DeCSS in Words

by CSS

The decryption of data on a DVD encoded through the CSS algorithm can be broken down into three steps.

The first is the decryption of the disk key, the second is the decryption of the title key, and the third is the decryption of the encrypted DVD disk sectors.

Each decryption step in software requires the simulation of a 17-bit Linear-Feedback Shift Register (LFSR) and a 25-bit LFSR, both of whose outputs are summed 8-bits at a time (along with any carry bits from the previous addition) to produce the decrypted output.

There are any number of ways in which the two LFSRs can be simulated in software.  The 17-bit LFSR is often implemented using a single machine word where the feedback is computed through cascaded right shifts and XORs.  On the other hand, the 25-bit LFSR's output is frequently determined through lookups into byte vectors.

The contents of the low bits in one such lookup table are:

0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x09, 0x08, 0x0B, 0x0A, 0x0D, 0x0C, 0x0F, 0x0E, 0x12, 0x13, 0x10, 0x11, 0x16, 0x17, 0x14, 0x15, 0x1b, 0x1A, 0x19, 0x18, 0x1F, 0x1E, 0x1D, 0x1C, 0x24, 0x25, 0x26, 0x27, 0x20, 0x21, 0x22, 0x23, 0x2D, 0x2C, 0x2F, 0x2E, 0x29, 0x28, 0x2B, 0x2A, 0x36, 0x37, 0x34, 0x35, 0x32, 0x33, 0x30, 0x31, 0x3F, 0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x49, 0x48, 0x4B, 0x4A, 0x4D, 0x4C, 0x4F, 0x4E, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x5B, 0x5A, 0x59, 0x58, 0x5F, 0x5E, 0x5D, 0x5C, 0x52, 0x53, 0x50, 0x51, 0x56, 0x57, 0x54, 0x55, 0x6D, 0x6C, 0x6F, 0x6E, 0x69, 0x68, 0x6B, 0x6A, 0x64, 0x65, 0x66, 0x67, 0x60, 0x61, 0x62, 0x63, 0x7F, 0x7E, 0x7D, 0x7C, 0x7B, 0x7A, 0x79, 0x78, 0x76, 0x77, 0x74, 0x75, 0x72, 0x73, 0x70, 0x71, 0x92, 0x93, 0x90, 0x91, 0x96, 0x97, 0x94, 0x95, 0x9B, 0x9A, 0x99, 0x98, 0x9F, 0x9E, 0x9D, 0x9C, 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x89, 0x88, 0x8B, 0x8A, 0x8D, 0x8C, 0x8F, 0x8E, 0xB6, 0xB7, 0xB4, 0xB5, 0xB2, 0xB3, 0xB0, 0xB1, 0xBF, 0xBE, 0xBD, 0xBC, 0xBB, 0xBA, 0xB9, 0xB8, 0xA4, 0xA5, 0xA6, 0xA7, 0xA0, 0xA1, 0xA2, 0xA3, 0xAD, 0xAC, 0xAF, 0xAE, 0xA9, 0xA8, 0xAB, 0xAA, 0xDB, 0xDA, 0xD9, 0xD8, 0xDF, 0xDE, 0xDD, 0xDC, 0xD2, 0xD3, 0xD0, 0xD1, 0xD6, 0xD7, 0xD4, 0xD5, 0xC9, 0xC8, 0xCB, 0xCA, 0xCD, 0xCC, 0xCF, 0xCE, 0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7, 0xFF, 0xFE, 0xFD, 0xFC, 0xFB, 0xFA, 0xF9, 0xF8, 0xF6, 0xF7, 0xF4, 0xF5, 0xF2, 0xF3, 0xF0, 0xF1, 0xED, 0xEC, 0xEF, 0xEE, 0xE9, 0xE8, 0xEb, 0xEA, 0xE4, 0xE5, 0xE6, 0xE7, 0xE0, 0xE1, 0xE2, 0xE3

The contents of the high bits lookup table are composed of the following values repeated 32 times:

0x00, 0x24, 0x49, 0x6D, 0x92, 0xB6, 0xDB, 0xFF, 0x00, 0x24, 0x49, 0x6D, 0x92, 0xB6, 0xDB, 0xFF

Using this method, one determines the 25-bit LFSR output by using the least significant 16-bits of the LFSR as two eight bit offsets into the above tables, and using the XOR of these values.

The plain text is obtained by summing eight bits of output from both LFSRs plus any carry bits from a previous addition.  If an inversion is required, simply XOR the 17-bit LFSR with the inversion mask before summing with the 25-bit LFSR.

Each player is preprogrammed with a small set of player keys.

To determine the correct decrypted disk key we must attempt to decrypt the disk key with each of the machine's player keys.  The search ends once a decrypted key hashes to the same 40-bit value as the decrypted disk key hash stored on disk.

In order to start decrypting keys we must first set up our simulated shift registers.  Seed the 17-bit LFSR with the first 16-bits of a player key and set the MSB to 1 to avoid null cycling.

Seed the 25-bit LFSR is with the next 24-bits (specifically, bits 16 to 39) of the player key.  All bits except the three LSBs are shifted up a bit.

Bit 4 is set to 1 to avoid null cycling.  A table lookup with the LFSR state is used to obtain the next state of the LFSR.  A bit inversion of the output is performed with a four state inverter in position 1 for this round of encryption.

Using the same process that decrypted the disk key, we will now use the disk key to decrypt the title key.  The title key is used for the decryption of the encrypted sectors of the DVD disk.  The final bit inversion in this round of decryption is performed with the inverter in State 2.

Using the title key as input to the shift registers we can now read each sector off the disk and easily decrypt the data blocks using the aforementioned process with the inverter in State 3.