undefined | Better HN

0 points_yb2s1y ago0 comments

How does the remote streaming server know a key is an authentic hardware GPU that hasn't been compromised, and not something you just generated in software, to enable software level decryption of the media?

It seems like you'd need some central SSL like certificate authority to verify and revoke credentials that were universally implemented in the same way by all GPU manufacturers.... surely there is no such thing?

0 comments

kbolino1y ago

At least for HDCP, that's exactly how it works. From the HDCP 2.2 spec [1]:

> Device Key Set. An HDCP Receiver has a Device Key Set, which consists of its corresponding Device Secret Keys along with the associated Public Key Certificate.

> Public Key Certificate. Each HDCP Receiver is issued a Public Key Certificate signed by DCP LLC, and contains the Receiver ID and RSA public key corresponding to the HDCP Receiver.

> The top-level HDCP Transmitter checks to see if the Receiver ID of the connected device is found in the revocation list.

[1]: https://www.digital-cp.com/sites/default/files/specification...

_yb2sOP1y ago

Thanks, that clarifies my confusion about how this could be realistically implemented. I couldn't see a practical way to verify every device on every connection via a central authority without massive scaling and reliability issues, but maintaining a small revocation list that can be cached everywhere media is distributed from seems quite practical.

mike_hearn1y ago

FWIW, efficient revocation has been solved since the Bluray era using AACS subset difference trees.

mjg591y ago

There doesn't need to be a central CA, you just need to establish trust with the DRM vendor. The GPU vendors coordinate with Microsoft to make Playready work, Android devices have certs that can be validated by Google for Widevine, Apple just does their own thing.

j / k navigate · click thread line to collapse