?�
���
���
�L�
5�
�L�
<� Analysis of DVD ContentsScrambling System
��
W�
���
� �
�E�Cryptanalysis of Contents Scrambling System,
�3�
Frank A. Stevenson ( frank@funcom.com )
�K�
Abstract: CSS is a scrambling system used in the distribution
�M�for movies on DVD ( Digital Versatile Disc ) a high capacity CD like storage
�G�system. Its main purpose is to prevent the unauthorized duplication of
�J�disc contents. This is achieved through encrypting the files, and storing
G�keys in hardware. Here we will describe the system, and show that even
�O�if the keys can be securely stored in hardware, the data will not be protected
�H�from unauthorized copying. Severe weaknesses in the ciphers effectively
F�voids the need for the hardware keys when decrypting the content.
��
���
���
8th November 1999
(�
(updated 13th Nov.)
��
���
��
���
���
���
���
��
�/�
0 General disclaimer.
�Q�This information is provided as is, with no warranties
�M�on its accuracy or usability. It is based on a piece of source code claiming
�N�to be the css algorithms, and which have since been confirmed to interoperate
M�with the CSS system. The author has not read any official CSS documentation,
�H�and any errors in the terminology is a result of this. This information
L�has not to the knowledge of the author been made available through breaches
D�of the DVD consortium Non Disclosure Agreement.
��
�/�
1 System overview.
�H�
Every DVD player is equipped with a small set
H�of player keys. When presented with a new disc, the player will attempt
J�to decrypt the contents with the set of keys it possesses. Every disk has
;�a disk key data block that is organized as follows:
���
���-
�M�5 bytes hash of decrypted disk key ( hash )
���
���-
�X�disk key encrypted with player key 1 (dk1 )
��
���-
�X�disk key encrypted with player key 2 (dk2 )
��
���-
���...
��
���-
�[�disk key encrypted with player key 409 (dk409)
���
G�Suppose the player has a valid key for slot 213, it will
���calculate
�Q�
(1) Kd
�S�= DA( dk213
� �, Kp213 )
O�To verify that Kd is correct, the following
�K�check is done, if the check fails, it will try the next player key.
�Q�
(2) Kd
�G�= DA( hash
���, Kd )
�J�
An obvious weakness stems from this check, by trying all
H�240 possible Kd, disk
K�key can be deduced without knowing any valid player key.
�I�As will be shown later, this attack can be carried out with a complexity
�M�of 225, making such an attack feasible
�H�in runtime applications. Another obvious attack is that by having
G�1 working player key, other player keys can be derived through a
�M�similar search. This can be done offline, also keys obtained from the former
�/�attack can be used as a starting point.
�G�
To decrypt the contents an additional key tk -
�P�the title key is decrypted with the now decrypted and verified disk key.
P�
(3) Kt
`�= DB( tk, Kd)
K�
Each sector of the data files is the optionally encrypted
�P�by a key that is derived from Kt by exclusive or of specified
I�bytes from the unencrypted first 128 bytes of the 2048 bytes sector. The
�M�decryption is done with the CSS stream cipher primitive described in section
���II.
3�2 CSS streamcipher primitive:
�I�The CSS streamcipher is a very simplistic one,
�H�based on 2 LFSRs being added together to produce output bytes. There is
H�no truncation, both LFSR are clocked 8 times for every byte output, and
I�there are 4 ways of combining the output of the LFSRs to an output byte.
�I�These four modes are just settings on 2 inverter switches, and the modes
�6�operation are used for the following purposes.
��
���-
�H�Authentication to DVD drive ( not discussed )
��
���-
�y�Decryption of Disk key (DA)
���
���-
�z�Decryption of Title key (DB)
��
���-
�5�Decryption of data blocks.
���
G�LFSR1: 17 bits ? taps, and is initialized by the 2 first
�H�bytes of key, and setting the most significant bit to 1 to prevent null
��cycling.
H�
LFSR2: 25 bits 4 taps, is initialized with byte 3,4,5
H�of the key shifting all but the 3 least significant bits up 1 position,
2�and setting bit 4 to prevent null cycling.
G�As new bits are clocked into the LFSRs, the same bits
�I�are clocked in with reversed order to the two LFSRs output bytes. ( With
�%�optional inversion of bits. )
�O�
The output of LFSR1 is O1(1), O1(2),
� �O1(3) ...
Q�
Likewise LFSR2 produces O2(1), O2(2),
� �O2(3) ...
H�
These two streams are combined through 8 bits addition
K�with carry carried over to the next output. The carry bit is zero at start
���of stream.
H�
(4) O(i)
O�= O1(i) + O2(i) + c where
�-�c is carry bit from O(i-1)
�_�
This streamcipher is very weak, a trivial 216
�I�attack is possible with output bytes known for i = {1,2,3,4,5,6}.
�N�Guess the initial state of LFSR1, and clock out 4 bytes. O2(1),
N�O2(2), O2(3), O2(4) can then be uniquely
L�determined, and from them the state at i=4 is fully known. The guess
L�on LFSR1 can then be verified by clocking out 2 or more bytes of the cipher
!�and comparing the result.
�L�
Another important attack is the case when only O(i)
G�for i = {1,2,3,4,5} is known. Guess the initial state of LFSR1,
�I�and clock out 3 bytes. Now O2(1), O2(2) and
���O2(3)
K�can be found as in the above attack. This will reveal all but the most
�I�significant bit of LFSR2s state at i=3. If both possible settings
�I�for MSB is tried, and LFSR2 is clocked backwards 24 steps, a state where
�I�bit 4 is set at i=1 can always be found. ( This is stated without
�G�proof ). Select the setting of the most significant bit for LFSR2 such
�K�that LFSR2 is in a legal state at i=1, and clock out two more bytes
�G�to verify the guess of LFSR1. For some values of O( i = {1,2,3,4,5}
�I�) multiple start states can be found, and for others none. Selecting
�O�the correct start state is not a problem, as this attack is used in situations
�H�where only the first five output bytes are of significance ( encryption
��of keys ).
��
*�3 CSS mangling step:
G�When the CSS streamcipher is used to encrypt
�`�keys such as in DA(data,key)
U�and DB(data,key),
�J�an additional mangling step is performed on the data. This cipher is best
5�illustrated with the following block diagram:
���
���-
�B�A(1,2,3,4,5) are the input bytes (data)
��
���-
�C�C(1,2,3,4,5) are the output bytes (data)
���
���-
�]�ki = O(i) where O(i={1,2,3,4,5})
�,�is streamcipher output from key
��
���-
�<�B(1,2,3,4,5) are temporary stages
��
J�The cipher is evaluated top down, with exceptions indicated
!�by an arrow.
���
���
� �
�8�
��
���
�8�
Examples of evaluating cipher:
��
���-
�N�B(j) = xor( F( A(j) ) , A(j-1) , kj
+�) for j = {2,3,4,5}
���
���-
�K�B(1) = xor ( F( A(1)) , B(5), k1
���)
��
���-
�N�C(j) = xor( F( B(j) ) , B(j-1) , kj
+�) for j = {2,3,4,5}
���
���-
�W�C(1) = xor ( F( B(1)) , k1 )
���
K�F is a function, defined by a byte permutation
�G�table. With known cipher and plaintext, the whole cipher unravels with
�.�a minimal amount of work. Here is how:
��
���-
�8�Make a guess on k5
��
���-
�L�B(5) = xor( F( A(5) ) , A(4) , k5
��)
��
���-
�K�B(4) = xor( F( B(5) ) , C(5), k5
���)
��
���-
�L�k4 = xor( F(
'�A(4) ) , A(3) , B(4) )
���
���-
�K�B(3) = xor( F( B(4) ) , C(4), k4
���)
��
���-
�L�k3 = xor( F(
'�A(3) ) , A(2) , B(3) )
���
���-
�K�B(2) = xor( F( B(3) ) , C(3), k3
���)
��
���-
�L�k2 = xor( F(
'�A(2) ) , A(1) , B(2) )
���
���-
�K�B(1) = xor( F( B(2) ) , C(2), k2
���)
��
���-
�L�k1 = xor( F(
'�A(1) ) , B(5) , B(1) )
���
���-
�G�verify by checking C(1) = xor ( F( B(1)
�"�, k1 )
��
H�Thus by trying 256 possibilities, we can recover 5 output
J�bytes from the CSS streamcipher, and so recover the key by using the five
K�known output bytes. This attack can be put to immediate use for recovering
�I�other player keys as in the notes to eqn. 2,3. Even if the player key is
�G�not recovered through the reversal of the stream cipher, the output of
�J�the streamcipher is known, and will still be usefull for decrypting disks
3�that employ other player keys.
�;�4 Attacking the hash of the disk key.
�J�Reversing the hash at the start of the disc key
G�block is somewhat more complicated. From (2) we see that only the hash
�J�value is known, the problem is finding a disk key such that the decrypted
]�hash equals the disk key itself. An attack of complexity 225
���proceeds as follows.
I�First some aspects on the value of k2
�H�will have to be considered. A(1) and A(2) is known, and a
O�table can be build by running through every possible combination of k2
���and
��B(1)
��and
N�calculate the resulting C(2). When trying to build a table of possible
L�values k2 of indexed by C(2) and B(1) there
H�will be many values that map to the same set of indices, so a the table
U�must be able to hold several values of k2 in each location.
�M�
Guess the start state of LFSR1, calculate O1(
�J�i = {1,2,3,4,5} ) . Next guess B(1) and complete the following
��calculations:
���
���-
�L�k1 = xor( F(
N�B( 1 ) ) , C(1) ) C(1,2)
8�is known, they are the start state of LFSR1
��
���-
�\�B(5) = xor( F( A(1) ) , B(1), k1)
��
���-
�I�k5 = xor(
�
�F(
,�A(5) ) , A(4), B(5) )
��
���-
�G�Through the table indexed by C(2) and B(1)
�I�all permissible k2 can be found, there can be from 0-8
�P�, on average 1. For all permissible k2 calculate:
��
���
���-
�V�O2(1) , O2(2),
K�and 2 possible O2(5). This is possible since
�)�k1,2,5 are found.
���
���-
�H�For every legal initial state of LFSR2 there exists a one
K�to one mapping to O2(1,2,5) , by generating a table with
�I�224 entries the start state of LFSR2 can
�E�be found. Thus C(1,2,3,4,5) is potentially known.
���
���-
�K�B(4) = xor( F( B(5) ) , C(5), k5
���)
��
���-
�L�k4 = xor( F(
'�A(4) ) , A(3) , B(4) )
���
���-
�K�B(3) = xor( F( B(4) ) , C(4), k4
���)
��
���-
�L�k3 = xor( F(
'�A(3) ) , A(2) , B(3) )
���
���-
�K�B(2) = xor( F( B(3) ) , C(3), k3
���)
��
���-
�G�verify k2 = xor( F( A(2) ) ,
�l�A(1) , B(2) ) , this holds for 1 / 256 tries ( 217
G�altogether ) and if the test holds, the key C(1,2,3,4,5) can be
�J�tested by eqn. (2). If eqn (2) holds, then a key has been found that will
H�satisfy the hash. From experience it is possible to find from zero to a
I�few such keys to any given hash value. When multiple disc keys are found
�I�trial decryption of the files will eliminate the false keys.
���
��
H�This attack when implemented on a Pentium III running 450
J�MHz, will recover a disk key from the hash alone in less than 18 seconds.
_�This is clearly much less than what is to be expected of a 40 bits cipher.
�"�5 Conclusion
N�The author has through email correspondence learned
G�that attacks as described at (2) have indeed been carried out by brute
�G�force prior to this analysis. CSS was designed with a 40 bit keylength
�R�to comply with US government export regulation, and as such it easily compromised
H�through brute force attacks ( such are the intentions of export control
N�). Moreover the 40 bits have not been put to good use, as the ciphers succumb
I�to attacks with much lower computational work than which is permitted in
�H�the export control rules. Whether CSS is a serious cryptographic cipher
K�is debatable. It has been clearly been demonstrated that its strength does
�G�not match the keylength. If the cipher was intended to get security by
�J�remaining secret, this is yet another testament to the fact that security
B�through obscurity is an unworkable principle.
+�6 Further information
�J�I have collected links
I�to posts that were made to the Livid project mailing list. These include
�G�the original anonymous posting of the CSS algorithm, as well as full C
�@�source code for the attacks I outline here.
��
���
���
���
���
��