Why is encryption so ineffective?
Spliff
Mac Elite
Join Date: Feb 2001
Location: Canaduh
Jun 22, 2005, 11:12 PM
 
I used to read how cracking PGP's encryption would take 1000 years using 10 million computers (or something along those lines). These claims must be BS because it seems that any encryption scheme that's out there gets cracked quickly. e.g., DVD's Macrovision, Apple's Fairplay DRM, Windows XP authentication, etc.

Now today, I read this.

Is it that difficult to create a hard-to-crack encryption scheme? Why can't Microsoft prevent software piracy of XP by requiring a unique 1024-bit registration code? I don't see how Apple will be able to prevent OS X from running on any old Intel machine once someone cracks their protection method (probably within days).
     
jamil5454
Mac Elite
Join Date: Oct 2004
Location: Downtown Austin, TX
Jun 22, 2005, 11:24 PM
 
It's because these people aren't actually cracking the encryption, they're cracking the way the system as a whole works. They're cracking one little aspect to trick the whole system.
     
Spliff  (op)
Mac Elite
Join Date: Feb 2001
Location: Canaduh
Jun 22, 2005, 11:28 PM
 
Originally Posted by jamil5454
It's because these people aren't actually cracking the encryption, they're cracking the way the system as a whole works. They're cracking one little aspect to trick the whole system.
So what is the point of encryption if there are other ways around it? It's effectively useless, like having an armoured front door to your house but leaving the window open.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jun 22, 2005, 11:35 PM
 
Originally Posted by Spliff
So what is the point of encryption if there are other ways around it? It's effectively useless, like having an armoured front door to your house but leaving the window open.
Because there are fewer users with the patience and technical know-how to apply a crack than the ones that will simply download a serial from somewhere. Plus, a crack can make a program unstable or have other weird side effects. Plus, the author of the crack is untrusted and could do any malicious thing he wanted to...

As for a 1024-bit encrypted registration code, I'd love to be able to do that myself, actually. However, it would produce a code far too long for the user to type in manually, so it would require the user to get a registration file rather than a registration code. And I'm not sure how well users would take to that.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Jun 22, 2005, 11:55 PM
 
Originally Posted by Spliff
I used to read how cracking PGP's encryption would take 1000 years using 10 million computers (or something along those lines). These claims must be BS because it seems that any encryption scheme that's out there gets cracked quickly. e.g., DVD's Macrovision, Apple's Fairplay DRM, Windows XP authentication, etc.
It's not BS because you are comparing apples with oranges here.

DVDs, Macrovision, Apple's Fairplay and what you mention are all hacked because the hacker has access to the key. You need to be able to play the DVD, CD, tune etc. so you have a key somewhere (hidden maybe but it's there). Understanding the algorithm and finding the key means you can access all the data. You could before as well, but now you can at will.

You compare this to encryption where the attacker does not have access to the key. If you encrypt an e-mail then you have the key and the receiver has the key to decrypt it, but an attacker who catches the mail in the middle does not. The attacker can not access the data and he won't be able to do so in 1000 years whatever. It's a completely different situation.
     
d4nth3m4n
Addicted to MacNN
Join Date: Oct 2003
Location: Far above Cayuga's waters.
Jun 23, 2005, 12:05 AM
 
cue TRANSLTR.

     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jun 23, 2005, 12:06 AM
 
Originally Posted by TETENAL
It's not BS because you are comparing apples with oranges here.

DVDs, Macrovision, Apple's Fairplay and what you mention are all hacked because the hacker has access to the key. You need to be able to play the DVD, CD, tune etc. so you have a key somewhere (hidden maybe but it's there). Understanding the algorithm and finding the key means you can access all the data. You could before as well, but now you can at will.

You compare this to encryption where the attacker does not have access to the key. If you encrypt an e-mail then you have the key and the receiver has the key to decrypt it, but an attacker who catches the mail in the middle does not. The attacker can not access the data and he won't be able to do so in 1000 years whatever. It's a completely different situation.
Well, not in the case of a registration code for Windows XP or whatever. You could use public/private key encryption in that case, in which the only person who would have the private key would be the developer, and he/she would use it to encrypt some information to create the original registration code. The software would only have the public key to decrypt that code, but wouldn't have the private key to make their own codes at will.

The only problem with this idea is that to make the encryption strong enough, the resulting code would have to be way too long for the user to type in manually...

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Jun 23, 2005, 12:18 AM
 
Originally Posted by CharlesS
Well, not in the case of a registration code for Windows XP or whatever.
Windows isn't encrypted.

Anyway, if software were encrypted, then again you need to send the user the key to decrypt it. And that's case b). The hacker has access to the key.

Whenever the attacker does not have access to the key modern encryption algorithms are effective.
     
JoshuaZ
Professional Poster
Join Date: Jun 2005
Location: Yamanashi, Japan
Jun 23, 2005, 01:46 AM
 
Because people are smart, and have a lot of free time.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jun 23, 2005, 01:47 AM
 
Originally Posted by TETENAL
Windows isn't encrypted.

Anyway, if software were encrypted, then again you need to send the user the key to decrypt it. And that's case b). The hacker has access to the key.

Whenever the attacker does not have access to the key modern encryption algorithms are effective.
Uh, I didn't say Windows was encrypted. I was talking about registration codes. You'd have the public key to decrypt the code, but you wouldn't have the private key to encrypt it, which you'd need to do to create pirated serial numbers for Surfer's Serials or whatever. Did you even read my post?

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
GSixZero
Mac Elite
Join Date: Aug 2004
Location: Seattle, WA
Jun 23, 2005, 01:48 AM
 
There's a lot of misinformation in this thread.

Encryption is different than protection. Windows, iTunes, etc. are not encrypted, they just have an outer layer of protection. Once that outer layer is broken the inside is unrestricted, be it music or software. If the insides were encrypted, they would be totally inaccessible. The problem with those files is having them be restricted, but still accessible. Apple wants you to be able to listen to your music in iTunes, but not on your Rio.

Properly encrypted files are functionally impossible to break. They have no layer of protection because all the information is encrypted and unintelligible.

Imagine it like this. Windows and iTunes are like locking a Ferrari in a garage. If you can break the lock, you can open the door and drive the car away. Encryption is like totally disassembling the car and leaving it in a pile on your driveway. All the materials needed are there to build that car, but without the directions on how to assemble it, it's useless.

ImpulseResponse
     
goMac
Posting Junkie
Join Date: May 2001
Location: Portland, OR
Jun 23, 2005, 04:23 AM
 
The problem is that at some point, that information needs to be decoded. Whatever is decoding the information, in addition to the information, will need the key to decode it. How do you securely send someone encrypted info if you have to send them the key to unencrypt things too?

The various systems try and find ways of getting around this, but cracking them is simply done by finding a way to fake the key or get the actual one. In the case of iTunes, Apple didn't seem to have tried too hard. The key is your iTunes account. Also songs are not encrypted when they are downloaded. Your machine actually handles the encryption itself.
8 Core 2.8 ghz Mac Pro/GF8800/2 23" Cinema Displays, 3.06 ghz Macbook Pro
Once you wanted revolution, now you're the institution, how's it feel to be the man?
     
wataru
Addicted to MacNN
Join Date: Oct 2001
Location: Yokohama, Japan
Jun 23, 2005, 04:37 AM
 
Originally Posted by GSixZero
There's a lot of misinformation in this thread.

Encryption is different than protection. Windows, iTunes, etc. are not encrypted, they just have an outer layer of protection. Once that outer layer is broken the inside is unrestricted, be it music or software. If the insides were encrypted, they would be totally inaccessible. The problem with those files is having them be restricted, but still accessible. Apple wants you to be able to listen to your music in iTunes, but not on your Rio.

Properly encrypted files are functionally impossible to break. They have no layer of protection because all the information is encrypted and unintelligible.

Imagine it like this. Windows and iTunes are like locking a Ferrari in a garage. If you can break the lock, you can open the door and drive the car away. Encryption is like totally disassembling the car and leaving it in a pile on your driveway. All the materials needed are there to build that car, but without the directions on how to assemble it, it's useless.
Speaking of misinformation

iTunes does encrypt music files you purchase through the iTMS. But this encryption is cracked relatively easily because it's not hard to get at the keys (either stored on an iPod or gotten directly from Apple by a program pretending to be iTunes).
     
Millennium
Clinically Insane
Join Date: Nov 1999
Jun 23, 2005, 06:53 AM
 
wataru is correct. Every so-called "crack" of a DRM system thus far has come not from a flaw in the encryption, but from hackers finding the keys on the machines. To understand why this works, you have to understand how public-key encryption works, and why DRM schemes don't use it correctly.

In public-key encryption, you use two "keys". If you encrypt a file with one key, then only the other key can decrypt it; even the key which encrypted it won't work for decrypting. Typically, you designate one key as a public key, which you distribute as widely as possible, and you keep the other key -the private key- for yourself.

Once you've done this, there are two ways you can use the key. If you encrypt a message with your private key, then anyone who has your public key can decrypt it. This may seem bad, but it has its uses: because only you have the private key, recipients can be certain that the message came from you and hasn't been altered, or else the decryption wouldn't have worked. That's what a digital signature is: a small piece of data encrypted with the sender's private key, which you can decrypt to make sure it's coming from the right place. This is extremely useful for authentication, but not very useful for keeping stuff secret, since the decryption key is publicly available.

The other way to use encryption is to encrypt your message with somebody else's public key. Once you've done that, only the private key will decrypt it (the public key won't work for that). Since only the person who made the public key has the private key, only that person will be able to decrypt the message. This is how you keep messages secret using encryption. Of course, since the encryption key is public, anyone could have sent the message. Truly secure systems will first sign the message (with the sender's private key) and then encrypt it with the recipient's public key.

Now, how does all this apply to DRM? The truth of the matter is that media companies do encrypt their messages, but they don't do it right. They encrypt the media with one key, which they keep secret, and then they put the other key on the media players (they have to, or the players wouldn't be able to play the media). If you go back through my explanation, though, you find that this isn't really encrypting for secrecy. In essence, all they're doing is signing the media. This is also why the "cracks" people have done against DRM systems haven't truly broken anything; you see many decryptors, but no one has been able to encrypt new things. If they could do that, then the system would be cracked, because that would mean that they have both keys. But all they've found, in essence, was the public key, and that's not supposed to be difficult anyway.

In other words, properly-used encryption is still very secure. The problem is that the media companies aren't using it properly, and that's why their DRM has been so easy to defeat.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
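
The registration-code idea from CharlesS's posts and the signing mechanism Millennium describes above, as an added example that is not part of the thread or any vendor's code. It uses textbook RSA without padding for brevity (an assumption; production code would use a padded signature scheme), and all function names and the licensee strings are constructed for illustration. The software holds only the public values, so it can check a code but cannot mint one, and a 1024-bit code comes out at 205 base32 characters.

```python
import base64
import hashlib
import math
import secrets

# Textbook (unpadded) RSA for illustration; production code would use a padded scheme.
E = 65537  # public exponent shipped inside the software

def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random prime with the top two bits set, so p*q has exactly 2*bits bits."""
    while True:
        c = secrets.randbits(bits) | (0b11 << (bits - 2)) | 1
        if math.gcd(c - 1, E) == 1 and is_probable_prime(c):
            return c

def generate_keypair(bits=1024):
    """Developer side: returns (n, d). n is public, d never leaves the developer."""
    p = random_prime(bits // 2)
    q = random_prime(bits // 2)
    while q == p:
        q = random_prime(bits // 2)
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _digest(licensee, n):
    return int.from_bytes(hashlib.sha256(licensee.encode()).digest(), "big") % n

def issue_code(licensee, n, d):
    """Developer side: sign the licensee name; the signature is the code."""
    sig = pow(_digest(licensee, n), d, n)
    raw = sig.to_bytes((n.bit_length() + 7) // 8, "big")
    return base64.b32encode(raw).decode().rstrip("=")

def verify_code(licensee, code, n):
    """Software side: needs only the public values n and E."""
    try:
        raw = base64.b32decode(code + "=" * (-len(code) % 8))
    except ValueError:
        return False
    sig = int.from_bytes(raw, "big")
    return sig < n and pow(sig, E, n) == _digest(licensee, n)

if __name__ == "__main__":
    n, d = generate_keypair()
    code = issue_code("alice@example.com", n, d)  # constructed licensee
    print(len(code), "characters to type:", code[:20] + "...")
    print("valid for alice:", verify_code("alice@example.com", code, n))
    print("valid for bob:  ", verify_code("bob@example.com", code, n))
```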
     
analogika
Posting Junkie
Join Date: Feb 2005
Location: 888500128
Jun 23, 2005, 10:42 AM
 
Wow, thanks for that, Mill.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jun 23, 2005, 01:14 PM
 
Originally Posted by Millennium
In other words, properly-used encryption is still very secure. The problem is that the media companies aren't using it properly, and that's why their DRM has been so easy to defeat.
That was a pretty good explanation, except for this part. The media companies aren't using it properly? How are they supposed to make the songs still playable on people's computers, iPods, etc. without putting the public key in the player?

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Millennium
Clinically Insane
Join Date: Nov 1999
Jun 23, 2005, 01:20 PM
 
Originally Posted by CharlesS
That was a pretty good explanation, except for this part. The media companies aren't using it properly? How are they supposed to make the songs still playable on people's computers, iPods, etc. without putting the public key in the player?
They can't, and this is part of the point: encryption as we know it is not an appropriate tool for this particular task. If they ever want to create a truly effective DRM scheme, they're going to have to look beyond encryption for the answers.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jun 23, 2005, 01:34 PM
 
Originally Posted by Millennium
They can't, and this is part of the point: encryption as we know it is not an appropriate tool for this particular task. If they ever want to create a truly effective DRM scheme, they're going to have to look beyond encryption for the answers.
Right, but that doesn't mean that they're using the encryption improperly. If that were the case, then that would mean there would be a proper way to use encryption which would meet their needs. This is the part of your post that I object to.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
nonhuman
Posting Junkie
Join Date: Jun 2001
Location: Baltimore, MD
Jun 23, 2005, 02:36 PM
 
Originally Posted by CharlesS
Right, but that doesn't mean that they're using the encryption improperly. If that were the case, then that would mean there would be a proper way to use encryption which would meet their needs. This is the part of your post that I object to.
They are using encryption improperly: it's the wrong tool for the job. If you use a hammer to drive screws, you're using that hammer improperly, even though it will (sorta) get the job done.

Using encryption properly would mean not using it for a task it's not designed for.
     
Millennium
Clinically Insane
Join Date: Nov 1999
Jun 23, 2005, 04:38 PM
 
Originally Posted by CharlesS
Right, but that doesn't mean that they're using the encryption improperly. If that were the case, then that would mean there would be a proper way to use encryption which would meet their needs. This is the part of your post that I object to.
Here's the thing. They want to keep anyone who isn't authorized to access their media from doing so. That's an ideal task for encryption, which is probably why they elected to try it in the first place. My point is that even if encryption were a good method for DRM, it wouldn't matter because they're using it wrong.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jun 23, 2005, 05:35 PM
 
Originally Posted by nonhuman
They are using encryption improperly: it's the wrong tool for the job. If you use a hammer to drive screws, you're using that hammer improperly, even though it will (sorta) get the job done.

Using encryption properly would mean not using it for a task it's not designed for.
I dunno, I think it does its job all right. You just have to realize what its job is. It'll never be possible to make a music file impossible to crack and still able to play on your iPod. Period. However, the encryption makes it more difficult for the average Joe to crack it. Sure, someone who knows what he/she is doing can find the key without too much difficulty, but the people who know how to do this will always be a minority, and then you have the whole problem of being vulnerable to the DMCA by doing so.

Can you think of any way to make a music file 100% crack-proof and still able to play on the iPod? Because I can't.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Jun 23, 2005, 06:20 PM
 
It's my impression that the Blu-ray or HD-DVD hi-def movies will have a much stronger encryption, with tons of spare keys so they can expire broken ones, etc. So does this mean that we probably won't be able to rip next-gen HD movies as we can with DVDs? I've gotten so used to being able to time-shift rentals, rip movies for watching from a quiet hard drive instead of optical drive, etc... It'll be a bummer.

Also, correct me if I'm wrong, but there still isn't a crack for Windows Media DRM, right? I know there was a Winamp hole that allowed access to the decoded audio stream, but there's no equivalent of JHymn for WM, correct?
     
nonhuman
Posting Junkie
Join Date: Jun 2001
Location: Baltimore, MD
Jun 23, 2005, 07:02 PM
 
Originally Posted by CharlesS
I dunno, I think it does its job all right. You just have to realize what its job is. It'll never be possible to make a music file impossible to crack and still able to play on your iPod. Period. However, the encryption makes it more difficult for the average Joe to crack it. Sure, someone who knows what he/she is doing can find the key without too much difficulty, but the people who know how to do this will always be a minority, and then you have the whole problem of being vulnerable to the DMCA by doing so.
The thing is, as soon as one person cracks it, that crack is available to everyone. And then it's only a matter of time before someone makes it easy for your average joe to apply that crack to their own music.

Can you think of any way to make a music file 100% crack-proof and still able to play on the iPod? Because I can't.
Sure, assign a big thug with a shotgun to everyone who purchases music to make sure they don't crack it.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jun 23, 2005, 08:31 PM
 
The whole concept of DRM is flawed. Instead of limiting how the media can be played back, they should have tried some other approach that SPECIFICALLY ADDRESSED UNAUTHORIZED DISTRIBUTION BY THE BUYER.

A "watermark" signature in each file, akin to a serial number, would serve several purposes toward this end. First, it could be used to establish that "John A." was authorized to have that file by creating the serial number in such a way that it included John A.'s identity - his phone number, username, something like that. Second, it would be a surefire way to identify where a pirated copy had come from, as that serial number would (as above) identify the authorized owner. The "watermarked" files could easily be in a file format that players recognized as requiring ANY watermark to be valid files. These files would be stored in an unencrypted form, wouldn't require any special handling, and wouldn't cause any problems for valid uses. They'd just point a very damning finger at the original purchaser.

Finally, with all DRM systems I'm aware of, you can easily create an audio CD from the downloaded songs. And it's trivial to rip an audio CD into MP3s. So what's the point in spending all the time and money on the DRM software and distribution schemes, when ANYBODY can simply burn to audio, rip, and distribute the songs-without ANY way of determining who did it?

Glenn -----OTR/L, MOT, Tx
     
   
 