{"id":56593,"date":"2024-05-01T20:40:39","date_gmt":"2024-05-01T16:40:39","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178419\/msplayready-cryptoweakness.txt"},"modified":"2024-05-01T20:40:39","modified_gmt":"2024-05-01T16:40:39","slug":"microsoft-playready-cryptography-weakness","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/microsoft-playready-cryptography-weakness\/","title":{"rendered":"Microsoft PlayReady Cryptography Weakness"},"content":{"rendered":"<p>Hello All,<\/p>\n<p>There is yet another attack possible against Protected Media Path<br \/>process beyond the one involving two global XOR keys [1]. The new<br \/>attack may also result in the extraction of a plaintext content key<br \/>value.<\/p>\n<p>The attack has its origin in a white-box crypto [2] implementation.<br \/>More specifically, one can devise plaintext content key from white-box<br \/>crypto data structures of which goal is to make such a reconstruction<br \/>difficult \/ not possible. This alone breaks one of the main security<br \/>objective of white-box cryptography which is to protect the secret key<br \/>(unbreakability) [3].<\/p>\n<p>Contrary to the initial (XOR key) attack, the white-box crypto attack<br \/>is not limited to the given narrow time window (white-box data<br \/>structures need to be present for the time of a movie decryption \/<br \/>playback). Fixing it might require a completely new approach \/<br \/>implementation (current one is obviously flawed).<\/p>\n<p>In that context, white-box crypto attack seems to be more severe than<br \/>the XOR key one.<\/p>\n<p>Additionally, a cryptographic check proving that extracted key values<br \/>correspond to real keys has been conducted for Canal+ Online, Netflix,<br \/>HBO Max, Amazon Prime Video and Sky Showtime.<\/p>\n<p>The check relies on a digital cryptographic signature verification.<br \/>Such a signature is appended at the end of each license issued by<br \/>PlayReady license server.<\/p>\n<p>The crypto check works as following:<br \/>&#8211; plaintext value of a digital signature key encrypted through ECC is<br \/>extracted from a Protected Media Path process<br \/>&#8211; the extracted signature key is used to calculate the AES-CMAC value<br \/>of a binary licence XMR blob<br \/>&#8211; the calculated signature value is checked against the signature<br \/>appended at the end of the issued license<br \/>&#8211; correct AES-CMAC value implicates correct signature key (and correct<br \/>content key)<\/p>\n<p>The above mechanism is also used by Microsoft to verify the<br \/>correctness of decrypted content keys received from a license server.<br \/>It relies on the fact that signature key is part of the same encrypted<br \/>license blob as content key. Thus, successful extraction of a<br \/>signature key implicates successful extraction of a content key.<\/p>\n<p>In the context of no confirmation \/ denial [4] from the platforms<br \/>indicated above as being affected, the crypto check should constitute<br \/>sufficient proof to support that claim alone.<\/p>\n<p>Thank you.<\/p>\n<p>Best Regards,<br \/>Adam Gowdiak<\/p>\n<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br \/>Security Explorations &#8211;<br \/>AG Security Research Lab<br \/>https:\/\/security-explorations.com<br \/>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<\/p>\n<p>References:<br \/>[1] Microsoft Warbird and PMP security research<br \/>https:\/\/security-explorations.com\/microsoft-warbird-pmp.html<br \/>[2] White-box cryptography, Wikipedia<br \/>https:\/\/en.wikipedia.org\/wiki\/White-box_cryptography<br \/>[3] White-Box Security Notions for Symmetric Encryption Schemes<br \/>https:\/\/eprint.iacr.org\/2013\/523.pdf<br \/>[4] Microsoft DRM Hack Could Allow Movie Downloads From Popular<br \/>Streaming Services<br \/>https:\/\/www.securityweek.com\/microsoft-drm-hacking-could-allow-movie-downloads-from-popular-streaming-services\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hello All, There is yet another attack possible against Protected Media Pathprocess beyond the one involving two global XOR keys [1]. The newattack may also result in the extraction of a plaintext content keyvalue. The attack has its origin in a white-box crypto [2] implementation.More specifically, one can devise plaintext content key from white-boxcrypto data &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56593","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56593","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56593"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56593\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56593"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56593"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56593"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}