Following the assessment of problems that accompany the changes NIST introduced to FIPS 140-2, the core security standard with which the DCI Specification requires compliance, is like watching a ping-pong game. At last review, we noted that DCI’s security consultant, Tony Wechselberger, introduced no fewer than five redlined documents to SMPTE that would need to be changed to comply with an algorithm change for digital signatures. The nightmare of how to maintain backwards compatibility was on many minds.
Further research was conducted with NIST security experts to ascertain whether all five documents are truly impacted. As a result, Tony reports good news. In a recent report to the SMPTE Study Group for FIPS Revisions, Tony indicates that only one of the five documents previously flagged must be revised. The affected document is SMPTE ST0429-6 MXF Track File Essence Encryption. It is the standard that specifies how government-quality AES encryption is applied to digital cinema content. The impacted feature of this document is an optional one, called the Message Integrity Code, or MIC. It provides an additional guarantee of content integrity to the encryption process. To comply with the new NIST rules, the MIC algorithm used, and the manner in which the MIC algorithm is applied, must change.
It has been proposed that both the current MIC algorithm and the new MIC algorithm be included in the standard to ensure backwards compatibility. Inclusion of both should have no impact on FIPS 140-2 compliance. If this is true, then DCI is truly blessed. It will have squeaked by the government-imposed upgrade to FIPS 140-2 without causing an onerous change to new equipment and without creating backwards compatibility problems.
The degree of attention paid over the past two years to the changes introduced by NIST has been intense. It is interesting how industry executives have brushed it off as a non-event, which causes one to wonder whether it’s understood just how brittle the requirement for FIPS compliance is. Perhaps they simply don’t care.