More on DeCSS.......................................
emediapro.net
Cease and DeCSS: DVD's Encryption Code Cracked
November 4, 1999
Copyright ¸ Online Inc.
Everyone's talking about it, but no one's really surprised. Wired magazine broke the news November 1 that the Content Scrambling System (CSS) used to encrypt DVD movies discs has been broken ( wired.com. A Windows-based utility called DeCSS, available for free download from several sites on the World Wide Web, allows a decrypted .VOB file to be stored on a local hard drive, as well as displayed to the computer screen. A one-gigabyte VOB file can reportedly be processed and stored in about 10 minutes on a 500mHz Pentium.
The CSS mechanism consists of two parts-authentication and encryption. Authentication restricts user access to the encryption keys needed for decryption, and to some of the actual data sectors of the disc. There are three keys on the disc: the authentication key and the disc key, which are located in the lead in, and the title key, which is located in the sector header. Starting with the authentication key, each key must be manipulated and checked before proceeding to the next. Each DVD decoder, whether hardware or software, has a unique 40-bit player key, which must be used to descramble the corresponding segment of the disc key, and the result is combined with the title key to unlock the movie for playback. While it has always been possible to copy the encrypted contents of a DVD to a hard drive or other storage medium, it was impossible to play them back without the original disc in the drive for authentication. [See Standard Deviations, "DVD Copy Protection: An Agreement At Last?", December 1996-Ed.]
Despite the perceived threat of piracy this poses to owners of copyrighted video, the genesis of DeCSS seems to have been innocent enough. Several groups of open-source Linux programmers, in the absence of DVD movie support for the Linux operating system, were working to create a DVD player for Linux. One of these groups, LSDVD, was created to collaborate on a fully licensed DVD movie player, which would be available for a small price-perhaps just enough to cover the licensing. Another group, LiViD, remained true to the Open Source credo that software should not have owners, and was trying to create a free, open source DVD movie player for Linux.
It should be stressed that the Linux programmers working on the project were not trying to break CSS in order to pirate DVD movie content-they only wanted to be able to play DVD movies on their computers. As one poster to the LiViD forum remarked, "We are not trying to duplicate DVDs, we are simply trying to view what we've paid good money to view." The DVD-on-Linux movement appears to have caught the attention of a Norwegian group calling itself Masters of Reverse Engineering (MoRE), who then reverse-engineered a software DVD player from Xing Technologies and discovered an unencrypted key that could be used to unlock DVD movies. Since the key was only 40 bits in length, it also enabled them to guess at up to 170 other keys, so that even if the Xing key is disabled on future DVD releases, there are plenty of others. MoRE also publicly released the trade secret CSS algorithm, which allowed the Linux programmers to discover the weaknesses that made the keys unnecessary.
One member of the LiViD community, Greg Maxwell, a network engineer and UNIX/Linux programmer in Martin County, Florida, says that the cracking of the CSS encryption was inevitable, but that the release of the CSS algorithm by the Norwegian group probably moved it up by a few months. "The Linux community was already making progress, but they were keeping a low profile about it," he said. "We didn't want to get sued by the hardware manufacturers or the DVD Forum, and we didn't want to give the movie studios any reason not to release DVD movies." According to Maxwell, the first stage of breaking CSS for Linux playback-authentication-had already been achieved by reverse engineering and released anonymously. A British programmer named Derek Fawcus converted this CSS authentication to C code. The addition of the decryption key, the CSS algorithm, and the announcement by the Norwegian programmers of the Windows-based DeCSS is what broke the story open. Once the MoRE programmers released the decryption keys and source code for the CSS decoder, the Linux programmers felt it was safe to speak up about their own work. As Maxwell says, "If there had been any way to watch DVD movies in Linux, this wouldn't have happened this soon, and it most likely wouldn't have come from this group." He pointed out that the MoRE programmers, who are Windows users, already had what the Linux community wanted-the ability to play DVD movies.
<p>
Perhaps the biggest question is why it took so long to sink CSS. DVD movies and discs have been available since mid-1997. The CSS algorithm used to encrypt DVD movies has always been recognized as a weak deterrent to serious pirates. An examination of the CSS algorithm, now that it is possible, reveals what some programmers are calling a "fatally flawed" approach to encryption. The consensus of the Linux community is that the three biggest weaknesses of CSS are that it was a proprietary algorithm, and therefore not reviewed by others; that it used player keys of only 40 bits; and that it was ever implemented in software.
As for the potential ramifications of DeCSS for the DVD industry, despite rumors of panic among Hollywood studios, the impact will probably not be that great. CSS was never intended to be a serious deterrent to piracy, but only to prevent "casual copying" and prevented fair use by ordinary users. The breach of CSS does facilitate such casual copying, but other factors will probably inhibit its usefulness as a tool for cottage-industry piracy. These factors include the size of the decrypted .VOB files (about 1GB each), the fact that each movie comprises several such files, the loss of navigational controls and interactive features, and the absence of a cheap, fully compatible, and high-capacity removable storage medium (DVD-R discs still costing more than retail movie titles and lacking compatibility with many players). Thus for the time being DeCSS should only prove useful for only a small percentage of casual copiers-specifically, those with plenty of cheap storage space and high-speed Internet access.
These deterrents, however, are minor and only temporary. Before higher bandwidth and writable DVD become more easily and universally accessible, content owners will have to find another way to protect their digital assets. Ironically, one way that might actually work would be to make DVD movies more available to those who want to watch them, not steal them.
--Dana J. Parker |
