@zhongdao 2020-10-12T13:50:55.000000Z Word count 4404 Views 4017

DCP packaging and KDM encryption

DCP KDM encryption xml


Preparation

Install XMLSpy, which makes it easier to inspect XML files.
Install DCP-o-matic, a currently popular tool for DCP packaging and KDM encryption; its website describes it as "Free, open-source DCP creation from almost anything".

Introduction

DCP, Digital Cinema Package
KDM, Key Delivery Message

A Digital Cinema Package (DCP) contains high quality audio-visual files in the Material Exchange Format (MXF). The preferred format for picture is SMPTE (JPEG 2000). Audio is usually supplied as a 24-bit linear PCM multichannel WAV file. Encryption with 128-bit AES-CBC is optional.

When the Digital Cinema Package is encrypted the ability to playback files is controlled by a separate Key Delivery Message (KDM). The KDM is in XML format and contains the decryption keys for a specific projector or device including the period of validity. This ensures that the media cannot be used at another location or outside the agreed performance dates.

Software used for DCP and KDM creation includes: AutoDCP, CineAsset, Cinemaslides, CuteDCP, DCP-o-matic, Dolby SCC2000, DVS Clipster, easyDCP Creator, OpenDCP, and QubeMaster.

These are the audio/video file standards of the film industry.
The Digital Cinema Package (DCP) and the Key Delivery Message (KDM) are used, respectively, for the picture/audio/subtitle files and for distributing the encryption keys.
The KDM is also defined as follows:
DRM for Cinema, Key generated between a DCP and a MB (Media Block = projection system), Contains business information, like time window for showing the content.

MXF files store the converted standard video and audio files.
AES encryption is applied to all MXF files. The key is generated through the KDM and delivered to the projector. A KDM is an XML file that can only be opened by the target device. Each KDM is tied to a playlist and specifies the correct start and end time for projection.

Architecture

image_1c0nfvejs1q9idd494v12s211ve20.png-106.9kB

image_1c0nftsaq9mtd7i1tlcmn5dlh1j.png-176.5kB

image_1c0nf6uob1k407k3rgl4rb1e23m.png-71.2kB

image_1c0nf5b2dvj9dm8n5n1rtjk6p9.png-84.2kB

image_1c0nk28j41sj41qqv19fe1pri4og5k.png-213.3kB

DCP playback process
image_1c0ngjkhrqads661dgc181e16ep2d.png-63.1kB

File name explanation
image_1c0nhu2ju1tci1of01m1s1liq1sh857.png-217.9kB

DCP packaging

KDM encryption

A KDM is based on the D-Cinema generic Extra-Theater Message (ETM) format. Using the standardized XML Encryption and XML Signature portions, it represents the content keys and the TDL information in XML. KDM messages use X.509 digital certificates to provide authentication and trust.

A KDM includes three basic types of information:

namely

The basic KDM information flow is shown in the figure below:
image_1c0ngm48m2k41noh1i4vcgu1t0l2q.png-70kB

The relationship between the CPL and KDM structures is shown in the figure below:
image_1c129udrbocb8711gc3hu3n8713.png-47.5kB

See SMPTE 430-1 and SMPTE 430-3.

Authenticated and Private (Encrypted) Information

Explanation of the authenticated and encrypted information in a KDM file
This segment of the ETM shall be digitally signed, and trust in the signature can be verified using the certificate chain in the Signature portion. This portion is encrypted before being transmitted. The word “private” that appears in the XML label for this segment means that only a specified set of recipients is able to decrypt and view this information.
The formal XML definition is given in Annex C. Figure 3 is an informative illustration of the appropriate code section from that annex.
Anyone can verify the signature on the ETM and validate the certificate chain to decide whether the message has been modified and whether it was created by a trusted entity. However, only an entity that knows the private key of one of the recipients can decrypt this portion of the message.
This segment contains zero or more EncryptedKey fields and at most one EncryptedData field. The EncryptedKey field defines data (that includes an AES key) that is encrypted by the RSA algorithm and the Encrypted Data field defines data (if any) encrypted by the AES algorithm. It is a standard cryptographic security practice to use two encryption algorithms (RSA and AES) to get the key management benefit of using RSA and the performance benefits of using AES.

image_1c11omvocp46m7d7ru54rha3m.png-89.1kB

Anyone can verify and validate the KDM's certificate chain to confirm whether the message was modified and whether it was created by a trusted entity; however, only the recipient holding the private key can decrypt the message.
For a KDM, the EncryptedData part of the XML can be ignored; each EncryptedKey element carries one content key and its associated information. A KDM file has only one recipient.

The EncryptedKey element in a KDM is described in detail as follows:
It contains the KeyInfo, CipherData and EncryptedData fields.
See the SMPTE 430-1 standard, section 6.1, EncryptedKey.
The CipherData field is made up of fixed-length plaintext fields concatenated one after another in the following format; see the table below:
image_1c11mj3f01s8uqlfko15ptes9.png-62.8kB
The first field is the Structure ID, a fixed 16-byte (128-bit) identifier. The second is the binary representation of the hash (thumbprint) of the certificate and public key; the third is the binary representation of the CPL's UUID; the fourth is KeyType, a 4-byte byte string; the fifth is KeyID, the UUID in binary form; the sixth is the start time; the seventh is the end time; and the eighth is the content key.
The lengths of the eight fields together add up to 138 bytes.
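To make the eight-field layout concrete, here is an added example (my code, not from the page, DCP-o-matic or SMPTE) that packs and parses the 138-byte plaintext block a KDM generator would RSA-encrypt into CipherValue, and then applies the checks a media block performs before releasing the content key: the block names the CPL being played and the expected signer, and the show time lies inside the validity window. The page gives only the total (138) and the 16-byte Structure ID, 4-byte KeyType and 16-byte UUID sizes; the 20-byte SHA-1 thumbprint and 25-byte ISO 8601 timestamps are the sizes I recall from SMPTE 430-1, the Structure ID constant is a placeholder, and the KeyType strings and all sample values are constructed.

```python
"""Pack/parse the 138-byte CipherData plaintext of a KDM EncryptedKey (SMPTE 430-1 section 6.1)."""
import base64
import hashlib
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Field layout: 16 + 20 + 16 + 4 + 16 + 25 + 25 + 16 = 138 bytes.
# Sizes of the thumbprint (SHA-1) and timestamps (ISO 8601 with offset) are an
# assumption of this example taken from the standard, not stated on the page.
BLOCK_FMT = ">16s20s16s4s16s25s25s16s"
BLOCK_LEN = struct.calcsize(BLOCK_FMT)  # 138

# Placeholder for the fixed 128-bit Structure ID; the real constant is defined in SMPTE 430-1.
STRUCTURE_ID = b"\x00" * 16

# KeyType values for picture, audio and subtitle essence (assumed from SMPTE KDM practice).
KEY_TYPES = {b"MDIK": "picture", b"MDAK": "audio", b"MDSK": "subtitle"}

TS_LEN = 25  # "YYYY-MM-DDThh:mm:ss+hh:mm"


def _fmt_time(t: datetime) -> bytes:
    """Render an aware datetime as the fixed 25-byte timestamp used in the block."""
    s = t.astimezone(timezone.utc).isoformat(timespec="seconds").encode("ascii")
    if len(s) != TS_LEN:
        raise ValueError("timestamp must be 25 bytes: %r" % s)
    return s


def pack_block(signer_thumbprint, cpl_id, key_type, key_id, not_before, not_after, content_key):
    """Build the plaintext that the KDM generator encrypts for the single recipient."""
    if key_type not in KEY_TYPES:
        raise ValueError("unknown KeyType %r" % key_type)
    if len(content_key) != 16:
        raise ValueError("content key must be a 128-bit AES key")
    if len(signer_thumbprint) != 20:
        raise ValueError("thumbprint must be a 20-byte SHA-1 digest")
    if not_after <= not_before:
        raise ValueError("validity window is empty")
    return struct.pack(BLOCK_FMT, STRUCTURE_ID, signer_thumbprint, cpl_id.bytes,
                       key_type, key_id.bytes, _fmt_time(not_before),
                       _fmt_time(not_after), content_key)


def parse_block(block: bytes) -> dict:
    """Split a decrypted block into its eight fields, rejecting malformed input."""
    if len(block) != BLOCK_LEN:
        raise ValueError("expected %d bytes, got %d" % (BLOCK_LEN, len(block)))
    sid, thumb, cpl, ktype, kid, nvb, nva, key = struct.unpack(BLOCK_FMT, block)
    if sid != STRUCTURE_ID:
        raise ValueError("Structure ID mismatch")
    if ktype not in KEY_TYPES:
        raise ValueError("unknown KeyType %r" % ktype)
    nb = datetime.fromisoformat(nvb.decode("ascii"))
    na = datetime.fromisoformat(nva.decode("ascii"))
    if na <= nb:
        raise ValueError("NotValidAfter is not after NotValidBefore")
    return {"signer_thumbprint": thumb, "cpl_id": uuid.UUID(bytes=cpl),
            "key_type": KEY_TYPES[ktype], "key_id": uuid.UUID(bytes=kid),
            "not_before": nb, "not_after": na, "content_key": key}


def key_usable(fields: dict, cpl_id, signer_thumbprint, now: datetime) -> bool:
    """Media-block side: release the key only for the named CPL, the expected
    signer, and a show time inside the agreed window."""
    return (fields["cpl_id"] == cpl_id
            and fields["signer_thumbprint"] == signer_thumbprint
            and fields["not_before"] <= now < fields["not_after"])


# Constructed sample values for a stand-alone run (not real certificate or key data).
SAMPLE_THUMB = hashlib.sha1(b"constructed signer certificate DER").digest()
SAMPLE_CPL = uuid.UUID("11111111-2222-4333-8444-555555555555")
SAMPLE_KEY_ID = uuid.UUID("66666666-7777-4888-9999-aaaaaaaaaaaa")
SAMPLE_KEY = bytes(range(16))
SAMPLE_START = datetime(2020, 10, 12, 13, 50, 55, tzinfo=timezone.utc)
SAMPLE_END = SAMPLE_START + timedelta(days=14)


def demo() -> tuple:
    """Round-trip the sample block and evaluate it inside and at the end of the window."""
    block = pack_block(SAMPLE_THUMB, SAMPLE_CPL, b"MDIK", SAMPLE_KEY_ID,
                       SAMPLE_START, SAMPLE_END, SAMPLE_KEY)
    fields = parse_block(block)
    in_window = key_usable(fields, SAMPLE_CPL, SAMPLE_THUMB, SAMPLE_START + timedelta(days=1))
    after_window = key_usable(fields, SAMPLE_CPL, SAMPLE_THUMB, SAMPLE_END)
    return block, fields, in_window, after_window


if __name__ == "__main__":
    block, fields, in_window, after_window = demo()
    print(len(block), "bytes; base64 =", base64.b64encode(block).decode())
    print(fields["key_type"], fields["key_id"], fields["not_before"], "->", fields["not_after"])
    print("usable inside window:", in_window, "| at end of window:", after_window)
```

In a real KDM this plaintext never appears in the clear: the generator RSA-encrypts it to the recipient's certificate and only the base64 of the ciphertext is placed in CipherValue, so a defender inspecting a KDM file can check the signature, the recipient and the XML structure but not these fields.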

image_1c14aovmf11jv17er8c81gut1pks20.png-93.7kB
Content after encryption
image_1c14aqnkt1dcr1eu01973pcukdf2d.png-89.3kB

Specific steps

GUI

CMD

Related

The hash value is the Base64 encoding of the SHA-1 digest. It can be computed with the following command:
openssl sha1 -binary "FILE_NAME" | openssl base64
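The same digest computed in Python, as an added example (not code from the page or from DCP-o-matic): it streams the asset through SHA-1, Base64-encodes the raw digest exactly as the openssl pipeline above does, and compares the result in constant time with the hash recorded for that asset in the package. The sample inputs are constructed; the empty-input digest is the well-known SHA-1 test vector.

```python
"""Base64(SHA-1) asset digests, equivalent to: openssl sha1 -binary FILE | openssl base64"""
import base64
import hashlib
import hmac
import io


def asset_hash_b64(stream) -> str:
    """Stream the asset in 1 MiB chunks so multi-gigabyte MXF files do not load into memory."""
    h = hashlib.sha1()
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        h.update(chunk)
    return base64.b64encode(h.digest()).decode("ascii")


def verify_asset(stream, expected_b64: str) -> bool:
    """Compare the computed digest with the recorded hash without early exit on mismatch."""
    return hmac.compare_digest(asset_hash_b64(stream), expected_b64)


# Constructed sample: an empty asset (known SHA-1 vector) and a tampered copy.
EMPTY_ASSET = b""
EMPTY_ASSET_HASH = "2jmj7l5rSw0yVb/vlWAYkK/YBwk="
TAMPERED_ASSET = b"one extra byte"


def demo() -> tuple:
    """Return (digest of the empty asset, verification of intact and tampered copies)."""
    digest = asset_hash_b64(io.BytesIO(EMPTY_ASSET))
    intact_ok = verify_asset(io.BytesIO(EMPTY_ASSET), EMPTY_ASSET_HASH)
    tampered_ok = verify_asset(io.BytesIO(TAMPERED_ASSET), EMPTY_ASSET_HASH)
    return digest, intact_ok, tampered_ok


if __name__ == "__main__":
    digest, intact_ok, tampered_ok = demo()
    print("digest:", digest)
    print("intact asset verifies:", intact_ok, "| tampered asset verifies:", tampered_ok)
```

A mismatch here means the MXF on disk is not the one the package was built from, so the check belongs in ingest and QC workflows before a KDM is ever issued for the content.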

Reference links

Inter-Society Digital Cinema Forum (ISDCF)
http://isdcf.com/ISDCF/index.html

SMPTE Documents needed for SMPTE-DCP packages:
https://cinepedia.com/references/

DRAFT ISDCF Doc5 - Guideline for SMPTE KDMs and Certificates Behaviors
http://isdcf.com/papers/ISDCF-Doc5-kdm-certs.pdf

DCP-o-matic
http://dcpomatic.com/

How to package a DCP?
https://www.zhihu.com/question/43605387?sort=created

Digital Cinema Mastering 101
https://www.slideshare.net/sundanceinstitute/graef-allen-dolby-dcp-presentation-deck-20130423
Digital cinema
https://www.slideshare.net/AnoopKAnand/digital-cinema-43413954

Development of Digital Cinema Delivery System on the NGN
https://www.ntt-review.jp/archive/ntttechnical.php?contents=ntr201005le1.html

Trusted Device List & Workflow
https://cinepedia.com/security/trusted-device-list/

Technology FAQs
https://cinepedia.com/faqs/technology-faqs/

D-cinema Digital Cinema System : Presentation, analysis, and open source perspectives RMLL 2010
http://slideplayer.com/slide/11347368/

In SSL, what are the file extensions for public keys, private keys and certificates?
https://www.zhihu.com/question/29620953
