The Content Scrambling System (CSS)

Disk Authentication


Overview

When a new DVD is inserted into a DVD drive, it must be authenticated before it can be used. This authentication uses a challenge-response protocol with CSS as the encryption method.

Disk Authentication is slightly tricky but straightforward in principle. It uses CSS in mode 3. The inputs to this algorithm are the challenge (10 bytes), the variant in use (0 to 31) and the keytype (KEY1, KEY2 or BUSKEY). The output is the 5-byte response.

Authentication requires the following steps, which must be performed in the correct order:

  1. Obtain an AGID from the drive
  2. Challenge the drive and get its response
  3. Calculate the variant the drive has chosen
  4. Obtain the challenge from the drive and calculate the response
  5. Send the response to the drive
  6. Read the disk key from the disk

Once these steps are done, the entire surface of the DVD can be read. I do not discuss here the decryption of the disk key or how to obtain the title keys - this is in fact somewhat unnecessary given the plaintext attack on CSS-encrypted data described here.

The Mount Fuji specifications must be referred to for the SCSI packet formats used below.

Obtaining an AGID from the drive

This step requires sending SCSI command REPORT_KEY with each INVALIDATE_AGID subcode in turn (to reset the drive) and then sending SCSI command REPORT_KEY with subcode GET_AGID to obtain the AGID. The AGID is a value of either 0x00, 0x40, 0x80 or 0xC0 which is added on to the subcodes used in subsequent SCSI REPORT_KEY and SEND_KEY commands to identify the program to the drive.

Challenging the drive and getting its response

This step requires sending SCSI command SEND_KEY with the subcode SEND_CHALLENGE_KEY + AGID. You include a challenge sequence which can be any sequence of 10 bytes. You then issue SCSI command REPORT_KEY with the subcode GET_KEY1 + AGID. This gives you the 5-byte value for KEY1.

Calculating the variant the drive has chosen

Now you must determine the variant that the drive is using. This is done by using CSS in mode 3 with keytype KEY1 to encrypt the challenge 32 times - once for each variant 0 to 31. One value will match the KEY1 the drive provided and this is the value of the variant you must use in subsequent steps.

Obtaining the challenge from the drive and calculating the response

This step requires sending SCSI command REPORT_KEY with the subcode GET_CHALLENGE + AGID. The drive returns a 10-byte challenge which you must then encrypt using CSS in mode 3 with keytype KEY2 and the variant calculated above. The result is the 5-byte value for KEY2.

Sending the response to the drive

Simply send the value of KEY2 to the drive using SCSI command SEND_KEY with the subcode SEND_KEY2 + AGID.

Reading the disk key from the disk

This is done using the SCSI command READ_DVD_STRUCTURE with subcode GET_DISK_KEY and the correct AGID specified. The results are somewhat irrelevant since the DVD data can be cracked using the methods I've explained here but reading the disk key is the last step in disk authentication.

Once this has succeeded, you can read sectors from the disk using the normal SCSI read commands. If this step fails, authentication has failed.

Note that the disk key obtained here is itself encrypted by XORing with a bus key. The bus key can be calculated by using CSS in mode 3 with keytype BUSKEY and the variant calculated above. Apply CSS to the 10-byte sequence obtained by concatenating KEY1 and KEY2 to get the 5-byte buskey. This is then simply XORed over the 2048-byte encrypted disk key.


[Back] [Home] [TinyTed]