One may condemn this anxiety with which literature concerns itself about itself as sheer complacency. Literature may, in all this restlessness, assure itself ever so much of its nullity, its lack of seriousness, its insincerity; precisely its tendency toward such exaggeration is what it is reproached for. It gives itself the appearance of importance by making itself an object of doubt. It confirms itself by devaluing itself. It even seeks itself: that is more than it is permitted. For it is perhaps one of those things that deserve to be found but not to be sought.
From his first step, Hegel says in essence, the individual who wants to write is caught in a contradiction: in order to write, he needs the talent to write; but considered in itself, talent is nothing. As long as he has not sat down at his table, has not written a work, the writer is not a writer and does not know whether he has the ability to become one. He has talent only after he has written, but he needs talent in order to write.
The writer is no idealistic dreamer; he does not immerse himself in contemplating the inwardness of his beautiful soul, nor does he bury himself in the certainty of his talents. Rather, he puts his talents to work, that is, he needs the work he produces in order to become conscious of them and of himself. The writer finds himself, realizes himself only through his work; before he has created his work, he not only does not know who he is, he is nothing.
But how, if he exists only through his work, can the work in turn exist? The individual, says Hegel, cannot know what it is until it has brought itself to reality through its action. It therefore seems unable to determine the purpose of its action before it has acted; yet at the same time, being consciousness, it must have the action before it beforehand as entirely its own, that is, as purpose. How could the writer posit his work as the conscious purpose of his conscious actions if he did not already have it before him as a fully formed design? But if the work is already wholly present in his mind, and this presence is essential to the work, why should he still realize it? Either, as an inner project, it is everything it will be, and from that moment the writer knows everything it can teach him, so that, without translating it into words, without writing it, he leaves it in his realm of shadows; but then he will not write and will not be a writer. Or else he realizes that his work can only be realized, that it has value, truth and reality only through the words that unfold it in time and inscribe it in space, and he begins to write, starting from nothing, heading toward nothing, and working like a nothing into nothingness.
An author who writes for an audience is in truth not writing: it is then the audience that writes, and for that reason it can no longer be a reader; its reading is mere semblance, in reality null. Hence the insignificance of works written in order to be read: no one reads them. Hence the danger of writing for others, in order to help others find speech and to find oneself; for the others do not ask to hear their own voice but another's voice, a real, unfathomable voice that is as disturbing as the truth.
The work created by the solitary one and confined to solitude contains within it a view that interests everyone, passes an implicit judgment on other works and on the problems of the age; it makes itself the accomplice of what it abandons, and its indifference hypocritically shares in the passion of all.
The deception has several causes. The first is, as we have just seen, that literature consists of distinct moments that diverge and oppose one another. Honesty, analytic by nature, wants to see through this truth; it separates the moments. Before its gaze pass in succession the author, the work, the reader; the art of writing, what is written, the truth of what is written, or the thing itself; the writer who is work, the movement of a realization indifferent to what it has to realize; the writer who is the result of this work, who owes his standing to the result and not to that work, which is as real as the object it produces; finally the writer who is no longer affirmed but negated by this result and who seeks to save the transient work by saving its ideal, the truth of the work. He is the movement, posited as an indifferent succession, that gathers and unites.
-Write in order to say nothing
-Write in order to say something
-No work, but the experience of yourself, the recognition of what is unknown to you
-A work! A real work that means something to others and is recognized by them
-erase the reader
-Extinguish yourself before the reader
-Write in order to be truthful.
-Write for the truth
-then be a lie, for to write with regard to truth is to write what is not yet true and perhaps never will be.
-No matter. Write in order to act.
-Write, especially you, who are afraid to act.
-let freedom speak within you.
-Ah, do not let freedom congeal into a mere word for you. -
Maurice Blanchot
The Security Industry
---------------------
Then in the U.S. music scene there was big changes made
Due to circumstances beyond our control... such as payola
The rock n roll scene died after two years of solid rock
- The Animals, circa 1964
There is little doubt that the explosion of the security industry has
directly coincided with the decline of the hacking scene. The hackers
of the eighties and nineties became the security professionals of the
new millennium, and the community suffered for it.
The fact is that hackers, mostly on an individual basis, decided to
use their passion as a source of income. Whether this is good, bad,
or just pragmatic is completely irrelevant. Nearly all the hackers that
could get jobs did. For the individuals that decision has been made (for
better or worse), and in general there's nothing that will change this.
This was a hacker exodus. What really mattered was not the loss of any
individuals, but the cumulative effect this had on the underground. The
more hackers that left the underground for a corporate life, the fewer
that came in. And those who stayed became entrenched, increasingly
disconnected.
Collaboration in this new age of career hackers has all but ceased to
exist. Individuals are now obsessed with credit. For their career, for
their standing in the community, it must be absolutely clear who this
research, this vulnerability, or even this opinion belongs to.
There is no trust in this corporate community; an underground issue
greatly amplified by corporate motivations. A single person can go months
or even years without telling anyone exactly what he is working on, and
what's more, will be genuinely worried about someone "publishing" their
results before him. There is no respect for the information he holds,
no belief that information should be free, no belief that research should
be open. All that matters is credit; all that matters is fame and money,
their career.
This is purely the fault of the security industry, which has exploited
and cultivated this culture, designed it for their needs. The truly sad
thing is that the corporate security world hasn't realized that they are
sitting on a gold mine, and as a result the mine is likely to collapse;
and likely to take their industry down with it.
The security industry uses information as its sole commodity, information
about insecurity. Who has the information, and who doesn't is what
makes this economy work. What's more, the economy has been founded on
the continued output of a finite group of hackers. For the most part,
founded on those hackers that came out of the underground scene at their
technical prime.
But these hackers are not going to continue their production
indefinitely. They will lose their technical edge, move on to other
industries, perhaps climb the ladder up to management, and then
retire. The question is, then what? Then it will be up to the new wave
of young security professionals, whose motivation is as much financial
as it is passion for the technology and the thrill of the hacking game.
To imagine that these new wave office workers, university trained and
disinterested, can match the creative output of a genuine hacker is
laughable. The industry will stagnate under these conditions. The rapid
technical advancement we have seen will end, no more breakthroughs:
no more new security products or services. Just the same old techniques
being rehashed again and again until the rock has been bled dry.
I am trying to show you the symbiotic nature of the security industry
and the hacking scene. Industry needs insecurity to survive, there is
no doubt about this. A secure and stable Internet is not profitable for
long. Hackers provided instability, change, chaos. So the industry became
a parasite on the hacking scene, devouring the talent pool without giving
anything back, not thinking of what will happen when there are no more
hackers to consume.
For this reason, the security industry, much like the hacker underground,
is doomed, perhaps even destined for failure. But for now, all that
matters is that we have a thriving industry and...
A hacker underground proclaimed to be dead.
Black Hat, Two Faces
--------------------
It would be easy to lay the blame squarely on the shoulders of the
security industry. A lot of people have. Unfortunately, it's not that
simple. Perhaps the underground could have survived without the lure of
a six figure job, but one thing should be made clear. The self-proclaimed
black hat movement does nothing to help.
Various black hat groups have claimed to be the voice of the underground,
but the black hat scene was only ever a pale imitation of the actual
underground. The underground wasn't at all interested in public
self-aggrandizement, but this is all the black hats ever did. All that
their various rants and escapades accomplished was to show how desperate
they actually were for fame and recognition.
But what's worse, while they often talk a big game, they very rarely have
the pedigree to back it up. This is mostly because these self-proclaimed
black hats are really just as self-serving as the white hats they pretend
to detest. With few exceptions, those black hats that aren't already
working in the security industry are those that don't have the skills
to cut it.
The entire anti-security theme was simply embarrassing. This was just the
black hat movement admitting that they couldn't step up and represent
in an increasingly technical world. Where once hacking skill commanded
respect, now the black hats were promoting misinformation in order to
make what few hacks they managed to pull off easier. They couldn't step
up to a challenge, they couldn't outsmart the white hats they so detest.
This ineptitude and misguided fervor of the black hat scene had a
massive negative impact on the hacking underground. The true voice of
the underground was lost behind the noise and drama, until the voice
became a whisper.
And then eventually fell silent.
Technology
----------
The very nature of technology, a dynamic and intractable force, had a lot
to say in the demise of the hacking world. In many cases, if a black hat
had been active 5 or 10 years earlier they would have been technically
competent and may well have contributed significantly. This is because
with the utmost respect, and despite all the nostalgia, hackers of the
past had it easy.
In the early years, the problems hackers faced were largely related to the
availability of information. Isolated groups of people had their tricks
and techniques, and sharing this information was problematic. This is
in direct contrast with the situation today, where there is an excess
of information but a void of quality.
As a result of many differing factors, the world is becoming aware of the
threats posed by lax security. When there is money at risk, steps will
be taken to protect those assets. We see now an increasing move towards
technical security mechanisms being employed as part of a defense in
depth strategy, and as a result, to be a hacker today requires immense
technical ability in a broad range of disciplines. It takes years of
individual study to reach this level.
But unfortunately, fewer and fewer people are willing, or indeed capable
of following this path, of pursuing that ever-unattainable goal of
technical perfection. Instead, the current trend is to pursue the lowest
common denominator, to do the least amount of work to gain the most fame,
respect or money.
There has also been an increasingly narrow range in what is published. In
part this is because of the lack of accessibility of certain systems
(through obscurity or price), but this is also increasingly dictated by
fashion. In a desire to fit in with the community, to be accepted
into conferences, to be seen doing the right things in the right places
with the right people, researchers are all too happy to slot into this
pattern of predictable and narrow progress.
And even then, the standards of what makes acceptable research, or for
what makes a vulnerability interesting, drop with every year. The gap
between offensive research and defensive implementations continues to
grow, to the point where public vulnerability research has become a
parody of what it once was, a type of inside joke.
There is no creativity, no sense of arcana anymore.
Criminals
---------
From Operation Sundevil to cyber terrorism. The criminalization of
computer hacking and, by association, computer hackers had a devastating
impact on the underground. Hacking was criminalized in two ways, both
of near equal importance: by legislation of computer crimes, and by the
new trend of genuine criminals using hacking as a method for fraud.
There should be a clear separation between these two things. The fact
that the underground collectively became criminals under the law for
what they had been doing for, in some cases, decades. And the fact that
in public perception, even among professionals that should know better,
there was very little distinction between a genuine hacker and those
criminals using hacking purely as a method for profit.
Indeed, little of what organized crime and terrorist/activist groups
are doing could justifiably be labeled hacking. It is simply convenient
to make this simplification, in media and in industry. The security
industry knows the difference, but they have no economic interest in
there being any clarity on this point. Any sort of hacking, anything
they can sensationalize enough to scare their profit margin up suits
them perfectly.
For the underground, these issues largely affected individuals, not the
broader structure of things. Each person had to make a personal decision
on whether it was worth 1) being seen as a criminal under the law and
2) being seen as a criminal in public perception. Why should the hacker
face this when such an easy, safe, respectable alternative is available
in the security industry?
Even the term black hat has been twisted into something more closely
aligned to organized crime. For all their faults, black hats were not
(in theory) motivated by this type of money.
It comes down to an aging hacking population deciding, on an individual
basis, to settle down with their families, their material possessions,
their careers. No one can argue that there is anything wrong with this. It
is just a fact that these hackers left the scene behind.
Leaving a void too large to be filled.
Forgotten Youth
---------------
The forgotten aspect of this whole story is, without doubt, the importance
of new talent entering the world of hacking. Historically, hacking has
belonged to the young. With every passing year, the average age of hackers
collectively increases. Some would claim this is a sign of a maturing
discipline. For surely, what could youth possibly contribute in this
technological landscape? They call them kids, dismiss them as irrelevant.
Despite all of the issues facing the underground, if hackers had managed
to get this one aspect right, if they had recognized the importance
of those who would come after them, if they had given them something
to aspire to be, if they had directly or indirectly taught them the
accumulated wisdom that so often separates a hacker from the crowd;
then perhaps there still would be a hacker underground.
Nearly all of the situations surrounding the disestablishment of the
underground were circumstantial, there was nobody to blame, and nothing
that could be done. But one point for which this was not true was the
underground's obligations to young hackers. An entire generation of
talented hackers have lost the opportunity to become a part of something
bigger than themselves by participating in a functioning hacking
community, simply because hackers were too self-absorbed to notice.
The decline of the underground scene happened relatively quickly, and
also relatively quietly. The hacker who left the underground behind
for his new life was unlikely to justify or explain his choices. In
fact it was more likely he would deny being changed at all. It's likely
he'd even continue to have contact with his fellow ex-hackers, in some
imitation of the underground scene. This only helped to obscure what
was actually happening.
Today's youth, for the most part, have no true understanding of hackers
or hacking. They have no knowledge of the history, no knowledge that
a history even exists. Their hacker is the media's hacker, the cyber
terrorist, the Russian mafia. This is unfortunate, but the real trouble
begins for those few that somehow become interested enough to look a
bit deeper.
The average person requires some form of role model, something to aspire
to, to imitate and to an extent, to idolize. At this time, the only
visible efforts were the white hat researchers, the black hat horde or
various other technically inept self-proclaimed 'experts'. There is so
little inspiring research, and even less inspiring hacking, that anyone
new to the world of hacking is almost invariably left with a skewed
impression of things.
Indeed, for a lot of the young people that managed to acquire the
necessary technical base, hacking was seen as simply an interesting career
path. There is no passion in these people, no motivation to extend and
create. A competent professional, valued employee.
But no longer a hacker.
The Forward Link
----------------
The hacker underground has been systematically dismantled, a victim of
circumstance. There was no reason for this, no conspiracy, no winner. A
conquered people, but with no conqueror, no enemy to fight. No chance
of rebellion. Conquered by circumstance, if not fate.
At first this would seem to be a bleak message. What is the point of
even trying anymore? Why practice a dead art? But the truth is that the
art is not dead, just the circle that brought the artists together. The
hacker underground is broken, but the hackers are not.
Casualties have been high; but there still exists a scattered,
marginalized, and misrepresented people who are the hackers. Hackers,
not black hat nor white, not professionals, not amateurs (surely none
of this matters), are still out there in this world today, still with
all the potential to be something great.
The question is not then how to artificially group these people into a
new underground movement. The question is not how to mourn the passing of
the golden days, how to keep the memories alive. There are no questions
of this sort, no problems that can be solved or corrected by individual
action.
All that remains is to relax, to do what you enjoy doing; to hack purely
for the enjoyment of doing so. The rest will come naturally, a new
scene, with its own traditions, culture and history. A new underground,
organically formed over time, just like the first, out of the hacker's
natural inclination to share and explore.
It will take time, and there will be difficulties. Some will not be able
to let go of the past, and some will fail for not remembering it. But
in the end, after everything has been said and done, the equilibrium
will be restored.
A new world, at the frontier of cyberspace, belonging to the hackers
by right.
Even if the problem of freedom is insoluble, we can still talk a great deal about it, speaking on behalf of either contingency or necessity... Temperament and prejudice help us reach a decision that simplifies the problem without solving it. No speculation of any kind is able to make it more tangible for us or to let us recognize the fullness and contradictoriness of its reality; yet a particular intuition places us in the very heart of freedom, in spite of all the arguments devised against it. And we are afraid; we are frightened by the immensity of the possible, for we are not equipped for so far-reaching and so sudden a revelation, for this dangerous good that we strove after and from which we now recoil. We who are accustomed to chains and laws, what are we to do in the face of this multitude of initiatives and this superabundance of decisions? The lure of the arbitrary frightens us. If we can proceed to any deed whatsoever, and if inspiration and whim are no longer subject to any limits, how are we to avoid our downfall in the intoxication of such plenitude of power?
Shaken by this revelation, conscience starts up and begins to question itself. Who has not been seized by vertigo when standing in a world in which he could do as he pleased? The murderer makes unlimited use of his freedom and cannot resist the consciousness of his power. It lies within everyone's power to take the life of a fellow human being. If all those whom we have killed in thought were to vanish in fact as well, the earth would have no inhabitants left. Within us dwells an irresolute executioner, an unrealized criminal. Everyone drags behind him a cemetery full of friends and enemies; and it matters little whether this cemetery is relegated to the abysses of the heart or raised to the surface of the desires.
Only sometimes, in a sudden start, do we feel free, do we grasp chance or danger. And the intermittence, the rarity of these states explains why this world is nothing more than a mediocre slaughterhouse and a fictitious paradise. To hold forth on freedom remains without any consequence, for good or for ill; and we have only brief moments in which to recognize that everything depends on us.
Ideas as such are neutral, or at least they should be. But man breathes his breath into them, kindles them with his ardor and his madness; impure, transformed into articles of faith, they now insert themselves into time and become event: the step from logic to epilepsy has been taken... Ideologies, doctrines and bloody farces arise.
Idolaters by instinct, we convert what we dream and long for into absolutes. History is nothing but a succession of false absolutizations, a long series of temples erected in honor of mere appearances; it is the self-abasement of the mind before the improbable. Even when he turns away from it, man remains under the spell of religion, wearing out his powers in devising phantoms that he feverishly elevates to gods: his hunger for fiction and myth triumphs over the evident and over the ridiculousness of his doing. That he is capable of adoration is to blame for all the crimes he commits: whoever loves a god unduly forces others to this love as well and is determined to exterminate them should they refuse. Let man lose his capacity for indifference: he is virtually already a murderer. Let him deify his idea: the consequences are incalculable. Killing is done only in the name of a god or one of his counterfeits: the excesses committed in the name of a nation, race or class are closely related to those of the age of the Inquisition and the Reformation. We are unjust toward a Nero or a Tiberius: they did not coin the concept of heresy; they were merely degenerate dreamers who sought distraction in the sight of massacres. The true criminals are those who found a religious or political orthodoxy, those who distinguish between the faithful and the schismatic. When the interchangeability of ideas is denied, blood begins to flow.
Thus arises fanaticism, that capital defect which gives man a taste for vigor, prophecy and terror; thus forms that leprosy of enthusiasm with which man infects souls, subjugates them, wears them down and enraptures them... Only the skeptics, the idlers and the aesthetes escape it, because they offer nothing, because they, true benefactors of mankind, destroy the preconceptions of the fanatics, because they analyze their delusion.
One distrusts the slyboots, the rogue, the buffoon, and yet not a single one of the great convulsions of history can be laid at their door. They believe in nothing and therefore do not rummage in our hearts or dig in our most hidden thoughts; they leave us to our negligence, our despairs, our useless being; again and again they were the saviors of peoples tormented by fanatics and ruined by idealists. -
Emile Cioran
1 System overview.
Every DVD player is equipped with a small set of player keys. When presented with a new disc, the player will attempt to decrypt the contents with the set of keys it possesses. Every disk has a disk key data block that is organized as follows:
5 bytes hash of decrypted disk key ( hash )
disk key encrypted with player key 1 (dk1 )
disk key encrypted with player key 2 (dk2 )
...
disk key encrypted with player key 409 (dk409)
Suppose the player has a valid key for slot 213, it will calculate
(1) Kd = DA( dk213 , Kp213 )
To verify that Kd is correct, the following check is done; if the check fails, the player tries the next player key.
(2) Kd = DA( hash , Kd )
An obvious weakness stems from this check: by trying all 2^40 possible Kd, the disk key can be deduced without knowing any valid player key. As will be shown later, this attack can be carried out with a complexity of 2^25, making such an attack feasible in runtime applications. Another obvious attack is that by having 1 working player key, other player keys can be derived through a similar search. This can be done offline; also, keys obtained from the former attack can be used as a starting point.
To decrypt the contents an additional key tk - the title key is decrypted with the now decrypted and verified disk key.
(3) Kt = DB( tk, Kd)
Each sector of the data files is then optionally encrypted by a key that is derived from Kt by exclusive or of specified bytes from the unencrypted first 128 bytes of the 2048 bytes sector. The decryption is done with the CSS stream cipher primitive described in section 2.
2 CSS streamcipher primitive:
The CSS streamcipher is a very simplistic one, based on 2 LFSRs being added together to produce output bytes. There is no truncation, both LFSRs are clocked 8 times for every byte output, and there are 4 ways of combining the output of the LFSRs to an output byte. These four modes are just settings on 2 inverter switches, and the modes of operation are used for the following purposes.
Authentication to DVD drive ( not discussed )
Decryption of Disk key (DA)
Decryption of Title key (DB)
Decryption of data blocks.
LFSR1: 17 bits ? taps, and is initialized by the 2 first bytes of key, and setting the most significant bit to 1 to prevent null cycling.
LFSR2: 25 bits 4 taps, is initialized with byte 3,4,5 of the key shifting all but the 3 least significant bits up 1 position, and setting bit 4 to prevent null cycling.
As new bits are clocked into the LFSRs, the same bits are clocked in with reversed order to the two LFSRs output bytes. ( With optional inversion of bits. )
The output of LFSR1 is O1(1), O1(2), O1(3) ...
Likewise LFSR2 produces O2(1), O2(2), O2(3) ...
These two streams are combined through 8 bits addition with carry carried over to the next output. The carry bit is zero at start of stream.
(4) O(i) = O1(i) + O2(i) + c where c is carry bit from O(i-1)
This streamcipher is very weak; a trivial 2^16 attack is possible with output bytes known for i = {1,2,3,4,5,6}. Guess the initial state of LFSR1, and clock out 4 bytes. O2(1), O2(2), O2(3), O2(4) can then be uniquely determined, and from them the state at i=4 is fully known. The guess on LFSR1 can then be verified by clocking out 2 or more bytes of the cipher and comparing the result.
Another important attack is the case when only O(i) for i = {1,2,3,4,5} is known. Guess the initial state of LFSR1, and clock out 3 bytes. Now O2(1), O2(2) and O2(3) can be found as in the above attack. This will reveal all but the most significant bit of LFSR2's state at i=3. If both possible settings for the MSB are tried, and LFSR2 is clocked backwards 24 steps, a state where bit 4 is set at i=1 can always be found. ( This is stated without proof ). Select the setting of the most significant bit for LFSR2 such that LFSR2 is in a legal state at i=1, and clock out two more bytes to verify the guess of LFSR1. For some values of O( i = {1,2,3,4,5} ) multiple start states can be found, and for others none. Selecting the correct start state is not a problem, as this attack is used in situations where only the first five output bytes are of significance ( encryption of keys ).
3 CSS mangling step:
When the CSS streamcipher is used to encrypt keys such as in DA(data,key) and DB(data,key), an additional mangling step is performed on the data. This cipher is best illustrated with the following block diagram:
A(1,2,3,4,5) are the input bytes (data)
C(1,2,3,4,5) are the output bytes (data)
ki = O(i) where O(i={1,2,3,4,5}) is streamcipher output from key
B(1,2,3,4,5) are temporary stages
The cipher is evaluated top down, with exceptions indicated by an arrow.
Examples of evaluating cipher:
B(j) = xor( F( A(j) ) , A(j-1) , kj ) for j = {2,3,4,5}
B(1) = xor ( F( A(1)) , B(5), k1 )
C(j) = xor( F( B(j) ) , B(j-1) , kj ) for j = {2,3,4,5}
C(1) = xor ( F( B(1)) , k1 )
F is a function, defined by a byte permutation table. With known cipher and plaintext, the whole cipher unravels with a minimal amount of work. Here is how:
Make a guess on k5
B(5) = xor( F( A(5) ) , A(4) , k5 )
B(4) = xor( F( B(5) ) , C(5), k5 )
k4 = xor( F( A(4) ) , A(3) , B(4) )
B(3) = xor( F( B(4) ) , C(4), k4 )
k3 = xor( F( A(3) ) , A(2) , B(3) )
B(2) = xor( F( B(3) ) , C(3), k3 )
k2 = xor( F( A(2) ) , A(1) , B(2) )
B(1) = xor( F( B(2) ) , C(2), k2 )
k1 = xor( F( A(1) ) , B(5) , B(1) )
verify by checking C(1) = xor( F( B(1) ) , k1 )
Thus by trying 256 possibilities, we can recover 5 output bytes from the CSS streamcipher, and so recover the key by using the five known output bytes. This attack can be put to immediate use for recovering other player keys as in the notes to eqn. 2,3. Even if the player key is not recovered through the reversal of the stream cipher, the output of the streamcipher is known, and will still be useful for decrypting disks that employ other player keys.
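The mangling equations and the 256-guess unravelling above can be checked end to end. The following is an added example, not code from the original analysis: the table F is a constructed stand-in permutation (the page does not list the real table), the sample bytes are constructed, and the function names are hypothetical. The algebra holds for any byte permutation F.

```python
"""CSS key-mangling step and its known-plaintext unravelling (added example).

F is a CONSTRUCTED stand-in permutation, not the real CSS table.
"""

# Constructed stand-in for the byte permutation table F (assumption).
F = [(x * 167 + 13) & 0xFF for x in range(256)]
assert sorted(F) == list(range(256))  # F must be a permutation of 0..255


def mangle(a, k):
    """Forward cipher: a = A(1..5) input bytes, k = k1..k5 stream output."""
    A = [None] + list(a)  # 1-based indexing to match the text
    K = [None] + list(k)
    B = [0] * 6
    C = [0] * 6
    for j in range(2, 6):
        B[j] = F[A[j]] ^ A[j - 1] ^ K[j]
    B[1] = F[A[1]] ^ B[5] ^ K[1]          # the "arrow" exception: uses B(5)
    for j in range(2, 6):
        C[j] = F[B[j]] ^ B[j - 1] ^ K[j]
    C[1] = F[B[1]] ^ K[1]
    return bytes(C[1:])


def recover_keystream(a, c):
    """Given known input a and output c, return every k1..k5 consistent
    with them. Only k5 is guessed, so the work is 2^8, not 2^40."""
    A = [None] + list(a)
    C = [None] + list(c)
    found = []
    for k5 in range(256):
        B5 = F[A[5]] ^ A[4] ^ k5
        B4 = F[B5] ^ C[5] ^ k5
        k4 = F[A[4]] ^ A[3] ^ B4
        B3 = F[B4] ^ C[4] ^ k4
        k3 = F[A[3]] ^ A[2] ^ B3
        B2 = F[B3] ^ C[3] ^ k3
        k2 = F[A[2]] ^ A[1] ^ B2
        B1 = F[B2] ^ C[2] ^ k2
        k1 = F[A[1]] ^ B5 ^ B1
        if C[1] == F[B1] ^ k1:            # the only real check: 1 byte
            found.append(bytes([k1, k2, k3, k4, k5]))
    return found


def narrow(pairs):
    """Intersect candidates over several (input, output) pairs that were
    mangled with the same keystream; false positives rarely survive."""
    survivors = None
    for a, c in pairs:
        cands = set(recover_keystream(a, c))
        survivors = cands if survivors is None else survivors & cands
    return survivors


if __name__ == "__main__":
    # Constructed sample values, not taken from any disc or player.
    key_stream = bytes.fromhex("a1b2c3d4e5")
    a1 = bytes.fromhex("0123456789")
    a2 = bytes.fromhex("fedcba9876")
    c1, c2 = mangle(a1, key_stream), mangle(a2, key_stream)
    print("candidates from one pair :", [k.hex() for k in recover_keystream(a1, c1)])
    print("after a second pair      :", [k.hex() for k in narrow([(a1, c1), (a2, c2)])])
```

Because the final comparison is on a single byte, a wrong guess of k5 passes with probability about 1/256, so one known pair typically yields the true keystream plus the occasional false candidate.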
4 Attacking the hash of the disk key.
Reversing the hash at the start of the disc key block is somewhat more complicated. From (2) we see that only the hash value is known; the problem is finding a disk key such that the decrypted hash equals the disk key itself. An attack of complexity 2^25 proceeds as follows.
First some aspects of the value of k2 will have to be considered. A(1) and A(2) are known, and a table can be built by running through every possible combination of k2 and B(1) and calculating the resulting C(2). When trying to build a table of possible values of k2 indexed by C(2) and B(1), there will be many values that map to the same set of indices, so the table must be able to hold several values of k2 in each location.
Guess the start state of LFSR1, calculate O1( i = {1,2,3,4,5} ) . Next guess B(1) and complete the following calculations:
k1 = xor( F( B(1) ) , C(1) )    ( C(1,2) is known, they are the start state of LFSR1 )
B(5) = xor( F( A(1) ) , B(1), k1)
k5 = xor( F( A(5) ) , A(4), B(5) )
Through the table indexed by C(2) and B(1) all permissible k2 can be found, there can be from 0-8 , on average 1. For all permissible k2 calculate:
O2(1) , O2(2), and 2 possible O2(5). This is possible since k1,2,5 are found.
For every legal initial state of LFSR2 there exists a one to one mapping to O2(1,2,5); by generating a table with 2^24 entries the start state of LFSR2 can be found. Thus C(1,2,3,4,5) is potentially known.
B(4) = xor( F( B(5) ) , C(5), k5 )
k4 = xor( F( A(4) ) , A(3) , B(4) )
B(3) = xor( F( B(4) ) , C(4), k4 )
k3 = xor( F( A(3) ) , A(2) , B(3) )
B(2) = xor( F( B(3) ) , C(3), k3 )
verify k2 = xor( F( A(2) ) , A(1) , B(2) ) , this holds for 1 / 256 tries ( 2^17 altogether ) and if the test holds, the key C(1,2,3,4,5) can be tested by eqn. (2). If eqn (2) holds, then a key has been found that will satisfy the hash. From experience it is possible to find from zero to a few such keys to any given hash value. When multiple disc keys are found, trial decryption of the files will eliminate the false keys.
This attack when implemented on a Pentium III running 450 MHz, will recover a disk key from the hash alone in less than 18 seconds. This is clearly much less than what is to be expected of a 40 bits cipher.
5 Conclusion
The author has through email correspondence learned that attacks as described at (2) have indeed been carried out by brute force prior to this analysis. CSS was designed with a 40 bit keylength to comply with US government export regulation, and as such it is easily compromised through brute force attacks ( such are the intentions of export control ). Moreover the 40 bits have not been put to good use, as the ciphers succumb to attacks with much lower computational work than that which is permitted in the export control rules. Whether CSS is a serious cryptographic cipher is debatable. It has clearly been demonstrated that its strength does not match the keylength. If the cipher was intended to get security by remaining secret, this is yet another testament to the fact that security through obscurity is an unworkable principle.
-
Frank A. Stevenson