Digital cinema uses a two-step encryption method.
Every media asset of an encrypted DCP is encrypted with a 128-bit AES key. This step is symmetric: the same key is used for encryption (during mastering of the DCP) and for decryption (during playback in the movie theatre).
To transport these media keys safely to cinemas, an asymmetric encryption method (2048-bit RSA) is used. Asymmetric encryption uses key pairs consisting of a public and a private key. A message encrypted with the public key can only be decrypted with the private key. The public key cannot be used to decrypt the message, so it can be safely published and forwarded.
So the AES media keys are sent to cinemas as a Key Delivery Message (KDM), encrypted with the public key of the corresponding projection system and provided with a validity period. At the cinema the KDM is imported on the projector, and the media keys are extracted with the private key, which is stored securely inside the projector. With the extracted media keys the DCP is decrypted during playback.
This means that the same DCP goes out to every cinema, but there has to be a separate KDM for every projection system that will show the DCP. For any KDM that is generated we have to retrieve the corresponding public key / server certificate of the projection system for which the KDM is valid. For this purpose we maintain a database of all projectors in the field, with the information in which movie theatre and cinema hall each projector is used.
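The two-step scheme described above, as an added Go example that is not part of the original page and does not model any real DCP or KDM format: step one encrypts a media asset with a fresh random 128-bit AES key, step two wraps that key for one projector's 2048-bit RSA public key and attaches a validity window, and the projector side enforces the window and unwraps the key with its private key. AES-GCM, RSA-OAEP, the `KDM` struct and the `time.Time` validity check are assumptions chosen for illustration; a real KDM is an XML document with more fields, and the real MXF track-file encryption mode is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// KDM models only the parts of a Key Delivery Message that matter here:
// the media key encrypted to one projector's RSA public key, plus the
// validity period. (Constructed simplification, not the real XML format.)
type KDM struct {
	EncryptedMediaKey []byte
	NotBefore         time.Time
	NotAfter          time.Time
}

// GenerateProjectorKeyPair stands in for the 2048-bit RSA key pair inside a
// projection system; the private half never leaves the device.
func GenerateProjectorKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptAsset is step one: encrypt a media asset with a random 128-bit AES
// key. AES-GCM is an assumption for illustration, not the DCP track format.
func EncryptAsset(asset []byte) (mediaKey, nonce, ciphertext []byte, err error) {
	mediaKey = make([]byte, 16) // 128-bit symmetric key
	if _, err = rand.Read(mediaKey); err != nil {
		return nil, nil, nil, err
	}
	block, err := aes.NewCipher(mediaKey)
	if err != nil {
		return nil, nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, nil, err
	}
	ciphertext = gcm.Seal(nil, nonce, asset, nil)
	return mediaKey, nonce, ciphertext, nil
}

// DecryptAsset is the playback side of step one, using the unwrapped media key.
func DecryptAsset(mediaKey, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(mediaKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// IssueKDM is step two: wrap the media key with the target projector's public
// key (RSA-OAEP with SHA-256) and attach the validity period.
func IssueKDM(projectorPub *rsa.PublicKey, mediaKey []byte, notBefore, notAfter time.Time) (KDM, error) {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, projectorPub, mediaKey, nil)
	if err != nil {
		return KDM{}, err
	}
	return KDM{EncryptedMediaKey: wrapped, NotBefore: notBefore, NotAfter: notAfter}, nil
}

// OpenKDM is what the projector does on import: enforce the validity window,
// then unwrap the media key with the private key held inside the device.
func OpenKDM(projectorPriv *rsa.PrivateKey, kdm KDM, now time.Time) ([]byte, error) {
	if now.Before(kdm.NotBefore) || now.After(kdm.NotAfter) {
		return nil, errors.New("KDM outside its validity period")
	}
	mediaKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, projectorPriv, kdm.EncryptedMediaKey, nil)
	if err != nil {
		// A KDM issued for another projector fails here: this private key
		// cannot unwrap a key that was encrypted to a different public key.
		return nil, fmt.Errorf("KDM not issued for this projector: %w", err)
	}
	return mediaKey, nil
}

func main() {
	asset := []byte("constructed sample reel bytes") // constructed stand-in for a track file
	mediaKey, nonce, ct, _ := EncryptAsset(asset)
	projector, _ := GenerateProjectorKeyPair()
	now := time.Now()
	kdm, _ := IssueKDM(&projector.PublicKey, mediaKey, now.Add(-time.Hour), now.Add(24*time.Hour))
	key, err := OpenKDM(projector, kdm, now)
	if err != nil {
		fmt.Println("KDM rejected:", err)
		return
	}
	pt, _ := DecryptAsset(key, nonce, ct)
	fmt.Printf("playback recovered %q\n", pt)
}
```

The same DCP ciphertext is produced once; only `IssueKDM` is repeated per projection system, which is exactly why the projector database in the text is needed: without the correct public key for a given projector, the issued KDM cannot be opened on it.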
And this is what a Key Delivery Message looks like in detail: