HD DVD, Blu-ray protection in question after attacks

Next week, new HD DVD movies will hit the shelves that won't play on some players, the first countermeasure by the content and software industries to combat intensive efforts by hackers to break copy-protection technology.

The move comes four months after hackers first poked a hole in AACS (Advanced Access Content System), the complex encryption scheme used to protect HD DVD and Blu-ray Discs. In the interim, they've been able to decrypt HD DVD movies and, theoretically, upload them to file-sharing networks.

That security gap will be closed, at least for some time, with the new discs. But earlier this month, hackers scored another success in compromising AACS technology, an effort cryptography experts say foreshadows a difficult road ahead in keeping pirates at bay.

The development, disclosed on the Doom9.org forum for video technology aficionados, ironically involved the use of an HD DVD drive within the Xbox, the gaming system from Microsoft, one of the backers of the AACS system.

The new method uses the Xbox's HD DVD drive to read the volume ID for a disc, one piece of information needed to eventually decrypt and copy a disc.

AACS uses a system of numeric keys on playback software and discs to allow a movie to play. Once a hacker obtains a "device key" -- a numerical code within the playback software -- that key can unlock other mechanisms in place designed to block decryption of a movie.

Through sophisticated software probes, hackers found the device key in InterVideoDVD, a software program now owned by Corel. On April 6, Corel issued an update for the InterVideo WinDVD playback software that refreshes and further obscures those device keys. New HD DVDs issued after April 23 will not work on players running the old software.

The technique is known as "device key revocation," a feature of AACS that allows it to block players running software whose device key has been compromised. The upgrade is mandatory, as new movies have been programmed to not play on the old software.

It's the first time the content industry has used the revocation feature, and probably not the last. But supporters of AACS said it is designed to roll with the punches from hackers.

"The attacks -- all of them -- represent only attacks on individual players," said Michael Ayers, an attorney who is chairman of the business group of AACS Licensing Administrator, the trade group that represents vendors supporting the technology, which include Sony, Toshiba, The Walt Disney, and Warner Bros.

"They don't represent hacks of AACS itself," he said, adding that the industry expects more hacking attempts.

Ayers said a lag between when a system is attacked and when the industry can respond is inevitable, given that it takes time to investigate what the hackers are doing and eventually give the film industry and manufacturers enough time to respond. He defended AACS as "robust."

Cryptography experts tend to differ since the determination of the hackers and the availability of tools to analyze software puts AACS at a disadvantage. They think hackers will be copying the new discs sooner rather than later.