Digital Cinema System Specification

2.1.1.1. Digital Source Master (DSM) 🔗

The Digital Source Master (DSM) is created in post-production and can be used to convert into a Digital Cinema Distribution Master (DCDM). The DSM can also be used to convert to a film duplication master, a home video master, and/or a master for archival purposes. It is not the intention of this document to, in any way, specify the DSM. This is left to the discretion of the content provider. The content could come from a wide range of sources with a wide range of technical levels.

2.1.1.2. Composition 🔗

When discussing Digital Cinema content, it was realized that other content besides feature films would make use of the same digital system. Therefore, a new term was created to refer to any content that would have similar requirements to feature film content. The term “Composition” refers to all of the essence and metadata required for a single presentation of a feature, or a trailer, or an advertisement, or a logo to create a presentation using a digital system. This term will be used throughout this document and is intended to refer to a single element such as one and only one feature, trailer, advertisement or logo.

2.1.1.3. Digital Cinema Distribution Master (DCDM) 🔗

This document specifies a DCDM for the purpose of exchanging the image, audio and subtitles to encoding systems and to the Digital Cinema playback system. The DCDM is the output of the Digital Cinema post-production process (not to be confused with the feature post-production process, which creates the DSM) and is the image structure, audio structure, subtitle structure. These structures are mapped into data file formats that make up the DCDM. This master set of files can then be given a quality control check to verify items like synchronization and that the composition is complete. This requires the DCDM files to be played back directly to the final devices (e.g., projector and sound system) in their native decrypted, uncompressed, unpackaged form.

Note: See Section 10.2.1. for requirements specific to stereoscopic presentations.

2.1.1.4. Digital Cinema Package (DCP) 🔗

Once the DCDM is compressed, encrypted and packaged for distribution, it is considered to be the Digital Cinema Package or DCP. This term is used to distinguish the package from the raw collection of files known as the DCDM. Shown below is a typical flow for Digital Cinema. When the DCP arrives at the theater, it is eventually unpackaged, decrypted and decompressed to create the DCDM*, where DCDM* image is visually indistinguishable from the original DCDM image.

DSM → DCDM → DCP → DCDM* → Image and Sound

Note 1: Integrated projector and Media Blocks are strongly recommended. However in the exclusive case to accommodate a 2K, 48 FPS, 12 bit DCDM to use [SMPTE 372M Dual Link HD-SDI] as an interface, it is acceptable, but not recommended, to allow 10 bit color sub-sampling to create the DCDM* at the output of the Image Media Block decoder. This bit depth reduction and color subsampling is only allowed in the single combination of a DCDM at 2K, 48 FPS being transported over a link encrypted SMPTE 372M connection.

Note 2: See Section 10.2. for requirements specific to stereoscopic presentations.

2.1.1.5. Hierarchical Image Structure 🔗

The DCDM shall use a hierarchical image structure that supports both 2K and 4K resolution files (See Section 3.2.1. ) so that studios can choose to deliver either 2K or 4K masters and both 2K and 4K projectors can be deployed and supported. The supported mastering and projecting combinations are illustrated in Figure 3 .

Media Blocks (MB) for 2K projectors are required to be able to extract and display the 2K-resolution component from the 2K/4K DCP file(s). Media Blocks for 4K projectors are required to be able to output and display the full 4K DCDM. In the case of a 2K DCDM, the output of the Media Block is a 2K image. It is the responsibility of the 4K projectors to up-sample the image.

2.1.1.6. File / Frame-Based System 🔗

This Digital Cinema system is built upon a data file-based design, i.e., all of the content is made up of data stored in files. These files are organized around the image frames. The file is the most basic component of the system.

2.1.1.7. Store and Forward 🔗

This Digital Cinema system uses a store-and-forward method for distribution. This allows the files to be managed, processed and transported in non-real time. Non-real time could be interpreted as slower than real time, or faster than real time. After being transported to the theater, the files are stored on a file server until playback. However, during playback and projection, the Digital Cinema content plays out in real time.

2.1.1.8. Reels 🔗

Feature films have been sub-divided for some time into discrete temporal units for film systems called reels. This concept and practice will continue in use for the Digital Cinema system. In Digital Cinema, a reel represents a conceptual period of time having a specific duration chosen by the content provider. Digital Cinema reels can then be electronically spliced together to create a feature presentation.

2.1.1.9. Component Design 🔗

For the purpose of interoperability, the hardware and software used in the Digital Cinema system shall be easily upgraded as advances in technology are made. Upgrades to the format shall be designed in a way so that content can be distributed and played on the latest hardware and software, as well as earlier DCI-compliant equipment installations.

The Digital Cinema system shall provide a reasonable path for upgrading to future technologies. It shall be based upon a component architecture (e.g., Mastering, Compression, Encryption, Transport, Storage, Playback, Projection), that allows for the components to be replaced or upgraded in the future without the replacement of the complete system. It is the intention of this Digital Cinema specification to allow for advances in technology and the economics of technology advancement.

2.1.1.10. Storage and Media Block 🔗

Storage and Media Block are components of the theater playback system. Storage is the file server that holds the packaged content for eventual playback. The Media Block is the hardware device (or devices) that converts the packaged content into the streaming data that ultimately turns into the pictures and sound in the theater. Media Blocks are secure entities and the specific nature of that security is defined in Section 9. .

3.1.4.1. [This Item Left Blank Intentionally] 🔗

3.1.4.2. Frame Rates 🔗

The DCDM image structure is required to support a frame rate of 24.000 Hz. The DCDM image structure can also support a frame rate of 48.000 Hz for 2K image content only. The frame rate of any individual DCDM master is required to remain constant. Metadata is carried in the image data file format to indicate the frame rate.

3.1.4.3. Synchronization 🔗

Files within the DCDM set are required to carry information to provide for frame-based synchronization between each file. At a minimum, they are required to include a “start of file” and a continuous frame count.

3.2.2.1. Introduction 🔗

The DCDM image file format is mapped into TIFF.

3.2.2.2. File Mapping 🔗

The DCDM Image Structure shall be mapped into the TIFF Rev 6.0 File Format and further constrained as follows:

• 16 bits each per X', Y', and Z' channel, stored in the nominal TIFF R, G and B channels.
• The DCDM gamma-encoded X', Y' and Z' color channels are represented by 12-bit unsigned integer code values. These 12 bits are placed into the most significant bits of 16-bit words, with the remaining 4 bits filled with zeroes.
• The image orientation shall place the first pixel in the upper left corner of the image.
• The DCDM picture file shall contain only the active pixels in the image. In other words, it is not allowed to pad the picture to the full size of the DCDM container.

3.2.2.3. Synchronization 🔗

The DCDM file format is required to contain metadata that allows for synchronization of the images with other content:

• Each directory shall contain only one contiguous sequence of frames.
• For assembled reels, a separate directory shall be used for each reel with the following naming convention:
  • CompositionName.Reel_#
• For inserts, the directory naming convention shall be:
  • FeatureName.Reel_#.Insert_#
• Each reel shall contain sequentially numbered frames, using the following file naming convention. All names when sorted alphabetically shall be in sequential order (leading zeroes required). Therefore, the only thing that changes in the sequence is the frame numbers.
  • CompositionName.Reel_#.FrameNumber.tif
  • Example: Stealth.Reel_1.00001.tif

3.2.2.4. Image Metadata Required Fields 🔗

Image information and parameters, required to successfully interchange the DCDM Image Structure, shall be provided to the mechanism that will ingest the DCDM.

Each frame in the reel shall contain accurate and complete metadata, but it is permissible to read and extract the reel-based metadata from the first frame of a reel to use as a metadata “slate” for the rest of the frames in the reel.

The information, as shown in Table 4 below, is the minimum required information to successfully interchange files.

3.3.2.1. Audio Sample Rate Conversion 🔗

If a media block supports 96 kHz audio, it shall be able to perform sample rate conversion to 48 kHz or 96 kHz at the output when necessary.

3.3.4.1. General 🔗

The audio file format shall comply with the Broadcast Wave file format (.wav), per [ITU Tech 3285 version 1 (PCM WAVE coding)], is extended and constrained as further described here.

The audio file shall remain uncompressed throughout the Digital Cinema system. This shall include packaging, distribution and storage.

3.3.4.2. Synchronization 🔗

The Broadcast Wave (.wav) file is required to contain metadata that indicates the first sample of audio data. The metadata is also required to contain a continuous frame count relative to the image as well as the sample rate.

3.3.4.3. Object-Based Audio Essence (OBAE) 🔗

OBAE shall be carried in the MXF file format conforming to SMPTE ST 429-18 D-Cinema Packaging - Immersive Audio Track File.

3.4.2.1. Introduction 🔗

A subpicture data stream is a multiple-image data stream intended for the transport of visual data supplemental to a motion picture. The data is designed for graphic overlay with the main image of a Digital Cinema motion picture. It is designed only for an open display and not for a closed display. It is envisioned that the subpicture data stream, when employed, will typically be used for the transport of subtitle data.

3.4.2.2. File Format 🔗

Subpicture data is required to be encoded as a standardized, XML-based document. Such a standard is required to define both Timed Text and subpicture encoding methods allowing mixed-media rendering. Subpicture frames are required to be encoded as [ISO/IEC 15948:2004] PNG files.

3.4.2.3. Rendering Intent 🔗

The PNG file is required to be rendered with knowledge of color space and pixel matrix of the DCDM. The PNG file is required to be mastered at the same resolution as the DCDM.

For example, a DCP containing a 4K master will require 4K PNG files and no other resolution PNG files. When played on a 2K projector, it is the responsibility of the 2K projection system to downsample the 4K PNG files such that they display with the correct size with respect to the image data. And, a DCP containing a 2K master will require 2K PNG files and no other resolution PNG files. When played on a 4K projector, it is the responsibility of the 4K projection system to upsample the 2K PNG files appropriately.

3.4.2.4. Frame Rate and Timing 🔗

The XML navigation file specifies the temporal resolution of the subpicture file. A Frame count, Time In, Time Out, Fade Up Time and Fade Down Time, which correspond to the image, shall be included. The subpicture frame rate shall be equal to the frame rate of the associated DCDM image file.

3.4.2.5. Synchronization 🔗

The equipment or system that encodes or decodes the subpicture file is required to ensure that temporal transitions within the subpicture file are correctly synchronized with other associated DCDM files. The Digital Cinema equipment and subpicture file is required to re-synchronize after a restart of the system.

3.4.3.1. Introduction 🔗

Timed Text (e.g., captions and/or subtitles) is text information that may be presented at definite times during a Digital Cinema presentation.

3.4.3.2. File Format 🔗

Timed Text data is required to be encoded as a standardized, XML-based document.

Note: This provides for presentation via:

• Overlay in main or secondary projector image (open), or
• External display (closed)

3.4.3.3. Restart 🔗

The Digital Cinema equipment and Timed Text file is required to re-synchronize after a restart of the system.

3.4.3.4. Default Font 🔗

Font files are required to be used to render Timed Text for subtitle applications. Font files can be used to render Timed Text for caption applications. When used, font files are required to conform to [ISO/IEC 14496-22:2007(E) Information technology - Coding of audio-visual objects - Part 22: Open Font Format]. Timed Text files are required to be accompanied by all font files required for reproduction of the Timed Text.

The Timed Text file format is required to support a default character set. It is required that there be a default Unicode™ character set and a default font for that character set.

In event that an external font file is missing or damaged, the subtitle rendering device is required to use a default font supplied by the manufacturer. The default character set is required to be a Unicode™ ISO Latin-1 character set. The default font is required to conform to [ISO/IEC 14496-22:2007(E) Information technology - Coding of audio-visual objects - Part 22: Open Font Format] and support the ISO Latin-1 character set.

3.4.3.5. Identification 🔗

The Timed Text format requires the cardinal language of the text to be identified.

3.4.3.6. Searchability 🔗

A pure text stream is encouraged to isolate content from rendering markup for searchability.

3.4.3.7. Multiple Captions 🔗

The Timed Text format shall allow the display of multiple captions simultaneously. There shall be a maximum number of 3 lines of text allowed for simultaneous display.

Note: This allows for spatial representation for captions when two people are talking simultaneously.

3.4.3.8. Synchronization 🔗

The equipment or system that encodes or decodes the Timed Text file is required to ensure that temporal transitions within the data stream are correctly synchronized with other associated DCDM data streams.

3.4.5.1. Introduction 🔗

Many of today’s automation controls are driven by a time-based event list such as the system's Show Playlist, and can be classified by their show control functions, as in the partial list below.

• First frame of content
• First frame of intermission
• First frame of end credits
• First frame of end credits on black
• Last frame of content

Show control events or cues are required for the theater system operator to pre-program the timing of show control events. Such events or cues may indicate events such as the beginning of the title, beginning of the intermission, beginning of the credits, and the end of the feature. The events or cues will normally be placed into the Digital Cinema Composition Playlist, as defined in Section 5. .

5.2.2.1. Introduction 🔗

Digital Cinema presents a challenge to create a versatile packaging system. Throughout this system, some basic requirements are needed and are stated below.

5.2.2.2. Standards-Based Packaging 🔗

DCP Packaging shall adhere to SMPTE standards so that equipment receiving a compliant DCP can process and interpret it unambiguously. This format is encouraged to be a license-free technology.

For a Standard DCP, essence shall be packaged with all provisions of SMPTE ST 429-2 "D-Cinema Packaging - DCP Operational Constraints."

For a DCP containing OBAE (an IAB DCP), essence shall be packaged consistent with all provisions of [SMPTE ST 429-19 D-Cinema Packaging – DCP Operational Constraints for Immersive Audio].

5.2.2.3. Interoperable 🔗

The Packaging format is required to have an open framework that accommodates compressed, encrypted files as well as all other files used in Digital Cinema.

5.2.2.4. Scalable 🔗

The Packaging format is required to accommodate any number of essence or metadata components. There is no limit on the number of files included in the package or the size of the files.

5.2.2.5. Supports Essential Business Functions 🔗

The Packaging format is required to support content structure as needed during booking, fulfillment, show preparation, booking updates, secure licensed playback and logging.

5.2.2.6. Secure 🔗

The Packaging format is required to support integrity and security at two levels: (1) a basic level which can provide reasonable assurance of file integrity without reference to licenses or a Security Manager (SM), and (2) an engagement-specific level representing a particular business-to-business relationship.

5.2.2.7. Extensible 🔗

The Packaging format is required to allow for new Digital Cinema features (compositions) to be contained within the package.

5.2.2.8. Synchronization 🔗

The Packaging format is required to provide support for synchronization of the essence and metadata elements.

5.2.2.9. Human Readable Metadata 🔗

Human readable metadata is required to be in English (default) but can be provided in other languages as well.

5.2.2.10. Identity 🔗

The packaging format is required to support unique and durable identification of assets and metadata using embedded unique identifiers. Throughout this document, the acronym “UUID“ shall mean a type 4 (pseudo-random) Universally Unique Identifier (UUID) as defined in [IETF RFC 4122].

5.3.1.1. Introduction 🔗

The Sound and Picture Track File is the fundamental element in the Digital Cinema packaging system. The Sound and Picture Track File structure and requirements are defined by the essence or metadata that they contain. Each of these essence or metadata containers could be image, sound, subtitle (Timed Text and/or subpicture) or caption data. However, each track file follows the same basic file structure. A track file consists of three logical parts: the File Header, the File Body and the File Footer as shown in Figure 8 .

The file structure is further broken down into logical data items as defined in [SMPTE 336M Data Encoding Protocol using Key-Length-Value]. The KLV Coding Protocol is composed of Universal Label (UL) identification Key (UL Key), followed by a numeric Length (Value Length), followed by the data Value as shown below in Figure 9 . One or more of these data items are combined to form the logical parts shown above.

5.3.1.2. Format Information 🔗

Each track file is required to be a self-contained element, such that its essence or metadata can be understood and presented as it was packaged by a compliant decoder. The information is required to be located in the predetermined specified area. The Track File is required to contain the following minimum information:

• Required metadata for unique asset identification
• Required metadata for decompression (optional)
• Required metadata for decryption (optional)

The following information is required to be configured in a human readable format:

• Essence physical format description (e.g., 4096 x 2160)
• Essence title asset information (e.g., The_Perfect_Movie_English_R2)

5.3.1.3. Reel 🔗

A Reel is a conceptual period of time having a specific duration, as defined below:

• Track Files are required to be associated with a particular Reel.
• A Track File is required to not cross over a reel boundary that is a playable portion of a track file, between the mark in and mark out points.
• Reels are required to be composed of one or more Essence Track Files (e.g., Picture Only, Sound and Picture, Sound and Picture and Subtitle, etc.)
• The minimum duration of a Track File is required to be an integer number of frames, such that the length is greater than or equal to one (1) second.

5.3.1.4. Track File Replacement 🔗

A Track File is the smallest unit that can be managed or replaced as a discrete file in the field.

5.3.1.5. Synchronization 🔗

Each Track File is required to contain the following synchronization information:

• Start of Essence Data (mark in)
• End of Essence Data (mark out)
• Track File Frame Count
• Frame Rate
• Internal Synchronization

5.3.1.6. Splicing 🔗

Track Files of the same essence type and playback devices are required to support artifact-free splicing at any frame boundary, allowing the assembly of a continuous data stream from multiple Track Files. The playback device is required to perform sample accurate splicing of Sound Track Files.

5.3.1.7. Key Epoch 🔗

A Key Epoch is the period of time during which a given Decryption Key is effective. The Key Epoch shall minimally be one Reel.

5.3.1.8. Security 🔗

Each Track File is required to provide for encryption and methods to authenticate the data, if the content provider chooses to use such methods. In addition:

• The essence container is required to allow encrypted data, while the rest of the Track File metadata is left unencrypted.
• At any point in the delivery chain, it is required to be possible to detect whether any accidental or intentional alteration has occurred.

5.3.1.9. Integrity and Authentication 🔗

Each Track File is required to provide a method for verification of file integrity that can be easily determined at any step of the delivery process. In addition:

• It is encouraged that missing or corrupted data be easily identified.
• Track Files are encouraged to be subdivided into smaller segments, which have individual authenticity/error-check codes. This facilitates a decision as to whether the file is so corrupt it cannot be played, or whether it is safe to proceed with playback while requesting a replacement Track File.
• Synchronization with other Track Files is encouraged to be verifiable.

5.3.1.10. Extensibility 🔗

The Operational Pattern is required to accommodate future extensions within its original scope.

5.3.1.11. Random Access and Restarts 🔗

The Operational Pattern is required to support random access to the nearest integer minute. Random access to individual frames is neither required nor desired.

A restart occurs as a result of a stop or pause in the system while executing a Composition Playlist. The system may be restarted at any frame prior to the frame at which it was stopped or paused. It is required that a restart be logged by the Security Manager, provided that the essence (either image, audio or subtitle) is encrypted.

5.3.1.12. Simple Essence 🔗

A track file is required to contain essence of a single essence type (e.g., audio, image, subtitles). While a Track File can, for instance, contain all audio channels for a given language, additional languages are required to be stored in separate track file. The Composition Playlist will select the correct Track Files to play a requested version of the movie (composition).

5.3.2.1. Introduction 🔗

MXF Track File Encryption shall be compliant with SMPTE 429-6 D-Cinema Packaging – MXF Track File Essence Encryption. The following requirements clarify the use of SMPTE 429-6 with this specification. For the purpose of this section, a frame is defined as an image frame time, for example 24 FPS or 48 FPS.

• Each reel shall use a single cryptographic key for all frames within the sound or picture Track File.
• The integrity of each frame of sound and picture essence shall be verifiable using the HMAC-SHA1 algorithm. The optional Message Integrity Code (MIC) element of SMPTE 429-6 shall be present.
• There shall be a method for verifying that all frames within a sound and picture track are played in correct sequence. The optional TrackFileID and SequenceNumber elements of SMPTE 429-6 shall be present.

5.3.2.2. Encrypted Track File Constraints 🔗

MXF Track File Encryption shall be compliant with [SMPTE 429-6 D-Cinema Packaging – MXF Track File Essence Encryption].

5.3.3.1. Introduction 🔗

An Image Track File contains the image essence data and its associated metadata. Each Image Track File contains compressed image data and, optionally, may be encrypted. The following are requirements for an Image Track File.

Note: See Section 10.2.2. for requirements specific to stereoscopic presentations.

5.3.3.2. Frame Boundaries 🔗

The Image Track File is required to begin and end with complete frames that allow for splicing. Frames are defined to be image frames such as 24 FPS (1/24 sec) or 48 FPS (1/48 sec). The image data within the Track File shall be wrapped using KLV on an image frame boundary.

5.3.3.3. Compression 🔗

The Track File is required to support Constant Bit Rate (CBR) compression and Variable Bit Rate (VBR) compression, within the constraints of the specified code stream for the reference decoder (see Section 4. ).

5.3.3.4. Metadata 🔗

The following metadata is required to be furnished with the Image Track File:

• Unique ID
• Unique ID of corresponding plaintext track if encrypted
• Track type (i.e., image)
• Active Horizontal Pixels (Ph)
• Active Vertical Pixels (Pv)
• Aspect Ratio
• Frame Rate
• Frame count number (duration)

5.3.4.1. Introduction 🔗

A Sound Track File contains the Sound Essence data and its associated metadata. Sound Track Files shall be per SMPTE ST 429-3. The following are requirements for a Sound Track File.

Note: See Section 10.2.2. for requirements specific to stereoscopic presentations.

5.3.4.2. Frame Boundaries 🔗

The Sound Track File is required to begin and end with complete frames that are associated with its Image Track File to allow for a clean transition between reels. The audio data within the Sound Track File shall be wrapped using KLV on an image frame boundary.

5.3.4.3. Data Packing Format 🔗

The Sound Track File is required to support uncompressed audio data.

5.3.4.4. Metadata 🔗

The following metadata is required to be furnished with the Sound Track File:

• Unique ID
• Unique ID of corresponding plaintext track encrypted
• Track type (i.e., audio)
• Audio Sampling Frequency
• Quantization bits (sample size)
• Channel Count
• Channel Mapping Labels
• Data Packing Format
• Frame Rate
• Audio Frame count number (duration)

5.3.4.5. OBAE 🔗

OBAE shall be carried in an Immersive Audio Track File per SMPTE ST 429-18 D-Cinema Packaging – Immersive Audio Track File, which specifies all required metadata.

5.3.5.1. Introduction 🔗

A Subtitle Track File contains, for example, the Subtitling essence data and its associated metadata. Each Subtitle Track File may contain any combination of text, font references, and image references.

5.3.5.2. Frame Boundaries 🔗

The Subtitle Track File is required to have the same duration as the playable region of its associated Image Track File.

5.3.5.3. Timed Text 🔗

Any Timed Text element is required to use an Open Type font.

5.3.5.4. Subpicture 🔗

Subpicture elements are required to use the PNG file format.

5.3.5.5. Metadata 🔗

The following metadata is required to be furnished with the subpicture Track File:

• Unique identification
• Track Type (i.e., Timed Text, subpicture)
• Total Width In Pixels of the Image Track File (PNG files only)
• Total Height In Pixels of the Image Track File (PNG files only)
• Aspect Ratio (PNG files only)
• Frame Rate
• Position
• Timing (Temporal)

5.4.3.1. General Information 🔗

• A Composition Playlist is required to be identified by ISAN [ISO 15706] or UMID [SMPTE 330M Television – Unique Material Identifier (UMID)]
• Content Title in human readable text
• Content Kind (e.g., Feature, Trailer, Logo, Advertisement)
• Content Version
• Language
• Country
• Rating
• Aspect Ratio
• Image Format
• Audio Format

5.4.3.2. Image Track Information (list for each reel) 🔗

Any given Image Track File shall have one or more Entry Points within a given composition playlist.

• UUID
• File Authentication Code
• Entry Point (number of frames offset into the Track File)
• Duration

5.4.3.3. Audio Track Information (list for each reel) 🔗

Any given Audio Track File shall have one or more Entry Points within a given composition playlist.

• UUID
• File Authentication Code
• Entry Point (number of frames offset into the Track File)
• Duration

5.4.3.4. Subtitle Track Information if Present (list for each reel) 🔗

Any given Subtitle Track File shall have one or more Entry Points within a given composition playlist.

• UUID
• File Authentication Code
• Entry Point (number of frames offset into the Track File)
• Duration

5.4.3.5. [This Item Left Blank Intentionally] 🔗

5.4.3.6. Digital Signature 🔗

• Encrypted hash (message digest)
• Signer identification

5.4.3.7. Security of the CPL 🔗

For encrypted essence, the Composition Playlist shall be digitally signed such that modifications to the Composition Playlist (and/or the associated composition) can be detected. In support of this, the CPL assets "KeyID" and "Hash" elements shall be present in the CPL track file asset structure.

5.5.2.1. General 🔗

The Distribution Package is required to contain a Packing List and one or more Digital Cinema Track Files.

5.5.2.2. Packing for Transport 🔗

The distribution method is required to allow a DCP to be transported via physical media, satellite or network.

5.5.2.3. Security 🔗

The distribution method is required to provide digital signatures to allow the recipient to verify integrity of the Packing List and the enclosed files. In particular, where the DCP contains encrypted essence files, the Packing List shall be digitally signed.

Preparation of Packing Lists is a distribution fulfillment or transport function. Therefore, the digital signatures come from these entities, not the content-owner who mastered the files. Packing List security functions do not verify the authenticity of the content, only the intent of the delivery agent. Content authenticity is verified through signed Composition Playlists and validated Key Delivery Messages.

5.5.3.1. File Format 🔗

The Packing List is required to use XML data format with XML signature (digital signature) . It should be in English (default) but can be provided in other languages as well.

5.5.3.2. Fields 🔗

The following data fields are required to be included in the Packing List for each file in the Package:

• UUID
• Annotation Text parameter (optional), if present, is a free-form, human readable annotation associated with the asset. It is meant strictly as a displayable guidance for the user
• File Integrity check (hash) for each file in the distribution package
• Size of the file in bytes
• Type (e.g., Packing List, Playlist, Track File, opaque security data)
• Original File Name

The following fields are required to be included in the digital signature section of the Packing List:

• Signer parameter uniquely identifies the entity, and hence public key that digitally signs the Packing List.
• Signature parameter contains a digital signature authenticating the Packing List.

6.2.1.1. Introduction 🔗

Digital Cinema presents unique opportunities for the transport of theatrical content. Some basic requirements are stated below.

6.2.1.2. Security 🔗

The content owner’s encryption is required to not be removed during transport.

6.2.1.3. Robustness 🔗

The files are required to retain all of the data of the original files upon completion of transport of the Digital Cinema content.

7.2.3.1. Reliability 🔗

A key part of the Digital Cinema system is reliability. In the realm of Digital Cinema, the presentation should not be interrupted, except in the event of a catastrophic failure of the Digital Cinema system (e.g., loss of power) or a natural disaster. There will be cases where equipment will fail (such as happens now with traditional 35mm film equipment). However, the time between failures, and the speed at which it is repaired, is encouraged to be no worse than those for traditional 35mm film equipment.

Each individual theater system is required to have a Mean Time Between Failure (MTBF) of at least 10,000 hours.

7.2.3.2. Mean Time to Repair 🔗

A failed or malfunctioning unit/component is required to be capable of being diagnosed and replaced within 2 hours, exclusive of the time needed to order and to deliver the replacement component(s). Design of a system is required to allow repair of any failed unit/component within two hours.

7.2.3.3. Test Shows 🔗

The system is required to allow the content to be played back for validation and verification prior to exhibition.

7.2.3.4. Monitoring and Diagnostics 🔗

The system is required to provide monitoring and diagnostic checks and provide for status, monitoring, alignment and calibration. This can be done locally or through remote control.

7.2.3.5. Easy Assembly of Content 🔗

The system is required to provide a graphical user interface (GUI) interface for the assembly of content with relative ease in a timely matter.

7.2.3.6. Movement of Content 🔗

The system is required to provide for intra-theater movement of content within a multiplex facility. Emergency moves (e.g., equipment failure) between auditoriums are required to allow playback to start within 15 minutes or less after the start of the movement.

7.2.3.7. Ease of Operation 🔗

The Digital Cinema Theater System is encouraged to require only a reasonable level of computer operation knowledge or training for the basic operation of the system. The computer-based user interfaces are required to be simple and intuitive.

7.2.3.8. Multiple Systems 🔗

There can be one Theater Management System communicating to one or more Screen Management Systems.

7.2.3.9. Environment 🔗

The theater is required to provide an adequate environment for the equipment, with an operating temperature range of 10-35°C and operating Humidity of 10% to 85% Non-Condensing.

7.2.3.10. Safety 🔗

All equipment is required to comply with applicable safety regulations.

7.2.3.11. Storage Capacity Per Screen 🔗

The central and/or local storage system is required encouraged to have the capacity to hold at least 1 TByte of usable storage per screen, where a TByte equals 1,000,000,000,000 bytes.

7.2.3.12. Persistent Security 🔗

Theater systems equipment is required to implement all the security requirements as specified in Section 9. . These requirements enable the necessary functions and features for a reliable and persistent environment to protect content and Security Data, and support the required forensic processes that stakeholders require.

7.2.3.13. Power Failure 🔗

In the case of a power interruption, the Digital Cinema Theater System is required to be restored into a stable stop/idle condition.

7.2.3.14. Local Control 🔗

Every auditorium is required to provide the means of local control by the Screen Management System (SMS) at each projection booth.

7.3.3.1. General Information 🔗

• UUID
• Program Types (e.g., feature, trailer, logo, advertisement)
• Show Playlist Title
• Version
• Language
• Country
• Rating
• Aspect Ratio
• Image Format
• Audio Format

7.3.3.2. Sequence of Composition Playlists 🔗

• UUID
• Composition and/or Event Playlist Filename
• Show Timeline Count In Point
• Show Timeline Count Out Point

7.4.1.1. Introduction 🔗

The Screen Management System (SMS) is required to allow the theater staff to function similar to traditional theater operations . The workflow does not need to radically change to support Digital Cinema presentations. Digital Cinema content will arrive at the theater via fixed media, or through other means of transport, and will be loaded into central or local storage. The staff will then assemble a Show Playlist using a computer Graphical User Interface. This Show Playlist could include advertisements, logos, previews and a main feature. The staff will then direct the show to the screen and let the SMS begin the show by local or remote control.

The Screen Management System provides a user interface to control (start, stop, pause, load playlist, etc.) a single auditorium. The Theater Management System (TMS) allows a theater manager to control many or all auditoriums within a theater complex from a central location.

At the beginning of this section, fundamental requirements were listed that would allow theaters to operate as they have been for some time. This section will elaborate on some of these and other requirements, as they affect the SMS and TMS.

7.4.1.2. Local Control 🔗

Each auditorium in a theater complex is required to allow for local control at each screen via the SMS. This will provide for at a minimum:

• Show Start
• Show Stop
• Show Pause
• Show Restart
• Show programming (single screen installation)

7.4.1.3. User Accounts 🔗

The SMS and TMS are required to support multiple levels of user accounts. The following is an example of multiple accounts: Projection, Show Manager, Super-user, and Administrator with password-protected appropriate log-ons.

1. Projection – Required to be able to perform the following functions
   • Browse and activate current shows
   • Play content, including starting and stopping playback
   • Assemble shows
2. Show Manager – Required to have access to the following functions
   • All projection functions
   • Assemble or Delete Shows to/from storage
   • Import/Delete Content to/from storage
3. Super-user – Required to have access to the following functions
   • All Show Manager functions
   • User Management
   • Theater System Setup
4. Administrator – Required to have access to the following functions
   • All Super-user functions
   • System Setup
   • Security Setup

7.4.1.4. Receipt of Content 🔗

Content can be received by physical media or via a network. The theater systems are required to allow multiple motion pictures and related content to be delivered to a theater in a timely matter. The theater systems are also required to provide a method to verify that the data is complete and whether or not it has not been corrupted.

7.4.1.5. Movement of Content 🔗

The SMS and TMS are required to allow an authorized user to search for content and provide a method for the movement and deletion of content, within a screen or multiplex facility, while the system is in operation. As an example, this would include simultaneous content load-in and playback. This movement could consist of many different examples of operation such as:

• Downloading content while playback of presentations are in progress
• Movement of content from a central storage to local storage while other content is in playback
• Deleting content while other content is in playback
  1. The SMS or TMS is required to warn and not allow deletion if the content is in use or part of a current Show Playlist.
  2. The SMS or TMS is required to provide a deletion process that removes all of the content, key information, and playlists associated with the composition.

7.4.1.6. Assembly of Content 🔗

An electronic method is required to assemble trailers, feature presentations and other content in the creation of shows. At a minimum, a standard method is required to electronically identify the content to the SMS, TMS and the Security Manager (SM) to allow the show to be assembled and played back. This method of identification is embedded within the packaging format as metadata. (See Section 5. )

Operationally, the SMS and TMS are required to provide the user with a method of creating a Show Playlist. This method provides for the following:

• A method of building shows is required to allow only authorized personal to build, save and transport the Show Playlist.
• A method is required to use the validity/expiry method, so that one can check that one has the security devices and keying parameters required for playback.
• A method is required to make it possible for a Show Playlist to be provided via an external source.
• A method is required to provide a means for inserting a black screen and silence between content. The Media Block is required to be able to transition modes without displaying a roll or similar artifacts during a transition between clips in a playlist or between playlists.
• Show Playlists can consist of both encrypted and non-encrypted content.
• The Show Playlist can be communicated in whole to the Media Block, whereupon it is then stored and subsequently executed within the Media Block (Content Data Pull Model).
• The Show Playlist can be executed within the SMS and communicated to the Storage and Media Block one command at a time (Content Data Push Model).
• A method is required to provide for the insertion of cues. These cues allow the automation system to perform its tasks at event boundaries, such as start of feature and start of end credits.

7.4.1.7. Automation Programming 🔗

The Automation System is required to communicate events to and from the screen equipment . These can be light dimmers, curtains, or other systems within an auditorium . These events or cues are programmed within the TMS or the SMS, and initiated by either the SMS or the Automation depending on which unit is the controller and which is the responder. All of the event types are pre-programmed to have certain effects on the system. These events, at a minimum, are required to be recognized by all systems and are listed below:

• First Frame of Content
• First Frame of Intermission
• Last Frame of Intermission
• First Frame of End Credits
• First Frame of End Credits on Black
• Last Frame of Content

7.4.1.8. Playback of Content 🔗

The system is required to provide a method to:

• Have full content play functionality (e.g., make playlists active, stop, start, start play) at any reel break point in a playlist.
• Handle power interrupted while playing content. When the system is next started, it is required to inform the user that playback was abnormally interrupted during the last play, and offer the user the ability to restart playback at a point prior to the failure ( see Section 5.3.1.11. ). The system should also log such events.
• Have no interruptions during playback (glitch-free).
• Adjust the delay of audio ±5 image frames in 10 msec increments of all presentation content to the image.

7.5.2.1. Introduction 🔗

Ingest is the process of receiving content and security information at the theater level. These are the devices that connect to and from the outside world. The following is an example list of such devices split into two groups. The first group has to do with content while the second group is for security and control.

Content :

• Satellite receiver(s) (with cache or local storage)
• Terrestrial fiber network(s) (with cache or local storage)
• Fixed media interface(s)

Security and Control :

• Security Management Interface – Standardized Extra-Theater Message (ETM) and logging report communications interface.
• Once a complete DCP has been ingested, the TMS or SMS is encouraged to verify that a KDM is available and displays the time window for showing the content. A TMS or SMS show schedule can display conflicts between the KDM and the scheduled showings.
• The TMS or SMS is encouraged to alert the user when a KDM will expire within 48 hours.

7.5.2.2. Ingest Interfaces 🔗

The interfaces to the outside world can use any method or physical connection. Inside the theater structure, the architecture is encouraged to break down into two types of interfaces, one for the content and one for control/status and security communications.

• The content ingest interface is required encouraged to be at a minimum Gigabit Ethernet [IEEE802.3ab (copper)] or [IEEE802.3z (fiber)] interface.
• Theater facilities are encouraged to provide a connection that will be available 24/7 for security communications (e.g., ETMs). It is theater management’s decision as to whether this connection is dedicated. However it will be recognized that for some operational situations (e.g., receiving new KDMs), it may be important to have priority access to this connection.

7.5.2.3. Firewalls 🔗

Theater networks are required to protect the security system from the threat of external and internal network-born attacks by the installation of appropriate firewalls. Because there will be many variations in network designs, it is impossible to define specific solutions as part of this specification. Exhibition operators are encouraged to solicit competent network security engineering assistance as part of their facility network design efforts.

See Section 9.5.6. for additional exhibition communications and networking requirements.

7.5.3.1. Introduction 🔗

Content storage can be arranged into two basic configurations or a combination of the two. One is known as local storage and the other is central storage. Local storage is a configuration where the storage is located at each screen. Central storage is a configuration that has all of the storage of content in a central location for all of the screens in a multiplex. There can also be combinations of central and local storage.

7.5.3.2. Storage Reliability 🔗

The most important aspect of the storage system is reliability. For both hard disc drives (HDD) and solid state drives (SSD) there are a number of established RAID configurations that provide storage redundancy and therefore storage reliability. The storage system is required to provide redundancy such that should a single HDD or SSD module fail, the system will continue to play with no visible or audible interruptions or artifacts. The storage system implementation shall be field serviceable.

7.5.3.3. Central Storage 🔗

Central Storage implies that packaged content for a multiplex may be stored in one location. Central Storage may allow for multicasting of the content.

If only Central Storage architecture is used, careful planning is required to be done to ensure that it does not have a single point of failure, including the network. In this type of implementation, the Central Storage is required to also provide the capability to sustain the peak bit rate of all screens being fed simultaneously, along with ingest.

7.5.3.4. Local Storage 🔗

Local storage implies a single storage system for each screen . Local storage is required to be able to sustain the bit rate required for the playback of all content for that screen.

7.5.3.5. Combined Central and Local Storage. 🔗

A combination of central and local storage for a multiplex can be the best solution. The central storage can be used for ingest of material and redundancy of content, while the local storage is encouraged to hold just the content required for the immediate presentation(s).

7.5.3.6. Bandwidth 🔗

The storage system is required to provide enough output to support a continuous stream of compressed image, uncompressed audio and subtitle data (at 289 Mbits/sec if 48 kHz audio is used or 307 Mbits/sec if 96 kHz audio is used) to allow for non-interrupted Digital Cinema playback.

7.5.3.7. Capacity 🔗

Excluding storage necessary for redundancy, the storage system is required encouraged to provide for, at a minimum, the storage of three features (including pre-show content) per screen (one feature currently showing and a second or upcoming feature). Shown in Table 9 , are some example storage requirements. The numbers are based on:

• One three-hour feature
• 20 minutes of pre-show material at the same resolution
• 16 channels of uncompressed audio at 48 kHz at 24 (AES3) bits
• 3,000 sub pictures in PNG file format
• 3,000 Timed Text lines

Image size:

Calculated by: {Average or max bit rate (Mbits/sec) * hours * 60 min/hour * 60 sec/min} / {8 bits/byte *1000} the results is in GBytes

Audio size:

Calculated by: {32 (AES bits) * 48,000 samples/sec *16 (channels) * hours * 60 min/hour * 60 sec/min / 8 (bits/byte) = size
or
Calculated by: {32 (AES bits) * 96,000 samples/sec *16 (channels) * hours * 60 min/hour * 60 sec/min / 8 (bits/byte) = size

Sub Picture size:

Calculated by: 100,000 (bytes/png file @ level 1) * 3,000 (subtitles/feature) = size

Timed Text size:

Calculated by estimate of 1 MBytes per feature

7.5.3.8. Storage Security 🔗

It is required that image and audio essence on storage devices retains the original AES encryption, if present during ingest. It is required that decrypted plaintext (image or audio) essence is never stored on the storage system.

7.5.4.1. Introduction 🔗

Another key component in the playback chain is the Media Block. One or more Media Blocks are responsible for converting the packaged, compressed and encrypted data into raw image, sound and subtitles.

Depending upon implementation, both security and non-security functions take place within Media Blocks. Security functions of Media Blocks (those functions which process plain text essence or Security Data such as decryption keys) may take place only within physically secure perimeters called Secure Processing Blocks (SPB). Detailed security requirements of Media Blocks are discussed in Section 9.4. .

The Image Media Block is implemented as a component within the projection system, as shown in Figure 12 . 5 [5]

In addition to the single Image Media Block, single projector configuration shown above, this specification provides for Multiple Media Block (MMB) configurations to support multiple projectors and/or the use of an Outboard Media Block (OMB) within the projection booth. In connection with OMB functionality, the "IMB with OMB functions" (IMBO) is defined, and may be used alternatively to the IMB in projection systems. See Section 9. for details of MMB and OMB requirements and operation.

7.5.4.2. Media Block Functional Requirements 🔗

7.5.4.3. Media Block Interfaces 🔗

The Media Block is required to interface on three levels with the rest of the system. One level deals with the packaged Digital Cinema content. The next level is the raw essence output for the projector, the audio processor and any special devices for the automation system. The third level is the control and status of the Media Block playback system. These interfaces are noted below.

• Packaged Data – The packaged content requires a standard data interface that could handle bandwidths up to 307 Mbits/sec for the composition data if 96 kHz audio is used or 289 Mbits/sec if 48 kHz audio is used. This may be a Gigabit or 1000Base-T Ethernet [IEEE 802.3ab (copper)] or [IEEE 802.3z (fiber)] interface.
• Uncompressed Essence – The raw essence data requires a real time data interface with extremely high bandwidths. The interface will depend on the physical location of the Media Block and the type of essence that the interface carries.
  1. Main Image – This streaming data interface is required to handle data rates up to 10 Gbits/sec. ( See Section 8. for details.)
  2. Subpicture – This streaming data interface is required to handle data rates up to 20 Mbits/sec. This can be accomplished by the use of a standard 100Base-T Ethernet [IEEE 802.3] interface.
  3. Timed Text – This could be a streaming data interface depending on the buffer capability of the projector. It is expected that this interface can also use a standard 100Base-T Ethernet [IEEE 802.3] interface that can handle data rates up to 500 Kbits/sec. It is encouraged that there be at least two of these interfaces from the Media Block, one to feed the projector and the other to feed off-screen devices.
  4. Sound Essence – This interface is required to stream multiple digital audio channels to the Cinema Audio Processor. This is required to be in an AES3 format. For worst-case audio bandwidth, 19 Mbits/sec is required (16 channels * 24 bit sample * 48 kHz). 37 Mbits/sec is recommended (16 channels * 24 bits/sample * 96 kHz).
  5. OBAE - This interface is required to stream multiple digital audio channels to the Cinema Audio Processor. The interface format is required to be an interoperable standard multichannel format that is capable of meeting the audio bandwidth requirements for the rendered channel count. The exact interface format is not specified. The audio bandwidth requirements are generally more rigorous than main sound and will vary by the number of channels the system is capable of rendering. For example, for a system that can render 48 channels, a minimum of 55.3 Mbits/sec is required (48 channels * 24 bits/sample * 48 kHz). 110.6 Mbits/sec is recommended (48 channels * 24 bits/sample * 96 kHz). Multiple audio interfaces can be used as necessary to obtain the required bandwidth.

7.5.5.1. [This Item Left Blank Intentionally] 🔗

7.5.5.2. [This Item Left Blank Intentionally] 🔗

7.5.6.1. Introduction 🔗

The Audio System delivers the sound of the theatrical presentation to the audience. It is responsible for receiving the uncompressed digital audio from the Media Block, converting it to analog and directing it to the proper speakers for translation to acoustic energy.

For Sound Essence: The system is required to provide the capability for 16 channels of audio playback. The presentation is required to provide, at a minimum, a 5.1 audio format, (Left, Right, Center, Low Frequency Effects, Left Surround and Right Surround) . An audio format of 7.1 can also be provided. The undefined channels can include a Hearing Impaired and/or a Visually Impaired channels as well.

For OBAE: A playback system designed to play OBAE is required to provide the capability to render multiple playback channels to the immersive sound system in the theater. The rendering of object-based audio into a specific sound reproduction format is proprietary to manufacturing companies and is not addressed in this specification.

The Cinema Audio Processor can provide the digital audio conversion and the channel mapping. Its other duties can include playing the intermission program or music (often called non-sync) and allowing for monitoring in the projection booth.

7.5.6.2. Audio System Interfaces 🔗

The Audio System requires several interfaces. The main interface deals with the digital audio and the other interfaces deal with status and control . These interfaces are noted below.

• Digital Audio – The digital audio is delivered from the Media Block to the Cinema Audio Processor.

  For Sound Essence: This is a real time digital audio link that shall have the capacity for delivering 16 channels of digital audio at 24-bit 48 kHz. It is encouraged that this link support 96 kHz. For purposes of clarity, the MB shall be capable of processing 16 channels of 24 bit audio at 48 kHz , and is encouraged to be capable of processing audio similarly at 96 kHz. This link is required to follow [AES3-2003] recommended practice for serial transmission format for two-channel linearly represented digital audio data.

  For OBAE: Rendered OBAE shall be output from the Media Block to the theater audio system using an interoperable standard multichannel format that is capable of meeting the audio bandwidth requirements for the rendered channel count. The exact interface format is not specified. It is encouraged that this link support 96 kHz. The interface must be capable of delivering the maximum number of rendered channels to the cinema processor at 48 kHz. It is encouraged to be capable of processing OBAE at 96 kHz.

• Control and Status – The Cinema Audio Processor is encouraged to also provide a 100Base-T Ethernet [IEEE 802.3] interface that can receive control information and send status to Automation and/or SMS depending on the existing Automation in the theater.

7.5.7.1. Introduction 🔗

A Screen Automation System can interface with life safety, motor controlled curtains, motor controlled masking, the dimmers for the lighting, existing 35mm film projectors and possibly to other devices such as the Cinema Audio Processor, and/or special effects devices. One of the challenges of Digital Cinema is to interface with the many different Automation devices installed presently in the theaters.

7.5.7.2. Automation Interface 🔗

The automation interface is a variable that is different depending on the manufacturer of the installed system. This could range from contact closures to proprietary interfaces. The Theater System is required to translate Digital Cinema cues into something that the automation system understands, and reciprocally, is required to translate the automation information into something the SMS understands.

7.5.9.1. Introduction 🔗

Many Theater Systems will be part of a larger multi-screen facility. A single TMS for Digital Cinema operations is expected to support all multiplex configurations.

Figure 13 below demonstrates an example architecture of one of these systems from an interface prospective. This section will consider the requirements and interfaces of a large networked system. There are two main interface components of this larger system. The first is the Media Network and the second is the Theater Management Network.

7.5.9.2. Media Network 🔗

The Media Network is a high bandwidth, switched interface, made up of media interfaces, Disc Arrays and Media Blocks. The Media Network is required to support, for each screen, a sustained rate of 289 Mbits/sec if 48 kHz audio is used or 307 Mbits/sec if 96 kHz audio is used: 250 Mbits/sec for compressed image, 38 Mbits/sec for 16 channels of 24-bit samples at 96 KHz or 19 Mbits/sec for 16 channels of 24-bit audio samples at 48 KHz, and 20 MBits/sec for subtitle data (subpicture). Additional data bandwidth is needed for ingesting new content and control/monitoring.

7.5.9.3. Theater Management Network 🔗

8.2.2.1. Introduction 🔗

Digital Cinema presents a challenge to create a versatile projection system. Throughout this system, some basic requirements are needed and are stated below.

8.2.2.2. Interfaces 🔗

The projector is required to have the following interfaces:

• For control and status, 100Base-T Ethernet [IEEE 802.3] interface.

The projector can have:

• Graphics and/or Text Interface (could be the same as Control and Diagnostics, e.g., Ethernet Interface)

The projector is required to have a Media Block Interface into which either an IMB or IMBO will be installed.

The projector is required to not have any test, utility or output interface that provides unencrypted content in the clear.

8.2.2.3. Alternative Content 🔗

The projector is required to not preclude the ability to present alternative content. The projector can also provide an auxiliary content input.

8.2.2.4. Single Lens 🔗

The projection system is required to provide either a single lens solution or an unattended changeover if more than one lens is required.

8.2.2.5. Color Space Conversion 🔗

The projection system is required to convert the incoming DCDM* color space to its native color space.

8.2.2.6. Pixel Count 🔗

The sampling structure of the displayed picture array (pixel count of the projector) is required to be equal to or greater than that of the specified image containers (either 4096 x 2160 or 2048 x 1080).

8.2.2.7. Spatial Resolution Conversion 🔗

The projector is required to display either a native resolution of 4096x2160 or 2048x1080. If the projector's native resolution is 4096x2160, and the incoming spatial resolution of the content is 2048x1080, then the projection system is required to perform the up-conversion of 2048x1080 content to 4096x2160. All spatial conversions are required to be done at an exact ratio of 2:1 in each axis, i.e., a projector with a horizontal pixel count of slightly higher than the image container is required to not convert the projected image beyond the image container to fill the array, nor is an image to be converted to something less than the 4096x2160 or 2048x1080 image container size.

Should electronic image resizing or scaling be used to support a constant height projection or constant width projection theater environment, then it is required that the image resizing or scaling does not introduce visible image artifacts . It is intended that the projector project the full horizontal pixel count or the full vertical pixel count of the image container.

8.2.2.8. Refresh Rate 🔗

If the incoming frame rate is not the projection system native refresh rate, then the projector is required to convert it to its native refresh rate.

8.2.2.9. Forensic Mark 🔗

A Forensic Mark is required to be inserted in real time into the content at the earliest point after decryption and prior to the content data being present on any data bus outside the Media Block (see Section 9.4.6.2. ).

8.2.2.10. [This Item Left Blank Intentionally] 🔗

8.4.3.1. [This Item Left Blank Intentionally] 🔗

8.4.3.2. [This Item Left Blank Intentionally] 🔗

8.4.3.3. [This Item Left Blank Intentionally] 🔗

8.4.3.4. 10 Gigabit Fiber 🔗

For mastering environments, 10 Gigabit fiber, also known as [IEEE 802.3ae], may be adapted for a point-to-point interface. The goal for this interface would be to use the same physical layer and adopt a protocol for streaming image data. Listed below are some of the requirements:

• Dual SC Fiber Connector (back haul status/handshake)
• Multi Mode
• Point-to-point
• Matrix Switch and/or Patchable
• Up to 100 meter runs
• Physical Interface established (Layer 1)
• Electrical Interface established (Layer 1)
• 10 Gbit/sec link bandwidth to accommodate up to DCDM in real-time

8.4.5.1. Control 🔗

The following is an example list of control messages that can be sent to the projector:

• Local / Remote
• Power On / Off
• Douser On / Off
• Input Select
• Test Signal On / Off
• Test Signal Selection
• User Memory Recall 1 to n
• Zoom In / Out
• Focus + / -
• Lens Shift Up / Down
• Lamp Mode Full, Half
• Lamp Hours Reset
• Keystone + / -

8.4.5.2. Status 🔗

The following is an example list of status messages that can be sent from the projector:

• Projector On / Off
• Projector Standby Mode
• Projector Cool Down Mode
• Douser On / Off
• Lamp off due to Power Management
• Temperature Readings
• Temperature Warning
• Temperature Sensor Failure
• Temperature Shut down
• Current Input selection
• Input Signal Status
• Test Signal On / Off
• Test Signal Selection
• Lamp Hours Total
• Lamp Hours Bulb Life
• Lamp Mode
• Image Format – Aspect Ratio
• Power Failure

9.3.3.1. Security System Messages 🔗

There are two classes of messages in the security system architecture:

• Extra-theater Messages (ETM) – These are self-contained one-way messages that move Security Data and information outside or within the theater. These specifications have defined a fundamental message structure for a generic ETM, the requirements for which are normative and given in Section 9.8. .
• Intra-theater Messages (ITM) – Messaging that moves Operational Messages within the auditorium over one or more real-time two-way channel(s) between the Screen Management System (SMS) and Media Blocks (MB). Requirements for ITM Operational Messages are provided in the respective SMS, IMB, IMBO and OMB sections, and Section 9.4.5. Intra-Theater Message (ITM) Communications.

9.3.3.2. Security Entities 🔗

Security Entities (SE) are characterized by executing a narrowly defined security function, and having a role defined for them in a digital certificate with which they are associated. The five defined SE(s) are as follows (these are developed more fully in Section 9.4. ).

1. Screen Management System (SMS) – The SMS is not a secure device and therefore is not trusted to handle Security Data (keys). The SMS is trusted to send/receive commands to/from the auditorium SM, such as those required to prepare Media Blocks (MB) for playback.
2. Security Manager (SM) – Responsible for Security Data (keys) and Digital Rights Management within a defined sphere of control (see Section 9.4.3.5. , items 7 and 9c).
3. Media Decryptor (MD) – Transforms encrypted (image, sound, etc.) content to its original plaintext form.
4. Forensic Marker (FM) – Inserts markings (data indicating time, date and location of playback) in both image and audio essence in realtime at time of playback (i.e., a fingerprint or watermark inserter).
5. Secure Processing Block (SPB) – A Security Entity (SE) whose security function is to provide physical protection to other SEs contained within it. A Media Block is an example of a SPB. These specifications define two types of SPB physical protection perimeters (see Section 9.4.2.2. ).

Security Entity Notes:

• The term Security Entity should not be confused with secure entity . The term secure entity is not normatively defined or used in these specifications, as the SPB function serves this purpose, and is normatively defined.
• The SMS is not a secure device, and is sometimes viewed as part of the media server, or as part of the TMS. These security specifications focus on the SMS as the auditorium controlling device, independently of its scope or totality of other functions it may provide (see Section 9.4.2.5. ).

9.4.1.1. Architecture Description and Comments 🔗

The security architecture descriptions and requirements revolve around two embodiments: the SPB and the SE. As defined in Section 9.3.3. , SEs are logical devices that perform specific security functions. They are logical because these specifications do not dictate how SEs are actually designed, and more than one type of SE may be implemented within a single circuit.

All functional Security Entities (SEs) (except the SMS) shall be contained within SPBs, which provide physical protection for the Security Entities (SEs). The SPB is itself a literal SE Type – its security function is physical protection.

The type 1 and type 2 SPB requirements are more fully defined in the Media Block and projector SPB functional requirements below (see Section 9.5. ).

The playback processes begins and ends with the SMS, under the control of Exhibition. Thus, the SMS is viewed as the initiator of security functions, and the window into the exhibition security system. Protection over cryptographic processes begins by requiring the SMS to communicate, in a secure fashion (i.e., under TLS), with the Security Managers (SM) under its control. The security system takes advantage of these secure command and control features to protect itself, as well as the exhibition operator, from several forms of attacks, including SMS imposters and Denial of Service.

While it is true that the security system places no physical protection requirements on the SMS, the extent to which the SMS is vulnerable to being tampered with, or its functions subverted, is a result of exhibition implementation and policy (e.g., who gets access to the SMS, how it is physically protected by room locks, operator access). The security system requires the SMS and SMS operator to identity itself to the Security Manager. The extent to which this information is reliable is subject to issues outside the scope of the security system and this specification. But the security system structure and standards requirements are appropriately specified to enable policies to regiment these aspects according to any particular security needs, without needing to change or enhance SE device operations or features.

The architecture supports Multiple Media Block (MMB) operation, which refers to the use of the IMB (or IMBO) and one or more Outboard Media Blocks (OMB) to support playout. This enables flexibility to provide media processing beyond that specified for the IMB, including support for multiple projectors within the projection booth.

With MMB, each participating Media Block (e.g., IMB or IMBO and OMB) contains a Security Manager (SM) and Security Entities (SE) which process Digital Cinema Package (DCP) media essence simultaneously with, but independently of, other MBs during playout within a single auditorium. In addition to the appropriate DCP content essence, each MB must be supplied with the Composition Playlist(s) (CPL) and matching KDM(s) to support the entire show (which may consist of multiple compositions). MMB operational requirements are described in Section 9.4.3. .

Figure 15 presents an exemplary security system architecture, inclusive of basic data paths and message communications.

9.4.1.2. Post Playout Log Record Collection 🔗

For playout of any given Show Playlist, evidence of such playout requires a set of security log records that includes logs from all participating Media Blocks (MB). Over time, the movement, replacement, etc., of IMBs, IMBOs and OMBs may make the recovery of full sets of security log records difficult for stakeholders. For example, an IMB and OMB in a Multiple Media Block (MMB) architecture may become disassociated should devices be changed out for maintenance or the projection booth configuration changed.

This specification requires that a specific subset of records shall be collected and stored by the SMS on a daily basis, assuring such logs will be readily available. To avoid confusion and harmonize SMS and MB Security Manager (SM) responsibilities, the collection requirements shall apply to both MMB and non-MMB projection booth configurations.

Detailed requirements of this log collection process, including definitions of the specific subset of security log records, are provided in Section 9.4.2.5.2. (for the SMS) and Section 9.4.3.5.1. (for MB SMs). Requirements of log collection generally are provided in Section 9.4.6.3. .

9.4.2.1. Equipment Suites and Remote SPBs 🔗

The term Equipment Suite was used in connection with authentication of remote SPBs by the SM. With the elimination of link encryption there are no remote SPBs and associated equipment suite, so neither term is used in this specification.

9.4.2.2. The Secure Processing Block (SPB) 🔗

The SPB is defined as a container that has a specified physical perimeter, within which one or more SE and/or other plaintext processing functions are placed (e.g., decryptor, decoder, Forensic Marker). The SPB exists to enclose SEs and other devices in the content path, impede attacks on those SEs, and to protect signal paths between the SEs.

There are two normatively defined SPB types:

• Secure Processing Block type 1 – An SPB type 1 provides the highest level of physical and logical protection. All Media Blocks (as defined below) shall be contained within a type 1 SPB.
• Secure Processing Block type 2 – An SPB type 2 provides a lesser perimeter of protection, for content or security information that does not require the full SPB type 1 protection. SPB type 2 protection shall be provided by projectors.

Secure Processing Blocks (SPBs) shall provide a hard, opaque physical security perimeter that meets minimum security requirements as defined in 9.5.2 Robustness and Physical Implementations . Both SPB types are considered a Security Entity (SE), and shall be assigned a digital certificate per Section 9.5.1. .

9.4.2.3. Media Blocks (MBs) 🔗

The term Media Block 11 [11] (MB) has been used by the Digital Cinema industry in a number of ways. In this Section 9. , it has a very narrow scope: An MB is an SPB that contains a Security Manager (SM) and performs essence decryption, i.e., it contains at least one MD. Other SE functions may also be present within a MB SPB, as described below:

• Image Media Block (IMB) – The Image Media Block (IMB) is a type 1 Secure Processing Block (SPB) that shall contain a Security Manager (SM), Image, Audio and Subtitle Media Decryptors (MD), image decoder, Image and Audio Forensic Markers (FM).
• Image Media Block with OMB Functions (IMBO) – It is encouraged that the IMB perform the content essence processing functions of the Outboard Media Block (OMB) as given in Section 9.4.3.6.4. . An IMBO is an IMB that implements this functionality.
• Outboard Media Block (OMB) – The OMB is a type 1 SPB that shall contain a Security Manager (SM) and one or more Media Decryptors (MD) and associated Forensic Markers (FM) to process (only) those content essence types explicitly designated in Section 9.4.3.6.4. .

9.4.2.4. Security Manager (SM) 🔗

The SM controls Security Data and content access in a manner consistent with the policies agreed upon by the Stakeholders who rely upon it. There is one SM for each Media Block, and Rights Owners (Distribution) shall share the SM(s) for their security needs.

Security Manager functions shall conform to the requirements as given in Section 9.4.3.5. and Section 9.6.1. . The Security Manager is a self-contained system with an embedded processor and real-time operating system. SM functions shall not be implemented outside of the secure environment of a type 1 SPB.

Security Manager software changes and upgrade requirements are given in Section 9.5.2.7. .

9.4.2.5. Screen Management System (SMS) 🔗

Theater management controls auditorium security operations through the Screen Management System (SMS). Because the SMS interacts and communicates directly with the security system, per Section 9.3.3.2. item 1, it is also considered to be a Security Entity (SE) . The SM responds to the directives that Theater Management System (TMS) issues via the SMS. For purposes of simplicity, and subject to the TMS constraint below, this specification uses the term SMS to mean either/both Theater Management System (TMS) or Screen Management System (SMS).

SMS functions are supported by the Operational Message communications of Section 9.4.5. . The SMS shall support Operational Message communications with Media Blocks as follows:

• IMB or IMBO – Except as provided for below in Section 9.4.2.5.2. , the command protocol is not normatively specified, but is encouraged to support messaging as defined by SMPTE 430-17 SMS-OMB Communications Protocol Specification.
• OMB – The command protocol shall be compliant with and support all messaging as defined by SMPTE 430-17 SMS-OMB Communications Protocol Specification.

SMS Requirements:

• The SMS shall carry a DCI compliant digital certificate (see Section 9.5.1. ) to identify the SMS entity to the SM. The SMS certificate shall indicate only the SMS role unless the SMS is contained within a SPB meeting the protection requirements for any other designated roles. In the latter case the SMS shall be considered permanently integrated within said SPB, and the SPB and contained SMS shall be identified by a single certificate that is permanent to both.
• C ommunications between the SMS and Media Block SMs shall be protected using Transport Layer Security (TLS), except in the case of a permanently integrated SMS. (In the latter case the SMS and SM are collocated within the same MB, and the communications are protected within the MB's type 1 SPB.)
• The SMS digital certificate may be permanent to the SMS, or “operator certificates” may be assigned to designated personnel (e.g., using a dongle, smart card, etc.) for association with the SMS.
• For each KDM to be used in the playout of a CPL, the SMS shall confirm that all the content essence keys referenced by the KeyId elements within the AuthenticatedPublic section of the associated KDM are reflected (i.e., must exactly match those listed) in the CPL.
• In the event that Exhibition command and control designs include the TMS as a device that interfaces with the SMs, such a TMS shall be viewed by the security system as an SMS, and it shall carry a digital certificate and follow all other SMS behavior, Transport Layer Security (TLS) and Operational Message communications requirements.
• Identification of the SMS operator for purposes of the “AuthorityID” field (see Section 9.4.6.3.8. ) shall be by:
  • Certificate thumbprint, where “operator certificates” are used, or
  • Username/password or the like, as specified by exhibition management.

SM interaction with the SMS is normatively defined (see Section 9.4.3.5. ) 12 [12] . These include the requirements that:

• The SM provides log records identifying the SMS for which it operates, as well as the AuthorityID field. In the case where “operator certificates” are used, this information is the same (i.e., the digital certificate thumbprint).
• If multiple SMSs are present, exhibition shall designate one to TLS connect with, and be used for identity logging by, all SMs participating in any given showing. Upon request, this SMS shall be responsible for collecting and aggregating all post-show log data from all participating SMs.

9.4.2.6. Projection Systems and Marriage 🔗

From the security perspective, a projection system consists of the projector type 2 Secure Processing Block (SPB) and its “companion” SPB, which will be either the Image Media Block (IMB) or IMB with OMB functions (IMBO). A critical security issue is assuring that the clear text image output of the companion MB goes to a legitimate projection device.

Therefore Section 9.4.3.6.1. , defines a “marriage” process with the companion MB.

The purpose of the marriage is to have a human authority figure supervise the installation of a projection system to assure the physical connection of the two SPBs. At the time of installation the authority figure can provide visual inspection of the projector to assure it has not been tampered with.

Once a projector is installed, the state of marriage is permanent (and electrically monitored) until the authority figure decides to separate the two SPBs (for whatever reason). In addition, this specification establishes logging requirements surrounding projector installation and maintenance functions that record security-critical event information.

It is mandatory that a projection system installation includes the marriage function per Section 9.4.3.6. (noting the permanently married exception provided for in that section). The marriage process shall require the supervision of a human authority figure, who shall examine projectors as part of the marriage process to assure the associated SPB has not been tampered with.

9.4.2.7. Auxiliary Data Processing 🔗

Aux Data (AD) shall be considered essence defined under [SMPTE ST429-14: D-Cinema Packaging -- Aux Data File], subject to the exceptions specified herein. Aux Data is treated as a generic essence type. This means the specific functional requirements for AD decryption and post-decryption processing (e.g., decoding, forensic marking, etc.) must be known for a given implementation, but are out of scope of this specification except as provided for in Section 9.4.3.6.4. .

By way of example, image essence and audio essence (sometimes referred to as main image and main audio to avoid confusion with emerging types of AD), subtitle essence and Object-Based Audio Essence (OBAE) processing requirements are expressly addressed by this specification, and are thus distinguished from generic Aux Data essence types.

Encrypted Aux Data (AD) shall be decrypted only within a Media Block (MB) using the "MDX1" AD essence KeyType delivered by a KDM. (See [SMPTE ST430-1: D-Cinema Operations - Key Delivery Message].) The MDX2 KeyType shall be reserved for future use.

Aux Data that is not encrypted is not subject to the security constraints of this specification.

9.4.3.1. [This Item Left Blank Intentionally] 🔗

9.4.3.2. Pre-show Preparations 🔗

Pre-show preparations include tasks to be performed (well) in advance of show time to ensure adequate lead-time to resolve any issues that might impact the composition showing. These preparations do not prepare an auditorium for a showing, but are designed to provide assurance that all prerequisites for a specific showing have been satisfied.

• Composition Playlist (CPL) and Key Delivery Message (KDM) check(s) – Composition Playlists (CPL) and Key Delivery Messages (KDM) shall be validated by the Security Manager(s) participating in the respective composition playback.
• Composition decryption preparations – Each encrypted composition will have associated with it one or more Key Delivery Messages (KDM), carrying time window constraints, decryption keys, and the projector's authentication data (certificate thumbprint). The SMS, working with the security infrastructure, shall verify that all the KDMs and contained content keys required for playback are available and valid for scheduled exhibitions.
• Show playback preparations – Exhibitors will assemble Show Playlists specific to each exhibition event, containing various compositions (including advertising, trailers, movies, etc.). Because the final Show Playlists may involve many content keys and/or consist of content from different Rights Owners, it is the responsibility of the SMS to confirm that show preparations ensure the auditorium SM(s) confirm possession of all necessary Key Delivery Message(s) ( KDMs) for each composition of the Show Playlist.

The flow chart in Figure 17 is an example of how a system may prepare to execute a Show Playlist. This flow chart is informative. There are other designs that may have different steps or different sequences that will accomplish the same result and meet the requirements of this specification.

9.4.3.3. Show Playback 🔗

Show playback processes include auditorium preparations for the playback of a specific Show Playlist, and the actual run-time security functions that include content decryption, forensic marking, and recording of log data.

• Equipment preparations – The SMS and SM(s) shall prepare for playback prior to each Show Playlist (SPL) showing. This shall include validation of the authenticity and trust status of the projector, and delivery of all necessary KDMs/keys per Section 9.4.3.5. .
• Streaming media decryption – Playback of a show consists of a concatenation of compositions that require serial or (separately) parallel decryption. One or more Media Blocks (i.e., for single IMB or Multiple Media Block (MMB) operation) will be involved.
• Forensic Marking - Each MB shall apply Forensic Marking to image and audio essence and Aux Data (as applicable) during playback .
• Log data recording - Media Blocks shall capture log records as specified in Section 9.4.6.3. .

The flow chart in Figure 18 , is an example of how a system may execute a Show Playlist. This flow chart is informative. There are other designs that may have different steps or different sequences that will accomplish the same result and meet the requirements of this specification.

9.4.3.4. Post Playback 🔗

Post playback activity primarily includes collection of playback event log data.

• Collection of log data: SM – Each IMB and/or IMBO SM shall be responsible for collection of all playback event log data from the projector it supports per Section 9.4.6.3. .
• Collection of log data: SMS – The SMS shall be responsible for post playout log collection per Section 9.4.2.5.2. .

There are no end of engagement requirements placed on the security system. Exhibition may cleanse Screen Management System (SMS) or Theater Management System (TMS) devices, content storage devices, Key Delivery Message(s) (KDMs), etc. according to their own operational needs. Defined security system behavior places controls on Security Data, keys, etc. such that security interests are maintained.

The flow chart in Figure 19 , is an example of those items a system performs following a completed Show Playlist. This flow chart is informative. There are other designs that may have different steps or different sequences that will accomplish the same result and meet the requirements of the specification.

9.4.3.5. Functions of the Security Manager (SM) 🔗

Auditorium Security Managers (SMs) are responsible for overseeing the security aspects of the auditorium they are assigned to (installed in), inclusive of the Secure Processing Blocks they are responsible for and according to the content essence types they are provided to process. For Multiple Media Block (MMB) situations multiple SMs will be present within an auditorium, and each SM operates independently from other SMs in responding to the auditorium’s Screen Management System (SMS) to enable playback of content. The required SM functions are described below, from the perspective of each SM (i.e., not from the perspective of the auditorium). Depending upon the requirements for any given DCP, it will be recognized that for Multiple Media Block (MMB) auditorium situations the services of any single MB may not completely support playout of the DCP. However, individual compliance to these SM functions will assure playout is securely accomplished by the collective services of the auditorium MBs/SMs.

In listing these functions the approach is that of a reference model for SM behavior, meaning that these specifications do not define required implementation methods. A standards-compliant implementation must, however, have the same input/output behavior as the reference model.

Security Manager (SM) Functions:

1. Validate Key Delivery Messages per:
   1. The three validity checks of Section 6.1.2. of the KDM specification [SMPTE 430-1 D-Cinema Operations -- Key Delivery Message], and
   2. Confirming the KDM's CipherData element matches the contents and format of the table of said Section 6.1.2. of the KDM specification.

   Constrain use of KDM content keys per items 4 and 9 below to the SM's confirmation that one of the certificates in the signer chain of the associated Composition Play List (CPL) has a thumbprint that matches the ContentAuthenticator element of the KDM, per Section 5.2.4. of said KDM specification.

2. Security Manager (SM) KDM usage policy is specified as follows:
   1. For any given SM, playout within the associated Media Block (MB) shall be supported by a single KDM (i.e., a playout shall not occur that requires the combination of two or more KDMs). (Note that Multiple Media Block (MMB) operation will require multiple KDMs to support playout across multiple SMs/MBs. Since all KDMs for a given CPL must contain all the content keys for the composition (see Section 9.4.3. ), depending upon its MB configuration the SM may find more essence keys in the KDM and identified in the CPL than it will use.)
   2. For any given composition, playout shall be enabled for any start time that is within the KDM's time window.
   3. To avoid end of engagement issues, a show time’s playout may extend beyond the end of the KDM's playout time window, if started within the KDM playout time window, by a maximum of six (6) hours.
   4. Excepting the requirements of item 2c above, the SM shall delete any KDM and associated keys for which the playback time window has expired (passed).
3. Reject ETM messages that are not recognized as DCI compliant standardized messages.
4. Validate Composition Playlists (CPL), and log results as a prerequisite to the associated composition playback. For encrypted content, validation shall confirm that:
   1. The associated KDM's ContentAuthenticator element matches a certificate thumbprint of one of the certificates in the CPL's signer chain (see item 1 above), and that such certificate indicate only a "Content Signer" (CS) role per Section 5.3.4. "Naming and Roles" of the certificate specification [SMPTE 430-2 D-Cinema Operation - Digital Certificate].
   2. [This item left blank intentionally. The KDM-CPL content essence keys match test has been reassigned to the SMS.]
   3. The CPL meets the two validation requirements defined in Section 5.2.1. of SMPTE 430-5 D-Cinema "D-Cinema Operations – Security Log Event Class and Constraints for D-Cinema. D-Cinema" with the following caveat: When performing Step 9 of Section 6.2 in SMPTE ST 430-2, the desired time of the validation context shall be equal to the IssueDate field of the target CPL (and not the current time). This behavior permits the continued playback of a CPL after the expiration of its signing certificate, but ensures that the signing took place during the certificate's validity period.
5. Process essence (i.e., Track File frame) integrity pack metadata for image and sound during show runtime. Integrity pack deviations (including HMAC, as applicable) detected during playback shall be logged; however, per Section 9.6.1.2. Table 21 , playback should not be prevented or interrupted. For clarity purposes, integrity pack metadata is defined as Track File ID, Frame Sequence and calculated Message Integrity Code (MIC) information to be compared against the reference data contained in the associated CPL. Log information necessary to detect deviations (including restarts) from the actual playback sequence from the Track File ID and reel sequence specified in the CPL as follows:
   1. Image – Process integrity pack information, with the exception that the frame hash (HMAC) check is encouraged but optional.
   2. Audio – Process integrity pack information, including the hash (HMAC).
   3. OBAE – Process integrity pack information, including the hash (HMAC).

   The SM shall disallow or, within 61 seconds, terminate playout of encrypted content when any of the image and sound integrity pack metadata is not present per the requirements of Section 5.3.2.1. - Introduction.

   For purposes of clarity, while detected deviations in integrity pack metadata does not impact playout, the SM shall disallow or terminate playout should it detect any missing integrity pack metadata for the encrypted frame currently being processed. The SMS may direct the SM to resume playout from a subsequent track file frame location. However, playout shall be subject to the same requirement.

6. As of January 1, 2016, Federal Information Processing Standards (FIPS) compliance requirements disallow use of the random number generator (RNG) as specified in [SMPTE ST429-6 D-Cinema Packaging - MXF Track File Essence Encryption]. Additionally, a KDM key type is needed to support encryption of generic Auxiliary Data (AD) essence per [SMPTE ST429-14 D-Cinema Packaging - Aux Data File]. These are addressed by the following requirements for support of KDMs carrying "MIC" and "Aux Data" key types:
   1. Media Block (MB) SMs shall support the receipt and processing of KDMs carrying the MIC and Aux Data (AD) key types. (See [SMPTE ST430-1 D-Cinema Operations - Key Delivery Message].)
   2. MB SMs shall perform the content hash (HMAC) integrity check of above item 5 using the KDM-borne MIC keys if present (and shall not derive the MIC key from KDM content keys).
   3. MB SMs capable of processing KDM-borne MIC keys shall indicate so by including "MIC" in their digital certificate roles (see role definitions of Section 9.5.1.1. ).
   4. MB SMs shall not implement the Random Number Generator (RNG) defined (for the purpose of MIC key derivation) in [SMPTE ST429-6: D-Cinema Packaging - MXF Track File Essence Encryption].
   5. When receiving a KDM type that does not contain a MIC key, MB SMs shall perform all the content integrity checks specified in above item 5 except the hash (HMAC) check.
7. Authenticate the projector by confirming the projector certificate thumbprint carried in the KDM matches that received from the projector via the marriage connection. Content owners may optionally allow the SM to automatically assume trust in the projector that it's married to. To support this feature, a unique "assume trust" certificate thumbprint is specified as the "SHA-1 of the empty string". The Base64 value of this string shall be "2jmj7l5rSw0yVb/vlWAYkK/YBwk=" for this exclusive use.
8. [This Item Left Blank Intentionally]
9. The SM shall constrain playout of encrypted content to:
   1. Media Decryptors (MD) within the SM’s SPB (i.e., under no circumstances shall an SM export any KDM-borne essence key from the SM’s SPB).
   2. Specific MDs matching the KeyType IDs as designated by the KDM, per Section 5.2.8. of the KDM specification [SMPTE430-1 D-Cinema Operations - Key Delivery Message].
   3. Receipt by the SM of a valid KDM and CPL for the composition being prepared for playback per items 1 and 4 above.
10. [This Item Left Blank Intentionally]
11. [This Item Left Blank Intentionally]
12. Maintain secure time per Section 9.4.3.7. .
13. Execute log duties per Section 9.4.6.3. .
14. Execute Forensic Marking (FM) control operations per Section 9.4.6.2. .
15. [This Item Left Blank Intentionally]
16. [This Item Left Blank Intentionally]
17. [This Item Left Blank Intentionally]
18. Perform and log all the above functions under the operational (not security) control of the particular SMS designated by the exhibition operator per Section 9.4.2.5. .

9.4.3.6. Functional Requirements for Secure Processing Block Systems 🔗

Each type 1 Secure Processing Block (SPB) can be considered an SPB system, since it operates as a collection of SEs. Similarly, the projector also has its associated type 2 SPB, which does not contain SEs, but fulfills security functions as described below. (Secure Processing Block types are defined in Section 9.4.2.2. ).

This section defines the functions and operational requirements for the following SPB systems:

• Projector Secure Processing Block (SPB)
• Image Media Block (IMB) and IMB with OMB functions (IMBO) Secure Processing Block (SPB)
• Outboard Media Block (OMB)

In addition to the specific requirements given for SPB systems in this section, all SPB systems shall meet the behavior requirements of Section 9.6.1. Digital Rights Management.

9.4.3.7. Theater System Clocks and Trustable Date-Time 🔗

Note: Nothing in this section shall require that the user interfaces of the SMS or TMS use UTC. It is envisioned that these will use local time.

To ensure playback times and event log time stamps are time-accurate, means must exist to maintain proper security system time. Time shall mean UTC (Coordinated Universal Time). See ASN.1 standard syntax for transferring time and date data “GeneralizedTime” and “UTCTime”.

• All security transactions conferring date-time information (e.g., KDM time window) shall be UTC.

Image Media Block (IMB), IMB with OMB funcitions (IMBO) and Outboard Media Block (OMB) Security Managers shall each be responsible for maintaining secure and trusted time for their respective MBs. Additional security system clock requirements are:

• Each IMB, IMBO and OMB clock shall be set by the MB vendor to within one second of UTC using a reference time standard (such as WWV). The clock shall be tamper-proof and thereafter may not be offset from UTC or otherwise reset 14 [14] .
• In order to maintain synchronism between auditoriums, Exhibition shall be able to adjust a Security Manager’s time a maximum of +/- six minutes within any calendar year. Time adjustments shall be logged events.
• The IMB, IMBO and OMB Security Manager (SM) clocks shall have the following capabilities:
  • Resolution to one second
  • Stability to be accurate +/- 30 seconds/month
  • Date-Time range at least 20 years
  • Battery life of at least 5 years
  • Battery can be changed without losing track of proper time
  • Proper time stamping of log events shall not be interrupted during a clock battery change process.

9.4.4.1. Special Auditorium Situations 🔗

“Special Auditorium Situations” (which supported multiple projector operation) were enabled in conjunction with Link Encryption (LE) functionality, which is no longer supported by this specification. Use of more than one projector in an auditorium is enabled via Multiple Media Block (MMB) operation.

9.4.5.1. [This Item Left Blank Intentionally] 🔗

9.4.5.2. [This Item Left Blank Intentionally] 🔗

9.4.5.3. [This Item Left Blank Intentionally] 🔗

9.4.6.1. Forensic Marking 🔗

These specifications require that image, audio and Aux Data Forensic Marking (FM) capability be included (as applicable) in each Media Block. The security system identifies content marking devices (e.g., Forensic Marking embedders) as the “FM” Security Entity (SE) type.

Multiple solutions may be qualified and will allow Media Block solutions providers to select the solution of their choice. Candidate providers should meet with individual studios to discuss RAND and technical suitability of their approach.

Note: DCI reserves the right, at some future time, to require a specific Forensic Marking insertion solution for Digital Cinema systems.

At a minimum, Forensic Marking systems are required to meet the following:

9.4.6.2. Forensic Marking Operations 🔗

There may be differing circumstances surrounding the desire by a Rights Owner to forensically mark content. To accommodate these variations, it is necessary to be able to independently control the activation of both the audio and the image Forensic Marking (FM). The following rules shall be normative for Forensic Marking operations:

1. The SM shall be solely responsible for control of FM marking processes (i.e., “on/off”), and, subject to item 2 below, command and control of this function shall be only via the KDM per item 3 below.
2. Forensic Marking shall not be applied to non-encrypted audio or image content. If portions of a composition are encrypted and other portions are not, FM shall not be applied to those Track Files that are not encrypted.
3. Forensic Marking shall otherwise be applied to all encrypted picture and audio content, except as follows:
   1. The "no FM mark" and "selective audio FM mark" state shall be commanded by the 'ForensicMarkFlagList' element of the KDM.
   2. When the KDM 'ForensicMarkFlagList' indicates the "no FM mark" command, the FM device(s) shall enter a full bypass mode, and shall not alter the content essence for the associated encrypted DCP.
   3. When the KDM 'ForensicMarkFlagList' indicates the "selective audio FM mark" command, the audio FM device(s) shall not impose, in the associated encrypted DCP, any mark onto audio channels above the channel indicated in the command, per (d) below. This paragraph shall override (b) above if both the "no FM mark" and "selective audio FM mark" commands are present.
   4. The "selective audio FM mark" command shall be indicated by the presence of a ForensicMarkFlag element containing a URI of the form:
      http://www.dcimovies.com/430-1/2006/KDM#mrkflg-audio-disable-above-channel-XX
      where XX is a value in the set {01, 02, 03, 04, 05, 06, 07, 08, 09, 10, 11, 12, 13, 14, 15, 16 . 99} and corresponds to a channel identifier within the track, per 382M-2007 table E.1, as wrapped in a Sound Track file of the associated encrypted DCP. URIs of this form shall be used in conjunction with keys of KeyType "MDAK". A KDM shall carry only one such ForensicMarkFlag element.
   5. Forensic Marking for OBAE shall not be “selective,” it is applied (or not) to all channels and objects. When applied, the forensic mark shall be recoverable from any Media Block rendered audio output.
4. “No FM mark” states shall be capable of being independently commanded for audio or image compositions.
5. When commanded, the “no FM mark” state shall apply to the entire encrypted DCP. The “no FM mark” state shall not apply to any other DCP, even if the other DCP is part of the same showing (i.e., same Show Playlist).
6. [This Item Left Blank Intentionally]
7. [This Item Left Blank Intentionally]
8. The SM and FM Security Entities shall log the presence or absence of image, audio and Aux Data (AD) Forensic Marking for each encrypted DCP.
9. Notwithstanding the exceptions defined in Section 9.4.6.2. , all decrypted audio shall be forensically-marked. A Forensic Mark is required to be inserted in real time into the audio content at the earliest point after decryption and prior to the audio content data being present on any data bus outside the Media Block (see Section 9.4.6.1. ).

9.4.6.3. Logging Subsystem 🔗

In the Exhibition environment, the preparations for and execution of a movie showing creates information that has security and forensic implications. The capturing and storage of such information is the responsibility of the logging subsystem, which is executed by Media Block (MB) Security Managers (SM). In order to realize a “control lightly/audit tightly” end-to-end security environment, the security system includes a secure logging subsystem.

Cryptographic technology as applied to essence and key delivery, together with agreed upon usage rules provides the “control lightly” characteristics. The function of a logging subsystem is to respond to the “audit tightly” requirement. Logging is therefore observed as a critical component of security, and secure logging information and surrounding processes are subject to the same fundamental cryptographic requirements as the front end control components: cryptographic protection of critical functions and data components related to integrity, data loss, confidentiality and movement.

This section sets the logging subsystem requirements for security log data recording and reporting. All requirements shall apply equally to the IMB, IMBO and OMB, which are referred to in this section as Media Blocks (MB). References to Secure Processing Devices (SPB) are inclusive of MBs and display devices. The log information data formats and structures to be used in conjunction with these requirements are defined in two SMPTE standards:

• SMPTE 430-4 D-Cinema Operations - Log Record Format Specification for D-Cinema
• SMPTE 430-5 D-Cinema Operations - Security Log Event Class and Constraints for
  D-Cinema

SMPTE 430-4 defines the general format for log classes for digital cinema. SMPTE 430-5 defines the specific requirements for the security log class. All log requirements and terminology of this section are with respect to the SMPTE 430-5 security events class constraints specification.

Definitions related to logging:

• Log Event – Any event that has security implications or forensic value. Such an event results in the recording of log data.
• Log Data – Security event information that is recorded and stored within the Media Block (MB), where such an event took place or was observed.
• Log Record – Standardized XML structure representing a discrete logged event.
• Log Report – Standardized XML structure containing one or more log records spanning a continuous sequence in time. The log record content in a report is intended to be organized by class, and may be filtered prior to delivery according to specified criteria (Rights Owner, CPL, etc.).

Following the above definitions, a basic logging process is described:

• Surrounding a showing will be a number of security events that result in logged data. Discrete logged event data shall be placed in an XML structure called a record.
• A number of records are collected in sequence and by class to make up log reports.
• A complete (unfiltered) report is useful for transferring entire sets of log data for archiving or post-processing outside of the security system.
• A “filtered” report is useful for responding to a request for log data according to specified bounds (e.g., report the MB key usage records for CPL(id) for specific date(s) and time(s)).

9.5.1.1. Single Certificate Implementations 🔗

Single certificate implementations shall employ one Digital Cinema certificate in each Secure Processing Block (SPB). The requirements for use of a single SPB certificate are provided in the appropriate sections of this specification .

The identity of a device shall be represented by its certificate. The make and model of each certificated device shall be carried in the assigned certificate, and the serial number and device role(s) (see below) shall in particular be carried in the Common Name (CN) field of the assigned certificate. The make, model and serial number of each certificated device shall be placed on the exterior of said device in a manner that is easily read by a human, and this information shall at all times match that in the device's digital certificate.

Each SPB shall enumerate the security functions of the SPB according to SMPTE 430-2 D- Cinema Operations – Digital Certificate, Section 5.3.4. . For purposes of efficiency, SE types shall be minimally designated according the following roles:

• IMB, IMBO or OMB - SM
• Projector to be married - PR
• Projector permanently married to an IMB or IMBO - PR SM

The following role(s) shall be included for the IMB, IMBO and OMB, as applicable:

• KDM-borne Message Integrity Code key capable MB – MIC
• "Reserved" identity certificate (see Section 9.5.1.3. ) – RES

Note:

• The designation of other roles is optional.

9.5.1.2. Dual Certificate Implementations 🔗

Dual (two) certificates are used only with the Image Media Block (IMB), IMB with OMB functions (IMBO) and Outboard Media Block (OMB), and no other SPB types are affected. Dual certificate implementations split the utility of digital certificates between the two certificates. Dual certificate utility shall be as follows:

• Security Manager Certificate (SM Cert) – The SM Cert shall be used according to the same requirements as those for the above Section 9.5.1.1. , except for those functions specified for the below Log Signer Certificate. The SM Cert shall be the certificate associated with the identity of the Media Block and shall be the target of Key Delivery Messages (KDM).
• Log Signer Certificate (LS Cert) – The LS Cert shall be used to sign security log records per the requirements of Section 9.4.6.3.3.

The Log Signer Certificate shall enumerate the LS (Log Signer) role.

In addition to the above, dual certificate implementations require Digital Cinema certificate validation rules that may not be reflected in the current SMPTE digital cinema specification (see DCSS Section 9.8., SMPTE 430-2: “D-Cinema Operations – Digital Certificate”). The affected validation rule is driven by the “Key Usage” constraints as given in Table 2 of SMPTE 430-2 (“Field Constraints for Digital Cinema Certificates”), which is then reflected in validation rule # 6 of Section 6.2. . For dual certificate implementations validation rule # 6 shall be as stated in SMPTE 430-2 for single certificate implementations, except as follows:

• SM Cert – The DigitalSignature flag shall not be set.
• LS Cert – The KeyEncipherment flag shall not be set.

9.5.1.3. Media Block Identity Certificates 🔗

Media Blocks shall contain a minimum of two RSA key pairs associated with the SM role, either pair of which can be used with an identity certificate(SM Certificate). In other words, the MB shall have a minimum of two identity certificates, and shall respond as normal to the receipt of a KDM targeted to either identity (as distinguished by the respective RSA key pairs).

One identity certificate shall be published, and the other shall not be published and be reserved for future use as designated by DCI. The reserved certificate shall carry the “RES” role in addition to the roles enumerated by the published certificate.

9.5.2.1. Device Perimeter Definitions 🔗

Security equipment designs must provide physical perimeters around secrets not cryptographically protected. The following definitions explain terminology used for tamper protection of physical perimeters. Specific tamper requirements for SPB types 1 and 2 are given in subsequent Sections of Section 9.5.2. .

• Tamper evident – Penetration of the security perimeter results in permanent alterations to the equipment that are apparent upon inspection. This is the least robust perimeter, since it only reveals an attack after-the-fact, and depends on a specific inspection activity.
• Tamper resistant – The security perimeter is difficult to penetrate successfully.
  Compromise of effective tamper resistant designs requires the attacker to use extreme care and/or expensive tooling to expose secrets without physically destroying them and the surrounding perimeter(s).
• Tamper detecting and responsive – The security perimeter and/or access openings are actively monitored. Penetration of the security perimeter triggers erasure of the protected secrets.

9.5.2.2. Physical Security of Sensitive Data 🔗

Sensitive data critical to the security of the Secure Processing Block (SPB) (e.g., private keys or content keys) is generically referred to as a Critical Security Parameter (see Section 9.5.2.6. ). CSPs and plain text content essence shall be physically protected by Secure Silicon and/or Secure Processing Blocks as described below:

• Secure Silicon – Sensitive data contained within a Secure Silicon integrated circuit (IC) can only be compromised by a physical attack on the IC. All type 1 and type 2 Secure Processing Blocks (SPB) shall contain a Secure Silicon IC compliant to the following requirements:
  1. Secure integrated circuits used for Digital Cinema security applications shall meet FIPS 140-2 or 140-3 level 3 “Physical Security” area requirements as defined for “single-chip cryptographic modules”. (No other FIPS area requirements are mandated.)
  2. SPB private keys used for device identity (see Section 9.5.1. ) shall not exist outside of the Secure Silicon IC. For purposes of clarity, this means that (1) private keys (whether encrypted or not) shall not be moved or copied from Secure Silicon, and (2) the CipherValue element(s) of the KDM’s AuthenticatedPrivate element shall be decrypted by and within the Secure Silicon IC.
  3. Decrypted (plain text) content keys may be moved from the Secure Silicon IC for purposes of decrypting essence during playout only. They shall at all other times be contained within the Secure Silicon IC, or be stored off-chip in an encrypted fashion per the requirements of Section 9.7.4. .
• Secure Processing Block (SPB) Hardware Module – Sensitive data will only be exposed by penetration of a physical barrier, which surrounds the electronics.
  1. All Secure Processing Block (SPB) module designs shall implement hardware module perimeter protection that prevents access to internal circuitry and detects opening of the module perimeter. Further protection of keys and clear text content should use techniques such as burying sensitive traces, applying tamper resistant integrated circuit coverings, and tamper responsive circuitry. Detailed SPB type 1 and SPB type 2 physical protection requirements are defined below in Section 9.5.2.4. and Section 9.5.2.5. .
• Software – Protection implemented in software can be compromised through modifications to the software, inspection of memory, or monitoring of bus signals.
  1. Software protection methods shall not be used to protect Critical Security Parameter or content essence.

9.5.2.3. Repair and Renewal 🔗

The following address restrictions on repair and renewal of Secure Processing Blocks (SPBs) and associated cryptographic parameters:

• Type 1 SPBs may be field replaceable (as an entire SPB module) by Exhibition, but shall not be field serviceable (e.g., SPB type 1 maintenance access doors shall not be open-able in the field).
• The secure silicon device, contained within a SPB type 2, shall not be field serviceable, but may be field replaceable. It shall not be accessible during normal SPB type 2 operation or non-security-related servicing.
• Repair and renewal processes for an SPB type 1 and SPB type 2 shall be performed under the supervision of the security equipment vendor. Maintenance of the SPB type 2 (projector) is permitted for non-security components accessible via maintenance openings.
• All type 1 SPBs shall be issued a new private/public key pair and certificate upon any repair or renewal process that requires opening of the SPB perimeter. (Note that Section 9.7.6. precludes maintaining records of private key information.)

Repair and renewal is limited to failed devices, or devices which have lost or zeroed their secrets (e.g., private keys or digital certificates). Such maintenance does not effect the device’s FIPS 140-2 certification or compliance, as long as Section 9.5.2.5. requirements are met. Requirements for firmware changes to SPBs are given in Section 9.5.2.7. .

9.5.2.4. Specific Requirements for Type 2 Secure Processing Blocks 🔗

The SPB type 2 container has been defined specifically for protection of image essence exiting either an Image Media Block (IMB) or IMB with OMB functions (IMBO) (companion SPB to the projector SPB) and entering the projector. The purpose of this SPB is to protect the image essence signal as far as practical, recognizing that "all the way to light" production is not possible. It is also preferable not to impose formal FIPS 140-2 requirements on this SPB, as the security and signal flow functions are relatively simple.

General requirements for SPBs are defined in Section 9.4.2.2. and Section 9.5.2.2. . Specific requirements for projection systems are defined in Section 9.4.3.6.1. . As explained there, the type 2 SPB – also referred to as a projector SPB - is permitted to be opened for maintenance. To assure adequate protection of signals and circuits within the projector SPB, the following address physical requirements, and are in addition to those of the above noted sections:

• The projector SPB shall be designed for two types of access: "security servicing" and "non-security servicing." Security servicing is defined as having access to Security-Sensitive Signals, which are the companion SPB's output image essence signals or image signals derived from said output signals, or the projector SPB security access opening/detection circuits and associated signals.
• For non-security servicing (i.e., maintenance), Security-Sensitive Signals shall not be accessible via the SPB's maintenance door opening(s). In other words, there shall be a partition that separates security-related signals/circuits from non-security related maintenance accessible areas, which shall serve as the boundary of the type 2 SPB and deny access to Security-Sensitive Signals, without causing permanent and easily visible damage.
• Security servicing shall trigger a security access opening event per Section 9.4.3.6.1. , and be performed only under the supervision of the projector manufacturer per Section 9.5.2.3. . The triggering and clearing (i.e., reset) of a security access opening event shall be respectively logged as an "SPBOpen" and "SPBClose" security log, per Section 9.4.6.3.8. .
• Projector SPB access doors or panels shall be lockable using mechanical locks employing physical or logical keys, and shall be protected with tamper-evident seals (e.g., evidence tape or holographic seals). Alternatively, projector SPB access doors or panels shall be lockable using pick resistant locks employing physical or logical keys.
• Protection from external probing of Security-Sensitive Signals shall be provided by assuring barriers exist to prevent access to such signals via ventilation holes or other openings.

In summary, the projector SPB physical perimeter provides for unencumbered maintenance access, and security-critical signals are protected via security access opening door locks and opening detection. Exhibition visual inspection is relied upon to detect physical abuse that might allow compromise of, or access to, decrypted image essence.

9.5.2.5. FIPS 140 Requirements for Type 1 Secure Processing Blocks 🔗

Robustness requirements for type 1 Digital Cinema Secure Processing Blocks (SPBs) shall meet the requirements of Federal Information Processing Standards 140 (FIPS 140), which specifies the security requirements for a cryptographic module utilized within a security system protecting sensitive information in computer and telecommunications systems. There have been several iterations of FIPS 140, referred to as FIPS 140-1, FIPS 140-2 and FIPS 140-3 respectively . To become FIPS certified, type 1 SPB cryptographic modules shall be evaluated by a FIPS accredited laboratory against a then-active FIPS 140 version. 18 [18]

Once an SPB has received FIPS 140 certification, this specification considers its certificate valid for subsequent production of that model, independently of whether or not FIPS 140 certification processes have changed. However, FIPS guidelines mandate that design changes made to an SPB may require recertification of the device. In such event the then-active FIPS 140 certification requirements shall be used in obtaining a valid FIPS certificate to meet the requirements of this specification.

Suppliers are advised that a FIPS certified cryptographic module that has not been reviewed by an accredited FIPS laboratory within five years of its certification date will be automatically moved from the FIPS 140 “active” module status list to the “historical” list until such time as it is reviewed. Though a historical listing does not impact a module’s status with respect to its approval for Digital Cinema applications, suppliers are encouraged to maintain their SPB type 1 devices on the FIPS 140 active list.

General FIPS 140 requirements:

• Type 1 SPBs shall be FIPS 140 certified to a security “Level 3,” subject to the additional requirements or exceptions as noted for FIPS 140-3 and FIPS 140-2 in Section 9.5.2.5.1. and Section 9.5.2.5.2. below.
• Type 1 SPBs shall provide physical and logical protection of their security parameters and functions 24/7 and shall be able to respond to attacks under both powered and un-powered conditions. By way of example, if a type 1 SPB is in storage and relying upon a battery for tamper detection and response, it shall zeroize its Critical Security Parameters (CSPs) prior to a battery depletion condition which would not support proper tamper detection and/or response.
• Type 1 SPB suppliers shall at all times ensure that their published FIPS Security Policy document(s) accurately reflect the current state of the SPB design and functionality.
  

9.5.2.6. Critical Security Parameters and D-Cinema Security Parameters 🔗

A requirement of FIPS-140-2 is to list the Critical Security Parameters (CSP) that are important for the security of Digital Cinema cryptographic module(s) (Secure Processing Block) and its functions. The following CSPs shall receive Secure Processing Block (SPB) type 1 protection, whenever they exist outside of their originally encrypted state.

1. Device Private Keys – RSA private key that devices use to prove their identity and facilitate secure Transport Layer Security (TLS) communications.
2. Content Encryption Keys – KDM AES keys that protect content.
3. Content Integrity Keys – HMAC-SHA-1 keys that protect the integrity of compressed content (integrity pack check parameters).
4. [This Item Left Blank Intentionally]
5. [This Item Left Blank Intentionally]
6. [This Item Left Blank Intentionally]

The following items are not considered FIPS 140-2 CSPs, but are considered D-Cinema Security Parameters, and shall at all times be protected by a type 1 SPB perimeter (except where log data is extracted per Section 9.4.6.3. ).

1. Watermarking or Fingerprinting command and control – Any of the parameters or keys used in a particular Forensic Marking process.
2. Logged Data – All log event data and associated parameters constituting a log record or report.

9.5.2.7. SPB Firmware Modifications 🔗

In addition to the “limited” or “non-modifiable” Operational Environment requirements of FIPS 140, the following defines additional requirements for making software or firmware changes to type 1 Secure Processing Blocks (SPB) 20 [20] .

The following defines the requirements for making firmware changes to these security devices. FIPS 140-2 constrained devices shall:

• Be designed such that their firmware cannot be modified without the knowledge and permission of the original manufacturer.
• Require a Digital Cinema compliant certificate that authenticates and confirms the identity of the authority figure responsible for making a firmware change, and shall include time/date and version number information associated with any firmware change, in addition to the authority figure.
• Not undergo firmware changes without informing potentially affected information bases that support Digital Cinema equipment operations (e.g., databases used by stakeholders for facility lists, KDM and TDL creation), and the owner of the device.
• Log the firmware change event per the requirements of Section 9.4.6.3.8.
• Follow FIPS 140-2 certification body change notification requirements regarding modifications to security devices. Undergo re-certification if required.

9.6.1.1. Digital Rights Management: Screen Management System 🔗

The Screen Management System is responsible for managing Exhibition functions such as showtime movie playback, and is under the control of the Exhibitor. The Screen Management System manages playback functions via the Security Manager(s), however the Security Manager is at all times in control of and responsible for security functions and events. The full complement of Exhibition operational events therefore consists of those under the control of the Security Manager(s) and those under the control of the Screen Management System.

9.6.1.2. Digital Rights Management: Security Manager (SM) 🔗

The Security Manager is the executor of Digital Rights Management for the Media Block that contains it. Security Managers control use of content keys to enable playback of encrypted content. Keys are considered active for the business defined play period. Subject to security equipment authentication, proper operation, and integrity checks (see Section 9.4.3. ), the Security Manager exercises no control over playback, other than use of content keys during the valid play period. Under private business negotiations, a Distributor may provide keys for selected or all Security Managers (i.e., projectors) in a complex.

The above table depicts events related to the Security Manager and the system’s behavior. A film will not play-out if there is a failure in any of the items in rows 1, 2 and 3 due to wrong location (row 1), wrong date/time (row 2), or the attempted use of an unauthorized projector (row 3). In the event of modification in a movie file (row 4), the file should be replaced, but there are no Security System controls preventing an Exhibitor from playing-out a modified file. This event, like all security events, will be logged.

9.6.1.3. Digital Rights Management: Security Equipment 🔗

Security equipment (Media Block or projector) must perform to specified standards and function as designed. The Security Manager will continuously monitor for proper security equipment operation and physical integrity (tampering). Content playback is restricted to passing all security requirements at all times .

The above table depicts tampering or failure of security equipment. Security equipment that has been tampered with or is malfunctioning (row 1) shall not continue operation and must be replaced before playback can commence (or continue). An example of malfunctioning security equipment is a Media Block that no longer performs one of its security functions (e.g., decryption, Forensic Marking, logging). Similarly, the SM shall prohibit playout if the MB-projector marriage is broken or become compromised (row 2).