Government kept Xing from encrypting key!

OK, check out this article at Wired. According to the author, it’s all the government’s fault that DVD got cracked. Why? Because of 40-bit encryption. Let’s review, people. Some industrious Norwegians looking to write a Linux DVD player were trying to figure out how to get around the encryption scheme. They started looking at Windows-based players to figure out how they did it, but they hit a wall, because the decryption key in each one was encrypted so it couldn’t be read. All except for Xing Technologies’ XingDVD player, of course, because they forgot to encrypt their key. The result? The programmers read the key out of the XingDVD executable and thus cracked DVD encryption. And this is the government’s fault?

Don’t get me wrong, I’m hardly gonna cut the government any slack when they screw up, but exactly how do we blame them for this? Let’s assume for a moment that the government started allowing the export of strong encryption five years ago. As a result DVD players were manufactured with 1024-bit decryption keys. All the keys themselves were encrypted with 1024-bit encryption. Except, of course, for Xing, who in our theoretical scenario still forgets to encrypt their key. The result? Exactly the same. The hackers find an easy to read unencrypted key and the DVD format still gets cracked.

What’s important to realize here is that, at least the way things happened, the unencrypted key was vital to the success of this crack. Is it possible that the programmers would’ve been able to crack the weak encryption on the 40-bit key? Yes, especially since according to the article the algorithm used to encrypt the key didn’t even use the full 40 bits. But it’s also possible that they would not have been able to crack the encrypted key, and we never would’ve had a crack without Xing’s screw-up.

The facts tend to support the latter scenario– if the programmers had been confident in their ability to brute force crack an encrypted key, would they have taken the time to look at all the software players, or simply realized the key was encrypted and started punching away at it?

Of course once the programmers had a working key it apparently enabled them to figure out the algorithm used to encrypt the other keys. In fact they commented on how weak the algorithm was. But would it have been as easy to crack without already knowing a key? I don’t have the expertise to say, but if anyone out there does feel free to comment.

Perhaps the intention of the story was to point out that the weak encryption allowed other keys to be compromised after the Xing key was found. If that’s the case, it didn’t seem to make it into the article. Thus we’re left with the implication that the government is to blame for its weak encryption, because of a piece of data that didn’t use any encryption at all. Riiiiight.

Comments closed
    • Anonymous
    • 20 years ago

    *[Anon@205.248.173.173<]* Don\'t be silly. just because the encryption scheme was hidden doesn\'t mean it is protected from being cracked. It means it would have taken a little bit longer. The governemtn requires 40 bit keys. These keys can be brute forced in seconds. No matter how cleverly you hide the key sooner or later someone is going to get at it.

    • Anonymous
    • 20 years ago

    *[Anon@24.1.127.21<]* An important thing to remember, though, is that there is no way that the key can be securely encrypted in a software application. At best it will be a complicated version of obfuscation. This is the same reason it is a bad idea to have your computer \"remember\" your POP passwords. Unless the user is forced to type a key from memory, the key WILL exist somewhere on the system. Admittedly, tracking down the key is a much more difficult process than finding the unencrypted password lying around! I would definetely say that finding an unencrypted key aided in breaking all future keys. Since they were able to recover plaintext, it makes the process of determining whether a potential key is correct or not very simple. It\'s almost like a Rosetta Stone.

Pin It on Pinterest

Share This