Cinemaslides extract for new DCP in OpenDCP


Stephen van Vuuren

Aug 18, 2014, 2:17:58 PM
to ope...@googlegroups.com

I’ve got someone with an encrypted DCP – they have the DKDM. Will Cinemaslides extract the JC2 and WAV files with this so I can re-do a new unencrypted DCP with openDCP? It’s the film’s distributor – so it’s an authorized use.

 

stephen van vuuren

336.202.4777

 

http://www.insaturnsrings.com/

http://www.sv2dcp.com/

http://www.sv2studios.com/

 

A film is – or should be – more like music than like fiction. It should be a progression of moods and feelings. The theme, what’s behind the emotion, the meaning, all that comes later.

Stanley Kubrick

 

Wolfgang Woehl

Aug 19, 2014, 11:39:44 AM
to ope...@googlegroups.com
> I’ve got someone with an encrypted DCP – they have the DKDM. Will Cinemaslides extract the JC2 and WAV files with this so I can re-do a new unencrypted DCP with openDCP? It’s the film’s distributor – so it’s an authorized use.

Cinemaslides will not extract compositions.

You can use kdm-decrypt, asdcp-unwrap etc. to do it.

Wolfgang

Stephen van Vuuren

Aug 19, 2014, 5:22:04 PM
to ope...@googlegroups.com
> You can use kdm-decrypt, asdcp-unwrap etc. to do it.

Thanks!

Stephen van Vuuren

Aug 20, 2014, 6:32:09 PM
to ope...@googlegroups.com
>You can use kdm-decrypt, asdcp-unwrap etc. to do it.

Wolfgang,

This client has confirmed that they want me to do it. They also said the DKDM has not been made. I did find a couple of dcinemaforum posts about this but they were not clear on the steps. Does that documentation exist somewhere? I don't see anything but the basic command line in GitHub. Not what steps are needed to get a DKDM that will decrypt properly.

Lars Goldschlager

Aug 21, 2014, 6:39:52 PM
to ope...@googlegroups.com
To get a DKDM you can decrypt to get the keys, you need to send them a copy of your leaf certificate to generate the DKDM to your cert (be careful to send the certificate and not the key).

Stephen van Vuuren

Aug 21, 2014, 6:41:32 PM
to ope...@googlegroups.com

> To get a DKDM you can decrypt to get the keys, you need to send them a copy of your leaf certificate to generate the DKDM to your cert (be careful to send the certificate and not the key).

 

Thanks for that info but I’m not clear what “my leaf certificate” is or how to create that.


Terrence Meiczinger

Aug 21, 2014, 8:20:09 PM
to ope...@googlegroups.com
If they have the original encryption key, it’s pretty easy to decrypt the MXFs. If they only have a D/KDM, then you need to generate DKDM for your system which requires a certificate chain. It’s somewhat of a pain to make the certificate chain, but you only have to do it once. This is why I think the whole encryption thing is a whole lot of hurt. People don’t really have any idea what they are in for. 

Stephen van Vuuren

Aug 22, 2014, 12:18:10 PM
to ope...@googlegroups.com

>> If they only have a D/KDM, then you need to generate DKDM for your system which requires a certificate chain. It’s somewhat of a pain to make the certificate chain, but you only have to do it once. T

 

Well, I can’t find the list of steps to make a certificate chain to generate a DKDM.

 


 

Terrence

Aug 22, 2014, 1:28:17 PM
to ope...@googlegroups.com
It's essentially the same process as for a web server. In your case,
since you are just trying to decrypt, I think you can get away with
just generating a public key.

openssl genrsa -out "privkey.pem" -des3 "2048"
openssl rsa -in "privkey.pem" -out "pubkey.pem" -pubout

You give the public key to whomever is creating the DKDM. Then, you
use your private key with the DKDM to get the encryption key.


Stephen van Vuuren

Aug 22, 2014, 1:59:19 PM
to ope...@googlegroups.com
Thanks! I think I will charge them a healthy amount for this.


Lars Goldschlager

Aug 25, 2014, 12:23:41 PM
to ope...@googlegroups.com
If you get Wolfgang Woehl's digital cinema tools (get from here: https://github.com/wolfgangw/digital_cinema_tools ) he includes a script to easily generate certificate chains (the script is called make-dc-certificate-chain.rb in the root, you'll probably find this easier to do in Linux, it might be possible in theory to do in Windows, using Ruby and OpenSSL). When you work with DCI/SMPTE in general (there are exceptions) you end up with this:

Certificate authority (root certificate): This is a certificate that is used to sign all other certificates below it. It'll never be used to sign end products of DCP production, and it basically represents your company (you). When you use it to sign certificates "below" it what you're saying is "This company is certifying this branch/thing belongs to it".

Branch (Intermediate certificate): This will also not be used to sign stuff in general, other than your leaf certificate, it basically represents a branch, a group, inside the company. Doremi for example has a branch called products, and a lower branch inside it called dolphin for ims/imb/dcp players. There can be many levels of branches, a typical Doremi certificate chain has 4 levels of intermediate certificates before reaching the end (leaf) certificate. But the specs only call for a single intermediate certificate minimum. This is signed by the root cert to mark it as created by the company.

Leaf (end? certificate): this is the certificate you use to sign stuff normally that you produce, DCP cpls, KDMs, etc. They belong to a unit, department, or person inside the company, it is signed by the intermediate certificate to mark it as belonging to the branch, and the company.

Leaf key: the key is the secret part to the certificate, in general you'll need a key only for the leaf certificate (all others will have one though), because it's the only one you use to interact with the world. When someone produces a DKDM for your certificate chain, you send them the leaf certificate, or a chain file with all the certificates one after the other (which will be needed depends on company policy and software used in the company that will produce the DKDM), to the person who holds the DCP keys. This person will generate a DKDM, which is basically a KDM encrypted against your chain ending in your leaf certificate, or your leaf certificate alone... they will send you this DKDM, and you can use your leaf certificate's key (the secret part, you never share) to decrypt that DKDM (since it was encrypted against the leaf certificate), to obtain the keys contained within (again, Wolfgang Woehl's digital cinema tools includes a script that will help you do this using your key and the DKDM, the script is called kdm-decrypt.rb and it's inside the encryption directory).

Like Terrence mentions, you can simply create one certificate (and its key), to work for a DKDM (expecting they won't demand a chain), and use the private (key) part to decrypt it at home. But in my opinion it can pay in the long run to learn how DCI and SMPTE standards expect certificate chains to be set up for the future if you intend to work more on DCPs.

Attently, Lars.
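
An added illustration, not part of the thread and not Wolfgang Woehl's make-dc-certificate-chain.rb: the root, intermediate and leaf structure described above, a check that the file being sent holds certificates and no private key, and the reason only the leaf key can recover what was encrypted to the leaf certificate. Assumptions: all names and the 16-byte content key in the test are constructed, these are plain X.509 certificates that are not claimed to meet DCI/SMPTE certificate requirements, and the RSA-OAEP wrap is a stand-in for the key transport inside a real DKDM.

```ruby
require 'openssl'

# Build one certificate; issuer_cert and issuer_key are nil for the self-signed root.
def make_cert(cn, serial, key, issuer_cert, issuer_key, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/O=example.invalid/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign' : 'keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256')) # returns the certificate
end

# Root signs the intermediate, the intermediate signs the leaf (all names constructed).
def build_chain
  rk, ik, lk = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert('Example Root', 1, rk, nil, nil, ca: true)
  inter = make_cert('Example Intermediate', 2, ik, root, rk, ca: true)
  leaf = make_cert('Example Leaf', 3, lk, inter, ik, ca: false)
  { root: root, inter: inter, leaf: leaf, leaf_key: lk }
end

# True when the leaf verifies up to the trusted root via the supplied intermediates.
def chain_valid?(c, intermediates = [c[:inter]])
  store = OpenSSL::X509::Store.new.add_cert(c[:root])
  store.verify(c[:leaf], intermediates)
end

# What goes to the DKDM issuer: certificates only, leaf first.
def shareable_bundle(c)
  [c[:leaf], c[:inter], c[:root]].map(&:to_pem).join
end

# Pre-send guard: reject PEM text that contains any private key block.
def safe_to_send?(pem)
  !pem.match?(/-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/)
end

# Stand-in for DKDM key transport: wrap to the leaf certificate, unwrap with its key.
def wrap_for(cert, content_key)
  cert.public_key.public_encrypt(content_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

def unwrap(leaf_key, blob)
  leaf_key.private_decrypt(blob, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end
```

Running `safe_to_send?` over the exact file about to be attached catches the case where a key was concatenated into the chain file by mistake.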


Stephen van Vuuren

Aug 25, 2014, 1:52:22 PM
to ope...@googlegroups.com

Thanks so much Lars – very helpful information. I do have an Ubuntu 12.04 box I use for DCP drive formatting and vetting DCPs, so can run it there.
