Key selection vector

A Key Selection Vector (KSV) is a numerical identifier associated with a Device Key Set which is distributed by a Licensor or its designee to Adopters and is used to support authentication of Licensed Products and Revocation as part of the HDCP copy protection system. The KSV is used to generate confidential keys, specifically used in the Restricted Authentication process of HDCP. Restricted Authentication is an AKE method for devices with limited computing resources. This method is used by copying devices of any kind (such as DV recorders or D-VHS recorders) and devices communicating with them for authenticating protected content. The restricted authentication protocol uses asymmetric key management and common key cryptography, and relies on the use of shared secrets and hash functions to respond to a random challenge.

Restricted Authentication Protocol
The goal of Restricted Authentication is for a device to prove that it holds a secret shared with other devices. One device authenticates another by issuing a random challenge for which the response is generated by combining the shared secrets and multiple hashes. Formally, a Key Selection Vector is a 40-bit vector containing 20 ones and 20 zeros, and is used to specify the random challenge. The Device Key Set is a collection of 40 56-bit values, and is the set of shared secrets for this protocol.

During the authentication process, both parties (a transmitter and a receiver) exchange their KSVs. Then each device adds (unsigned addition modulo $$2^{56}$$) its own device secret keys according to the KSV received from the other device. If a particular bit in the KSV is set to 1, then the corresponding secret key is used in the addition; otherwise it is ignored. For each set of keys a special key called a KSV (Key Selection Vector) is created. Each KSV has exactly 20 bits set to 0 and 20 bits set to 1. Keys and KSVs are generated in such a way that during this process both devices get the same 56-bit number as a result. That number is later used in the encryption process.

Uniqueness and Revocation of KSVs
Since valid keys can become compromised (hacked, for instance through reverse engineering hardware), the HDCP scheme includes a mechanism to revoke keys. The KSV values are unique to each key set and, therefore, to each device. The HDCP system can then compare these values to a revocation list, and authentication fails if either the transmitter or receiver appears on the revocation list. Updates to the revocation list arrive with new media and are automatically integrated into a device's revocation list. This means that damage can be limited if a key set is exposed or copied.

This revocation process does not affect other devices, even if the devices are of the same make and model. KSV values are similar to serial numbers in this sense. As an example of how this system works, if two customers were to buy the same model of television on the same day at the same store, and the first customer hacked their television, the first customer's key could be revoked without affecting the ability of the other customer's television to play content.

Attacks on Restricted Authentication
If an attacker can find 40 linearly independent vectors ($$A_1$$)keys ... ($$A_{40}$$)keys (i.e. the vectors generated by adding together a device's Device Key Set based on a KSV), then they can completely break the HDCP system for all devices using a given Device Key Set. At this point, they can extract the secret key array for any number of KSVs, which allows them to access the shared secrets used in the HDCP authentication protocol. Since the keys generated from the KSVs are produced linearly in the given system (i.e. getting a key from a KSV can be viewed as matrix multiplication), someone could determine the Device Key Set matrix from any 40-50 different systems, $$A_1$$ ... $$A_n$$, and the associated KSVs (these are public information from the protocol).

In other cases where the extracted keys are not linearly independent, it is still possible to create a new XKey for a new Xksv that is within the span of the ($$A_i$$)KSVs (by taking linear combinations) for which the private keys have been found. There will be, however, no guarantee that the result satisfies the property every KSV must have: 20 ones and 20 zeros.
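The key agreement from the Restricted Authentication Protocol section and the linearity this section relies on, as an added example that is not from the original article or the HDCP specification. It assumes each Device Key Set is derived from a secret symmetric 40×40 matrix, which the page does not state; all values are randomly constructed and the function names are illustrative.

```python
import random

N = 40          # keys per Device Key Set and bits per KSV
MOD = 1 << 56   # keys are 56-bit values, added modulo 2^56

def make_master(rng):
    """Constructed licensor secret: a symmetric N x N matrix (assumption)."""
    m = [[0] * N for _ in range(N)]
    for i in range(N):
        for j in range(i, N):
            m[i][j] = m[j][i] = rng.randrange(MOD)
    return m

def make_ksv(rng):
    """40-bit vector with exactly 20 ones and 20 zeros."""
    ones = set(rng.sample(range(N), N // 2))
    return [1 if i in ones else 0 for i in range(N)]

def device_keys(master, ksv):
    """Device Key Set for a KSV: master * ksv, each entry mod 2^56."""
    return [sum(m for m, bit in zip(row, ksv) if bit) % MOD for row in master]

def shared_secret(own_keys, peer_ksv):
    """Protocol step: add the own keys selected by 1-bits of the peer's KSV."""
    return sum(k for k, bit in zip(own_keys, peer_ksv) if bit) % MOD

def weighted_sum(own_keys, vector):
    """Same sum with integer weights; equals shared_secret for 0/1 vectors."""
    return sum(k * w for k, w in zip(own_keys, vector)) % MOD

def demo(seed=1):
    rng = random.Random(seed)   # fixed seed: constructed sample data only
    master = make_master(rng)
    ksv = {name: make_ksv(rng) for name in "ABC"}
    keys = {name: device_keys(master, v) for name, v in ksv.items()}
    # Both sides of an A<->B exchange compute the same 56-bit value.
    agree = shared_secret(keys["A"], ksv["B"]) == shared_secret(keys["B"], ksv["A"])
    # Linearity: the result for the vector B+C is the sum of the results for B and C.
    combo = [b + c for b, c in zip(ksv["B"], ksv["C"])]
    linear = weighted_sum(keys["A"], combo) == (
        shared_secret(keys["A"], ksv["B"]) + shared_secret(keys["A"], ksv["C"])) % MOD
    # B+C has entries summing to 40, so it is never a valid 20-ones KSV.
    valid_ksv = sorted(combo) == [0] * 20 + [1] * 20
    return agree, linear, valid_ksv

if __name__ == "__main__":
    print(demo())
```

The second check is the structural weakness: the derived value is a linear function of the peer's KSV, so nothing in the derivation itself hides the Device Key Set from someone who sees enough input/output pairs.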

Setting up the Equations
Assuming there are 40 ($$A_i$$) KSVs that are linearly independent (and naming Xkeys the matrix of the keys in the Device Key Set), this gives a set of n linear equations on 40 unknowns:

[Xkeys] * (A1)ksv = [(A1)keys] * Xksv

[Xkeys] * (A2)ksv = [(A2)keys] * Xksv

...

[Xkeys] * (A40)ksv = [(A40)keys] * Xksv

Given knowledge of all the KSVs, and assuming the secret key vectors ($$A_i$$)keys are known, the above algorithm can be used to find the secret keys needed to produce a new derived key from an arbitrary new KSV. If the space spanned by the ($$A_i$$)KSVs doesn't span the full 40 dimensional space, this may be okay because the KSVs were either not designed to not span the space, or only a small number of extra keys are needed to find a set of vectors spanning the full space. Each additional device has low odds of being linearly dependent with the existing set (roughly $$1/2^{40-d}$$, where $$d$$ is the dimensionality of the spanned space). This analysis of probabilities of linear dependence is similar to the analysis of Simon's Algorithm.