TiVo Awarded Patent For Password You Can't Hack

Davis Freeberg writes "TiVo has always been known for thinking outside of the box, but this week they were awarded an unusual patent related to locking down content on their hard drives. According to the patent, they've invented a way to create password security that is so tough, it would take you longer than the life of a hard drive in order to figure it out. They could be using this technology to prevent the sharing of content or it could be related to their advertising or guide data, but if their encryption technology is really that good, it's an interesting solution for solving the problem of securing networks."

So....

3-4 weeks tops?

Re:So....

I want to know if the patent is invalidated when it's broken.

(ie: does making outlandish and incorrect claims in a patent invalidate it?)

IANAL...

...but I am a law student and just took an introductory IP course, so I'll try to answer. A patent must actually do what you claim it does. But they don't claim it can't be cracked:

...difficult or impossible...

...significantly more secure...

Re:So....

I don't think so.

In the US at least, there's no requirement that a patented idea or invention or system actually do anything useful or work or even do what it claims.

There are numerous patents for mind-reading devices, nutjob free energy systems and perpetual motion machines, and searching the USPTO database for the "hyper-light-speed antenna" will produce some interesting reading.

Might as well patent completely unbreakable DRM.

Re:Does it matter?

The password might not be cracked. Well, at least not cracked in a meaningful or useful way. I can think of several ways this could be accomplished. Tying the drive to the mainboard with a kill switch that burns out the firmware controler could be one. This could mean all ads and all content is useless outside the tivo and the drive is borked if tried outside it too.

But if this patents is invalidated, it is meaningful in several ways. First is other devices might be forced into using it by the media companies or something and this will raise the costs of consumer electronics. The next thing is, suppose someone discovers this as a way to keep usable information out of anyone's hands who don't have permission to use it. There is another royalty that needs to be payed and it will come out of our pockets too. But most importantly, A patent takes an entire piece of software off the market for most. Imagine if the word processor was patented when it originally was developed. Whatever the first word processor was and anyone willing to pay the royalties to them are the only word processors we would have. Openoffice.org wouldn't be here, Microsoft could have bought the patent and stopped everyone from using it other then them, so on and so on.

So what happens when computers are fast enough that to be somewhat reasonable secure, you need this patent. If it is still valid, again, everyone pays TIVO to use it. But if it was copy written instead of patented, then many other players could attempt to do similar things and hopefully competition would make things better and all. But if we are stuck with this one implementation and it turns out not to work, any working implementations from other companies will have a payment to TIVO associated with any costs.

Re:So....

No shit. The second your product gets into a consumer's home, its "unhackable" status vanishes.

Re:So....

Quite true because at that point there is nothing to stop a person simply copying everything off the disk (just a raw copy even if it is still encrypted).

As soon as you can do that, 3 things are true:

(1) You can preserve it on something more reliable (longer life) than the original drive and work on cracking it from there.
(2) You can make multiple copies and work on it x times faster by attacking each drive/copy with a separate part of the list of possible solutions.
(3) You can spend as long as you like working on cracking it and when the drive reaches the end of it's life, pick up where you left off working on your clone disk.

More importantly how many copies would you need to make to solve it within a useful time period at all? Would you get the data within a useful time frame? Within years? Within your own life time?

Obviously if they have made it so that you can only access the drive with a specific controller then the idea of taking copies is significantly more difficult, but from what I've read it's just a regular Western Digital drive which means you could hook it up and take a raw image of the entire disk even without being able to decode the contents at that point. So as the parent said, you're not hacking it "in situ" and as soon as the drive gets into a consumer's home, you've handed of a the data to be copied.

This is just a patent for making hacking difficult, but since when does that stop anyone?

Meanwhile, I am not even going to bother trying to figure out how this is a solution for "securing networks".

Re:So....

Why not encrypt the HDD at the level of the drive electronics? That way a user would have to physically remove the platter to read any useful data. That process would cost more than most data one could recover from an average user's tivo.

On the other hand, yes, this does appear to be a simple patent on tying a hard drive to an electronics unit. Viable attack vectors are already obvious.

The patent that will never reach courts.

"Unhackable" passwords ?!?

At least you know nobody is going to get sued over this one. Ever.

Re:So....

3-4 weeks tops?

At least ... it's triple rot-13 after all.

Re:So....

Tivo loses because the person says they couldn't have broken the tivo code because the code is unbreakable, if they did, then Tivo loses the patent.

Don't be daft. The vague boasts in the patent abstract are irrelevant to the validity of the patent. You could claim in the abstract that your patented method will grant the user perpetual happiness. All that's relevant to the validity are the claims, and those are purely descriptive of function.

Re:So....

*in the underground lair of tivo*

tivo suit guy 1: Those lousy internet people keep cracking our encryption!

tivo suit guy 2: How do they keep doing it?

tivo suit guy 1: Because time is on their side, and they have no life! grr

tivo suit guy 2: How long can a 'really hard' encryption take?

tivo suit guy 1: I have no idea, maybe like a month? A week?

tivo suit guy 2: A WEEK? You can't be serious!

drive manufacturer suit: Well, if you can't beat crackers at their own game, what needs to get done is to beat them from a different angle.

tivo suit guy 1: what do you mean?

drive manufacturer suit: Think about it, every time you come up with a new password, it gets cracked in a week, there is no control over that. So, what needs to get done is to beat them where they have no control. TIME!

tivo suit guy 2: Time? And how do you expect us to control TIME?

drive manufacturer suit: Easy. Since we know that a password can be cracked within a week, what needs to get done is to prevent them from getting access to the password before that week. All we have to do is manufacture drives that will fail within a week!

tivo suit guy 2: That's brilliant!

tivo suit guy 1: Wait a minute. We can't have customer's drives dying withing one week. That's just no good for business.

drive manufacturer suit: Don't worry about it. We'll use flash drives. Flash ram wears out overtime. We can explain to the customer that the new flash drives will use less energy, have no moving parts, and are cheaper!

tivo suit guy 1: Will they really be cheaper?

drive manufacturer suit: only to you they will be. That way you won't have to pass off the savings to the customer. Plus, you can add in an additional subscription fee to have new flash drives mailed to them every week when they mail back their old flash drives! Think: netflix, but instead of dvds, flash drives. More money for you!

tivo suit guy 2: kinda like the photo-copier industry with their toners.. hrm, I like it!

tivo suit guy 1: Wait wait wait! Those drives will still cost us a pretty penny, so what's the secret?

drive manufacturer suit: *grins* we will be using _OLD_ flash drives. Just like the old flash drives that croaked so quickly. The manufacturing technology to build them was very cheap. We can churn those out like nobody's business.

tivo suit guy 1: hrm, so essentially they are disposable drives?

tivo suit guy 2: It's an excellent plan! We can add in the additional 'service' and bleed our customers dry!

drive manufacturer suit: soo, do we have a deal?

tivo suit guy 1 & 2: it's a deal! I think I'm gonna patent that idea!

*shakes hands, and the meeting is ended, tivo suit guys leave*

drive manufacturer gets on cell phone

drive manufacturer boss: so, how did it go?

drive manufacturer suit: They accepted project 'disposable drive.' Those fools have no idea we're playing them for our pawn.

drive manufacturer boss: Eeeexxxeeeelent~

drive manufacturer suit: Phase 1 is complete. I've finished talking to Apple and Creative already. I'm scheduled to meet with Sprint and Verizon tomorrow.

drive manufacturer boss: Once we have all the mp3 players, cell phones, and tivos supplied with our disposable drive, users will be upset that only after a week of use, their electronics became useless! This will soil the name of flash drives in a larger scale never seen before, and drive customer confidence towards flash down! They will be forced to lower their prices, and eventually perish under their manufacturing costs. Harddrives will RISE AGAIN! MUHWAHAHAHAHAHA!

And the password is...

MDlGOTExMDI5RDc0RTM1QkQ4NDE1NkM1NjM1Njg4QzA=

Don't tell anyone.

Re:oh i found it on google with 1.9 mln results!

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

To quote Spock, "I believe that is what [he] said."

sbizna ~$ base64 --decode <<< "MDlGOTExMDI5RDc0RTM1QkQ4NDE1NkM1NjM1Njg4QzA="
09F911029D74E35BD84156C5635688C0

I only caught it because I read RFC 2045 the other day. (specifically, the section on Base64 encoding...)

-:sigma.SB

A really long one?

So it's like a really character password with random characters and punctuation and stuff?

That doesn't sound like it would be worth a patent.

Then again, it might be more interesting and have non-typeable characters...

Or maybe just "Joshua"

This sounds familiar:

Patent For Password You Can't Hack

Hack available for download from the internet in 5, 4, 3, 2....

longer than the life of a hard drive in order ....

Wasn't about the same thing said for the DVD protection system? All security systems like this fall apart when the user had the device being hacked in his hands.

And what if it's a WD drive they are talking about? The life of those is so low they had to drop their warranty to 1 year because they admitted 3 years would put them out of business. (The reason I only use Segate 5 year warranty drives).

Hamel's Folly

On the dangers of assuming keyspace => security:

The mechanical ciphering machine invented by Alexander von Kryha in 1924 received the Prize of the Prussian Ministry of the Interior at the 1926 Police Fair and a Diploma from the famous postwar Chancellor of Germany, Konrad Adenauer, at the International Press Exhibition in Cologne two year later. Von Kryha was not only an inventor, but also an astute entrepreneur. To promote his commercial venture Internationale Kryha Machinen Gesellschaft of Hamburg, Kryha turned to the famous mathematician Georg Hamel for an endorsement. Hamel calculated the size of the key space to be 4.57*10^50 and concluded that only immortals could cryptanalyze Kryha ciphertext. Not withstanding Hamels estimate, a cryptanalysis of the Kryha machine by Friedman did not require as much time and is described in the ''2 Hours, 41 Minutes,'' a chapter in Machine Cryptography and Modern Cryptanalysis [Devoirs and Ruth, 1985].

from ''Computer Security and Cryptography'', Alan G. Konheim.

Clone Drives?

If it exceeds the life of the drive theres an easy way to just clone the drive or remove the platters and put them into another hard drive (yeah very sensitive operation likely requiring the conditions of a clean room).

Its hard to make something undefeatable and if you claim such it is only going to attract people as a challenge. Maybe that is what they want?

Of course if someone proves that it isnt 'impossible' then does that void the patent?

Hard disk life

The hard disk must have a really short life :/

Yet another reason not to get a Series3 TiVo

I have two Series2 units and I love them. But there's no way in hell I'd spend PS3-level prices on a Series3 recorder, especially with the lack of TivoToGo and now this bullshit.

Look, if I buy a device that has a hard drive in it, that hard drive is mine. The data on it is mine. If you don't want me to access it from the "wrong" host, maybe you shouldn't have sold it in the first place. You can have all the control you want over that hard drive while it's gathering dust in your warehouse.

Re:Yet another reason not to get a Series3 TiVo

This is the reason why SageTV, MythTV, and other free-to-do-what-I-want-to-PVR-software for the computer is the way to go. PVRs that try to control what we can record, when we can fast forward, and what we can do with the recorded content aren't giving the consumers what they want. You can buy a $300 PC, add a $100 TV Tuner, and buy a copy of sageTV for $80 (because setting up MythTV is more complicated than it should be), and you have a complete PVR that doesn't try to control what you do. You can even get it with an IR Blaster to control that set top box.

Blog spam is just plain wrong

it's an interesting solution for solving the problem of securing networks.

This has nothing to do with networks at all. The patent is about making sure a hard disk can only talk to a certain host.

Its just another attempt to prevent people form using their own hardware how they want to.

Why so much effort

... to work against the consumer?

Re:Why so much effort

because the consumer is not their customer.

Re:I've done this before just for fun.

Essentially they are claiming: Using a wire-secure challenge system between a hard drive and a host.

In the text they mention prior art of both:
1. Using a challenge system between a hard drive and a host
2. a wire-secure challenge system

Even if no one has ever put cryptographic functions into a hard drive (I'd be surprised) virtually every cryptography paper talks about all of the communications in the only meaningful terms, abstract ones, implying in a way obvious to non-experts that it can be used between any equipment.

This, like many other bad patents, is at best a land-grab for a specific piece of territory so well discovered, mapped, and understood that claiming a portion of it is just ridiculous.

New Marketing Tool

Make a security claim so wild that every hacker will buy your product to try to crack it. $$$$

Re:Man in the middle?

The claim in the patent is simply using one of many man-in-the-middle resistant challenge/response methods to avoid exactly this. A much more interesting attack is to emulate the environment of the host, and get it to unlock the disk for you, or to sniff the unencrypted actual data off the wire. This is more an obstacle of convenience than one of actual security. They don't want one person finding the key and using it to write computer software so you can toss your drive from the DVR right into the computer to rip video without special hardware.

Nothing Is Unhackable

When I was a wee tot, I remember seeing a single-panel _Dennis The Menace_ cartoon. The cartoon itself had Dennis' father at a boardroom-type table with a few other people, his briefcase open, and various parts spilling out. The caption was something like "Gentlemen, our new bathroom scale did not pass the 'Dennis test'. We cannot refer to it as 'unbreakable'".

Since then, whenever I've heard about something claiming to be unbreakable, I picture a very broken bathroom scale...

can we get the old hahaha tag now

I love it when someone says that 'x' can't be done.... that is sure to bring on the people that show it can be done

A good way to lose their business

I know that I'm probably not their target audience, but the one reason that I have two subscribed tivos is that I can hack them and disable the DRM and generally they've been pretty cool about it. But the day they lock me out of my one boxes is the day that I cancel my subscriptions and either continue with the hardware on my own or switch to MythTV.

Read the patent...

It's basically just a DRM-machination with the cryptography on chip. Basically, the same that AACS has on HD-DVD, and the patent specifies that guessing the password woud take longer than the lifetime of a drive. Euhm, I guess even guessing 56-bits encryption would be enough.

The problem is still, the user has HIS content, he can do whatever he wants with it as long as he can see it. Unless you encrypt the lightwaves that reach our eyes and plant a DRM chip in our brain, we're going to be able to copy your precious content.

Re:Read the patent...

Nope, no encryption; just hash-based Challenge-response authentication [wikipedia.org].

It's the diffie-helman key exchange

An authentication system for securing information within a disk drive to be read and written to only by a specific host computer such that it is difficult or impossible to access the drive by any system other than a designated host is disclosed. While the invention is similar in intent to a password scheme, it significantly more secure. The invention thus provides a secure environment for important information stored within a disk drive. The information can only be accessed by a host if the host can respond to random challenges asked by the disk drive. The host's responses are generated using a cryptography chip processing a specific algorithm. This technique allows the disk drive and the host to communicate using a coded security system where attempts to break the code and choose the correct password take longer to learn than the useful life of the disk drive itself.

Drive sends random junk. Host responds with digital signature on random junk. Drive verifies signature. It's a diffie-hellman key exchange derived system called a digital signature. RSA and DSA (El Gamal is DSA's corresponding cryptosystem) are examples.

BeyondTV

I use BeyondTV and couldn't be happier. No restrictions. They also have SmartChapters which identify distinct blocks of video (cough, commercials, cough). I can also burn to DVD with an extra plugin. You get free TV listings - you just have to buy the software. Sure - they get you with upgrades, but you can choose not to upgrade.

Cryptographic Challenge-Response Authentication?

"The information can only be accessed by a host if the host can respond to random challenges asked by the disk drive. The host's responses are generated using a cryptography chip processing a specific algorithm. This technique allows the disk drive and the host to communicate using a coded security system where attempts to break the code and choose the correct password take longer to learn than the useful life of the disk drive itself."

In what novel way - or any way for that matter - does this differ from standard cryptographic challenge-response authentication? I mean, maybe they are using an extremely long generated series of psuedorandom keys, secrets, responses, or all 3 but I don't see how that is novel. Or perhaps incorrect responses result in the disk controller becoming non-responsive for a short period to increase the time required to exhaust the series, but that isn't novel either.

Any ideas?

How is this news?

It's not like good crypto is hard to come by. I mean if I pick a good password with AES you aren't cracking that in your lifetime, much less the life of a harddrive. The problem isn't a good password, the problem is that DRM tries to use crypto for something it isn't made for. Crypto is about keeping out non trusted parties. That's how SSH works. You have the key, the server has the key and thus only you and the server can decrypt the traffic. Anyone else can capture everything if they want, and they are going to get all of nowhere with it.

The problem with DRM is that the person who is the recipient is also one of the people they want to keep out. This creates a problem: To decrypt the message (by message I mean whatever they are giving you, video, song, game, whatever) you have to give them the key. However, if they have the key, well then they can decrypt it and do what they want with it.

This leads to all the tricky, and ineffective, stuff we see these days. They try to hide the key so that only the device can find it and you can't get at it. Well that just don't work. It can make it so it isn't as simple as just copying a disk, but as we've seen with the AACS break, you can't hide that shit from a determined attacker. The key IS on there, it CAN be found.

So I don't care how good their password scheme is. AES-256 with a 64 character password is good enough to last until the sun goes dark (or at least until quantum computing becomes a reality) but that doesn't buy you anything if you have to hand out the key as part of your scheme as is required by DRM.

Why It Does and Does Not Matter

Quickly, before Cringely ruins it with bad math, I need to point out some very obvious weaknesses in making this work correctly:

• SHA-1 has been (somewhat) broken [schneier.com]. Not highly repeatable yet, but they're getting there.
• Encryption does not hide a message forever. Most of us picked up on that in one form or another. It just hides it long enough to make the information useless. If I can only break a single machine 6 years after it was written, the video isn't going to be very useful to me.
• Good encryption methods assume two things. One is the attacker does not have the key. Smart card attacks have shown [iacr.org] (PDF) that even though an attacker has to guess the key, a poor implementation may provide useful hints during the guessing phase.
• The second assumption is that the message is not highly predicatable. Disk drives are known for having highly-predicable components on them which makes finding the plaintext all that easier.
• These folks are so cocky about SHA-1's entropy space, they claim "there is no need to abort the authentication process from a specific host. For example, there is no need to abort the authentication process if a specific host generates three wrong passwords. " Zeroization [cerberussystems.com] is the only way to do this right. You can also vary this so that after three failures, an automatic delay is introduced to slow down the guessing.
• Reading the patent text indicates that new "commands" will be added. No mention of a bus protocol (ATA or SCSI) is mentioned. Presumably, they won't make the drives themselves, so it will need standardized. The hard drive community is open to using patents, but only if the terms are reasonable or a cross-licensing deal is in the works. If this is a forced attempt, it will fail miserably or cost so much that the drives will be considered custom, low-volume, high-cost components.
• The likelihood of them screwing the implementation up are so high, they should pursue FIPS 140-1 [cerberussystems.com] certification for every hard drive made. Then, the patent can apply outside the domain of Tivo.
• This scheme works better as a general hard drive protection measure than for a Tivo. People who own a Tivo might probe the memory chips for the crypographic module to sweep for the drive or system keys. AACS recent events ought to make it obvious that people are motivated to do this. The general case may prevent a lost hard drive from being very useful.
• It would appear that the cryptographic module does NOT actually encrypt data on the platters. It seems to only cover communication between the host and the disk controller. If an attacker were to replace the circuit board with one whose path was trusted, they could read the platters without issue. They do this all the time in the hard drive repair business; no clean room required.

Okay, you all can go back to your regularly scheduled cheap shots.

Paging...

Paging DVD Jon. Report to the TiVo on Deck 7.

what if i made some 1:1 s?

FTA: According to the patent, they've invented a way to create password security that is so tough, it would take you longer than the life of a hard drive in order to figure it out.

So it's security is that a brute-force/birthday attack is just so improbable that the drive will wear out before i can test enough possibilities to have a measurable chance of getting it? Besides, twofish, blowfish, AES, any virtually any other standard encryption algorithm could boast the same thing. Tell me if I'm wrong, but couldn't i make a bunch of 1:1 copies of the disk and use those to crack it?

I'm no security expert...

but I do know this nifty card trick:

Give your friend a deck of cards. Turn around and have them shuffle it, select a card at random, memorize the card and put it back in the deck. Have them shuffle it some more (without you looking at it). Take the deck from them and take a card from it and say 'this was your card'.

In the long run, you'll be right about 1 in 52 times. If you happen to be right the first time with a particular friend, and never do the trick again, they will be scratching their head for a long time trying to figure out how you did it.

So, the point I'm trying to make is that it could take longer than the life of a hard drive to crack the super secret code, or you get get it right on the first guess (or the second one, or the third one...). So it seems rather silly to claim that it is uncrackable.

This patent sucks

That is a dreadful patent, and it would be ridiculous to see it issued; hardware challenge-response dates back to at least the first IFF machines in the second world war, they're not even mentioning having a deliberately slow password-hashing algorithm, which is itself at least as old as UNIX, and the technique is vulnerable to bump-in-the-ATA-cable extraction of the data from the disc in the first place, and probably also to an attack where you swap the drive controller board for one from a drive of similar model without Special Tivo Sauce.