HDCP 2.3 High-bandwidth Digital Content Protection, revision 2.3

Definition and stewardship

HDCP — High-bandwidth Digital Content Protection — is a link-layer encryption scheme applied across HDMI, DisplayPort, MHL, USB-C, and several wireless interfaces, designed to stop the digital content carried on the link from being captured between a source (a Blu-ray player, a streaming box) and a sink (a TV or projector). The standard is maintained and licensed by Digital Content Protection LLC, a wholly owned Intel subsidiary, which manufacturers must license to ship compliant devices.

The HDCP 2.3 on HDMI Specification was published on February 28, 2018; the companion Interface Independent Adaptation Specification, Revision 2.3 followed on March 2, 2018, and the DisplayPort mapping at Revision 2.3 came on January 23, 2019. HDCP 2.3 succeeded HDCP 2.2, the previous mainstream revision used for 4K-era content.

Version history

HDCP 2.x is not a continuation of HDCP 1.x — it is a different protocol. The 1.x line uses a proprietary stream cipher in which each decoded pixel is XOR-ed against a 24-bit value derived from per-device secret keys exchanged via Blom's scheme. The 2.x line replaces that with industry-standard primitives: 128-bit AES in counter mode for content encryption, RSA (with 3072-bit and 1024-bit key sizes) for certificate-based authentication and key transport, and HMAC-SHA256 for message authentication.

Within the 2.x line, HDCP 2.3 is an incremental security-hardening revision of HDCP 2.2 rather than a new architecture. The additions are more stringent device-security mechanisms — hardware root of trust, hardened execution environment, runtime integrity checking, and an integrity check after unauthorized modification — together with a tightened locality check used to bound the round-trip distance between transmitter and receiver. The locality check existed in HDCP 2.2 and was tightened in HDCP 2.3; some consumer-tier sources describe it as "new in 2.3," but the DCP specifications listing and W3C EME registry place it in 2.2. A July 2021 errata from DCP further required transmitter implementations to upgrade the locality-check protocol, with an 18-month compliance window.

For home-theater purposes, the version that matters at the content level is 2.2. Playback of premium 4K content — UHD Blu-ray and most 4K HDR streams — requires HDCP 2.2 (or 2.3, which is backward compatible with it) on every link in the chain: source, any AVR or switch in the middle, the cable, and the display. A single non-2.2 device anywhere in the path will block 4K HDR playback or force a downgrade.

Authentication and enforcement

HDCP 2.x authentication runs in three phases. First is Authentication and Key Exchange (AKE): the transmitter sends an AKE_Init containing a 64-bit pseudo-random nonce, the receiver returns its DCP-signed public certificate, and the transmitter verifies it against the certificate authority and against the System Renewability Message revocation list. Second is the Locality Check: the transmitter sends a nonce, both sides compute a value, and the receiver must return a matching value within a tight time bound — the round-trip ceiling that defeats relay attacks. Third is Session Key Exchange (SKE): the transmitter generates a 128-bit session key plus a 64-bit IV, encrypts the session key under the receiver's public key, and AES-CTR encryption of audio and video then begins.

When authentication fails, the source has three documented behaviors depending on the content's policy. Most commonly the output is blanked — black screen, or an "HDCP unauthorized" message. Some sources fail gracefully by silently downgrading to 1080p, which is why a viewer can believe they are watching 4K when the chain has actually fallen back. Premium-flagged content refuses to play at all rather than downgrade.

The enforcement model exists because the threat is real. An HDCP stripper sits between a compliant source and a downstream device, completes HDCP authentication on the source's behalf, and re-emits decrypted video as a clean unencrypted HDMI signal that can be captured. After several 4K Netflix and Amazon titles leaked starting in late 2015, Warner Bros. and DCP LLC sued HDFury (LegendSky) over its 4K HDCP-stripping splitters; in 2016 a U.S. court ordered $5 million in DMCA damages. The hardware root of trust and tightened locality check in 2.3 are aimed squarely at that class of device.

Real-world failure modes

In a home-theater chain, the most common HDCP failure is not a 4K source or a 4K display — it is a middle device that does not properly pass through the source's HDCP version. An older AVR, a soundbar with HDMI input, or an HDMI switch sitting between an HDCP 2.2 source and a 4K display can block the entire path. Because every link must agree, an AVR that is only HDCP 1.4, or that mishandles 2.2 pass-through, takes the chain down. Denon's official guidance attributes most reports to the source not asserting its HDCP flag correctly, or to the AVR not authenticating it correctly, and recommends EDID/HDCP reset, firmware updates, and confirming compliant cabling within the 33-foot HDMI specification.

"HDCP handshake" issues — intermittent black flashes, "No signal" on input switch, a blank screen that clears after a power cycle — are symptoms of the same convergence problem. Standard remediation runs in roughly the order of likelihood: power-cycle in the order sink, then repeater, then source, so each device re-reads downstream EDID; update firmware on the AVR and source, since HDCP fixes are common in firmware notes; swap to a Premium High Speed or Ultra High Speed Certified HDMI cable kept under 33 feet; and as a last resort bypass the AVR with a direct source-to-display run to isolate which link is non-compliant.

HDCP 2.3 sources interoperate with HDCP 2.2 sinks and vice versa. The harder break is across the 1.x boundary: HDCP 2.x as a family is architecturally separate from HDCP 1.x and interoperates with 1.x hardware only when the 2.x device explicitly bundles a 1.x implementation, or when a dedicated converter sits in the path. HDCP 2.2 was also deliberately broken away from 2.0/2.1, which had known weaknesses, and does not interoperate with those earlier 2.x revisions.