Who Do You Trust?
by Michael Karagosian
©2010 MKPE Consulting LLC All rights reserved worldwide
originally published in the 15 January 2010 issue of Digital Cinema Report
Who do you trust is the most fundamental issue of security. Digital cinema was originally devised so that studios could conduct business with exhibitors without concern for theft of content in its pristine, digital form. As the number of digital cinema installations grows, the management of security keys becomes increasingly difficult to perform and the entities that supply security keys struggle to keep up with new installations.
The topic of security key management has been a point of significant discussion within ISDCF (Inter-Society Digital Cinema Forum). But the most important discussion, that of understanding how trust works in digital cinema, has been elusive. The purpose of this article is to provide a clear understanding of how trust is managed in digital cinema. With that knowledge comes an understanding of how digital cinema should evolve to address security key management.
When discussing trust, it's useful to understand the concept of the "trusted device list," or TDL. Depending on whom one talks to, the TDL can have more than one purpose. To some, it's the collection of credentials from equipment installed in the field. This information is needed to create security keys that allow movies to play. To others, it is the list that tells a studio which digital cinema devices are naughty, and which are nice. The second definition creates unrest. It's the kind of thing that spells g-a-t-e-k-e-e-p-e-r, and gets politicians excited.
There are a few things everyone should know about TDLs. The first is that such lists do not exist in a centralized, one-list-says-it-all form. If such a list did exist, who would you trust to put it together?
Trust is the most fundamental concept in security. Content owners want to trust that their content is played on valid, secure equipment. To do so, the security credentials of equipment in the field must be learned and kept up-to-date to enable the creation of the right Key Delivery Messages. Security keys for playing a movie are encrypted and contained in a KDM. Content owners also need to check the validity of the devices for which KDMs are to be made. Content owners need to trust that the equipment credentials they possess are for real equipment, and not hacked devices designed to steal the movie. They hire companies to keep equipment credentials private and to digitally package movies and to create and assemble KDMs.
There are many KDM creators, each maintaining their own TDLs. The dominant players in the KDM creator space are Deluxe and Technicolor. But there isn't a single, master TDL somewhere. Instead, there are many TDLs, privately owned and maintained.
The second thing one should know is that, just as there isn't a master trusted device list, revocation lists also do not exist.
If a revocation list were to exist, it would contain the credentials of devices that are not trusted. This is where the concern about gatekeepers is legitimate. The difficulty with revocation lists is that security keys in digital cinema enable the operation of a business. If a KDM were cancelled or withheld because of a revocation list, the screen would go dark and revenue would be lost. Compare this scenario to the original purpose of the revocation list, which is to ensure that electronic financial transactions take place on trusted equipment. If a piece of financial equipment is not trusted, the transaction can still take place; it simply takes place on different equipment, and no one loses money. In digital cinema, improper use of a revocation list leads directly to financial loss. That is good reason for not having revocation lists in digital cinema.
The third thing one should know is that we don't have an explicitly defined structure for trust in digital cinema. We do not have a universal infrastructure for providing the right equipment credentials to those who create KDMs. Nor can KDM creators easily learn if equipment credentials are valid.
To learn how to improve this, it is necessary to understand how trust takes place. When someone talks about security, one often hears about encryption, keys, certificates, and validation. But we tend to forget that the ultimate authority of trust is a human being. A good security system will minimize the number of people that must be trusted, but it cannot eliminate trust in people.
In current practice, trust is in the hands of multiple parties. The exhibitor, the equipment manufacturer, and the KDM creator (the entity that creates a Key Delivery Message) all must be trusted. If there is a third party in between as a handler of security processes, then that entity must be trusted, too. As digital cinema expands globally, the studios would like to minimize the number of entities they have to trust to ensure that their content is secure.
Today, trust begins with the manufacturer of the equipment, which maintains a list of equipment serial numbers and associated equipment credentials, such as digital certificates and forensic mark identifiers. The exhibitor provides a list of serial numbers of active equipment, and a third party marries the exhibitor's serial numbers with the manufacturer's information. The third party could be the system integrator, a separate service provider, a KDM creator, or a combination of these. This is how equipment credentials are learned and validated.
The most sensitive role in the digital cinema security chain is that of the KDM creator. Once a KDM is created, the movie can be decrypted on the device to which the KDM is targeted. Without the appropriate KDM, the movie cannot be played. Should a KDM be created for a device that is not intended to play the movie, or for a device that is no longer trusted, then a breach of trust has occurred. The KDM creator is hired by the content owner, which creates a trusted relationship between the two entities. In worst-case scenarios it also provides a path for recourse.
In order for a KDM to be created, the target device's digital cinema certificate must be known. This requires that the KDM creator possess trusted equipment credentials obtained from both exhibitor and equipment manufacturer. The KDM creator also has a degree of responsibility in making trusted decisions. If the movie does not play because of an incorrect KDM, it is the KDM creator that must respond appropriately.
The challenge is that the greater the number of entities that must be trusted, the weaker the security chain. Ideally, among manufacturer, exhibitor, and KDM creator, only the KDM creator need be trusted. However, it is not possible to eliminate the manufacturer as a trusted party, as it is the trusted source of digital equipment credentials. But it is possible to reduce the exhibitor's role as a trusted party by automating the communication of equipment credentials from the cinema to the KDM creator. Not only does this reduce the exhibitor's role as a trusted party, but it also reduces the labor involved in maintaining TDLs.
Tools have already been created to enable this important step. It is the purpose of the standardized Facility List Message, or FLM, to carry digital equipment credentials back to KDM creators as part of an automated process. Notably, the FLM is specified in the Digital Cinema System Requirements of NATO (the National Association of Theatre Owners).
But even with the FLM in place, the trust chain is not perfect. The KDM creator must know when a particular device is removed from service or no longer valid. It is assumed that the manufacturer will remain responsible for tracking this information and appropriately updating its database. This can be a tall order to fill.
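The chain just described (the manufacturer as trust anchor for device credentials, exhibitor-claimed serial numbers married with manufacturer-issued certificates, the KDM creator wrapping the content key to the target device's certificate, and the need to drop a device that has left service) can be made concrete in code. The Go program below is an added example written for this page; it is not code from the article, from SMPTE, or from any KDM creator. It assumes a self-signed manufacturer root, carries the device serial in the certificate CommonName, and reduces the KDM to a single RSA-OAEP wrapping of one content key, leaving out the SMPTE certificate profile and the KDM's validity window, composition playlist binding and signature. The names `NewManufacturerRoot`, `EnrollDevice`, `KDMCreator`, `Admit`, `Retire`, `MakeKDM` and `Unwrap`, and the serial numbers and content key used, are this example's own.

```go
package main

// Added example for this page, not code from the article or any KDM creator.
// Assumed simplifications: serial carried in the certificate CommonName; KDM
// reduced to one RSA-OAEP ciphertext with no validity window or signature.

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates an RSA key pair and a certificate for it, signed by
// parent/signer, or self-signed when parent is nil.
func newCert(cn string, isCA bool, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo-only uniqueness
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(1, 0, 0),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageKeyEncipherment,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewManufacturerRoot is the trust anchor: the manufacturer's self-signed CA.
func NewManufacturerRoot(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
	return newCert(name, true, nil, nil)
}

// EnrollDevice is the manufacturer issuing a device certificate. The private
// key stays inside the device; it is returned only so a test can play that role.
func EnrollDevice(root *x509.Certificate, rootKey *rsa.PrivateKey, serial string) (*x509.Certificate, *rsa.PrivateKey, error) {
	return newCert(serial, false, root, rootKey)
}

// KDMCreator keeps its own private trusted device list (TDL).
type KDMCreator struct {
	roots *x509.CertPool
	tdl   map[string]*x509.Certificate
}

func NewKDMCreator(manufacturerRoot *x509.Certificate) *KDMCreator {
	pool := x509.NewCertPool()
	pool.AddCert(manufacturerRoot)
	return &KDMCreator{roots: pool, tdl: map[string]*x509.Certificate{}}
}

// Admit marries a serial from the exhibitor's list with a presented certificate
// (what an FLM carries): subject must match, chain must end at a trusted root.
func (k *KDMCreator) Admit(serial string, cert *x509.Certificate) error {
	if cert.Subject.CommonName != serial {
		return fmt.Errorf("%s: certificate is for %q", serial, cert.Subject.CommonName)
	}
	if _, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
		return fmt.Errorf("%s: not an RSA certificate", serial)
	}
	opts := x509.VerifyOptions{Roots: k.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("%s: not issued by a trusted manufacturer: %w", serial, err)
	}
	k.tdl[serial] = cert
	return nil
}

// Retire drops a device that has left service; no further KDMs can target it.
func (k *KDMCreator) Retire(serial string) { delete(k.tdl, serial) }

// MakeKDM wraps the content key to the target device's public key; TDL devices only.
func (k *KDMCreator) MakeKDM(serial string, contentKey []byte) ([]byte, error) {
	cert, ok := k.tdl[serial]
	if !ok {
		return nil, fmt.Errorf("%s: not on the trusted device list", serial)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), contentKey, []byte("KDM"))
}

// Unwrap is the target device's side; any other device's key fails here.
func Unwrap(deviceKey *rsa.PrivateKey, kdm []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, deviceKey, kdm, []byte("KDM"))
}
```

Two things the code makes visible that the prose only implies. First, the exhibitor is trusted only for the claim "serial SM-0001 is in service": a certificate that does not chain to the manufacturer root, or that belongs to a different serial, fails `Admit` no matter who submitted it, which is why automating that submission with an FLM reduces the exhibitor's role as a trusted party without weakening the check. Second, the KDM creator is the only party that can cause a screen to go dark: `Retire` and the TDL lookup in `MakeKDM` are private decisions, not a shared revocation list, and a real KDM additionally carries a validity window, the composition playlist it unlocks, and the KDM creator's signature so the device can tell who issued it.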
The question of how third parties play in the trust chain is often raised. As long as the content owner has a path of recourse to the third party, the trust chain is retained. Only when the third party is completely neutral, such as a government-funded entity, does the trust chain break down. Ironically, several governments have expressed interest in operating such entities under the illusion that it will add value to the industry.
This long walk through the digital cinema trust chain is hopefully instructive in a number of ways. It lays out the steps required to maintain trust. It demonstrates where responsibilities lie. And it shows why automating the handling of equipment credentials in the cinema will improve the trust chain for global expansion.
NATO's Digital Cinema Requirements identifies the Data and Key Management System, or DKMS, as the component providing the automated management of equipment credentials in the cinema. SMPTE (Society of Motion Picture and Television Engineers) standardized the FLM for open exchange of equipment credentials. Unfortunately, none of this has been put to work as yet. The DKMS and the FLM will be one of the next areas of evolution in digital cinema.
Michael Karagosian is founder and president of MKPE Consulting LLC, a Los Angeles-based consultancy in the entertainment industry. You can visit his company site at http://mkpe.com.