Security of Advanced Access Content System

The security of Advanced Access Content System (AACS) has been a subject of discussion amongst security researchers, high definition video enthusiasts, and consumers at large since its inception. A successor to Content Scramble System (CSS), the digital rights management mechanism used by commercial DVDs, AACS was intended to improve upon the design of CSS by addressing flaws which had led to the total circumvention of CSS in 1999. The AACS system relies on a subset difference tree combined with a certificate revocation mechanism to ensure the security of high definition video content in the event of a compromise.

Even before AACS was put into use, security researchers expressed doubts about the system's ability to withstand attacks.



History of attacks
The AACS proposal was voted one of the technologies most likely to fail by IEEE Spectrum magazine's readers in the January 2005 issue. Concerns about the approach included its similarity to past systems that failed, such as CSS, and the inability to preserve security against attacks that compromise large numbers of players. Jon Lech Johansen, who was part of the team that circumvented CSS, said he expected AACS to be cracked by the end of 2006 or the beginning of 2007. In late 2006, security expert Peter Gutmann released "A Cost Analysis of Windows Vista Content Protection", a technical paper criticizing the implementation of various content protection technologies in Windows Vista. Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost. These issues affect not only users of Vista but the entire PC industry, since the effects of the protection measures extend to cover all hardware and software that will ever come into contact with Vista, even if it's not used directly with Vista (for example hardware in a Macintosh computer or on a Linux server).

Microsoft later claimed that the paper contained various factual errors.

While great care had been taken with AACS to ensure that content was encrypted along the entire path from the disc to the display device, it was discovered in July 2006 that a perfect copy of any still frame from a film could be captured from certain Blu-ray and HD DVD software players by using the Print Screen function of the Windows operating system. It was suggested that this approach could be automated to allow a perfect copy of an entire film to be made, in much the same way that DVD films were copied before the CSS was cracked, but to date no such copy has been discovered. This exploit has been closed in subsequent software versions.

Such approaches do not constitute compromises of the AACS encryption itself, relying instead on an officially licensed software player to perform the decryption. As such, the output data will not be in the form of the compressed video from the disc, but rather decompressed video. This is an example of the analog hole.

Both title keys and one of the keys used to decrypt them (known as Processing Keys in the AACS specifications) have been found by using debuggers to inspect the memory space of running HD-DVD and Blu-ray player programs. Hackers also found Device Keys, which are used to calculate the Processing Key, and a Host Private Key (a key signed by the AACS LA used for hand-shaking between host and HD drive; required for reading the Volume ID). The first unprotected HD DVD movies appeared on BitTorrent trackers soon afterwards. The Processing Key for the first Media Key Block version, which could be used to decrypt any AACS protected content released up to that point, was found and published on the Internet at the Doom9 forums. AACS Licensing Authority sent multiple DMCA takedown notices to web sites hosting the key. Some administrators of sites which consist of user-submitted content, such as Digg and Wikipedia, tried to remove mentions of the key fearing reprisals from AACS LA. Both sites' administrators eventually decided to allow publication of the key.

Cyberlink, the company which sells the PowerDVD player, stated that their software could not have been used as part of these exploits.

On April 16, 2007, the AACS consortium announced that it had revoked the Device Keys used by both Cyberlink PowerDVD and InterVideo WinDVD, and patches were made available for users which provided uncompromised encryption keys and better security for the keys. To continue having the ability to view new content users were forced to apply the patches, which also hardened the security of player applications.

On 23 May 2007 the Processing Key for the next version of the Media Key Block was posted to the comments page of a Freedom to Tinker blog post.

The use of encryption does not offer any true protection against memory snooping, since the software player must have the encryption key available somewhere in memory and there is no way to protect against a determined PC owner extracting the encryption key (if everything else fails the user could run the program in a virtual machine making it possible to freeze the program and inspect all memory addresses without the program knowing).

The only way to wholly prevent attacks like this would require changes to the PC platform (see Trusted Computing) or that the content distributors do not permit their content to be played on PCs at all (by not providing the companies making software players with the needed encryption keys).

On January 15, 2007 a website launched at HDKeys.com containing a database of HD DVD title keys. It also featured a modified copy of the BackupHDDVD software allowing for online key retrieval (the latter was later removed after a DMCA complaint).

SlySoft has released AnyDVD HD which allows users to watch HD DVD and Blu-ray movies on non-HDCP-compliant PC hardware. The movies can be decrypted on the fly directly from the disc, or can be copied to another medium. AnyDVD HD is also capable of automatically removing any unwanted logos and trailers. Slysoft has stated that AnyDVD HD uses several different mechanisms to disable the encryption, and is not dependent on the use of compromised encryption keys. They have also stated that AACS has even more flaws in its implementation than CSS; this renders it highly vulnerable, but they will release no details on their implementation. Users at Doom9 claim that the program makes use of the host certificate of PowerDVD version 6.5, but SlySoft has claimed that the program would be unaffected by the AACS revocation system.