Key selection vector

Last updated September 28, 2023

A Key Selection Vector (KSV) is a numerical identifier associated with a Device Key Set which is distributed by a Licensor or its designee to Adopters and is used to support authentication of Licensed Products and Revocation as part of the HDCP copy protection system. The KSV is used to generate confidential keys, specifically used in the Restricted Authentication process of HDCP. Restricted Authentication is an AKE method for devices with limited computing resources. This method is used by copying devices of any kind (such as DV recorders or D-VHS recorders) and devices communicating with them for authenticating protected content. The restricted authentication protocol uses asymmetric key management and common key cryptography, and relies on the use of shared secrets and hash functions to respond to a random challenge.^[1]

Restricted Authentication Protocol

The goal of Restricted Authentication is for a device to prove that it holds a secret shared with other devices. One device authenticates another by issuing a random challenge for which the response is generated by combining the shared secrets and multiple hashes. Formally, a Key Selection Vector is a 40-bit vector containing 20 ones and 20 zeros, and is used to specify the random challenge. The Device Key Set is a collection of 40 56-bit values, and is the set of shared secrets for this protocol

During the authentication process, both parties (a transmitter and a receiver) exchange their KSVs. Then each device adds (unsigned addition modulo $2^{56}$ ) its own device secret keys according to a KSV received from another device. If a particular bit in the KSV is set to 1, then the corresponding secret key is used in the addition and otherwise it is ignored. For each set of keys a special key called a KSV (Key Selection Vector) is created. Each KSV has exactly 20 bits set to 0 and 20 bits set to 1. Keys and KSVs are generated in such a way that during this process both devices get the same 56 bit number as a result. That number is later used in the encryption process.

Uniqueness and Revocation of KSVs

Since valid keys can become compromised (hacked, for instance through reverse engineering hardware), the HDCP scheme includes a mechanism to revoke keys. The KSV values are unique to each key set and, therefore to each device. The HDCP system can then compare these values to a revocation list, and authentication fails if either the transmitter or receiver appears on the revocation list. Updates to the revocation list arrive with new media and are automatically integrated into a device's revocation list. This means that damage can be limited if a key set is exposed or copied.

This revocation process does not affect other devices, even if the devices are of the same make and model. KSV values are similar to serial numbers in this sense. As an example of how this system works, if two customers were to buy the same model of television on the same day at the same store, and the first customer hacked their television, the first customer's key could be revoked without affecting the ability of the other customer's television to play content.

Attacks on Restricted Authentication

If an attacker can find 40 linearly independent vectors ( $A_{1}$ ) keys ... ( $A_{40}$ )keys (i.e. the vectors generated by adding together a device's Device Key Set based on a KSV,) then they can completely break the HDCP system for all devices using a given Device Key Set. At this point, they can extract the secret key array for any number of KSVs, which allows them to access the shared secrets used in the HDCP authentication protocol. Since the keys generated from the KSVs are produced linearly in the given system (i.e. getting a key from a KSV can be viewed as matrix multiplication), someone could determine the Device Key Set matrix from any 40-50 different systems: $A_{1}$ .... $A_{n}$ , and the associated KSV (this is public information from the protocol).

In other cases where the extracted keys are not linearly independent, it is still possible to create a new XKey for a new Xksv that is within the span of the ( $A_{i}$ )KSVs (by taking linear combinations) for which the private keys have been found. There will be, however, no guarantee of them satisfying the required property that a KSV must have; 20 ones and 20 zeros.^[2]

Setting up the Equations

Assuming there are 40 ( $A_{i}$ ) KSVs that are linearly independent (and naming Xkeys the matrix of the keys in the Device Key Set), this gives a set of n linear equations on 40 unknowns –

[Xkeys] * (A1)ksv = = [(A1)keys] * Xksv[Xkeys] * (A2)ksv = = [(A2)keys] * Xksv...[Xkeys] * (A40)ksv = = [(A40)keys] * Xksv

By having acknowledgment on all the KSVs, and assuming the secret key vectors ( $A_{i}$ )keys are known, the above algorithm can be used to find the secret keys to produce a new derived key from arbitrary new KSV. If the space spanned by the ( $A_{i}$ )KSVs doesn't span the full 40 dimensional space, this may be okay because the KSVs were either not designed to not span the space, or only a small number of extra keys are needed to find a set of vectors spanning the full space. Each additional device has low odds of being linearly dependent with the existing set. (roughly 1/2^[40-dimensionality-of-spanned-space]. This analysis of probabilities of linear dependence is similar to the analysis of Simon's Algorithm).^[2]

Related Research Articles

Continuum mechanics is a branch of mechanics that deals with the deformation of and transmission of forces through materials modeled as a continuous mass rather than as discrete particles. The French mathematician Augustin-Louis Cauchy was the first to formulate such models in the 19th century.

In quantum computing, a qubit or quantum bit is a basic unit of quantum information—the quantum version of the classic binary bit physically realized with a two-state device. A qubit is a two-state quantum-mechanical system, one of the simplest quantum systems displaying the peculiarity of quantum mechanics. Examples include the spin of the electron in which the two levels can be taken as spin up and spin down; or the polarization of a single photon in which the two states can be taken to be the vertical polarization and the horizontal polarization. In a classical system, a bit would have to be in one state or the other. However, quantum mechanics allows the qubit to be in a coherent superposition of both states simultaneously, a property that is fundamental to quantum mechanics and quantum computing.

In mathematical logic and computer science, a general recursive function, partial recursive function, or μ-recursive function is a partial function from natural numbers to natural numbers that is "computable" in an intuitive sense – as well as in a formal one. If the function is total, it is also called a total recursive function. In computability theory, it is shown that the μ-recursive functions are precisely the functions that can be computed by Turing machines. The μ-recursive functions are closely related to primitive recursive functions, and their inductive definition (below) builds upon that of the primitive recursive functions. However, not every total recursive function is a primitive recursive function—the most famous example is the Ackermann function.

In mathematics, an abelian category is a category in which morphisms and objects can be added and in which kernels and cokernels exist and have desirable properties. The motivating prototypical example of an abelian category is the category of abelian groups, Ab. The theory originated in an effort to unify several cohomology theories by Alexander Grothendieck and independently in the slightly earlier work of David Buchsbaum. Abelian categories are very stable categories; for example they are regular and they satisfy the snake lemma. The class of abelian categories is closed under several categorical constructions, for example, the category of chain complexes of an abelian category, or the category of functors from a small category to an abelian category are abelian as well. These stability properties make them inevitable in homological algebra and beyond; the theory has major applications in algebraic geometry, cohomology and pure category theory.

The Digital Signature Algorithm (DSA) is a public-key cryptosystem and Federal Information Processing Standard for digital signatures, based on the mathematical concept of modular exponentiation and the discrete logarithm problem. DSA is a variant of the Schnorr and ElGamal signature schemes.

2 (two) is a number, numeral and digit. It is the natural number following 1 and preceding 3. It is the smallest and only even prime number. Because it forms the basis of a duality, it has religious and spiritual significance in many cultures.

In category theory, the coproduct, or categorical sum, is a construction which includes as examples the disjoint union of sets and of topological spaces, the free product of groups, and the direct sum of modules and vector spaces. The coproduct of a family of objects is essentially the "least specific" object to which each object in the family admits a morphism. It is the category-theoretic dual notion to the categorical product, which means the definition is the same as the product but with all arrows reversed. Despite this seemingly innocuous change in the name and notation, coproducts can be and typically are dramatically different from products.

$<span class="mw-page-title-main">Egyptian fraction</span> Finite sum of distinct unit fractions$

An Egyptian fraction is a finite sum of distinct unit fractions, such as

In algebraic number theory, a quadratic field is an algebraic number field of degree two over $, the rational numbers.$

In functional analysis and operator theory, a bounded linear operator is a linear transformation $between topological vector spaces (TVSs) and that maps bounded subsets of to bounded subsets of If and are normed vector spaces, then is bounded if and only if there exists some Failed to parse : M>0 such that for all$

A lattice is an abstract structure studied in the mathematical subdisciplines of order theory and abstract algebra. It consists of a partially ordered set in which every pair of elements has a unique supremum and a unique infimum. An example is given by the power set of a set, partially ordered by inclusion, for which the supremum is the union and the infimum is the intersection. Another example is given by the natural numbers, partially ordered by divisibility, for which the supremum is the least common multiple and the infimum is the greatest common divisor.

Sedimentation equilibrium in a suspension of different particles, such as molecules, exists when the rate of transport of each material in any one direction due to sedimentation equals the rate of transport in the opposite direction due to diffusion. Sedimentation is due to an external force, such as gravity or centrifugal force in a centrifuge.

In abstract algebra and number theory, Kummer theory provides a description of certain types of field extensions involving the adjunction of nth roots of elements of the base field. The theory was originally developed by Ernst Eduard Kummer around the 1840s in his pioneering work on Fermat's Last Theorem. The main statements do not depend on the nature of the field – apart from its characteristic, which should not divide the integer n – and therefore belong to abstract algebra. The theory of cyclic extensions of the field K when the characteristic of K does divide n is called Artin–Schreier theory.

Statistical learning theory is a framework for machine learning drawing from the fields of statistics and functional analysis. Statistical learning theory deals with the statistical inference problem of finding a predictive function based on data. Statistical learning theory has led to successful applications in fields such as computer vision, speech recognition, and bioinformatics.

Conway's Soldiers or the checker-jumping problem is a one-person mathematical game or puzzle devised and analyzed by mathematician John Horton Conway in 1961. A variant of peg solitaire, it takes place on an infinite checkerboard. The board is divided by a horizontal line that extends indefinitely. Above the line are empty cells and below the line are an arbitrary number of game pieces, or "soldiers". As in peg solitaire, a move consists of one soldier jumping over an adjacent soldier into an empty cell, vertically or horizontally, and removing the soldier which was jumped over. The goal of the puzzle is to place a soldier as far above the horizontal line as possible.

The sensitivity index or discriminability index or detectability index is a dimensionless statistic used in signal detection theory. A higher index indicates that the signal can be more readily detected.

In mathematics, a complete field is a field equipped with a metric and complete with respect to that metric. Basic examples include the real numbers, the complex numbers, and complete valued fields.

In the field of mathematical analysis, a general Dirichlet series is an infinite series that takes the form of

Abelian varieties are a natural generalization of elliptic curves, including algebraic tori in higher dimensions. Just as elliptic curves have a natural moduli space Failed to parse : {\displaystyle \mathcal{M}_{1,1}} over characteristic 0 constructed as a quotient of the upper-half plane by the action of $, there is an analogous construction for abelian varieties using the Siegel upper half-space and the symplectic group .$

Lunar arithmetic, formerly called dismal arithmetic, is a version of arithmetic in which the addition and multiplication operations on digits are defined as the max and min operations. Thus, in lunar arithmetic,

References

↑ Digital Content Protection, LLC. (July 8, 2009). "High-bandwidth Digital Content Protection System" (PDF).
1 2 Irwin, Keith (August 2, 2001). "Four Simple Attacks on HDCP".

External links

Apparent HDCP weaknesses

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Digital Content Protection, LLC. (July 8, 2009). "High-bandwidth Digital Content Protection System" (PDF).

[:0-2] 1 2 Irwin, Keith (August 2, 2001). "Four Simple Attacks on HDCP".

[1]

[2]