Security and Privacy in Digital Rights Management

Volume 2320 of the series Lecture Notes in Computer Science pp 192-200


A Cryptanalysis of the High-Bandwidth Digital Content Protection System

  • Scott CrosbyAffiliated withCarnegie-Mellon University
  • , Ian GoldbergAffiliated withZero Knowledge Systems
  • , Robert JohnsonAffiliated withUniversity of California at Berkeley
  • , Dawn SongAffiliated withUniversity of California at Berkeley
  • , David WagnerAffiliated withUniversity of California at Berkeley

* Final gross prices may vary according to local VAT.

Get Access


We describe a weakness in the High Bandwidth Digital Content Protection (HDCP) scheme which may lead to practical attacks. HDCP is a proposed identity-based cryptosystem for use over the Digital Visual Interface bus, a consumer video bus used to connect personal computers and digital display devices. Public/private key pairs are assigned to devices by a trusted authority, which possesses a master secret. If an attacker can recover 40 public/private key pairs that span the module of public keys, then the authority’s master secret can be recovered in a few seconds. With the master secret, an attacker can eavesdrop on communications between any two devices and can spoof any device, both in real time. Additionally, the attacker can produce new key pairs not on any key revocation list. Thus the attacker can completely usurp the trusted authority’s power. Furthermore, the protocol is still insecure even if all devices’ keys are signed by the central authority.