Topic: Make KDM for encrypted DCP
Marcel Birgelen
Film God
Posts: 3357
From: Maastricht, Limburg, Netherlands
Registered: Feb 2012
posted 12-03-2014 05:25 AM
I guess you need to dive into how this whole DCI and PKI encryption scheme works.
The simplified version:
- You encrypt your content with your own encryption key. Essentially, you encrypt all content-related assets in the DCP, both audio and video.
- Your customer's server also has an encryption key stored in the media block, actually a private and a public key. The public key can be exported; the private key in the server remains private, even for the customer. It's protected by all kinds of security measures, so you cannot easily retrieve it from the media block.
- Your customer sends you their public key.
- Now you send them your key to the content via a KDM. But you do not send this key in plain text, otherwise your customer could just get the key from the KDM and essentially do whatever they want with it. The key in your KDM is encrypted using the public key from the server of your customer. This way, it can only be decrypted with the private key inside the media block in the server.
The media block, the protected part in the server, serves as content police and secure key vault. It's responsible for securely storing the server's private key, securely decrypting the content and also enforcing time limitations on the validity of the KDM.
A secure media block must be designed in such a way that any tampering will essentially destroy the sensitive parts of the memory. It also keeps its own clock, which can only be adjusted within very limited time frames; this is to avoid somebody using the age-old trick of resetting the clock to extend content/license validity.
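To make Marcel's simplified scheme concrete, here is an added example in Go; it is not code from this thread or from DCP-o-matic. It assumes a reduced KDM (just the wrapped content key and a validity window, not the signed XML a real KDM is), AES-GCM in place of the AES-CBC/MXF encryption real DCPs use, and a `Clock` callback standing in for the media block's own tamper-resistant clock; `MediaBlock`, `IssueKDM` and `Play` are illustrative names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"time"
)

// KDM: the content key wrapped for one server, plus its validity window (constructed, simplified).
type KDM struct{ WrappedKey []byte; NotBefore, NotAfter time.Time }
// MediaBlock: priv is unexported and never leaves it; Clock stands in for the block's own clock.
type MediaBlock struct{ priv *rsa.PrivateKey; Clock func() time.Time }
func NewMediaBlock(clock func() time.Time) *MediaBlock {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // generated inside the block, never exported
	return &MediaBlock{priv: priv, Clock: clock}
}
// PublicKey is the exportable half that the customer sends to the distributor.
func (m *MediaBlock) PublicKey() *rsa.PublicKey { return &m.priv.PublicKey }
// gcm: AES-GCM under a content key; the fixed nonce is safe only because each key is single-use.
func gcm(key []byte) cipher.AEAD {
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	return g
}
// EncryptContent (distributor side): a fresh random AES-128 key for this one asset.
func EncryptContent(plain []byte) (key, ct []byte) {
	key = make([]byte, 16)
	rand.Read(key) // crypto/rand; a failure here would be a platform fault, not an input error
	return key, gcm(key).Seal(nil, make([]byte, 12), plain, nil)
}
// IssueKDM wraps the content key with RSA-OAEP under the target server's public key.
func IssueKDM(key []byte, pub *rsa.PublicKey, from, to time.Time) *KDM {
	w, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil) // a 16-byte key always fits
	return &KDM{WrappedKey: w, NotBefore: from, NotAfter: to}
}
// Play enforces the window against the block's own clock, then unwraps and decrypts inside the block.
func (m *MediaBlock) Play(k *KDM, ct []byte) ([]byte, error) {
	if now := m.Clock(); now.Before(k.NotBefore) || now.After(k.NotAfter) {
		return nil, errors.New("KDM not valid at this time")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, m.priv, k.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("KDM was not issued for this server")
	}
	return gcm(key).Open(nil, make([]byte, 12), ct, nil)
}
```

The same KDM handed to a second media block fails at the unwrap step, and the issuing server's own clock, not the caller's, decides whether the window is open.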
Michael Qu
Film Handler
Posts: 43
From: Shanghai, Shanghai, China
Registered: Jan 2012
posted 12-03-2014 10:11 AM
quote: Marcel Birgelen
Michael, did you check the on-line documentation of DCP-o-matic?

More information in the documentation? Several months ago I read the whole document, but this time only the "KDM" part. I will check it for more.

quote: Marcel Birgelen
The simplified version:
- You encrypt your content with your own encryption key. Essentially, you encrypt all content-related assets in the DCP, both audio and video.
- Your customer's server also has an encryption key stored in the media block, actually a private and a public key. The public key can be exported; the private key in the server remains private, even for the customer. It's protected by all kinds of security measures, so you cannot easily retrieve it from the media block.
- Your customer sends you their public key.
- Now you send them your key to the content via a KDM. But you do not send this key in plain text, otherwise your customer could just get the key from the KDM and essentially do whatever they want with it. The key in your KDM is encrypted using the public key from the server of your customer. This way, it can only be decrypted with the private key inside the media block in the server.
The media block, the protected part in the server, serves as content police and secure key vault. It's responsible for securely storing the server's private key, securely decrypting the content and also enforcing time limitations on the validity of the KDM.
A secure media block must be designed in such a way that any tampering will essentially destroy the sensitive parts of the memory. It also keeps its own clock, which can only be adjusted within very limited time frames; this is to avoid somebody using the age-old trick of resetting the clock to extend content/license validity.

Oh, this makes it clear. I misunderstood the private key as the key of the DCP maker.
Carsten Kurz
Film God
Posts: 4340
From: Cologne, NRW, Germany
Registered: Aug 2009
posted 12-03-2014 03:54 PM
quote: Michael Qu
I package the DCP with my PC, so the key is in my PC? But I didn't find any other files except the DCP files.

Michael - the 'raw' key that is used to encrypt the DCP, and which is used to create the KDM afterwards, is stored with the other project definition in the metadata.xml file. You can look it up there if you want.
So this stays safe on your computer, if you don't accidentally copy it with the DCP to a distribution drive. If you lose it (delete the project file/folder, etc.), you will not be able to create another KDM for this particular DCP/CPL. You would have to create the full DCP from scratch, including encryption with a new key.
To create KDMs, you will first need to create a database of certificate/screen/theater references within DCP-o-matic. When creating a KDM for a specific screen, you will link this screen's/server's certificate with the CPL you created, then either store the KDM file locally or set up an email chain to send it directly to the theater/projectionist. This KDM is then only valid for that particular screen, and within the given time frame you set. DCP-o-matic will create this time frame based on your local machine's timezone settings. So if you let the window start at 9am, this will be YOUR 9am. As long as your DCP doesn't cross timezones, you can ignore this.
- Carsten
All times are Central (GMT -6:00)