Crypto-IT

• Key length = 40 bits

CSS was presented by the DVD Forum organization in 1996, as a means to encrypt DVDs content.

Because of its poor design, the effective key size is about 16 bits long.

It was compromised in 1999 by brute force attack. In this year, the DeCSS application was published, which was able to quite fast break the CSS protection.

CSS is a stream cipher. The internal state machine is initialized using a 5-byte long secret key. The state machine has 42 bits and contains two linear feedback shift registers - LFSR. The stream of bytes is generated by registers and added XOR to stream of input data. Before addition, data bytes are changing in a lookup table and keystream bytes move through optional inverters. There are some lookup tables defined and they contain different coefficients.

The CSS cipher is created to protect audiovisual data on DVDs. There are a few different keys in the whole CSS system. They are used to mutual authentication, encryption of sectors and whole files. Some keys are stored encrypted and they must be decrypted before usage (using CSS cipher, where the encrypted data are bytes of wanted secret key).

Because of many different types of tasks of CSS - working with audiovisual data and different kind of keys - a few modes of CSS algorithm exist. All of them are generally similar but there are some differences in detail (for example coefficients in tables).

When CSS algorithm decrypts one of the secret key, 5 encoded bytes of this key are mixed with bytes received from registers in more complicated way. Instead of simple lookup tables and addition XOR with keystream, there is a key mangling operation. Each byte goes through two lookup tables and is added XOR twice with one byte from keystream.

• authentication and establishing connection - the host establishes communication with DVD and both sides create a bus key,
• disc key decryption - the host receives and decrypts a disc key using one of its player keys,
• title key decryption - the host receives and decrypts a title key using the obtained disc key,
• audiovisual data decryption - using the obtained title key and a sector key read from a DVD, the host decrypts audiovisual data stored in one sector of the DVD.

• player keys - stored in a DVD driver; they are used for decryption of a disc key (which is stored on DVD),
• disk key - encrypted on DVD and decrypted by the DVD driver using its player keys; it is used for decryption of a title key,
• sector key - stored unecrypted in each sector of the DVD and read by the DVD driver; it is used together with a title key for decryption of audiovisual data in one DVD sector,
• title keys - encrypted on DVD and decrypted by the DVD driver using the disc key obtained ealier; they are used for decryption of audiovisual data,
• session key or bus key - random key created during authentication between the host and DVD drive; it is used for encryption of future communication between them.

The whole CSS system contains of three elements: a DVD, a DVD driver and a host (a computer, an application for playing DVDs).

Every DVD contains an encoded unique disc key. Similarly, each DVD driver has a few player keys. Each DVD has a hidden sector, which contains a disc key encrypted in many copies using each of the 409 existing player keys. On writeable DVDs, the hidden sector is cleared and can't be changed. A DVD driver tries to read a DVD and uses its player keys to decrypt one of the copy of the encrypted disc key on DVD.

After each try and obtaining a result, which may be a correct disc key, the DVD driver performs the following test: using received 5 bytes, which may be a disc key it tries to decrypt a test sequence (stored on DVD), which is the real disc key, encrypted using the real disc key. If the DVD driver receives the same 5 bytes like the 5 bytes it used as a key, then it is certain that those 5 bytes are the real and correct disc key.

A DVD contains usually a few encoded title keys. Each of them protect one part of the movie, called VTS (Video Title Set). Each VTS contains a set of files named as VTS_AA_B.CCC, where every A and B means one digit. CCC may be one of three possible file extensions: (.VOB, .BUP or .IFO). All the files which have the same number AA belong to the same VTS. Title keys are decrypted using the disc key.

Each data sector on DVD is 2048-byte long (so it has the same size as sectors on CD-ROMs). A sector starts with a MPEG-2 PACK header, 128-byte long. After the header there are either audiovisual data (called stream data; for example MPEG-2 data or AC-3 data) or other information (PCI or DSI). A sector key is stored unecrypted in bytes 80-84 in the header.

If a sector contains audiovisual data, then after the MPEG-2 PACK header it is stored a header of audiovisual data (stream header), which contains 2 bits determining encryption type.

• 00 - no encryption
• 01 - CSS encryption
• 10 - reserved/not used
• 11 - CPRM encryption

If a sector doesn't contain audiovisual data, those bits are not stored in this sector (because not-stream data are not encrypted).

For decryption of data stored on DVD, they are used two keys - a sector key (different value for every sector) and a title key (each DVD contains usually a few title keys, one for each VTS). First two bytes of the title key are added XOR with two first bytes of the sector key (bytes 80-81 of the sector header) and then passed into the LFSR-17 register. Last three bytes of the title key are added XOR with three last bytes of the sector key (bytes 82-84 of the sector header) and passed into the LFSR-25 register. The host obtains the title key using the disc key decrypted earlier.

On each DVD it is stored also a region code, which determine a part of world where the DVD can be played.

1. Mutual authentication

   For decryption of a DVD in a DVD driver, a host must authenticate itself to the DVD using a challenge-response protocol and CSS encryption. Theoretically, the DVD must also authenticate itself to the host, however a host's application usually skips this checking. During the authentication both sides use a predefined authentication key - F4 10 45 A3 E2.

   The authentication requires the following steps:

   1. The host receives an AGID (Authentication Grant ID) number from the DVD drive. AGID is used as a session ID for the current communication. Click here to find out more.
   2. The host generates 10 random bytes and sends them to the DVD driver. The driver encrypts them and sends back to the host 5-byte long sequence. Click here to find out more.
   3. The host decrypts driver's answer and checks if the result is the same as challenge previously sent to the driver. The DVD driver can answer using one of 32 variants, so the host must make 32 tests to check which of them has been chosen by the driver. Click here to find out more.
   4. The DVD driver generates a random 10-byte long sequence and sends it to the host. The host encrypts it. Click here to find out more.
   5. The host sends back to the driver the encrypted sequence - the new key KEY2. Click here to find out more.

   At this point, both the host and driver know all 10 bytes - two keys created by the host and the driver. The bus key is created by encryption using the 10-byte long sequence using CSS in mode 3. It is 5-byte long and prevents to eavesdrop future communication (particularly sending title and disc keys).

   6. The host reads a disk key from a hidden sector on DVD. Click here to find out more.

   If the last step is succeeded, the host will be able to read a DVD using ordinary commands SCSI read. Otherwise, the authentication fails.

2. Decoding a disk key

   A DVD driver decrypts a disc key from a DVD using all its player keys. Each manufacturer of DVD drivers usually possesses one or a few player keys and uses them in his products.

3. Reading and decoding title keys

   Encrypted title keys are sent from a DVD to a host. Transmitting of title keys, as well as the entire transmission in general, is encrypted using a bus key.

4. Sending encrypted data

   A host reads from a DVD the whole sector of encrypted data.

5. Decoding encrypted data

   A host decrypts the whole sector using an obtained title key and a sector key stored in the header of each DVD sector.

Based on the secret 40-bit long key, two linear feedback shift registers - LFSR, LFSR-17 (17-bit length) and LFSR-25 (25-bit length) and one more additional bit CC are created.

All 40 bits are divided into two LFSR registers. By assigning one letter to each bit of the key, the first order of bits may be presented as below:

  KEY = jklmnopq abcdefgh QRSTUWXY IJKLMNOP ABCDEFGH
  LFSR-17 = q ponmlkji hgfedcba
  LFSR-25 = Y XWVUTSRQ PONMLKJI HGFEDCBA

Bits in LFSR registers are filled in the reverse order as in the key.

Bits V and i are set to 1 (to prevent initialisation of the LFSR registers by zeros) and bit CC is set to 0.

Bits are shifted right by one position. A new bit which appears in the leftmost position of the register and at the output is a sum of the first and fifteenth bits.

LFSR-17 register operations

Bits are shifted right by one position. A new bit which appears in the leftmost position of the register and at the output is a sum of four bits from the register.

LFSR-25 register operations

Depending on the current CSS mode, the inverters reverse or do not reverse output bits from LFSR registers.

The following table presents which registers and in which CSS modes reverse order of bits in each byte.

Each byte for encryption or decryption is replaced by another byte, based on one of five lookup tables using in CSS. There are different tables for encryption and decryption and different tables for different CSS modes.