Title: Intel HDCP Authentication Linear Relation Between Keys Vulnerability
Severity: HIGH
Description:
Intel's High-bandwidth Digital Content Protection (HDCP) is a specification for authentication and encryption of multimedia streams. Content encryption and authentication of a playback device are based on a public/private key pair.
When a device attempts to authenticate, it exchanges public keys with a content provider. Both sides then use this public value to perform a linear combination of elements of their private keys, resulting in a shared secret K used for further communication.
Unfortunately, this is a linear combination. If an attacker knows a number of public/private key pairs Bi, he may be able to express an additional public key C as a linear combination of known Bi's. He may then use the same linear combination with shared secret values computed from the known private keys, and gain the shared secret appropriate for C. At this point, he may freely authenticate and access content as the device C.
As public keys are given freely in the initial stages of authentication, it should be assumed that they are indeed public and readily available.
This results in a large number of possible exploits, with varying degrees of computation required. As an example, an attacker able to eavesdrop on an encrypted stream may compute the shared secret, and view the decrypted content.
Although a computationally efficient algorithm has not yet been published, it may also be possible to create new, valid keys that are a linear combination of known values. Currently this may be done by enumerating all possible well formed public keys, and testing for validity.
Affected Products:
- Intel Corporation High-bandwidth Digital Content Protection 1.0.0
References:
- Intel Corporation: Digital Content Protection, LLC
- Scott A. Crosby <crosby@qwes.math.cmu.edu>: Apparent HDCP authentication protocol weaknesses
- Scott Crosby, Ian Goldberg, Robert Johnson, Dawn Song, David Wagner: A Cryptanalysis of the High-bandwidth Digital Content Protection System
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
