Microsoft PlayReady - complete client identity compromise
2024-5-9 16:2:43 Author: seclists.org(查看原文) 阅读量:0 收藏

fulldisclosure logo

Full Disclosure mailing list archives


From: Security Explorations <contact () security-explorations com>
Date: Thu, 9 May 2024 10:02:26 +0200

Hello All,

We have come up with two attack scenarios that make it possible to
extract private ECC keys used by a PlayReady client (Windows SW DRM
scenario) for the communication with a license server and identity
purposes.

More specifically, we successfully demonstrated the extraction of the
following keys:
- private signing key used to digitally sign license requests issued
by PlayReady client,
- private encryption key used to decrypt license responses received by
the client (decrypt license blobs carrying encrypted content keys).

A proof for the above (which Microsoft should be able to confirm) is
available at this link:
https://security-explorations.com/samples/wbpmp_id_compromise_proof.txt

While PlayReady security is primary about security of content keys,
ECC keys that make up client identity are even more important. Upon
compromise, these keys can be used to mimic a PlayReady client outside
of a Protected Media Path environment and regardless of the imposed
security restrictions.

In that context, extraction of ECC keys used as part of a PlayReady
client identity constitute an ultimate compromise of a PlayReady
client on Windows ("escape" of the PMP environment, ability to request
licenses and decrypt content keys).

Content key extraction from Protected Media Path process (through XOR
key or white-box crypto data structures) in a combination with this
latest identity compromise attack means that there is nothing left to
break when it comes to Windows SW DRM implementation.

Let this serve as a reminder that PlayReady content protection
implemented in software and on a client side has little chances of a
“survival” (understood as a state of not being successfully reverse
engineered and compromised). In that context, this is vendor’s
responsibility to constantly increase the bar and with the use of all
available technological means.

Thank you.

Best Regards,
Adam Gowdiak

----------------------------------
Security Explorations -
AG Security Research Lab
https://security-explorations.com
----------------------------------
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

  • Microsoft PlayReady - complete client identity compromise Security Explorations (May 09)

文章来源: https://seclists.org/fulldisclosure/2024/May/5
如有侵权请联系:admin#unsafe.sh