KDM (Key Delivery Message). The data message type used to carry encrypted keys to a target player, authorizing the player to decrypt and play the associated encrypted content.
When DCPs are encrypted, they require a special key to open them, and this key is encoded into a KDM. KDMs allow you to specify which facilities can and cannot view your film and can be sent out at your discretion.
KDM is the acronym for Key Delivery Message. A KDM is required to play an encrypted movie. Each KDM enables one version of the movie to play on a target playback device for a limited duration, which could be hours, weeks, or months.
The KDM is the vehicle for securely delivering symmetric content encryption keys to authorized playback equipment. A KDM targets only one playback device, and is an expression of trust in the targeted device. Further, the trust conveyed by a KDM is only expressed for one encrypted Composition. Each content version, expressed as a separate Composition, requires a different KDM to play.
Symmetric keys carried by the KDM are encrypted, making the KDM intrinsically secure. It does not rely on a secure transport, such as TLS, to secure the keys it carries. For example, a KDM can be posted on a public web page, with the only possible outcome being that the single device authorized by the KDM will be capable of playing the associated content in accordance with the conditions carried in the KDM.
It follows that trust is expressed at the time of creation of the KDM, and not in the distribution of the KDM. This reduces the distribution of the KDM to a matter of pure logistics, without concern for the security of the transport mechanism. If a KDM arrives at the wrong destination, for example, the security of the Composition it addresses will not be compromised.
In performing its role as the communicator of trust, the KDM carries certain data:
Encrypted symmetric content keys necessary to play an encrypted Composition
Composition identifier associating the KDM with the Composition for which it was created
Date/time validity period for use of the content keys
Forensic marking instructions
Identifier of the targeted media block (the “recipient”)
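The conditions carried in those fields can be checked as in the following added example, which is not part of the original page or of any SMPTE code. It uses a constructed, simplified XML layout whose element names, device identifiers and function names are assumptions rather than the ST430-1 schema, and it covers only the authorization conditions, not decryption of the content keys.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample. Element names are simplified assumptions, not the SMPTE schema.
SAMPLE_KDM = """<KDM>
  <Recipient>thumbprint-of-media-block-A</Recipient>
  <CompositionId>urn:uuid:00000000-0000-0000-0000-00000000c0de</CompositionId>
  <NotValidBefore>2024-03-01T18:00:00+00:00</NotValidBefore>
  <NotValidAfter>2024-03-08T06:00:00+00:00</NotValidAfter>
  <ForensicMarking>enabled</ForensicMarking>
  <EncryptedKey>constructed-placeholder-not-a-real-key</EncryptedKey>
</KDM>"""
SAMPLE_NOW = datetime(2024, 3, 2, 20, 0, tzinfo=timezone.utc)  # constructed clock value

def parse_kdm(xml_text):
    """Pull the authorization conditions out of the simplified KDM."""
    root = ET.fromstring(xml_text)
    def text(tag):
        node = root.find(tag)
        if node is None or not (node.text or "").strip():
            raise ValueError(f"KDM is missing required field {tag}")
        return node.text.strip()
    kdm = {
        "recipient": text("Recipient"),
        "composition_id": text("CompositionId"),
        "not_before": datetime.fromisoformat(text("NotValidBefore")),
        "not_after": datetime.fromisoformat(text("NotValidAfter")),
        "forensic_marking": text("ForensicMarking"),
        "key_count": len(root.findall("EncryptedKey")),
    }
    if kdm["not_before"].tzinfo is None or kdm["not_after"].tzinfo is None:
        raise ValueError("validity period must carry a UTC offset")
    if kdm["not_before"] >= kdm["not_after"] or kdm["key_count"] == 0:
        raise ValueError("empty validity period or no content keys")
    return kdm

def playback_refusals(kdm, device_id, composition_id, now):
    """Return the reasons this device must refuse playback; empty means allowed.
    `now` must be timezone-aware."""
    reasons = []
    if kdm["recipient"] != device_id:
        reasons.append("wrong-recipient")        # a KDM targets exactly one device
    if kdm["composition_id"].lower() != composition_id.lower():
        reasons.append("wrong-composition")      # one KDM, one Composition
    if now < kdm["not_before"]:
        reasons.append("not-yet-valid")
    elif now > kdm["not_after"]:
        reasons.append("expired")
    return reasons
```

A KDM delivered to media block B, or presented for a different Composition or outside its validity window, yields a non-empty refusal list, which is why misdelivery is a logistics problem rather than a security one.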
Structurally, the KDM is a form of a generic message type called Extra-Theater Message (ETM). The designers of the ETM envisioned a class of security messages that would require the common set of features defined by this message type. However, in practice, only the KDM utilizes the ETM. For this reason, two SMPTE standards, SMPTE ST430-1 KDM and SMPTE ST430-3 ETM, are required for a complete definition of the KDM.