AACS

Advanced Access Content System (AACS) is a content distribution system for recordable and pre-recorded media. It was developed by eight companies: Disney, IBM, Intel, Matsushita (Panasonic), Microsoft, Sony, Toshiba, and Warner Brothers. Most notably, AACS is used to protect the next generation of high-definition optical discs such as Blu-ray and HD-DVD.

The AACS specification and decryption process are publicly available at https://aacsla.com/aacs-specifications/.

Unlike DVD CSS, which was definitively compromised once its unique encryption key had been discovered, Blu-ray uses stronger DRM mechanisms, which makes it a lot more difficult to manage. First, the AACS standard uses a much more complicated cryptographic process to protect the disc content. Second, it allows the industry to revoke compromised keys and distribute new keys through new discs.

You can determine whether a disc contains AACS protection by checking whether the /AACS directory exists.

AACS decryption process

The AACS decryption process for a protected disc by a licensed player goes through four stages:

  1. The software/embedded player's Device Keys, together with the disc's Media Key Block (MKB) data, are used to retrieve a "Processing Key"; that key, plus another datum from the MKB, is used to compute the Media Key.
  2. That Media Key, together with the disc's Volume ID (VID), which the player obtains by presenting a valid Host Certificate to the drive, is used to compute the Volume Unique Key (VUK).
  3. This VUK is used to unscramble the disc's scrambled Title Keys.
  4. Finally, those Title Keys unscramble the disc's protected media content.

Note that it is the disc that contains the MKB. MKBs have been renewed since the first commercial Blu-ray release in 2006. The latest MKB is version 81, and many discs actually share the same MKB. The software player provides the Host key and certificate, whereas the drive contains a list of the Host keys/certificates that have been revoked. Host key/certificate revocation occurs when a newer disc (containing a higher MKB version than the previously played disc) is decrypted or played, or when decryption or playback is attempted (the mere insertion of a disc does not update the drive). When this happens, the drive forever loses its ability to use older Host keys/certificates.
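As an added example (not from the original page or from any AACS tool), the /AACS directory check described earlier can be extended to report which MKB version a disc carries, the value that drives the host revocation described above. The file name MKB_RO.inf, the record layout (1-byte type, 3-byte big-endian length that counts the header) and the Type and Version record id 0x10 are assumptions taken from the public AACS specification, not from this page; the sample bytes are constructed.

```python
import struct
from pathlib import Path

TYPE_AND_VERSION = 0x10  # assumed record id of the "Type and Version" record


def iter_mkb_records(data: bytes):
    """Yield (record_type, body) for each record in an MKB byte string."""
    pos = 0
    while pos + 4 <= len(data):
        rec_type = data[pos]
        # 3-byte big-endian length; it includes the 4-byte record header.
        rec_len = int.from_bytes(data[pos + 1:pos + 4], "big")
        if rec_len < 4 or pos + rec_len > len(data):
            break  # zero padding or a truncated record: stop walking
        yield rec_type, data[pos + 4:pos + rec_len]
        pos += rec_len


def mkb_version(data: bytes):
    """Return (mkb_type, version) from the Type and Version record, or None."""
    for rec_type, body in iter_mkb_records(data):
        if rec_type == TYPE_AND_VERSION and len(body) >= 8:
            return struct.unpack(">II", body[:8])
    return None


def inspect_disc(root):
    """Report AACS presence and MKB version for a disc mounted at `root`."""
    aacs = Path(root) / "AACS"
    if not aacs.is_dir():
        return {"aacs": False, "mkb_version": None}
    mkb = aacs / "MKB_RO.inf"  # assumed file name, not given on this page
    parsed = mkb_version(mkb.read_bytes()) if mkb.is_file() else None
    return {"aacs": True, "mkb_version": parsed[1] if parsed else None}


# Constructed sample: a Type and Version record (version 81), one other
# record with a zeroed body, then zero padding. Not data from a real disc.
SAMPLE_MKB = (
    bytes([0x10, 0x00, 0x00, 0x0C]) + struct.pack(">II", 0x00031003, 81)
    + bytes([0x81, 0x00, 0x00, 0x08]) + b"\x00" * 4
    + b"\x00" * 8
)

if __name__ == "__main__":
    print(mkb_version(SAMPLE_MKB))
```

Call `inspect_disc()` with the mount point of the disc to inventory a collection by MKB version before playing anything in a drive.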


Abbr.        Description
Km or MK     Media Key
Kvu or VUK   Volume Unique Key
Kt or UK     Unit Keys
VID          Volume ID
MKB          Media Key Block
DK           Device Keys
PK           Processing Keys
HC           Host Certificate

Calculate VUK and UK online.
