Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
ISO 26430-6: Auditorium Security Messages for Intra-Theater D-Cinema Communications
Secure Request-Response Protocol Using TLS and KLV Encoding for Digital Cinema Exhibition Networks
Introduction to Auditorium Security Messages
ISO 26430-6, adopted from SMPTE 430-6, defines the Auditorium Security Message (ASM) specification for secure intra-theater communications between D-Cinema devices. The standard enables interoperable communication of security-critical information between Security Managers and remote Secure Processing Blocks (SPBs) over an exhibition network. ASM uses Transport Layer Security (TLS) for authentication and confidentiality, combined with Key-Length-Value (KLV) coding for message encoding.
The ASM protocol uses well-known port 1173, reserved by IANA specifically for D-Cinema security Request-Response Pairs (RRPs), ensuring no conflicts with other theater network services.
Protocol Architecture and Message Structure
ASM communications follow a synchronous Request-Response Pair (RRP) model. Each RRP consists of a Request from the Initiator (typically the Security Manager within an Image Media Block) followed by a Response from the Responder (the remote SPB). TLS sessions are established with mutual authentication using D-Cinema compliant X.509 certificates, ensuring both endpoints verify each other identity before any security-critical data exchange.
Message encoding uses Fixed Length Pack KLV encoding per SMPTE 336M. Each KLV packet has a 16-byte Universal Label (UL) key, a BER-encoded 4-byte length field, and a variable-length value. The TLS cipher suite is constrained to TLS_RSA_WITH_AES_128_CBC_SHA with 2048-bit RSA keys, AES-128-CBC symmetric cipher, SHA-1 hashing, and a fixed 512-byte record size.
| ASM Command Category | Commands | Purpose |
|---|---|---|
| General Purpose | BadRequest, GetTime, GetEventList, GetEventID, QuerySPB | Remote SPB management, time sync, event logging, health monitoring |
| Link Encryption | LEKeyLoad, LEKeyQueryID, LEKeyQueryAll, LEKeyPurgeID, LEKeyPurgeAll | Link encryption key management for secure content streaming |
Engineering Insights for Implementation
The Responder must maintain a key buffer for at least 16 LE keys and key IDs. The LEKeyLoad command delivers keys using a batch structure, each containing LE Key ID (4 bytes), Key (16 bytes), Expire Time (4 bytes, in seconds), and Attribute Data (8 bytes for AES counter mode seeding). The Overflow response element informs the Initiator when the key buffer would be exceeded, allowing adaptive key management.
The KLV Length field uses a BER-encoded fixed 4-byte format. For example, a 12-byte Value field encodes as 0x83 0x00 0x00 0x0C. Implementations must strictly follow this encoding to avoid parsing failures that could be exploited by attackers.
One notable design decision is the synchronous RRP constraint: each pairing must complete before a new RRP is opened between the same two SPBs. Responders unable to respond within 2 seconds (for both general purpose and link encryption commands) should issue a BadRequest response with a busy indicator. This prevents resource exhaustion and simplifies state management in security processors.
FAQs
Q: What is the purpose of mutual authentication in ASM?
A: Mutual authentication enables the Responder (remote SPB) to receive and record the Initiator (Image Media Block) certificate thumbprint for logging and audit purposes. It also prevents man-in-the-middle attacks by ensuring both endpoints verify each other identity before any security data exchange.
A: Mutual authentication enables the Responder (remote SPB) to receive and record the Initiator (Image Media Block) certificate thumbprint for logging and audit purposes. It also prevents man-in-the-middle attacks by ensuring both endpoints verify each other identity before any security data exchange.
Q: How does the GetTime command support security logging?
A: The GetTime command returns the Responder UTC time as a 64-bit integer of seconds since 1970-01-01. The Security Manager uses this to determine the time difference between itself and the remote SPB, removing the delta from log entries for accurate forensic analysis.
A: The GetTime command returns the Responder UTC time as a 64-bit integer of seconds since 1970-01-01. The Security Manager uses this to determine the time difference between itself and the remote SPB, removing the delta from log entries for accurate forensic analysis.
Q: What happens when an SPB receives an unknown command?
A: The Responder issues a BadRequest Response containing a complete copy of the unrecognized Request command. This allows the Initiator to diagnose protocol mismatches or version incompatibilities. For busy conditions, the Request Copy field is set to null (zero length).
A: The Responder issues a BadRequest Response containing a complete copy of the unrecognized Request command. This allows the Initiator to diagnose protocol mismatches or version incompatibilities. For busy conditions, the Request Copy field is set to null (zero length).
