VIP Central

 

HDCP 2.2: Authentication and Key Exchange (AKE)

In The HDCP 2.2 Authentication Process – an Introduction, we discussed why we need HDCP, and the basic steps of the HDCP Authentication Process. We noted that an advanced version of RSA is the underlying cryptography standard used during the Authentication and key exchange. In HDCP 2.2 Authentication: RSA Cryptography, we discussed the basics of RSA Cryptography. In this blog post, we will dive into the details of Authentication and Key Exchange (AKE), which is the first step in the authentication protocol. You can learn more about the HDCP 2.2 Authentication Process by downloading our whitepaper, Demystifying the HDCP 2.2 Authentication Process.

The HDCP transmitter can start at any time even before a previous authentication is complete. HDCP Receiver’s public key Certificate is verified by the HDCP transmitter then the devices share a master key Km. This stored master Key Km accelerates the subsequent communication between HDCP transmitter and Receiver. Authentication also happens even if the transmitter doesn’t have a stored master Key corresponding to the HDCP receiver. These keys information are sent in form of messages. If we are using HDMI then these messages would go over the I2C based control bus in big endian format.

1024 bit wide Receiver’s public key is stored in the certificate which has the following content:

HDCP-Certificate

Below figure shows the flow for Authentication and key exchange:

HDCP-AKE-flow-without-stored-KmAuthentication and Key Exchange Flow (without stored Km)

Transmitter sends its own information to receiver which in turns sends its own certificate containing public key within 100ms time frame. Transmitter verifies the signature. As explained in the figure below, the failure of the signature verification will result in the Authentication abort:

HDCP-signature-verif-AKESignature Verification during AKE

After successful signature verification, if the transmitter doesn’t have the stored master key Km from the previous session, the transmitter generates a random 128 bit master key, encrypts it using the RSAES-OAESP encryption with receiver’s public key, and sends it to the receiver.

In addition to signature verification, the transmitter also checks that the receiver ID of the receiver is not present in the revocation list. It is a procedure to make sure that a receiver which has been compromised and identified will be tracked during authentication. If the receiver ID is found in the revocation list, AKE is aborted.

Upon receiving the encrypted Km, receiver decrypt it using the receiver private key (HDCP2.2 recommend using Chinese Remainder theorem to reduce effort as this is the most compute intensive step in the entire authentication flow). There is also a time limit bound of 1s for the entire decryption and the subsequent hash value calculation.

After the receiver successfully decrypts the km, it sends back the H_Prime, a HMAC-SHA-256 (see below section for details), hash value of the master key Km to the transmitter. This is to provide an acknowledgement to the transmitter that the receiver has indeed successfully decrypt the master Key Km.

Upon receiving the Hash value (H_prime) from the receiver, the transmitter checks against its own computed value. Upon successful comparison of the H_Prime, Authentication and key exchange is complete otherwise AKE is aborted.

HMAC SHA-256

In order to provide more authenticity for messages, HDCP2.2 uses Hash based Message Authenticity code(HMAC). The HMAC-SHA256 is a message authentication method which uses the underlying hash functions as SHA-256. The input to the HMAC-SHA256 is a key (which can be message). The output is the message access code which can be send back to originator of the message which can check the HMAC code against its own code and verify the message has been correctly received by the receiver.

Pairing

Before explaining the next step in the Authentication Flow, it is important to explain a process called Pairing. In the above AKE flow, it is explained how transmitter generates a master key Km if it doesn’t have the stored key Km. Now transmitter can store the received Km value for the next session and reuse it instead of generating a new Km, hence speeding up the entire flow of AKE. In the AKE flow after the receiver send H_Prime information to transmitter, it will send the AES encrypted master Key to the transmitter. Transmitter stores the Encrypted master key and master key itself. For subsequent session, The AKE flow with stored Km is illustrated in the figure below:

HDCP-AKE-with-stored-KmAuthentication and Key Exchange (With Stored Km)

 You can learn more about the HDCP 2.2 Authentication Process by downloading our whitepaper, Demystifying the HDCP 2.2 Authentication  Process.