Circumnavigating AACS for Blu-ray and HD-DVD

It took nearly a month since the first report surfaced, but the Advanced Access Content System Licensing Administrator (AACS LA) confirmed last week that its perimeter has been breached. Well, sort of.

AACS encryption is still secure, the organization points out in a short confirmation of the hack on its site. However, the attack has been on players of AACS-protected content, and those players (not mentioned by name by AACS LA) are what have caused the content keys to be compromised. (The players affected are specific versions of PC playback software.)

This first workaround to AACS appeared reasonably quickly, all things considered. A brief recap: On December 27, 2006, a user by the name of “muslix64” posted on Doom9’s Forum a link to the source code for BackupHDDVD, which he initially described as a tool to decrypt AACS-protected movies, but which really turned out to be a way to circumvent the DRM by finding the Volume Title Keys through a PC-based software player. As recently as January’s CES show in Las Vegas, officials from both the Blu-ray and the HD DVD camps were saying they hadn’t heard of any HD content surfacing on torrents or peer-to-peer networks.

Soon thereafter, though, the jig was up. Two weeks ago, Joss Whedon’s Serenity achieved the dubious honor of becoming the first pirated HD DVD movie (at a whopping 19GB). Other title keys have since appeared in the wild, and are, in the words of AACS LA, “an attack on one or more players sold by AACS licensees.”

The organization notes that it has “both technical and legal measures to deal with attacks such as this one.” Not surprising: Technologically, AACS has ways of “healing itself,” as industry insiders have liked to refer to the scheme’s ability to revoke and renew a player’s key.

How will this work in practice? We’ll see how AACS passes this first test under fire. One solution? The affected players could have their keys revoked–meaning future titles won’t play on those software players. But unless those software players have a built-in way to regularly refresh their keys, they could continue to play hacked titles.

The situation raises a host of issues now for the makers of software players, the makers of hardware content, and the makers of software content. For now–more than a month after muslix64 first brought to light the chinks in AACS’s armor–the silence has been deafening. AACS LA has not released an update stating its response; nor have software player manufacturers like CyberLink and Corel’s InterVideo had any statements. I’ll be intrigued to hear the responses from the studios, the hardware makers, and the player software makers–particularly as new movies and player devices roll out.