iTunes uses RSA and AES to encrypt the data channel. The encryption details are exchanged in the ANNOUNCE block of the RemoteAudioOutputProtocol.
iTunes sends a 342 bytes (2736 bits) long RSA/AES key (rsaaeskey) and a 22 bytes (176 bits) long AES initialization vector (aesiv) to the AirPortExpress.
The AirPortExpress then sends 342 bytes of data (Apple-Response) along with it’s answer, which is obviously another key.
I think the AX is ‘signing’ the iTunes key, because iTunes refuses to accept the Apple-Response from the RemoteAudioOutputProtocol example.
You’re right. The ‘key’ is just a random value, though. See below for details.
The Apple-Challenge / Apple-Response is iTunes’ method to verify that it’s talking to an Airport Express; it may be similar to the DAAP one which has been reverse-engineered. These headers are optional when talking to the Airport Express, so it’s possible for other programs to talk to the Express but it’ll be difficult to get iTunes to talk to something other than the Airport Express.
The DigitalAudioAccessProtocol is a simple protocol, it cannot be compared to cryptographic systems like RSA and AES
The BaseSixtyFour encoded 2736 bits can be decoded into 2048 bits binary data. This is not an X.509 certificate but could be the modulus and exponent of an 1024 bit RSA key.
Maybe the AirPortExpress generates the AES key and sends it back to iTunes, encrypted with the given RSA key. This way, only iTunes could decrypt the AES key using the private counterpart of the RSA key. However, encrypting an AES key with the RSA key results in 1024 bits of encrypted data whereas the RemoteAudioOutputProtocol example shows 2048 bits (Apple-Response).
I’ve tried to encrypt the aesiv as well and combined the two. iTunes hovewer refuses to accept the response.
JonJohansen (of DeCSS fame) published the AirPortExpress RSA public key on his blog:
AirPort Express RSA Public Key, Modulus:
59dE8qLieItsH1WgjrcFRKj6eUWqi+bGLOX1HL3U3GhC/j0Qg90u3sG/1CUtwC 5vOYvfDmFI6oSFXi5ELabWJmT2dKHzBJKa3k9ok+8t9ucRqMd6DZHJ2YCCLlDR KSKv6kDqnw4UwPdpOMXziC/AMj3Z/lUVX1G7WSHCAWKf1zNS1eLvqr+boEjXuB OitnZ/bDzPHrTOZz0Dew0uowxf/+sG+NCK3eQJVxqcaJ/vEHKIVd2M+5qL71yJ Q+87X6oV3eaYvt3zWZYD6z5vYTcrtij2VZ9Zmni/UAaHqn9JdsBWLUEpVviYnh imNVvYFZeCXg/IdTQ+x4IRdiXNv5hEew==
Exponent:
AQAB
He has released a CLI app to stream MPEG4 Apple Lossless to an AirPort Express. See http://nanocrew.net/blog/apple/revairtunes.html
I’d like to add, by using this key any app can stream to AirPort Express, but the music stays encrypted on the network.
Apple-Challenge is just a random 128-bit number generated by iTunes which gets sent to the AirPortExpress, and then the AirPortExpress encrypts (“signs”) this value with its RSA private key (the same that it uses to decrypt audio data). Then it sends back this encrypted data (the Apple-Response), and iTunes uses the public key portion (see above) to decrypt the message and then checks to make sure that it is the same value it generated. Until we get the private key out of the AirPortExpress, it’s not possible to convince iTunes to send anything to a non-AirPortExpress client (say, another computer pretending to be an AirPortExpress).
What about replacing the AirPortExpress’s public key in iTunes with another public key from a keypair that you generate yourself?
Would the key be found in http://www.apple.com/support/downloads/airportexpressfirmwareupdate63formacosx.html ?
What about using a publicly-accessible AirPort Express (or pool of them) that would just provide the “Apple-Response” to any servers that request it? Once the initial setup is performed, iTunes would continue to accept it as valid during the streaming session.
from reading other topics relating to this there are people that wonder whether the airport express has a secret serial port (there are 3 test pads on the pcb - this to me is probably access to the SPI interface of the flash chip (the flash chip is accessed via a serial line) and from what i read about the SPI interface it uses 3 wires (which reinforces my idea) + to me it would make more sense to me that this is the case as then the chip can be flashed after mounting during manufacture or repairs. this makes me think that figuring out which of the 3 pins are which one should be able to program an atmel AVR controller to read off the flash data fairly easily. The private key extracted by someone form the airport:
—–BEGIN RSA PRIVATE KEY—– MIIEpQIBAAKCAQEA59dE8qLieItsH1WgjrcFRKj6eUWqi+bGLOX1HL3U3GhC/j0Qg90u3sG/1CUt wC5vOYvfDmFI6oSFXi5ELabWJmT2dKHzBJKa3k9ok+8t9ucRqMd6DZHJ2YCCLlDRKSKv6kDqnw4U wPdpOMXziC/AMj3Z/lUVX1G7WSHCAWKf1zNS1eLvqr+boEjXuBOitnZ/bDzPHrTOZz0Dew0uowxf /+sG+NCK3eQJVxqcaJ/vEHKIVd2M+5qL71yJQ+87X6oV3eaYvt3zWZYD6z5vYTcrtij2VZ9Zmni/ UAaHqn9JdsBWLUEpVviYnhimNVvYFZeCXg/IdTQ+x4IRdiXNv5hEewIDAQABAoIBAQDl8Axy9XfW BLmkzkEiqoSwF0PsmVrPzH9KsnwLGH+QZlvjWd8SWYGN7u1507HvhF5N3drJoVU3O14nDY4TFQAa LlJ9VM35AApXaLyY1ERrN7u9ALKd2LUwYhM7Km539O4yUFYikE2nIPscEsA5ltpxOgUGCY7b7ez5 NtD6nL1ZKauw7aNXmVAvmJTcuPxWmoktF3gDJKK2wxZuNGcJE0uFQEG4Z3BrWP7yoNuSK3dii2jm lpPHr0O/KnPQtzI3eguhe0TwUem/eYSdyzMyVx/YpwkzwtYL3sR5k0o9rKQLtvLzfAqdBxBurciz aaA/L0HIgAmOit1GJA2saMxTVPNhAoGBAPfgv1oeZxgxmotiCcMXFEQEWflzhWYTsXrhUIuz5jFu a39GLS99ZEErhLdrwj8rDDViRVJ5skOp9zFvlYAHs0xh92ji1E7V/ysnKBfsMrPkk5KSKPrnjndM oPdevWnVkgJ5jxFuNgxkOLMuG9i53B4yMvDTCRiIPMQ++N2iLDaRAoGBAO9v//mU8eVkQaoANf0Z oMjW8CN4xwWA2cSEIHkd9AfFkftuv8oyLDCG3ZAf0vrhrrtkrfa7ef+AUb69DNggq4mHQAYBp7L+ k5DKzJrKuO0r+R0YbY9pZD1+/g9dVt91d6LQNepUE/yY2PP5CNoFmjedpLHMOPFdVgqDzDFxU8hL AoGBANDrr7xAJbqBjHVwIzQ4To9pb4BNeqDndk5Qe7fT3+/H1njGaC0/rXE0Qb7q5ySgnsCb3DvA cJyRM9SJ7OKlGt0FMSdJD5KG0XPIpAVNwgpXXH5MDJg09KHeh0kXo+QA6viFBi21y340NonnEfdf 54PX4ZGS/Xac1UK+pLkBB+zRAoGAf0AY3H3qKS2lMEI4bzEFoHeK3G895pDaK3TFBVmD7fV0Zhov 17fegFPMwOII8MisYm9ZfT2Z0s5Ro3s5rkt+nvLAdfC/PYPKzTLalpGSwomSNYJcB9HNMlmhkGzc 1JnLYT4iyUyx6pcZBmCd8bD0iwY/FzcgNDaUmbX9+XDvRA0CgYEAkE7pIPlE71qvfJQgoA9em0gI LAuE4Pu13aKiJnfft7hIjbK+5kyb3TysZvoyDnb3HOKvInK7vXbKuU4ISgxB2bB3HcYzQMGsz1qJ 2gG0N5hvJpzwwhbhXqFKA4zaaSrw622wDniAK5MlIE0tIAKKP4yxNGjoD2QYjhBGuhvkWKaXTyY= —–END RSA PRIVATE KEY—–