conditional access system


Published on

Published in: Technology, Business
1 Comment
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

conditional access system

  1. 1. Functional model of aconditional access systemEBU Project Group B/CA EBU Project Group B/CA has developed a functional model of a conditional access system for use with digital television broadcasts. It should be of benefit to EBU Members who intend to introduce encrypted digital broadcasts; by using this reference model, Members will be able to evaluate the different conditional access systems that are available. 1. Introduction The model is not intended as a A conditional access (CA) system comprises a specification for a particular system. combination of scrambling and encryption to Rather, it provides a framework for prevent unauthorized reception. Scrambling is the defining the terms and operating process of rendering the sound, pictures and data principles of conditional access unintelligible. Encryption is the process of pro- systems and it illustrates some of the tecting the secret keys that have to be transmitted conflicts and trade-offs that occur with the scrambled signal in order for the when designing such systems. descrambler to work. After descrambling, any defects on the sound and pictures should be imperceptible, i.e. the CA system should be trans- parent. – to enforce payments by viewers who want ac- cess to particular programmes or programme The primary purpose of a CA system for broad- services; casting is to determine which individual receivers/ set-top decoders shall be able to deliver particular – to restrict access to a particular geographical programme services, or individual programmes, to area because of programme-rights consider-Original language: English the viewers. The reasons why access may need to ations (territorial control can be enforced if theManuscript received 6/10/95. be restricted include: receiver has a built-in GPS system);64 EBU Technical Review Winter 1995 EBU Project Group B/CA
  2. 2. Glossary Access Control System/Conditional Access System: The Pay-Per-View (PPV): A payment system whereby the complete system for ensuring that broadcasting services are viewer can pay for individual programmes rather than take only accessible to those who are entitled to receive them. out a period subscription. Pay-Per-View can work by debiting The system usually consists of three main parts – signal electronic credit stored in a smart card, by purchasing smart scrambling, the encryption of the electronic “keys” needed by cards issued for special programmes, or by electronic the viewer, and the subscriber management system which banking using a telephone line to carry debiting information ensures that viewers entitled to watch the scrambled from the home to the bank. programmes are enabled to do so. Period Subscription: The most popular payment system, in Algorithm: A mathematical process (e.g. DES, RSA) which which the viewer subscribes to a programme service for a can be used for scrambling and descrambling a data stream. calendar period (e.g. one year). Bouquet: A collection of services marketed as a single Piracy: Unauthorized access to controlled programmes. entity. Common methods of piracy include the issue of counterfeit Conditional Access Sub-System (CASS): The part of the smart cards and decoders which bypass all or part of the decoder which is concerned with decoding the electronic access control system. The use of video cassette recorders keys, and recovering the information needed to control the to record descrambled pictures for distribution among descrambling sequence. It is now usually implemented, all or friends/colleagues is also a simple method of piracy. in part, as a smart card. Programme: A television (or radio) presentation produced Control Word: The key used in the descrambler. by programme providers for broadcasting as one of a sequence. A programme is a grouping of one or more events. Descrambling: The process of undoing the scrambling to yield intelligible pictures, sound and/or data services. Scrambling: The method of continually changing the form of the broadcast signal so that, without a suitable decoder and Electronic key: A general term for the data signals used to electronic key, the signal is unintelligible. control the descrambling process in the decoders. There are several different levels of key, identifying the network which Service: A sequence of events, programmes or data, based the subscriber is entitled to access, the services within that on a schedule, assembled by a service provider to be network that are available to the subscriber and the detailed delivered to the viewer. control information to operate the descrambler. The ECMs SimulCrypt: A system for allowing scrambled picture/sound are one component of this “key” data; all levels must be signals to be received by decoders using different access correctly decrypted in order to view the programme. control systems. The principle of the system is that the Encryption: The method of processing the continually- different ECMs and EMMs needed for the various access changing electronic keys needed to descramble the control systems are sent over-air together. Any one decoder broadcast signals, so that they can be securely conveyed to picks out the information it needs and ignores the other the authorized users, either over-the-air or on smart cards. codes. It is analagous to providing multiple front doors to a large house, each with a different lock and its own door key. Entitlement Control Message (ECM): A cryptogram of the control word and the access conditions. An ECM is a Smart Card: A device that looks rather like a credit card; it is specific component of the electronic key signal and used as a token of entitlement to descramble broadcast over-the-air addressing information. The ECMs are used to signals. Most of the major European access control systems control the descrambler and are transmitted over-air in use smart cards. Other systems that bury the same encrypted form. functionality inside the decoder do not usually allow the system to be changed to combat piracy or to add new Entitlement Management Message (EMM): A message services. Smart cards can be issued by the Subscriber authorizing a viewer to descramble a service. An EMM is a Management System which can validate them by specific component of the electronic key signal and pre-programming them with keys to authorize access to over-the-air addressing information. The EMMs are used to certain tiers of programmes and/or data services. As part of switch individual decoders, or groups of decoders, on or off the same issuing and validation process, the card may be and are transmitted over-air in encrypted form. personalised to make each one valid for one particular Event: A grouping of elementary broadcast data streams decoder only. with a defined start and time (e.g. an advert or a news flash). Subscriber Authorization System (SAS): The centre Impulse Pay-Per-View: Impulse Pay-Per-View requires no responsible for organizing, sequencing and delivering EMM pre-booking. This rules out some Pay-Per-View methods and ECM data streams under direction from the Subscriber (e.g. issuing smart cards for specific programmes). Smart Management System. card debit, or electronic banking via telephone line, both support impulse Pay-Per-View. Over-the-air addressing can Subscriber Management System (SMS): The business support impulse PPV, provided that the time taken to process centre which issues the smart cards, sends out bills and the request is sufficiently small (this implies a relatively large receives payments from subscribers. An important resource capacity for over-the-air addressing data in the transmission of the Subscriber Management System is a database of channel. infromation about the subscribers, the serial numbers of the decoders and information about the services to which they Multiplex: An assembly of all the digital data that is carrying have subscribed. In commercial terms, this information is one or more services within a single physical channel. highly sensitive.EBU Technical Review Winter 1995 65EBU Project Group B/CA
  3. 3. Figure 1Vertically-integrated Service Transmission Viewers/ SMS SAS provider system operator IRDsCA system. Service Transmission Viewers/ provider SMS SAS system operator IRDs AFigure 2Devolved CA system. Service provider B Service SMS SAS Transmission Viewers/ provider X I system operator IRDs AFigure 3 ServiceDevolved/shared/common SMS SAS providerCA system. Y J B Service SMS provider Z CKEY: Programmes SMS = Subscriber Management System SAS = Subscriber Authorization System Entitlements to view IRD = Integrated Receiver Decoder Money, addresses and bills Money and addresses66 EBU Technical Review Winter 1995 EBU Project Group B/CA
  4. 4. – to facilitate parental control (i.e. to restrict the names, addresses and entitlement status of access to certain categories of programme2). viewers to their own services. An alternative model of a devolved CA system is 2. Transactional models shown in Fig. 3. Here, there are two independentTransactional models can be used to illustrate the CA Subscriber Authorization System (SAS) oper-underlying commercial transactions that take ators, I and J (see Section 5.3.). System J is usedplace in a conditional access broadcasting system, by service provider C only, whereas system I isin a way which is independent of the technology used by all three service providers. Conversely,employed. A similar analogy is sometimes used service providers A and B use system I only,for the sale of goods to the public through retail and whereas service provider C uses systems I and J.wholesale chains: in that situation, there is a flow Thus, viewers to the services provided by C canof goods and services in one direction – from the use a decoder which is appropriate for eithermanufacturers to the end customers – and a flow of system I or J. A further feature of this model is thatmoney in the reverse direction. the billing and the money flow is directly between the viewers and the Subscriber ManagementA model of a vertically-integrated CA system is System (SMS) operators (see Section 5.3.); it doesshown in Fig. 1. Here, the service provider is also not pass via the SAS operators or the transmissionthe network operator and the CA system operator. system operators. Consequently, sensitive in-Historically, CA systems originated in this form formation about the names and addresses of sub-and the model remains true for many cable scribers is known only to the appropriate servicesystems today: the cable operator acts as the ser- provider.vice provider (usually by purchasing the rights toshow programmes made by third parties) and also 3. Functional model of a CAas the carrier and the CA system operator. In suchcircumstances, and especially where – as in most reference systemcable systems – the cable operator supplies and A functional model of a hypothetical CA referenceowns the decoders, a single proprietary system is system is now described. The model is looselyacceptable, because there is no requirement to based on the Eurocrypt conditional access systemshare any part of the system with competitors. but its principles of operation are expected to apply to CA systems generally.A model of a devolved CA system is shown inFig. 2. In this case, the functions of the serviceprovider, network operator and CA system 3.1. Conditional Accessoperator are split. Indeed, there are two separate Sub-Systemservice providers, A and B, who share a common A Conditional Access Sub-System (CASS) is adelivery system (owned and operated by a third detachable security module which is used as partparty) and a common CA system which is owned of the CA system in a receiver. It is also possibleand operated by a different third party. Thus all to embed the security module in the receiver itself,billing and collection of money is carried out by in which case each receiver will typically have itsthe CA system operator who then passes on pay- own secret individual address. Replacement of thements in respect of programme rights back to the CASS is one means of recovering from a piracy at-appropriate service providers. This model is true tack. Replacement of the CASS also enables newfor many analogue satellite systems today and features to be added to the system as and when theyalso applies to a retail market in which there is are developed.only one retailer. Note how the CA system opera-tor has information about the names, addresses For analogue systems and some digital systems,and entitlement status of all viewers; programme the CASS is typically a smart card [1]. For digitalproviders, on the other hand, have access only to systems which use the Common Interface (see Section 3.6.), the CASS will be a PCMCIA3 mod-2. This is generally a Service Information (SI) function. ule and this may have an associated smart card. However, regulators might specify that programmes should be scrambled where parental control is required. In current analogue systems, parental control often uses 3. Personal Computer Manufacturers Computer Interface the CA system. Association.EBU Technical Review Winter 1995 67EBU Project Group B/CA
  5. 5. 3.2. Scrambling and descrambling are used to recover the descrambling control word in the decoder – is illustrated in Fig. 5. The ECMs The basic process of scrambling and descrambling are combined with a service key and the result is the broadcast MPEG-2 transport stream [2] is decrypted to produce a control word. At present, shown in Fig. 4. The European DVB Project has the control word is typically 60 bits long and is up- defined a suitable, highly-secure, Common dated every 2-10 seconds. Scrambling Algorithm. If the access conditions are to be changed at a pro- 3.3. Entitlement Control Messages gramme boundary, it may be necessary to update the access conditions every frame, which is much The generation, transmission and application of more frequently than is required for security Entitlement Control Messages (ECMs) – which reasons. Alternatively, a change in access condi-Figure 4Basic scrambling system. Tx Rx MPEG-2 MPEG-2 transport transportPicture stream Picture streamSound MUX Scrambler Modulator Demodulator Descrambler Demux Sound Data Data Note: In such a basic scrambling system, possession of a descrambler gives permanent entitlement to view.Figure 5Scrambling system withEncrypted Control Words. Tx RxPicture PictureSound MUX Scrambler Modulator Demodulator Descrambler Demux Sound Data Data ECMs CW CW ECMsService Encrypter Decrypter key Service Control Word key Note 1: Descrambling requires possession of a descrambler, a generator decrypter and the current service key. Note 2: Decryption recovers the descrambling Control Words (CW) from the Entitlement Control Messages (ECMs).68 EBU Technical Review Winter 1995 EBU Project Group B/CA
  6. 6. tions could be made frame-specific by sending out over-air or by another route, e.g. via a telephonea change in entitlements in advance and then insti- line. To retain the confidentiality of customer in-gating the change with a flag. A third method formation, it is best that the card supplier deliverswould be to change the control word itself at a the smart cards direct to the Subscriber Manage-programme boundary. However, the second and ment System (or another business centre whichthird approaches would not allow a programme guarantees confidentiality) for mailing to theproducer to change the access conditions instanta- viewer (see Section 3.5.).neously. It is possible to supply the cards through retail out- 3.4. Entitlement Management lets as well, provided the retailer can guarantee Messages confidentiality. In this situation, considerable care has to be taken if the cards have been pre-The generation, transmission, and application of authorized by the SAS, because such cards will beEntitlement Management Messages (EMMs) by a worthwhile target for theft.the Subscriber Authorization System is illustratedin Fig 6. When using the CA Common Interface [3], in con- juction with a PCMCIA module acting as theThe card supplier provides the CASS (usually a CASS, the descrambler is also situated in thesmart card) and then the SAS sends the EMMs CASS. Figure 6 Scrambling system with encrypted Control Words and Entitlement Management Messages. Tx RxPicture Picture Sound MUX Scrambler Modulator Demodulator Descrambler Demux Sound Data Data EMMs ECMs CW CW ECMs EMMs Entitlement Management Messages via telephone line (and validation return) Encrypter Encrypter Decrypter Decrypter Service Validation key Subscriber Security Control Word SMART card Authorization processor generator supplier System (secret keys) Conditional Access Sub-System (CASS) Note 1: Descrambling requires possession of a descrambler, a decrypter and the current service key. Note 2: Decryption requires the Entitlement Management Messages (EMMs) for the current programme – which usually involves secret keys stored in a detachable Conditional Access Sub-System (CASS).EBU Technical Review Winter 1995 69EBU Project Group B/CA
  7. 7. 3.5. Subscriber Management The CA system is contained in a low-priced, pro- System prietary module which communicates with the IRD via the Common Interface. No secret condi- As shown in Fig 7., the reference model is com- tional access data passes across the interface. pleted by the addition of a Subscriber Management System (SMS), which deals with the billing of The Common Interface allows broadcasters to use viewers and the collection of their payments. The CA modules which contain solutions from differ- control word need not be a decrypted ECM; it can ent suppliers, thus increasing their choice and anti- be generated locally (e.g. from a seed) which piracy options. means that the control word could be changed very quickly. 3.6. Common Interface 4. General requirements of a CA system The European DVB Project has designed a Common Interface for use between the Integrated To be acceptable for use by EBU members, a Receiver Decoder (IRD) and the CA system. As conditional access system needs to meet the fol- shown in Fig. 8, the IRD contains only those ele- lowing general requirements, some of which con- ments that are needed to receive clear broadcasts. flict.Figure 7Scrambling system withencrypted Control Words,Entitlement ManagementMessages and SubscriberManagement System. Tx RxPicture PictureSound MUX Scrambler Modulator Demodulator Descrambler Demux Sound Data Data EMMs ECMs CW CW ECMs EMMs Entitlement Management Messages via telephone line (and validation return) Encrypter Encrypter Decrypter Decrypter Service Validation key Subscriber Security Control Word SMART card Authorization processor generator supplier System (secret keys) Conditional Access Sub-System (CASS) Subscriber Bills Management System (SMS) Subscribers (Customer Management) Payments (credit card, Direct Debit, cash, cheque, etc)70 EBU Technical Review Winter 1995 EBU Project Group B/CA
  8. 8. DVB/MPEG integrated receiver/decoder (IRD) MPEG video Picture decoder Tuner Demodulator Demux MPEG video Sound MPEG-2 decoder transport stream Data Validation SI On-screen module decoder graphics (optional) Command Remote Receiver control bus input operating system DVB Common Interface DVB CW descrambler Validation (optional) Module operating system Module Data filters operating (ECMs, EMMs) system Security processor Figure 8 Proprietary SMART card DVB Common (optional) CA system Interface. 4.1. Convenience for viewers bination of programme services to which individual viewers had subscribed.The CA system should impose a minimum of bur- It should be easy for the viewer to pay the neces-den on the authorized viewer at any stage in the sary fees to the programme supplier. Paymenttransaction. In particular it should not require methods should include all forms of monetaryspecial action when changing channels (e.g. transaction including cash, direct debits and creditswapping a smart card or keying in a Personal cards. The viewer might prefer to receive a singleIdentification Number) nor should it significantly bill for any combination of services provided overdelay presentation of picture and sound when a period of time. It may therefore be desirable, but“zapping” (a sensible upper limit on the “zap- not a necessity, for different CA system operatorsping” time is 1 second). to share the use of smart cards. 4.2. SecurityFurthermore, it should be easy to gain initial ac-cess to the broadcasts, requiring the minimum of The CA system must be effective in preventingequipment, outlay and effort. Ideally, the com- piracy, i.e. unauthorized viewing by people who areplete system would be integrated into the televi- not entitled to access particular programmes or ser-sion set which would be able to access any com- vices. Although no CA technology can deliver per-EBU Technical Review Winter 1995 71EBU Project Group B/CA
  9. 9. fect security, the overall system – combined with approved service providers have fair access to a appropriate anti-piracy legislation and evasion- suitable delivery system. deterrent measures – must make piracy sufficiently difficult and/or uneconomic that the levels of 4.5. Autonomy of the service evasion are kept small. Smart cards or payment provider’s business cards must be resistant to tampering. For Pay-Per- View services in particular, the counting mecha- The primary contract should be between the ser- nism which indicates the remaining credit should be vice provider and the viewer. Although third parties immune to resetting by unauthorized parties. (such as common carriers and/or CA system opera- tors) may necessarily be involved in the broadcast- It is very important that the relationship between ing process, the CA system (and any other part of the service provider and the CA system operator is the system) should not require the service provider well defined so that, for example, a CA system to share commercially-sensitive information with operator can be compelled to act when piracy rival service providers, e.g. the identities of cus- reaches a certain level. There are a number of ways tomers and their entitlements to view. to recover from a piracy attack. It is possible to initiate electronic counter measures over-air, 4.6. Low entry and operating costs whereby pirate cards are disabled or subtle changes The cost of setting up and operating the CA system are made in the operation of genuine CASSs. Alter- is significant but must not be prohibitive. In particu- natively, by issuing new CASSs, large changes can lar, it should be capable of being scaled to allow low be made to the conditional access system. start-up costs when the subscriber base is very small. 4.3. Open marketing of digital The system should not pose a constraint on the ulti- receivers mate number of households that can be addressed; this could reach many tens of millions. The costs The viewers should be able to benefit from a large of upgrades to the CA system and of recovering choice of digital receivers or set-top boxes, from security breaches should be minimized by produced by a wide range of manufacturers com- selecting a reliable and secure system. peting in an open market. Such an open market ideally requires that the complete digital broad- casting system, excluding the CA system, be fully 5. Functional requirements of described in open standards which are fully pub- a CA system lished by the appropriate organization (e.g. the ETSI 4 or the ISO5). The terms of licensing any 5.1. Payment schemes Intellectual Property Rights (IPR) included with- It is important that the CA system supports a wide in a standard must be regulated by the appropriate range of charging and payment schemes. standards organization. (For example, in the case of an ETSI standard, licensing is open to all These include: manufacturers on an equitable basis.) – Subscription (pre-payment for a time period of It is undesirable for the CA system to be standard- viewing); ized: instead, the flexibility offered by the DVB – Pay-Per-View (payment for a programme or Common Interface should ensure that a plurality of group of programmes); CA systems may be adopted (see Section 3.6.). – Impulse Pay-Per-View (payment for a pro- 4.4. Open marketing of programme gramme or group of programmes without services advance notice). Pay-Per-View (PPV) and Impulse Pay-Per-View Authorized programme services should be acces- (IPPV) often require the provision of a return path sible to any viewer whose IRD conforms to the from the viewer to the CA system operator: in relevant standard and who has the relevant CA en- many systems this is implemented using a tele- titlements issued solely under the control of the phone connection and a modem built into the service provider. It must also be ensured that all IRD. The return path can be used to record view- ing history, which is important when considering the programme rights issues. 4. European Telecommunications Standards Institute. The acceptability and rules of operation for such a 5. International Organisation for Standardisation. telephone return-path need further study. In par-72 EBU Technical Review Winter 1995 EBU Project Group B/CA
  10. 10. ticular, a system must exist for those viewers who pendent zones so that operators have access todo not have a telephone connection. One possible write to and read from only those zones which con-method would be to purchase credits in advance tain information about entitlements to view theirand to store them as viewing tokens on a smart card own services. Where operators share a securityor CA module. The card or module could be re- device, it is important to resolve who issues and,authorized at a trusted dealer when information on more importantly, who re-issues the security de-past viewing could be transferred to the system vice – especially in the case of a breach of securityoperator. Provided security was not compromised, requiring a change of security would also be possible to have the smart card ormodule credited over-air with tokens which could A particularly important and difficult requirementbe initiated by a telephoned (voice) request from which arises from the need to share decoders is thatthe viewer. There must be a method to ensure that of allowing the IRD to be tuned to broadcastsall service providers are paid fairly for the pro- which do not necessarily carry the same over-airgrammes provided, in proportion to the total num- entitlement messages. It is worthwhile monitoringber of viewer hours. as many EMM data streams as possible, even when the receiver is in standby mode. 5.2. Multiple-decoder households In some instances (for example, message broadcast-The question must be addressed as to whether pay- ing), it is necessary for the broadcaster to be able toment authorizes: address large numbers of decoders in a short period of time. In these situations, it is worth using shared1. the use of only one decoder to receive and keys to reduce the access time for large audiences. decode the services; The audience is subdivided into groups of viewers; each person within a particular group has the same2. use throughout a household, which may have shared key which forms a part of the overall control multiple receivers/decoders and a VCR; word. Also, different messages intended for the3. use by one individual anywhere within a house- same viewer can be combined together. hold, in which case the entitlement needs to be transferable from one IRD to another, probably 5.3.2. Delivery system using a detachable security element such as a smart card. It is obvious that any one delivery medium (e.g. cable network, satellite transponder or terrestrialIn the third case given above, there is a conflict broadcast channel) should be capable of beingwith the requirement to validate the security de- shared between different and perhaps rival broad-vice for use with a particular decoder only. There- casters. Less obvious, but perhaps equally impor-fore, each decoder should have its own CASS and tant, is that any one transport stream should bethe records of multiple CASSs within a household capable of being decoded by different types of de-should be grouped together in the SMS to permit coder, so that one broadcast can simultaneouslyappropriate and reasonable billing. use different kinds of CA system. This is the SimulCrypt concept (see Section 7.1.1.). 5.3. Sharing of the CA system 5.3.3. CA SystemsIn order to provide a fair and open market for CAbroadcasts to develop, it is important that elements When considering the sharing of CA systems atof the CA system can be shared. These include the the sending end, it is important to be able to dividefollowing. the system into two separate functional elements: a) Subscriber Management System (SMS) 5.3.1. Receivers/decoders The SMS is primarily responsible for sendingOne generic receiver/decoder should be capable out bills and receiving payments from viewers.of receiving and decoding CA broadcasts from a It does not need to, and should not, be specificnumber of different broadcasters, perhaps using to a particular CA system. The SMS necessarilydifferent delivery media (e.g. cable, satellite, ter- holds commercially-sensitive information suchrestrial). This may imply that the decoder can sup- as the database of subscribers names and ad-port simultaneous use of multiple security devices, dresses and their entitlement status. Sharing ofor that one security device can be shared between the SMS between rival broadcasters is possibledifferent service providers. In the latter case, the if, and only if, it is operated by a trusted thirdsecurity device needs to be partitioned into inde- party and only if adequate “firewalls” are pro-EBU Technical Review Winter 1995 73EBU Project Group B/CA
  11. 11. vided so that any one service provider can ac- which the system will not be usable. Disable cess information only about subscribers to his messages may have an indefinite lifetime or her own services. Although sharing an SMS whereas enable messages may have a lifetime may be seen as undesirable, it must be recog- of a month or so. For security reasons, commu- nised that setting up and running an SMS is ex- nication between the SMS and the SAS can be pensive, perhaps prohibitively so for services encrypted although this may not be necessary if with a small number of subscribers at the outset. all systems are in a secure environment. The work of the SMS can be contracted out to 5.4. Transcontrol at media a trusted third party (TTP), e.g. a secure and boundaries reliable organization such as a bank. There should be a subscriber database and the system It will often be the case that a broadcast signal may must deal with changes to subscription details, travel via two or more different delivery media in installation difficulties, marketing, billing and tandem; for example the broadcast may be carried card distribution. The SMS also manages the on a satellite and then conveyed into some homes system installers and sends Entitlement Man- via a cable system. In such cases it is often desir- agement Messages (to authorize viewers) to the able to change the entitlement control at the media Subscriber Authorization System queue. boundary without needing to descramble and re- scramble completely. (This is possible with the use To ensure the privacy of customer database of the Common Scrambling Algorithm.) Howev- information, the SMS could mail replacement er, this method may present a security risk because smart cards and CA modules to the viewers. one CA system operator would have to present the These could be provided pre-authorized by the control word to another CA system operator inside conditional access system operator or could be the transcontrol equipment. authorized over-air by the Subscriber Autho- rization System using virtual addresses pro- vided by the SMS. In practice it may be more secure (though more expensive) to descramble and rescramble at the At the moment, cable companies often send out media boundary. Descramblers and rescramblers a tape of customer usage to another company, at from different CA system manufacturers could the end of the month, for billing. potentially be built into different PCMCIA modules. b) Subscriber Authorization System Changing the entitlement control at the media The Subscriber Authorization System (SAS) is boundary enables the end-transmission-system- primarily responsible for sending out the over- operators to maintain direct control over each of air entitlement messages and for validating their subscribers for all services provided. This security devices. The SAS needs a unique serial means that the viewer only has to operate the CA number (address) for each IRD security device system used by the end-transmission-system- but should not need access to commercially- operator. However, this approach also means that sensitive information such as the names and the service providers and the other transmission- addresses of subscribers. Hence it should be system-operators that have supplied services to the easily possible for rival broadcasters to share an end-transmission-system-operator cannot have di- SAS, although there are issues to be resolved rect and exclusive interaction with the subscribers. concerning the queuing times for messages. Smart cards can be indirectly authorized over- Another approach would be to have no transcon- air by the SAS. trol at media boundaries. The viewer would have access to all services using either the SimulCrypt The SAS generates a scrambler control word, or MultiCrypt approaches. This has the disadvan- encrypts the conditional access data, queues tage to the end-transmission-system-operator that and prioritises the Entitlement Management all control is handed over to the original CA system Messages from the Subscriber Management operator and it therefore requires a good working System, and scrambles the pictures and sound. relationship between all parties. New messages from the SMS join the immedi- ate queue, to be transmitted as soon as possible, and also join a regular cyclic queue where they 6. Operational requirements stay until they expire. The frequency of trans- of a CA system mission depends on the length of the queue and messages are expired by category. There will be For security reasons it is important to include at a maximum limit on response time beyond least the following functions in a CA system:74 EBU Technical Review Winter 1995 EBU Project Group B/CA
  12. 12. – Disable/enable decoder 7. System implementation Individual decoders or groups of decoders are 7.1. Satellite transmission prevented from descrambling any service, re- gardless of the authorizations stored in the The DVB Project has given its backing to two CA smart card or other security device. approaches for the transmission of digital televi- sion via satellite, namely SimulCrypt and Multi-– Disable/enable card Crypt. These approaches are also relevant in cable Individual smart cards, or groups of smart cards and terrestrial transmission. (or other security devices), need to be capable of being enabled or disabled over-air. 7.1.1. SimulCrypt– Disable/enable programme service In the case of SimulCrypt, each service is trans- mitted with the entitlement messages for a number Individual smart cards, or groups of smart of different proprietary systems, so that decoders cards, need to be capable of being enabled or using different conditional access systems (in dif- disabled over-air to decode any one particular ferent geographic areas) can decode the service. programme service. SimulCrypt requires a common framework for signalling the different Entitlement Message– Send message to decoder streams. Access to the system is controlled by the A text message is sent to individual decoders or system operators. Operation of the system re- groups of decoders for display on the screen; quires commercial negotiations between broad- alternatively, the over-air message may com- casters and conditional access operators. A code prise a display command and address of a mes- of conduct has been drawn up for the operation of sage which is pre-stored in the decoder or smart SimulCrypt. card, e.g. to warn of imminent expiry or to The philosophy behind the system is that in one request the viewer to contact the SMS because geographical area, it will only be necessary to of account difficulties. have a single smart card or CA module and a single– Send message to decoder for individual decoder to receive the local service. If one wanted programme service to descramble the service of a neighbouring area, one could subscribe to, and use the smart card/ A text message is sent to individual decoders or module for that service. Consequently, it is only groups of decoders in the same way as above, necessary to have a single Subscriber Management but is displayed only when the receiver/decoder System for a given area. When a viewer wants to selects the relevant programme service. watch services from two neighbouring areas, it is– Show customer’s ID card necessary for both services to carry the entitlement messages for that viewer. Therefore it is necessary The serial number of the smart card, or other to have secure links between the different Sub- means of identification (ID), is displayed on the scriber Management Systems of the different screen. This is not the secret ID contained with- operators to allow transfer of the entitlement mes- in the card, but is an unprotected ID which sages between operators. could be printed on the card. This function is useful for maintenance procedures. 7.1.2. MultiCrypt– Alter switching and drop-dead dates MultiCrypt is an open system which allows com- petition between conditional access system pro- An important security feature is that the algo- viders and Subscriber Management System opera- rithms used to decrypt the over-air entitlement tors. MultiCrypt uses common receiver/decoder messages and derive the descrambling control elements which could be built into television sets. words can be changed. To allow smooth transi- The Common Conditional Access Interface can be tion from one set of algorithms to the next, it is used to implement MultiCrypt. Conditional ac- helpful if the smart card (or other security de- cess modules from different system operators can vice) can store both algorithms and a date for be plugged into different slots in the common switching from one to the other; this switching receiver/decoder, using the common interface. date can be alterable over-air. There should also be a “drop dead” date beyond which the card will 7.2. Return path cease to function at all. Note that not all CA sys- tems perform these functions in this way and the For most home installations, a return path could be implementation may be very system-dependent. set up between the set-top decoder and the Sub-EBU Technical Review Winter 1995 75EBU Project Group B/CA
  13. 13. scriber Management System using a modem and return path could also be used to check that the the telephone network or a cable TV return. For decoder is tuned to the correct channel when example, calls could be initiated by the customer giving authorization over-air. This could re- using a remote control unit which auto-dials a duce the number of over-air signals that had to number delivered over-air. Also, the broadcaster be repeated perpetually. may want the customer’s decoder box to contact the SMS. This process could be initiated by com- 7.2.2. Reasons for not using a return mands sent over-air or (less likely) the SMS could path dial up the customer’s decoder box and interro- gate it directly. There are also a number of reasons for not using a return path, as follows: 7.2.1. Reasons for using a return path a) Increased decoder cost; There are a number of reasons for using a return b) Installation difficulties; path: The customer may not have a telephone at all, or a) Enhanced security; may not have a telephone in the relevant room (in which case an extension socket would have to be The return path establishes a one-to-one link fitted or a “cordless” connection would have to between the broadcaster and each decoder box. be used which would increase costs). Communication via the return path should be encrypted. c) Reliability of the telephone; b) Payment billing; In some areas, the reliability of the telephone service may be an issue. Pre-booked Pay-Per-View (PPV) and impulse PPV could be registered using the return path. d) Blocking of normal calls; Also, electronic viewing tokens could be pur- When the decoder is communicating, it will not chased via the return path. A central server with be possible to make or receive normal telephone a gateway would be necessary as a buffer for the calls, unless there is more than one telephone large numbers of requests that would be ex- line to the house. pected as part of a Pay-Per-View service. These payment billing services could also be obtained e) Telephone tapping. by the viewer dialling up the SMS using his con- Depending on how the communication system ventional telephone and having a conversation works, there is a potential for reduced system with an operator at the SMS. However this ap- security due to telephone tapping. Ideally, to proach would be more time-consuming and overcome this problem, it is recommended that costly to both the viewer and the SMS. the Subscriber Management System should re- c) Interactive TV; turn the calls made by the IRD (although this will increase the costs to the SMS), the commu- The return path could be used for audience par- nication should be encrypted, and the Subscrib- ticipation (for example voting, games playing, er Management System should be able to identi- teleshopping and telebanking). The return path fy individual IRDs. could also be used for message delivery from the SMS to the decoder, although its limited Overall, the benefits of using a return path far ex- bandwidth means that it is not very suitable for ceed the costs. In situations where the return path more complicated procedures such as Video- does not exist but alternative facilities exist for per- On-Demand (VOD). The return path could be forming some of its functions, decoders should be used to deliver to the SMS diagnostic informa- manufactured which are capable of implementing tion such as measurements of signal strength the return path. Cheaper decoders could be sold and bit error rate (BER) to help solve transmis- which do not have this option installed. sion problems, and other information such as a record of programmes watched to provide sta- 7.3. Home video recorders tistical information to the broadcaster. If the viewer wants to watch one programme while d) Transmission of entitlement messages. recording another, then decisions will have to be For large shared networks, the capacity for made about the payment approach for the service. transmission of entitlement messages may be When using the Common Interface of the CA sys- inadequate and additional capacity may be tem, it should be possible to descramble two chan- achieved by using the telephone network. The nels on the same multiplex (one to watch and the76 EBU Technical Review Winter 1995 EBU Project Group B/CA
  14. 14. other to record), using one PCMCIA module. To b) The second descrambler could also be useddescramble two channels on different multiplexes, if the viewer only owned an analogue videoone would need two PCMCIA modules, two tuners recorder.and two MPEG-2 decoders. In the video recorderOne approach would be to view the descrambled a) The video recorder could be used on its own,picture from one channel and to record the without the need for a separate IRD box toscrambled picture from another channel. The re- record programmes;corded picture could then be descrambled at view-ing time and the appropriate charges could be made b) Any number of video recorders could be usedin a Pay-Per-View system. Copy protection could without the need for multiple IRD set for the digital recording. However, if theDVTR does not record the encrypted data To reduce costs, the second descrambler couldassociated with scrambling or, if the encryption initially be available as an optional add-on to themechanism would prevent successful descram- IRD box.bling at the later replay time, it would be possibleto record an altered, but fixed, key. On replay, the 8. Conclusions andpicture could be descrambled using the fixed key,which would be specific to a particular recorder. recommendationsThis would help to ensure copyright protection by A basic set of transactional and functional modelspreventing a scrambled picture on a tape from one of CA systems for use with digital video broadcast-video recorder being descrambled by another ing systems has been outlined. These models arevideo recorder. intended to help EBU Members to understand and evaluate practical CA systems for use with futureTwo descramblers could be used to permit the des- DVB services and, in particular, to understand thecrambling and recording of one programme whilst functionality, technical terms, and trade-offs inwatching another. This has the disadvantage of these systems. The specification or evaluation ofadded cost and complexity. Copy protection a practical CA system requires considerably moreshould be set for the original digital recording to depth and detail than could be included in this out-hinder further digital recordings being made. line. In particular, an evaluation of security issues requires a careful analysis of the overall systemThe question then arises as to whether to locate the security, including non-technical issues such as thesecond conditional access module in the IRD or in theft of data.the video recorder. There are arguments in favourof both options and there is no need to standardizeon one approach. In the end, the decision will be Acknowledgementsmade by decoder and video recorder manufactur-ers. When costs fall sufficiently, it is likely that EBU Project Group B/CA acknowledges a par-top-of-the-range IRDs and video recorders will ticular debt of gratitude to Dr. S.R. Ely and Mr.have descramblers installed. (If the initial costs of G.D. Plumb of BBC Research and Developmentdigital video recorders are very high, it may also be Department for their considerable contribution topossible to buy analogue video recorders with the development of the reference model.built-in descramblers).The second descrambler/conditional access mod- Bibliographyule could be installed either in the existing IRDbox, or in the VCR. There are arguments in favour [1] ISO 7816: Identification Cards, Parts 1–6. (This ISO Standard describes “smart cards”).of both approaches: [2] ISO/IEC 13818-1: Generic coding ofIn the existing IRD box moving pictures and associated audio systems.a) Having two complete descramblers in the IRD (This ISO/IEC Standard describes “MPEG-2”). box, rather than one in the IRD box and one in [3] Common Interface Specification for the video recorder, would reduce the cost and Conditional Access and other Digital Video complexity of the overall system but only by a Broadcasting Decoder Applications. relatively small amount; DVB Document A007, July 1995.EBU Technical Review Winter 1995 77EBU Project Group B/CA