Well that blew up, huh? If you follow emulation or just gaming on the whole, you've probably heard about the controversy around the Dolphin Steam release and the Wii Common Key. There's been a lot of conclusions made, and while we've wanted to defend ourselves, we thought it would be prudent to contact lawyers first to make sure that our understanding of the situation was legally sound. That took some time, which was frustrating to ourselves and to our users, but now we are educated and ready to give an informed response.
That is what we call an attack, or a vulnerability. It isn’t supposed to happen, and at the point where it does, that algorithm becomes cryptographically insecure and should not be used.
I see what you’re thinking though, as it would be such an old hash that collisions must be known, right?
Well unfortunately, what we are dealing with here is encryption, not hashing, and hash collisions do not apply as an attack vector to encryption.
You could in theory try a cryptographic attack on the encrypted data but then you run into a few other problems:
you’re effectively distributing a DRM bypass tool, expressly forbidden under DMCA
Attacking even the likes of RC4 takes considerable compute time on modern systems
If you do crack it, you legally can’t store it, which compounds problem number 2.
Legality aside because I’m sure there’s always going to be some random law that they will use (or twist) to fight this… With 3DS I remember there was a community provided cloud cracking service. I’m guessing it was either some comically weak algorithm or they found some vulnerability they were able to exploit.
But even then that’s not really a good comparison because if there was some master key (I don’t know the specifics) it is still physically on your 3DS and they weren’t sending them around (or worse, hosting it on a store).
The situation sucks but I understand it from Valve’s point of view. It’s not about whether they think it is okay or not, it’s about them being concerned about liability from Nintendo who are well known for protecting their IP.
Get this: their digital licensing protection scheme was entirely client side. Which meant anybody with a hacked 3DS could just request any game they liked directly from the eShop.
A hash converts a large input into a small output. If a hash takes up to 128 ASCII characters and outputs 64, there will be ~10^135 collisions per output. This is completely normal and not a design flaw. It’s simple math.
The strength of a cyyptographic hash function (not the only kind of hash or the only useful kind) is in not being predictable, not in avoiding collisions.
Actually it does. That’s literally what hashing is supposed to do.
https://en.wikipedia.org/wiki/Hash_collision
That is what we call an attack, or a vulnerability. It isn’t supposed to happen, and at the point where it does, that algorithm becomes cryptographically insecure and should not be used.
I see what you’re thinking though, as it would be such an old hash that collisions must be known, right?
Well unfortunately, what we are dealing with here is encryption, not hashing, and hash collisions do not apply as an attack vector to encryption.
You could in theory try a cryptographic attack on the encrypted data but then you run into a few other problems:
you’re effectively distributing a DRM bypass tool, expressly forbidden under DMCA
Attacking even the likes of RC4 takes considerable compute time on modern systems
If you do crack it, you legally can’t store it, which compounds problem number 2.
Legality aside because I’m sure there’s always going to be some random law that they will use (or twist) to fight this… With 3DS I remember there was a community provided cloud cracking service. I’m guessing it was either some comically weak algorithm or they found some vulnerability they were able to exploit.
But even then that’s not really a good comparison because if there was some master key (I don’t know the specifics) it is still physically on your 3DS and they weren’t sending them around (or worse, hosting it on a store).
The situation sucks but I understand it from Valve’s point of view. It’s not about whether they think it is okay or not, it’s about them being concerned about liability from Nintendo who are well known for protecting their IP.
Oh the shit on the 3DS was absolutely comical.
Get this: their digital licensing protection scheme was entirely client side. Which meant anybody with a hacked 3DS could just request any game they liked directly from the eShop.
A hash can take more inputs than it has outputs. By definition there have to be collisions.
…what are you even talking about? A hashing algorithm takes one data input and makes one hash from said data input.
A hash converts a large input into a small output. If a hash takes up to 128 ASCII characters and outputs 64, there will be ~10^135 collisions per output. This is completely normal and not a design flaw. It’s simple math.
The strength of a cyyptographic hash function (not the only kind of hash or the only useful kind) is in not being predictable, not in avoiding collisions.