Information on CSS

CSS is the weak form of encryption used on DVD-video. Its been cracked. The program DeCSS was the first, and a few newer ones with easy-to-use GUI interfaces are now available. DVDDecrypter is one of the most popular. Its in the tools section (I dont link to utilities except from the tools section because it makes the links harder to manage). The DeCSS program has an intresting legal history.

Most people know DeCSS was written by a norwegen teenager, Jon Johansen. Thats not quite true. The CSS weakness was found by an anonymous german. The DeCSS program was a team project by a group known as Masters of Reverse Enginering. Jon Johansen did some programing and supplied the webspace for it, and had the bad luck to get both the publicity the the unwanted attention from the lawyers. A software DVD player was disasembled and studied. Because the player didn't use all the anti-temper technicques required by the CSS license it was possible to get the critical player key from the software, and other keys could then be calculated. That software player has now had its license revoked and the CSS renewability feature used to disable it, but DeCSS will still work.

The DeCSS program was originally hosted on its authors own webserver. The MPAA and DVDCCA noticed it and sent in the lawyers, attempting to cencor the site and have the programers father, owner of the server, jailed. Of course by the time they got that server down the program was all over the internet. Later the MPAA started a long battle with 2600 magazine, accusing them of breaking the DMCA by linking to DeCSS even through they didn't have a copy on their servers. The DVDCCA joined in claiming the CSS key was a trade secret.

After the legal battles DeCSS earned the unofficial title of worlds most illegal program. DMCA protestors can now buy t-shirts printed with DeCSS source code.

The original aim of DeCSS was to allow DVDs to be played on linux systems. The DVDCCA refused to licence any non-windows players, for reasons they refused to make public but probably related to linux open-source nature and the poor DRM that implies. The reason is valid of course, linux is completly usless for anything involveing DRM. Its easy to modify the kernel, video drivers and sound drivers to intercept data. As linux is the opposite of DRM its not a problem. DVDs can now be played on linux with great difficulty, but it is illegal in the US to posess the software needed for doing so.

The DVDCCA and MPAA give the impression that DeCSS allows DVDs to be copied. That is not entirely true. DVDs could be copied or riped quite easily before CSS was broken. Encrypted DVDs can be bit-copied. Consumer DVD recorders are not able to write CSS keys, but a firmware hack can fix that problem. Professional DVD writers can write CSS blocks. DVDs can also be ripped without DeCSS using a variety of methods. The simplist is connecting a DVD player to a capture card, but some more technicly skilled rippers have done it using screen memory monitors and even brute force. Brute force decryption on DVDs isn't very difficult because a weakness in the CSS algolithm makes it only equivilent to 25-bit, but it is still time consumeing. CSS can also be broken using other weaknesses, one of which reduces it to the equivilent of 16-bit, but is difficult to use :-). CSS was introduced for a different form of protection. The CSS system meant discs can not be played without a key. The key is available to player manufactures for a lot of money and a licence which requires they impliment the full region protection and macrovision protection system, plus the no-skip on the FBI warning/advert and stops any digital outputs. It also allows a revocation system. A players key must be present on a disk to decrypt it, so removing that key from a disk means it wont play in that player. To be used if holes are discovered in a player. It has been used once, to revoke the player which was reverse enginered to write DeCSS. Althrough many players have weak region or macrovision protection the DVDCCA only revokes players for serious problems, bad publicity.

Extract from http://www-2.cs.cmu.edu/~dst/DeCSS/Gallery/plain-english.html
Decrypting a DVD movie is done in several steps. First one must have a master key, which is unique to the DVD player manufacturer. It is also known as a player key. The player reads an encrypted disk key from the DVD, and uses its player key to decrypt the disk key. The DVD drive firmware however will not just read the key - it has to be convinced the request is from a legitimate, licenced player program. This is achieved by a sophisticated cryptographic protocol, which fortunatly contains holes large enough to fly a jet through. The drive will also check the region information on the disc, and refuse to read keys on wrong-region discs - a semi-successful measure to prevent software-only region cracks. Then the player reads the encrypted title key for the file to be played. (The DVD will likely contain multiple files, typically 4 to 8, each with its own title key.) It uses the decrypted disk key (DK) to decrypt the title key. Finally, the decrypted title key, TK, is used to descramble the actual content.

To reduce processing requirements (ie cost) encrypted VOBs are only partially encrypted. Enough is encrypted that it wont play but not enough to make the players too expensive. That is why playing a DVD without decryption will sometimes still get you jumpy sound and no picture.

A licence has now been granted for a linux DVD player. It seems the DVDCCA decided to allow one linux player restricted by their licence instead of the many unlicenced players they would have if they did not allow a legal player.

For a more technical explanation of the encryption look at this. The CSS Gallery displays many forms of CSS code, and examines the legal confusion surounding free speech and computer code. A tutorial on the technical aspects of CSS, and the many weaknesses which can be used as well as DeCSS, is here.

And here is some more information, emailed to me:

I thought you might like to know that DVD-D discs can be ripped even after they destroy themselves, assuming the info on your site is correct. According to your site, the only thing that is destroyed on a DVD-D is the CSS keyblock. The problem with that is DVD Decrypter in brute force (DeCSS Plus) mode does not require access to the keyblock as it uses cryptanalysis (usually a known plaintext attack) to break CSS. DVD players that use libdvdcss like mplayer and xine are also not affected as long as the right CSS cracking mode is selected. It is also interesting to note that these methods can be used to bypass RPC2 region protection, as almost all RPC2 drives only block access to the CSS keyblock on a wrong region DVD, they do not affect reading the encrypted data itself. Presumably this is to allow access to non-encrypted content on the DVD (trailers, wallpapers, etc) even if the region is not correct. Whatever the reason for that oversight, it allows software that does not rely on the normal I/O key exchange method to play and/or copy DVDs that are the wrong region as well as the DVD-D self-destructing DVDs. I have included more info about the various methods used by mplayer to decrypt CSS below, taken directly from the mplayer docs for linux.
bus key: This key is negotiated during authentication (a long mix of ioctls and various key exchanges, crypto stuff) and is used to encrypt the title and disk keys before sending them over the unprotected bus (to prevent eavesdropping). The bus key is needed to get and predecrypt the crypted disk key.
cached key: MPlayer looks for already cracked title keys which are stored in the ~/.mplayer/DVDKeys directory (fast ;).
key: If no cached key is available, MPlayer tries to decrypt the disk key with a set of included player keys.
disk: If the key method fails (e.g. no included player keys), MPlayer will crack the disk key using a brute force algorithm. This process is CPU intensive and requires 64 MB of memory (16M 32Bit entries hash table) to store temporary data. This method should always work (slow).
title request: With the disk key MPlayer requests the crypted title keys, which are inside hidden sectors using ioctl(). The region protection of RPC-2 drives is performed in this step and may fail on such drives. If it succeeds, the title keys will be decrypted with the bus and disk key.
title: This method is used if the title request failed and does not rely on any key exchange with the DVD drive. It uses a crypto attack to guess the title key directly (by finding a repeating pattern in the decrypted VOB content and guessing that the plain text corresponding to the first encrypted bytes is a continuation of that pattern). The method is also known as "known plaintext attack" or "DeCSSPlus". In rare cases this may fail because there is not enough encrypted data on the disk to perform a statistical attack or because the key changes in the middle of a title. This method is the only way to decrypt a DVD stored on a hard disk or a DVD with the wrong region on an RPC2 drive (slow).