Author Topic: Convert encrypted to unencrypted DCP  (Read 43554 times)

spongehead

Convert encrypted to unencrypted DCP
« on: June 05, 2013, 06:41:07 AM »
Hi,

I'm working for a small movie distributor.
We are planning to archive our movies as unencrypted DCPs on an inhouse server.

Right now our DCPs are archived at the postproduction house as encrypted DCPs.
But as they want quite some money for decrypting the DCPs we thought about decrypting the files ourselves.

So the plan is to receive the DCP and DKDM files from them and run them through some software.

My guess is that I would need easyDCP Player+ and easyDCP Creator+ for this job.
As these pieces of software are real pricy, are there any cheaper/free solutions?

Another question regarding DKDM files:
As far as I'm understanding the whole encryption thingy, DKDMs have to be linked to license files pointing to a specific server, right?
Or is it possible to get a DKDM that works as a Master Key regardless of which system it is used on?
(The information I found on the net is a bit inconsistent about this...)
If so, would archiving the encrypted DCP + Master DKDM be as future-proof as archiving unencrypted DCPs?

Thanks for any feedback!

liloneum

Re: Convert encrypted to unencrypted DCP
« Reply #1 on: June 06, 2013, 02:04:40 AM »
Hi,

An easy solution is to use Wolfgang's amazing kdm_decrypt available with the whole digital-cinema-tools solution:

https://github.com/wolfgangw/digital_cinema_tools_distribution/wiki

You will need to receive a dkdm pointing to the certificate created in ./digital_cinematools_folder/CERTSTORE (provide a file named "leaf.signed.pem" after renaming it to "yourcompagny.leaf.crt").

Then you will need to decrypt your assets to j2c and wav files into folders using asdcp-test -x (use asdcp-test -h to understand how it works).
You will need to provide the keys generated with kdm_decrypt for any asset.

When you have your plaintext elements, you will need to rebuild the structure of the dcp. If your dcp has only one reel, you can use opendcp_gui to build it. If you have multiple reels, you can use opendcp --reel... If you have complex compositions with entrypoints, it becomes harder, but it's possible...

That is the free solution. Another solution would be Wolfgang's amazing dietrich, that can manage all that. The cost of dietrich is lower than the easydcp solution.

Another solution (more suitable) would be to generate your kdm yourself. You can do it with Wolfgang's cinemaslides --kdm or dietrich-kdm.
Or to ask the laboratories not to encrypt the dcp that they provide.

I'm explaining this assuming that you hold the rights to the film, of course, and that you have Ubuntu on your computer.

Lilian

spongehead

Re: Convert encrypted to unencrypted DCP
« Reply #2 on: June 06, 2013, 03:13:57 PM »
So with dietrich I would have the option to either easily create an unencrypted DCP or to make new KDMs by myself?
Sounds great, but I guess I'll first need to have a closer look at the digital-cinema-tools/opendcp solution, thanks for pointing me in that direction.

I have also found a tool called YADE DCP Encoder which "Supports content encryption and decryption".
Does anyone have experience with this tool?

julieceylan

Re: Convert encrypted to unencrypted DCP
« Reply #3 on: June 06, 2013, 05:10:53 PM »
I have tried, with the small help from Wolfgang, to use kdm-decrypt to decrypt a KDM generated for a Fraunhofer player. It didn't work, apparently because Fraunhofer seals their KDM to be used only within their app, unless I have misunderstood Wolfgang. You really have to be an expert or a programmer to make these tools work, you just have a minimal support to help you and a bullet-proof gui for normal people would be great to have. For what it's worth, I think the best solution is still EasyDCP Player+, even if it's costly. It works fine ;-)

Julie

liloneum

Re: Convert encrypted to unencrypted DCP
« Reply #4 on: June 07, 2013, 02:54:36 AM »
> I have tried, with the small help from Wolfgang, to use kdm-decrypt to decrypt a KDM generated for a Fraunhofer player. It didn't work, apparently because Fraunhofer seals their KDM to be used only within their app, unless I have misunderstood Wolfgang. You really have to be an expert or a programmer to make these tools work, you just have a minimal support to help you and a bullet-proof gui for normal people would be great to have. For what it's worth, I think the best solution is still EasyDCP Player+, even if it's costly. It works fine ;-)
>
> Julie

kdm-decrypt will not decrypt a .dcpdig file generated for easydcp content because the keys are already in plaintext in this file.
You can use them directly with asdcp-test -x FOLDER/fileprefix -k KEYCORRESPONDINGTOTHEASSET asset.mxf
Use asdcp-info asset.mxf to know the uuid of this asset and find the key corresponding to it.

A kdm generated by easydcp will work fine with kdm-decrypt. kdm-decrypt extracts the keys from this kdm. The keys are directly available in the .dcpdig file.

You don't have to be an expert to understand how it works but of course you don't have to be afraid to use non gui programs.
See projectionniste.net (in French) to find a lot of help too.

> So with dietrich I would have the option to either easily create an unencrypted DCP or to make new KDMs by myself?
> Sounds great, but I guess I'll first need to have a closer look at the digital-cinema-tools/opendcp solution, thanks for pointing me in that direction.

As far as I know, dietrich will not decrypt the content but it will manage the kdm generation.

digital-cinema-tools, asdcp-test and opendcp will do anything you need, in case of simple compositions (without entrypoint).
Use cinemaslides -h, cinemaslides --examples and asdcp-test -h.

Lilian

julieceylan

Re: Convert encrypted to unencrypted DCP
« Reply #5 on: June 07, 2013, 04:01:14 AM »
Thanks Lilian, but I still don't understand ;-)

I wasn't talking about a .dcpdig file generated for easydcp, but about a KDM .pem file generated by a third party for the EasyDCP player for instance, after having given the EasyDCP player certificates. You first have to decrypt this KDM with the corresponding private key using kdm-decrypt, to get the Cipher value in order to ingest this cipher value into asdcplib -x -k. Unless I'm wrong?

Thanks for your help.

Best,

Julie

spongehead

Re: Convert encrypted to unencrypted DCP
« Reply #6 on: June 07, 2013, 04:41:40 AM »
I already played around with tools like ffmpeg and Image Magick so using these CLI tools shouldn't be such a big problem...

But I still need to get my head around this whole KDM/DKDM/public-/private key process and the files involved to really understand what I'm doing  ;D

> As far as I know, dietrich will not decrypt the content but it will manage the kdm generation.

So I think I slightly misunderstood your second post:

> Another solution would be Wolfgang's amazing dietrich, that can manage all that.

Well, nevermind... :D

liloneum

Re: Convert encrypted to unencrypted DCP
« Reply #7 on: June 07, 2013, 08:14:51 AM »
> I wasn't talking about a .dcpdig file generated for easydcp, but about a KDM .pem file generated by a third-party for the EasyDCP player for instance, after having given the EasyDCP player certificates.

I think that a kdm file is supposed to be a .xml file. PEM files are chained certificates.
Can you send me this file to analyze it?

> You first have to decrypt this KDM with the corresponding private key using kdm-decrypt, to get the Cipher value in order to ingest this cipher value into asdcplib -x -k. Unless I'm wrong?

You're absolutely right!

liloneum

Re: Convert encrypted to unencrypted DCP
« Reply #8 on: June 07, 2013, 08:17:34 AM »
My bad, spongehead, you're right, I made a mistake.
Wolfgang would help you better than me, as I don't have dietrich tools. On the wiki you can see the possibilities.
https://github.com/wolfgangw/dietrich/wiki

Lilian

spongehead

Re: Convert encrypted to unencrypted DCP
« Reply #9 on: June 12, 2013, 11:59:04 AM »
Hi again,

I think we might go the "create your own KDMs" way, thanks again for pointing that out, Lilian.

The Demo of Fraunhofer's KDM Generator creates KDMs that are valid for 48 hours, which I think should be OK for one screening.

But since I also want to try the cinemaslides way of building KDMs, I still got some questions (sorry, if they might sound stupid):

After I got the DKDM from the lab which they made for my public key certificate (leaf.signed.pem, renamed to whatever.leaf.crt), I would then need to use kdm_decrypt on that DKDM together with my private key to get the content keys, right?
These keys I would then put in a folder called /movie01 and use these keys, the cpl_movie01_123_.xml from the DCP and the media block's public key certificate with cinemaslides to produce a KDM for that specific media block. Is this the right way of doing it?

Is it safe to edit make-dc-certificate-chain.rb, so it points to mycompany.org instead of example.org to create certificates that are easier to identify?

Just out of curiosity: Which one is my private key in the CINEMACERSTORE folder?

Is it possible to use the same keys/certificates for Fraunhofer's KDM Generator and digital_cinema_tools?

liloneum

Re: Convert encrypted to unencrypted DCP
« Reply #10 on: June 13, 2013, 10:36:25 AM »
> After I got the DKDM from the lab which they made for my public key certificate (leaf.signed.pem, renamed to whatever.leaf.crt), I would then need to use kdm_decrypt on that DKDM together with my private key to get the content keys, right?

Yes. Julie Ceylan could share her feedback with the private help I gave her...

> These keys I would then put in a folder called /movie01 and use these keys, the cpl_movie01_123_.xml from the DCP and the media block's public key certificate with cinemaslides to produce a KDM for that specific media block. Is this the right way of doing it?

Yes. Use cinemaslides -h and cinemaslides --example to understand everything!

> Is it safe to edit make-dc-certificate-chain.rb, so it points to mycompany.org instead of example.org to create certificates that are easier to identify?

Yes, but you have to check the integrity of your chain.

> Just out of curiosity: Which one is my private key in the CINEMACERSTORE folder?

leaf.key

> Is it possible to use the same keys/certificates for Fraunhofer's KDM Generator and digital_cinema_tools?

No, because you will not have the private keys from Fraunhofer.

You're almost there! Courage!

Wolfgang Woehl

Re: Convert encrypted to unencrypted DCP
« Reply #11 on: June 13, 2013, 11:21:42 AM »
> I would then need to use kdm_decrypt on that DKDM together with my private key to get the content keys, right? These keys I would then put in a folder called /movie01 ...

You want to look at kdm-decrypt.rb --help and read about the --as-triple option which will output key data in the plaintext format cinemaslides is expecting in $CINEMASLIDESDIR/keys, each in its own file with the key id (first element of the triple) as filename.
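
What comes out of a KDM once the recipient's private key has decrypted one cipher value, shown as an added example (not part of the original posts and not code from digital_cinema_tools): it splits the 138-byte SMPTE key block into its fields, checks the validity window, and prints a key triple. The function names and the sample block are hypothetical, and the triple order (key id, key type, key data) is an assumption based on the description above; the RSA decryption itself is left to kdm-decrypt.

```ruby
require 'time'

# Layout of the 138-byte plaintext that each RSA-encrypted <enc:CipherValue>
# of a SMPTE KDM decrypts to (field name, length in bytes).
STRUCTURE_ID = 'f1dc124460169a0e85bc300642f866ab'
FIELDS = [[:structure_id, 16], [:signer_thumbprint, 20], [:cpl_id, 16],
          [:key_type, 4], [:key_id, 16], [:not_valid_before, 25],
          [:not_valid_after, 25], [:key_data, 16]].freeze

def hex(bytes)
  bytes.unpack1('H*')
end

def uuid(bytes)
  hex(bytes).sub(/(.{8})(.{4})(.{4})(.{4})(.{12})/, '\1-\2-\3-\4-\5')
end

# Split one decrypted key block into its fields, rejecting anything that is
# not 138 bytes long or does not start with the fixed structure ID.
def parse_key_block(plaintext)
  raise ArgumentError, "expected 138 bytes, got #{plaintext.bytesize}" unless plaintext.bytesize == 138
  raw = {}
  offset = 0
  FIELDS.each do |name, len|
    raw[name] = plaintext.byteslice(offset, len)
    offset += len
  end
  raise ArgumentError, 'structure ID mismatch' unless hex(raw[:structure_id]) == STRUCTURE_ID
  { cpl_id: uuid(raw[:cpl_id]), key_id: uuid(raw[:key_id]), key_type: raw[:key_type],
    not_valid_before: Time.iso8601(raw[:not_valid_before]),
    not_valid_after: Time.iso8601(raw[:not_valid_after]),
    key_data: hex(raw[:key_data]) }
end

# True when `time` falls inside the validity window carried in the block.
def valid_at?(block, time)
  time.between?(block[:not_valid_before], block[:not_valid_after])
end

# Assumed triple layout: key id, key type, key data, colon-separated.
def as_triple(block)
  [block[:key_id], block[:key_type], block[:key_data]].join(':')
end

# Constructed sample block (made-up IDs and key, 48-hour validity window).
SAMPLE_BLOCK = [STRUCTURE_ID + 'aa' * 20 + '11' * 16].pack('H*') + 'MDIK'.b +
               ['22' * 16].pack('H*') + '2013-06-12T12:00:00+00:00'.b +
               '2013-06-14T12:00:00+00:00'.b + ['0f' * 16].pack('H*')

puts as_triple(parse_key_block(SAMPLE_BLOCK)) if $PROGRAM_NAME == __FILE__
```

A block that fails the length or structure ID check usually means the KDM was addressed to a different certificate than the private key being used.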

spongehead

Re: Convert encrypted to unencrypted DCP
« Reply #12 on: June 13, 2013, 12:45:22 PM »
Thanks Lilian for cheering me up!  ;D

> Yes, but you have to check the integrity of your chain.

I would need to have a look at the openssl verify documentation to do that, right?

Thank you Wolfgang for giving me that hint with the --as-triple option, I guess this is going to save me some trouble.
Also a big thank you for providing us with your amazing and free set of tools!

I'm getting closer to ordering a DKDM and having some test runs...
Oh Joy of Joys!!!

liloneum

Re: Convert encrypted to unencrypted DCP
« Reply #13 on: June 13, 2013, 01:03:14 PM »
> I would need to have a look at the openssl verify documentation to do that, right?

Have a look at all Wolfgang's other tools... dc_crypto_context for example...

spongehead

Re: Convert encrypted to unencrypted DCP
« Reply #14 on: June 13, 2013, 02:45:41 PM »
> Have a look at all Wolfgang's other tools... dc_crypto_context for example...

I must have overlooked that part on digital_cinema_tool's wiki page, thanks again!
