Doom9's Forum - View Single Post - Understanding AACS (including Subset-Difference)

MartyMcNuts · 27th December 2018, 03:26

Hi all, I know this is an old thread and I have read it a few times over, which does provide some general information on how Subset-Differences work, however there doesn't seem to be anything with more detail. What I am trying to do is test a bunch of "possible device keys" against a MKB_RO.inf file to calculate a "processing key" for that MKB. I already understand the rest of the procedure to calculate the "media key" and the "VUK" but need assistance with the device key to processing key step.

So,according to the AACS specs (3.2.3 - 3.2.5), each subset-difference is encoded with 5 bytes. The first byte is the U mask and the last 4 bytes are the UV number (most significant byte first). So for example, I have a subset-difference 0B 00 00 0A 00, (0B) is the U Mask and (00 00 0A 00) is the UV Number. Now, that (first byte) is treated as a number, the number of low-order 0-bits in the mask. For example, the value 01 denotes a mask of FFFFFFFE; value 0A denotes a mask of FFFFFC00.

Question 1. How is this u_mask calculated?

From the AACS Specs, "For conciseness, the path number and the “v” mask are encoded in a single 32-bit number, referred to as the uv number. The mask for v is given by the first lower-order 1-bit in the uv number. That bit, and all lower-order 0-bits, are zero bits in the “v” mask."

The first sentence there I understand. The rest doesn't make sense to me, however, by using the code:

long v_mask = 0xFFFFFFFF;
while ((uv & ~v_mask) == 0) v_mask <<= 1;

to calculate the v_mask, for the example subset-difference "0B 00 00 0A 00", use the UV number, "00 00 0A 00" the v_mask equals "FF FF FC 00"

Parts I don't understand are:

"As a result, the u mask always has more 0 bits than the v mask. The subset-difference is the subtree rooted at node u minus the sub-tree rooted at node v."

Question 2: Can someone please show me this using the example subset-difference above?

From the AACS specs "A subset-difference applies to a device if the u node is on a path from the device’s node to the root of the tree, but the v node is not. This is simple to calculate using the uv number, the appropriate mask, and the device node number (D_node). By definition, a device “D_node” is on a path to a “uv” number with mask “m” if and only if:

(D_node & m) == (uv & m)

Thus, a subset-difference applies if and only if:

((D_node & u_mask ) == (uv & u_mask)) and ((D_node & v_mask) != (uv & v_mask))

Question 3: Where does this D_node come from?

AACS specs CONTINUED: The device searches through the Explicit Subset-Difference Record fields, looking at the identified subset-differences, until it finds the one that applies to it. At that point the device either has the Device Key, or is able to derive the subsidiary Device Key, associated with that subset-difference. It finds the appropriate stored Device Key as follows: assuming the Explicit Subset-Difference Record value is uv, u_mask, and v_mask, and the stored Device Key has uv’, m’u, and m’v, the appropriate Device Key is the one that meets the following condition:

(u_mask == m’u) and ((uv & m’v) == (uv’ & m’v))

If m’v equals v_mask, the starting Device Key is the final Device Key, and is used directly to derive the Processing Key, as described above. Usually, however, the starting Device Key’s node is further up in the tree, and the actual Device Key will have to be derived. The device does that as follows:

1. Initialization. m = the stored v mask m’v. Dk = the starting Device Key.
2. Use AES-G3 on Dk, as described above, to determine a left subsidiary Device Key, a Processing Key, and a right subsidiary Device Key.
3. Look at the most significant zero bit in m. If the corresponding bit in the incoming uv number is 0, Dk = left subsidiary Device Key from step 2. Otherwise, Dk = right subsidiary Device Key from step 2.
4. Iteration. Arithmetic shift m right one bit. If it does not equal the incoming v mask mv, repeat starting at step 2.

I understand steps 2 and 4. I do not understand steps 1 and 3.

Question 4: Since we are not an authentic device, how can we know / calculate / obtain the UV, u-mask and v_mask from a device key?
Question 5: If we cannot know these, how do we work around that?

Some answers including calculations (or possibly some code?) using the above example subset-difference would be greatly appreciated.

Thanks,
Marty

27th December 2018, 03:26	#262 \| Link
MartyMcNuts Registered User Join Date: Aug 2018 Posts: 16	Hi all, I know this is an old thread and I have read it a few times over, which does provide some general information on how Subset-Differences work, however there doesn't seem to be anything with more detail. What I am trying to do is test a bunch of "possible device keys" against a MKB_RO.inf file to calculate a "processing key" for that MKB. I already understand the rest of the procedure to calculate the "media key" and the "VUK" but need assistance with the device key to processing key step. So,according to the AACS specs (3.2.3 - 3.2.5), each subset-difference is encoded with 5 bytes. The first byte is the U mask and the last 4 bytes are the UV number (most significant byte first). So for example, I have a subset-difference 0B 00 00 0A 00, (0B) is the U Mask and (00 00 0A 00) is the UV Number. Now, that (first byte) is treated as a number, the number of low-order 0-bits in the mask. For example, the value 01 denotes a mask of FFFFFFFE; value 0A denotes a mask of FFFFFC00. Question 1. How is this u_mask calculated? From the AACS Specs, "For conciseness, the path number and the “v” mask are encoded in a single 32-bit number, referred to as the uv number. The mask for v is given by the first lower-order 1-bit in the uv number. That bit, and all lower-order 0-bits, are zero bits in the “v” mask." The first sentence there I understand. The rest doesn't make sense to me, however, by using the code: long v_mask = 0xFFFFFFFF; while ((uv & ~v_mask) == 0) v_mask <<= 1; to calculate the v_mask, for the example subset-difference "0B 00 00 0A 00", use the UV number, "00 00 0A 00" the v_mask equals "FF FF FC 00" Parts I don't understand are: "As a result, the u mask always has more 0 bits than the v mask. The subset-difference is the subtree rooted at node u minus the sub-tree rooted at node v." Question 2: Can someone please show me this using the example subset-difference above? From the AACS specs "A subset-difference applies to a device if the u node is on a path from the device’s node to the root of the tree, but the v node is not. This is simple to calculate using the uv number, the appropriate mask, and the device node number (D_node). By definition, a device “D_node” is on a path to a “uv” number with mask “m” if and only if: (D_node & m) == (uv & m) Thus, a subset-difference applies if and only if: ((D_node & u_mask ) == (uv & u_mask)) and ((D_node & v_mask) != (uv & v_mask)) Question 3: Where does this D_node come from? AACS specs CONTINUED: The device searches through the Explicit Subset-Difference Record fields, looking at the identified subset-differences, until it finds the one that applies to it. At that point the device either has the Device Key, or is able to derive the subsidiary Device Key, associated with that subset-difference. It finds the appropriate stored Device Key as follows: assuming the Explicit Subset-Difference Record value is uv, u_mask, and v_mask, and the stored Device Key has uv’, m’u, and m’v, the appropriate Device Key is the one that meets the following condition: (u_mask == m’u) and ((uv & m’v) == (uv’ & m’v)) If m’v equals v_mask, the starting Device Key is the final Device Key, and is used directly to derive the Processing Key, as described above. Usually, however, the starting Device Key’s node is further up in the tree, and the actual Device Key will have to be derived. The device does that as follows: 1. Initialization. m = the stored v mask m’v. Dk = the starting Device Key. 2. Use AES-G3 on Dk, as described above, to determine a left subsidiary Device Key, a Processing Key, and a right subsidiary Device Key. 3. Look at the most significant zero bit in m. If the corresponding bit in the incoming uv number is 0, Dk = left subsidiary Device Key from step 2. Otherwise, Dk = right subsidiary Device Key from step 2. 4. Iteration. Arithmetic shift m right one bit. If it does not equal the incoming v mask mv, repeat starting at step 2. I understand steps 2 and 4. I do not understand steps 1 and 3. Question 4: Since we are not an authentic device, how can we know / calculate / obtain the UV, u-mask and v_mask from a device key? Question 5: If we cannot know these, how do we work around that? Some answers including calculations (or possibly some code?) using the above example subset-difference would be greatly appreciated. Thanks, Marty