[Matroska-devel] WebM encryption
Joseph Ashwood
ashwood at msn.com
Sat Jun 23 13:31:01 CEST 2012
Here we go again.
-----Original Message-----
From: Steve Lhomme
Subject: [Matroska-devel] WebM encryption
> Those of you technical enough might be in this proposal to extend
> Matroska/WebM to support one kind of encryption:
> https://sites.google.com/a/webmproject.org/wiki/encryption/webm-encryption-rfc
A few of the basic problems. The most obvious problem is the arbitrary use of HMAC. HMAC-SHA1 should not be used for anything new; trimming will not improve the situation. The second problem with the HMAC is that it doesn't prevent reordering, and this is a security problem. In SHA-1 there is no definition of "leftmost" bits; this needs definition.
The inclusion of a separate IV in each collection of bytes also has problems. The first one is that this quickly opens the door to repeating IVs; in CTR mode this immediately removes the security. Second, it again allows for undetectable reordering. Worse, 3.7.1 actually forces a collision in the IVs.
Limiting the key size to strictly 128 bits is generally not a good idea; it limits the applicable usefulness.
Most importantly, the process of getting the keys to the client is specifically outside the scope, so the hard part to do correctly is outside the scope.
Joe
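The two failure modes Joe raises about the per-chunk IV and the per-chunk MAC (a repeated IV in CTR mode, and a MAC that cannot detect reordering) can both be shown in a few lines. The block below is an added illustration written for this archive page; it is not code from the WebM proposal, the Matroska project, or the list. It assumes a CTR-mode keystream built from HMAC-SHA256 as a stand-in for the AES block function (the property demonstrated, that the keystream depends only on key, IV and counter, holds identically for AES-CTR), and uses constructed sample chunks. The `ordered` variant binds the chunk index into the MAC input, which is the usual mitigation for the reordering problem.

```python
import hashlib
import hmac


def ctr_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """CTR-mode keystream. Assumption: HMAC-SHA256 stands in for the AES
    block function; as in AES-CTR, the output depends only on key, IV, counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def ctr_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call decrypts."""
    return xor_bytes(data, ctr_keystream(key, iv, len(data)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def iv_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Encrypt two chunks under one (key, IV). Because both use the same
    keystream, c1 XOR c2 == p1 XOR p2, so knowing p1 yields p2 with no key.
    Returns the recovered prefix of p2 (the leaked bytes)."""
    c1 = ctr_encrypt(key, iv, p1)
    c2 = ctr_encrypt(key, iv, p2)
    n = min(len(p1), len(p2))
    return xor_bytes(xor_bytes(c1, c2)[:n], p1[:n])


def mac_chunk(mac_key: bytes, index: int, chunk: bytes, ordered: bool) -> bytes:
    """Per-chunk tag. ordered=False covers only the chunk bytes (the weakness
    described in the mail); ordered=True also binds the chunk's position."""
    msg = chunk if not ordered else index.to_bytes(8, "big") + chunk
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def verify_stream(mac_key: bytes, tagged_chunks, ordered: bool) -> bool:
    """Verify every (chunk, tag) pair in the order received."""
    for i, (chunk, tag) in enumerate(tagged_chunks):
        if not hmac.compare_digest(tag, mac_chunk(mac_key, i, chunk, ordered)):
            return False
    return True


def reorder_detected(mac_key: bytes, chunks, ordered: bool) -> bool:
    """Tag the chunks, swap the first two, and report whether verification
    catches the swap."""
    tagged = [(c, mac_chunk(mac_key, i, c, ordered)) for i, c in enumerate(chunks)]
    swapped = [tagged[1], tagged[0]] + tagged[2:]
    return not verify_stream(mac_key, swapped, ordered)


# Constructed sample values for the demonstration (not from the proposal).
KEY = b"\x11" * 16
MAC_KEY = b"\x22" * 32
IV = b"\x00" * 16
CHUNKS = [b"frame 0 payload", b"frame 1 payload", b"frame 2 payload"]

if __name__ == "__main__":
    print("leaked from IV reuse:", iv_reuse_leak(KEY, IV, CHUNKS[0], CHUNKS[1]))
    print("swap caught, chunk-only MAC:", reorder_detected(MAC_KEY, CHUNKS, False))
    print("swap caught, index-bound MAC:", reorder_detected(MAC_KEY, CHUNKS, True))
```

The index-bound tag is the minimum change that makes a swapped chunk fail verification; per-chunk IVs become safe only if the IV is guaranteed unique per key (for example a strictly increasing counter), which is exactly what a per-chunk random IV with a forced collision in 3.7.1 does not give.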