Академический Документы
Профессиональный Документы
Культура Документы
(CSS)
•It is not warranted for any purpose. Use at your own risk.
“Secret Key”
&c
taps
feedback path
Feedback Function
17 4
feedback 15 1 taps
path
Exclusive Or (XOR)
output
•This register is initialized, or salted with two bytes of or derived from the key
•During the salting, a 1-bit is injected a bit 4, to ensure that the register doesn’t start
out with all 0s and null-cycle.
•The value being shifted in is used as the output, not the typical output bit, which in the
case of CSS goes off into the ether.
CSS: LFSR-25
garbage
25
feedback 15 5 4 1 taps
path
Exclusive Or (XOR)
output
•This register is initialized, or salted with three bytes of or derived from the key
•During the salting, a 1-bit is injected a bit 4, to ensure that the register doesn’t start
out with all 0s and null-cycle.
•The value being shifted in is used as the output, not the typical output bit, which in the
case of CSS goes off into the ether.
CSS: LFSR Addition
key
1 byte
LFSR-17
8 ticks
Optional bit-wise inverter
Output byte
+ 8-bit add
key
1 byte
LFSR-25 carry-out
8 ticks
Optional bit-wise inverter
carry-out
from prior
addition
LFSR Output Inversion
Table-based
Input data byte substitution
• Sector LFSR-17 is seeded with bytes 0 and 1 of the title key XORed with byte 80 and
81 of the sector header. A 1 is injected at bit 4, shifting everything right by one bit.
• LFSR-25 is seeded with bytes 2, 3, and 4 of title key XORed with bytes 82, 83, and 84
of the sector header. A 1 is injected at bit 4, shifting everything right by one bit.
• The output of LFSR-17 is bit-wise inverted before adding to LFSR-25.
• Much as with DES, a table-based substitution is performed on the input data.
CSS: Key Decryption
Bytes of 2
0 1 3 4
Ciphertext
Table Table Table Table Table
lookup lookup lookup lookup lookup
Lk Lk Lk Lk
+ + + + + Lk
Note: Lk is the input byte decrypted using the same scheme as shown for data bytes,
with the inverters set for the key type.
Disk and Player Keys
• Each player has a small number of keys
• Each disk is encoded using a disk key.
• Each disk contains a hidden sector. This sector is pre-written to
all 0’s on writable DVDs.
• This sector holds a table containing the disk key encrypted will all
409 possible player keys.
• It also holds the disk key encrypted with the disk key.
• The player decrypts the appropriate entry in the table and then
verifies that it has correctly decoding the disk key, by decoding
the encrypted disk key.
• The encryption mechanism is the same as we discussed earlier
for other keys.
Mutual Authentication
Host Drive
Request AGID
AGID
Initialization done Initialization done
ChallengeH (nonce)
Encrypt
Encrypted ChallengeH ChallengeH
Decrypt and verify
ChallengeH
ChallengeD (nonce)
EncryptedD
•Encryption is similar to data encryption, but a permutation is done before the LFSR cipher.
•A different permutation box is used for each of the three keys.
•
Weakness #1: LFSR Cipher
Brainless:
– 240 isn’t really very big – just brainlessly brute-force the keys
With 6 Output Bytes:
– Guess the initial state of LFSR-17.
– Clock out 4 bytes.
– Use those 4 bytes to determine the corresponding 4 bytes of
output from LFSR-25.
– Use the LFSR-25 output to determine LFSR-25’s state.
– Clock out 2 bytes on both LFSRs.
– Verify these two bytes. Celebrate or guess again.
– This is a 216 attack.
Weakness #1: LFSR Cipher (cont)
With 5 Output Bytes:
• Guess the initial state of LFSR-17
• Clock out 3 bytes
• Determine the corresponding output bytes from LFSR-25
• This reveals all but the highest-order bit of LFSR-25
• Try both possibilities:
– Clock back 3 bytes
– Select the setting where bit 4 is 1 (remember this is the initial
case).
– It is possible that both satisfy this – try both.
• Verify as before
• This is a 225 attack
Weakness #2: Mangled Output
(You might want to refer to the key decryption slide)