Learning Center
Plans & pricing Sign in
Sign Out

CSS Overview


									Content Scramble System (CSS)
Bo Zhou, Peixian Yan, Gang Liu, Zongpeng Liu, Matthew Black

CSS stands for "Content Scrambling System". "It is the data scrambling method used to garble the
content of a DVD disc. According to most sources, CSS was put into use for the purpose of
ensuring that copyrighted material placed in this format would only be usable with licensed DVD
playback mechanisms. During this way, the DVD should not be copied from the disc directly as
well. "[8]

How does CSS protect the DVD?

Every DVD player on the market today is coded with a small set of "player keys". Every DVD
disc on the market today is coded with a "disk key" to identify that disc. When a DVD player
attempts to read a DVD, the player uses it's player key and proceeds down the list of encrypted
disk keys on the disk.

The DVD producer must buy the DVD license to produce the legal DVD player. There are 409
different player keys totally, different producer has different player key.

The DVD can be played under the Windows and MAC environment by using the software DVD
player, we can‘t play DVD under the Linux, because Linux is open source, that means it will show
the way how the CSS work by presenting the code from the source of the Linux. It is also one of
the reasons why DeCSS was made.

An anonymous German hacker from MoRE(master of reverse engineering) wrote the DeCSS in
order to watch the DVD under the Linux, and he give the code to the Jon Johanson, a 16-year-old
Norwegian. In the late September 1999, Jon put the DeCSS on to the web, free to download.

The whole Linux society was expired by this small program. Everybody was downloading it and
transfer it to others as many as possible!

MPAA(The Motion Picture Association of America ) was furious about the DeCSS, acutely they
don‘t care people only use it to play DVD, the problem is that any body can simply copy DVD by
DeCSS. This makes the piracy extremely easy.

It is ok if we use DVD re-writer to copy the DVD directly from the disc, but one empty DVD ram
is much more expensive than a DVD. On every DVD disc, the data is stored as MPEG-2 file,
which is extremely large, and it is not possible to be stored in a normal CD-ROM. The MPEG-4
file has almost the same quality as MPEG-2 file, and only about 10% size of the MPEG-2 file.
Because the data on DVD was protected by the CSS, we only need to solve the way for how to
copy the data from the disc. Here is the graphic of how to make a MPEG-4 file.
DVD                                                                        PC

MPEG-2                                                    ‘ *.vob ’ file                                 MPEG-4 file
                                                           (very large)                                 (much smaller)
                       DeCSS                                                 FlaskMPEG

            As we can see, we can make the MPEG-4 file in this simple way, when ever the MPEG-4 was
            made, it is very easy to transfer through the web site.

            How does the DeCSS work?

            DeCSS is just as same as a software DVD player. It uses a player key to unscramble the scrambled
            contents of a DVD to make playable MPEG-2 video files. It is the Xing player key. Every DVD
            producer has to buy the CSS license to produce the DVD player. The German hacker found out the
            Xing player key by the producer‘s careless design.

            But it is reported that the Xing player key has been revoked. If this is true, no newly released
            DVDs can be descrambled with this player key; DeCSS will not work on these DVDs.

            Actually, CSS is very easy to break. Because it is only use 40-bit key to protect the data. That
            means it only has 2 to the power of 40 possibilities, a brute-force search will quickly find the key
            even if the scrambling algorithm is well-designed.

            In my opinion, the MPAA would really love to make the CSS into a 80-bit or more large key, but
            according to common wisdom, CSS was made weak intentionally to avoid government red tape,
            since at the time (in 1996) the U.S. export regulations banned export of strong encryption

            Based on the points that I mentioned above, "CSS is different from other examples of
            cryptography such as encrypted e-mail. Unlike encrypted e-mail where the objective of the
            encryption is to maintain privacy, CSS has nothing to do with maintaining privacy or secrecy of
            the video. Anyone who buys a DVD containing a CSS "encrypted" movie can view that movie by
            placing it in a DVD player. This is totally unlike encrypted mail that only the intended recipients
            can read."[8]
CSS System Overview
For the CSS system, it contains the DVD, the DVD player and the host(software that plays the
DVD). The DVD disk itself contains the encrypted content, which can not be delivered to the
DVD player unless both sides are authenticated with each other as licensed and the region keys on
both sides are matched. After the data are able to transmit between the DVD player and DVD,
there are several steps of encryption of the data, as well as, keys such as title key.
Before talk about the encryption on the DVD data, there are some keys I would like to list as

Region key: It is used to ensure that a DVD which is produced in a certain region can only be
played by the DVD play which was produced in the same region and vice-versa.

Authentication key: it is used to authenticate the DVD player and DVD; it ensures that both
devices are licensed.

Session key: it is used to encrypt the data when it transferred from the DVD player to the host to
prevent eavesdropping.

Player key: there are total of 409 Player keys which are assigned by DVD Copy Control
Association to each of the DVD player manufacturer, each of which has its own unique Player
key. E.g. Sony player has its own key; Panasonic player has its own Play key.

Disk key: Disk is used to encrypt the title key. The Player key decrypts it. The player key tries all
the possible Disk keys and verifies the correctness with the Disk hash.

Sector key: it is used to XOR with title key, and used to encrypt the data. It is store in Bytes 80 –
84 of each sector‘s header.

Title key: it is XORed with the sector key, and used to encrypt the data. The tile key is come from
the Title (i.e. Video Title Set).

Encryption on data

The keys above are all involved in the whole CSS system. For the encryption of the data which
will be stored in the DVD, there are only few keys need to be used, namely sector key and title

―System‘s security depends entirely on the insides of the keystream generator.‖[1]. Therefore the
keystream generator we choose is very important for keeping the content secured. Can we use the
key to generate the keystream directly, and apply it to the plaintext, result in the ciphertext? you
can, but the ciphertext can easily be broken once the keystream is known. Image the scenario that
Bob has got a copy of ciphertext, and he acquires the plain text of it, for Computer Security, we
always assume the hacker knows the algorithm of the encryption, so we assume the algorithm use
XOR operation on the plaintext and key. Therefore, what Bob needs to do is just XOR the cipher
with the plaintext, and he gets the keystream, when the next cipher comes, he can easily the
decrypt the cipher (all the rest) by the keystream he just got since we have ‗a‘ XOR ‗b‘ = ‗c‘ and
‗c‘ XOR ‗a‘ =‘b‘. Therefore we should not keep the keystream un-changed.

In CSS system, it uses a technique called Linear Feedback Shift Register (LFSR) to generate the
pseudo-random bit stream, which generates the random keystream. It is implemented in hardware.
The diagram below shows the how a generic LFSR works[7].



   Feedback Path
                                      Feedback function

LFSR basically contains two parts, a shift register and Tap sequence.
            Shift register is a sequence of bits, and each time a bit is needed to the register and
    feed in to the register from the leftmost side, and all the bits in the register are shifted to the
    right, which can generate 1 bit at a time as a output of the LFSR.
            Tap sequence basically means that it taps several bits from the register, and feed
    them into a so-call Feedback function (XOR in most cases), and the Feedback function
    output a bit as the input of the register, this bit is fed in to the leftmost side of the register.
            With certain tap sequences, LFSR can cycle through all 2n -1 possible internal states,
    which is called maximal length LFSR, the reason for subtract 1 here is that we get rid of the
    case with all 0 bits in the register since all 0 bits in the register will only generate non-ending
    keystream of 0 (with XOR operation), which is called null-cycling.

LFSR uses 2 LFSRs, one is initialized with 17 bits, which is 2 bytes + 1 bit, the bit 1 here is to
prevent the null-cycling state in the register, this bit is located at the position 4(count from right to
left) in the register. And each time the register taps the bits at the position 1 and 15, and feed those
2 bits into a Feedback function, the Feedback function it used is XOR operation, and gets the
output from the Feedback function as the input of the register as well as the output of the LFSR,
unlike the traditional LFSR, the output generates from the register is thrown away to the garbage.
In stead, it uses the output generates from the Feedback function. The following diagram shows
how the CSS LFSR-17 works.
    1 0 1 1 1 1 0 0 1 0 1 0 1 1 0 1 1



    1 0 1 1 1 1 0 0 1 0 1 0 1 1 0 1 1

          1                      1



    1 0 1 1 1 1 0 0 1 0 1 0 1 1 0 1 1


               0 1 0 1 1 1 1 0 0 1 0 1 0 1 1 0 1


                       Output        0
  The other is LFSR-25 and is initialised with 3 bytes + 1 bit to prevent null cycling. The LFSR-25
  is slightly different from LFSR-17, which taps the bits from the register at the position 1, 4,5,15
  (count from right to left).

HoTherefore, LFSR-17 and LFSR-25 use 40bit (5bytes) key, which derives from the title key and Driv
stsector key, the 2 bytes seeded into LFSR is the XOR between the first 2 bytes of the title key and
  the first 2 bytes of the sector key, the bytes seeded into LFSR-25 is the XOR between the next 3
  bytes of the title key and the next 3 bytes of the sector key.

  After LFSR-17 and LFSR-25 have generated 1 byte output, we add them up to form a output byte
  as the keystream, the carry out of this addition is used as the carry in for the next addition (note:
  the first keystream byte is formed by LFSR-17 and LFSR-25, the carry in from the previous
  addition is 0 since that is the first keystream byte). The following diagram shows how it works[7].

          LFSR-17           1
                           byt                                           Chanllenge(D)
                            e Optional bit-wise                             (nonce)
                                                                   +8-bit add
                            e      Optional bit-wise
    the previous
  In the CSS system, there are several parts need to generate the random keystream, therefore we
  optionally use the bit-wise inverter(s) (it changes 1 to 0, and 0 to 1) to generate keystream in
  different modes in CSS. For the Authentication between the DVD and DVD Player (i.e.
  authenticates whether each other is licensed), one inverter is used on LFSR-17, but not LFSR-25.
  For the encryption and decryption on keys, the inverted also are used optionally, the inverter is not
  used when deal with the Session key, but the Title key. For the data encryption/decryption, a
  inverter is needs as well, the following diagram shows the inverter settings for each mode[7]:
                           Mode                          LFSR-17             LFSR-25

Authentication between DVD and DVD Player                   Yes                 No

Encryption/Decryption on Session Key                        No                  No

Encryption/Decryption on Title key                          No                  Yes

Encryption/Decryption on Data                               Yes                 No

Now, we have got the keystream generated by both LFSR-17 and LFSR-25, both are seeded with
the keys, before we combine the keystream and actual DVD data, there is the substitution on the
data, generally, the substitution is just substitution a character by another character (i.e. change the
bit of the character to other bits), the reason it used here I assume is to make algorithm more
complex. After the data get thought the substitution table, we XOR them with the keystream as the
diagram shows below[7]:

  Output byte from LFSRs                                    XOR               Output data

     Input data                                  Table-based substitution


Furthermore, apart from the encryption on the data, CSS also does the encryption/decryption on
keys as I mentioned before, inverters are used optionally for different modes in CSS. The
following diagram gives a basic structure of how the keys are encrypted/decrypted[7]:

                                     Bytes of Ciphertext/Plaintext

          0                           0                     0                          0

        Permutation                Permutation            Permutation                Permutation
           Table                      Table                  Table                      Table

                      K0                        K1                      K2                         K3
           +                          +                      +                          +

    Permutation                   Permutation           Permutation               Permutation
           Table                      Table                  Table                      Table

           +                          +                      +                          +

          0                           1                     2                          3
There 5 columns and 6 rows in the diagram above, the first and the last row can be the Ciphertext
or the Plaintext (or the other way round), lets have a look how it encrypt a key, the first 4 bytes are
taken from the key, all the bytes go thought the permutation table, which swap the bits around
within that byte, K0, K1,K2, K3 are the keystream generated by the LFSRs, in a addition to the
first byte, all other the bytes(N) go thought the permutation table, and XOR with the K(n)
keystream, as well as XOR with the previous byte (N-1). For the first byte, it XORed with K0, as
well as the permuted byte of the last byte as the diagram shows. All the bytes in the 3th row go
thought another permutation table afterwards, and XOR with the K(n) again, the Ciphertext is

How a DVD is Played
The process of playing the DVD is as follows [6][7]
    1. The Host and player authenticate themselves as licensed (q.v).
    2. The player decrypts each encrypted disk key until a disk key has been verified as correct
        against the hash.
    3. The Disk and title keys are sent to the host. The session key is used to prevent a man in
        the middle attack.
    4. Each title key is decrypted by the disk key
    5. Each sector is decrypted with the appropriate title key.

The sector key (bytes 80-84 in the sector) is used to decrypt the
rest of the sector.Mutual Authentication
Authentication involves a secret hash function that should only be known by licensed units.
The Authentication method runs as follows [6][7]
    1. The drive requests the AGID(Authentication Grant ID) from the host. This uniquely
        identifies the session
    2. The drive generates a challenge (40-bit random number) and sends it to the host
    3. The host encrypts the challenge using the secret CSS hash and sends the encrypted value
        to the drive.
    4. The drive verifies the encrypted challenge
    5. Likewise the host generates a challenge (40-bit random number) and sends it to the drive
    6. The drive encrypts the challenge using the secret CSS hash and sends the encrypted value
        to the host.
    7. The host verifies the encrypted challenge
    8. The CSS hash function is used to create the key from the XOR of the 2 challenges
                   Drive                                                                   Host
                               Request AGID

      Initialization done                                                              Initialization done
                               Challenge (D) (nonce)
             Decrypt and verify                         Encrypted Challenge (D)         Encrypt Challenge (D)

                                                         Challenge (H) (nonce)
                                                                                        Decrypt and verify
 Encrypt Challenge (H)                                                                    Challenge(H)
                                Encrypted Challenge (H)

                                              Success or Failure
Session key created                                                                           Session key created

     The Authentication method is weak. First it is possible to have a hoax player and host the both
     agree that they are both authentic. The idea of a secret hash function uses the controversial
     ―security by obscurity‖ approach, which if the scheme is leaked it will render the whole
     authentication process useless. If a user can retrieve the code of the host the code used for the hash
     can be found and the hash is no longer secret.

     Cryptanalysis of CSS
     The Following cryptanalysis methods were described in[7]

     Brute Force attack on disk keys
     CSS only uses 40 bit keys; due to US export restrictions. hence it is possible to find the disk key
     by looking at 240 possible disk keys by using a brute force search. This attack is in fact possible
     with a complexity of 225 by attacking the hash making it feasible in runtime applications

     Attack with 6-bytes of LFSR output
     If we have 6 bytes of LFSR output it is possible to find the input of the LFSR. This however is not
     a terribly useful attack, as we don‘t normally have 6-bits lying around. This provides a 216 attack
     to find the input of LFSR‘s and hence the key.
     The Attack proceeds as follows.
              For each possible content of LFSR-17
                Clock out 4 bits from LFSR-17
                Get the output of LFSR-25 by subtracting the output of LFSR-17 from the combined
                   Workout the contents of LFSR-25 from the output of LFSR-25
                   Clock out 2 bytes
                   If correct we have the initial state of LFSR and hence the key
                   Otherwise continue with possible LFSR-17 inputs
Attack with 5-bytes of LFSR output
This is a much more feasible attack since the following attack on CSS mangling will easily give
use 5 bytes of LFSR output.
       For each possible content of LFSR-17
         Clock out 3 bits from LFSR-17
         Get the corresponding bytes of output of LFSR-25 by subtracting the output of
            LFSR-17 from the combined output. We have all but the highest order bit from

CSS Mangling
This known Ciphertext attack allows us to find 5 bytes of LFSR output and hence carry out the
previous attack.

       For each byte
       For each Guess
            o Work backwards though the encryption
            o Verify the expected input with actual input

Content Protection Technologies

We have talked so much about CSS is a content protection technology that is used on
DVDs. But does it the only technology we used to protect the information on DVDs?
Of course, the answer should be negative. There are so many technologies we are
using to protect the copyright of the content. And there are so many are proposed to
try to solve the problem because there are some problems when we using the existing

Major Technologies

There are three major content protection technologies are used on DVDs. They are


CGMS (Copy Generation Management System) is a management system operating at
a copy generation level. The CGMS information is integrated within the video signal
coming from the player and the recording equipment must respect this signal. A
digital standard such as IEEE 1394/Firewire will be present on the digital
connections. The audio equivalent is called SCMS (Serial Copy Management
System). The aim is to prevent copies of copies, with the help of indicators (flags),
and stop mass copying of the master support. [1]
The CGMS information defines that how many times the data can be copied. There
are three copying states: copy enable, copy one generation and copy never.


APS (Analog Protection System), was developed by Macro vision, and is integrated
within each player to prevent analog copying on VHS. Computer video cards also use
this system. [2]

APS uses two technologies, which are AGC (Automatic Gain Control) and Color
Stripe to prevent illegal analog copying and make the illegal copies have a very low
level of quality.


As we have talked, CSS is a digital data encryption technology to prevent copying
video files directly from the DVD discs. And we have found that it is not a successful
enough technique because it does not work very well as people expected.

Other Approaches

Right now, representatives from the Computer, Consumer-Electronics and Movie
Industries have created some technical working groups to work together and try to
find a better way to protect the copyrights. For example, there are Copy Protection
Technical Working Group (CPTWG), which was created by Hitachi, Intel, Matsushita
(MEI), Sony and Toshiba, the 4C Entity that was created by IBM, Intel, Matsushita
and Toshiba, and the 4C Entity created the Advanced Access Content System
Listening Administrator (AACS LA) with Microsoft, Sony, Walt Disney and Warner
Bros. They have been working collaboratively for several years and have created
some protection schemes.

·The 4C Entity has created
       ·Content Protection for Pre-recorded Media (CPPM)
       ·Content Protection for Recordable Media (CPRM)
       ·Content Protection System Architecture (CPSA)

·The CPTWG has developed the Digital Transmission Content Protection (DTCP).

·Intel developed the High-bandwidth Digital Content Protection (HDCP).

·Thomson developed Extended Content Access (XCA).

·And the AACS LA is developing the Advanced Access Content System (AACS),
which they claimed ―a specification for managing content stored on the next
generation of prerecorded and recorded optical media for consumer use with PCs and
CE devices.‖ [3]



Advanced Access Content System Licensing Administrator (AACS LA) is developing
the Advanced Access Content System, a specification for managing content stored on
the next generation of pre-recorded and recorded optical media for consumer use with
PCs and CE devices. Advanced Access Content System will complement new
innovations in the next-generation of optical discs, and enable consumers to enjoy
next-generation content, including high-definition content.
 AACS Framework

 AACS: Advanced, format-neutral protection for next generation audiovisual content for a variety
 of underlying formats.

                                                Advanced Format
 Legacy Format

                              Standard Definition
                                       High Definition

CSS                                                    AACS

 How AACS works

 For content providers, content aggregators, and device manufacturers, Advanced
 Access Content System will present opportunities for new distribution and business
 models, while improving functionality and interactivity for the consumer. For
 example, in addition to pre-recorded optical disc support, Advanced Access Content
 System is being designed to support the ability to make recordings of content, as
 authorized. Additionally, the technology will support expanded flexibility in
 accessing, managing and, through interoperability, transferring content within a
 standalone or networked environment. Using advanced, proven cryptographic
 methods, AACS is flexible enough to interoperate with content protection
 technologies to enable consumers, to the extent authorized, to save licensed, protected
 copies of prerecorded movie titles onto home media server hard drives or authorized
 media while preventing unauthorized reproduction and distribution of next-generation
 optical media.

     AACS Technology
          Strong cryptography
          o Advanced Encryption Standard with 128-bit keys.
          o Next-generation media key block.

      Revocation of compromised devices

          o Precise – affects only compromised key
          o Efficient tree-based, broadcast encryption

      Enhanced drive authentication

      Support for advanced operations such as ―move‖

      Use of network connectivity to enable enhanced uses

      New approaches to enhance robustness of implementations

          o Combination of proactive software renewal with revocation

      Reviewing potential solutions to thwart professional mass distribution of
       unauthorized recordings (e.g. theatrical camcorder piracy)

Advantages of AACS Approach

   o   Major benefits for consumers
   o   Supports delivery of next-generation content, including high definition
   o   Provides increased flexibility, while remaining transparent to legitimate users
   o   Enables new entertainment experiences across multiple devices

   o Major benefits for Studios

   o Enables new entertainment business models
   o Protects copyrighted works on next generation media
   o Encourages legitimate use of content

   o Major benefits for Technology providers

   o Accelerates next-generation content flow including high definition
   o Increases demand for infrastructure services
   o Provides even playing field for technology companies to compete for solutions
     and services
   o Low implementation costs
   o Participation from industry leaders across the value chain
   o Content, Information Technology, Consumer Electronics


As we mentioned before, CSS cannot protect the copyrights very well. So, we are
going to compare CSS with other two approaches to show that why it is worse than
other approaches.


CSS prevents copying video content directly from the DVD discs. CPPM does almost
the same thing but not video content. CPPM prevents copying pre-recorded audio
content from the DVD discs.

One aim of CPPM is make the system renewable. Renewability is typically
accomplished by revoking devices that have been compromised.

CSS and CPPM have a common weakness. CSS uses 40-bit keys and CPPM uses 56-
bit keys. The key lengths are so short because the US cryptographic export laws
restrict them may be by massive political pressure or economical consideration.


CSS uses 40-bit keys, so the brute force attack can be carried out with the complexity
of 2^40. But with the weak cryptographic algorithm, the brute force attack is possible
to be carried out with the complexity of 2^25.

The protection mechanisms described in the AACS specification are based on some
common cryptographic functions. One of them is the Advanced Encryption Standard
(AES) block cipher algorithm, as specified in FIPS Publication 197. Unless otherwise
specified, the AES algorithm is used with data blocks of 128 bits and keys with
lengths of 128 bits. [4] It means the brute force attack may be carried out with a
complexity of 2^128. If you can crack CSS in one second, you would have to use
more than 10^19 years to crack the AES cipher algorithm with the same computing

AACS also uses advanced Media Key Block (MKB) to manage and revoke keys.
During this way, AACS will make the system renewable.

AACS would potentially allow people to store copies of a movie on home computers
and watch it on other devices connected to a network—or even transfer it to a portable
movie player. [5]

           Content Scramble System is a Mechanism of encrypts data to DVD disk.
           Advantages: Protect the authority of the content provider so that the authority
            provider can earn much more money.
           Disadvantages: CSS uses a 40-bit key. Even if the scrambling algorithm is well
            designed, the short key length means that a brute-force search will quickly find the
            key. So it‘s easy to decrypt.
           Belong to a standard definition
           Developed by DVD Copy Control Association
           DeCSS is a decryption of CSS in order to play DVD files on LINUX

 [1] Industry, Research, Energy, Environment and STOA (Scientific and Technical
 Options Assessment): Security Technologies for Digital Media—Final Report, p.35
 [2] Industry, Research, Energy, Environment and STOA (Scientific and Technical
 Options Assessment): Security Technologies for Digital Media—Final Report, p.34
 [3] AACS LA: (
 [4] AACS LA: Advanced Access Content System (AACS) Technical Overview
 (informative), p.5 (July 21, 2004)
 [5] AACS LA: Advanced Access Content System (AACS) Industry Briefing, (July 14, 2004)
 [6] CSS: Under the hood (,1558,1230030,00.asp
 [7] Content Scrambling System (CSS): Introduction, Gregory Kesden. (http://www-


To top