Tuesday, August 7, 2012

A missing post (updated)

Update (8/27): I've put the original post back up.

Update (8/9): I've re-written this post to include a vague, non-specific explanation of the bug. I've now confirmed the problem with one vendor, who has asked for a week to issue a patch. So far I haven't had a response from the DCP's technical people. And yes, I do realize someone PasteBinned the original post while it was up.

A few people have asked what happened to the post that was in this space just a few hours ago. No, you're not going crazy. It was here.

The post contained a long, detailed evaluation of the HDCP v2 protocol. My idea was to do real-time evaluation of an industry protocol that hasn't been deployed yet -- a kind of 'liveblogging' cryptanalysis. What I expected to find was some bad practices, which I would gently poke fun at. I didn't expect to find anything serious.

I was wrong in that initial judgement, with some caveats. I'm going to give a vague and non-specific summary here, and I hope to re-post the detailed technical post in a few days when I've heard (something, anything!) from DCP, the organization that maintains HDCP.

In case you've never heard of it, HDCP is a security protocol used to 'protect' video traveling over wired and wireless networks. There are two versions. Version 1 is in your TV today, and was seriously compromised in 2010. Version 2 is much better, but has only been deployed in a few products -- including those that implement MiraCast (formerly Wi-Fi Display).

Version 2 contains a key agreement protocol that's designed to establish a session encryption key between a transmitter (your phone, for example) and a receiver (a TV). Once this key is established, the transmitter can encrypt all video data going over the wire.

What I discovered in my brief analysis is a flaw in the key agreement protocol that may allow a man-in-the-middle to recover the session key (actually the 'master secret' used to derive the session key). This could potentially allow them to decrypt content. More on that in a minute, though.

I also discovered some slightly less serious flaws elsewhere in the protocol. It turns out that the DCP already knows about those, thanks to some enterprising work by a smart guy at an unnamed vendor (who deserves credit, and will get it once I put the original post back up).

Now for a few big caveats about the session key bug.

The bug I found does not get you all the way to decrypting HDCPv2 streams in practice, thanks to a tiny additional protection I missed while writing the original post. I don't think much of this protection, since it involves a secret that's stored in every single HDCPv2-compliant device. That's a pretty lousy way to keep a secret.

And of course I haven't personally verified this in any real HDCP devices, since I don't own any. Although if I did, I could use this nifty HDCP plugin for WireShark to do some of the work.

The issue has been confirmed by one vendor, who is working on a patch for their product. Their products are used in real things that you've heard of, so I'm trusting that they'd know.

The last thing I want to address is why I published this, and why I subsequently pulled it.

When I wrote the original post I thought HDCP v2 was just a 'paper spec' -- that there were no devices actually using it. Shortly after posting, I came across one commercial product that does claim to support HDCPv2. Later I discovered a few others. To be on the safe side, I decided to pull the post until I could notify the vendors. Then through sheer ineptitude I briefly re-posted it. Now I'm doing my best to put the toothpaste back in the tube.

As soon as I get some feedback I intend to put the post back up. A post which, incidentally, was not intended to break anything, but rather to serve as a lesson in just how complicated it is to design your own protocol. I suppose it's achieved that goal.

Anyway, I'm putting this up as a placeholder in case you're curious about what happened or why the heck I'm not blogging. Writing a long technical post and then having to can it is a drag. But hopefully we'll be back to our regularly-scheduled programming in no time at all.

7 comments:

  1. I think you're refering to the "Protocols are hard"-post, right? I don't follow your RSS feed, but I can still see the post without a problem (or doing anything special - just surfing to your blog is enough, I'm not using any caches or anything) on the blog.

    ReplyDelete
  2. Yes, I'm an idiot who can't use Blogger. I made some edits and accidentally re-published it for an hour. It's back down now.

    ReplyDelete
  3. Your blog entry is also still available in google cache...
    RS

    ReplyDelete
  4. you should have waited till this thing was distributed wide enough so that no patch was possible...

    ReplyDelete
  5. What a great blog post! Thanks for sharing it on your site.
    It And Telecom Company

    ReplyDelete
  6. Great blog post. The article affects a lot of urgent problems of our society. It is impossible to be untouched to these problems. This article gives good ideas and concepts. This was very interesting to read.Thanks for sharing Contact Lenses

    ReplyDelete
  7. This is a great inspiring article.I am pretty much pleased with your good work.You put really helpful information. Keep it up Virtual Assistant Service

    ReplyDelete