The Visualist Blog

Salt Mines, KeyChains, and Media: 3 Things AV should know about HDCP

It’s dark, cramped, and dry. A single elevator slides more than 600 feet underground creaking to a stop to deliver a solitary visitor and their payload – a locked case carrying an original 35mm print.

What’s in that case?

The original celluloid print of Star Wars? Something more modern like Christopher Nolan’s 35mm cut of The Dark Knight Rises?

Whatever it is, it’s destined for storage in a secure facility, locked into an abandoned salt mine below the Kansas plains.

The facility is responsible for storing media in it’s physical form. Access is tracked and logged, no copies can be made or exit the mine, and when it comes time to distribute a film, each reel is tracked and hand delivered to theatres under lock and key.

It’s been a while since delivery trucks were used to hand deliver cooled metal cases of media to movie theatres. Instead, they now receive a “digital content package”(DCP) on what amounts to a shipping container with a set of drives that are plugged into a digital cinema projector. Importantly, the DCP contains a set of security mechanisms that allow the reconstruction of the film content at a particular time, at a particular theatre, etc..

Fast forward to to the early 2000s. Intel, and a the computing industry, now knows that digital media distribution won’t be limited to expensive, licensed cinema projectors – instead, users want to buy, watch, and store content on their own device. This means a security algorithm needs to be developed that can ensure content, when decoded and played on a device – isn’t simply being recorded and redistributed. (Read more on analog-to-digital transition ).

Their motive – become a valid distribution platform that keeps Hollywood happy.  After all, outside of gaming, and enterprise productivity, isn’t media and entertainment a massive market?

Intel then decides it’s in their best interest to act both as keymaster and enforcer for modern digital content protection.

Enter HDCP.

If you are an AV integrator, consultant, or simply have to deal with AV room systems – you’ve probably run into the problems that HDCP creates.  When you plug your OSX laptop into a wall plate so you can look at your device on the room display and all you see if black – that could be HDCP.  So what is it?  How does it work? Well – there is no locked salt mine, instead HDCP, a protocol that operates over the cable, is the vault.

At a high-level it’s pretty straightforward. The protocol operates over a video cable between a source and receiver; pair (i.e. a DVD player and a television) and is intended to ensure that only authorized receivers can receive and display HDCP protected content.  When HDCP content needs to be transmitted, the source initiates a request for authentication. 

The cool mathematics are out of scope for this article, but, in general, the transmitter sends a unique identifier (called a key-selection-vector, KSV) along with a random number to the receiver.  The receiver, in turn, sends it’s own KSV to the transmitter. Both then use each other unique identifiers and their own secret encryption key to generate a secret session key

Because all of the unique HDCP identifiers are mathematically related, the computation results in both devices holding an identical secret value.  What’s cool about this is that secret value will be used to feed the encryption algorithm that will be used to transmit the protected content – but – it’s never been transmitted between the sender and receiver.  This means, even if I was listening in, I never get hold of the session key. From there on out, the content is encrypted by the sender and decrypted by the receiver before display.

If I’m not a valid receiver (i.e. someone cooks up an HDMI capture/store device in their maker space) – my session secret will be different than the one generated by the transmitter and I can no longer view the content.  Even more simply, If my display simply doesn’t hold a unique KSV because it’s not licensed to display protected content, the sender can just stop sending, resulting in a black display. 

Where could this go wrong?

A lot of places. If you’re designing a room that, for example, allows users to plug into the HDMI on the table, but that table port runs into a video switch – that switch needs to negotiate a special form of HDCP that includes the “repeater”.  If your video switch is a simple two port switcher you picked up at Best Buy – then it probably won’t implement HDCP and no protected content makes it to the display. 

As promised here are 3 things to remember when thinking about HDCP:

  1. The transmitter decides when and when not to enforce HDCP.  I use a MacBook, OSX decides when to implement HDCP based on the devices it is connected to.  If you connect a MacBook to a device that support HDCP, your MacBook will discover that and then enforce it.  Why is that a problem?  Consider the case where you plug your macbook into a video switch that has HDCP “on” that then goes to a display that does not have HDCP.  The switch will cause your MacBook to enable HDCP, but by the time that encrypted stream reaches the display it’s unable to show content – back to the black screen.  Keep this in mind – look at ways to modify devices in the signal path to only support HDCP when the transmitted explicitly needs it.
  2. HDCP is not always secure. In fact, earlier versions of HDCP have already been compromised (leave it to smart mathematicans to uncover any vulnerabilities).  Intel admitted that the even the 2.0 algorithm has been compromised and released updates to the approach.  Rumor has it that a Chinese company is building workaround devices to force HDCP back into 2.0 mode so it can continue to be vulnerable.
  3. HDCP is not always on.  This is implied in point 1.  But keep in mind that HDCP is enabled when the transmitter decides to enable it.  For example, watching a purchased video in fullscreen from iTunes will certainly entail HDCP on your video outputs.  Watching that same video in a window on the desktop may not. These decisions are based on the operating system/hardware that manages the media and are often related to ‘Fair use’ law.

What’s the punchline here?

Much like the days of manual distribution, no system is secure, and no system is not without inconvenience.

AV integrators and installers should at least understand the media distribution issues related to protected content and be able to make informed decisions about how to design rooms that will allow users to do what they need in the space to be productive.

You should understand HDCP so your customers don’t have to even know it exists.

Leave a Comment

More posts like this

Technology at Scale - The Future of Cities

[rt_reading_time postfix="min read" postfix_singular="min read"]

July, 2021

Read Post

tech+ Podcast - Digital Nomadism: The Office is Anywhere

[rt_reading_time postfix="min read" postfix_singular="min read"]

April, 2021

Read Post

tech+ Podcast:
40 Billion Cameras and Counting

[rt_reading_time postfix="min read" postfix_singular="min read"]

March, 2021

Read Post