Xbox key defended by more than just length
[This article was contributed by LWN reader Tom Owen]
Someone thought this was urgent enough to work all evening.On Monday, this story was up on ZDNet with a dateline of 3PM Pacific. The Neo Project, an open source distributed computing effort, had started work to factorize the Microsoft Xbox public key. Just a few hours later, a little before midnight in Ontario, administrator Mike Curry posted this message on the Neo discussion board:
The Neo Project had spent six months grinding away on the RSA 576-bit factoring challenge while waiting for something worthier to come up. "Something worthier" turned out to be the Xbox Challenge, once Michael Robertson (Lindows and mp3.com) extended his offer of $100,000 for a procedure to boot 386 Linux on a Microsoft Xbox games console.
The games console business model was invented by King Camp Gillette as "razors and blades," but a better analogy for technical folks might be "printers and cartridges." The initial unit — razor, printer or console — is priced attractively regardless of the actual cost, and the profits are made on surprisingly expensive consumables. It takes technical subtlety and legal protection — to stop free-riding competitors. In the case of the Xbox, Microsoft charges a fat fee — many dollars per copy — to sign a game with the private xbox key; the console knows the public key and won't boot games signed by anyone else. Owners can fit so-called mod chips to bypass the check, but MS knows that most people won't poke around in the hardware. The Neo Project set out to crack the Xbox key to allow Linux to boot on an unmodified Xbox.
If the key only allowed booting Linux on the Xbox, Microsoft would probably not be too concerned. But that key would also allow anybody to sign any game, and thus bypass Microsoft altogether. And that, of course, is a direct threat to Microsoft's Xbox business plan.
The Xbox hacker site has an "unofficial quote" from a Neo Project source
So is Microsoft releasing its vicious assault lawyers in a desperate attempt to preserve the endangered xbox business model? Well, probably not. There was never any practical danger. One of the largest keys ever factored in public was the RSA 512 bit challenge, it took a few months work on a few hundred sub-500MHz class machines and nine days on a Cray. The 2048 bit Xbox public key is obviously more difficult, but it's truly astonishing just how much more difficult. RSA doesn't publish an estimate beyond 1620 bits, which they list as requiring a year with over 1000 trillion (1,000,000,000,000,000) 500MHz Pentiums, each with 120TB memory. Even the dotcom bust has not freed up that sort of hardware, so they expect this sort of key to stand for decades.
Instead, the Neo Project was hoping to get lucky; they were trying random keys in the hope that they might happen to hit the right one. In the day they were running, a few thousand machines tested almost a billion potential keys. Which is good progress, except that the number of potential keys is counted in a number with hundreds of digits. Odds like that make winning the lottery twice, or death in a meteorite strike into everyday occurrences. If they were really looking for a result "today, tomorrow or never," the smart money would be on never.
Microsoft -- assuming it was Microsoft -- bets with the smart
money,
but they shut down the Neo Project's Xbox effort anyway.
It must take a firm nerve to keep faith in RSA and statistics when you learn
that thousands of machines
are working away on a lock that defends a future billion-dollar revenue stream.
Compared with a risk like that, lawyers are cheap, even when they have to work
nights.
Posted Jan 9, 2003 6:29 UTC (Thu)
by Strike (guest, #861)
[Link]
The 2048 Xbox public key is obviously more difficult, but it's truly astonishing just how much more difficult. The 2048-bit Xbox public key ...
Posted Jan 9, 2003 9:47 UTC (Thu)
by beejaybee (guest, #1581)
[Link] (1 responses)
Highly sophisticated factoring methods like NFS scale much better than most people realise. Indeed factoring has been shown to be an "easy" problem, as a polynominal time algorithm has been published. RSA 2048 may well be safe for a few years yet (at any rate, the commercial life of the Xbox) but don't simply assume that it is safe for the lifetime of the Universe. As for the Neo project's aborted effort - their approach was indeed extremely unlikely to succeed - IMHO M$'s lawyers' advice _should_ have been to leave them in business, perhaps even provide a little covert support, in the hope of diverting effort away from projects which have a much better chance of success.
Posted Jan 9, 2003 11:10 UTC (Thu)
by beejaybee (guest, #1581)
[Link]
I wrote "Indeed factoring has been shown to be an "easy" problem, as a polynominal time algorithm has been published." This is not quite true - there is indeed a polynominal time algorithm but it depends on quantum computing. QC will, of course, totally destroy RSA, whatever the key length.
Posted Jan 10, 2003 13:47 UTC (Fri)
by copsewood (subscriber, #199)
[Link]
In what sense could it be OK to forge a digital signature to pretend to be someone different from one's true identity, when it isn't OK to forge a handwritten signature ? I think to combat the monopoly implications of the reasonably exclusive right to use a signature, we need to consider the principles behind the old IBM versus Teletype Corporation suit, which eventually forced the monopoly to open up the market for peripherals. If access to the Microsoft private key is the issue to running a Linux distribution on unmodified Xboxes, it would seem to me more appropriate for a Linux distributor, project or consortium to sue Microsoft for refusal to sign a Linux boot loader for use on XBox hardware as an Xbox program on fair, reasonable and non-discriminatory terms. Presumably once a suitable small and generic boot loader had been signed, any free software could be run. Whether a free society should allow a hardware manufacturer with a position to establish a monopoly, legally to charge for use of a signature required in order to run any software on unmodified hardware is another and very relevant question.
Correction
Well, they aren't RSA keys, but NFSNET (http://www.nfsnet.org/) is routinely factoring numbers around 2^700 - at a rate of around one a month, without an immense number of volunteers and using hardware requiring only around 128 MBytes memory.Xbox key defended by more than just length
Um.Xbox key defended by more than just length
However much I agree with legal, moral, truthful and decent attacks against the MS monopoly this is one which I feel is plain wrong for the same reason that spam should be made illegal, i.e. that it involves forgery and deception (spam always has forged addresses to make complaints to the origin more difficult). Xbox key defended by more than just length