HDCP Master Key Leak

 

2010-09-18

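On Monday of this week, someone posted online a set of numbers that is claimed to be the HDCP master key. HDCP is a video encryption protocol used in consumer electronics such as DVD players and TVs. I don't know whether it is genuine, but for the sake of discussion, let's assume it is. What does this mean for the security of HDCP? And what does it mean for the industry, and for consumers?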

HDCP is used to protect high-def digital video signals "on the wire," for example on the cable connecting your DVD player to your TV. HDCP is supposed to do two things: it encrypts the content so that it can't be captured off the wire, and it allows each endpoint to verify that the other endpoint is an HDCP-licensed device. From a security standpoint, the key step in HDCP is the initial handshake, which establishes a shared secret key that will be used to encrypt communications between the two devices, and at the same time allows each device to verify that the other one is licensed.


As usual when crypto is involved, the starting point for understanding the system's design is to think about the secret keys: how many there are, who knows them, and how they are used. HDCP has a single master key, which is supposed to be known only by the central HDCP authority. Each device has a public key, which isn't a secret, and a private key, which only that device is supposed to know. There is a special key generation algorithm ("keygen" for short) that is used to generate private keys. Keygen uses the secret master key and a public key, to generate the unique private key that corresponds to that public key. Because keygen uses the secret master key, only the central authority can do keygen.


Each HDCP device (e.g., a DVD player) has baked into it a public key and the corresponding private key. To get those keys, the device's manufacturer needs the help of the central authority, because only the central authority can do keygen to determine the device's private key.


Now suppose that two devices, which we'll call A and B, want to do a handshake. A sends its public key to B, and vice versa. Then each party combines its own private key with the other party's public key, to get a shared secret key. This shared key is supposed to be secret---i.e., known only to A and B---because making the shared key requires having either A's private key or B's private key.


Note that A and B actually did different computations to get the shared secret. A combined A's private key with B's public key, while B combined B's private key with A's public key. If A and B did different computations, how do we know they ended up with the same value? The short answer is: because of the special mathematical properties of keygen. And the security of the scheme depends on this: if you have a private key that was made using keygen, then the HDCP handshake will "work" for you, in the sense that you'll end up getting the same shared key as the party on the other end. But if you tried to use a random "private key" that you cooked up on your own, then the handshake won't work: you'll end up with a different shared key than the other device, so you won't be able to talk to that device.


Now we can understand the implications of the master key leaking. Anyone who knows the master key can do keygen, so the leak allows everyone to do keygen. And this destroys both of the security properties that HDCP is supposed to provide. HDCP encryption is no longer effective because an eavesdropper who sees the initial handshake can use keygen to determine the parties' private keys, thereby allowing the eavesdropper to determine the encryption key that protects the communication. HDCP no longer guarantees that participating devices are licensed, because a maker of unlicensed devices can use keygen to create mathematically correct public/private key pairs. In short, HDCP is now a dead letter, as far as security is concerned.
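The handshake property and the effect of the leak can be seen in a toy model. This is an added example, not code from the original post and not HDCP's actual algorithm or parameters: it assumes a Blom-style construction in which the master key is a symmetric matrix and public keys are bit vectors, and the vector length, modulus, sample public keys and function names are all chosen here for illustration.

```python
import secrets

N = 8           # toy vector length (assumption, kept small for readability)
MOD = 2 ** 56   # toy modulus (assumption)

def make_master(n=N):
    """Central authority only: a random symmetric n x n matrix is the master key."""
    m = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i, n):
            m[i][j] = m[j][i] = secrets.randbelow(MOD)
    return m

def keygen(master, public):
    """Private key = master * public (mod MOD). Needs the master key."""
    return [sum(r * b for r, b in zip(row, public)) % MOD for row in master]

def shared_key(own_private, peer_public):
    """Handshake step: combine own private key with the peer's public key."""
    return sum(k * b for k, b in zip(own_private, peer_public)) % MOD

def demo():
    master = make_master()
    # Constructed sample public keys; these travel in the clear.
    pub_a = [1, 0, 1, 1, 0, 0, 1, 0]
    pub_b = [0, 1, 1, 0, 1, 0, 0, 1]
    priv_a, priv_b = keygen(master, pub_a), keygen(master, pub_b)

    # A and B run different computations but agree, because the
    # master matrix is symmetric: pub_b^T M pub_a == pub_a^T M pub_b.
    k_a = shared_key(priv_a, pub_b)
    k_b = shared_key(priv_b, pub_a)

    # A home-made "private key" that did not come from keygen
    # yields a different value, so the handshake fails.
    fake = [secrets.randbelow(MOD) for _ in range(N)]
    k_fake = shared_key(fake, pub_b)

    # After a leak, an observer needs only the master key and the two
    # public keys seen on the wire to recompute the session secret.
    k_observer = shared_key(keygen(master, pub_a), pub_b)
    return k_a, k_b, k_fake, k_observer

if __name__ == "__main__":
    k_a, k_b, k_fake, k_observer = demo()
    print("A and B agree:", k_a == k_b)
    print("home-made key agrees:", k_fake == k_a)
    print("observer with master key agrees:", k_observer == k_a)
```

Both security properties rest entirely on the secrecy of the matrix: once it is public, confidentiality and the "licensed device" check fail together, and no per-device revocation can restore them.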


(It has been a dead letter, from a theoretical standpoint, for nearly a decade. A 2001 paper by Crosby et al. explained how the master secret could be reconstructed given a modest number of public/private key pairs. What Crosby predicted---a total defeat of HDCP---has now apparently come to pass.)


The impact of HDCP's failure on consumers will probably be minor. The main practical effect of HDCP has been to create one more way in which your electronics could fail to work properly with your TV. This is unlikely to change. Mainstream electronics makers will probably continue to take HDCP licenses and to use HDCP as they are now. There might be some differences at the margin, where manufacturers feel they can take a few more liberties to make things work for their customers. HDCP has been less a security system than a tool for shaping the consumer electronics market, and that is unlikely to change.

