Design Article
Updating the High Definition Content Protection Standard with Version 2.0
Al Hawtin
6/17/2009 3:15 PM EDT
HDCP security is administered by the Digital Content Protection LLC which is a subsidiary of Intel. HDCP Rev. 1.x has been in existence since 1999 and will shortly be supplemented by HDCP Rev. 2.0 which was published in October of 2008.
This article will give a brief introduction of HDCP then dive into the recently announced upgrade and how it will be implemented. HDCP 2.0 (as it will be referred to in this article) is a dramatic improvement in security design and will be initially adopted in wireless networks targeted at the distribution of high-definition content in the home.
High-bandwidth Digital Content Protection (HDCP)
Studios and consumer electronics developers understood that the next generation of entertainment distribution technology such as high definition TV and DVDs would offer pirates the opportunity to steal premiere, high value content.
In 1999 the studios were just beginning to move to an accelerated distribution model which shortened the intervals between theatrical release (where the content is physically protected), premium distribution (pay-TV and captive outlets such as airline entertainment systems), and mass-market distribution on DVD shortly thereafter.
The projected loss of revenue from theft of high-definition content under the new distribution model was astounding, and the studios were determined to develop new content protection designs to avoid the massive losses experienced in the music industry.
This resulted in four new security designs: three implemented on Blu-ray Discs, and one, HDCP, which protects the content as it moves from a source device such as a DVD player or set-top box to the display device. The HDCP standard is controlled by an industry licensing authority known as the Digital Content Protection LLC (DCP), which is a subsidiary of Intel Corporation.
The DCP works very closely with the High-Definition Multimedia Interface (HDMI) Licensing LLC, which controls the overall interface standard used ubiquitously by consumer electronics and PC manufacturers as the de facto connection technology for high-definition content. Figure 1 below illustrates the use model for HDCP as used in HDMI.
[Figure 1. Content Protection in HDCP]
Security Design in HDCP Rev. 1.3: A review
The vast majority of high-definition products shipping today support HDMI Rev. 1.3. There are three variants shipping today, 1.3, 1.3a and 1.3b, which reflect tweaks to the standard and changes in test methodology to improve interoperability.
In practice, HDMI Rev. 1.3 devices that handle protected content implement HDCP Rev. 1.3. The content protection design in HDCP has three important elements:
1. Encryption and decryption of the digital multimedia content, both audio and video;
2. Authentication and key derivation; and
3. Revocation.
As shown in Figure 2 below, under the nomenclature used by the DCP, a device which renders multimedia content is known as a Sink device. A device which sends content over an HDMI cable is known as a Source.
There can also be a Repeater in the system, which might for example be a surround-sound audio system. It extracts the audio from the HDMI stream but passes the video through to the final video rendering device.
[Figure 2. Under HDCP, the Source device sends content over the cable to a Sink device, which renders the multimedia content.]
It is the responsibility of a Source device to cryptographically authenticate that the device on the other end of the cable (i.e. the Sink device) is a valid HDCP device and that it has not been placed on the revocation list by the DCP, which would indicate it has been compromised by hackers. After authenticating a Sink device, the Source device encrypts the content and sends it over the cable.
In HDCP Rev. 1.x, content encryption is done with a proprietary stream cipher invented by Intel. As the standard dates all the way back to 1999, the Advanced Encryption Standard (AES) was still under review by the U.S. National Institute of Standards and Technology (NIST) and as such was not an option.
The HDCP cipher was a reasonable choice as it was very small in terms of silicon area and could easily handle the high speeds required for uncompressed audio/video content. It is likely that the HDCP cipher is subject to attack but there has been no report of it being broken.
This is probably due to the fact that the security design in HDCP has other fundamental flaws that led to the design being broken very quickly so there has been no need for hackers to attack the cipher itself.
It is in the authentication and key derivation process that the vulnerability of the security design is most evident. When an HDCP device is manufactured, the DCP provides a set of highly confidential keys and other secrets to the manufacturer.
These are then stored in the silicon device in non-volatile memory or in encrypted form in off-chip memory. These keys are known as Device Private Keys and are secret values that must not be revealed to hackers. In addition, there is a Key Selection Vector (KSV) which is a 40 bit binary value that uniquely identifies the HDCP device.
During the authentication process, the KSVs are exchanged. Each device then adds together (modulo 2^56) its own Device Private Keys at the positions selected by the set bits of the other device's KSV (i.e. the Source uses the Sink's KSV with the Source Device Private Keys, and vice versa) to derive the symmetric key used with the HDCP cipher.
This process is much simpler than a traditional key exchange algorithm such as those used in banking transactions, but it was chosen because it fits the cost model for consumer electronics. It has however proven to be the Achilles heel of the security design: because each device's private keys are a linear function of its KSV, a collection of roughly 40 devices' keys is enough to compute the keys belonging to any KSV, and the scheme was quickly broken by experts in cryptanalysis.
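The key selection described above, as an added example that is not code from the article, from DCP or from any HDCP implementation: a Python model of HDCP 1.x key selection. The 40-bit KSV with exactly 20 bits set, the 40 Device Private Keys of 56 bits, and the summation that forms the shared key Km follow the published HDCP 1.x structure; the symmetric 40x40 master matrix that mints keys and the five sample devices are constructed stand-ins, since the licensor's real matrix is secret. It shows the property that makes the scheme weak: because a device's keys are a linear function of its KSV, the keys of a device nobody has opened can be assembled from an integer combination of leaked devices' keys, after which that forged device agrees on Km with a genuine source.

```python
"""Model of HDCP 1.x key selection (added example; not code from the article or DCP).

Published HDCP 1.x structure reproduced here: a 40-bit Key Selection Vector
(KSV) with exactly 20 bits set, 40 Device Private Keys of 56 bits each, and a
shared key Km formed by adding, mod 2^56, one side's private keys at the
positions selected by the other side's KSV bits.

ASSUMPTION: the licensor's 40x40 master matrix is secret; make_master_secret()
is a constructed symmetric stand-in with the same shape, and every device
below is a constructed sample, not a real KSV.
"""
import random

N = 40         # KSV width and number of private keys per device
MOD = 1 << 56  # private keys and Km are 56-bit values


def ksv_bits(ksv):
    """Bit i of a KSV selects private key i."""
    return [(ksv >> i) & 1 for i in range(N)]


def ksv_is_valid(ksv):
    """Check each side must perform on the peer's KSV: 40 bits, exactly 20 set."""
    return 0 <= ksv < (1 << N) and bin(ksv).count("1") == 20


def ksv_from_positions(positions):
    return sum(1 << p for p in positions)


def make_master_secret(seed):
    """Constructed stand-in for the licensor's secret: symmetric 40x40 matrix of 56-bit values."""
    rng = random.Random(seed)
    m = [[0] * N for _ in range(N)]
    for i in range(N):
        for j in range(i, N):
            m[i][j] = m[j][i] = rng.getrandbits(56)
    return m


def device_private_keys(master, ksv):
    """Mint a device's keys: keys[j] = sum_i KSV_i * M[i][j] (mod 2^56).
    This is linear in the KSV, which is the weakness."""
    bits = ksv_bits(ksv)
    return [sum(master[i][j] for i in range(N) if bits[i]) % MOD for j in range(N)]


def shared_key(my_keys, peer_ksv):
    """Km as HDCP 1.x computes it on each side: add my keys selected by the peer's KSV bits."""
    if not ksv_is_valid(peer_ksv):
        raise ValueError("peer KSV is not a valid 20-of-40 vector")
    return sum(k for k, b in zip(my_keys, ksv_bits(peer_ksv)) if b) % MOD


def forge_private_keys(leaked, target_ksv):
    """leaked: list of (coeff, ksv, keys) with sum(coeff * ksv vector) == target KSV vector.
    Linearity means the same integer combination of the leaked key sets equals
    the target device's keys, without ever touching the master secret."""
    target = ksv_bits(target_ksv)
    for i in range(N):
        if sum(c * ksv_bits(k)[i] for c, k, _ in leaked) != target[i]:
            raise ValueError("leaked KSVs do not combine to the target KSV")
    return [sum(c * keys[j] for c, _, keys in leaked) % MOD for j in range(N)]


def demo(seed=2009):
    """Returns (forged keys equal the genuine keys, forged sink agrees on Km with a genuine source)."""
    master = make_master_secret(seed)
    source_ksv = ksv_from_positions(range(0, N, 2))  # even bits: 20 ones
    source_keys = device_private_keys(master, source_ksv)

    # Three constructed 'leaked' devices whose KSVs satisfy A + B - C = T as integer vectors.
    a = ksv_from_positions(range(0, 20))
    b = ksv_from_positions(range(20, 40))
    c = ksv_from_positions(list(range(0, 10)) + list(range(20, 30)))
    t = ksv_from_positions(list(range(10, 20)) + list(range(30, 40)))  # the victim KSV
    leaked = [(1, a, device_private_keys(master, a)),
              (1, b, device_private_keys(master, b)),
              (-1, c, device_private_keys(master, c))]

    forged = forge_private_keys(leaked, t)
    genuine = device_private_keys(master, t)
    km_source = shared_key(source_keys, t)       # Source uses the Sink's KSV
    km_forged = shared_key(forged, source_ksv)   # forged Sink uses the Source's KSV
    return forged == genuine, km_source == km_forged


if __name__ == "__main__":
    print(demo())
```

Both sides compute the same Km because the master matrix is symmetric, which is exactly why the linear combination of leaked keys is also a valid key set. The example hand-picks three leaked devices whose KSVs combine as A + B - C so the linearity is visible directly; in the general case the attacker solves a 40-unknown linear system mod 2^56 from about 40 independent leaked key sets, which is the published cryptanalysis of the scheme. The `ksv_is_valid` check is the one the specification requires on every received KSV and should never be skipped in an implementation.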
Despite knowing that this flaw existed, the DCP continued to use the design over the last ten years so as to provide continuity to consumers and manufacturers. Finally however, the DCP has moved to change the design as we'll see later in this article.
Lastly, all HDCP-based consumer electronic devices must maintain a revocation list that is administered by the DCP. Each time a new Blu-ray movie is mastered, for example, the most recent revocation list is included on the disc.
The Source device checks whether the revocation list on the media is more recent than the one stored locally and, if so, copies it into local memory.
Each time a Sink device is attached to the Source, the Source checks whether the Sink device's KSV is on the revocation list. If it is, the Source device must not transmit high-definition content to the revoked rendering device.
Les Slater
6/19/2009 1:40 AM EDT
I am concerned about the consumer impact of implementing HDCP 2.0. How many mainstream products have had their 1.x certificates revoked so far? Will 2.0 only apply to new, over-the-air networks? Will a valid HDCP network have to comply with 2.0 from end to end or only in the most vulnerable radio links?
Consumers already have made substantial investments in Blu-ray players with their attendant displays and surround systems. It sounds like very few of the current products in this space could be upgraded at all. If this is an end-to-end requirement it would create resentment in those who bought current and near-future equipment and suspicion among those looking to industry to provide a reasonable assurance that their investments will not become prematurely obsolete.
Jasonjb
7/13/2009 4:01 AM EDT
I am currently writing a paper on digital terrestrial television and copyright and have two burning questions about HDCP that I can't seem to find answers to:
1) Is it possible for content owners or distributors (i.e. a broadcaster or DVD producer) to instruct an HDCP-compliant device to ignore HDCP, and if so, 2) what is the default setting where there is no content protection on the content (i.e. a home movie DVD)?
If anyone has the answers to these questions, I'd be extremely grateful.
Regards
Jason