Presentation is loading. Please wait.

Presentation is loading. Please wait.

HDCP1.4+ Material for Certification 10 August 2012 Sony Corporation 2012/8/10 Sony Confidential 1.

Published byThomasina Stokes Modified over 8 years ago

Similar presentations

Presentation on theme: "HDCP1.4+ Material for Certification 10 August 2012 Sony Corporation 2012/8/10 Sony Confidential 1."— Presentation transcript:

1 HDCP1.4+ Material for Certification 10 August 2012 Sony Corporation 2012/8/10 Sony Confidential 1

2 Introduction - What’s HDCP1.4+? HDCP1.4: Specification: http://www.digital-cp.com/files/static_page_files/DAD40C4C-1A4B-B294- D0E92C72CFE974A0/HDCP%20Specification%20Rev1_4_Secure.pdf http://www.digital-cp.com/files/static_page_files/DAD40C4C-1A4B-B294- D0E92C72CFE974A0/HDCP%20Specification%20Rev1_4_Secure.pdf Licensing(Compliance Rule and Robustness Rule): HDCP License Agreement: http://www.digital-cp.com/files/static_page_files/26D315BF-1A4B-B294- D04BB484EE81591E/HDCP%20License%20Agreement0831_2011_clean%20_2_.pdf http://www.digital-cp.com/files/static_page_files/26D315BF-1A4B-B294- D04BB484EE81591E/HDCP%20License%20Agreement0831_2011_clean%20_2_.pdf Addendum to HDCP License Agreement http://www.digital-cp.com/files/static_page_files/62BFCBA3-1A4B-B294- D09C885021187455/HDCP%202%200%20Addendum_Clean_FINAL2_04_30_11_ver2.pdf http://www.digital-cp.com/files/static_page_files/62BFCBA3-1A4B-B294- D09C885021187455/HDCP%202%200%20Addendum_Clean_FINAL2_04_30_11_ver2.pdf HDCP1.4 Purported Hack: It was reported that HDCP1.4 Master Key was published. HDCP1.4 technology provider, i.e. Intel confirmed the ability of the published Master Key to generate interoperable device key sets. HDCP1.4+: Some technical schemes will be added to enhance HDCP1.4. Note that all the HDCP1.4 schemes are applied as they are. In other words, HDCP1.4+ = HDCP1.4 & additional schemes. Compliance and Robustness Rule of HDCP1.4+ are same as latest HDCP (i.e. HDCP License Agreement and Addendum to HDCP License Agreement) 2012/8/10 Sony Confidential 2

3 HDCP1.4 HDCP1.4 (Slide#3): Data for HDCP1.4 Authentication (D 1.4auth ): Includes pseudo-random value(An), Key Selection Vector(KSV) etc. which are exchanged between Source and Sink as defined in HDCP1.4 specification. 1 st step: D 1.4auth are exchanged between Source and Sink as plain-text by HDCP1.4 Authentication scheme to share session key(Km/Km’). 2 nd step: Stream data is encrypted by Source and decrypted by Sink using key derived from D 1.4auth. HDCP1.4 Purported Hack: It was guessed that any session key(Km/Km’) can be calculated if the following conditions are met: Some sets (40?) of HDCP1.4 Device Key Sets are available, Reverse engineering or purchase from licensor? D 1.4auth between Source and Sink is available. Monitoring is easy because D 1.4auth is transferred as plain-text. If Session Key(Km/Km’) and D 1.4auth are available, HDCP1.4 protected stream can be decrypted. This means that man-in -the-middle-attack would be successful. 2012/8/10 Sony Confidential 3

4 HDCP1.4 (Illustrated) 2012/8/10 Sony Confidential 4 Source Device(A)Sink Device(B) HDCP1.4 Authentication 1. Share Session Key (Km/Km’) 2. Stream Encryption HDCP1.4 Encryption Plain baseband stream HDCP Enc HDCP Dec D 1.4auth D 1.4auth : Data for HDCP1.4 Authentication

5 HDCP1.4+ Problem for HDCP1.4: If an attacker has sufficient sets of HDCP1.4 Device Key Set, HDCP1.4 protected stream can be decrypted by the man-in-the-middle attack. Countermeasure: Use K auth ' instead of An K auth is shared securely between Source and Sink by Additional Authentication as described later. The least significant 64-bit of x-coordinate of K auth is used as K auth ’. Effect: 64-bit pseudo-random value An (i.e. K auth ’ in case of HDCP1.4+) can be protected from attacker. An is defined in HDCP1.4 specification, 2.2.1 First Part of Authentication Protocol. This means that an attacker cannot perform the HDCP Cipher successfully to decrypt HDCP1.4 protected contents. HDCP Cipher is defined in HDCP1.4 specification, 4 HDCP Cipher. Only way to attack would be a brute force attack for 64-bit key. Other data (e.g. KSV) than An could be monitored between Source and Sink during the normal HDCP1.4 Authentication, because most HDCP1.4+ capable Source/Sink are assumed to support both 1.4 and 1.4+. On the other hand, K auth ’ cannot be monitored because this value is shared by more robust Additional Authentication. 2012/8/10 Sony Confidential 5

6 HDCP1.4+ (Illustrated) 2012/8/10 Sony Confidential 6 Source Device(A)Sink Device(B) Additional Authentication HDCP1.4 Authentication 0. Share Additional Session Key (K auth ) 1. Share Session Key (Km/Km’) 2. Stream Encryption HDCP1.4 Encryption Replace An with K auth ’ HDCP Enc HDCP Dec Plain baseband stream K auth D 1.4auth (incl. An) D 1.4auth (incl. An) D 1.4auth ’ D 1.4auth : Data for HDCP1.4 Authentication K auth ’: The least significant 64-bit of x-coordinate of K auth D 1.4auth ’: D 1.4auth whose An is replaced by K auth ’ Replace An with K auth ’ D 1.4auth ’

7 Additional Authentication Purpose: To share Additional Session Key(K auth ) which is used instead of An Overview: Diffie-Hellman key distribution method using ECDSA algorithm Widely available method in various services Bit length of ECDSA private key is 160 bits. Both Source and Sink have the following issued by CA(Licensor): ECDSA private key (Secrecy required) ECDSA public key certificate signed by CA(Licensor) Revocation List is also issued by CA(Licensor). Source will stop transferring data if Sink is revoked. After the authentication, shared data will be K auth. 2012/8/10 Sony Confidential 7

8 Additional Authentication (Illustrated) 2012/8/10 Sony Confidential 8 Source(A)Sink(B) Revocation List Brand||Bcert Arand||Acert Av||Asig Bv||Bsig Apriv: Private key for A Acert: Certificate for A Generate random number Brand Verify Bcert and check if this is included in Revocation List Generate random number Arand Verify Acert Generate random number Ak Av=Ak G Asig=Sign(Apriv, Brand||Av) Generate random number Bk Bv=Bk G Bsig=Sign(Bpriv, Arand||Bv) Verify(Apub, Asig, Brand||Av) Verify(Bpub, Bsig, Arand||Bv) K auth = Ak Bv This is based on Diffie-Hellman key distribution using ECDSA. G: Base Point of Elliptic Curve K auth = Ak Bv Bpriv: Private key for B Bcert: Certificate for B Private key and Certificate are securely stored in device in advance. Updated if it is newer and the signature is verified

9 Replace An with K auth ’ Purpose: To protect An from an attacker Overview: K auth is shared between Source and Sink by robust Additional Authentication. K auth is a 320-bit value of (160-bit x-coordinate, 160-bit y-coordinate). To support current HDCP1.4 scheme as it is, An is exchanged between Source and Sink by HDCP1.4 Authentication. However, An is not used for HDCP1.4 Encryption/Decryption. K auth ’ (the least significant 64-bit of x-coordinate of K auth ) is used instead of An during HDCP1.4 process. 2012/8/10 Sony Confidential 9

10 Replace An with K auth ’ (Illustrated) 2012/8/10 Sony Confidential 10 Source(A)Sink(B) First Part of HDCP1.4 Authentication Protocol (refer to HDCP1.4 specification, Figure 2-1) Initiate Authentication: An, Aksv Bksv Generate random number An (Ks, M0, R0) = hdcpBlkCipher(Km, REPEATER || K auth ’) Additional Authentication Share K auth (Ks’, M0’, R0’) = hdcpBlkCipher(Km’, REPEATER || K auth ’) Plain-text

11 Revocation List for Additional Authentication Purpose: To revoke Sink by Source Overview: Revocation List is securely stored (i.e. cannot be replaced by an attacker) in Source device when shipping. Also, stored Revocation List is updated when Source device encounters a newer Revocation List. Before storing, Source device verifies the signature of the Revocation List signed by CA(Licensor). How is new Revocation List delivered?: Download latest revocation list with content Note: HDCP revocation of Source by Sink does not work. HDCP is optional for data transmission from Source device, because private contents are transferred as plain-text. Evil Source device would send pirated contents as plain-text, in other words, HDCP would not be initiated. That is why revocation does not work. 2012/8/10 Sony Confidential 11

12 Revocation List for Additional Authentication (Illustrated) 2012/8/10 Sony Confidential 12 Source(A)Sink(B)Server Content, Revocation List Version comparison Downloaded Revocation List Stored Revocation List Replace stored RL by downloaded RL, if downloaded RL is newer Signature verification If verified Additional Authentication Check if Sink is included in RL Revocation List

Download ppt "HDCP1.4+ Material for Certification 10 August 2012 Sony Corporation 2012/8/10 Sony Confidential 1."

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
Key Management Nick Feamster CS 6262 Spring 2009.

Key Management Nick Feamster CS 6262 Spring 2009.
Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.

Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.
Using Cryptography to Secure Information. Overview Introduction to Cryptography Using Symmetric Encryption Using Hash Functions Using Public Key Encryption.

Using Cryptography to Secure Information. Overview Introduction to Cryptography Using Symmetric Encryption Using Hash Functions Using Public Key Encryption.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,

1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
Lecture 5: Email security: PGP Anish Arora CIS694K Introduction to Network Security.

Lecture 5: security: PGP Anish Arora CIS694K Introduction to Network Security.
Public Key Algorithms …….. RAIT M. Chatterjee.

Public Key Algorithms …….. RAIT M. Chatterjee.
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.
Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.

Dr. Lo’ai Tawalbeh Summer 2007 Chapter 9 – Public Key Cryptography and RSA Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus INCS.
First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.

First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography April 20, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Cryptography April 20, 2010 MIS 4600 – MBA © Abdou Illia.

Similar presentations

Ads by Google