CD/DVD Copy Protection

Tim Güneysu, 02/12/2004. Advanced Seminar for ITS, Ruhr-Universität Bochum, Chair for Communication Security. Advisor: André Weimerskirch


Contents
1. Introduction
2. Specifying the Medium
2.1. Characteristics of an Optical Data Medium
2.2. CD Specifications
2.2.1. Red Book
2.2.2. Yellow Book
2.3. DVD Specifications
2.3.1. DVD-ROM
2.3.2. DVD-Video
3. Copy Protection in Theory
3.1. Target Applications and Business Areas
3.2. Classification of Protections
3.2.1. Abusing the Medium Specification
3.2.2. Injecting Read Errors Intentionally
3.2.3. Verification of the Original
3.2.4. Digital Signatures and Cryptography
4. Protection Implementations
4.1. Protecting Data on CD-ROMs
4.1.1. Suitable Approaches for Data Protection
4.1.2. Implementations providing Data Protection
4.1.3. Efficiency of recent Data Protection Mechanisms
4.2. Protecting Audio Content on CD-DAs
4.2.1. Suitable Approaches for Audio Protection
4.2.2. Implementations providing Audio Protection
4.2.3. Efficiency of recent Audio Protection Mechanisms
4.3. Protecting Data on DVD-ROMs
4.3.1. Suitable Approaches for Data Protection
4.3.2. Implementations providing Data Protection
4.3.3. Efficiency of recent Data Protections
4.4. Protecting Video Content on DVD-Video Disks
4.4.1. Suitable Approaches for Video Protection
4.4.2. Implementations providing Video Protection
4.4.3. Efficiency of recent Video Protection Implementations
5. Legal Aspects
5.1. Digital Rights Protection in Germany
5.2. Circumventing Copy Protections
6. Conclusions
A. Appendix
A.1. Listing of CD Protections
A.2. Listing of CD & DVD Protections
1. Introduction
This paper was written for the advanced seminar "CD and DVD Copy Protection", taken during the author's ITS master studies at the Ruhr-Universität Bochum. It gives an overview of mechanisms, technologies, and available implementations for protecting optical media discs, a widespread commodity, against further and uncontrolled replication. It will further outline options for circumventing and deactivating copy protections of optical media, but of course without giving details. This report definitely refuses to be considered as some sort of a hacker's guide to rip contents illegally from Compact Disks (CD) and Digital Versatile Disks (DVD). As a first step into the jungle of protection systems, this paper will classify and assess the operation and performance of several copy protection schemes.
But to do so, it is first required to introduce the reader to the limitations and specification of the considered media. This information will be necessary for understanding the different variants of hardware based copy protections.
The next topic is dedicated to available protections suitable for preventing a CD from being duplicated without authorization. This chapter will also discuss diverse implementation approaches to assess their means and effectiveness. This includes a presentation of ways to break inefficient CD based protection mechanisms. To account for the different options for CD contents, such as data and audio, both content types will be evaluated separately.
Accordingly, the DVD as second medium is analyzed using the same criteria as already determined for the CD evaluation.
As a last important point, the legal aspects of making copies of protected and unprotected media, and of employing and developing tools to support this action, are highlighted in a separate chapter. The discussion of regulations in public laws will give a clue whether authors and originators of content and software will receive backing from a country's legislature. For simplicity, this part will only relate to German laws.
Finally, the employment of copy protections for optical media will be discussed as a whole, with respect to what needs to be improved and whether it makes sense to ship products with copy protections.
2. Specifying the Medium
2.1. Characteristics of an Optical Data Medium
It is worth having a closer look at the medium itself. This basic information will help to get a more thorough understanding of protection mechanisms and their technical operation. Both the Compact Disk (CD) and the Digital Versatile Disk (DVD) are disks of normally 12 cm diameter and 1.2 mm thickness. Commonly, the physical body of such an optical medium is called the dye.
The disk dye itself comprises a sandwich of a polycarbonate substrate containing pits molded into the upper surface and coated with aluminum. This layer is then protected by a lacquer on which the disk label is printed.
The dye for CDs and DVDs has a centric hole of 15 mm diameter. The audio or computer data is stored between two disk circles of 25 mm (after the lead-in) and 58 mm maximum, where the lead-out starts. The basic layout of a CD/DVD is depicted in Figure 2.1. Data on an optical disk medium is stored using two states which are represented on the surface, the so-called pits and lands [Ser02a]. A laser beam is required to focus on the data lane consisting of pits and lands through the clear optical grade polycarbonate plastic.
Figure 2.1.: CD/DVD Layout
The data on the disk is divided into three main areas:
• Lead-in (from 23 mm to 25 mm on disk) which contains digital silence in the main channel plus the Table of Contents (TOC) in a subcode Q-channel. It also allows the laser pickup head to follow the pits and to synchronize to the audio or computer data before the start of the program area. The length of the lead-in is determined by the need to store the Table of Contents for up to 99 tracks. A track is a data segment which is placed in one sequence on the disk and represents a logical data group.
• Program area (from 25 mm to at most 58 mm) contains up to about 80 minutes or 700 MB of data divided into a maximum of 99 tracks.
• Lead-out contains digital silence or zero data. This defines the end of the CD program area.
2.2. CD Specifications
On a CD the data is stored in a helix of pits and lands, where pits are about 0.12 microns deep and their length varies from 0.8 microns minimum (3 units in length) to 3 microns maximum (11 units in length) depending on the data. The laser which reads out the bits represented by pits and lands operates at a wavelength of 780 nm [Ser02a]. The data is arranged in sectors, which are the smallest addressable unit for a CD-ROM device operating according to the Yellow Book specification. Each sector is composed of 98 frames; a frame is a subunit containing basic data segments: a laser synchronization area, a set of subchannels or control code, 24 bytes of data payload and an error correction code. Frames are intricately interleaved so that damage to the disk will not destroy any single frame, but only small parts of many frames [Sto00].
The subchannels play an important role for copy protection systems. They are defined as eight separate one-bit channels, each designated by a character from P to W. The subchannels are important for defining the Lead-In, Lead-Out and Track areas of a disk (P-Channel) as well as the complete TOC or the remaining time index (Q-Channel). It should be noted that not all subchannels are in use (R-W are usually empty for most formats).
After this short discussion of the physics of the disk dye, the logical disk structure is highlighted next. Several different formats for arranging data on CDs have been defined. Those "books" of the Compact Disk family were named for the color of the binder covers in which the specification was issued. Red Book is the specification for CD Audio, Yellow Book is CD-ROM, Orange Book is CD Recordable, Green Book is CD interactive (CD-i), Blue Book is Enhanced CD, and White Book is Video CD. All of these books are based on the Red Book physical disk specification, but some also define the types of content the disk may contain, such as 44.1 MHz PCM audio for Red Book, and MPEG 1 video for White Book. Other disk formats, such as Mixed Mode or HFS, do not have books, but are logical variations of one or more of the book formats. For example, the Yellow Book defines CD-ROM as far as the physical characteristics of the disk, addressing schemes, and error correction are concerned, but the file system and type of content can be user defined. A Yellow Book disk could use the HFS file system, the ISO 9660 file system, or a user-defined file system, and could contain text, raw data, or multimedia elements. As copy protections are usually only deployed on Red and Yellow Book CDs, those standards will be the subject of investigation in the following.
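The eight one-bit subchannels described in this section can be separated in a few lines. The following is an added example, not code from the paper: it assumes the usual raw layout of 96 subcode bytes per sector (the 98 frames minus two sync symbols) with bit 7 carrying P and bit 0 carrying W, and the standard program-area Q-channel layout with its inverted CRC-16; the sample sector is constructed.

```python
CHANNELS = "PQRSTUVW"   # bit 7 of every subcode byte belongs to P, bit 0 to W

def demux_subcode(raw96):
    """Split 96 interleaved subcode bytes into eight 12-byte channels."""
    if len(raw96) != 96:
        raise ValueError("expected 96 subcode bytes per sector")
    out = {}
    for c, name in enumerate(CHANNELS):
        bits = 0
        for byte in raw96:
            bits = (bits << 1) | ((byte >> (7 - c)) & 1)
        out[name] = bits.to_bytes(12, "big")
    return out

def mux_subcode(channels):
    """Inverse of demux_subcode; used here only to build the sample."""
    raw = bytearray(96)
    for c, name in enumerate(CHANNELS):
        bits = int.from_bytes(channels[name], "big")
        for i in range(96):
            if (bits >> (95 - i)) & 1:
                raw[i] |= 0x80 >> c
    return bytes(raw)

def crc16_q(data):
    """CRC-16 (polynomial 0x1021, start value 0), stored inverted on disc."""
    crc = 0
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc ^ 0xFFFF

def to_bcd(n):
    return ((n // 10) << 4) | (n % 10)

def from_bcd(b):
    return (b >> 4) * 10 + (b & 0x0F)

def build_q(control, track, index, rel_msf, abs_msf):
    """Constructed program-area Q frame in position mode (ADR = 1)."""
    body = bytes([(control << 4) | 1, to_bcd(track), to_bcd(index),
                  *map(to_bcd, rel_msf), 0, *map(to_bcd, abs_msf)])
    return body + crc16_q(body).to_bytes(2, "big")

def decode_q(q):
    """Decode a 12-byte Q frame; fields are trusted only if the CRC matches."""
    control, adr = q[0] >> 4, q[0] & 0x0F
    info = {
        "crc_ok": int.from_bytes(q[10:12], "big") == crc16_q(q[:10]),
        "adr": adr,
        "data_track": bool(control & 0x4),      # Yellow Book data vs. audio
        "copy_permitted": bool(control & 0x2),  # digital copy permitted flag
    }
    if info["crc_ok"] and adr == 1:             # lead-in/lead-out differ
        info["track"] = from_bcd(q[1])
        info["index"] = from_bcd(q[2])
        info["relative_msf"] = tuple(from_bcd(b) for b in q[3:6])
        info["absolute_msf"] = tuple(from_bcd(b) for b in q[7:10])
    return info

def sample_subcode():
    """Constructed sample: data track 1 at 00:02:16, P and R-W empty."""
    channels = {name: bytes(12) for name in CHANNELS}
    channels["Q"] = build_q(0x4, 1, 1, (0, 0, 16), (0, 2, 16))
    return mux_subcode(channels)

if __name__ == "__main__":
    demuxed = demux_subcode(sample_subcode())
    print(decode_q(demuxed["Q"]))
    print("R-W empty:", all(demuxed[c] == bytes(12) for c in "RSTUVW"))
```

Non-empty R-W channels or Q frames with a failing CRC are what an analyst looks for when checking whether a disc stores anything outside the main channel.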
2.2.1. Red Book
The Red Book, which defines CD-Audio, is the compact disk pioneer. The CD was created, after all, to be nothing more or less than a universal delivery medium for one type of content only, namely music digitized at 44,100 samples per second (44.1 kHz) in a range of 65,536 possible discrete values (16 bits). The resulting logical format, the Red Book, or Compact Disc-Digital Audio (CD-DA), was defined by Philips N.V. and Sony Corporation in 1980.
Data on an audio disk is organized into frames in order to ensure a constant read rate. Each frame consists of 24 bytes of user data, plus synchronization, error correction, and control and display bits. One of the first crucial things to understand about CD-Audio is that its data is not arranged in distinct physical units. Instead, one frame is interleaved with many other frames so that a scratch or defect in the disk will not destroy a single frame beyond correction. Rather, a scratch will destroy a small portion of many frames, all of which can be recovered. It is important to note that at this point the frame-to-sector grouping has not taken place [Ser02a].
2.2.2. Yellow Book
If Red Book is the father of all CD formats, Yellow Book is the mother. Red Book is actually the basis for and an integral part of Yellow Book, which defines CD-ROM, or Compact Disk-Read Only Memory, announced by Philips and Sony in 1983. CD-ROM was originally seen as a way to allow digitized content, including but not limited to audio, to benefit from the capacity, durability, and economies of scale that were rapidly making compact disk audio a big success. Yellow Book is the disk specification that gave birth to all the variations on a CD scheme that make CD formats so versatile and confusing.
Rather than redefining the physical format, it was decided to adapt the physical format of Red Book for storage of computer data. At its lowest level, the Yellow Book specification for CD-ROM is nearly identical to Red Book, in that it retains the TOC, Lead In, Program area, Lead Out, and basic error correction. But the next level of Yellow Book reorganizes the frames defined in Red Book into sectors (98 frames, or 2,352 bytes per sector) and adds another layer of error detection and correction. The extra error correction information, at 288 bytes per sector, plus 12 bytes of sync and 4 bytes of header, reduces the available sector space for user data to 2,048 bytes. Addresses of sectors are expressed as minutes, seconds, and sectors (MM:SS:SS). Yellow Book stops there, however, leaving it up to the CD-ROM developer to decide how to arrange sectors into logical blocks and logical blocks into files. And that is the first step into the complexity of CD, in the form of Mode 1 and Mode 2.
The Yellow Book specification defines two data structures: Mode 1 and Mode 2. The mode byte, which is included in the header field of a CD-ROM sector, describes the type of data contained in the data field. Mode 1 denotes CD-ROM data with Error Correction Code (ECC), which provides space for 2,048 bytes of user data in each frame. It is the mode used to store data that is unforgiving of error, like computer programs or databases. Mode 2 denotes a sector with data stored without ECC, which provides more room (2,336 bytes) for user data, but which is typically used for data that is more tolerant of error, like audio, video, or graphics [Ser02a].
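The sector layout above can be checked mechanically on a raw 2,352-byte sector. The following is an added example, not code from the paper: it assumes the standard Yellow Book details the text does not spell out (the sync byte pattern, BCD-coded address bytes, 75 sectors per second, a 150-sector offset for logical block 0, and the 288 extra bytes split as 4 EDC + 8 reserved + 276 ECC); the sample sectors are constructed and their ECC parity is left at zero.

```python
import struct

SECTOR_SIZE = 2352                        # 98 frames x 24 bytes
SYNC = b"\x00" + b"\xff" * 10 + b"\x00"   # 12-byte sync field
SECTORS_PER_SECOND = 75
PREGAP_SECTORS = 150                      # address 00:02:00 is logical block 0

def _edc_table():
    table = []
    for i in range(256):
        r = i
        for _ in range(8):
            r = (r >> 1) ^ (0xD8018001 if r & 1 else 0)
        table.append(r)
    return table

_EDC = _edc_table()

def edc(data):
    """32-bit error detection code over sync + header + user data."""
    r = 0
    for b in data:
        r = (r >> 8) ^ _EDC[(r ^ b) & 0xFF]
    return r

def from_bcd(b):
    hi, lo = b >> 4, b & 0x0F
    if hi > 9 or lo > 9:
        raise ValueError("not a BCD byte: 0x%02x" % b)
    return hi * 10 + lo

def to_bcd(n):
    return ((n // 10) << 4) | (n % 10)

def parse_sector(raw):
    """Decode header and user data of one raw sector and verify its EDC."""
    if len(raw) != SECTOR_SIZE:
        raise ValueError("a raw sector is %d bytes" % SECTOR_SIZE)
    minute, second, sector = (from_bcd(b) for b in raw[12:15])
    mode = raw[15]                        # mode byte in the 4-byte header
    info = {
        "sync_ok": raw[:12] == SYNC,
        "msf": (minute, second, sector),
        "lba": (minute * 60 + second) * SECTORS_PER_SECOND
               + sector - PREGAP_SECTORS,
        "mode": mode,
    }
    if mode == 1:                         # 2,048 bytes of data, then EDC/ECC
        info["user_data"] = raw[16:2064]
        stored = struct.unpack_from("<I", raw, 2064)[0]
        info["edc_ok"] = stored == edc(raw[:2064])
    elif mode == 2:                       # 2,336 bytes, no extra EDC/ECC layer
        info["user_data"] = raw[16:]
        info["edc_ok"] = None
    else:
        raise ValueError("unsupported mode byte %d" % mode)
    return info

def build_sector(lba, mode, payload):
    """Constructed sample sector (ECC parity bytes are left at zero)."""
    total = lba + PREGAP_SECTORS
    header = bytes([to_bcd(total // (60 * SECTORS_PER_SECOND)),
                    to_bcd(total // SECTORS_PER_SECOND % 60),
                    to_bcd(total % SECTORS_PER_SECOND), mode])
    size = 2048 if mode == 1 else 2336
    raw = SYNC + header + payload.ljust(size, b"\x00")[:size]
    if mode == 1:
        raw += struct.pack("<I", edc(raw)) + bytes(8) + bytes(276)
    return raw

if __name__ == "__main__":
    good = build_sector(16, 1, b"constructed sample payload")
    damaged = bytearray(good)
    damaged[100] ^= 0xFF                  # corrupt one byte of user data
    for name, sec in (("good", good), ("damaged", bytes(damaged))):
        info = parse_sector(sec)
        print(name, info["msf"], info["lba"], info["mode"], info["edc_ok"])
```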
It is important to note the ability of Yellow Book to manage multi-sessions. Multi-session means to continue writing data to a CD though a previous recording session was already applied and finished. This feature is very useful especially considering when appending additional files to a file system residing on an optical disk later on.
2.3. DVD Specifications
The Digital Versatile Disk (DVD) is a high capacity CD-dimensioned disk for video, multimedia, games and audio applications. Physical dimensions are in principle identical to the compact disk, except for a bonding of several layers of polycarbonate instead of a single one. Capacities for the read-only disk are by far larger than for a CD and range from 4.7GB to 17.1GB [Ser02b]. With the success of the compact disk there has been a clear need for a higher capacity format to meet additional application requirements like the following.
• DVD-Video, which was launched in 1997 in the USA, has become the most successful of all the DVD formats, as it has proved to be an ideal vehicle for distributing video content from the movie industry. It can store a full-length movie of high quality video with surround sound audio.
• DVD-ROM is beginning to replace the CD-ROM and provides a new high capacity disk format for the computer industry. New PCs are now provided with DVD drives instead of CD drives. The entertainment industry has developed new game consoles (e.g. Sony's PS2 and Microsoft's X-Box) which incorporate DVD-ROM drives for more sophisticated and realistic games.
• DVD-Audio, which was launched in 2000, is slowly gathering momentum to become the format for very high quality, surround sound music, offering the music industry new revenue opportunities. Thus, it will not play a major role in further investigation of copy protection mechanisms.
• Recordable formats such as DVD-RAM, DVD-RW and DVD-R are now being extensively used in PCs for computer backup and in standalone products such as video recorders and camcorders.
2.3.1. DVD-ROM
The DVD-ROM was designed to have logical characteristics similar to the CD-ROM. The main intention for the development process was to achieve a medium with more capacity than a CD-ROM but the same features. But it is not that simple. The filesystem ISO 9660, which is commonly used for CD-ROMs, is capable of addressing 4GB of sectors. At 2,048 bytes of user data per sector, that is around eight terabytes of addressable data in a single volume. Furthermore, ISO 9660 is capable of addressing a maximum file size of 4GB. However, in the real-world implementations of ISO 9660, drivers and redirectors such as MSCDEX and CDFS are capable of addressing only 2GB of data, and files of up to 2GB in size. This 2GB limitation is not exclusively the property of CD-ROM, however; most operating systems are limited to reading 2GB as a restriction of a 32-bit system.
The new file system that DVD-ROM uses is officially defined as "ISO 9660 and Micro UDF"; however, there may be good reasons to leave ISO 9660 behind when making the move to DVD. UDF is capable of addressing 18 quintillion, or 18 billion bytes of data. That seems sufficient for today, and certainly for most of our future needs. But the real beauty of UDF is that it can offer the true cross-platform universality that ISO 9660 attempted.
2.3.2. DVD-Video
DVD Video is identical to DVD ROM up to the application level. For DVD Video, the application layer is defined as the type of video codec, audio compression, navigational commands, auxiliary files, and other data types it may contain. Only a DVD disk that conforms to these definitions will play on a DVD Video player. If a DVD-ROM disk not developed to the DVD Video application layer was inserted into the player, the player would not recognize it as a DVD.
The DVD Video specification is by far the most detailed, largest, and most restrictive of the DVD format books, and far beyond the scope of this report to cover in detail. The format defines MPEG 2 variable bit rate video, alternate camera angles, multiple aspect ratios, interactive menus with chapter breaks, parental, presentation, and navigational controls; Dolby AC-3, MPEG 2, or Linear PCM audio; Stereo or Surround Sound; up to eight sound tracks (for foreign languages); and 32 subpicture streams (for subtitles). The output from a DVD Video disk is not an MPEG 2 digital video stream, but a stream of all of these elements multiplexed together. In addition, most DVD Video discs use Macrovision Colorstripe encoding for digital to analog copy protection, and CSS (Content Scrambling System) encryption to prevent digital to digital copying. The latter type of copy protection will be highlighted more thoroughly in the next chapters.
3. Copy Protection in Theory
3.1. Target Applications and Business Areas
What is the reason that copy protection is required? Software piracy grew from 37 percent in 2000 to 40 percent in 2001 around the world, according to the Business Software Alliance's (BSA) seventh annual survey on global software piracy. It is expected that software and content piracy will cause a major impact on the income of owners, as stated by the following figures. The Recording Industry Association (RIAA) says they were more successful in holding up illegal operations in 2001 than they were in 2000. Raids on more than 230 distribution operations and more than 145 manufacturing operations led to the seizure of 2.8 million unauthorized CD-Rs. Raids aside, the RIAA says the music industry loses more than $1 billion per year from the illegal activities conducted in the world's four leading pirate marketplaces: Brazil, China, Russia, and Mexico. Not including losses resulting from Internet piracy, the sale of pirate recordings exceeds $4.2 billion worldwide.
It is obvious that some sort of mechanism needs to be found to reduce the impact of losses caused by uncontrolled content duplication and software piracy. So, what are the areas of business in which copy protection against unauthorized replication and distribution is supposed to help?
• Audio (CD-DA)
• Video (DVD-Video)
3.2. Classification of Protections
Although it is an obvious necessity for protection systems to minimize piracy with CDs and DVDs, this is not a trivial task. The following requirements apply:
First, an original compact disk must always permit reading to allow access to the stored data. Second, it is clear that a duplication of content means that the data is read from the original as well, with the only difference that this operation is dedicated to creating another copy. But how is it possible for the optical system to detect whether the data is just used for its intended purpose or is going to be replicated? A second requirement is that the copy protection must guarantee availability of the medium; this means the protection may not influence its compatibility with respect to being played in various environments and devices.
Third, due to the fact that a CD is considered a commodity, a protection mechanism may not increase the production costs in a significant manner. Otherwise, if the additional financial burden of affording the protected CD is unacceptably high for a customer, he or she might feel especially forced to obtain the content illegally by private duplication.
It is rather obvious that all requirements contradict each other, resulting in a need for a trade-off between protection benefits, financial efforts and compatibility issues. Having highlighted the requirements for protection mechanisms, the next step is to classify the different types and ways of reducing the threat of undesired medium replication.
The techniques for protection can be organized into four different flavors and protection classes, respectively:
• Abusing the Medium Specification (A)
• Intentionally Injecting Read Errors (B)
• Verification of the Original (C)
• Digital Signatures and Cryptography (D)
The protection classes will differ in their efficiency and additional cost - in monetary and computational sense. The means to apply such a copy protection class to an optical disk is described by the following sections.
3.2.1. Abusing the Medium Specification
The integrity and structure of an optical medium like a CD or DVD is described by a standard like the Red, Yellow or other colored book and the DVD-5/9/10/17 specifications. A lot of copy protections are based on the idea that some content replaying devices are more 'intelligent' than others. A digital trap will prevent the 'smarter' ones from using their built-in advantage for creating a copy.
Exactly this is the situation for CD-DA disks specified after the Red Book standard. They are manipulated in such a way that they will work fine with (at least most of) all CD audio players, which only know how to read Red Book CDs, but will probably fail when inserted into CD-ROM drives, which are capable of dealing with Yellow Book CDs, because those more advanced features from the Yellow Book standard have been disrupted and cause the 'smarter' device to get stuck. This is definitely the most naive approach to protect a medium, but on the other hand it is of course a rather cheap way, as it just requires some minor modifications to the format of the original disk. By the way, this protection type using format deviation is a very simple technique and is usually only applied for protecting Red Book or audio CDs.
3.2.2. Injecting Read Errors Intentionally
Another scheme to prevent disk copying is to inject errors on the disks in less important areas which should cause a copy process reading the entire disk for a full one-to-one copy to fail. This protection type is usually employed with data bound media (CD-ROM, DVD-ROM). Usually, it requires a software on the disk that can check for the presence of these security characteristics, namely defective sectors. If those could not be found as the disk is an unauthorized replica on which the disk errors were corrected during the replication process, the software should complain about the copy and exit. To inject read errors into media requires the usage of specially crafted devices and software capable to modify the frame format or designated parts of it. In general, this demands more sophisticated systems or even specially equipped CD reproduction facilities to produce such ’modified’ disks.
3.2.3. Verification of the Original
This type of protection relies basically on fingerprinting techniques which will identify a master or original disk from a copy. There are some aspects in the CD/DVD production process which might be used to distinguish between media incorporating the same content uniquely. Again, this technique is only suitable for disk containing software which is capable to scan for the required security characteristics.
3.2.4. Digital Signatures and Cryptography
Another option for copy prevention is the application of digital signatures and cryptography. Although the employment of cryptographic mechanisms might look to be the most promising idea, it should be clear that the only medium which could hold the signature or the key is the disk itself. Thus, as the cryptographic element is placed on the disk, it might easily be compromised if its exact location is known. Of course, this option requires a verification engine which performs a check of the signature's validity. The validation process can occur either by hardware (DVD-Video) or software (CD-ROM, DVD-ROM).
4. Protection Implementations
The following chapter will discuss recent implementations of copy protections. For a better overview it will highlight protections for CDs and DVDs separately.
4.1. Protecting Data on CD-ROMs
As a first step, the protection of Compact Disks created according to the Yellow Book standard is discussed. This includes the media for data and file system oriented content like software products and games.
4.1.1. Suitable Approaches for Data Protection
Common techniques to protect data disks make use of all protection classes as stated in chapter 3.2, i.e. format deviations, read errors, the verification of the original and the application of cryptography.
4.1.2. Implementations providing Data Protection
The simplest implementation which can be applied to Yellow Book compliant CDs to reduce the risk of unauthorized duplication is the manipulation of the disk's file system on which the software or data is written. This should be considered a class (A) protection. Here, it is common practice either to create files which seem too large to fit onto the medium (e.g. 6 GB) when a copy is attempted, by just faking the file size in the catalog, or to use doubly referenced blocks, or even to store more data on the CD than would be expected. There are original CDs which show a total capacity of data greater than the available size of common recordable disks (e.g. 706 MB) [Gra03]. This type of copy protection is suitable to prevent the user from copying the contents of the disk on a file per file basis.
The class (B) protection, the creation of unreadable areas, is intended to doom an attempt at a one-to-one copy. The defective sectors which were injected into the discs are usually part of unused space or files. Defective blocks can be created by manipulating the error correction code in such a fashion that a correction by hardware is not possible and just results in triggering an error escalation mechanism. A more profound approach is the disruption of entire frames by playing around with the sync pattern of each frame, which will cause the disk drive's laser to lose synchronization while following the data helix. Where an unqualified correction code might still be copied using a raw copy mode of a replication device, a loss of synchronization on the medium will usually cause a failure of the copy process when a sequential read is attempted.
Another technique of class (B) protection is the use of so-called 'Weak Sectors'. At first sight weak sectors look like a collection of useless data. The data consists of a sequence of zeros but it also has special sector groups containing a regular bit pattern. Reading this data will work perfectly in all CD-ROM drives and CD recorders. A regular pattern like this will appear similar to 'XYXYXYXYXYXY'.
Figure 4.1.: Weak Sectors on Optical Media
But when trying to write out these regular bit patterns, there are a lot of recorders that do not support this operation. A CD recorder has to produce the same patterns using its EFM encoder. When a regular bit pattern goes through the EFM encoder it is converted to a smaller value by converting bits to bytes (8 bit = 1 byte) in a predetermined way. But exactly this lookup will fail for a series of widespread CD recorders. Figure 4.1 shows the futile process of weak sector copying. There are rumors that this is a secret arrangement between copy protection and CD recorder manufacturers about the implementation of write failures when a special bit pattern occurs in the input stream [CDF03].
The third class (C) of protection mechanisms includes unique fingerprints on the original disk which allow the software to identify the master with great probability. A first variant provides a check routine verifying the physical angle between the first and last accessible logical block on a CD. This information can be used as input to generate a hash code from the angle information, which can be checked by a software routine against the CD to prove that it is an original. This method works due to the fact that the angle between first and last logical block is different for every disk written by a CD-R writer, due to variably-sized laser calibration areas, different CD-R types, etc. This kind of protection was published and implemented by the CD-Cops protection from the Link Data Security Labs [Gam03a].
A quite simple but effective approach is taken in Sony's SecuROM [Son03]. A specific check routine probes for the existence of a so-called pregroove area which is only present on CD-recordables. The pregroove for CD-R is used to define its size, vendor, maximal recording speed, etc. If such an information block is found, it is certain that the underlying medium is a CD-R copy. Another class (B) option yields the usage of prepared masters containing an already precompiled session which cannot be copied by conventional techniques. A software module again can check for the presence of this session and, in case it is not found, instantly exit with an error message. This technique is implemented by the Hexalock copy protection [Hex03].
But an immediate shutdown is not the only possible way for a copy protection mechanism to behave. The Fade protection prefers a gradual loss of features after the first time a startup from a duplicated disk was performed [Cod01]. Thus, a game based on the Fade protection system will first show all features and will then reduce its options with time, e.g. suddenly it is not possible to raise more funds in an economic game or to trigger the grenade launcher in an Ego-Shooter game. Psychologists promise this to be the more annoying and sustaining type of copy protection, causing the owners of the replica to buy the game with a greater probability than without the gradual loss of features. An abrupt termination is considered to provoke more efforts to break the copy protection than this silent way.
The protection class (D) is concerned with digital signatures and cryptography. It is important to emphasize that all keys and signatures must be placed on the medium itself, reducing its security quite dramatically. For common and standardized CD-ROM devices with no support for advanced cryptography, this will only represent a rather weak solution to protect the disk content, because it means that the key encrypting the content must be placed somewhere on the medium in plain text. The only option to complicate a direct extraction of the cryptographic element from the medium is to hide it away very securely either in the disk subcodes or between defective sectors. A specific software wrapper is responsible for extracting the hidden key from the disk and thereafter decrypting the content using that gathered code.
Currently, there are some implementations available incorporating this type of protection mechanism. SafeDisk [Mac01] and SecuROM [Son03] are the most famous representatives of this kind.
4.1.3. Efficiency of recent Data Protection Mechanisms
Copy protections which rely on abusing the medium or file system specification are in general rather inefficient and simple to deactivate. The security mechanisms of those products can easily be circumvented by simply creating so-called 1:1 Disk-At-Once (DAO) copies. This is a special recording mode of a CD recorder which does not read the original CD per file or track but as a whole. Thus, the file system is not analyzed and the copy process will not detect any problems due to a file-based copy protection.
Protections of class (B) are harder to fool. Because the intentionally injected read errors will be checked by software, two options remain to make a copy. First, the CD is duplicated one-to-one using raw data copy by a duplicator which is able to skip defective sectors quickly. This process might work very efficiently if the frame format is intact and if only the error correction codes are subject to errors. But this process is likely to last several hours, as the extraction of totally corrupted sectors and frames is quite time consuming. As a second step, the software checking for the disk errors needs to be patched. If the check routine is finally eliminated from the code, missing read errors of the copy will not have any effect on the execution of the program.
This is exactly the way to handle the verification mechanisms of class (C) protections. As all of them rely on unique physical characteristics of a medium, the only way to work around the protection is to remove the checking routine from the software.
Digital signatures and other cryptographic elements of class (D) are also mainly dependent on software. Usually, such copy-protected CDs carry wrappers or loaders that encapsulate the actual content. Only when the cryptographic element has been found successfully is the application's startup or content extraction granted. The most promising way to circumvent this problem is to substitute the wrappers or loaders with patched versions which either do the job without requiring the digital signature or introduce a new file (replacing the information from the hidden sectors) in which the key for data decryption is stored.
4.2. Protecting Audio Content on CD-DAs
Audio CDs or Compact Disk Digital Audio (CD-DA) are manufactured according to the Red Book specification. As already mentioned, the Red Book does not encompass all of the features provided by later standards like multisession recording, multiple TOCs, etc. On the other hand, Audio CDs are played by a stand-alone player device with no additional software involved which could be adapted to host some flavor of copy protection mechanism.
4.2.1. Suitable Approaches for Audio Protection
As mentioned in the introduction, the missing capability to employ software-based protections like class (C) and (D) is a limiting factor and restricts the CD-DA to simple TOC manipulations in order to confuse Yellow Book capable CD-ROM devices. This may include the following techniques from class (A):
• Invalid TOC: Incorrect Track Size
• Invalid TOC: Non-existent succeeding TOC
• Multisession: Illegal second session
4.2.2. Implementations providing Audio Protection
Because only protection class (A) is available for CD-DA, there are only a few imaginable implementations. First, it is possible to manipulate the TOC in the Q-Subchannel of the CD-DA with extended features borrowed from the Yellow Book which a standardized audio device is supposed to ignore. But these advanced features are invalid, causing a CD-ROM device to get confused and stuck.
A first way to trick CD-ROM devices is to manipulate the actual track size of each audio track. Most audio players ignore the track size in the Q-Subchannel and just read the data from the track. A more intelligent CD-ROM drive will make use of this falsified information and refuse to copy the huge track.
Another option is the multisession feature of the Yellow Book standard. A Red Book compliant CD-DA is 'extended' by an invalid additional session. This extension can consist either of a corrupt TOC entry pointing to a non-existing session or of a session which contains only totally scrambled data, causing the reading device to look for the session somewhere in nirvana. The latter approach is quite heavily used; a good example is Sony's Key2Audio copy protection [Son02].
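The three class (A) manipulations listed in 4.2.1 and described above can be expressed as consistency checks over a TOC. The following Python code is an added example, not part of the original paper: the TocEntry model (points "01" to "99" for track starts, "A2" for the lead-out, "B0" for the next-session pointer), the 80-minute capacity limit and all sample discs are simplified assumptions constructed for illustration.

```python
from dataclasses import dataclass

FRAMES_PER_SECOND = 75              # CD addressing: 75 frames per second
MAX_DISC_FRAMES = 80 * 60 * 75      # assumption: 80-minute disc capacity


def msf_to_frames(minute, second, frame):
    """Convert a minute:second:frame address to an absolute frame count."""
    return (minute * 60 + second) * FRAMES_PER_SECOND + frame


@dataclass(frozen=True)
class TocEntry:
    session: int
    point: str    # "01".."99" track start, "A2" lead-out start, "B0" next-session start
    msf: tuple    # (minute, second, frame)


def check_toc(entries):
    """Return sorted (code, session, detail) findings; assumes a pressed, closed disc."""
    sessions = {}
    for entry in entries:
        sessions.setdefault(entry.session, []).append(entry)

    findings = []
    prev_leadout = prev_pointer = None
    for number in sorted(sessions):
        items = sessions[number]
        tracks = sorted((int(e.point), msf_to_frames(*e.msf))
                        for e in items if e.point.isdigit())
        leadout = next((msf_to_frames(*e.msf) for e in items if e.point == "A2"), None)
        pointer = next((msf_to_frames(*e.msf) for e in items if e.point == "B0"), None)

        # A track's size is implied by the next boundary (next track or lead-out).
        bounds = [start for _, start in tracks] + ([leadout] if leadout is not None else [])
        for (track_no, start), end in zip(tracks, bounds[1:]):
            if end <= start:
                findings.append(("TRACK_SIZE", number,
                                 f"track {track_no:02d} has no positive length"))
            elif end > MAX_DISC_FRAMES:
                findings.append(("TRACK_SIZE", number,
                                 f"track {track_no:02d} runs past the end of the disc"))

        if not tracks or leadout is None:
            findings.append(("ILLEGAL_SESSION", number, "session lacks tracks or a lead-out"))
        if number > 1:
            if prev_pointer is None:
                findings.append(("ILLEGAL_SESSION", number,
                                 "not announced by the previous session"))
            elif tracks and prev_leadout is not None and tracks[0][1] < prev_leadout:
                findings.append(("ILLEGAL_SESSION", number, "overlaps the previous session"))
        prev_leadout, prev_pointer = leadout, pointer

    # A next-session pointer with no session behind it sends the drive searching.
    for number, items in sessions.items():
        if any(e.point == "B0" for e in items) and number + 1 not in sessions:
            findings.append(("DANGLING_NEXT_SESSION", number,
                             "points to a session that is not on the disc"))
    return sorted(findings)


def codes(entries):
    """Distinct finding codes for a TOC, sorted."""
    return sorted({code for code, _, _ in check_toc(entries)})


# Constructed sample discs (not taken from any real product).
E = TocEntry
CLEAN = [E(1, "01", (0, 2, 0)), E(1, "02", (4, 0, 0)), E(1, "A2", (8, 0, 0))]
OVERSIZE = [E(1, "01", (0, 2, 0)), E(1, "02", (4, 0, 0)), E(1, "A2", (99, 59, 74))]
DANGLING = CLEAN + [E(1, "B0", (10, 30, 0))]
OVERLAP = DANGLING + [E(2, "03", (7, 0, 0)), E(2, "A2", (7, 30, 0))]

if __name__ == "__main__":
    for name, toc in [("clean", CLEAN), ("oversize", OVERSIZE),
                      ("dangling", DANGLING), ("overlap", OVERLAP)]:
        print(name, check_toc(toc))
```

An audio player that only follows the first session's track starts never evaluates any of these fields, which is why the same disc plays there and fails in a drive that trusts the TOC.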
4.2.3. Efficiency of recent Audio Protection Mechanisms
As stated in the introduction, members of protection class (A) as employed on CD-DAs do not claim to be the hardest to handle. There are quite a number of ways to disable the copy protection on a CD-DA. A first way is to use the feature in recording programs called 'Ignore Illegal TOC'. This option will analyze the track structure without considering the poisoned information from the copy-protected audio disk. A further strategy could be to duplicate the original CD one-to-one using a raw data copy mode including any subchannel information. In most cases this will just copy the illegal information without making a big deal about it. However, the most famous option is the so-called felt-tip or post-it attack. Here, the illegal information, which is sometimes stored in a visible circle on the CD, can be easily defeated by filling and deactivating it using a felt-tip (Figure 4.2) or covering it with post-its (Figure 4.3). It should be mentioned that the felt-tip variant should be considered as the preferred method when attempting to eliminate the protection. Due to strong radial forces which act on the CD within the reading device, the post-it may peel away, causing damage to the CD drive.
Figure 4.2.: Felt-tip Attack
Figure 4.3.: Post-It Attack
To explain why this type of circumvention works: when the defective sessions which contain some scrambled data are covered entirely or partially, either by a post-it or by a felt-tip line, the CD-ROM drive will decide to stick with the first session or TOC, as this is the only one readable. As the device cannot extract a single bit from the succeeding session, it cannot fall into the trap of the nonsense contents in an appended session.
4.3. Protecting Data on DVD-ROMs
In general, the CD and DVD do not differ much. Thus, most of the mechanisms introduced in the context of the CD, except any kind of format deviation, would in principle work with a DVD as well. The only reason for DVD protections not being that popular is their novelty; there are currently only a few vendors and software distributors who distribute their software or data products on DVDs. Thus, the range of products is not big when it comes to reducing unauthorized disk duplication.
4.3.1. Suitable Approaches for Data Protection
As already stated, variations of the disk format specification are in general not applicable to DVDs. But it is conceivable to make use of all other techniques which have already been introduced for the CD. This includes the injection of bad and/or weak sectors, specific verification techniques which might again rely on the physical sector geometry, as well as the deployment of hidden digital signatures and cryptographic elements. Please refer to Section 4.1.1 for further information.
4.3.2. Implementations providing Data Protection
DVD protections are in general based on protection categories (B) to (D). Thus, it is possible to inject defective sectors to prevent simple one-to-one copies of the original. This is also true for the employment of weak sectors, because the SafeDisk protection from MacroVision is also available for DVDs, employing the same techniques [Mac01]. Implementations fitting protection class (C), however, do not seem to be on the market. This might be a direct effect of DVDs containing software or games not yet being established in the market on a larger scale. For most purposes, CD-ROMs are still in use. But it is probably just a matter of time until the first implementations fitting class (C) arise. There are, however, already protections of class (D) for the DVD. Again, the SafeDisk implementation is an example of the employment of digital signatures.
4.3.3. Efficiency of recent Data Protections
Because the same protection mechanisms are used for DVDs as for CDs their efficiency will not differ much. Therefore, the evaluation of effectiveness looks quite the same. For estimating the scope of a protection, please gather further information from Section 4.1.3.
4.4. Protecting Video Content on DVD-Video Disks
Nowadays, the DVD is broadly used as a medium to carry movies from the production studios to the end-user at home. The device manufactured for this purpose, the DVD player, has already found its way into many homes. This device provides cryptography and thus an advantage to the copy protection developers, as seen in the following sections.
4.4.1. Suitable Approaches for Video Protection
Most DVD-Video discs are encoded in a scrambled format. The scrambling is performed prior to burning and requires descrambling in hardware before the video content becomes visible again. The content descrambling is usually performed by dedicated players, commonly known simply as DVD players, using a disk key. The current state of the art in this field is discussed in the following.
4.4.2. Implementations providing Video Protection
The Content Scrambling System (CSS) is the most popular system used to scramble the audio/video data on the DVD-Video disk. Each video title set (VTS) can be selectively scrambled using a unique key. Each unique title is assigned to one disk key and up to 99 title keys (one per VTS), which are stored on the disk in encrypted form.
In the decoder or DVD player, the original keys are obtained by decrypting the disk key using appropriate keys which have been incorporated into each player, and these are finally used to descramble the data. For DVD-ROM drives, the MPEG-2 decoder challenges the drive and receives the necessary keys for decryption. This ensures that only approved hardware/software can be used.
The keys used should be unique for every disk title and are encrypted by the CSS Licensing Authority and, usually, the initial scrambling is performed, as already stated, during glass mastering. Security is vital and the keys used and the encryption algorithms must be kept secret. Only those companies involved in designing hardware and software for CSS encoding and/or decoding need information on the algorithms and systems used.
4.4.3. Efficiency of recent Video Protection Implementations
Although the CSS makes use of a multitude of keys, which might suggest a complex encryption and a decoding scheme strongly preserved as secret, the system is completely insecure. The disk key, which is needed to deduce the title keys, only uses 40-bit encryption, which is itself not an impossible problem for a brute-force key search. Using cryptanalytical methods it is possible to reduce the total computational complexity further to 2^16, which is next to nothing for today's processing power. So it is very easy to break the encryption of the video/audio content and convert the video content into a new format [Gra03].
And it is even worse. As described above, the disk key is decrypted using a set of player keys stored in each DVD player device. Using a similar attack, it is possible to extract all player keys from a playing device, which enables an easy deciphering of the latest DVDs. There is no need to break the disk keys by brute force any more.
Figure 4.4.: CSS Key System
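The key hierarchy of 4.4.2 and the player-key weakness of 4.4.3, modelled as an added example that is not from the original paper and is not the CSS algorithm: a SHA-256 keystream stands in for the secret cipher, and the per-player slot table, the check value and all keys and titles are constructed assumptions. It shows that a single player key opens every title on every disc that carries its slot, and that leaving the slot off a later disc does nothing for discs already pressed.

```python
import hashlib

KEY_BYTES = 5   # 40-bit keys, the size the text gives for the disk key


def toy_cipher(key, data, label):
    """Stand-in stream cipher (NOT the CSS cipher): XOR with a SHA-256 keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def check_value(key):
    """Model assumption: lets a player verify the disk key it recovered."""
    return hashlib.sha256(b"check" + key).digest()[:8]


def master_disc(disk_key, titles, player_keys):
    """titles: list of (title_key, plaintext); player_keys: {player_id: key}."""
    return {
        "slots": {pid: toy_cipher(pk, disk_key, b"disk")
                  for pid, pk in player_keys.items()},
        "check": check_value(disk_key),
        "title_keys": [toy_cipher(disk_key, tk, b"title%d" % i)
                       for i, (tk, _) in enumerate(titles)],
        "content": [toy_cipher(tk, data, b"vts%d" % i)
                    for i, (tk, data) in enumerate(titles)],
    }


def play(disc, player_id, player_key, title_index):
    """Walk the hierarchy: player key -> disk key -> title key -> content."""
    slot = disc["slots"].get(player_id)
    if slot is None:
        raise PermissionError("player has no slot on this disc")
    disk_key = toy_cipher(player_key, slot, b"disk")
    if check_value(disk_key) != disc["check"]:
        raise PermissionError("wrong player key")
    title_key = toy_cipher(disk_key, disc["title_keys"][title_index],
                           b"title%d" % title_index)
    return toy_cipher(title_key, disc["content"][title_index], b"vts%d" % title_index)


def exposure(discs, player_id, player_key):
    """Number of titles, across all given discs, that one player key opens."""
    opened = 0
    for disc in discs:
        for index in range(len(disc["content"])):
            try:
                play(disc, player_id, player_key, index)
                opened += 1
            except PermissionError:
                pass
    return opened


# Constructed keys and titles (illustrative values only).
PLAYERS = {"vendor-a": bytes.fromhex("0102030405"),
           "vendor-b": bytes.fromhex("a1a2a3a4a5")}
DISC_1 = master_disc(bytes.fromhex("1111111111"),
                     [(bytes.fromhex("2121212121"), b"feature film"),
                      (bytes.fromhex("2222222222"), b"bonus material")], PLAYERS)
DISC_2 = master_disc(bytes.fromhex("3333333333"),
                     [(bytes.fromhex("4444444444"), b"another film")], PLAYERS)
# A later disc mastered without vendor-b's slot.
DISC_3 = master_disc(bytes.fromhex("5555555555"),
                     [(bytes.fromhex("6666666666"), b"later film")],
                     {"vendor-a": PLAYERS["vendor-a"]})

if __name__ == "__main__":
    print(play(DISC_1, "vendor-a", PLAYERS["vendor-a"], 0))
    print(exposure([DISC_1, DISC_2, DISC_3], "vendor-b", PLAYERS["vendor-b"]))
```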
5. Legal Aspects
5.1. Digital Rights Protection in Germany
Since September 2003 the German legislature has released new laws to protect copyright holders. This act was mandatory to meet the previously adopted European directives to improve the legal situation for intellectual property [dJ03]. Although not all details postulated by the EU were already realized in this change of statutes, copyright holders may be pleased nevertheless. The balance of what is allowed and what is prosecuted since September 2003 has definitely shifted in their favor, cutting off rights of the end-user.
5.2. Circumventing Copy Protections
The new law also encompasses the creation of disk duplicates for backup purposes. When an end-user wants to replicate his original media with protected content to avoid a disaster in case the original is accidentally destroyed, he or she is allowed to do so as long as no copy protection is circumvented. This is definitely true for CD-DA and other content (§95a to 95d UrhG); for CDs with software and raw data content this does not have any effect (§69a Abs.5 UrhG). Thus, it is allowed to create up to seven backup copies of your favorite computer games, but of course, you may not pass them on or even sell them to third parties. The same is true for discs with other contents, as long as they are not affected by any copy protection mechanisms. Thus, circumventing copy protections will be prosecuted in case the underlying medium is of any other type like audio, video or photo CD. Furthermore, not only the act of duplication itself is prohibited; even the employment and development of tools to support the operation of copying those disks has been declared to be illegal. This includes the use of programs like CloneCD, BlindWrite Suite, and many more. The legal situation of copy protection faking and emulation utilities like the DAEMON Tools or other virtual image managers is still unknown and will be a matter of precedent cases in the future.
6. Conclusions
Drawing a final conclusion from these facts reveals that copy protection, in spite of what the name might imply, only represents a way to complicate the creation of a working duplicate. Therefore, some vendors avoid the terminology 'copy protection' and use the weaker expression 'copy control systems' instead. The actual intention is only to frustrate most people who attempt to create a simple one-to-one pirate copy from a borrowed medium. It is true that most copy protection mechanisms have already been broken; for many of them there even exist generic patches or step-by-step circumvention strategies which mean only insignificant additional effort for a common user who considers replicating a medium.
The analysis of this situation clearly shows that only a complete framework of security measures may create a solution which is absolutely secure against copying. The greatest problem of the current approach is that the authorization infrastructure based on stand-alone players with no secured interfaces is absolutely inadequate to support an unbreakable solution. It is easily possible to rip the music from a CD-DA using a digital output of the CD player which is plugged into the digital input jack of a computer's sound card. A solution to this might come with the Content Protection System Architecture as proposed by the 4C (IBM, Intel, Matsushita, Toshiba), including encrypted interfaces and connections combined with a better key management than CSS is currently using [Ent00]. Until such or a similar approach is realized, optical disk media can hardly be prevented from becoming subject to piracy.
Another point of criticism is the realization of compatibility. As postulated by a requirement in the beginning of this paper (compare chapter 3.2), copy protection should be designed to keep compatibility with every type of replaying hardware. This is unfortunately not the case, especially for class (A) protections. There is a significant number of player implementations on the market which get confused by copy protections, resulting in understandable anger among customers. Besides the fact that copy protections are only useful to a very limited extent, it is known that they even change the customer's attitude towards buying a copy-protected CD when he or she risks that the newly purchased disk will not operate in his or her environment.
A. Appendix
CD-Cops is an envelope protection which is added to the CD's main executable. Minute differences are measured to establish the CD-ROM's fingerprint and to ensure that copies are not accepted. This fingerprint is usually expressed as an 8-digit code or key number. The CD-Cops software which recognizes and either accepts or rejects the CD is protected by Links Code Security, a system which has been in use since 1984 [Gam03b].
Protection Class: C
Backup Solution: Use CD-Cops Decryptor to determine new CD-Code from backup copy
Vendor: Link Data Security
CD-Protect works on the principle of direct hardware coding on the CD-ROM. While trying to read a CD master treated as described, unreadable sectors are reported. These areas cannot be copied to the hard drive without further intervention of the operating system (Windows 9x/Me/2000/XP). The attempt to read the CD with a copying software is either directly terminated or takes up to several hours. Copying to a blank CD is thus hardly possible with the copy protection [Gam03b].
Protection Class: B
Backup Solution: Use DAO-Copy with defective sector skipping and patch the software accord-
CD-Shield SE
CDSHIELD protects/modifies a CD-Image by adding sector-errors before it is burned to a CD-R. This prevents people from making a backup [Gam03b].
Protection Class: B
Backup Solution: As this is a very low-budget solution most advanced backup software should
DBB (Don’t Bother Burn)
DBB's exact functionality is of course surrounded by strict secrecy, but briefly, the protection comprises several separate security modules which work together to create the complexity that crackers encounter in their attempts to break the protection. Among other things, DBB contains instructions that register any changes made, add a dynamic process that changes the protection sequence between each production and parts of the secret behind DBB and DBB PS is revealed. A strong encryption should ensure that the exact instructions and codes remain secret [Gam03b].
Protection Classes: B, D
Vendor: Effnet
Codemasters' anti-piracy initiatives receive an additional push with the introduction of FADE, a PC-based piracy protection system that can degrade gameplay if a counterfeit copy of the game is identified as being played. Codemasters has equipped the computer game Operation Flashpoint with embedded coding that can recognize the difference between counterfeit and real copies of the game's CD. If a pirate CD is identified, the game automatically disables key gaming features [Gam03b].
Protection Class: C
Backup Solution: Software patches will be required to remove/disable the protection.
Vendor: Codemasters
HexaLock CD-RX
HexaLock CD-RX media are specially made CD-Rs that contain a precompiled session, which includes security elements that make the disks copy protectable. The program files are linked to these security elements during the recording process, thus creating a copy-protected CD-R. The authorized mastering process can be done in one-off mode, or in an automated mode in selected duplication systems [Gam03b].
Protection Class: C
Backup Solution: Software patches will be required to remove/disable the protection.
Vendor: HexaLock
LaserLock uses a combination of encryption software and unique laser marking on the CD surface made during the special LaserLock mastering procedure, in order to make copying practically impossible. Every CD-ROM application has a unique locking parameter that provides a complete protection against illegal re-mastering and reproduction. LaserLock protects every application differently, as each application package is characterized by a unique encryption parameter that is specified during the LaserLocking procedure [Gam03b].
Protection Classes: C, D
Backup Solution: Use either a generic LaserLock reader or simply copy the disk using a raw data
LockBlocks-protected CDs have 2 circles, one about 5 mm, the other 3 mm, which cause CD readers/writers to lock up when being read. Unfortunately, nothing more is known about this type of copy protection [Gam03b].
Protection Classes: B, C
Backup Solution: Software patches are needed to get around this protection.
Vendor: Dinamic Multimedia
Phenoprotect produces read errors directly on the CD-ROM in areas which do not contain any game data, but can be checked by programs. CD writers report these as unreadable sections. These areas cannot be copied to the hard drive.
The specific software, e.g. the game and the InstallShield used for installation, can, however, contain instructions from the software manufacturer to check this erroneous data. If this data is not found when the program starts, it is not an original version and the game or installation is terminated.
Windows 9x operating systems cannot read the erroneous sections. Any attempt to copy will result in the operating system aborting the process [Gam03b].
Protection Class: B
Backup Solution: Raw disk copy and software patches are required.
Vendor: CodeCult
A visible circle is added to the CD, with which users can distinguish between an original and a pirated copy at a glance.
Several checks are added so that the software can check the files in the visible circle; when they are not found, the application should refuse to function. The files located inside the visible circle are designed not to be copied, since the circle origin cannot be exactly replicated on known CD-R media. Furthermore, it will take many hours for a CDRW to read the Ring PROTECH protected CD, and eventually it will malfunction [Gam03b].
Protection Class: B
Backup Solution: Raw disk copy mode of advanced backup software is required to copy those
Roxxe CD protection is a combination of hardware and software protection that should make it impossible to run software from illegally copied CDs [Gam03b]. The vendor of Roxxe promises the following basic requirements:
• The original software is modified so that it will not run, without the specific action of the guard module.
• The guard module recognizes the original CD-ROM, without this detection the application will not run or will run under considerable restrictions.
• Physical key is present on the CD-ROM. This key should not be reproducible, either by disk copying using a CD writer or professional remastering to a silver CD.
Protection Classes: B, C, D
Backup Solution: Not yet published
Vendor: Electronic Publishing Association LLC
Macrovision SAFECAST is designed to help developers and publishers protect their pre-release software from unauthorized copying. It uses a software-based encryption toolkit that is made available to the publisher in order to allow complete control of the encryption process. When a publisher encrypts the gold disk they can distribute it directly to end users who are then required to contact the publisher directly or via a web site to obtain access keys to play the program. The access keys are a cheaper substitute for hardware dongles or other security mechanisms which often interfere with playing a particular pre-release program [Gam03b].
Protection Class: D
Vendor: MacroVision
The SmarteCD technology is designed to encrypt and embed an identifying ’black hole’ within the content of each individual product CD resulting in technology that should distinguish an original, properly licensed CD from a forgery. At the point of CD replication or duplication, SmarteCD physically alters the CD media preventing it from duplication or digital reproduction [Gam03b].
Protection Classes: C, D
Backup Solution: A one-to-one backup will seem to be working at once, but requires additional software patching as the protection will recognize the duplicate at some point during execution.
Vendor: Smarte Solutions
SoftLock affects each CD-ROM title with a unique locking parameter, namely a protection code and special mark, consisting of defective errors.
SoftLock uses a combination of:
• Encryption software
• Unique serial marking on the CD made during mastering procedure.
• Special arrangement of files in TOC.
This type of protection makes use of virtually all protection classes [Gam03b].
Protection Classes: A, B, C, D
Backup Solution: Not yet published
Vendor: Assel
DiscGuard is an anti-piracy system that effects two basic changes to the software package:
• The main executable files on a DiscGuard-protected CD-ROM are encrypted.
• A special digital signature is inscribed onto a pressed CD-ROM, and mapped into a software decryption key. The digital signature has been designed to be hardly reproducible by either counterfeiting (re-mastering) or disk burning.
When such an authentic disk is used, a signature decryption occurs first and, if successful, the application will be executed [Gam03b].
Protection Class: D
Backup Solution: No generic software patch exists. Thus individual patching is required.
Vendor: TTR Technologies Inc.
The DVD-Cops protection is added directly to the main executable before the actual DVD is pressed. After this a unique access code is extracted from the DVD which enables the user to install the DVD. From then on, the software should run only when the original DVD is present in the drive [Gam03b].
Protection Class: C
Backup Solution: Not yet published, but probably similar to CD-Cops mechanism.
Vendor: Link Data Security
SecuROM is a CD-ROM and DVD copy protection technology that identifies a genuine CD-ROM or DVD using a special authentication mechanism. During Sony DADC's mastering process an electronic fingerprint is applied onto the glass master which assigns a unique number to each CD-ROM title.
The most recent version also detects if it is being run from a CD-R media (V-Rally 2), to solve this just use a CD-ROM, instead of a CD-Writer, to play the game from.
The latest SecuROM New revision includes "Trigger Functions" which allow the developer to program multiple and customizable authentication checks throughout the entire application, providing a stronger copy control than systems with only one check at program start [Gam03b].
Protection Classes: B, C, D
Backup Solution: First perform a raw data copy, then apply generic patches available on the
Vendor: Sony
SafeDisk v1-v3
SafeDisc v3 uses a key to encrypt the main executable (EXE or DLL) and creates a corresponding digital signature which is added to the CD-ROM/DVD-ROM when they are replicated. The size of the digital signature varies from 3 to 20 MB depending on how good the encryption should be. The authentication process itself takes about 10 to 20 seconds [Gam03b].
Protection Classes: B, D
Backup Solution: First perform a raw data copy, then apply generic patches available on the Internet (v1, v2) or patch the executable individually (v3).
Vendor: Macrovision Corporation
TAGES uses new encryption and authentication technologies compatible with standard multi-media PC computers and drives (a ring of 1 MB secured content) [Gam03b].
Protection Classes: B, D
Backup Solution: Replacing the protected executable by a fixed executable.
Vendor: MPO & THALES
[CDF03] CDFreaks. Safedisc 2 explained and defeated. Internet Website, 2003.
[Cod01] CodeMasters. Codemasters fade system. Internet Website, 2001.
[dJ03] Bundesministerium der Justiz. Gesetz über Urheberrecht und verwandte Schutzrechte. BGBl I 1965, 1273, 2003.
[Ent00] 4C Entity. Content protection system architecture. PDF, 2000.
[Gam03a] GameCopyWorld. CD-Cops copy. Internet Website, 2003. protections cd-cops.shtml.
[Gam03b] GameCopyWorld. Listing of copy protections. Internet Website, 2003. protections.shtml.
[Gra03] TTD Graphics. Kopierschutzverfahren für CD und DVD. Internet Website, 2003.
[Hex03] Hexalock. Hexalock cd-rw. Internet Website, 2003.
[Mac01] MacroVision. Macrovision safedisk v1-v3. Internet Website, 2001.
[Ser02a] Deluxe Global Media Services. CD Specification. Internet, 2002. intro.htm.
[Ser02b] Deluxe Global Media Services. DVD Specification. Internet, 2002. intro.htm.
[Son02] Sony. Key2audio homepage. Internet Website, 2002.
[Sto00] Search Storage. Compact disc. Internet Website, 2000.,,sid5 gci507072,00.html.