A Cryptanalysis of the High-Bandwidth Digital Content Protection System

  • Scott Crosby
  • Ian Goldberg
  • Robert Johnson
  • Dawn Song
  • David Wagner
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2320)


We describe a weakness in the High Bandwidth Digital Content Protection (HDCP) scheme which may lead to practical attacks. HDCP is a proposed identity-based cryptosystem for use over the Digital Visual Interface bus, a consumer video bus used to connect personal computers and digital display devices. Public/private key pairs are assigned to devices by a trusted authority, which possesses a master secret. If an attacker can recover 40 public/private key pairs that span the module of public keys, then the authority’s master secret can be recovered in a few seconds. With the master secret, an attacker can eavesdrop on communications between any two devices and can spoof any device, both in real time. Additionally, the attacker can produce new key pairs not on any key revocation list. Thus the attacker can completely usurp the trusted authority’s power. Furthermore, the protocol is still insecure even if all devices’ keys are signed by the central authority.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    A. Shamir. Identity-based cyrptosystems and signature schemes. In Crypto’84, 1984.Google Scholar
  2. 2.
    Y. Desmedt and J. Quisquater. Public-key systems based on the difficulty of tampering. In Crypto’86, 1986.Google Scholar
  3. 3.
    H. Tanaka. A realization scheme for the identity-based cryptosystem. In Crypto’87, 1987.Google Scholar
  4. 4.
    S. Tsuji and T. Itoh. An ID-based cryptosystem based on the discrete logarithm problem. In IEEE Journal of Selected Areas in Communication, volume 7, 1989.Google Scholar
  5. 5.
    Dan Boneh and Matthew Franklin. Identity-based encryption from the Weil pairing. In CRYPTO’2001, 2001.Google Scholar
  6. 6.
    David Barth. Personal communication. September 2001.Google Scholar
  7. 7.
    Rolf Blom. An optimal class of symmetric key generation systems. In T. Beth, N. Cot, and I. Ingemarsson, editors, Proc. EUROCRYPT 84, pages 335–338. Springer-Verlag, 1985.Google Scholar
  8. 8.
    Rolf Blom. Non-public key distribution. In R. L. Rivest, A. Sherman, and D. Chaum, editors, Proc. CRYPTO 82, pages 231–236, New York, 1983. Plenum Press.Google Scholar
  9. 9.
    Scott Crosby. Apparent HDCP authentication protocol weaknesses. http://cryptome.org/hdcp-weakness.htm, May 2001.
  10. 10.
    Keith Irwin. Four simple cryptographic attacks on HDCP. http://www.angelfire.com/realm/keithirwin/HDCPAttacks.html, July 2001.
  11. 11.
    Niels Ferguson. Censorship in action: Silenced by the DMCA. http://www.macfergus.com/niels/dmca/index.html, August 2001.
  12. 12.
    Intel Corporation. High-Bandwidth Digital Content Protection System, 1.00 edition, February 2000.Google Scholar
  13. 13.
    Hitachi, Ltd. and Intel Corporation and Matsushita Electronic Industrial Co., Ltd. and Sony Corporation and Toshiba Corporation. Digital Transmission Content Protection System, Volume 1, July 2001.Google Scholar
  14. 14.
    Semiconductor Design Solutions. RSA2048A RSA coprocessor data sheet. http://www.sidsa.com/datasheets/RSA/ds_rsa2048a_short.html.
  15. 15.
    3GPP Security Algorithms Group of Experts. 3GPP KASUMI evaluation report. Technical report, 3rd Generation Partnership Project, Oct 2000.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Scott Crosby
    • 1
  • Ian Goldberg
    • 2
  • Robert Johnson
    • 3
  • Dawn Song
    • 3
  • David Wagner
    • 3
  1. 1.Carnegie-Mellon UniversityUSA
  2. 2.Zero Knowledge SystemsUSA
  3. 3.University of California at BerkeleyUSA

Personalised recommendations