@zhongdao
2021-12-09T22:50:15.000000Z
Tags: DCP, kdm, encryption, xml
Install XMLSpy to make it easier to inspect XML files.
Install DCP-o-matic, a currently popular tool for DCP packaging and KDM encryption; its website describes it as "Free, open-source DCP creation from almost anything."
DCP, Digital Cinema Package
KDM, Key Delivery Message
A Digital Cinema Package (DCP) contains high quality audio-visual files in the Material Exchange Format (MXF). The preferred format for picture is SMPTE (JPEG 2000). Audio is usually supplied as a 24-bit linear PCM multichannel WAV file. Encryption with 128-bit AES-CBC is optional.
When the Digital Cinema Package is encrypted the ability to playback files is controlled by a separate Key Delivery Message (KDM). The KDM is in XML format and contains the decryption keys for a specific projector or device including the period of validity. This ensures that the media cannot be used at another location or outside the agreed performance dates.
Software used for DCP and KDM creation includes: AutoDCP, CineAsset, Cinemaslides, CuteDCP, DCP-o-matic, Dolby SCC2000, DVS Clipster, easyDCP Creator, OpenDCP, and QubeMaster.
These are the audio/video file standards of the film industry.
The Digital Cinema Package (DCP) carries the picture, audio and subtitle files; the Key Delivery Message (KDM) distributes the encryption keys.
KDM is also defined as follows:
DRM for Cinema, Key generated between a DCP and a MB (Media Block = projection system), Contains business information, like time window for showing the content.
The MXF files hold the converted standard video and audio essence.
AES encryption is applied to every MXF file. The keys are delivered through the KDM and transmitted to the projector. A KDM is an XML file that can only be opened by the target device. Each KDM is tied to one playlist and specifies the correct start and end time for projection.
DCP playback process
Filename explanation
The KDM is based on the D-Cinema generic Extra-Theater Message (ETM) format. By using the standardized XML Encryption and XML Signature sections, it represents the content keys and the TDL (trusted device list) information in XML. KDM messages use X.509 digital certificates to provide authentication and trust.
A KDM comprises three basic kinds of information, namely:
The basic KDM information flow is shown in the figure below:
The relationship between the CPL and the KDM structure is shown in the figure below:
See SMPTE 430-1 and SMPTE 430-3.
Description of the authenticated and encrypted information in a KDM file
This segment of the ETM shall be digitally signed, and trust in the signature can be verified using the certificate chain in the Signature portion. This portion is encrypted before being transmitted. The word “private” that appears in the XML label for this segment means that only a specified set of recipients is able to decrypt and view this information.
The formal XML definition is given in Annex C. Figure 3 is an informative illustration of the appropriate code section from that annex.
Anyone can verify the signature on the ETM and validate the certificate chain to decide whether the message has been modified and whether it was created by a trusted entity. However, only an entity that knows the private key of one of the recipients can decrypt this portion of the message.
This segment contains zero or more EncryptedKey fields and at most one EncryptedData field. The EncryptedKey field defines data (that includes an AES key) that is encrypted by the RSA algorithm and the Encrypted Data field defines data (if any) encrypted by the AES algorithm. It is a standard cryptographic security practice to use two encryption algorithms (RSA and AES) to get the key management benefit of using RSA and the performance benefits of using AES.
Anyone can verify the KDM's signature and certificate chain to confirm whether the message has been modified and whether it was created by a trusted entity; however, only a recipient holding the private key can decrypt the message.
For a KDM the EncryptedData part of the XML can be ignored; each EncryptedKey element carries one content key together with its associated information. A KDM file has only one recipient.
The EncryptedKey element in a KDM is described in detail as follows:
It contains the KeyInfo, CipherData and EncryptedData fields.
See the SMPTE 430-1 standard, section 6.1, EncryptedKey.
The CipherData field is made up of fixed-length plaintext fields concatenated one after another, in the following order:
1. Structure ID: a fixed 16-byte (128-bit) identifier.
2. The hash of the certificate and public key, in binary form.
3. The CPL's UUID, in binary form.
4. KeyType: a 4-byte byte string.
5. KeyID: a UUID in binary form.
6. The start time.
7. The end time.
8. The content key.
The lengths of these eight fields add up to 138 bytes in total.
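To make the field layout above concrete, here is an added Python example (not code from the original post, nor from DCP-o-matic) that packs and parses the 138-byte CipherData plaintext that remains once the RSA layer has been removed, and checks a playback time against the validity window. The field sizes the page does not state are taken from the SMPTE 430-1 table; the sample values are constructed placeholders.

```python
import uuid
from datetime import datetime

# CipherData plaintext layout (SMPTE 430-1, sec. 6.1): the page gives 16 bytes for
# Structure ID and 4 for KeyType; the other sizes are the standard's, 138 in total.
FIELDS = (
    ("structure_id", 16),       # fixed 128-bit structure identifier
    ("signer_thumbprint", 20),  # SHA-1 thumbprint of the KDM signer's certificate
    ("cpl_id", 16),             # CPL UUID in binary form
    ("key_type", 4),            # 4-byte ASCII tag, e.g. MDIK for picture keys
    ("key_id", 16),             # KeyId UUID in binary form
    ("not_valid_before", 25),   # ISO 8601 text with UTC offset, 25 chars
    ("not_valid_after", 25),
    ("content_key", 16),        # the 128-bit AES content key
)
PLAINTEXT_LEN = sum(size for _, size in FIELDS)  # 138

def pack_cipherdata(values):
    """Concatenate the eight fields, refusing any field of the wrong length."""
    for name, size in FIELDS:
        if len(values[name]) != size:
            raise ValueError(f"{name}: expected {size} bytes")
    return b"".join(values[name] for name, _ in FIELDS)

def parse_cipherdata(buf):
    """Split a decrypted CipherData plaintext into its eight typed fields."""
    if len(buf) != PLAINTEXT_LEN:
        raise ValueError(f"expected {PLAINTEXT_LEN} bytes, got {len(buf)}")
    out, pos = {}, 0
    for name, size in FIELDS:
        out[name], pos = buf[pos:pos + size], pos + size
    for name in ("cpl_id", "key_id"):          # UUIDs travel as raw 16 bytes
        out[name] = uuid.UUID(bytes=out[name])
    for name in ("not_valid_before", "not_valid_after"):
        out[name] = datetime.fromisoformat(out[name].decode("ascii"))
    out["key_type"] = out["key_type"].decode("ascii")
    return out

def key_usable_at(parsed, when):
    """True only inside the validity window the KDM grants for this playlist."""
    return parsed["not_valid_before"] <= when <= parsed["not_valid_after"]

# Constructed sample (not a real KDM): a picture key for the 2021-06-08..23 window.
SAMPLE = pack_cipherdata({
    "structure_id": bytes(16), "signer_thumbprint": bytes(20),  # placeholders
    "cpl_id": uuid.UUID(int=1).bytes, "key_type": b"MDIK",
    "key_id": uuid.UUID(int=2).bytes, "content_key": bytes(range(16)),
    "not_valid_before": b"2021-06-08T00:00:00+00:00",
    "not_valid_after": b"2021-06-23T00:00:00+00:00",
})
```

A real structure_id is the fixed value from SMPTE 430-1 and a real thumbprint comes from the signer certificate; a truncated or padded buffer is rejected before any field is trusted.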
Encrypted content
The hash value is the Base64 encoding of a SHA-1 digest; it can be computed with the following command:
openssl sha1 -binary "FILE_NAME" | openssl base64
curl https://bootstrap.pypa.io/pip/3.5/get-pip.py -o get-pip.py
python3.5 get-pip.py --force-reinstall
apt-get install build-essential libssl-dev libffi-dev python-dev
apt-get install python3
update-alternatives --config python
sudo pip uninstall crypto
sudo pip uninstall pycrypto
apt-get install build-essential libssl-dev libffi-dev python-dev
apt-get install libpcap-dev libpq-dev
apt install python3-dev
apt install python-dev
curl https://bootstrap.pypa.io/pip/3.5/get-pip.py -o get-pip.py
python3.5 get-pip.py --force-reinstall
# then install the packages again
pip3 install lxml
pip3 install Crypto
pip3 install rsa
pip3 install pycrypto
pip3 install signxml
This produces the error:
c/_cffi_backend.c:2:20: fatal error: Python.h: No such file or directory
compilation terminated.
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
----------------------------------------
ERROR: Failed building wheel for cffi
Running setup.py clean for cffi
Failed to build cffi
pip3 install pyinstaller
pip3 freeze |grep cry -i
Build a standalone executable:
pyinstaller -F mkkdm.py
Locate where a variable appears in the code:
grep servicePriv ./ -rwn
Inspect the DKDM:
vim DKDM/DKDM_aaa_FTR_Enc_2M_20210608_SMPTE_OV_20210608T000000_20210623T000000_20210608151215.678.xml
References:
Inter-Society Digital Cinema Forum (ISDCF)
http://isdcf.com/ISDCF/index.html
SMPTE Documents needed for SMPTE-DCP packages:
https://cinepedia.com/references/
DRAFT ISDCF Doc5 - Guideline for SMPTE KDMs and Certificates Behaviors
http://isdcf.com/papers/ISDCF-Doc5-kdm-certs.pdf
DCP-o-matic
http://dcpomatic.com/
How is a DCP packaged?
https://www.zhihu.com/question/43605387?sort=created
Digital Cinema Mastering 101
https://www.slideshare.net/sundanceinstitute/graef-allen-dolby-dcp-presentation-deck-20130423
Digital cinema
https://www.slideshare.net/AnoopKAnand/digital-cinema-43413954
Development of Digital Cinema Delivery System on the NGN
https://www.ntt-review.jp/archive/ntttechnical.php?contents=ntr201005le1.html
Trusted Device List & Workflow
https://cinepedia.com/security/trusted-device-list/
Technology FAQs
https://cinepedia.com/faqs/technology-faqs/
D-cinema Digital Cinema System : Presentation, analysis, and open source perspectives RMLL 2010
http://slideplayer.com/slide/11347368/
In SSL, what are the file extensions for public keys, private keys and certificates?
https://www.zhihu.com/question/29620953