Bad Security 101   Leave a comment

Any security system that relies upon a secret key must include a revocation process. Why? Because sooner or later secrets get out, and once someone knows your secret key, you’re pretty much up the creek.

Somebody spilled the beans on the HD-DVD decryption key in February, which led the Advanced Access Content System Licensing Administrator, LLC to send cease and desist orders to have the 128 bit key taken down off of various sites.  This led to pretty massive civil disobedience, as the request to have the number removed from four sites prompted its rather quick publication on 9,410 new sites. Today the number is up to 248,000, according to a search I just performed on Google. (If you just search for “HD-DVD decryption key” you get 67,700 results as of right now, the 248,000 number is if you search for the actual key text).

On the face of it, this is simply absurd. You can’t claim intellectual property rights over a number simply by using it for a particular purpose. You can claim IP over a process (but quite frankly if the publication of 128 bits ruins your security, your process stinks on ice), that doesn’t give you ownership of a particular collection of numbers.

Of course, if you read Wikipedia’s entry about AACS, you’ll see that the entire DRM security scheme has suffered from several other massive flaws.

Advertisements

Posted May 2, 2007 by padraic2112 in news, security, software, tech

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: