Content Decryption#

Server Certificates#

easyDCP Player+ allows playing back encrypted content. Each Digital Cinema play-out system or mastering station has its own private key and public key, and so does each easyDCP Player+ installation. The private key is known only to the play-out system, whereas the public key is contained in a public server certificate and may be distributed to content providers. When content providers choose to encrypt a DCP, they need to somehow provide the decryption keys (there is one key for every encrypted track file) to the play-out system. To ensure that no one else is able to read these sensitive decryption keys, they are themselves encrypted in a way that only the targeted play-out system is able to decrypt them. To do this, the content provider will need the play-out system’s public server certificate. This encrypted message is called a Key Delivery Message (KDM). easyDCP Player+ will keep all ingested KDMs in a repository (key repository subfolder in easyDCP Player+ application data folder. See 4.3) so that encrypted DCPs can be viewed multiple times without having to re-ingest the keys each time. KDMs will not be removed from the repository after they expired, but an expired KDM will no longer grant access to the DCP.

When easyDCP Player+ is first started, it does not yet have a server certificate set. The demo edition does not allow playback of encrypted content. Only in the commercial edition, server certificates can be requested from Fraunhofer support by clicking “Request License & Certificates” within the “Activation Status” pane inside the options dialog. The process is described in a screen cast at www.easydcp.com.

Unique private and public keys will be generated and provided to you online. The received license and certificate set (a Zip file) can be imported via drag & drop (or within the options dialog, “Activation Status” with „Import License & Certificates“).

The certificates are created and signed by Fraunhofer IIS. Fraunhofer IIS will delete the private key immediately, and keep the public leaf certificate in a database. The certificate is digitally signed by a chain of Fraunhofer certificates. These certificates are referred to as a certificate chain and this certificate chain, even though already included in the public server certificate, is additionally saved in a separate file. These certificates are meant for commercial use as they state the licensee’s URL and have a unique serial number that links the certificates to the license. These server certificates are tied to the licensee’s computer, using the easyDCP system hash. If the license should need to be migrated to another system, a new certificate set will have to be requested. A migration is possible in the user account at www.easydcp.com. Since the private key is very sensitive, it is asynchronously encrypted using a combination of easyDCP Player+ internal keys and a password selected by the user during the License & Certificates request. Likewise, if the user chooses to store their password, it is first asynchronously encrypted. The user password needs to have 6 to 20 letters and cannot be changed after it was created.

All mentioned files are stored in the user application data folder’s certificates subfolder (see 4.3). Hence, the OS user management can be used to maintain multiple sets of certificates simultaneously. In order to easily determine which files belong together, they are each identified by a unique ID. The ID of the set that is currently used by easyDCP Player+ is also listed in the “About” dialog (hit ‘F6’).

  • easydcpexport_<ID>.privkey.pem contains the encrypted private key

  • easydcpexport_<ID>.cert.sha256.crt is the public server certificate

  • easydcpexport_<ID>.chain.sha256.pem contains the certificate chain

  • easydcpexport_<_<ID>.privkey.passwd contains the encrypted user password.

When easyDCP Player+ is uninstalled, none of these files will be removed. If the user password file (*.passwd) is manually deleted, the user will simply be prompted for the password again the next time a KDM is ingested or an encrypted DCP is opened.

On demand, we can also offer the easyDCP Player+ NE edition, where “NE” stands for “No Export”. It contains all the features of easyDCP Player+ except for the export. It’s certificate prefix (stated in the filename as well as in the certificate itself) is “easydcpnoxport_” as opposed to “easydcpexport_”. This way, content owners easily distinguish which edition they issue a KDM for.

KDM Management#

Player

“Ingest Content Keys” pops up a file browser and lets you ingest content key files (Key Delivery Message or easyDCP Digest).

Drag & Drop: You can also ingest multiple Key Delivery Messages (KDM) or easyDCP Digests by simply dragging & dropping them onto the canvas.

The option “Export Public Server Certificate” will copy both the public leaf certificate (easydcpexport_<id>.cert.sha256.crt) and the signature chain (easydcpexport_<id>.chain.sha256.pem) to the selected folder. The signature chain contains the leaf certificate as well as intermediate certificates and the root certificate. You may safely distribute these certificates to content providers who want to issue a Distribution KDM to your easyDCP Player+ installation. When issuing (D)KDMs with easyDCP KDM Generator, place only the leaf certificate file (*.crt) into the server certificate’s folder or just drag and drop it into the corresponding input form.

For a description of how to request your custom certificates, please refer to chapter 4.2. For more details on the decryption workflow, please refer to chapter 9.

The option “Open Key Repository” opens the key repository in a Windows Explorer / Finder window. All ingested Key Delivery Messages (*.xml, *.kdm) and easyDCP Digests (*.dcpdig) will be stored in this folder and renamed according to the contained CPL UUID (digests with keys for multiple CPLs are duplicated). Expired key files can be deleted from here manually when easyDCP Player+ is not running.

On this page