{"id":56715,"date":"2024-05-09T20:29:57","date_gmt":"2024-05-09T16:29:57","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178521\/msplayready-identitydisclose.txt"},"modified":"2024-05-09T20:29:57","modified_gmt":"2024-05-09T16:29:57","slug":"microsoft-playready-complete-client-identity-compromise","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/microsoft-playready-complete-client-identity-compromise\/","title":{"rendered":"Microsoft PlayReady Complete Client Identity Compromise"},"content":{"rendered":"

Hello All,<\/p>\n

We have come up with two attack scenarios that make it possible to
extract private ECC keys used by a PlayReady client (Windows SW DRM
scenario) for the communication with a license server and identity
purposes.<\/p>\n

More specifically, we successfully demonstrated the extraction of the
following keys:
– private signing key used to digitally sign license requests issued
by PlayReady client,
– private encryption key used to decrypt license responses received by
the client (decrypt license blobs carrying encrypted content keys).<\/p>\n

A proof for the above (which Microsoft should be able to confirm) is
available at this link:
https:\/\/security-explorations.com\/samples\/wbpmp_id_compromise_proof.txt<\/p>\n

While PlayReady security is primary about security of content keys,
ECC keys that make up client identity are even more important. Upon
compromise, these keys can be used to mimic a PlayReady client outside
of a Protected Media Path environment and regardless of the imposed
security restrictions.<\/p>\n

In that context, extraction of ECC keys used as part of a PlayReady
client identity constitute an ultimate compromise of a PlayReady
client on Windows (“escape” of the PMP environment, ability to request
licenses and decrypt content keys).<\/p>\n

Content key extraction from Protected Media Path process (through XOR
key or white-box crypto data structures) in a combination with this
latest identity compromise attack means that there is nothing left to
break when it comes to Windows SW DRM implementation.<\/p>\n

Let this serve as a reminder that PlayReady content protection
implemented in software and on a client side has little chances of a
\u201csurvival\u201d (understood as a state of not being successfully reverse
engineered and compromised). In that context, this is vendor\u2019s
responsibility to constantly increase the bar and with the use of all
available technological means.<\/p>\n

Thank you.<\/p>\n

Best Regards,
Adam Gowdiak<\/p>\n

———————————-
Security Explorations –
AG Security Research Lab
https:\/\/security-explorations.com
———————————-<\/p>\n

Packet Storm Editor Note – below is wbpmp_id_compromise_proof.txt<\/p>\n

c:\\_MNT\\PROJECTS\\WBPMP\\code\\toolkit>shell
# MS Play Ready \/ Canal+ VOD toolkit
# (c) Security Explorations 2016-2019 Poland
# (c) AG Security Research 2019-2022 Poland<\/p>\n

loaded cdn [CDN helper]loaded mspr [MS Play Ready toolkit]loaded vod [CANALP VOD toolkit]loaded cgaweb [CANALP CGAWeb toolkit]msprcp> set CDM_DIR cdm\\w10
msprcp> identity
0C86330B0E98CD7C586F336088DAFA0E
4F72F3CBDC81C849F635AE556A73679F
902B255736B6E891F3AF30F98B0A5DBA
D9A5C7A90F8DEA029AA8FB1C95887BE3
E82DFAE7A9DB21FC1ECF33C1DADC54B7
msprcp> identity 0C86330B0E98CD7C586F336088DAFA0E -v
[0C86330B0E98CD7C586F336088DAFA0E]\n

PRKF
version: 3
attr: 100c Unknown
data
0000: 00 04 00 00 ….
attr: 1000 Unknown
data
0000: 00 01 10 01 00 00 00 2c 00 02 00 80 00 01 00 00 …….,……..
0010: ea 3c 67 da 4e 43 de e0 00 00 00 10 30 e1 4c db .<g.NC……0.L.
0020: 9d 23 9e 97 f7 1d ac 03 13 c2 2b 69 00 01 10 02 .#……..+i….
0030: 00 00 00 7c 00 01 01 00 00 00 00 40 cb 27 6f 9f …|…….@.’o.
0040: 9f 76 46 64 54 23 19 ef 9c c7 69 0f 9c 3b e3 75 .vFdT#….i..;.u
0050: 8b d3 78 2a 8d 03 fb a8 bf 9e 1c 6d f7 10 1c 69 ..x*…….m…i
0060: 94 2c 4d 07 d9 68 8b 61 09 85 bb d3 4e e8 58 20 .,M..h.a….N.X.
0070: e2 0c c9 bc a9 a8 1e b7 f6 59 65 7d 00 62 e4 7a ………Ye}.b.z
0080: 4a 93 87 21 00 00 00 20 93 de eb 4b ab b4 b2 c1 J..!…….K….
0090: 71 9b 3c fc cf a8 b9 7e f2 a9 4f e1 07 39 17 fd q.<…….O..9..
00a0: 23 10 72 8a 29 95 bf d8 00 01 10 11 00 00 00 3c #.r.)……….<
00b0: 00 02 00 80 2d 82 c1 90 50 2c e7 55 00 00 00 10 ….-…P,.U….
00c0: 8f 03 13 45 06 c3 b4 3e fb 7f 1d 77 e8 ca 2d 07 …E…>…w..-.
00d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
00e0: 00 00 00 00 ….
attr: 1009 Identities
IdentityInfo
pubkey
0000: f0 34 a0 f4 28 79 dc a4 73 88 c8 fa a6 46 40 94 .4..(y..s….F@.
0010: ef 10 f7 4b f4 42 5e 2e 51 c1 08 67 9d 9a 4b 2e …K.B^.Q..g..K.
0020: af 2b ed 89 8e dd bb eb 1b ad 68 df 9c 33 d2 8b .+……..h..3..
0030: 1d f3 a5 77 1a d2 a0 a3 b9 4d 83 6d 24 a4 2a 03 …w…..M.m$.*.
prvkey
0000: 31 d5 b7 ab dd 28 44 52 3b 8a ac 6c e2 c5 4e 34 1….(DR;..l..N4
0010: 61 1d 97 8f e1 4f 63 e9 c0 14 8a 83 6c 5f 3f cc a….Oc…..l_?.
IdentityInfo
pubkey
0000: 42 b2 a0 ff 38 1c 34 cc 67 06 3b 50 e1 2e 0d de B…8.4.g.;P….
0010: 74 49 55 29 38 ef 66 0c 60 5c 90 9f 8c b0 49 43 tIU)8.f…….IC
0020: 0f e7 a8 1f 2f 67 5a b2 90 5c 3e 2e 99 62 19 b4 ….\/gZ…>..b..
0030: 4a 39 8b 23 64 5e 4c d7 cc 95 38 bd 3c d3 2b f7 J9.#d^L…8.<.+.
prvkey
0000: d7 60 5c 71 57 a0 01 7c 58 e2 e7 79 a8 b1 12 55 …qW..|X..y…U
0010: 1d 72 14 f0 d9 2c ef 04 6c cc 57 c1 2e 9b e3 b4 .r…,..l.W…..
IdentityInfo
pubkey
0000: cb 27 6f 9f 9f 76 46 64 54 23 19 ef 9c c7 69 0f .’o..vFdT#….i.
0010: 9c 3b e3 75 8b d3 78 2a 8d 03 fb a8 bf 9e 1c 6d .;.u..x*…….m
0020: f7 10 1c 69 94 2c 4d 07 d9 68 8b 61 09 85 bb d3 …i.,M..h.a….
0030: 4e e8 58 20 e2 0c c9 bc a9 a8 1e b7 f6 59 65 7d N.X……….Ye}
prvkey
0000: 4c 33 c6 8e 0e f1 b6 f1 0c d5 31 6b 40 94 aa 68 L3……..1k@..h
0010: 32 cc 68 1b 00 3b fc 65 8b c4 3c e3 cb 62 de fc 2.h..;.e..<..b..
0020: 11 ef 51 7b 92 73 a1 84 24 ac 71 33 cf 76 d3 05 ..Q{.s..$.q3.v..
0030: 44 2d 4e 12 79 3f 3f 09 7a 4e 4d 51 ac 78 a7 3c D-N.y??.zNMQ.x.<
0040: 6b k
IdentityCertChain
CERT CHAIN:
### CERT
– random
0000: 07 80 59 24 9a b6 7e 48 c3 7f 6d 38 30 af f0 b6 ..Y$…H..m80…
– seclevel 2000
– uniqueid
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
– pubkey_sign
0000: 42 b2 a0 ff 38 1c 34 cc 67 06 3b 50 e1 2e 0d de B…8.4.g.;P….
0010: 74 49 55 29 38 ef 66 0c 60 5c 90 9f 8c b0 49 43 tIU)8.f…….IC
0020: 0f e7 a8 1f 2f 67 5a b2 90 5c 3e 2e 99 62 19 b4 ….\/gZ…>..b..
0030: 4a 39 8b 23 64 5e 4c d7 cc 95 38 bd 3c d3 2b f7 J9.#d^L…8.<.+.
– pubkey_enc
0000: cb 27 6f 9f 9f 76 46 64 54 23 19 ef 9c c7 69 0f .’o..vFdT#….i.
0010: 9c 3b e3 75 8b d3 78 2a 8d 03 fb a8 bf 9e 1c 6d .;.u..x*…….m
0020: f7 10 1c 69 94 2c 4d 07 d9 68 8b 61 09 85 bb d3 …i.,M..h.a….
0030: 4e e8 58 20 e2 0c c9 bc a9 a8 1e b7 f6 59 65 7d N.X……….Ye}
– digest
0000: c5 c4 33 e5 4e b0 c5 b3 5b e9 89 9b de 89 b4 cd ..3.N…[…….
0010: e5 e1 c3 bb 80 c3 88 87 17 40 95 0b 3a 82 cc 89 ………@..:…
– signature
0000: 23 ce 2a 20 50 24 8f 32 3d 5a 08 5c 88 dd 65 dd #.*.P$.2=Z….e.
0010: 93 66 be ec 7a d5 c6 39 80 66 c1 f5 36 4e b7 08 .f..z..9.f..6N..
0020: 9d 7b 59 05 79 3b 49 08 4f 94 af 7f b8 96 4e 81 .{Y.y;I.O…..N.
0030: bd ff fe 38 61 d8 08 90 96 2c b6 32 ee ba 75 5f …8a….,.2..u_
– signkey
0000: 59 86 b7 a2 a9 d6 b3 06 1f 5d 20 08 f6 97 ee f5 Y……..]……
0010: bc c6 15 cb e6 4e f9 60 7a 83 55 3d c0 3a 21 b6 …..N..z.U=.:!.
0020: d4 c7 33 e2 71 7e 1c ad 00 e5 20 70 87 64 66 9e ..3.q……p.df.
0030: ee 5f 4d 78 b1 c6 42 3a f9 6f af 6a 44 cf ef 3d ._Mx..B:.o.jD..=
– sig status: BAD SIGNATURE
### CERT
– names
* Microsoft
* Windows
* 6.4.9.000
– random
0000: 28 37 b2 3d a4 70 a4 7f f0 8c 69 78 3c 6c 38 cd (7.=.p….ix<l8.
– seclevel 2000
– uniqueid
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
– pubkey_sign
0000: 59 86 b7 a2 a9 d6 b3 06 1f 5d 20 08 f6 97 ee f5 Y……..]……
0010: bc c6 15 cb e6 4e f9 60 7a 83 55 3d c0 3a 21 b6 …..N..z.U=.:!.
0020: d4 c7 33 e2 71 7e 1c ad 00 e5 20 70 87 64 66 9e ..3.q……p.df.
0030: ee 5f 4d 78 b1 c6 42 3a f9 6f af 6a 44 cf ef 3d ._Mx..B:.o.jD..=
– digest
0000: 68 d5 b6 78 9c 6c c4 63 36 50 62 4a cc 20 c0 08 h..x.l.c6PbJ….
0010: 16 1b 0a e9 31 0c 68 97 dc eb 1a 41 1b df 6b 75 ….1.h….A..ku
– signature
0000: c2 a3 13 ec e8 a9 f0 77 70 df 3d 8b 2b ed 08 68 …….wp.=.+..h
0010: b0 79 c9 d2 40 84 26 a9 1d 16 00 4a 73 76 81 c7 .y..@.&….Jsv..
0020: aa 1f 75 78 6d 17 20 6e 15 e1 8f 2d 39 c8 db 05 ..uxm..n…-9…
0030: 00 0d b5 6f 88 27 04 ed a4 8f 24 7f c7 f7 da b4 …o.’….$…..
– signkey
0000: e7 3a 1b a7 c0 65 9e 6d 2f 45 5c 9d 80 91 cc da .:…e.m\/E……
0010: 96 c9 63 6b 4f 63 a1 78 18 f5 54 e4 bd 19 97 14 ..ckOc.x..T…..
0020: 81 07 fe d9 8a bf 0e 6b 8e 96 81 58 e6 90 7c a7 …….k…X..|.
0030: df 1d 66 cf a3 58 f7 7b 1c 4e 62 d0 28 11 56 9c ..f..X.{.Nb.(.V.
– sig status: OK
### CERT
– names
* Microsoft
* PlayReady SL2000 Device Port- Windows Lib Codebase Version CA
* 1.0.0.4
– random
0000: db 51 85 24 63 ac 07 0b aa c9 91 f9 c4 0a 07 2a .Q.$c……….*
– seclevel 2000
– uniqueid
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
– pubkey_sign
0000: e7 3a 1b a7 c0 65 9e 6d 2f 45 5c 9d 80 91 cc da .:…e.m\/E……
0010: 96 c9 63 6b 4f 63 a1 78 18 f5 54 e4 bd 19 97 14 ..ckOc.x..T…..
0020: 81 07 fe d9 8a bf 0e 6b 8e 96 81 58 e6 90 7c a7 …….k…X..|.
0030: df 1d 66 cf a3 58 f7 7b 1c 4e 62 d0 28 11 56 9c ..f..X.{.Nb.(.V.
– digest
0000: 63 70 b4 92 33 b1 cf 78 7f 9e 36 01 29 e0 29 b2 cp..3..x..6.).).
0010: f7 cf b1 cc 0b 71 5d 6a 02 24 df 01 75 d2 2f 0e …..q]j.$..u.\/.
– signature
0000: 99 f3 5b 4b 55 a8 8d a8 bd 18 db 94 8e b0 31 1f ..[KU………1.
0010: 14 a4 43 41 64 f7 fd 81 cd 1e 57 68 0e f1 2c 40 ..CAd…..Wh..,@
0020: c4 c2 19 20 78 37 41 07 c1 e3 54 ec fb 64 19 18 ….x7A…T..d..
0030: 13 5b 2c 5a 34 7f 1f 48 7a 88 5a 02 33 e5 b9 76 .[,Z4..Hz.Z.3..v
– signkey
0000: 7d 91 d4 6d 44 f0 29 2a bd b9 72 d7 9b dc bc f8 }..mD.)*..r…..
0010: 35 ad 17 27 cb c8 35 37 7e 91 43 58 44 f9 1b 3f 5..’..57..CXD..?
0020: 71 be 7c 6b 04 0d bf d4 f7 80 8b 7a 0c 47 f7 82 q.|k…….z.G..
0030: 30 2b 9c 29 5f 05 eb c3 92 71 f5 47 88 41 fd 1b 0+.)_….q.G.A..
– sig status: OK
### CERT
– names
* Microsoft
* PlayReady SL2000 Device Port – Windows Platform CA for x86\/amd64
* 1.0.0.3
– random
0000: 4a ee c4 a0 0d c9 57 ab 14 52 de 28 54 42 f3 84 J…..W..R.(TB..
– seclevel 2000
– uniqueid
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
– pubkey_sign
0000: 7d 91 d4 6d 44 f0 29 2a bd b9 72 d7 9b dc bc f8 }..mD.)*..r…..
0010: 35 ad 17 27 cb c8 35 37 7e 91 43 58 44 f9 1b 3f 5..’..57..CXD..?
0020: 71 be 7c 6b 04 0d bf d4 f7 80 8b 7a 0c 47 f7 82 q.|k…….z.G..
0030: 30 2b 9c 29 5f 05 eb c3 92 71 f5 47 88 41 fd 1b 0+.)_….q.G.A..
– digest
0000: 2f ad a9 0e 8f 7e 82 47 7a 2e 82 c3 6d 0c 20 c7 \/……Gz…m…
0010: 0b 58 95 d7 2e 85 21 28 83 b1 9c 27 0b 49 dc 21 .X….!(…’.I.!
– signature
0000: 9e fb bf 14 68 cc 5e 0f db 21 7d 11 dc 67 4a 23 ….h.^..!}..gJ#
0010: 71 c7 ac 34 73 bb 48 ee a3 33 c3 c9 55 62 2e c2 q..4s.H..3..Ub..
0020: bb 36 01 af cd dc 88 48 01 fa d2 2b 4b 3f e3 75 .6…..H…+K?.u
0030: 48 44 98 40 9d db 53 0f 44 25 a5 65 fd 29 61 7e HD.@..S.D%.e.)a.
– signkey
0000: a1 87 e3 42 5c 05 f7 a4 52 85 d6 fe c8 17 f7 3b …B….R……;
0010: 69 64 74 e2 b9 e1 61 4b a3 fa 51 b9 ad fe 9d 27 idt…aK..Q….’
0020: 3f 6a 4e 50 75 e0 1d f2 ab 18 61 e7 c2 e1 9b d2 ?jNPu…..a…..
0030: 87 99 86 8f 97 f7 cb a2 1d 97 73 19 ba b8 be 92 ……….s…..
– sig status: OK
### CERT
– names
* Microsoft
* PlayReady SL2000 Device Port + Link CA
* 1.0.0.1
– random
0000: ec aa b6 cd 0b 16 ca df e9 a8 82 52 b4 58 9c a9 ………..R.X..
– seclevel 2000
– uniqueid
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
– pubkey_sign
0000: a1 87 e3 42 5c 05 f7 a4 52 85 d6 fe c8 17 f7 3b …B….R……;
0010: 69 64 74 e2 b9 e1 61 4b a3 fa 51 b9 ad fe 9d 27 idt…aK..Q….’
0020: 3f 6a 4e 50 75 e0 1d f2 ab 18 61 e7 c2 e1 9b d2 ?jNPu…..a…..
0030: 87 99 86 8f 97 f7 cb a2 1d 97 73 19 ba b8 be 92 ……….s…..
– digest
0000: ed 0f 33 d6 b4 ab f0 8d c0 1a 47 1f d0 13 68 0e ..3…….G…h.
0010: 0c 12 e3 a9 ce d3 00 f9 9b 45 af 61 f1 68 4d 64 ………E.a.hMd
– signature
0000: 31 60 bc 8c 1f 0e 5e fe ea 80 83 79 b4 ad 02 74 1…..^….y…t
0010: f1 c9 20 f9 c8 93 f0 ca 5c c7 72 e6 5c 97 8e 88 ……….r…..
0020: a8 9f c5 b0 7b b6 d0 8f 50 33 20 fa 34 03 4a ea ….{…P3..4.J.
0030: 68 91 01 d2 f0 cb 0f fa 4d 51 5c 25 93 c8 c2 12 h…….MQ.%….
– signkey
0000: 86 4d 61 cf f2 25 6e 42 2c 56 8b 3c 28 00 1c fb .Ma..%nB,V.<(…
0010: 3e 15 27 65 85 84 ba 05 21 b7 9b 18 28 d9 36 de >.’e….!…(.6.
0020: 1d 82 6a 8f c3 e6 e7 fa 7a 90 d5 ca 29 46 f1 f6 ..j…..z…)F..
0030: 4a 2e fb 9f 5d cf fe 7e 43 4e b4 42 93 fa c5 ab J…]…CN.B….
– sig status: OK
attr: 1010 Unknown
data
0000: 00 02 00 80 2d 82 c1 90 50 2c e7 55 00 00 00 10 ….-…P,.U….
0010: 9e 53 d0 8b 82 43 90 08 bb f4 25 2d 06 1d 79 0e .S…C….%-..y.
0020: b1 ff 09 8d 5a 7c 52 4d ae 22 40 b0 5e c8 4d 33 ….Z|RM.”@.^.M3
0030: 00 05 00 00 ….
attr: 1013 Unknown
data
0000: 00 00 00 01 00 00 00 10 30 b3 3e b8 a1 31 ae 42 ……..0.>..1.B
0010: ab 0d 43 74 c5 15 cd e0 ..Ct….
attr: 1014 Unknown
data
0000: 19 ec 66 7f 93 64 89 46 95 47 89 1d a5 37 12 f1 ..f..d.F.G…7..
SignerCertChain
CERT CHAIN:
### CERT
– names
* Microsoft
* Microsoft KeyFileSigner
* 1.0.0.1
– random
0000: f0 6a b7 09 88 a4 c7 c8 1d f9 5c 6d cd e4 ab 52 .j………m…R
– seclevel 2000
– uniqueid
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
– pubkey_sign
0000: 97 41 fa 59 bd 5e b8 22 80 b2 a9 e2 dd e5 70 87 .A.Y.^.”……p.
0010: ce 91 07 e4 3b 12 81 69 fb a9 94 48 37 f4 9e 46 ….;..i…H7..F
0020: bb b7 11 b9 8f 4e c8 17 96 50 9d 05 f5 98 f7 a7 …..N…P……
0030: 5c 44 56 2d 4d 2a c3 4d 48 1a c7 4a 1d 48 16 c4 .DV-M*.MH..J.H..
– digest
0000: b9 e0 29 a8 59 21 9c de c1 b5 75 58 4c e6 6d e3 ..).Y!….uXL.m.
0010: 08 8c 3e 43 05 14 26 fa 8d c0 3e a5 df f3 df bc ..>C..&…>…..
– signature
0000: c8 b0 b2 4d 59 da e8 2b a5 b1 ac 61 95 54 85 ea …MY..+…a.T..
0010: 32 a1 19 5f 45 9c 0d 54 a0 cf 43 86 54 64 41 c0 2.._E..T..C.TdA.
0020: 8a 02 e7 0d e1 49 aa 40 26 61 a9 e0 b8 77 d9 ac …..I.@&a…w..
0030: 1e 2d 3f 2c 7f 7c 29 82 74 c3 74 f9 11 5d f0 81 .-?,.|).t.t..]..
– signkey
0000: af 6f af 3a 41 e4 a2 b9 eb cd 8c 95 a5 05 9b 11 .o.:A………..
0010: 38 a3 97 2a 1e c0 72 e3 24 52 78 b9 b5 49 28 f3 8..*..r.$Rx..I(.
0020: e0 28 3e 78 51 5d eb 6f 56 93 1a 5a 28 f3 aa b3 .(>xQ].oV..Z(…
0030: 04 c7 1f b5 b4 c7 f4 92 59 ed 21 f8 65 14 ec 33 ……..Y.!.e..3
– sig status: OK
### CERT
– names
* Microsoft
* PlayReady SL2000 KeyFileSigner Root CA
* 1.0.0.1
– random
0000: d6 ac 35 b4 d8 5d b4 30 74 0c ac 05 ea 0c 1e 86 ..5..].0t…….
– seclevel 2000
– uniqueid
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
– pubkey_sign
0000: af 6f af 3a 41 e4 a2 b9 eb cd 8c 95 a5 05 9b 11 .o.:A………..
0010: 38 a3 97 2a 1e c0 72 e3 24 52 78 b9 b5 49 28 f3 8..*..r.$Rx..I(.
0020: e0 28 3e 78 51 5d eb 6f 56 93 1a 5a 28 f3 aa b3 .(>xQ].oV..Z(…
0030: 04 c7 1f b5 b4 c7 f4 92 59 ed 21 f8 65 14 ec 33 ……..Y.!.e..3
– digest
0000: 71 01 a1 dd 80 f2 79 7a 2e 3c f2 f6 b9 bf 78 b0 q…..yz.<….x.
0010: ed 65 93 d5 42 cf 17 d4 0a c7 fa b0 18 82 3b 2f .e..B………;\/
– signature
0000: af 18 1d 1a 7d 98 92 c5 df 3e ac b3 2a 17 d2 29 ….}….>..*..)
0010: 92 e9 7f 4c 0f b1 5a 3d bd 91 d9 e2 bb b9 34 87 …L..Z=……4.
0020: e7 9b 00 bb 78 02 1f 5c a8 e0 f2 e0 0b d3 f9 b5 ….x………..
0030: 1a c5 e6 fe dd cd b4 1c 3f d7 89 d1 62 6a 5a 0b ……..?…bjZ.
– signkey
0000: 86 4d 61 cf f2 25 6e 42 2c 56 8b 3c 28 00 1c fb .Ma..%nB,V.<(…
0010: 3e 15 27 65 85 84 ba 05 21 b7 9b 18 28 d9 36 de >.’e….!…(.6.
0020: 1d 82 6a 8f c3 e6 e7 fa 7a 90 d5 ca 29 46 f1 f6 ..j…..z…)F..
0030: 4a 2e fb 9f 5d cf fe 7e 43 4e b4 42 93 fa c5 ab J…]…CN.B….
– sig status: OK
msprcp> identity 0C86330B0E98CD7C586F336088DAFA0E -e 0C86330B0E98CD7C586F336088DAFA0E
0C86330B0E98CD7C586F336088DAFA0E.enc.pub (public encryption key)
0C86330B0E98CD7C586F336088DAFA0E.enc.prv (private encryption key)
0C86330B0E98CD7C586F336088DAFA0E.sig.pub (public signing key)
0C86330B0E98CD7C586F336088DAFA0E.sig.prv (private signing key)
msprcp> checkkeypair 0C86330B0E98CD7C586F336088DAFA0E.enc.prv.plain 0C86330B0E98CD7C586F336088DAFA0E.enc.pub
KEY CHECK:
– prv: 7704db9c130887d60a2c61b1891bbad64676ba56fe146fc6ecc2be993c1cb53d
– pub:
X: cb276f9f9f764664542319ef9cc7690f9c3be3758bd3782a8d03fba8bf9e1c6d
Y: f7101c69942c4d07d9688b610985bbd34ee85820e20cc9bca9a81eb7f659657d
KEY CHECK OK
msprcp><\/p>\n","protected":false},"excerpt":{"rendered":"

Hello All, We have come up with two attack scenarios that make it possible toextract private ECC keys used by a PlayReady client (Windows SW DRMscenario) for the communication with a license server and identitypurposes. More specifically, we successfully demonstrated the extraction of thefollowing keys:– private signing key used to digitally sign license requests issuedby …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56715","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56715","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56715"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56715\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56715"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56715"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56715"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}