[Matroska-devel] WebM encryption

Joseph Ashwood ashwood at msn.com
Sat Jun 23 13:31:01 CEST 2012

Here we go again.

-----Original Message----- 
From: Steve Lhomme
Subject: [Matroska-devel] WebM encryption

> Those of you technical enough might be interested in this proposal to extend
> Matroska/WebM to support one kind of encryption:
> https://sites.google.com/a/webmproject.org/wiki/encryption/webm-encryption-rfc

A few of the basic problems. The most obvious problem is the arbitrary use
of HMAC. HMAC-SHA1 should not be used for anything new; trimming will not
improve the situation. Second problem with the HMAC: it doesn't prevent
reordering, which is a security problem. In SHA-1 there is no definition of
"leftmost" bits; this needs definition.

The inclusion of a separate IV in each collection of bytes also has
problems. The first one is that this quickly opens the door to repeating
IVs; in CTR mode this immediately removes the security. Second, it again
allows for undetectable reordering. Worse, 3.7.1 actually forces a collision
in the IVs.

Limiting the key size to strictly 128 bits is generally not a good idea; it
limits the applicable usefulness.

Most importantly the process of getting the keys to the client is 
specifically outside the scope, so the hard part to do correctly is outside 
the scope.
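Added example (not part of the message above, nor of the WebM proposal it reviews) showing two of the points raised: a per-frame MAC computed over the IV and ciphertext alone still verifies after an attacker swaps frames, whereas binding a sequence number into the tag makes the swap fail; and two frames encrypted in CTR mode under the same key and IV leak the XOR of their plaintexts, so one known frame recovers the other with no key. Assumptions: AES-128-CTR with a 16-byte per-frame IV, untruncated HMAC-SHA256 as a stand-in for the proposal's HMAC-SHA1, and the `Frame` layout, keys, IVs and frame contents, which are all constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Frame models one encrypted unit carrying its own IV (constructed layout, not the spec's).
type Frame struct {
	IV  []byte // 16-byte CTR counter block
	CT  []byte // AES-CTR ciphertext
	Tag []byte // full 32-byte HMAC-SHA256 tag
}

// ctrXOR applies AES-CTR under key with the given 16-byte IV. Encryption and
// decryption are the same XOR, so a repeated IV yields the same keystream twice.
func ctrXOR(key, iv, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// mac returns HMAC-SHA256 over the concatenation of parts.
func mac(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// seqBytes encodes a frame's position so it can be bound into the tag.
func seqBytes(seq uint64) []byte {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], seq)
	return b[:]
}

// SealPositionFree tags IV||CT only: nothing in the tag says where the frame belongs.
func SealPositionFree(encKey, macKey, iv, pt []byte) Frame {
	ct := ctrXOR(encKey, iv, pt)
	return Frame{IV: iv, CT: ct, Tag: mac(macKey, iv, ct)}
}

func OpenPositionFree(encKey, macKey []byte, f Frame) ([]byte, bool) {
	if !hmac.Equal(f.Tag, mac(macKey, f.IV, f.CT)) {
		return nil, false
	}
	return ctrXOR(encKey, f.IV, f.CT), true
}

// SealBound also binds the sequence number; the receiver supplies the number it
// expects, so a frame delivered out of order fails authentication.
func SealBound(encKey, macKey []byte, seq uint64, iv, pt []byte) Frame {
	ct := ctrXOR(encKey, iv, pt)
	return Frame{IV: iv, CT: ct, Tag: mac(macKey, seqBytes(seq), iv, ct)}
}

func OpenBound(encKey, macKey []byte, expectedSeq uint64, f Frame) ([]byte, bool) {
	if !hmac.Equal(f.Tag, mac(macKey, seqBytes(expectedSeq), f.IV, f.CT)) {
		return nil, false
	}
	return ctrXOR(encKey, f.IV, f.CT), true
}

// RecoverFromIVReuse exploits C1 xor C2 = P1 xor P2 when key and IV repeat:
// with P1 known, the overlapping prefix of P2 falls out without the key.
func RecoverFromIVReuse(knownPT, ct1, ct2 []byte) []byte {
	n := len(knownPT)
	if len(ct1) < n {
		n = len(ct1)
	}
	if len(ct2) < n {
		n = len(ct2)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = ct1[i] ^ ct2[i] ^ knownPT[i]
	}
	return out
}

// SwapSurvives swaps the first two frames of a constructed two-frame stream and
// reports whether each scheme still accepts both frames.
func SwapSurvives() (positionFree bool, bound bool) {
	encKey, macKey := []byte("0123456789abcdef"), []byte("fedcba9876543210") // constructed keys
	iv0, iv1 := []byte("aaaaaaaaaaaaaaaa"), []byte("bbbbbbbbbbbbbbbb")       // distinct IVs
	p0, p1 := []byte("frame 0: keyframe"), []byte("frame 1: delta")

	f := []Frame{SealPositionFree(encKey, macKey, iv0, p0), SealPositionFree(encKey, macKey, iv1, p1)}
	f[0], f[1] = f[1], f[0] // attacker reorders on the wire
	_, ok0 := OpenPositionFree(encKey, macKey, f[0])
	_, ok1 := OpenPositionFree(encKey, macKey, f[1])
	positionFree = ok0 && ok1

	g := []Frame{SealBound(encKey, macKey, 0, iv0, p0), SealBound(encKey, macKey, 1, iv1, p1)}
	g[0], g[1] = g[1], g[0]
	_, bok0 := OpenBound(encKey, macKey, 0, g[0])
	_, bok1 := OpenBound(encKey, macKey, 1, g[1])
	bound = bok0 && bok1
	return
}

func main() {
	pf, b := SwapSurvives()
	fmt.Printf("reorder accepted: position-free tag=%v, sequence-bound tag=%v\n", pf, b)
	key, iv := []byte("0123456789abcdef"), []byte("same IV twice!!!") // same IV reused
	p1, p2 := []byte("known plaintext frame"), []byte("secret frame content")
	fmt.Printf("recovered: %q\n", RecoverFromIVReuse(p1, ctrXOR(key, iv, p1), ctrXOR(key, iv, p2)))
}
```

The sequence-bound variant is the minimum needed to address the reordering point; it does nothing about IV collisions, which have to be prevented at the point where IVs are assigned, since once two frames share a keystream no MAC can undo the leak.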
