There are several stages.
1. Disc -> Drive
The disc is encrypted with a 'title key'. On the disc is a long list of encrypted 'title keys'. Each model of drive will have its own drive key. Its drive key should then be able to decrypt one of the title keys. (The other encrypted keys are decryptable by other models of drive.)
The disc also contains data on whether particular drives have been blocked, particular software has been blocked, or whether there are new keys. The drive will read this whenever a disc is inserted. If the data on the disc is newer than the data in the drive's firmware, it will automatically flash the new data into its firmware.
The encryption key system is designed so that there are many levels of 'master keys' - a so-called 'broadcast encryption' system. This means each individual drive could have its own set of keys, yet the key list on the disc wouldn't need to be very long. It is possible to choose the list of keys included on the disc in such a way that they can deactivate either a single drive key, a set of keys belonging to a model, or a set of keys belonging to a whole manufacturer.
2. Drive -> PC
The drive verifies that the PC OS (or DVD player device) is authorised to access the drive. The drive has a list of authorised OSs/software/player hardware (the host), and will verify that the device possesses the correct encryption certificate to access the data on the disc.
As in step 1, the encryption system allows individual player software, etc. to be blocked. The drives also hold a list of blocked hosts in firmware (autoflashed when a disc is inserted) and will shut down if the host is on the blocked list.
Once the host has been authorised, the decrypted 'title key' is given to the host. The host can then read the encrypted data off the drive.
3. Player
Using the decryption key, the player decrypts the data it reads from the main files on the disc. It then passes the data through the appropriate CODEC to produce a series of uncompressed frames which need to be sent to the screen.
(The AACS 'hack' attacked this stage - by using debugger software it was possible to extract the 'title key' from RAM being used by a software HD DVD player.)
4. Graphics card/hardware
The uncompressed images are sent to the graphics card for display. In the case of PCs, the software should check if the graphics card supports HDCP. If it doesn't, the software should refuse to decode the video. In the case of Windows Vista, the OS will somehow detect that a premium disc is being played, and intercept the data before it gets to the graphics card, degrading it.
The data at this stage may not be encrypted. However, in Vista, MS have added a facility that would allow the data to be re-encrypted on its way to the graphics card.
5. Graphics hardware -> Display
The HDCP encrypter (graphics card) and decrypter (monitor) have their own set of keys (each model of device has a unique set of keys). The two systems negotiate encrypted communication between each other.
The encrypter has in its firmware a list of blacklisted decrypters. (So if someone buys a set of grey-market HDCP decrypter chips, and makes them into decryption boxes instead of plasma TVs as they promised, those chips can be blocked.) The firmware can be updated with new lists as compromised decryption chips are discovered.
I'm not sure how this firmware update would take place (possibly new graphics card drivers may include new lists), or possibly there is some way for the data on protected discs to automatically flash the HDCP chip (much as how the drive self-flashes).
Again, the driver issue may be a possibility, as Vista 64 bit (which is the only version to support HDCP fully) has the ability to blacklist driver versions. So if a certain type of decrypter box was released to market, updated drivers could be issued that could not communicate with that box. Subsequently the old drivers could be blacklisted, so could no longer be installed.
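
The short key list and selective revocation described in stage 1 can be illustrated with a small key tree. This is an added example, not code from the original text or from AACS: it uses a simple "complete subtree" broadcast-encryption scheme, and the 16-drive tree, the key derivation and the XOR key wrap are constructed assumptions for the demo.

```python
import hashlib

DEPTH = 4                      # constructed tree: 2**4 = 16 drives at the leaves
FIRST_LEAF = 1 << DEPTH        # heap numbering: root is 1, leaves are 16..31

def node_key(node):
    # Constructed stand-in for the random per-node keys a licensor would issue.
    return hashlib.sha256(b"demo-node-key-%d" % node).digest()

def path(drive):
    """Nodes from a drive's leaf up to the root; the drive stores all their keys."""
    node, nodes = FIRST_LEAF + drive, []
    while node >= 1:
        nodes.append(node)
        node //= 2
    return nodes

def cover(revoked):
    """Subtree roots whose leaves are exactly the drives that are NOT revoked."""
    if not revoked:
        return [1]
    tainted = {n for d in revoked for n in path(d)}
    return sorted(c for n in tainted if n < FIRST_LEAF
                  for c in (2 * n, 2 * n + 1) if c not in tainted)

def xor(a, b):
    # Toy key wrap for the demo only; a real system would use a block cipher.
    return bytes(x ^ y for x, y in zip(a, b))

def make_key_list(title_key, revoked):
    """The list written to the disc: title key wrapped under each cover node key."""
    return {n: xor(title_key, node_key(n)) for n in cover(revoked)}

def recover(drive, key_list):
    """A drive tries each of its own node keys against the disc's list."""
    for n in path(drive):
        if n in key_list:
            return xor(key_list[n], node_key(n))
    return None                # no entry matches: this drive has been revoked

if __name__ == "__main__":
    title_key = hashlib.sha256(b"constructed title key").digest()
    for label, revoked in [("one drive", {5}), ("one model", set(range(8, 12))),
                           ("one manufacturer", set(range(8, 16)))]:
        key_list = make_key_list(title_key, revoked)
        ok = [d for d in range(16) if recover(d, key_list) == title_key]
        print(label, "-> list nodes", sorted(key_list), "working drives", ok)
```

Here a "model" is four adjacent leaves and a "manufacturer" is eight; revoking a whole subtree needs fewer list entries than revoking one drive, which is why the list on the disc stays short.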