I've noticed that in Chrome license responses, the session key, which is normally 256 bytes long to match the length of the device private key, is now 128 bytes. It seems to suggest it is decrypted with a less secure private key (very unlikely) or the device private key is used elsewhere and differently.
I am not sure if I am missing anything or misunderstanding, but has this been noted or researched? Or maybe this is on web-based CDMs only? Padding the session key is not an option that works.