Encryption Schemes for Copy Protection of Digital Media:
High-bandwidth Digital Content Protection
Jeremy Barthélemy Anurag Kamat Haldonker
Introduction
Today we will discuss the following:
• HDCPv1 Brief History
• How HDCPv2 Functions
• Possible Weaknesses of HDCPv2
A Brief History of… HDCPv1
• Weakness of V1 announced as early as 2001
• Version 1 is susceptible to conspiracy attacks, i.e. obtaining the keys of at least 40 devices and reconstructing the secret symmetrical master matrix used to compute these keys.
• HDCP 1.3 encryption standard broken in November 2011.
HDCP v1 & v2 Co-existence
• HDCPv2 is NOT a continuation of HDCPv1 but is rather a different protocol by itself.
• HDCPv2 devices natively support HDCPv1.
• An HDCPv1 device needs a dedicated converter to work with devices which run only version 2.
Authentication & Key Exchange (diagram: HDCPv1 vs HDCPv2)
Authentication & Key Exchange
• Transmitter generates a 64-bit value rtx and sends it to the Receiver along with its information.
• Receiver replies with its certificate & information (within 100ms).
• Transmitter sends the master key km, encrypted with the 128-bit key kh, which may or may not be stored.
• If km is stored then it is encrypted and directly sent.
• If km is not stored then the transmitter authenticates the receiver using the 3072-bit RSA public key kpubdcp present with it.
• Receiver generates rrx, then generates hash H’ which it sends to the Transmitter within 1ms.
• Transmitter generates hash H and compares it with H’.
• Only when the master key is not stored does the Receiver send the encrypted master key to the Transmitter.
Authentication & Key Exchange
• HDCPv2 uses certificates instead of plain public keys, which provides added security.
• Master key is 128 bits instead of 56 bits and may or may not be stored with the transmitter.
HDCPv2 Locality Check Feature
1. Upstream transmitter sends a signal to the receiver
2. Timer at transmitter starts
3. If the timer expires before the signal is returned, the session terminates
4. Feature not present in HDCPv1
Locality Check (2)
Locality Check (3)
• rn is a Transmitter-generated 64-bit pseudo-random number
• Receiver sends L’ = HMAC-SHA256(rn, kd XOR rrx)
• A total of 1024 attempts allowed to ensure locality
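Added example (not part of the slides): a Python simulation of the locality-check exchange above, with the transmitter's timer and the 1024-attempt limit. It assumes kd is a 256-bit derived key and that the 64-bit rrx is XORed into its least-significant 8 bytes; the slides do not state this, and the timeout value is a parameter rather than the specification's figure.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Tuple

MAX_ATTEMPTS = 1024  # the slides: 1024 locality-check attempts allowed


def compute_l(rn: bytes, kd: bytes, rrx: bytes) -> bytes:
    """L on the transmitter, L' on the receiver: HMAC-SHA256(rn, kd XOR rrx).
    Assumption (not on the slides): kd is 256 bits and the 64-bit rrx is
    XORed into its least-significant 8 bytes."""
    if len(rn) != 8 or len(rrx) != 8 or len(kd) != 32:
        raise ValueError("rn and rrx must be 64-bit, kd must be 256-bit")
    key = kd[:24] + bytes(a ^ b for a, b in zip(kd[24:], rrx))
    return hmac.new(key, rn, hashlib.sha256).digest()


def make_receiver(kd: bytes, rrx: bytes, delay_s: float = 0.0) -> Callable[[bytes], bytes]:
    """Simulated receiver: the optional delay models link latency, then it
    answers the transmitter's rn with L'."""
    def respond(rn: bytes) -> bytes:
        time.sleep(delay_s)
        return compute_l(rn, kd, rrx)
    return respond


def locality_check(kd: bytes, rrx: bytes, receiver: Callable[[bytes], bytes],
                   timeout_s: float, max_attempts: int = MAX_ATTEMPTS) -> Tuple[bool, int]:
    """Transmitter side. Each attempt: fresh 64-bit rn, start the timer, wait for L'.
    A late L' is a failed attempt and may be retried up to max_attempts times;
    a wrong L' ends the session at once (assumption: it shows the receiver
    does not hold kd, so retrying cannot help). Returns (passed, attempts_used)."""
    for attempt in range(1, max_attempts + 1):
        rn = secrets.token_bytes(8)   # transmitter-generated pseudo-random number
        started = time.monotonic()
        l_prime = receiver(rn)
        if time.monotonic() - started > timeout_s:
            continue                  # timer expired: retry with a new rn
        if hmac.compare_digest(compute_l(rn, kd, rrx), l_prime):
            return True, attempt
        return False, attempt
    return False, max_attempts        # every attempt timed out: session terminates


if __name__ == "__main__":
    kd, rrx = secrets.token_bytes(32), secrets.token_bytes(8)
    print(locality_check(kd, rrx, make_receiver(kd, rrx), timeout_s=0.02))
```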
Key Provisioning for Source Devices - Simplified
HDCPv1 Encryption
The HDCP Cipher uses Linear Feedback Shift Registers, a block module and a compression function to produce a key stream.
HDCPv1 Encryption (2)
(diagrams: HDCP Cipher, HDCP Block Module)
HDCPv2 Encryption
Summary of HDCPv1 v/s HDCPv2

HDCPv1 | HDCPv2
For wired scenarios, uncompressed data | For wired or wireless scenarios, compressed or uncompressed data
No locality check needed | Locality check needed
Keys on source and sink devices | Global constant on source devices, unique receiver ID and keys on sink devices
Seamless interoperability with HDCPv2 enabled devices | Seamless interoperability with HDCPv1 enabled devices
Robust cryptography | Enhanced, state-of-the-art cryptography
HDMI, DVI, DisplayPort, GVIF, UDI | TCP/IP, USB, Wi-Fi, WHDI
Possible Weaknesses of HDCPv2
• As of now no known attack on HDCP version 2. BUT:
• Possible weakness in the locality check
Conclusion
• HDCPv2 improves over its predecessor, although we are not convinced that it will offer long-lasting protection for intellectual media.
• HDCPv2 is applicable to only new technologies and has not replaced HDCPv1.
Questions??