Friends of Fair Use, rejoice: it appears that the AACS encryption on high-def movies (Blu-ray and HD-DVD) has been broken.
Consumer content encryption is a fool’s game
This looks like a war the movie industry can’t win. Why?
- Sell the consumer the encrypted content
- Sell the consumer the decryption device, i.e. a content player
- With access to the input, the output and the decryption device, it is only a matter of time before someone pulls the keys out of the device and the protection is broken.
This is analogous to the Allied breaking of the German military codes during WWII. Once the Poles had reconstructed the military Enigma, it was only a matter of time before a smart mathematician figured out how to recover the frequently changed keys. The British at Bletchley Park turned that process into a computer-assisted industrial system for large-scale key recovery and decryption, but the essential mathematics has been understood for decades: knowing the machine was never enough, the keys had to stay secret, and they didn't.
The HD case is much simpler. With millions – eventually – of HD DVD players in the field, the movie industry has no practical way of changing the keys already built into them. Ergo, it has no hope of keeping the encryption system secure.
The StorageMojo take
I love movies. I have a collection of over 600 DVDs. I’ve bought a dozen DVDs in the last week alone and I’ve never bought a bootleg DVD. With the average HD movie file size 3000x that of the average MP3, it isn’t terribly likely I would any time soon, even if I could.
The movie industry’s challenge is to create content so compelling and priced so reasonably that the huge majority of the audience has no interest in pirate copies. Yes, there will always be revenue lost to pirates. The cure: give people a good product, reasonably priced and convenient. That, not encryption, is the long term solution.
Alert reader Wes Felter sent in this great link to an article describing the HD-DVD AACS system. Well worth a scan! Naturally, I commented on the article in its comments section. Thanks, Wes!
Comments welcome, as always.
Bruce Schneier has been saying this for years:
http://www.schneier.com/crypto-gram-0105.html#3
Of course the various content organizations (RIAA, MPAA, etc.) are now moving from technical means of DRM to legal means.
The so-called ‘entertainment industry’ (represented by the RIAA and MPAA) as we know it is dead.
It used to be fun to watch movies, now most of my friends play computer games, write/read blogs and pretty much spend a LOT of time on their computers.
There are so many new things to do with computers these days – pirating movies is probably the least attractive one.
They need to stop blaming pirates for loss of revenue and face reality – it is a dying business model (as it is at the moment). I know that it doesn’t sound as attractive an explanation in front of the shareholders as blaming it on the pirates, but that is not my problem.
You can use all the encryption you want – somebody will break it; you can sue every pirate you can find – your revenue is not going to move up one bit; you can block computers with DRM and live Internet authorization, do all you want – in the end people will just do something else instead of watching/buying a movie.
Most customers of the Internet era do not respond well to threats and limitations, so the MPAA will have to find ways to attract people, not alienate them, if it wants to exist.
Wake up MPAA, it is the 21st century… evolve or disappear.
Actually they do have a way of changing the keys, and it is fascinating reading. (Too bad this cool technology isn’t being used for good.)
http://web.archive.org/web/20060604054302/http://www.lotspiech.com/AACS/
David, I recommend Schneier to everybody who wants to learn more about security. I even have him in my blogroll, which for some reason refuses to publish.
Miro, there was a time when the publishing industry thought Xerox machines would destroy the book business. Still waiting for that to happen.
Wes, great link! I only understand about 20% of the article, but I did note this rather large loophole:
Which gets back to the point that David quoted: they’re just ones and zeros. I’m impressed by the AACS scheme: “The NNL key management scheme (also called the subset-difference scheme) is as efficient as a public-key system in revoking compromised devices, but unlike a public-key protocol, it does not require devices to have two-way conversation to establish a shared key.” Pretty smart!
Yet even Lotspiech – the L in NNL – admits that AACS relies upon non-technical means to defeat all attacks. And that, I submit, is the Achilles heel of the system, even if the AACS technology turns out to be every bit as good as NNL believe. People are flaky, so the system will be compromised in ways that no one has yet anticipated.
Finally, I’m not yet convinced that the world is going to move to HD DVDs as fast as the move from tape to DVD. My next home entertainment purchase is likely to be one of these up-converting DVD players to go with the HDTV. And while I love the DTS sound that is standard on HD DVDs, I won’t be in any big hurry to replace my current DVDs – especially since I don’t know which standard will be victorious. So all this effort may be for naught, at least commercially, for years to come.
Robin
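The NNL paper quoted above actually describes two schemes; the subset-difference one AACS adopted and a simpler complete-subtree one. The following is an added illustration of the simpler scheme, written for this page and not taken from the article, the NNL paper or any AACS implementation: it assumes heap-numbered tree nodes, 16-byte toy keys, a SHA-256-derived XOR "cipher" in place of a real block cipher, and the names `LicensingAuthority`, `player_decrypt` and `demo`. It shows how a disc can carry the media key encrypted under a handful of tree-node keys so that every non-revoked player recovers it offline while a revoked player gets nothing, which is the key-changing mechanism the comments refer to.

```python
"""Toy complete-subtree broadcast encryption (the simpler of the two NNL schemes).

Added illustration only: this is not AACS's real Media Key Block format, key
sizes or cipher. The "cipher" is a SHA-256-derived one-time keystream XORed
over the media key, which is fine for a demo and nothing else.
"""
import hashlib
import os
from typing import Dict, List, Optional, Set, Tuple

KEY_LEN = 16  # bytes; assumed toy key size


def _keystream(node_key: bytes, nonce: bytes) -> bytes:
    """Derive a KEY_LEN-byte pad from a node key and a per-block nonce."""
    return hashlib.sha256(node_key + nonce).digest()[:KEY_LEN]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class LicensingAuthority:
    """Owns every key of a complete binary tree with 2**depth leaves.

    Nodes are heap-numbered: root is 1, node n has children 2n and 2n+1,
    and device i is leaf n_leaves + i.  Only the authority holds all keys.
    """

    def __init__(self, depth: int):
        self.n_leaves = 1 << depth
        self.node_keys: Dict[int, bytes] = {
            n: os.urandom(KEY_LEN) for n in range(1, 2 * self.n_leaves)
        }
        self.revoked: Set[int] = set()  # device indices known to be compromised

    def device_keys(self, device: int) -> Dict[int, bytes]:
        """Keys burned into one player at manufacture: its root-to-leaf path."""
        keys, node = {}, self.n_leaves + device
        while node >= 1:
            keys[node] = self.node_keys[node]
            node //= 2
        return keys

    def cover(self) -> List[int]:
        """Roots of the maximal subtrees that contain no revoked leaf.

        With r revoked devices out of N the cover has at most r*log2(N) nodes.
        """
        if not self.revoked:
            return [1]
        steiner: Set[int] = set()  # every ancestor of a revoked leaf
        for device in self.revoked:
            node = self.n_leaves + device
            while node >= 1:
                steiner.add(node)
                node //= 2
        return sorted(
            child
            for parent in steiner if parent < self.n_leaves
            for child in (2 * parent, 2 * parent + 1)
            if child not in steiner
        )

    def media_key_block(self, media_key: bytes) -> Tuple[bytes, List[Tuple[int, bytes]]]:
        """Encrypt the title's media key once per cover node; this ships on the disc."""
        nonce = os.urandom(16)
        records = [
            (node, _xor(media_key, _keystream(self.node_keys[node], nonce)))
            for node in self.cover()
        ]
        return nonce, records


def player_decrypt(device_keys: Dict[int, bytes], mkb) -> Optional[bytes]:
    """A player scans the block for a record under a node key it holds.

    No two-way exchange with the authority is needed; a revoked player finds
    no matching record and returns None.
    """
    nonce, records = mkb
    for node, ciphertext in records:
        if node in device_keys:
            return _xor(ciphertext, _keystream(device_keys[node], nonce))
    return None


def demo(depth: int = 3, leaked_device: int = 5) -> dict:
    """Issue a title, then leak device `leaked_device`'s keys and issue another."""
    authority = LicensingAuthority(depth)
    players = {i: authority.device_keys(i) for i in range(authority.n_leaves)}

    old_key = os.urandom(KEY_LEN)
    old_mkb = authority.media_key_block(old_key)  # pressed before the leak

    authority.revoked.add(leaked_device)           # its keys turned up in a ripper
    new_key = os.urandom(KEY_LEN)
    new_mkb = authority.media_key_block(new_key)  # every later pressing

    return {
        "cover": authority.cover(),
        "old_title": {i: player_decrypt(k, old_mkb) == old_key for i, k in players.items()},
        "new_title": {i: player_decrypt(k, new_mkb) == new_key for i, k in players.items()},
    }


if __name__ == "__main__":
    result = demo()
    print("cover nodes after revoking device 5:", result["cover"])
    print("old title playable:", result["old_title"])
    print("new title playable:", result["new_title"])
```

Two things the toy makes visible. First, revocation only bites on discs pressed after the leak: the older title still plays on the revoked device, and any media key a ripper already extracted from it stays extracted, which is where the non-technical means Lotspiech admits to have to take over. Second, a software player that was built from a leaked device's keys is indistinguishable from that device, so revoking it also bricks the honest hardware it was cloned from; the subset-difference scheme AACS actually uses needs fewer records per block than this complete-subtree version but has the same property.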
DRM is not about stopping piracy, but about controlling licensing. As Universal Pictures’s Jerry Pierce said in an interview:
http://www.denguru.com/2006/08/04/tg_daily_interviews_universal_pictures/
Which some people say is simply about keeping honest users honest, but which is countered by saying that’s like keeping tall users tall. 🙂
‘DVD Jon’ even comments that DRM isn’t about piracy:
http://nanocrew.net/2006/01/08/deaacscom/
Much like doors, gates, and locks, DRM is not really effective--it just reminds the ‘unskilled’ of what they’re supposedly allowed to do and what they’re not allowed to do. So if you want DRM, according to Ed Felten, you have to choose a threat model (this is, after all, security):
http://www.freedom-to-tinker.com/index.php?p=317
In general all of these technical measures are completely useless, so the various media organizations have resorted to legal means and are now suing the pants off of anyone they even suspect of downloading stuff (even grandmothers who don’t have a computer). AACS is actually a form of NNL (broadcast encryption), but it seems there were situations the designers may not have taken into account--and now we have BackupHDDVD.
In general there is less and less need for the *AA organizations. The main aspects in (say) music are: production, recording, promotion and distribution. All but promotion can be replaced by home studios and decent computers and software. Distribution is mostly solved via the Internet, as is promotion (do we need another manufactured boy band or pop princess?). The fact is that, for the major record companies at least, there is no longer a major need for them IMHO and they are simply following Pournelle’s Iron Law of Bureaucracy:
http://www.jerrypournelle.com/archives2/archives2mail/mail408.html#Iron
The MPAA doesn’t fear the Ukrainian mafia copying discs for profit, but they are working hard to rein in DVD Jon and BitTorrent. I guess this is just another case where people only worry about things they can control, even if the real risk is elsewhere.