Weakness in AACS Drive-Host Authentication


Phaidros
7th November 2007, 00:44
The following article might be of interest to some people:

http://eprint.iacr.org/2007/420.pdf

It explains that the current Drive-Host authentication protocol is not completely secure. The authors mention among other weaknesses an exploit for revoked devices to still communicate successfully with the host.

evdberg
7th November 2007, 12:12
Unfortunately the only thing the whole Drive-Host authentication is necessary for is to acquire the Volume ID ... and we can read this without any problem using an Xbox360 addon drive.

Peer van Heuen
7th November 2007, 14:30
Unfortunately the only thing the whole Drive-Host authentication is necessary for is to acquire the Volume ID ... and we can read this without any problem using an Xbox360 addon drive.

If you don't care about Blu-ray, that is :)

Anyway, the first weakness described doesn't really need to get pointed out, it's pretty obvious.
If you are in possession of a valid drive certificate along with its secret key, you can "revive" a revoked drive. For now, we don't have any drive revocations and in case some people actually have found secret keys of some drive, it's kept secret for it has very limited value anyway.

The man in the middle attack is interesting in a way, because it might allow a virtual drive that mimics a real HD/BD drive while it uses the credentials of an actual drive for authentication only.
This way you could make 1:1 copies (encrypted) and then play them with this virtual drive (using an official software player that will do the decryption).

But there is no real point in doing all that, as long as we can decrypt the data ourselves, which is the only way to potentially (some day...) transcode the videos and play them in any desired way we like.

An encrypted 1:1 copy is only "half way there" and is probably interesting for those torrent uploader morons who didn't really get the point of fair use... :rolleyes:

gioowe
7th November 2007, 23:09
How can you revive the drive? If you change the version number you invalidate the signature of the MKB. To recreate it you need the private key of the AACS LA certificate. Or am I missing something?

The signature includes both "Drive Revocation" and the "Version" Record.

AACS_Verify(AACS_LApub, Signature Data, Type and Version and Drive Revocation List)
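
Added example, not part of the post above or of the AACS specification: a Go program for the check quoted in that post, showing that one signature over the Version record and the Drive Revocation List stops verifying as soon as either is changed. The byte layout, the throwaway signing key, the drive IDs and the use of ECDSA P-256 with SHA-256 are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// signedData joins the Version record and the Drive Revocation List, the
// inputs the post says the signature covers. The byte layout is constructed
// for this example and is not the AACS record format.
func signedData(version uint32, revoked []uint64) []byte {
	buf := make([]byte, 4+8*len(revoked))
	binary.BigEndian.PutUint32(buf, version)
	for i, id := range revoked {
		binary.BigEndian.PutUint64(buf[4+8*i:], id)
	}
	return buf
}

// verifyDRL plays the role of AACS_Verify(AACS_LApub, Signature Data, ...).
// ECDSA P-256 with SHA-256 is a stand-in chosen for the example.
func verifyDRL(laPub *ecdsa.PublicKey, sig []byte, version uint32, revoked []uint64) bool {
	h := sha256.Sum256(signedData(version, revoked))
	return ecdsa.VerifyASN1(laPub, h[:], sig)
}

// demo signs a constructed list with a throwaway key, then checks the
// genuine record, one with a changed version, and one with an entry removed.
func demo() (genuine, newVersion, entryDropped bool) {
	la, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	revoked := []uint64{0x1111, 0x2222} // constructed drive IDs
	h := sha256.Sum256(signedData(3, revoked))
	sig, err := ecdsa.SignASN1(rand.Reader, la, h[:])
	if err != nil {
		panic(err)
	}
	return verifyDRL(&la.PublicKey, sig, 3, revoked),
		verifyDRL(&la.PublicKey, sig, 9, revoked),
		verifyDRL(&la.PublicKey, sig, 3, revoked[:1])
}

func main() { fmt.Println(demo()) }
```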

FoxDisc
8th November 2007, 02:28
How can you revive the drive? If you change the version number you invalidate the signature of the MKB. To recreate it you need the private key of the AACS LA certificate. Or am I missing something?

The signature includes both "Drive Revocation" and the "Version" Record.

In weakness 1 they just point out that the detection of the changed version number does not occur immediately. They use a very technical definition of a "weakness" and consider it to be a weakness for any communication to continue after the attacker has modified the communication stream.

In weakness 2 the "attacker" needs its own legitimate drive certificate, but can serve as the intermediary between a revoked drive and the host so that the revoked drive can still set up an authenticated session. Again, it's a pretty uninteresting type of weakness.