news government kept xing from encrypting key

Government kept Xing from encrypting key!

OK, check out this article at Wired. According to the author, it’s all the government’s fault that DVD got cracked. Why? Because of 40-bit encryption. Let’s review, people. Some industrious Norwegians looking to write a Linux DVD player were trying to figure out how to get around the encryption scheme. They started looking at Windows-based players to figure out how they did it, but they hit a wall, because the decryption key in each one was encrypted so it couldn’t be read. All except for Xing Technologies’ XingDVD player, of course, because they forgot to encrypt their key. The result? The programmers read the key out of the XingDVD executable and thus cracked DVD encryption. And this is the government’s fault?

Don’t get me wrong, I’m hardly gonna cut the government any slack when they screw up, but exactly how do we blame them for this? Let’s assume for a moment that the government started allowing the export of strong encryption five years ago. As a result DVD players were manufactured with 1024-bit decryption keys. All the keys themselves were encrypted with 1024-bit encryption. Except, of course, for Xing, who in our theoretical scenario still forgets to encrypt their key. The result? Exactly the same. The hackers find an easy to read unencrypted key and the DVD format still gets cracked.

What’s important to realize here is that, at least the way things happened, the unencrypted key was vital to the success of this crack. Is it possible that the programmers would’ve been able to crack the weak encryption on the 40-bit key? Yes, especially since according to the article the algorithm used to encrypt the key didn’t even use the full 40 bits. But it’s also possible that they would not have been able to crack the encrypted key, and we never would’ve had a crack without Xing’s screw-up.

The facts tend to support the latter scenario– if the programmers had been confident in their ability to brute force crack an encrypted key, would they have taken the time to look at all the software players, or simply realized the key was encrypted and started punching away at it?

Of course once the programmers had a working key it apparently enabled them to figure out the algorithm used to encrypt the other keys. In fact they commented on how weak the algorithm was. But would it have been as easy to crack without already knowing a key? I don’t have the expertise to say, but if anyone out there does feel free to comment.

Perhaps the intention of the story was to point out that the weak encryption allowed other keys to be compromised after the Xing key was found. If that’s the case, it didn’t seem to make it into the article. Thus we’re left with the implication that the government is to blame for its weak encryption, because of a piece of data that didn’t use any encryption at all. Riiiiight.