How does High-Bandwidth Digital Content Protection
attempts to achieve its goal?
is a content protection scheme designed to 'eliminate' the possibility of intercepting encrypted high definition digital data midstream between the source and the display.
But how does this digital content protection mechanism achieve this security, how is device authentication carried out, and why key-revocation is such a powerful feature within the high definition digital content protection protocol?
High-Bandwidth DCP Basics
HDCP uses of a three-stage content protection process:
- Device Authentication and Key Exchange
- Encryption of Content
- Key-revocation procedures
Through this process, the High-bandwidth Digital Content Protection protocol attempts to eliminate the interception of encrypted digital content midstream between source and sink devices.
In this article, we take a look at each of these steps for a better understanding of what goes on in a digital connection when this digital content protection is on board.
Device Authentication and Key Exchange Process
The cryptographic Authentication and Key Exchange (AKE) represents the first of a three stage security process used by this protection system to protect the content mid-stream between source and sink. AKE is designed such that it will not allow non-compliant devices to receive HD content.
This process makes use of a set of unique 'secret' keys as assigned by the HDCP licensing body.
The assignment of a unique set of secret keys to a licensee brings with it a number of conditions that need to be satisfied for the licensing body to grant the keys. These conditions are imposed by the licensing body to ensure that the integrity of HDCP would not be compromised.
In particular, companies wishing to produce an HDCP-compliant device, have to prove that their product has been designed in a manner robust enough to effectively frustrate attempts to defeat the content protection requirements. Further more, companies should do their utmost to protect the assigned keys. Failure to do so may be seen as a violation of the licensing agreement. If these keys end up used by some rogue device after leaking into the wild, owners of legitimate compliant devices may at some point, risk having their HD-gear functionality revoked by this protection mechanism.
Each set of unique keys assigned to a device model consists of 40 different 'secret or private' keys, each 56 bits long. For each set of keys, a special 'public' key called Key Selection Vector (KSV) is created. Each KSV has exactly 20 zero bits and 20 bits set to 1.
During the authentication stage, both parties exchange their KSVs. Then each device adds (without overflow) its own set of secret keys according to a KSV received from another device. If a particular bit in the vector is set to 1, then the corresponding secret key is used in the addition, otherwise it is ignored. Secret Keys and KSVs are generated in such a way that during this process both devices get the same 56 bit number as a result. It is this computed 56-bit number that is later used in the encryption of the data traveling between source and sink devices.
Article continues after this advertisement.
Encryption is done by a 'stream cipher'. This is a type of symmetric encryption algorithm that can be designed to be exceptionally fast, much faster than any block cipher as it usually operates directly on the incoming bit-stream rather than the larger blocks of data processed by block ciphers.
With a stream cipher, the transformation of the incoming data units will vary, depending on when they are encountered during the encryption process. Each decoded pixel is encrypted by applying an XOR operation with a pseudo random sequence produced by a generator. The HDCP specifications ensure constant updating of keys (after each encoded frame).
Key-revocation procedures are there to ensure that any device which violates the license agreement could be relatively easily blocked from receiving HD data.
If some particular model is considered 'compromised', its Key Selection Vector (KSV) is put into a blacklist, also referred to as revocation list. These lists are encoded onto the HD media e.g. on newly produced disks with HD content. This means that the newer the media (e.g. Blu ray disc), the larger will be the revocation list.
Each revocation list is signed with a digital signature using the Digital Signature Algorithm, or DSA. DSA is a United States Federal Government standard for digital signatures; it is used to prevent malicious users from both revoking legitimate devices as well as removing revocation for compromised devices from the list.
During the authentication process, if the receiver's KSV is found by a transmitter in the revocation list, then the transmitter considers the receiver to be compromised and refuses to send High Definition data to it.
It is this key revocation process that makes this DCP sort of 'future-proof' when it comes to combating the use of fake or rogue devices. Through key revocation, HDCP gives the media, content, or even other devices, the ability to invalidate keys of devices known to be a problem.
Is HDCP a 'flawless' content protection tool?
We have seen the various processes used to help protect HD content when the later is send from source to sink. It is clear that High-bandwidth digital content protection manages to achieve this objective through a number of measures taken over different fronts; it is not just encryption, but equally important through key revocation, as well as through licensing issues that prohibit manufactures from making devices that convert a protected source into an analog full high definition version of the digital content — unless the content providers determines so through the appropriate setting of the so called image constraint token (ICT flag).
If it were for the AKE or the encryption processes alone, this content protection system would easily loose its strength as a content protection mechanism. In fact, cryptanalysis researchers had already demonstrated fatal flaws in 2001 prior to its adoption in any commercial product, flaws that lead to fundamental weaknesses in the protection protocol, like the possibility of eavesdropping of data and cloning of a device through its public key only.
Even so, FCC still approved HDCP in August 2004 as the content protection protocol for use with High-definition content. Why?
It is difficult to give a simple straight answer. However, there is one peculiar thing about HDCP that must not be forgotten; this is key revocation and its black listing mechanism. This gives HDCP unique power to retroactively remove functionality of what may be considered compromised devices but...
In 2010, the High-bandwidth DCP master key was set loose! What does it mean?
Did the industry ever think that it is possible to come with an unbreakable protection mechanism? Well, in September 2010, Intel confirmed that the HDCP Master Key had been released into the wild. What does this mean to the high definition industry?
Though Intel immediately claimed that the master key alone would not work without the use of an appropriately designed chip, the truth is that there is nothing completely secure. Not only, this whole chip issue by Intel is a lie!
We have seen software applications like AnyDVD HD by SlySoft.com (based in Antigua) that allows you to watch movies over a digital display connection, without HDCP-compliant graphics card and without HDCP-compliant display; this software also also removes region codes from Blu ray media.
AnyDVD is in effect a content projection stripper that works on-the-fly in the background once loaded on a PC. So... there is no need to buy a more expensive HDCP-compliant monitor or replace your video card. Not only, with the software installed on your PC, you can even use your DVD copy software to backup your HDCP-restricted Blu ray discs!
The only problem is that as you would expect, AnyDVD/HD is not legal in the US (thus explaining why SlySoft.com is based in Antigua); yet it seems that it is still legal to buy!
Whether you like it or not, this content protection mechanism — with all its known flaws — is a reality and an integral part of today's HDTV world; either you comply or else, forget all about enjoying the awesome images brought about by HDTV and high definition DVDs... obviously, unless you go illegal!