How Crypto Won the DVD War

How Crypto Won the DVD War - Via Threat Level:

Sony's victory in the DVD format wars was largely due to its embrace, and Toshiba's rejection, of a sophisticated anti-copying scheme that promises to be relockable should it be cracked at some point in the future.

Toshiba earlier this week announced that it will stop making HD DVD players, surrendering the field in a five-year battle with Sony's Blu-ray to become the disc format of the future.

Support from studios has been widely cited as the reason for Blu-ray's victory, but few consumers know that the studios were likely won over by the presence of a digital lock on movies called BD+, a far more sophisticated and resilient digital rights management, or DRM, system than that offered by HD DVD.

“The adoption of BD+ as part of the Blu-ray disc specification … was a key factor in our decision to publish on the format,” Twentieth Century Fox Home Entertainment executive Mike Dunn said in a 2007 press release. “This added layer of content protection gives Blu-ray yet another distinct competitive advantage.”   

The triumph of DRM for video will almost certainly lead to continued attempts to hack the system, and risks alienating users who want to buy content once and have it available on whatever brand of TV, laptop, MP3 player and smartphone they own. That fight lasted for years in the music world, though it's now clear that DRM for music is in its final throes.

Both Blu-ray and HD DVD formats use an anti-copying system called AACS, which has already been cracked; but Blu-ray employs BD+ as an extra layer of protection. BD+ is optional -- not all Blu-ray discs use it -- and has not yet been compromised, despite claims to the contrary.

The BD+ system, invented by the San Francisco-based company Cryptography Research, embeds a virtual machine in Blu-ray discs that play only on authorized Blu-ray players.

When the player spins up the disc, the virtual machine software and
the DVD player view each other with mutual suspicion, but initiate a
complicated mating ritual involving checks of cryptographic keys.

Once the disc decides the player is legitimate and hasn't been
compromised, it allows the movie it contains to be decrypted for
playback.

But if the disc detects that the player has been modified to record
the movie, or it is using stolen keys from a different player, the disc
won't play. Unlike AACS, however, BD+ has no ability to disable a
player permanently, nor does its software linger after a disc is
ejected.

Paul Kocher, Cryptography Research's president and chief scientist,
thinks HD DVD's decision not to adopt his technology eventually tipped
the battle to Blu-ray.

"I don't want to pretend that security was the only thing that drove
the content war," Kocher said. "But from a content perspective, I think
security is the biggest overhang over the future of the studios and I
think they realize that and they are doing what they can to deal with
that."

While file sharers who hang out at forums like Doom9 might not
appreciate Kocher's latest effort, Kocher was also the co-author of the
SSL 3.0 specification, which allowed real security for online logins
and online credit card purchasing.

Kocher says he's a technologist who had no desire to get caught up
in a format war, and offered the technology to both camps. But Toshiba
decided that AACS was enough security.

"Instead of being on both formats, it became a differentiator and
attracted content to Blu-ray and gave Blu-ray some momentum," Kocher
said.

The BD+ system was cited by Lionsgate and Fox studios as the key reason they supported the format over HD DVD.

In October, Fox released the first discs to use BD+, but some
first-generation players couldn't handle the BD+ and required firmware
updates. Once the updates became available, users had to download a
file, and burn a CD from an .iso file to update their DVD players -- a
high technical hurdle for many.

That minor debacle has already led to a class-action suit against
Samsung, though Kocher dismissed the issue as something to be expected
when buying first-generation hardware.

The BD+ system protects movies if pirates should develop mod chips
for Blu-ray players or develop Blu-ray player software that allows
movies to be copied.

BD+ can surreptitiously insert data about a player into a playback
stream. If a movie is then pirated, studios can analyze the data and
come up with a way to prevent that machine from doing the same to
future releases.

Andrew Jaquith, a senior analyst at the Yankee Group, says the BD+ scheme appeals to studios because it can be patched.

"There is an element of renewability in BD+ and that is the path to
longevity," Jaquith said. "There are always implementation flaws. It's
an arms race and to stay agile, you have to have the ability to pull up
the gates when the ramparts have been breached."

"The people at Cryptographic Research are generally thought of as
the biggest, baddest cryptology designers around," Jaquith said. "If
you look at the latest generations of DirecTV, the P4 and P5 [access]
cards have not been broken. This is a testament to the skills they
possess."

But Jaquith says security was more likely an "influencing factor"
than a "leading factor" for studios, which he believes eventually chose
Blu-ray primarily for hardware and software reasons.

Kocher's company began brainstorming a better way to lock down DVDs shortly after the discs hit the market in the late 1990s.

His company already had some relationships with the movie industry,
having developed systems to let studios securely transfer movie files
inside a company while they were being worked on, and at a July 2003
workshop in Los Angeles, the company demonstrated its technology to
studios.

Hardware makers pay a nominal fee for the specs and must include the
technology in their players, while studios pay only when they include
BD+ code in their titles.

Cryptography Research sold BD+ and its core technology known as Self-Protecting Digital Content to Macromedia in November for $45 million cash plus unspecified stock options.

Kocher fully expects the hacker community to attack BD+ and that its backup mechanisms will be needed.

"If you run a bank, someone will try to rob it someday," Kocher
said. "Just because no one has brought a gun in and pointed at your
teller, doesn't mean that they won't in the future."

When asked if he hoped to see how well BD+ holds up under the kinds
of sustained attacks that compromised HD DVD last year, Kocher
hesitated.

"You don't hope the first layers of defense go and you have to go to
the subsequent ones," Kocher said. "But that said, there's always a
piece of you that wonders how it is going to play out and when you look
forward 10 years from now -- did we drastically underestimate the
pirates?"

"At the same time, you don't want to encourage that," Kocher said. "It's what causes restrictive laws to get passed."
