10th March 2007, 14:30 | #181
Registered User
Join Date: Dec 2006
Posts: 142
Let's say LA is using a matrix that has 2 columns and 2 rows, so there are 4 SKs. SK1 is at first row of first column, SK2 is at second row of first column, and so on. Key distribution is as follows:

25% of the players (group 1) have SK1 and SK3
25% of the players (group 2) have SK1 and SK4
25% of the players (group 3) have SK2 and SK3
25% of the players (group 4) have SK2 and SK4

Traitor tracing works as follows: Let's say LA releases a new SKB. SK1 outputs a link to the second column. SK2 decrypts the movie. Also SK3 and SK4 decrypt the movie, but at the second column. When a player decrypts the movie:

50% of the players will use SK2 to decrypt it
25% of the players will use SK3 to decrypt it, and all these players have SK1
25% of the players will use SK4 to decrypt it, and all these players have SK1

Using more columns LA can determine the identity of any player, because each additional column reduces the probabilities if the SKs used to decrypt are from the same player. However, if attackers publish just one SK from different players (one SK per player), LA cannot reduce the probabilities from column to column.

If attacker A publishes SK1 the movie is decrypted and his identity is not revealed because 50% of all players have this key. Nothing new here, but this is just a reference case (just one column has been used to decrypt). I put this case here just for illustrative purposes (LA can force all the players to go to other columns).

If attacker A publishes SK2 (yes, SK2), and attacker B publishes SK4, the movie is decrypted too. Of course LA knows that the player of attacker A is a member of groups 3 or 4 (50% of all players, no news here). Now the funny thing: LA just knows that the player of attacker B is a member of groups 2 or 4 (50% of all players). LA is not getting new information from attacker B; it is not getting additional information from the fact that 2 columns are used to decrypt if the SKs are from different players.

If 2 columns are used to decrypt then a link to the second column is needed, but this link is the same for everybody; it always decrypts DEADBEEF. Peter just needs SK2 (to get the link) and SK4 (to decrypt).

Last edited by xyz987; 10th March 2007 at 14:37.
10th March 2007, 20:18 | #182
Registered User
Join Date: Mar 2003
Location: Germany
Posts: 215
let's say the unconditional SK (SK1) was rejected. then SKB wants to have one conditional SK (SK2) from a specific column. why can't this SK (SK2) be from another player than SK1? SK2 being from the right column obviously. i mean SKB just wants one SK from the right conditional column. how could SKB know these SK are from different columns?

Last edited by ErazorTT; 10th March 2007 at 20:21.
11th March 2007, 13:55 | #183
Registered User
Join Date: Jan 2007
Posts: 274
Think about this question, previously mentioned in this thread, as you think about arnezami's comments. Suppose the LA began to assign their "sets of SKs" by giving the first device the first SK in every row, and the second device the first SK in every row except the last column (#256) where they assigned the SK from row 2. The third gets the same, except the SK in the third row for the last column. The first 2^16 devices get the same SK (from first row) in the first 155 columns and a different one in the last column only. Then the 2^16 plus one device gets the first SK in every row except the 255th column. He gets the SK from row one in column 256; the 2^16 plus 2 device increments the SK in the last column just like the second device did. He gets the second row SK in column 256. If you proceed this way, every device will get a "unique set of SKs" and yet we are done assigning devices SKs when we fill the last two columns. Everyone got the same SK in the first 254 rows!

The point is that there are only 2^32 devices, yet there are 2^4096 different "unique sets of SKs" from the master matrix. The method described above made the sets of SKs as similar as possible. I don't think they assigned a device multiple identical SKs, even though they could. I think they assigned them sets of SKs that are as different as possible, not as similar as possible or something in between those limits. I think they made the sets as different as possible so that they could identify the device as easily as possible knowing as few as possible of their SKs.

The question is: What happens if a device having a set of SKs that was not actually assigned by the LA tries to process an SKB by following the table (I see that arnezami has posted it for our convenience)? This is key to understanding your idea of mixing SKs from two different devices to hide where the SKs came from. A mixed set of SKs is likely to be one of the 2^4096 possible sets that was never actually assigned to any device.

A related question is: How did the LA assign SKs to devices? More specifically, if device A has an SK and device B has the same SK, do they share any other SKs?

Sorry - even my short post is long, and all I did was point out some key questions. (BTW, do you agree that every 64 bit SK in every one of the 2^24 cells is probably a unique number, so that knowing the SK's 64 bit value uniquely identifies its row and column?)

Last edited by FoxDisc; 11th March 2007 at 13:58.
12th March 2007, 01:21 | #184
Registered User
Join Date: Dec 2006
Posts: 142
Any SK from an unrevoked player will output either a link to the next column or the final Variant Data. There are no more possibilities.
Last edited by xyz987; 12th March 2007 at 01:30.
13th March 2007, 16:19 | #185
Registered User
Join Date: Jan 2007
Posts: 274
You say: "All the players have a SK at column 5." That's true. Let's be clear on why you are saying that. A first player A has looked at column 1 in the SKB. He has a compromised SK for that column, so instead of getting a key K, he decrypts a link to column 5. OK, now we know that if this device is revoked, when he goes to column 5, he'll decrypt a zero in that column. If he's not revoked, he'll decrypt the key K from column 5. He could disclose his second uncompromised SK for column 5, but that requires disclosing two SKs from the same set of SKs. The more keys he discloses the more the LA knows about him. Every device has a unique set of SKs and as the specs say: "The fundamental principle is that no two devices have many [sequence] keys in common."

The attacker wants to keep secret his SKs. Of course, the LA knows that is exactly what he wants to do. As they put it: "Attackers would prefer to use already-compromised Sequence Keys if they could, so that no new forensic information could be deduced by the licensing agency. Therefore, it is important that compromised keys are no longer usable by the attackers. The problem is that many thousands of devices might share a single compromised key."

Anyway, back to your comment which is: "All the players have a SK at column 5." I believe you are saying this because you are not going to use player A's sequence key for column 5 (which will work to decrypt a valid key K) but instead, you are going to use someone else's SK from column 5. The problem is that when you look at column 5, you get a list of keys encrypted with SKs. You need one of the SKs that the LA actually used to encrypt the answer K in that column so you can decrypt it. However, they didn't use everyone's SK from column 5. They only used SKs from people who had the same SK in column 1 that player A had. If you have an SK in column 5 that can decrypt a key K in column 5, then you also had the same key that player A had in column 1.

Perhaps you are lucky, and player B disclosed a key for column 5 that works. Then player B and player A both had the same key in column 1. It's true that player A remains anonymous, but so what? He didn't give out enough information to decrypt anything. Player B gave out enough info to decrypt, but he's no longer anonymous and will be revoked.

Now, you can say this: There are only 2^16 keys in column 5. Every one of 2^32 players gets a key in column 5, so 2^16 players (or more) share a key in this column. I'll just get one from someone who did not have player A's key in column 1. But is there any such player? The answer is no. More specifically, if their key in column 5 was used to encrypt the answer K, then they had the same key in column 1. Everyone has a key in column 5, but not everyone needs to go to column 5, and not every SK from column 5 will decrypt an answer K.

Although we don't know exactly what they did with SK key assignment, we know what they wanted to do. Unless they made a serious stupidity mistake, they only encrypted with SKs from column 5 if that SK in column 5 was assigned to a player that had the SK in column 1 that sent them to column 5 via the link in column 1.

Sorry about the delay in responding.

Last edited by FoxDisc; 13th March 2007 at 17:15.
13th March 2007, 17:28 | #186
Registered User
Join Date: Jan 2007
Posts: 274
SK2 can be from another player (call him "X"), but for it to be of any value, the LA must have encrypted the answer key K in the conditional column with the SK2 from player X. The only reason a player would be decrypting something in the conditional column is if it was sent there by the unconditional column. Why would the LA put the answer K there for an unauthorized player to decrypt?
13th March 2007, 20:27 | #187
Registered User
Join Date: Jan 2007
Posts: 274
In contrast, attackers want to disclose only commonly assigned SKs to prevent identification. I think we'll have to wait to see the first SKBs to understand how they intend to implement the tracing system. I agree that there are limits imposed by the size of the SKB. As we know, they did a poor job with the initial implementation of the MKB system. Only one Processing Key was used. I doubt we'd have guessed that just by reading the specs.
13th March 2007, 20:52 | #188
Registered User
Join Date: Sep 2006
Posts: 390
On a sidenote: I think I have devised a (cryptographically sound) way for several people who have found sequence keys to see if they have any sequence keys in common without releasing the sequence keys themselves. It's pretty complicated and mainly uses some XOR techniques (and some private/public key pairs for each participant). But it could in principle be done on a forum or a specially designed website.

Anyway. It's not very practical yet and not very efficient. So I'm still trying to make it better. But since this is not needed yet I can take my time. But I think it's a good idea to think about this stuff sooner rather than later. The more people we can get involved the better when it comes to finding and releasing common SKs (if/when we can't use Software Players for retrieving SKs anymore, that is). If we can create a system that does it safely for people, more will consider and do it.

Regards,

arnezami

PS. It has some similarities with the techniques used for herbivore (but it's different because herbivore focuses on privacy while we want to compare notes without actually releasing the notes). Which is hard btw.

Last edited by arnezami; 13th March 2007 at 21:16.
13th March 2007, 21:52 | #189
Registered User
Join Date: Jan 2007
Posts: 274
I don't think I'd call it a "sidenote." As I was writing one of those posts about how the attacker wants to use only shared keys and the LA wants to reduce the number of shared keys I was thinking how hard it would be to find out how many keys were "shared" without disclosing/compromising them. As usual, it looks like you are thinking way ahead.
13th March 2007, 21:58 | #190
Registered User
Join Date: Sep 2006
Posts: 390
14th March 2007, 01:33 | #191
Registered User
Join Date: Dec 2006
Posts: 142
Let's say attacker A has published a SK that is at the 12,543rd row of the 123rd column (let's say the 123rd column was the "first" column at the Shrek1 SKB). Now you are LA, and you are designing the SKB of Shrek2. Please tell me what your SKB is, and I will tell you how it sinks when the second attacker publishes his SK. Of course, you must specify all the data of a real SKB. For short you can start saying just some basic data, but if I ask you, you must tell me any data that anybody can read on a SKB. Of course, you know nothing about attacker B. He has not published any SK yet. Of course, your SKB must allow any player to decrypt. You can choose any SK distribution on players, but there are more than 32 million of them. There is just one SK per matrix cell (we agreed on it before), i.e. all the players that have a SK at row r of column c will have the same SK. Let's start the game...

Last edited by xyz987; 14th March 2007 at 01:43.
14th March 2007, 02:53 | #192
Registered User
Join Date: Jan 2007
Posts: 274
It would help if you would explain more.
14th March 2007, 03:47 | #193
Registered User
Join Date: Dec 2006
Posts: 142
How many columns are at the Shrek1 SKB? How many rows at each column? You say that the SK of attacker A is not enough to decrypt. This implies that all the players get at the first column a link to another column. Do you agree? Everybody knows the published SK, so everybody can know which column this SK outputs a link to. Which is this column at the Shrek1 SKB? (second, third...). Which is its column number? (a link to this column can decrypt the column number that is stored on the SKB). Note I am asking two different things.

Last edited by xyz987; 14th March 2007 at 03:59.
14th March 2007, 12:10 | #194
Registered User
Join Date: Mar 2003
Location: Germany
Posts: 215
2. so you say the link key can be used only with one specific SK from the column? could you please say why you think that, and where it is written in specs? by the way, i don't see how LA could do this, technically.

3. for safety reasons i think i'd better explain how i interpret the picture on page 22 of prerecorded (the picture we have in this thread): "The first column will have an encryption of the output key (denoted ‘K’ in the figure) in every uncompromised Sequence Key’s cell" AND "The subsequent additional conditional columns are produced the same way as the first column: They will have an encryption of the output key in every uncompromised Sequence Key’s cell."

what i understand by that: in each column (of the SKB) there is an "answer" for every SK of one column (from the master matrix). the answer can be either the output key (K) or the link key (link).

so how does it work: "Devices that do not have compromised keys in that [unconditional] column immediately decrypt the output key." this answers one question from xyz's last post! "Devices with a compromised key will get a further link key to another column instead of the output key." AND "If the header decrypts correctly, the device knows it has a link key and processes the column. If it does not decrypt correctly, the device knows it has either the output key or a link key for a different column."

they don't say anything about SKs in right columns which are however wrong! so i think every (not compromised) SK from the right column can decrypt the output key. if you don't agree please explain by referring to specs.

Last edited by ErazorTT; 14th March 2007 at 12:39.
14th March 2007, 13:58 | #195
Registered User
Join Date: Jan 2007
Posts: 274
Last edited by FoxDisc; 14th March 2007 at 14:36.
14th March 2007, 14:19 | #196
Registered User
Join Date: Jan 2007
Posts: 274
Remember, there are 2^4096 unique sets of SKs and only 2^32-512 devices. The LA knows which of the 2^4096 sets are valid and which are not valid. Broadly speaking, the question above is all about what happens when you try to decrypt with an invalid set of SKs.

If they had used only 2 columns instead of 256, they could have issued 2^32 unique sets of SKs. Why do you think they used 256 columns? It's because the 2 column scenario uses too many shared keys. Every combination is valid for someone, so even though it's unique, you can't be sure if the keys were from the same attacker or from two attackers who shared their keys to look like an innocent user.

You and xyz keep looking at the shared key situation and are not focusing on the fact that most combinations are not valid, were never issued, are known by the LA to be invalid and won't decrypt the title.

Last edited by FoxDisc; 14th March 2007 at 14:35.
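An added worked example, not part of this thread and not AACS code, that models the argument of this post together with the column-5 argument in #185 and the 2x2 case in #181. Everything in it is constructed: the per-cell sequence keys, the device-to-key assignment, the cell format (a 4-byte header that only the right SK reproduces, then an XOR-masked payload, a toy stand-in for a real cipher) and the SKB-building rule, which follows FoxDisc's reading that a conditional column carries the output key only in cells of SKs held by devices that were linked there by the compromised key. With two columns every mixed pair of keys is also some group's own set, so mixing hides nothing but also breaks nothing; with three columns a mixed set can land on a cell the LA never filled.

```python
"""Toy simulator of a sequence-key block (SKB) with linked conditional columns.
Added illustration for this thread, not AACS code: the master-matrix keys, the
device-to-key assignment, the cell format and the XOR masking are constructed
here, and the SKB-building rule follows the reading argued in the thread."""
import hashlib

KEY_LEN = 16
LINK, OUTPUT, ZERO = b"L", b"K", b"Z"          # payload type tags (constructed)

def sk_for_cell(col, row):
    """One constructed sequence key per cell (column, row) of the master matrix."""
    return hashlib.sha256(f"toy-SK:{col}:{row}".encode()).digest()

def _pad(sk, label, n):
    """Deterministic key-derived byte stream; a toy stand-in for a real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(sk + label + bytes([ctr])).digest()
        ctr += 1
    return out[:n]

def cell_encrypt(sk, payload):
    """A cell is a 4-byte header only the right SK reproduces, then the masked payload."""
    mask = _pad(sk, b"pay", len(payload))
    return _pad(sk, b"hdr", 4) + bytes(a ^ b for a, b in zip(payload, mask))

def cell_decrypt(sk, cell):
    """Return the payload if the header 'decrypts correctly', otherwise None."""
    if cell[:4] != _pad(sk, b"hdr", 4):
        return None
    body = cell[4:]
    return bytes(a ^ b for a, b in zip(body, _pad(sk, b"pay", len(body))))

def _column(matrix_col, num_rows, payloads):
    """Lay out one SKB column: every row gets a cell, unused rows get filler bytes."""
    cells = []
    for row in range(num_rows):
        if row in payloads:
            cells.append(cell_encrypt(sk_for_cell(matrix_col, row), payloads[row]))
        else:  # the LA encrypted nothing under this SK; no device key opens this cell
            cells.append(hashlib.sha256(f"filler:{matrix_col}:{row}".encode()).digest()[:5 + KEY_LEN])
    return matrix_col, cells

def build_skb(assignment, compromised_rows, revoked, output_key):
    """assignment: {device: (row in matrix column 0, row in column 1, ...)}.
    SKB column 0 is the unconditional column (matrix column 0).  Each compromised
    row of column 0 links to its own conditional column, which uses the next
    matrix column.  Revocation in this toy acts only inside conditional columns."""
    num_cols = len(next(iter(assignment.values())))
    num_rows = 1 + max(r for rows in assignment.values() for r in rows)
    uncond, conditional = {}, []
    for row in sorted({rows[0] for rows in assignment.values()}):
        if row not in compromised_rows:
            uncond[row] = OUTPUT + output_key
            continue
        target = 1 + len(conditional)        # SKB index == matrix column it uses
        assert target < num_cols, "toy model: one matrix column per conditional column"
        uncond[row] = LINK + bytes([target]) + bytes(KEY_LEN - 1)
        payloads = {}
        for device, rows in assignment.items():
            if rows[0] != row:               # only devices linked here get a cell
                continue
            if device in revoked:            # a zero, unless an innocent shares the cell
                payloads.setdefault(rows[target], ZERO + bytes(KEY_LEN))
            else:
                payloads[rows[target]] = OUTPUT + output_key
        conditional.append(_column(target, num_rows, payloads))
    return [_column(0, num_rows, uncond)] + conditional

def process(skb, holdings):
    """Walk the SKB with holdings = {matrix_col: row}.  A genuine device holds one
    key per column; a mixed set need not.  Returns the output key, 'revoked', or None."""
    col_idx = 0
    for _ in range(len(skb)):                # links only move forward, so this bounds the walk
        matrix_col, cells = skb[col_idx]
        row = holdings.get(matrix_col)
        if row is None or row >= len(cells):
            return None
        payload = cell_decrypt(sk_for_cell(matrix_col, row), cells[row])
        if payload is None:
            return None                      # header failed: the LA never used this key here
        if payload[:1] == OUTPUT:
            return payload[1:]
        if payload[:1] == ZERO:
            return "revoked"
        col_idx = payload[1]                 # LINK: continue in the conditional column
    return None

def demo():
    """Constructed devices; tuples give the row each device holds in columns 0, 1, 2."""
    key = bytes(range(KEY_LEN))
    three = {"A": (0, 0, 0), "B": (0, 1, 2), "C": (1, 2, 1), "D": (2, 0, 2)}
    skb = build_skb(three, compromised_rows={0}, revoked=set(), output_key=key)
    out = {name: process(skb, dict(enumerate(rows))) for name, rows in three.items()}
    out["A0+C1 (never issued)"] = process(skb, {0: 0, 1: 2})   # lands on filler
    out["A0+B1 (B shares A's column-0 key)"] = process(skb, {0: 0, 1: 1})
    skb_rev = build_skb(three, {0}, revoked={"A"}, output_key=key)
    out["A after revocation"] = process(skb_rev, dict(enumerate(three["A"])))
    out["B after revocation"] = process(skb_rev, dict(enumerate(three["B"])))
    # the 2x2 case of post #181: every mixed pair is also some group's own set
    two = {"g1": (0, 0), "g2": (0, 1), "g3": (1, 0), "g4": (1, 1)}
    skb2 = build_skb(two, {0}, set(), key)
    out["2x2 mixed SK1+SK4"] = process(skb2, {0: 0, 1: 1})
    return out
```

`demo()` returns a dict of outcomes: all four genuine devices recover the key; the mixed set built from A's leaked column-0 key and C's column-1 key fails because the LA filled no cell under C's key in the conditional column; the mixed set from A and B works, which is exactly the inference in #185 (B must share A's column-0 key); after revoking A only A decrypts a zero; and in the 2x2 matrix the mixed pair is simply group 2's own set.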
14th March 2007, 15:46 | #197
Registered User
Join Date: Jan 2007
Posts: 274
@Erazor and xyz
Perhaps we can agree on some basics. Look at the graphic: Can we agree on what is required to decrypt column 4 and get a valid answer key K in that column? Tell me what minimum information you think is needed for just that one column.
14th March 2007, 21:16 | #198
Registered User
Join Date: Jan 2007
Posts: 274
It is amazing what you find on the web. We have been wandering in the dark on sequence keys as we don't know how they are assigned and we've never seen an actual SKB.
Try this link: http://domino.watson.ibm.com/library/CyberDig.nsf/papers/7158161AA398C8CE8525722200570F64/$File/rj10394.pdf It describes limitations of the SKB tracing system, anonymous colluding attacks and non-anonymous attacks (the literature calls them "clone decoder attacks"). It's apparently written by those who designed the AACS SK system. Part of it is word for word identical to the AACS spec description of the SK system. Fascinating reading.

Last edited by FoxDisc; 15th March 2007 at 16:22.
14th March 2007, 21:33 | #199
Registered User
Join Date: Sep 2006
Posts: 390
15th March 2007, 16:38 | #200
Registered User
Join Date: Jan 2007
Posts: 274
I had planned to discuss some of your really interesting comments/questions from one of your earlier posts - like how many different Dvs there are and how many different answer keys K are in a single column of an SKB and how different players and different disks would move through the SKBs. There are some hints to the answers to those questions in that paper.
As I read it, the system is probabilistic, not deterministic (they run some probability of revoking an innocent player when they revoke traitors). They can set that probability as low as they want (they used one in a million in the paper). Another interesting thing was that attackers that are randomly distributed among devices were easier to defend against than attackers who all had the same manufacturer or model of player. You would think that one model would be weaker and that most attacks would be by that one compromised model, yet they designed it so that likely scenario puts the most strain on the system. At some point, given enough attacks by a single mnfr/model, they say the AACS system would fail.