HDCP: The LEAK and the NOTES !

Hi,

This is the first official (read meaningful) post on this blog. And as the title suggests, it is about the recent HDCP key leak.

What is HDCP: High-Bandwidth Digital Content Protection. It is used as an encryption to protect digital formats( video/audio) so that the data being transferred over the wire (usually Digital Visual Interface -DVI , High Definition Multimedia Interface – HDMI) is secure and not copied off the wire.

How Does it work : It uses a very common trick : Identification. But to make sure that unscrupluous people don’t tamper, there is a protocol to identify. When a vendor makes a HDCP compliant device, he procures a license from Digital Content Protection LLC. The license contains two vectors u and v. u is the private key and v is a public key. v is also called the Key Selection vector(KSV) and as per HDCP specs, it must have a hamming weight of 20. Both u and v are 56-bits.

When two devices(transmitter and receiver) wish to communicate they exchange their public keys (v) or KSVs. Then they each compute the dot product of their private key (u) with the other device’s KSV. Then the transmitter sends a nonce(number used once) to the receiver. The receiver performs a non-invertible function h on the dot product it generated and the nonce. It replies back with a 16-bit number and the transmitter does the same. When these two numbers match, it assumes that the other device is HDCP compliant and begins the transfer of digital data (encrypted).

Now, for all this to work, both the dot products calculated must be the same. For that to happen, the private key must be made in a special way. They use a 40 by 40 matrix key generator which generates the private vector. This can be called as a master key. If anyone has this master key, he can open any lock he likes!

The Problem: All this sounds really good. The numbers are 56-bits and to that fact with a hamming weight of 20, it is near impossible to generate a key randomly by any processor in this era. BUT (In Computers, there is always a big BUT, isn’t it ?), what if we had 40 valid keys(private keys)- then would it be possible. YES. This fact has been known for a long time and there is a paper that shows this !

In reality what happens is that there are two private keys :; source and sink. Depending on whether the device is a transmitter or reciever it uses the source or sink keys as the private key.

LETS DO IT !! : Well, I would love to. But I don’t have 40 keys (darn!). However, we could use an example and see if this is infact possible !
Lets consider 4 devices – A, B, C, D. The private keys (source) are

A	9	13	0	4
B	12	1	4	8
C	6	5	9	15
D	15	12	15	5

 
and for sinks :

A	4	11	5	10
B	5	13	8	6
C	8	0	12	12
D	6	13	7	14

The corresponding KSV for the four devices  {1010, 0110, 0011,1001 } (in binary).

Now if A and B wish to communicate and A is source and B is sink. They would first exchange the KSV. Then it applies the other device’s KSV on its private key to get a number. For simplicity, lets assume they just check whether they are equal directly. So A would get = 13+0=13 (adding 2nd and 3rd elements) and B would get = 5+8=13 (adding 1st and 3rd). Since they are equal, they proceed !!

But now, we have a fourth Device E. We know the public key (since its public and all!) but the private key is unknown. We will assume that E is a sink device and its key is (a,b,c,d).
Now, if we pair every known device with E, we will be able to get simultaneous equations (four in number) and anyone who knows linear algebra knows that 4 equations and 4 variables = solvable!!

Thus to replicate a 40 element vector, we would only need 40 valid keys!

Thus we can replicate or rather impersonate any device as HDCP compliant without even being!

I hope you enjoyed reading it. Most of the information posted here has been collected from various blogs around the net, and I thank them all for explaining it in great detail.

I am also posting the links :
Crosby Paper
THE LEAKED KEY !