Digital Cinema Security Poses New Challenges
by Michael Karagosian
©2005 Karagosian MacCalla Partners, all rights reserved worldwide
Published in the February 2005 issue of INS Asia Magazine
While digital cinema poses considerable technical challenges, perhaps its most challenging aspects are the areas of technology that affect business. This report takes a deeper look at the deployment of security systems in this business-to-business environment. As we will see, these issues are not trivial, and have a significant impact on the manner of doing business.
First, a quick review of security from a system level perspective inside the projection booth. In an earlier article, I introduced the model below to describe system level interoperability for the Presentation system.
Of the three major interfaces to the Presentation system, only Delivery systems, and to some extent, Back Office systems, exist in the cinema today. Delivery systems exist in the form of film-based delivery. While Back Office systems may not directly interface with film projectors, they exist to support the Point-of-Sale systems used for selling tickets. Since these systems are already in use, both technology-wise and business-wise, they provide a starting point for digital cinema systems to model and improve upon.
This isn't the case, however, for Security systems. Security systems are not integrated into cinema systems today, in either a technical sense or a business sense. Since there are no existing systems to model from, the operations and business methods required to support digital cinema security must be developed from the ground up.
Another point to consider: it is not acceptable to widely deploy digital cinema without adequate security in place. This makes it difficult, if not impossible, to deploy digital security one level at a time, working out the bugs along the way. We need digital cinema security right away.
For these reasons, digital cinema security poses a challenge for all parties involved, including content owners, exhibitors, manufacturers, and service providers. To better understand the issues, I'll continue with a quick review of the basic principles of electronic security.
Electronic Security
Electronic security is the art of shifting trust from something difficult to protect to something easier to protect. For example, we encrypt a file to protect it from unauthorized access. In doing so, we have shifted the problem of protecting the file to that of protecting the decryption key. The reason for doing so is that, presumably, the decryption key is easier to protect and process.
In digital cinema, an extra twist is needed. Digital movie files are quite large, up to 100GB, but need to be targeted for playback in specific venues. In other words, we want the movie to play in Ho's Theatre, and not in Joyce's Cinema, which happens to be located down the road. The movie file size is too large to efficiently encrypt in a targeted manner per location. For this reason, the file is encrypted once, and sent to all locations licensed to play it. The burden of security for the encrypted files rests upon protecting the key. Since we also want the key to be used only in targeted locations, and since the key is tiny in size compared to the movie files, it is more practical to encrypt the key per location.
Electronic security also requires an authentication process. When writing a check, or using a credit card, you may be asked to provide proof of who you say you are, usually accomplished by presenting government-issued identification. In electronic security, receiving equipment also needs to identify itself in a trusted manner to sending equipment. This is accomplished by means of the digital certificate, which is another tool for shifting the issue of trust from one entity to another. The digital certificate is embedded in the device, and registered with a Certificate Authority. (For more information on Certificate Authorities, view "Third Party Certificate Authorities" in the Google Directory.) Ultimately, the Certificate Authority is the root of trust, from which one can determine if the equipment in question is identifying itself correctly, or not.
The digital certificate, by its nature, has both a public key and a private key. The private key is known to no one but the certificate itself. If properly designed, the certificate keeps its private key secret from prying eyes. The public key is registered with a Certificate Authority as belonging to the device that contains the certificate. Thus, to encrypt information for a device, one reads its certificate, authenticates the device by means of the Certificate Authority, and in doing so learns the public key of the device. Using the public key, one can encrypt the information to be sent such that it can only be decoded using the private key of the device (which no one but the device itself knows). This type of encryption is called PKI, for Public Key Infrastructure.
These two tools, the targeted security key, and the security certificate, are the means by which trust is managed electronically. However, other important processes are also needed to deploy these tools in a useful and acceptable manner in the business environment. These other processes will be custom to digital cinema, and are of significant importance. To illustrate, I'll offer a simple example of how security keys could be implemented in digital cinema, starting with a manufacturer of digital cinema servers.
Implementation
A new server comes off the production line. It has been fully commissioned and tested, which, from a security perspective, means that the internal digital certificate has been installed. From a trust perspective, the installed digital certificate can be traced back to a trusted root certificate of the manufacturer.
This particular server is to be delivered to Joe's Cinema. Joe's Cinema receives the server, and installs it. In order to put its new digital cinema server to work, Joe's Cinema books a digital movie from a motion picture distributor. They're able to give the motion picture distributor enough information so that the distributor learns the public key of the server. As we get close to the actual show date, based on the information available at the time of booking, the distributor encrypts the movie key in a manner targeted for Joe's Cinema, and delivers it.
In the business-to-business environment of the cinema, booking a movie often means making the deal 6 months or more in advance of the show. As it turns out, as opening night for the movie arrives, Joe's Cinema no longer has the particular server that it originally bought, as the server was found to have a problem, and the manufacturer replaced it with a new one. The new server has a different public and private key in its digital certificate. Thus, the encrypted key sent by the distributor, based on the information at the time of booking, will no longer work in Joe's Cinema. We have a problem.
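The key-per-location scheme described under Electronic Security, and the replaced-server failure above, as an added example (not code from the article or from any digital cinema product). It assumes Node.js's built-in crypto module, with AES-256-GCM and RSA-OAEP as stand-in algorithms; the server objects and function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for the key pair embedded in a server at manufacture.
function makeServer(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { name, publicKey, privateKey };
}

// Distributor: encrypt the (large) movie exactly once with a random content key.
function encryptMovie(plaintext) {
  const contentKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', contentKey, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { contentKey, pkg: { iv, body, tag: cipher.getAuthTag() } };
}

// Distributor: wrap the small content key for one licensed server's public key.
function wrapKeyFor(publicKey, contentKey) {
  return crypto.publicEncrypt({ key: publicKey, oaepHash: 'sha256' }, contentKey);
}

// Server: unwrap with its own private key, then decrypt the shared package.
// Returns null when the wrapped key was targeted at a different server.
function play(server, wrappedKey, pkg) {
  try {
    const key = crypto.privateDecrypt({ key: server.privateKey, oaepHash: 'sha256' }, wrappedKey);
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, pkg.iv);
    decipher.setAuthTag(pkg.tag);
    return Buffer.concat([decipher.update(pkg.body), decipher.final()]).toString();
  } catch (err) {
    return null;
  }
}

function demo() {
  const joes = makeServer("Joe's Cinema (server known at booking)");
  const joyces = makeServer("Joyce's Cinema");
  const replacement = makeServer("Joe's Cinema (replacement server)");
  const { contentKey, pkg } = encryptMovie(Buffer.from('constructed movie essence'));
  const keyForJoes = wrapKeyFor(joes.publicKey, contentKey); // prepared from booking data
  return {
    licensed: play(joes, keyForJoes, pkg),
    neighbour: play(joyces, keyForJoes, pkg),
    replaced: play(replacement, keyForJoes, pkg),
    reissued: play(replacement, wrapKeyFor(replacement.publicKey, contentKey), pkg),
  };
}
```

Every site receives the same encrypted package; only the wrapped key differs per server, which is why a replacement server needs a newly wrapped key but not a new copy of the movie.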
One way of preventing this problem is for Joe's Cinema to send an updated list of digital certificates to the distributor prior to the sending of security keys. But Joe's Cinema also does business with 10 other distributors. So to keep them all up to date, Joe's Cinema needs to send each distributor an updated certificate list. So far, this sounds fairly straightforward. But this solution doesn't scale nicely. If Joe's Cinema expands, and grows to 30 locations, it now needs to send a certificate list for each of its 30 locations to each of the 11 distributors it does business with, totaling 330 transactions. Further, Joe's Cinema must do this on a regular basis. This solution isn't very elegant for the distributor, either. In the US alone, a distributor could receive updated certificate lists, on a regular basis, from 700 cinema owners managing some 6000 locations. If each site sent out weekly updates, each distributor would handle 6000 transactions a week.
Managing these lists requires substantial effort. But even this effort doesn't solve the situation where a faulty server has to be replaced, say, on a Saturday evening, in the midst of an engagement. To get a new server up and running without losing several shows will require the distributor to send a new security key in a very timely manner.
The problem becomes more complex when considering other issues imposed by the security system. Digital certificates are only valid for a given time period. What happens to a valuable asset, such as a US$100,000 digital cinema projector, when the certificate expires? Security generally requires a closed loop system in which not only can certificates be issued, but they can also be revoked. What happens to an expensive asset when its certificate is revoked? Equally important, who determines that the certificate can be revoked?
Solutions to the key distribution problem have been put forth, some proposing to centralize the distribution of security keys. Presumably, the same entity that centralizes security key distribution would also determine the revocation status of equipment. This would require the entity to be neutral to all parties in the cinema industry - no small feat. Centralizing security key management would certainly simplify the data management issues for distributors, but it doesn't solve the complexity of data management for exhibitors. Many exhibitors would like to centralize the management of their certificate lists within their own organization. They would track the movement and replacement of equipment in a centralized list that they manage, and then make their list available on a regular basis to the distributors of security keys. However, at the time of this writing, no process or method has been agreed to by the parties involved.
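One way an exhibitor's certificate list could be checked against booked key deliveries before keys go out, as an added example and not an agreed industry process. The record fields, thumbprint values, dates and the revocation set are all constructed for illustration.

```javascript
// Distributor's records made at booking time (constructed data).
const bookings = [
  { site: "Joe's Cinema #1", thumbprint: 'tp-A1', closes: '2005-06-30' },
  { site: "Joe's Cinema #2", thumbprint: 'tp-B7', closes: '2005-06-30' },
  { site: "Joe's Cinema #3", thumbprint: 'tp-C4', closes: '2005-06-30' },
  { site: "Joe's Cinema #4", thumbprint: 'tp-D9', closes: '2005-06-30' },
];

// Exhibitor's centrally managed list, sent shortly before key delivery.
const equipmentList = {
  "Joe's Cinema #1": { thumbprint: 'tp-A1', notAfter: '2006-01-01' },
  "Joe's Cinema #2": { thumbprint: 'tp-E2', notAfter: '2006-01-01' }, // server swapped
  "Joe's Cinema #3": { thumbprint: 'tp-C4', notAfter: '2005-06-15' }, // expires mid-run
  "Joe's Cinema #4": { thumbprint: 'tp-D9', notAfter: '2006-01-01' },
};

// Assumed input: thumbprints revoked by whichever party holds that authority.
const revoked = new Set(['tp-D9']);

// Decide, per booking, whether the key prepared at booking time can still be
// delivered, must be rewrapped for a different server, or must be held.
function auditDeliveries(booked, list, revokedSet) {
  return booked.map((b) => {
    const current = list[b.site];
    const issues = [];
    if (!current) {
      issues.push('not-listed');
    } else {
      if (current.thumbprint !== b.thumbprint) issues.push('server-replaced');
      if (revokedSet.has(current.thumbprint)) issues.push('revoked');
      // ISO dates compare correctly as strings.
      if (current.notAfter < b.closes) issues.push('expires-during-run');
    }
    let action = 'hold';
    if (issues.length === 0) action = 'deliver';
    else if (issues.length === 1 && issues[0] === 'server-replaced') action = 'rewrap';
    return { site: b.site, target: current ? current.thumbprint : null, issues, action };
  });
}
```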
As can be seen, implementing a security key distribution system poses challenges that do not exist with film technology. These issues will eventually be solved, removing what could be the final technology barrier to the widespread deployment of digital cinema.