• Skip to main content
  • Skip to secondary menu
  • Skip to primary sidebar
  • Skip to footer

mkpeReport

top analysis covering digital cinema, 3-D, HFR, and laser illumination

  • Reports
  • About
  • mkpe.com
  • cinepedia.com

DCI Proposes a Solution for its NIST Problem

October 2010 by Michael Karagosian

The problem posed by NIST is discussed at great length in earlier reports. (A search on this site for NIST will reveal them.) As much as DCI-imposed compliance to frequently-changing NIST standards poses a problem, DCI itself has caused angst by remaining silent about what it intends to do about it.

That intent came through loud and clear this month. A hint was dropped in this month’s ISDCF meeting that some members of DCI did not find it desirable to unhinge the DCI specification from NIST/FIPS-compliance. Later in the month, DCI’s long-time security consultant, Tony Wechselberger, posted a one-page document concerning the dual security certificate problem in the SMPTE 21DC Study Group for FIPS Revisions. The group has only 22 members from the digital cinema community, and the document is not posted on the DCI web site.

DCI’s proposal is to require two digital certificates in newly-designed media blocks. But rather than track these certificates individually, DCI proposes to only track the primary certificate used for the encryption of the KDM. The secondary certificate is needed, per the new NIST rule, to separately conduct secure communication with the projector and to sign security logs. These secondary tasks are currently handled by the primary certificate in existing media block designs. To track the secondary certificate, DCI proposes that a reference to the secondary certificate be placed within the primary certificate. The method for doing so is the subject of debate, but all of the methods proposed can work. The diagram below illustrates the concept.

Dual Certificate Media Block Concept
Dual Certificate Media Block Concept

The solution proposed by DCI is clever. It is backwards compatible, as it only requires security key management entities to collect one certificate for the encryption of the KDM, as is done today. It ties the signature in the security log to the KDM-related certificate, so that such signatures can be associated with the known primary key of the media block. It does require more work to learn and track this association, but it is doable.

There is one more issue posed by NIST that SMPTE must address, and that is the disuse of the SHA-1 hash algorithm for digital signatures in SMPTE/DCI-compliant security logs, in favor of SHA-256. SHA-1 message digests are called for in SMPTE 430-4 Log Record Format and SMPTE 430-5 Log Event Class and Constraints. The extent to which changes are required in the specifications remains to be seen. If the transition period for dual-certificate media blocks is substantially far away (much later than 1 January 2011), it is likely that both transitions will be timed together.

It’s not clear, however, that these steps are all that are needed. German media block manufacturer Mikrom was posed a difficult problem by the NIST-accredited consultancy guiding their product design for FIPS 140-2 compliance. The consultancy claims that the changes imposed in FIPS 140-2 Annex A require further changes than those that DCI claims that could impact backwards compatibility. DCI, of course, is operating under the guidance of a US-based NIST-accredited consultant. The winner in this debate has yet to be decided.

Assuming no complications, DCI has taken steps that will allow it to continue to require NIST/FIPS compliance without posing major impacts on workflow. That’s the good news. The bad news is that DCI is getting away without addressing how security changes are managed in the future.

Filed Under: Trade Organizations and Shows Tagged With: DCI, NIST, Security

Primary Sidebar

Search

Topics

  • 3-D
  • Accessibility
  • Alt Content & Advertising
  • Anti-Piracy
  • Color
  • Communications
  • Deployment Entities
  • Distributors
  • Exhibitors
  • Fulfillment
  • High Dynamic Range
  • Higher Frame Rates
  • Installations
  • Patents
  • Projectors
  • Servers and IMBs
  • Sound
  • Technical Bodies
  • Theatre Management Systems
  • Trade Organizations and Shows

Full Archives

a publication of
MKPE Consulting LLC

Footer

Important Stuff

  • About
  • Privacy Policy

Archives

  • Category & Monthly Archives
Archives date back to 2008.

MKPE

mkpeReport is a publication of MKPE, a world-class consultancy building business at the crossroads of cinema and technology.
Learn more about MKPE.

copyright © 2008 - 2023 mkpe consulting llc

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of all cookies.
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT
Powered by CookieYes Logo