Understanding HDMI & HDCP 2.2 Authentication

VIP Expert

Apr 20, 2015 / 2 min read

When digital content is transmitted over a link, it can be copied or intercepted, so protecting content has become an important part of transmitting audiovisual material. Intel developed the High-bandwidth Digital Content Protection (HDCP) protocol, first published in 2000, to encrypt audio and video data between a transmitter (the source of the audiovisual content, such as a Blu-ray player) and a receiver such as a monitor. If the transmitter sends HDCP-protected content, the receiver must also support HDCP; otherwise it cannot decrypt and display the content.

The HDCP protocol is now managed by Digital Content Protection (DCP), LLC, an Intel subsidiary that licenses technologies for protecting commercial digital content. Every device that handles HDCP-protected content must implement the HDCP protocol and must hold a license, including its device keys, issued by DCP, LLC.

History of HDCP

In devices that implement the 1.x versions of HDCP, such as HDCP 1.4, each device holds a Key Selection Vector (KSV) and a set of device private keys issued under license. The transmitter and receiver exchange KSVs, each derives a shared secret from its own private keys and the other side's KSV, and the receiver demonstrates that it holds valid keys by returning a value that the transmitter computes independently and compares; that shared secret then seeds the session key used for encryption, as depicted in Figure 1. SHA-1 is a hash function rather than an encryption algorithm, and HDCP 1.x uses it only in the repeater step, where the transmitter verifies the list of downstream KSVs. Both the key exchange and the content encryption rely on the proprietary HDCP stream cipher rather than on published standards. The HDCP 1.x master key was published in 2010, which allows valid device keys to be generated for any KSV, so 1.x offers little protection against a determined attacker today.

Figure 1: HDCP 1.x authentication process diagram

Introduction to HDCP2.2

The HDCP 2.2 specification uses published cryptographic standards instead of the proprietary 1.x cipher: RSA for authentication (signatures on receiver certificates and wrapping of the master key), AES-128 for content encryption, and HMAC-SHA256 for the integrity checks in the handshake. This makes it considerably more secure than the HDCP 1.x protocols.

The HDCP 2.2 protocol works in three phases. In the first, Authentication, the transmitter verifies that the receiver is genuine and authorized to receive the digital content, and the two sides establish keys. In the second, Encryption, the transmitter sends the content encrypted under the session key agreed during authentication, and the receiver decrypts it. The third, Renewability, handles the case where legitimate devices are compromised: the transmitter checks receiver IDs against a revocation list (the System Renewability Message, SRM) delivered with the content and refuses to send protected content to a revoked device.

HDCP2.2 Authentication Protocol

Before transmitting the audiovisual content, the transmitter must use the authentication protocol to make sure that the receiver is genuine and authorized to receive the protected content.

The Authentication Protocol consists of:
1. Authentication and key exchange (AKE): the transmitter checks that the receiver holds a valid, unrevoked public key certificate and sends it a master key, from which both sides derive further key material.
2. Locality check: the transmitter confirms that the receiver is physically nearby by requiring a keyed response to a fresh nonce within a tight time bound, which prevents the protected stream from being relayed over a long-distance link.
3. Session key exchange (SKE): the transmitter generates the session key that will encrypt the content itself and sends it to the receiver protected by the key material from AKE.
4. Authentication with repeater: an optional step when the sink is a repeater, i.e. further sink devices can be attached downstream. The transmitter verifies the list of receiver IDs reported for the whole topology and checks that none of them is revoked.
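The three phases described above (AKE, the locality check and SKE) and the revocation check that gives the protocol its renewability, as an added Go example using only the standard library's RSA, OAEP and HMAC-SHA256. This is not code from the original post or from any HDCP implementation: it models the shape of the exchange, not the specification's message formats. The certificate layout, the HMAC-based derivation of kd, the 16-byte masking of ks, the receiver IDs and the round-trip limit are all assumptions of the example; the `Revoked` map stands in for the SRM list, and the `Delay` field stands in for a receiver reached through a relay so the locality check can be seen to fail.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Receiver: ID, Pub and Sig form the certificate a sink presents during AKE (the licensing
// authority signs ID and public key); priv is its RSA private key. Layout is assumed here.
type Receiver struct {
	ID    []byte
	Pub   *rsa.PublicKey
	Sig   []byte // RSASSA-PKCS1-v1_5 with SHA-256 over certDigest(ID, Pub)
	priv  *rsa.PrivateKey
	Delay time.Duration // constructed: extra latency of a receiver reached over a long relay
}

type Transmitter struct {
	AuthorityPub *rsa.PublicKey  // public key of the licensing authority (DCP LLC for real devices)
	Revoked      map[string]bool // stands in for the SRM revocation list delivered with the content
}

// NewAuthorityKey stands in for the licensing authority's signing key.
func NewAuthorityKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

func certDigest(id []byte, pub *rsa.PublicKey) []byte {
	h := sha256.Sum256(bytes.Join([][]byte{id, pub.N.Bytes()}, nil))
	return h[:]
}
// Issue creates a receiver whose certificate is signed by the authority key ca.
func Issue(ca *rsa.PrivateKey, id []byte) *Receiver {
	k := must(rsa.GenerateKey(rand.Reader, 2048))
	sig := must(rsa.SignPKCS1v15(rand.Reader, ca, crypto.SHA256, certDigest(id, &k.PublicKey)))
	return &Receiver{ID: id, Pub: &k.PublicKey, Sig: sig, priv: k}
}

func nonce(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
func mac(key []byte, data ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(bytes.Join(data, nil))
	return m.Sum(nil)
}

// Authenticate runs AKE, the locality check and SKE; it returns ks as derived on each side.
func Authenticate(tx *Transmitter, rx *Receiver, maxRTT time.Duration) ([]byte, []byte, error) {
	// 1. AKE: exchange nonces, verify the certificate, consult the revocation list, wrap km.
	rtx, rrx := nonce(8), nonce(8)
	if rsa.VerifyPKCS1v15(tx.AuthorityPub, crypto.SHA256, certDigest(rx.ID, rx.Pub), rx.Sig) != nil {
		return nil, nil, fmt.Errorf("AKE: certificate signature does not verify")
	}
	if tx.Revoked[string(rx.ID)] {
		return nil, nil, fmt.Errorf("AKE: receiver ID %q is revoked", rx.ID)
	}
	km := nonce(16) // master key, sent RSAES-OAEP-wrapped under the receiver's public key
	ekm := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, rx.Pub, km, nil))
	kmRx := must(rsa.DecryptOAEP(sha256.New(), nil, rx.priv, ekm, nil))
	kdTx, kdRx := mac(km, rtx, rrx), mac(kmRx, rtx, rrx) // simplified; the spec derives dkey0||dkey1 with AES
	if !hmac.Equal(mac(kdRx, rtx), mac(kdTx, rtx)) {     // H': receiver proves it recovered km
		return nil, nil, fmt.Errorf("AKE: H' mismatch")
	}
	// 2. Locality check: the keyed answer to a fresh nonce must arrive within maxRTT.
	rn, start := nonce(8), time.Now()
	time.Sleep(rx.Delay)
	lPrime := mac(kdRx, rn)
	if rtt := time.Since(start); rtt > maxRTT {
		return nil, nil, fmt.Errorf("locality: response took %v, limit %v", rtt.Round(time.Millisecond), maxRTT)
	}
	if !hmac.Equal(lPrime, mac(kdTx, rn)) {
		return nil, nil, fmt.Errorf("locality: L' mismatch")
	}
	// 3. SKE: the transmitter picks ks and sends it masked with key material from AKE.
	ksTx, ksRx, eks := nonce(16), make([]byte, 16), make([]byte, 16)
	subtle.XORBytes(eks, ksTx, kdTx[:16])
	subtle.XORBytes(ksRx, eks, kdRx[:16])
	return ksTx, ksRx, nil
}

func main() {
	ca := NewAuthorityKey()
	tx := &Transmitter{AuthorityPub: &ca.PublicKey, Revoked: map[string]bool{"RX-REVOKED": true}}
	_, _, err := Authenticate(tx, Issue(ca, []byte("RX-REVOKED")), 200*time.Millisecond)
	fmt.Println("revoked receiver:", err)
}
```

Running it with a receiver issued under the authority key succeeds and both ends hold the same ks; a receiver whose ID is in `Revoked`, a certificate signed by some other key, or a receiver whose response arrives after `maxRTT` is refused before any session key is sent, which is exactly the ordering the phases above prescribe. `subtle.XORBytes` requires Go 1.20 or later.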

In the next blog post, we will discuss the basics of RSA cryptography. RSA, with its standard signature and encryption padding schemes, is the public-key cryptography used during Authentication and key exchange.
