DCI Specs - Digital Cinema Initiatives

More documents

Recommendations

Info

Security Managers (SMs) other than requiring that the Image Media Block contain aSecurity Manager.The security system must be sufficiently flexible to support complex groupings andrelationships between the Rights Owners, Distributors and Exhibitors. Trust Domainsrepresent the essence of these relationships. The required flexibility is achieved throughtrust communications that supports the existence of simultaneous multiple overlappingdomains, as opposed to force-fitting them into a single domain. In practice, this isimplemented via the Digital Certificate chains and TDL that is part of the KDM. DigitalCertificate chaining and TDL management is out of scope of these standards.9.6.2.2. Authenticating Secure Processing Blocks & Linking TrustThrough CertificatesA Digital Cinema Certificate is a declaration by a trusted organization, such as amanufacturer, that the security device is a particular make and model and is certified(i.e., found compliant to this specification) to perform identified DC roles (e.g., performImage or Sound Decryption or provide SPB physical protection functions). The certificateis cryptographically bound to the security device it represents, in such a way that theauthenticity of the device is easy to verify. The Certificate is also cryptographically boundto the entity that issued it. This latter binding can be authenticated by knowing andtrusting another certificate, that of the certificate issuing entity, called the issuingauthority or Certificate Authority. Certificates of issuing authorities are called rootcertificates.The design of the certificate includes a technique called chaining, which is an elegantand cryptographically strong method of linking certificates back to the root certificateowned by its issuing authority. Thus, where required an entity can authenticate endentity leaf certificates by knowing just the (set of) root certificates it needs.The use of certificates to authenticate Secure Processing Blocks (SPB) or SecurityEntities (SEs) prevents the theft of content by substituting a rogue device for a legitimateSecure Processing Block (SPB) or Security Entity (SE) The security system requires(only) Image Media Block Security Managers to perform authentication functions,permitting the SM to safely extend trust to encompass those SPBs and SEs, thusforming its trust domain.9.6.2.3. Identity vs. “Trust”In the theater, the SM uses certificates for two primary functions: 1) authenticating aSecure Processing Block’s (SPB’s) identity and roles, and 2) establishing the secureTransport Layer Security (TLS) session for Intra-Theater Messaging communicationswith that Secure Processing Block (SPB). These two functions are performedsimultaneously when the SM and Secure Processing Block (SPB) set up their TransportLayer Security (TLS) session, during which, the Secure Processing Block (SPB)presents its certificate chain to the SM. This process opens secure communicationsbetween security devices in each auditorium suite, and allows the SM to identify suiteequipment.However, decisions that the SM makes regarding its “trust” in accepting the remoteSecure Processing Blocks (SPBs) as capable of playing content (receiving content keys,etc.) is independent of the above identity/authentication process. Trust decisions aremade on a Rights Owner by Rights Owner basis, and communicated via the TDL in theKDM (see Section 9.4.3.1 Transport Layer Security (TLS) Establishment and SecureDCI Digital Cinema System Specification v.1.2 Page 146
Processing Block (SPB) Authentication and Section 9.4.3.5 Functions of the SecurityManager (SM)).9.6.2.4. Revocation and Renewal of TrustThe use of TDLs in the KDM allows a simple and effective way for Distributors tocommunicate trust in exhibition equipment to the responsible Security Managers.However, the source (database) of equipment lists, from which TDL information isderived must be managed with respect to revocation and renewal issues per Table 23:Factors Supporting Trust in a Security Device, above.In routine operation, trusted equipment remains trusted indefinitely. However there maybe situations in which trust in a security device needs to be terminated or restored.Controlling change in trust relationships is an important aspect of trust management.Database references for TDL creation must be managed with respect to trust issues.However, these are outside the scope of this specification.9.7. Essence Encryption and CryptographyThe security system employs widely used and rigorously tested ciphers for use in DigitalCinema. The following are requirements pertaining to Digital Cinema applications for ciphersand associated security parameters.9.7.1. Content TransportContent security is transport agnostic, and can be accomplished by either electronic orphysical means. Other than as authorized and intended by Rights Owners (e.g., to supportDistribution practices or requirements), content shall only be decrypted at playback time atthe exhibition site under the policy of the SM.9.7.2. Image and Sound EncryptionThe AES cipher, operating in CBC mode with a 128 bit key, shall be used for Digital Cinemacontent encryption. See [FIPS-197 “Advanced Encryption Standard (AES)” November 26,2001. FIPS-197] and Section 5.3.2 MXF Track File Encryption, for MXF track file encryptiondetails.The content Rights Owner shall determine which, if any, of the essence types in thecomposition are encrypted for distribution.9.7.3. Subtitle EncryptionThe Subtitle List element shall be encrypted using xmlenc-core. The AES-128 CBCsymmetric cipher shall be used. The cryptographic key shall be identified using a uniqueKeyID value and delivered using the Key Delivery Message (see Section 9.8.).Subtitle encryption is directed primarily against interception during transport, andcryptographic protection within the theater is not required. For example, plaintext subtitlecontent may be transmitted from a server device to a projection unit. It is preferred, but notrequired, that subtitle content be maintained in encrypted form, except during playback.9.7.4. Protection of Content KeysThe RSA Public Key Cipher (with 2048-bit key) shall be used to protect keys for distribution.This is accomplished by the requirements of the Key Delivery Message.DCI Digital Cinema System Specification v.1.2 Page 147
Page 1 and 2:
Digital Cinema Initiatives, LLCDigi
Page 3 and 4:
Table of Contents1. OVERVIEW 151.1.
Page 5 and 6:
5.2.2. Packaging Fundamental Requir
Page 8 and 9:
7.5.5.1. Introduction..............
Page 10 and 11:
9.4.2.5. Screen Management System (
Page 12 and 13:
Table of FiguresFigure 1: System Ov
Page 14 and 15:
THIS PAGE LEFT BLANK INTENTIONALLYD
Page 16 and 17:
equirements for encrypting the esse
Page 18 and 19:
• This document specifies a basel
Page 20 and 21:
DCI Digital Cinema System Specifica
Page 22 and 23:
2.1.1. Major System Concepts2.1.1.1
Page 24 and 25:
2.1.1.8. ReelsFeature films have be
Page 26 and 27:
Metadata within the DCDM provides a
Page 28 and 29:
3.2.1.6. Transfer FunctionThe CIE X
Page 30 and 31:
The information, as shown in Table
Page 32 and 33:
AES Pair#/Ch# Channel # Label / Nam
Page 34 and 35:
3.3.4. File Format3.3.4.1. GeneralT
Page 36 and 37:
3.4.3. Timed Text Concepts and Requ
Page 38 and 39:
Page 40 and 41:
• All decoders shall decode each
Page 42 and 43:
Page 44 and 45:
5.2.2.3. InteroperableThe Packaging
Page 46 and 47:
Figure 6: Example Show PlaylistThe
Page 48 and 49:
Length (Value Length), followed by
Page 50 and 51:
which it was stopped or paused. It
Page 52 and 53:
5.3.4.2. Frame BoundariesThe Audio
Page 54 and 55:
• Rating• Aspect Ratio• Image
Page 56 and 57:
• Annotation Text parameter (opti
Page 58 and 59:
Page 60 and 61:
7.2.3.1. ReliabilityA key part of t
Page 62 and 63:
• Country• Rating• Aspect Rat
Page 64 and 65:
facility, while the system is in op
Page 66 and 67:
Exhibitor and the Distributor, data
Page 68 and 69:
7.5.2.2. Ingest InterfacesExcept fo
Page 70 and 71:
(channels) * hours * 60 min/hour *
Page 72 and 73:
7.5.4.2.4. UnpackagingAny packaged
Page 74 and 75:
7.5.6. Audio System7.5.6.1. Introdu
Page 76 and 77:
made up of Theater System devices a
Page 78 and 79:
DCI Digital Cinema System Specifica
Page 80 and 81:
8.2.2.3. Alternative ContentThe pro
Page 82 and 83:
With the projector turned off or wi
Page 84 and 85:
Image ParametersNominal(Projected I
Page 86 and 87:
Input Code Values Output Chromatici
Page 88 and 89:
8.4. Projector Interfaces8.4.1. Int
Page 90 and 91:
• Lens Shift Up / Down• Lamp Mo
Page 92 and 93:
• Essence Encryption and Cryptogr
Page 94 and 95:
content keys and Trusted Device Lis
Page 96 and 97: Figure 14: Digital Cinema Security
Page 98 and 99: Figure 15 presents the two fundamen
Page 100 and 101: DCI Digital Cinema System Specifica
Page 102 and 103: 9.4.2.3. Media Blocks (MBs)The term
Page 104 and 105: which TLS-based authentication alon
Page 106 and 107: working with the security infrastru
Page 108 and 109: Figure 18: Show Playback Overview9.
Page 110 and 111: a. Playout shall be fully supported
Page 112 and 113: 9.4.5. Intra-Theater Communications
Page 114 and 115: 4. Projector SPB designs shall not
Page 116 and 117: the event, and zero all Critical Se
Page 118 and 119: window) shall be UTC.Security Manag
Page 120 and 121: . The SM shall independently authen
Page 122 and 123: 6. No broadcast RRP commands shall
Page 124 and 125: Functions of the Security Manager (
Page 126 and 127: Note: DCI reserves the right, at so
Page 128 and 129: • Is required to survive camcorde
Page 130 and 131: • Log Data - Security event infor
Page 132 and 133: using the GetEventList and GetEvent
Page 134 and 135: failure) per Section 9.6.1.3 Digita
Page 136 and 137: • Secure Silicon -Sensitive data
Page 138 and 139: secure silicon chip, input/output s
Page 140 and 141: FIPS 140-2 level 3 devices provide
Page 142 and 143: to the appropriate Section 9.4.5.2.
Page 144 and 145: those under the control of the Secu
Page 148 and 149: The above RSA asymmetric protection
Page 150 and 151: THIS PAGE LEFT BLANK INTENTIONALLYD
Page 152 and 153: CPRL Acronym for Component Position
Page 154 and 155: LTCMain TitlesMBMDMEMetadataMTBFMXF
Page 156: TDLTimed TextTLMTLSTMSTrack FileUDP
show all

DCI Specs - Digital Cinema Initiatives

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?