1. Field of the Invention
The present invention relates generally to broadcast data encryption that uses encryption keys.
2. Description of the Related Art
The above-referenced application discloses a system for encrypting publicly sold music, videos, and other content. As set forth in the above-referenced application, only authorized player-recorders can play and/or copy the content and only in accordance with rules established by the vendor of the content. In this way, pirated copies of content, which currently cost content providers billions of dollars each year, can be prevented.
In the encryption method disclosed in the above-referenced application, authorized player-recorders are issued software-implemented device keys from a matrix of device keys. Specifically, the matrix of device keys includes plural rows and columns, and each authorized player-recorder is issued a single key from each column. The keys can be issued simultaneously with each other or over time, but in any event, no player-recorder is supposed to have more than one device key per column of the matrix. Using its device keys, an authorized player-recorder can decrypt a media key that in turn can be used to decrypt content that is contained on, e.g., a disk and that has been encrypted using the device keys. Because the player-recorder is an authorized device that is programmed to follow content protection rules, it then plays/copies the content in accordance with predefined rules that protect copyright owners' rights in digitized, publicly sold content.
In the context of DVD audio disks, it is anticipated that each column in the media key block will contain 25,000 entries, with each entry representing the encryption of a common media key using one of 25,000 device keys. A single media key block might apply, for instance, to a batch of 100,000 DVD disks or other media, such as CDs, flash memory, and hard disk drives. An authorized device can use its device key to decrypt the entry pertaining to it, to thereby obtain the media key. The media key is then used to decrypt the content.
The present invention recognizes that since each device key disclosed in the referenced application is 56 bits long, to guess a particular key would require, on average, 2^55 guesses, currently an impractically large number for a hacker to deal with. The present invention further recognizes, however, that since a single media key is encrypted once for each of, say, 25,000 device keys in a column, if a hacker obtained a media key block and the associated media key, the hacker could encrypt the media key with a guessed-at device key and then determine whether the result matches any of the 25,000 entries in the media key block column. If so, the hacker has compromised a device key that can then be provided to pirate (unauthorized) recorders to decrypt media key blocks from the current disk batch or any subsequent disk batch. If no match is found by the hacker, the hacker tries again with another guessed-at device key. This type of attack, referred to herein as a “coincidence” attack, consumes time but not so much that hacking a device key becomes impracticable. It is against this attack that the present invention is directed.
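The following added example, which is not part of the original disclosure, quantifies how much key strength a column gives up when one media key is encrypted under many device keys. It measures the effect on a toy key space and then applies the same formula to the figures above. The 14-bit toy key size, the truncated SHA-256 stand-in for the cipher, and all function names are assumptions made for illustration.

```python
import hashlib
import math
import random

KEY_BITS = 14  # toy key size (assumption) so the simulation is fast; the page's keys are 56 bits

def toy_encrypt(key: int, media_key: bytes) -> bytes:
    """Stand-in keyed function (truncated SHA-256), not the referenced application's cipher."""
    return hashlib.sha256(key.to_bytes(8, "big") + media_key).digest()[:8]

def expected_guesses(key_bits: int, entries: int) -> float:
    """Mean position of the first hit when `entries` distinct keys sit among 2**key_bits."""
    return (2 ** key_bits + 1) / (entries + 1)

def effective_bits(key_bits: int, entries: int) -> float:
    """Work factor, in bits, left after one media key is encrypted under `entries` keys."""
    return math.log2(expected_guesses(key_bits, entries))

def guesses_until_match(entries: int, rng: random.Random) -> int:
    """One trial: count non-repeating guesses until a guess reproduces a column entry."""
    keyspace = 2 ** KEY_BITS
    media_key = rng.getrandbits(64).to_bytes(8, "big")  # constructed sample media key
    device_keys = rng.sample(range(keyspace), entries)  # distinct keys for one column
    column = {toy_encrypt(k, media_key) for k in device_keys}
    order = list(range(keyspace))
    rng.shuffle(order)
    for count, guess in enumerate(order, start=1):
        if toy_encrypt(guess, media_key) in column:
            return count
    raise AssertionError("unreachable: every device key lies in the key space")

def mean_guesses(entries: int, trials: int, seed: int = 1) -> float:
    """Average guess count over `trials` independent columns."""
    rng = random.Random(seed)
    return sum(guesses_until_match(entries, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    for n in (1, 64):
        print(f"toy {KEY_BITS}-bit keys, {n:>2} entries: "
              f"measured {mean_guesses(n, 100):8.1f}, predicted {expected_guesses(KEY_BITS, n):8.1f}")
    for n in (1, 25_000):
        print(f"56-bit keys, {n:>6} entries: about 2^{effective_bits(56, n):.1f} guesses")
```

With 25,000 entries sharing one media key, the expected work against a 56-bit key falls from about 2^55 guesses to about 2^41.4, which is the reduction the coincidence attack relies on.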