20th July 2007, 07:40   #7
HyperHacker
Resident DRM Hater
 
Join Date: Oct 2006
Location: International waters
Posts: 242
Yep, brute-forcing means trying every key. The math is simple as long as you're not confused by big numbers: Keys are 16 bytes. One byte is 8 bits so a key is 16 * 8 = 128 bits. This means the number of possible keys is 2^128 = 3.4028236692093846346337460743177e+38 (look up scientific notation if you don't understand this number). If your computer could process 1 billion keys per second (which would be pretty impressive with today's technology), it'd still take 340282366920938463463374607431.77 seconds (which is 10790283070806014188970.52915499 years) to go through them all! Your network would have to consist of 1,000,000,000,000,000,000,000 computers to get through them in even 10 years! (I might have one or two zeros too few/many there, but that hardly makes a difference.)

As for signatures, look up RSA and private/public-key encryption. Normally, you give out the public key (used to encrypt) and keep the private key (used to decrypt) to yourself. Thus anyone can encrypt a message, and only you - not even them - will be able to decrypt it.
Signing works the opposite way - the public and private keys switch roles. That means you give out the private key and keep the public key a secret, so anyone will be able to decrypt the message but only you can encrypt it. To sign a file, you generate a hash of it using a nice strong algorithm like SHA1, encrypt this hash with your public key, and include it with the file. Anyone will be able to use the private key to decrypt the hash and confirm that it matches the file (= the file hasn't been modified). If you make any changes, the hash won't match anymore, and without the public key you can't encrypt a new one, so anyone can see the file has been modified.
(Bit confusing, eh?)

Of course, you can hack the software to ignore the signature and carry on doing what it does even if the file is modified, or replace the "private" key within it with your own so that you can use your own "public" key to sign it. But unless there's a security hole that allows for arbitrary code execution (or at least controlled patching of memory), you won't be able to get other people's devices to accept this new file without hacking them too.

There's plenty of info about all this on Wikipedia if you're interested.
__________________
Because Moogles pwn.
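The hash-then-sign check and the key-replacement point from the post above, as an added example that is not part of the original post: toy RSA with no padding over constructed Mersenne-prime keys, insecure and for illustration only. All names are assumptions; `signing_key` is the half the signer keeps secret and `verify_key` is the half embedded in the device.

```python
import hashlib

E = 65537  # common RSA exponent used for the verification half

def make_keypair(p, q):
    """Toy RSA pair from two primes: returns (verify_key, signing_key)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)

def digest(data):
    # SHA-1 as named in the post; 160 bits, smaller than both toy moduli.
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def sign(data, signing_key):
    n, d = signing_key
    return pow(digest(data), d, n)

def verify(data, signature, verify_key):
    n, e = verify_key
    return pow(signature, e, n) == digest(data)

class Device:
    """Hypothetical device that only accepts files matching its embedded key."""
    def __init__(self, embedded_key):
        self.embedded_key = embedded_key

    def accepts(self, data, signature):
        return verify(data, signature, self.embedded_key)

def demo():
    # Constructed keys: products of Mersenne primes, far too weak for real use.
    vendor_verify, vendor_sign = make_keypair(2**127 - 1, 2**107 - 1)
    own_verify, own_sign = make_keypair(2**89 - 1, 2**521 - 1)
    original, modified = b"firmware v1", b"firmware v1 (modified)"
    vendor_sig = sign(original, vendor_sign)
    own_sig = sign(modified, own_sign)
    stock, patched = Device(vendor_verify), Device(own_verify)
    return {
        "stock_original": stock.accepts(original, vendor_sig),
        "stock_modified_old_sig": stock.accepts(modified, vendor_sig),
        "stock_modified_own_sig": stock.accepts(modified, own_sig),
        "patched_modified_own_sig": patched.accepts(modified, own_sig),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {accepted}")
```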