Talk:Content Scramble System

From Wikipedia, the free encyclopedia

So... what's the point of using CSS? :-) --Ihope127 16:28, 26 August 2005 (UTC)

Control. You can't sell a DVD player unless you pay $25 for a license from the DVD CCA. And they won't sell you a license unless you configure the software on the DVD player a certain way (honor DVD region codes and User Operation Prohibitions on certain DVD chapters). --Pmsyyz 20:47, 26 August 2005 (UTC)

Also, the average Joe doesn't go looking on the internet for a program to de-css a disk, so that he can copy it. For most it's too much work, too involved, or they are afraid of the MPAA, if anything this article needs a section on fair-use and backing up your disks

CuBiXcRaYfIsH 03:00, 29 December 2005 (UTC)

Actually I would also pretty much be interested in the reason behind CSS. As I read in Lawrence Lessig: The Future of Ideas, css does not intended to stop the copying of DVDs. It zas just a way to make it more difficult to play them. It would be got to elaborate more on this topic, but I don't feel myself a laz expert.Viktor.nagy 14:09, 24 October 2006 (UTC)

[edit] Incorrect Title

Shouldn't this article be titled "Content Scrambling System"? "Scramble" doesn't make sense, grammatically or historically. algocu 19:09, 2 April 2007 (UTC)

It is known, officially, as the Content Scramble System. It is not an incorrect title. Just because it doesn't make sense to you does not mean that it is wrong. System names tend to be like that - only making sense to their designers. --Jmccormac 05:35, 3 April 2007 (UTC)

http://www.dvdcca.org/css/ -- intgr 08:19, 3 April 2007 (UTC)

[edit] "Ironically"??

...which could be brute-forced by a 450Mhz processor in less than a minute[1]. Ironically, a 450MHz processor was stated...

I'm sure the statistic on brute force used a 450MHz processor because it was the industry-stated minimum, in which case, there's no irony here. This part should be rewritten. Dansiman (talk|Contribs) 16:32, 20 December 2007 (UTC)

The irony lies not in the fact that a 450MHz processor can crack CSS, since arguably any processor can do that, given enough time, but in the fact that it can do it in a timescale so short that it is essentially no more difficult than just playing a DVD normally. Maybe irony is the wrong word, but there is definitely something fittingly perverse about an encryption system so badly designed that it is “secure” only against people who have no reason to try to break it (by virtue of not having processors powerful enough to play DVDs smoothly). —Preceding unsigned comment added by 193.61.85.126 (talk) 17:09, 10 January 2008 (UTC)

[edit] Isn't the effective key length only 16bits?

"In addition, structural flaws in the algorithm reduced the effective key length to only around 25 bits, which could be brute-forced by a 450Mhz processor in less than a minute"

IIRC, the 40 bit key is split into two sections, one 16 bits and the other 24 bits which are then used to seed a 17-bit and a 25-bit LFSR (Linear Feedback Shift register) respectively. These are then combined in a trivial manner.

Surely an attack thus only needs to try all the 2^16 combinations of the first LFSR and, along with a known/guessed plain-cipher text pair, it can directly compute the other 24 bits of the key.

Simon Fenney (talk) 11:41, 15 January 2008 (UTC)

The important question here is: are there any sources documenting this? Otherwise it would be original research. -- intgr [talk] 22:26, 15 January 2008 (UTC)

A quick search turned up this [2] which seems to confirm what I thought, i.e. "This streamcipher is very weak, a trivial 2^16 attack is possible"

Simon Fenney (talk) 12:53, 24 January 2008 (UTC)

There are different attacks to the CSS. If you have 5-6 bytes of known plain-cipher text the attack to the stream-cipher is 2^16 and can be accomplished even on a 450 MHz PC in a fraction of a second. It is quite difficult to know/guess plain text though, as this is compressed mpeg stream. On the other hand, if you have access to the sector that contains the encrypted disc key (which can only be read after a successful authenticating procedure) and do not have a player key, you can attack the disc key hash by a 2^25 brute-force attack (this takes less than a minute on a 450 MHz PC). Afterwards, you can do another 2^16 attack to get an arbitrary player key. This way all player keys (about 30) can be computed in less than a second. When the player keys are known (which they are) there is no need to do any attack at all. The disk key hash attack is described in chapter 4 of Frank Stevenson's article (see above), the known-plaintext attack is mentioned in chapter 2 and is also used to get the player keys after the disc key has been found. --132.230.166.181 (talk) 16:52, 23 April 2008 (UTC)

As for "It is quite difficult to know/guess plain text though" I'm not sure I agree. IIRC, the first N-bytes (~128 bytes) of each 2k(?) sector are not encrypted and the changeover frequently seems to straddle the MPEG2 quantisation tables. These are extremely predictable so obtaining known cipher+plain text may be rather simple.Simon Fenney (talk) 12:45, 6 May 2008 (UTC)