenticating feature in PKI is the signature an issuer calculates using its private key, it’s also the case that amassing signatures does not lead to cracking the issuer’s private keys. Despite PKI’s numerous faults, this is one aspect that has withstood the test of time, and it’s one thing that keeps PKI safe from the mathematical weakness in HDCP.
It’s been said time and time again that cryptographic implementations and protocols that don’t benefit from public scrutiny frequently suffer from fatal flaws. And it stands to reason that weak crypto provides a shaky foundation for security, while crypto that’s stood up to expert cryptanalysis is a safer bet for one’s fortunes. HDCP isn’t the first protocol to misjudge the risks, nor will it be the last.