Overview
When a new DVD is inserted into a DVD drive, it must be authenticated before it can be used.
This authentication uses a challenge-response protocol with CSS as the encryption method.
Disk Authentication is slightly tricky but straightforward in principle. It uses
CSS in mode 3. The inputs to this algorithm are
the challenge (10 bytes), the variant in use (0 to 31) and the keytype (KEY1, KEY2
or BUSKEY). The output is the 5-byte response.
Authentication requires the following steps, which must be performed in the correct order:
- Obtain an AGID from the drive
- Challenge the drive and get its response
- Calculate the variant the drive has chosen
- Obtain the challenge from the drive and calculate the response
- Send the response to the drive
- Read the disk key from the disk
Once these steps are done, the entire surface of the DVD can be read. I do not discuss here the
decryption of the disk key or how to obtain the title keys - this is in fact somewhat unnecessary
given the plaintext attack on CSS-encrypted data described here.
The Mount Fuji specifications must be referred to for the SCSI packet formats used below.
Obtaining an AGID from the drive
This step requires sending SCSI command REPORT_KEY with each INVALIDATE_AGID subcode in turn (to reset the drive)
and then sending SCSI command REPORT_KEY with subcode GET_AGID to obtain the AGID. The AGID is a value of either 0x00, 0x40,
0x80 or 0xC0 which is added on to the subcodes used in subsequent SCSI REPORT_KEY and SEND_KEY commands to identify the program
to the drive.
Challenging the drive and getting its response
This step requires sending SCSI command SEND_KEY with the subcode SEND_CHALLENGE_KEY + AGID. You include a challenge sequence which can be
any sequence of 10 bytes. You then issue SCSI command REPORT_KEY with the subcode GET_KEY1 + AGID. This gives you
the 5-byte value for KEY1.
Calculating the variant the drive has chosen
Now you must determine the variant that the drive is using. This is done by using CSS in mode 3 with keytype KEY1 to encrypt the
challenge 32 times - once for each variant 0 to 31. One value will match the KEY1 the drive provided and this is the value of the
variant you must use in subsequent steps.
Obtaining the challenge from the drive and calculating the response
This step requires sending SCSI command REPORT_KEY with the subcode GET_CHALLENGE + AGID. The drive returns a 10-byte challenge
which you must then encrypt using CSS in mode 3 with keytype KEY2 and the variant calculated above. The result is the 5-byte value for KEY2.
Sending the response to the drive
Simply send the value of KEY2 to the drive using SCSI command SEND_KEY with the subcode SEND_KEY2 + AGID.
Reading the disk key from the disk
This is done using the SCSI command READ_DVD_STRUCTURE with subcode GET_DISK_KEY and the correct AGID specified. The results are somewhat irrelevant
since the DVD data can be cracked using the methods I've explained here but reading the disk key is the last
step in disk authentication.
Once this has succeeded, you can read sectors from the disk using the normal SCSI read commands. If this step fails, authentication has failed.
Note that the disk key obtained here is itself encrypted by XORing with a bus key. The bus key can be calculated by using CSS in mode 3 with keytype
BUSKEY and the variant calculated above. Apply CSS to the 10-byte sequence obtained by concatenating KEY1 and KEY2 to get the 5-byte buskey. This
is then simply XORed over the 2048-byte encrypted disk key.