DKDM
Introduction
A Distribution Key Delivery Message (DKDM) is a secure digital key used in the Digital Cinema industry to enable the distribution of encrypted Digital Cinema Packages (DCPs). Unlike a standard Key Delivery Message (KDM), which authorizes playback on a specific cinema server, a DKDM is intended for trusted organizations such as post-production facilities, localization studios, quality control (QC) houses, and distributors. The DKDM allows these facilities to decrypt an encrypted DCP so they can perform additional work, such as creating localized versions, adding subtitles, conducting quality control, or generating new encrypted DCPs for distribution. By using DKDMs, content owners maintain strict control over access to their intellectual property while allowing authorized partners to work with protected content.
Purpose
The primary purpose of a DKDM is to securely transfer decryption rights for encrypted cinema content without exposing the original encryption keys. A DKDM enables authorized organizations to:
- Access encrypted DCPs for post-production work.
- Create localized versions with subtitles or dubbed audio.
- Perform quality control and technical validation.
- Generate new DCPs for regional or international distribution.
- Deliver encrypted content to additional mastering or distribution facilities. Unlike a standard KDM, which only permits playback, a DKDM provides the authorization needed to process encrypted content during the mastering workflow.
How It Works
The DKDM workflow follows several secure steps:
- A mastering facility creates an encrypted Digital Cinema Package (DCP).
- The content owner requests the digital certificate (public certificate) of the receiving facility.
- Using the recipient's certificate, a DKDM is generated.
- The DKDM is securely delivered to the authorized facility.
- The recipient imports both the encrypted DCP and the DKDM into its mastering system.
- The mastering software uses the DKDM to decrypt the content internally.
- The facility performs the required work, such as localization, quality control, subtitle integration, or versioning.
- If necessary, a new encrypted DCP is created, and standard KDMs are later generated for individual cinemas. Throughout this process, the original content encryption keys remain protected and are never directly exposed to users.
Technical Structure
A DKDM is an XML-based file containing encrypted security information rather than media content. Its primary components include:
Content Encryption Key (CEK)
The DKDM securely contains the encrypted Content Encryption Key (CEK), which is required to decrypt the protected DCP.
Recipient Certificate
The DKDM is encrypted using the recipient organization's public certificate. Only the corresponding private key installed on the authorized mastering system can unlock the DKDM.
Validity Period
Each DKDM specifies a start date and an expiration date. The mastering system can only decrypt the content during this authorized time window.
Content Identification
The DKDM contains identifiers that link it to a specific Composition Playlist (CPL), ensuring it can only be used with the intended DCP.
Digital Signature
The issuing organization digitally signs the DKDM to verify its authenticity and ensure that it has not been modified.
Common Issues
Several problems may prevent a DKDM from functioning correctly.
Incorrect Recipient Certificate
If the DKDM is generated using the wrong certificate, the receiving facility will be unable to decrypt the DCP.
Expired Validity Period
Once the authorization period expires, the DKDM can no longer be used. A new DKDM must be issued.
Clock Synchronization Errors
Digital Cinema systems rely on accurate system time. Incorrect date or time settings may cause an otherwise valid DKDM to be rejected.
Certificate Mismatch
If the mastering system's installed certificate differs from the certificate used to generate the DKDM, decryption will fail.
Incorrect CPL Reference
A DKDM is tied to a specific Composition Playlist (CPL). If the CPL changes after the DKDM is created, a new DKDM may be required.
Standards
DKDMs are based on internationally recognized Digital Cinema standards.
Digital Cinema Initiatives (DCI)
The DCI specification defines the security architecture used to protect encrypted Digital Cinema Packages, including certificate-based encryption and key management.
SMPTE Standards
The Society of Motion Picture and Television Engineers (SMPTE) specifies the XML structure, encryption methods, certificate handling, and interoperability requirements for DKDMs and KDMs.
Public Key Infrastructure (PKI)
DKDMs rely on Public Key Infrastructure (PKI), where each authorized organization possesses a unique public/private key pair. This ensures that only the intended recipient can decrypt the authorization key.
DKDM vs. KDM
Although both DKDMs and KDMs are used to authorize access to encrypted DCPs, they serve different purposes.
| Feature | DKDM | KDM |
| Intended Recipient | Post-production facility, distributor, QC house | Cinema server |
| Purpose | Decrypt content for mastering and processing | Authorize playback |
| Can Process Content | Yes | No |
| Used During Distribution | Yes | No |
| Used During Exhibition | No | Yes |
Summary
A Distribution Key Delivery Message (DKDM) is a critical component of secure Digital Cinema workflows. It allows trusted post-production and distribution facilities to decrypt encrypted Digital Cinema Packages for authorized processing while maintaining the security of the original content. By using certificate-based encryption, digital signatures, and defined validity periods, DKDMs ensure that only approved organizations can access protected media. They play a vital role in localization, quality control, versioning, and international distribution before the final KDMs are generated for theatrical exhibition.