Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!mnetor!seismo!cmcl2!yale!husc6!mit-eddie!rutgers!princeton!allegra!ulysses!faline!karn From: karn@faline.UUCP (Phil R. Karn) Newsgroups: sci.crypt Subject: Re: This is *stupid* Message-ID: <271@faline.UUCP> Date: Wed, 3-Dec-86 22:47:28 EST Article-I.D.: faline.271 Posted: Wed Dec 3 22:47:28 1986 Date-Received: Sat, 6-Dec-86 21:44:09 EST References: <12246@watnot.UUCP> <3720@utcsri.UUCP> Distribution: net Organization: Bell Communications Research, Inc Lines: 49 There have been several premature reports of the demise of Videocipher-II. One showed up on the Independent Network News a few months ago. In it a satellite dish dealer first showed a reporter how adding a capacitor to a Videocipher box would recover the video on an unsubscribed channel (this was legit, but no surprise since everyone knows that the video is easy to recover). Then he claimed that through the use of an ordinary FM broadcast receiver, he could get the sound. Well, it was pretty obvious to me that he was just getting it from his local CATV company, since many carry the sound for subscription channels on the FM broadcast band (this is how you get stereo). Several days later, HBO made the same accusation, but the dish dealer denied that he got the audio off a CATV system. He also refused to repeat the demonstration. He claimed that he'd tell M/A-Com the details of his scheme only if they'd agree to recall every Videocipher box -- an offer M/A-Com is unlikely to accept. You decide. As far as I know, Videocipher represents the first time DES has been used in a situation where the legitimate receiver is either apathetic or actively hostile to keeping the keys secret. Videocipher uses a primary/secondary key scheme. The primary keys are used to decrypt an encrypted secondary key which is sent over the satellite. This secondary key can be fixed, or it can change periodically; each time it changes, the box must decrypt it with the primary key and start using it to decrypt the audio. Clearly, the primary keys are the "key" to cracking the system. Obviously, any subscriber can get as much matching plaintext/cleartext as he or she wants, but this isn't of much use since DES has already shown itself to be highly resistant to known plaintext attacks (i.e., you'll probably have to try all possible 2^56 keys in a DES chip of your own until you hit the one that works). The security of the system therefore depends entirely on the physical security of the primary DES keys, which of course have to be in the box you sell to the customer. They are kept in the unit in a register on a custom CMOS chip with battery backup. Naturally, the chip is designed to make reading the keys impossible. Given that DES has withstood all (published) cryptanalytical attacks, and that you can get physical possession of the primary keys by simply buying a box, the most fruitful avenue of attack on Videocipher is likely to be physical. Special solvents exist for dissolving epoxy off ICs without damaging the chips, and special scanning electron microscopes exist for reading voltage levels within operating ICs. All it takes is one motivated person with access to the necessary resources to read the key registers, post the results to netnews, and the game will be over. Until then, I'm taking all reports of Videocipher audio cracking with a large bag of salt. Phil