High-bandwidth Digital Content Protection

HDCP uses three systems: • Authentication prevents non-licensed devices from receiving content. • Encryption of the data sent over DisplayPort, DVI, HDMI, GVIF, or UDI interfaces prevents eavesdropping of information and man-in-the-middle attacks. • Key revocation prevents devices that have been compromised and cloned from receiving data. Each HDCP-capable device has a unique set of 40 56-bit keys. Failure to keep them secret violates the license agreement. For each set of values, a special private key called a Key selection vector (KSV) is created. Each KSV consists of 40 bits (one bit for each HDCP key), with 20 bits set to 0 and 20 bits set to 1. During authentication, the parties exchange their KSVs under a procedure called Blom's scheme. Each device adds its own secret keys together (using unsigned addition modulo 256) according to a KSV received from another device. Depending on which bits are set to 1 in the KSV, a corresponding secret key is used or ignored in the addition. The generation of keys and KSVs gives both devices the same 56-bit number, which is later used to encrypt data. Encryption is done by a stream cipher. Each decoded pixel is encrypted by applying an XOR operation with a 24-bit number produced by a generator. The HDCP specifications ensure constant updating of keys after each encoded frame. If a particular set of keys is compromised, their corresponding KSV is added to a revocation list burned onto new discs in the DVD and Blu-ray formats. (The lists are signed with a DSA digital signature, which is meant to keep malicious users from revoking legitimate devices.) During authentication, the transmitting device looks for the receiver's KSV on the list, and if it is there, will not send the decrypted work to the revoked device. == Uses ==

in an Apple TV device HDCP devices are generally divided into three categories: ;Source: The source sends the content to be displayed. Examples include set-top boxes, DVD, HD DVD and Blu-ray Disc players, and computer video cards. A source has only an HDCP/HDMI transmitter. In the United States, the Federal Communications Commission (FCC) approved HDCP as a "Digital Output Protection Technology" on 4 August 2004. The FCC's Broadcast flag regulations, which were struck down by the United States Court of Appeals for the District of Columbia Circuit, would have required DRM technologies on all digital outputs from HDTV signal demodulators. Congress is still considering legislation that would implement something similar to the Broadcast Flag. The HDCP standard is more restrictive than the FCC's Digital Output Protection Technology requirement. HDCP bans compliant products from converting HDCP-restricted content to full-resolution analog form, presumably in an attempt to reduce the size of the analog hole. On 19 January 2005, the European Information, Communications, and Consumer Electronics Technology Industry Associations (EICTA) announced that HDCP is a required component of the European "HD ready" label. Microsoft Windows Vista and Windows 7 both use HDCP in computer graphics cards and monitors. == Circumvention ==

HDCP strippers decrypt the HDCP stream and transmit an unencrypted HDMI video signal so it will work in a non-HDCP display. It is currently unclear whether such devices would remain working if the HDCP licensing body issued key-revocation lists, which may be installed via new media (e.g. newer Blu-ray Discs) played-back by another device (e.g. a Blu-ray Disc player) connected to it. Cryptanalysis In 2001, Scott Crosby of Carnegie Mellon University wrote a paper with Ian Goldberg, Robert Johnson, Dawn Song, and David Wagner called "A Cryptanalysis of the High-bandwidth Digital Content Protection System", and presented it at ACM-CCS8 DRM Workshop on 5 November. The authors concluded that HDCP's linear key exchange is a fundamental weakness, and discussed ways to: • Eavesdrop on any data. • Clone any device with only its public key. • Avoid any blacklist on devices. • Create new device key vectors. • In aggregate, usurp the authority completely. They also said the Blom's scheme key swap could be broken by a so-called conspiracy attack: obtaining the keys of at least 40 devices and reconstructing the secret symmetrical master matrix that was used to compute them. Around the same time, Niels Ferguson independently claimed to have broken the HDCP scheme, but he did not publish his research, citing legal concerns arising from the controversial Digital Millennium Copyright Act (DMCA). In January 2011, Rob Johnson, Mikhail Rubnich, and Andres DelaCruz of Stony Brook University revealed they had implemented the "conspiracy attack" proposed by Crosby et al. in real life, and successfully recovered the HDCP master key by extracting the private keys from 41 HDCP-capable monitors. In November 2011, Benno Lomb and Tim Güneysu of Ruhr-Universität Bochum revealed they had broken the HDCP 1.3 encryption standard with a commercially-available field-programmable gate array. Master key release On 14 September 2010, Engadget reported the release of a possible genuine HDCP master key which can create device keys that can authenticate with other HDCP compliant devices without obtaining valid keys from The Digital Content Protection LLC. This master key would neutralize the key revocation feature of HDCP, because new keys can be created when old ones are revoked. Intel has threatened legal action against anyone producing hardware to circumvent the HDCP, possibly under the DMCA. The attack used the fact that the pairing process sends the Km key obfuscated with an XOR. That makes the encryptor (receiver) unaware of whether it encrypts or decrypts the key. Further, the input parameters for the XOR and the AES above it are fixed from the receiver side, meaning the transmitter can enforce repeating the same operation. Such a setting allows an attacker to monitor the pairing protocol, repeat it with a small change and extract the Km key. The small change is to pick the "random" key to be the encrypted key from the previous flow. Now, the attacker runs the protocol and in its pairing message it gets E(E(Km)). Since E is based on XOR it undoes itself, thus exposing the Km of the legitimate device. V2.2 was released to fix that weakness by adding randomness provided by the receiver side. However the transmitter in V2.2 must not support receivers of V2.1 or V2.0 in order to avoid this attack. Hence a new erratum was released to redefine the field called "Type" to prevent backward compatibility with versions below 2.2. The "Type" flag should be requested by the content's usage rules (i.e. via the DRM or CAS that opened the content). In August 2015, version 2.2 was rumored to be broken. An episode of AMC's series Breaking Bad was leaked to the Internet in UHD format; its metadata indicated it was an HDMI cap, meaning it was captured through HDMI interface that removed HDCP 2.2 protection. On 4 November 2015, Chinese company LegendSky Tech Co., already known for their other HDCP rippers/splitters under the HDFury brand, released the HDFury Integral, a device that can remove HDCP 2.2 from HDCP-enabled UHD works. On 31 December 2015, Warner Bros and Digital Content Protection LLC filed a lawsuit against LegendSky. Nevertheless, the lawsuit was ultimately dropped and settled out of court in May 2016, after LegendSky argued that the device did not "strip" HDCP content protection but rather downgraded it to an older version, a measure permitted by the DMCA as an exception. == Problems ==

HDCP can cause problems for users who want to connect multiple screens to a device; for example, a bar with several televisions connected to one satellite receiver or when a user has a closed laptop and uses an external display as the only monitor. HDCP devices can create multiple keys, allowing each screen to operate, but the number varies from device to device; e.g., a Dish or Sky satellite receiver can generate 16 keys. The technology sometimes causes handshaking problems where devices cannot establish a connection, especially with older high-definition displays. Edward Felten wrote "the main practical effect of HDCP has been to create one more way in which your electronics could fail to work properly with your TV," and concluded in the aftermath of the master key fiasco that HDCP has been "less a security system than a tool for shaping the consumer electronics market." Additional issues arise when interactive media (i.e. video games) suffer from control latency, because it requires additional processing for encoding/decoding. Various everyday usage situations, such as live streaming or capture of game play, are also adversely affected. There is also the problem that all Apple laptop products, presumably in order to reduce switching time, when confronted with an HDCP-compliant sink device, automatically enable HDCP encryption from the HDMI / Mini DisplayPort / USB-C connector port. This is a problem if the user wishes to use recording or videoconferencing facilities further down the chain, because these devices most often do not decrypt HDCP-enabled content (since HDCP is meant to avoid direct copying of content, and such devices could conceivably do exactly that). This applies even if the output is not HDCP-requiring content, like a PowerPoint presentation or merely the device's UI. Some sink devices have the ability to disable their HDCP reporting entirely, however, preventing this issue from blocking content to videoconferencing or recording. However, HDCP content will then refuse to play on many source devices if this is disabled while the sink device is connected. When connecting a HDCP 2.2 source device through compatible distribution to a video wall made of multiple legacy displays the ability to display an image cannot be guaranteed. == Versions ==

The 2.x version of HDCP is not a continuation of HDCPv1, and is rather a completely different link protection. Version 2.x employs industry-standard encryption algorithms, such as 128-bit AES with 3072 or 1024-bit RSA public key and 256-bit HMAC-SHA256 hash function. HDCP 2.x features a new authentication protocol, and a locality check to ensure the receiver is relatively close (it must respond to the locality check within 7 ms on a normal DVI/HDMI link). Version 2.1 of the specification was cryptanalyzed and found to have several flaws, including the ability to recover the session key. There are still a few commonalities between HDCP v2 and v1. • Both are under DCP LLC authority. • They share the same license agreement, compliance rules and robustness rules. • They share the same revocation system and same device ID formats. == See also ==