Intel Investigating HDCP Master Key Exposure

Intel is investigating how the master key for its anti-piracy HDCP protocol was exposed on the Internet.

Intel is investigating how a master key for the High-bandwidth Digital Content Protection (HDCP) protocol used to protect digital content made its way to the Internet.

Developed by Intel, the HDCP protocol is used to protect video and audio content as it is transmitted between devices such as Blu-ray players and high-definition televisions and to verify the device receiving the content is licensed to do so.

The master key is used to generate keys meant for consumer devices. On Sept. 14, it was reported that a secret master key for HDCP had been posted on the Internet. Intel confirmed the key was legitimate Sept. 16.

"We're investigating how it might have been obtained, how someone might have determined it," Intel spokesperson Tom Waldrop told eWEEK.

Anyone who knows the master key can generate keys, which "destroys both of the security properties that HDCP is supposed to provide," blogged Ed Felten, director of the Center for Information Technology Policy at Princeton University.

"HDCP encryption is no longer effective because an eavesdropper who sees the initial handshake can use keygen to determine the parties' private keys, thereby allowing the eavesdropper to determine the encryption key that protects the communication," Felten wrote. "HDCP no longer guarantees that participating devices are licensed, because a maker of unlicensed devices can use keygen to create mathematically correct public/private key pairs."

Waldrop said that for someone to use the device keys, "they also would have to find a way to design those into some kind of hardware."

"Build a box, make a chip that implements it ... for all practical purposes that's what would have to be done in most cases that can be conceived of, and those things aren't trivial," the spokesperson said.

Waldrop added that the company will pursue legal action if need be to protect its intellectual property.

"Should someone use this published information to create a circumvention device, there are definitely enforcement actions that could be taken. ... We would avail ourselves of the legal remedies as appropriate at our choice," he said.