I also recommend an insightful talk by the author of the article, delivered at a Chaos Computer Club (CCC) event (GPN, Gulaschprogrammiernacht) on this topic. Unfortunately, it's only available in German, but it's definitely worth watching:
https://media.ccc.de/v/gpn22-382-kein-kinoerlebnis-ohne-korr...
„No cinema experience without correct certificate management... A look behind the scenes of a cinema with a digital projector system, how distributors deliver films to cinemas with end-to-end encryption, and how films are protected from piracy. In addition to an overview of projector technology, the presentation will demonstrate the file format and manual decryption of film data.“
Edit: I just realized that the author of the article also delivered the recorded talk, adapted my comment.
Hi, asdcplib author here (mentioned in the article.) Excellent writeup of DCP and related tech. FYI the colorspace of an SDR DCP MXF file is X'Y'Z' with gamma 2.6 (see SMPTE 428-1.) Other MXF formats (i.e., not cinema) use a wide variety of colorspaces. Despite the huge range of XYZ, DCP image files are usually constrained to code values that fall within P3 (again, SDR.) The HDR applications are more interesting.
Upon reading the comments:
- DCP is a B2B format. DCP usage is licensed by contract, not EULA. Please keep these important differences in mind when commenting on DRM.
- Decrypt, decode, color processing, watermark occurs in FPGA. If you think that sounds hard, remember that all of this tech was originally deployed 20 years ago. Moore's law has made our lives much easier since!
- Frame-by-frame encipherment, rather than whole stream, better supports random access and the famous tobacco intermissions popular in the EU.
Even with all of this onerous encryption and DRM, it's not hard to find pirated copies of movies. It makes me think that the sacrifice in ownership rights for the theaters over their equipment isn't worth it.
There is essentially zero piracy from these digital cinema releases. The pirate copies are generally from once it starts digitally streaming on one of the services including PPV, and when pirate copies exist earlier it is almost always someone with a camera in a theatre making a terrible quality screener.
Piracy is inevitable, but in this case their model is much more robust than I would have predicted.
Most pirated copies aren't from theatrical releases; they mostly come out when the titles are available on streaming/blu-ray. DRM might be a failure in other fields, but it's working pretty well in this particular case.
Most people are completely fine watching a 720p x264 1GB version half a year after release. Sure, there are some purists who want as good image quality as possible as soon as possible, but that's a tiny minority. I think the actual motivation is that cinemas are becoming less and less relevant in the age of streaming, so they're doing anything they can to protect the little revenue they have, because the only way cinema can make money is to hype a movie to the moon, and then have it shown exclusively in cinemas for some period of time. But with streaming services investing in their own movies, the days of this distribution model are numbered. Having a cinema in 2025 is like having an internet cafe in 2010.
Pirated copies of theatrical releases at the time of release are much more rare, though.
The value of protecting releases is extremely high in the narrow window of finalizing production and getting it into theaters or online launch platforms.
If there was no DRM and watermarking then these would be pirated constantly before release.
Yep, and those pirated copies are DRM free, work everywhere, no HDCP and other crap, no internet connection needed, so they're "better" in that way too (not just price-wise).
I'm confused why it's encrypted as a JPEG image per frame instead of one AES encrypted video file. Since the same AES key is used for each frame it wouldn't add any additional security imo
I think JPEG 2000 is simply the chosen format for distribution of the video, not for security.
JPEG 2000 has some interesting properties for very high quality video storage and transport where bandwidth is not a concern. The traditional encoded video formats we know are less preferred at this scale.
JPEG 2000 is resource intensive, though. The decoding hardware is probably either GPU based or using an FPGA implementation from one of the providers who makes hardware for this.
JPEG 2000 for each frame? I wonder what they use for decompression. JPEG 2000 decompressors are really slow. Most couldn't keep up with frame rate without GPU support.
Packaging DCPs used to be a massive faff. (it might still be one)
Basically they are a tar[1] of images with a bunch of audio streams for different speaker configurations. depending on the quality settings, they can be encoded for higher colour space (ie 16 bit log per channel)
Even with lossless jpeg2000, these packages can be huge.
But, back in 2011, the biggest problem was encoding jpeg2000 required hardware to get anything near realtime performance. (I also think there were dedicated DCP packaging machines, but I never actually saw one.)
One of my colleagues decided the best way to ship the finalised movie was to open up an NFS port on sohonet and let the technicolor hook the DCP packager directly.
it worked, but our CTO diplomatically asked them to stop.
> The video stream is encoded as one single JPEG2000 picture per frame. Each frame is encrypted with the same static AES key.
Is this not a problem? It’s not a good idea to reuse the same key to encrypt very similar files. Similar to ECB. See the famous penguin https://words.filippo.io/the-ecb-penguin/
I’m surprised they don’t use something like XTS commonly used for disk encryption. It derives a unique key for each block/frame and allows you to access each individual block/frame non-sequentially.
> Every Frame is using a unique IV (Initialization Vector), which ensures that the AES Block Cipher generates always different cipher texts and makes brute force harder. This works similar to a Password Salt.
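The exchange above (one static AES key for every frame, but a unique IV per frame), as an added example that is not code from the article, the thread or asdcplib. CBC mode, PKCS#7 padding, the IV-prefixed record layout, the key and the frame contents are assumptions made for illustration; the thread only states AES with a per-frame IV.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// pad applies PKCS#7 padding up to a multiple of the AES block size.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptFrameECB is the weak baseline: no IV, each block encrypted independently.
func encryptFrameECB(blk cipher.Block, frame []byte) []byte {
	out := pad(frame)
	for i := 0; i < len(out); i += aes.BlockSize {
		blk.Encrypt(out[i:i+aes.BlockSize], out[i:i+aes.BlockSize])
	}
	return out
}

// encryptFrameCBC encrypts one frame under the shared key with a fresh random IV
// and returns IV || ciphertext, so the record can be decrypted on its own.
func encryptFrameCBC(blk cipher.Block, frame []byte) []byte {
	in := pad(frame)
	out := make([]byte, aes.BlockSize+len(in))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		panic(err)
	}
	cipher.NewCBCEncrypter(blk, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], in)
	return out
}

// decryptFrameCBC reverses encryptFrameCBC for one record (no integrity check here).
func decryptFrameCBC(blk cipher.Block, rec []byte) []byte {
	pt := make([]byte, len(rec)-aes.BlockSize)
	cipher.NewCBCDecrypter(blk, rec[:aes.BlockSize]).CryptBlocks(pt, rec[aes.BlockSize:])
	return pt[:len(pt)-int(pt[len(pt)-1])]
}

// Demo runs on constructed data: frames 0 and 1 are identical, frame 2 differs.
func Demo() (ecbLeaks, cbcLeaks, randomAccessOK bool) {
	blk, err := aes.NewCipher(bytes.Repeat([]byte{0x42}, 16)) // constructed key
	if err != nil {
		panic(err)
	}
	still := bytes.Repeat([]byte("black frame ... "), 8)
	frames := [][]byte{still, still, []byte("frame after the intermission")}
	ecbLeaks = bytes.Equal(encryptFrameECB(blk, frames[0]), encryptFrameECB(blk, frames[1]))
	var reel [][]byte
	for _, f := range frames {
		reel = append(reel, encryptFrameCBC(blk, f))
	}
	cbcLeaks = bytes.Equal(reel[0], reel[1])
	// Random access: decrypt only frame 2, without touching frames 0 and 1.
	randomAccessOK = bytes.Equal(decryptFrameCBC(blk, reel[2]), frames[2])
	return
}

func main() { fmt.Println(Demo()) }
```

With the same key, two identical frames give identical ciphertext only in the IV-less ECB baseline; with a per-frame IV the records differ, and any single record still decrypts independently of the others.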
> Encrypted DCPs use Forensic Watermarks which contain the serial number of the projection system. So if a recorded copy of a movie appears online, the theatre will have to answer serious questions and may never get movies again.
Is this not as simple as dumping the same movie from two different projectors, diffing the output, then obfuscating the watermark?
To do that you need to figure out what parts are noise (watermark), simply diffing them would just give you a different noise pattern which can still be analyzed depending on how the watermark is encoded.
I’m trying to understand the timeline here; the article was originally written last year and the latest spec is also from 2024 but the article has a link to this HN thread created yesterday?
Maybe the author saw a bunch of hits coming from HN and edited his post to add the link to the discussion? It doesn't seem as if the author themselves posted their article.
I don't think new theatre releases are generally getting leaked in digital formats anymore until they hit streaming which can sometimes be as soon as weeks or a couple months after original release. Obviously 'tele-syncs' (cameras capturing the film) still exist but that wasn't your question. The one exception to this can be oscar movie season when studios release films via a special Apple TV app and that can be slightly less secure (though still water-marked).
I would ask you to support your claim of 'high quality digital dumps' by citing one that has come out in the last couple years. See https://predb.net/
Hollywood is stupid and eroded its own economic advantage by putting everything on streaming. This was already known, but it also makes antipiracy operations much, much harder.
Ripping a stream is always going to be easier than getting any unprotected video footage out of a movie theater. The stream is in your own home, you own and can tamper with all the equipment involved in playing it, and the economics of CDNs prevent robust traitor-tracing schemes[0] that could be used to hunt you down.
In contrast, movie theaters are public locations, so every one of them is a known entity. The entire supply chain for movie projection is controlled. And that makes traitor-tracing a lot easier. All the hackers pointing out that DRM is fundamentally breakable are ignoring the fact that that only matters iff you're anonymous and untraceable. Otherwise, they won't bother making the DRM stronger, they'll just arrest people until the movies stop leaking.
It's the XKCD laptop wrench story[1] in reverse. The crypto nerd imagines DRM to be easily broken trash, but the reality is that the security of the DRM is in the $5 wrench, not the math.
Let's play contrast-and-compare. If you want to leak a stream, you need:
- A streaming account
- Knowhow or software to decrypt the data stream as it's downloaded and played, or,
- Knowhow to modify a TV so that you can capture the unencrypted video and audio streams inside the TV
The last one isn't done because it's a pain in the ass and the TV scene prefers bit-perfect rips over re-encoded captures. But at some point in the TV, you have to decrypt the video; LCD panels do not natively accept encrypted signals. And that is something you can build hardware to capture.
Now let's try leaking a movie. There's a few avenues of attack, roughly corresponding to the traditional movie scene release categories:
- You can go to the theater and point a camera at the screen. They actually check for this now, in pretty much any western country you'll get kicked out or arrested for camming a movie. If you don't get caught, they can still narrow you down to a location in the room via your shooting angle, and possibly determine what theater you were at with line frequency hum. That's enough information to narrow down the guy leaking the movie to a handful of customers. Do this enough times and you create a unique fingerprint to catch yourself with.
- You can get a job as a projectionist and run the movie projector into another camera directly. That kind of machine is called a telecine, and it used to be one of the higher quality ways to get leaked movies back when they were on film. This is specifically the scenario that all the DRM in the projector is designed to stop. If you do anything to change the light path of the projector, it locks up until the manager comes in and types a password to authorize the change.
- You could bribe the manager or owner to telecine the movie for you. Problem is, the number of people who actually have the password that unlocks the projector is really small[2] and traceable. If a telecine leak is traced back to their theater, someone's getting fired at a minimum, jailed in the worst case.
- You could break the DCI scheme itself; but you still need to source the files and keys to decrypt the movies. This is the crypto nerd's imaginary scenario. Even then, the files could themselves have steganographically injected information identifying the theater who got that master copy, which you can't strip out merely by having the encryption keys. Again, nobody is giving you those files unless they're too stupid to understand the implications (unlikely) or they have faith that you can strip out the stegotext.
It's just way easier to rip a stream than a movie in a theater. And when Hollywood moved to streaming they also made it a lot easier to leak movies.
[0] To be clear, traitor-tracing each stream would require a unique encode per account to inject the stegotext; that's computationally unfeasible. Doing one encode per movie theater would still be a struggle, but less so by three orders of magnitude.
Standards are often cheap. Many tech companies have a subscription to all IEEE papers and standards. The incremental cost of downloading one standard more is in the noise. But even if you don't have a subscription, the price for, say, the 802.11n standard is only $381.
It's remarkable that they do all this in the context of box office revenues cratering. In 2024 American theaters had less gross ticket sales than they did in 1982, in constant dollars. The whole thing of movie theaters is just over.
andreashaerter|10 months ago
asdcplib|10 months ago
john01dav|10 months ago
codemiscreant|10 months ago
gruez|10 months ago
anal_reactor|10 months ago
Aurornis|10 months ago
perryflynn|10 months ago
fmajid|10 months ago
ajsnigrutin|10 months ago
dherls|10 months ago
Aurornis|10 months ago
KaiserPro|10 months ago
The idea was that they wanted up to 16bit colour (per channel) lossless imagery. The encryption was (or so I recall) an extra feature.
perryflynn|10 months ago
Biganon|10 months ago
> Frame-by-frame encipherment, rather than whole stream, better supports random access and the famous tobacco intermissions popular in the EU.
Animats|10 months ago
userbinator|10 months ago
perryflynn|10 months ago
KaiserPro|10 months ago
[1] not actually but conceptually similar
jackjeff|10 months ago
perryflynn|10 months ago
NoMoreNicksLeft|10 months ago
TheDcoder|10 months ago
hbcondo714|10 months ago
baud147258|10 months ago
ddtaylor|10 months ago
pain_perdu|10 months ago
stepupmakeup|10 months ago
kmeisthax|10 months ago
[1] https://xkcd.com/538/
[2] This is also why the 3D era of film made movies way too fucking dark.
6stringmerc|10 months ago
shmerl|10 months ago
tverbeure|10 months ago
jeffbee|10 months ago
tverbeure|10 months ago
KaiserPro|10 months ago