<= DeCSS Central Main Page


This page contains mostly technical and historical information about both CSS (the "encryption") and DeCSS (the decryption tool).



CSS and the CSS license

CSS ("Content Scrambling System") is an encryption system that most commercial DVDs use, and all DVD players need to understand. It's alleged purpose is to stop piracy, however it also enforces region coding, non-skippable FBI warnings or commercials and many other artificial restrictions.
Links to a cryptoanalysis of CSS can be found below, but CSS also consists of one other element: The CSS license. CSS is still being treated as a secret, even though it's dirty secrets have been available to the general public since November 1999. So in order to incorporate CSS into a player or other device, a company has to sign the CSS license, which is used as a further means to enforce the various restrictions put on customers through the CSS access control mechanism.

As background information, we have a local mirror of http://www.dvdcca.org/dvdcca/data/css/, which provides downloads for many CSS documents including procedures and parts of the license. Many of the artificial restrictions enforced through the CSS license can be found there and you can see for yourself how little CSS has to do with access control or copy protection.
It is unknown whether DVD CCA makes the above files available on purpose or by mistake. But they have been available at the above address for at least several weeks now, so we consider them published.



Hacking CSS

The media generally refers to Jon Johansen as the one who cracked CSS, though this might not be so. In fact, the late DeCSS releases by MoRE ("Masters of Reverse Engineering") contain a text file that says quite the contrary: An anonymous german hacker was responsible for the CSS crack, and MoRE only claims credit for writing DeCSS, the software. Jon Johanson said the same again in a recent interview with LinuxWorld.
MoRE also mention Derek Fawcus, who used to have a site with a cryptoanalysis of CSS at http://www.eyrie.demon.co.uk/css/, though that site has been down for a long time now.
Frank A. Stevenson had his cryptoanalysis of CSS online at crypto.gq.nu for a much longer time. The site still contains a link to it, and in case that ever vanishes, I have also a local copy.
The links section shows clearly that CSS source code was posted anonymously to the LiVid mailing list on october 25th, 1999. Stevenson posted his first attack on the cipher two days later.
MoRE claim that they had working CSS decryption code in the middle of september, 1999.
DeCSS, the proof-of-concept software that includes the CSS decryption code, was released in later october, 1999. MoRE also claims that another group, Drink or Die (DoD) also had a working decryption tool. That brings the total count of independent groups breaking the CSS encryption to three.



DeCSS

The software was released in the final days of october, 1999. It got considerable media attention during the first days of november, 1999.
DeCSS is a very simple windows tool that allows decryption of a CSS encrypted movie DVD and the copying of all or selected files from it to the harddisk.
It should be mentioned (again), that DVD rippers had been available for a long time already. For some reason, this fact did not get much media attention, which might be the reason many journalists saw DeCSS as the "first DVD piracy tool". The main difference between the "1st generation" rippers and tools like DeCSS and DoD Speed Ripper are that the older rippers do not decrypt the DVD at all. Instead, they let a DVD player do the decryption and hook themselves into the video or other suitable drivers, copying the data stream after decryption. The "2nd generation" software do actual decryption.
While this might be used for piracy in theory, it leaves you with a large volume of raw data in practice. A typical movie DVD contains 4 to 6 individual .vob files of 1 GB size each (the last file may be shorter) plus whatever special features might be on the DVD. The total data volume of a typical movie DVD is between 7 and 9 GB of data. You can't burn this to CD, since a CD only holds 650 MB of data - the 1 GB .vob files don't fit. If you keep it on your harddisk, then said harddisk will quickly fill up. An 18 GB drive can hold two DVD movies, but costs considerably more than original copies of those would cost. The same holds true for all other media that can store this amount of data, including writeable-DVDs.
At this point in time, the only people for whom DVD piracy is profitable are the professional pirates who own expensive equipment and couldn't care less for any encryption, since they do bitwise copies anyways, which means that their pirate copies are precise duplicates of the originals, including the CSS encryption. The DVD player will notice no difference between such a copy and the original version. CSS can not stop this kind of piracy.
personal note

Worse yet, this kind of piracy has been around since 1998 - long before DeCSS was ever written.

It is interesting that Jim Cardwell (Warner Home Video) completely agrees with most of the points made above. The only thing missing from his thoughts is the conclusion from his "There's no real economic incentive for anyone to hack this product" to the reason why it was done nevertheless.
More support for our arguments is coming from other industry players. The Israel-based company anti-piracy technology company TTR, for example, has published a whitepaper about CSS containing very much the same arguments.
Both the DVD CCA and the MPAA also can hardly claim ignorance to the fact that DVD piracy was a serious problem long before DeCSS. Why they still blaim DeCSS to "enable piracy" is beyond me.

Some final remarks about the legality of reverse-engineering: Norway does have a law that explicitly allows reverse-engineering and also states that this right can not be taken away by contract or license. For those of you who speak norwegian, the law can be found here. For those of you who don't, here is a translation someone on the cypherpunks mailing list made.
For Germany, a similiar law allows reverse-engineering to create interoperatibility. I also now have a translation of this, though it has not been done by a legal expert, so some terms may be slightly incorrect.

Moreover, it is well possible that the whole DVD CCA licensing scheme violates the European Union treaty, specifically article 81 and article 82.

For the United States, here is information on why the DVD CCA is not sueing, and can not possibly sue, under copyright law. It also follows that the MPAA's case is weak at best, unless they can prove actual copyright infringement (e.g. DVD copying) by the defendants:
http://www.softwareprotection.com/patent.html quotes: "...in the United States, software that affects a physical process may be patentable. If the software preempts a mathematical algorithm, however, it is not patentable." - this is why CSS was not and probably cannot be patented.
http://www.softwareprotection.com/copyright.html quotes: "Generally, copyright laws protect the form of expression of an idea, but not the idea itself. With respect to software, this typically means that the computer program, in both human-readable and machine-executable form, and the related manuals are eligible for copyright protection, but the methods and algorithms within a program are not protected expression." - which means that a specific computer program (e.g. Xing DVD player) can be protected by copyright, but what it does (e.g. decrypt and play DVDs) can not.



Appendix: Software

You can download the following files from here. However, my FTP server has a limit of 10 anonymous users, so please consider using a mirror site. Lists of mirror sites are available at:

Mirror World Map
Connecticut 2600 Listing
Look it up in search engines



Software downloads:
DecVOB.tar.gz- DecVOB (Linux Source)
decss121b.zip- DeCSS v1.21b (Windows)
css-auth.tar.gz- CSS authorization code (Source Code)
nist-0.6.tgz- beginnings of a Linux DVD player (Linux)
livid.tar.gz- Linux DVD code (Linux)
DeCSSplus_v1.0.zip- DeCSS plus (Source and Windows .exe)
descramble.mp3- song with decss lyrics (MP3)


MD5 hash sums of the above files:
2158b0c4218c523afee12685464b0f18  DecVOB.tar.gz
8653090161e8f287d365132acb098581  css-auth.tar.gz
9d0d8a71aa3b146d70b6f923da693d19  decss121b.zip
95965e75cffb22acda0f50a442afae4e  nist-0.6.tgz
93cfc895f18c30d283d3a33ee9009afe  livid.tar.gz
50c7e923b17a27265227d4931cfa631e  DeCSSplus_v1.0.zip
c94989be43abd79b79448b9267946c4c  descramble.mp3