• Skip to main content
  • Skip to secondary menu
  • Skip to primary sidebar
  • Skip to footer

mkpeReport

top analysis covering digital cinema, 3-D, HFR, and laser illumination

  • Reports
  • About
  • mkpe.com
  • cinepedia.com

DCI Sidesteps Problems With NIST

June 2011 by Michael Karagosian

In January 2010, NIST published changes to the FIPS 140-2 Security Requirements for Crytographic Modules upon which the DCI specification relies for its core security specification. Comments were requested from all affected industries, and upon evaluation of the numerous responses, including that of DCI, NIST revised its changes as follows:

  1. The SHA-1 hash algorithm will be limited in its use after 2013.
  2. The method described in ANSI 9.31 cannot be used as a random number generator for generating content keys after 2015. This method is specified by DCI for use in generating the symmetrical key for content encryption.
  3. The key pair used for a digital signature cannot be used for other purposes in new media block designs beginning in 2011. At the time, DCI required the re-use of the media block key pair for AES key encryption in the KDM, for establishing TLS sessions, as well as for signing security logs.

Item 1, which requires the disuse of the SHA-1 hash algorithm, is only limited to its disuse in digital signatures. Fortunately, SMPTE standards call for use of the SHA-256 algorithm in digital signatures. SHA-1 is specified in SMPTE standards for use in other digital cinema applications, but per NIST Special Publication 800-131A, released in January 2011, titled “Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths,” all uses of the SHA-1 algorithm in digital cinema are allowed.

Item 2 does not impose a difficult problem. DCI has until 2015 to enforce it, and the revision only affects how mastering systems generate symmetrical keys, and not how projection systems are designed.

Most worrisome was item 3, with an implementation date of 2011. The change had the potential to affect how the KDM was generated, which in turn would impact how all servers in the field interpreted the KDM. No one expressed more panic than your author that DCI had allowed itself to be sucked into some ugly muck at a time when the digital cinema rollout was getting into high gear.

Thanks to a clever suggestion by Bill Elswick of Entertainment Technology Associates (and former CTO of Avica Technology), DCI managed to sidestep disaster. The trick was to accommodate NIST’s requirement for two certificates in new media block designs, while not impacting the manner in which KDMs are generated. Bill’s suggestion was to record the thumbprints of the required pair of media block certificates in the security log. KDMs continue to be unlocked by the primary Security Manager Certificate, called SM Cert, while the new Log Signer Certificate, called LS Cert, performs the duties of signing logs and TLS sessions. DCI specified the technique in its latest “errata.” The arrangement is illustrated in the figure below.

dual-cert-media-block-sm

For now, DCI will squeak by the recent changes of NIST to its 140-2 specification. NIST has yet to announce its long anticipated transition plans to the newer FIPS 140-3 specification. But this transition is not expected to create new ripples.

However, NIST security specifications are guaranteed to again change, as older security algorithms become more fragile in the face of ever-increasing computational power. Eventually, there will be changes that promise to upset digital cinema systems everywhere. But by then, the current wave of senior executives in the industry will have retired. The problem will be left with young upstarts looking forward to promising careers. Hopefully, they’ll handle the mess they inherit by matching the cleverness and sheer luck of their predecessors.

Filed Under: Servers and IMBs, Trade Organizations and Shows

Primary Sidebar

Search

Topics

  • 3-D
  • Accessibility
  • Alt Content & Advertising
  • Anti-Piracy
  • Color
  • Communications
  • Deployment Entities
  • Distributors
  • Exhibitors
  • Fulfillment
  • High Dynamic Range
  • Higher Frame Rates
  • Installations
  • Patents
  • Projectors
  • Servers and IMBs
  • Sound
  • Technical Bodies
  • Theatre Management Systems
  • Trade Organizations and Shows

Full Archives

a publication of
MKPE Consulting LLC

Footer

Important Stuff

  • About
  • Privacy Policy

Archives

  • Category & Monthly Archives
Archives date back to 2008.

MKPE

mkpeReport is a publication of MKPE, a world-class consultancy building business at the crossroads of cinema and technology.
Learn more about MKPE.

copyright © 2008 - 2023 mkpe consulting llc

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of all cookies.
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT
Powered by CookieYes Logo