The Content Scrambling System (CSS)

A Technical Description


The Content Scrambling System (CSS) is used on DVDs to encrypt the data so that only licensed DVD players can decode it. It is also used in variant forms to implement a challenge-response protocol between DVD player software on a PC and a DVD drive (ATAPI or SCSI) attached to that PC, and to decrypt the title key (the CSS key for a file) from the disk key and player key. In all there are four variant forms of CSS.

CSS is a very simple encryption scheme based on shifts, XORs and table lookups. Its keylength is 40 bits, although it has been shown elsewhere that a brute force attack is only O(2^25) and a plaintext attack is only O(2^18) - i.e. CSS is weak for its keylength.

This document describes the CSS algorithm in enough technical detail to implement it. I also describe the plaintext attack, which is for academic benefit only since all the valid player keys are already known. Finally I describe the disk authentication procedure, which is quite involved and difficult to extract from the Mount Fuji document.

For reference, a CSS implementation is provided in source code form; this is not in a format that can be readily converted to a program as this might potentially violate the Digital Millenium Copyright Act; however it should serve as useful reference material for those wishing to implement CSS on their own.

The Basic Algorithm

The CSS State Machine
Initializing the State Machine
Stepping the State Machine
Decrypting the Data
The CSS Table

CSS Modes

Decrypting stream data (Mode 1)
Calculating the Response to a Challenge (Mode 3)
Calculating the Title Key (Modes 0 and 2)

The Plaintext Attack

Obtaining the CSS State
Backtracking the CSS State

Disk Authentication

Obtaining an AGID from the drive
Challenging the drive and getting its response
Calculating the variant the drive has chosen
Obtaining the challenge from the drive and calculating the response
Sending the response to the drive
Reading the disk key from the disk

[Home] [TinyTed]