Conditional access

Conditional access

Conditional Access (abbreviated CA) is the protection of content by requiring certain criteria to be met before granting access to this content. The term is commonly used in relation to digital television systems, most notably satellite television.


Conditional access in DVB

Under the DVB, conditional access system standards are defined in the specification documents for DVB-CA (Conditional Access), DVB-CSA (the Common Scrambling Algorithm) and DVB-CI (the Common Interface). These standards define a method by which a digital television stream can be obfuscated, with access provided only to those with valid decryption smart cards. The DVB specifications for Conditional Access are available from the standards page on the DVB website.

This is achieved by a combination of scrambling and encryption. The data stream is scrambled with an 48-bit secret key, called the control word. Knowing the value of the control word at a given moment is of relatively little value, as under normal conditions, content providers will change the control word several times per minute. The control word is generated automatically in such a way that successive values are not usually predictable; the DVB specification recommends using a physical process for that.

In order for the receiver to unscramble the data stream, it must be permanently informed about the current value of the control word. In practise, it must be informed slightly in advance, so that no viewing interruption occurs. Encryption is used to protect the control word during transmission to the receiver: the control word is encrypted as an entitlement control message (ECM). The CA subsystem in the receiver will decrypt the control word only when authorised to do so; that authority is sent to the receiver in the form of an entitlement management message (EMM). The EMMs are specific to each subscriber, as identified by the smart card in his receiver, or to groups of subscribers, and are issued much less frequently than ECMs, usually at monthly intervals. This being apparently not sufficient to prevent unauthorized viewing, TPS has lowered this interval down to about 12 minutes. This can be different for every provider, BSkyB uses a term of 6 weeks. When Nagravision 2 was hacked, Digital+ started sending a new EMM every three days to make unauthorized viewing more cumbersome.

The contents of ECMs and EMMs are not standardized and as such they depend on the conditional access system being used.

The control word can be transmitted through different ECMs at once. This allows the use of several conditional access systems at the same time, a DVB feature called simulcrypt, which saves bandwidth and encourages multiplex operators to cooperate. DVB Simulcrypt is widespread in Europe; some channels, like the CNN International Europe from the Hot Bird satellites, can use 7 different CA systems in parallel.

The decryption cards are read, and sometimes updated with specific access rights, either through a Conditional Access Module (CAM), a PC card-format card reader meeting DVB-CI standards, or through a built-in ISO/IEC 7816 card reader, such as that in the Sky Digibox.

Several companies provide competing CA systems; SafeAccess, VideoGuard, Irdeto Access, Nagravision, CoreTrust, Conax, Viaccess, Latens, Verimatrix, and Mediaguard (a.k.a. SECA) are among the most commonly used CA systems.

Due to the common usage of CA in DVB systems, many tools to aid in or even directly circumvent encryption exist. CAM emulators and multiple-format CAMs exist which can either read several card formats or even directly decrypt a compromised encryption scheme. Most multiple format CAMs and all CAMs that directly decrypt a signal are based on reverse engineering of the CA systems. A large proportion of the systems currently in use for DVB encryption have been opened to full decryption at some point, including Nagravision, Conax, Viaccess and Mediaguard (v1).

Conditional access in North America

In Canadian and United States cable systems, the standard for conditional access is provided with CableCARDs whose specification was developed by the cable company consortium CableLabs.

Cable companies in the US are required by the Federal Communications Commission to support CableCARDs; standards now exist for two way communication (M-card) but satellite television has its own standards. Next generation approaches in the United States eschew such physical cards and employ schemes using downloadable software for conditional access such as DCAS.

The main appeal of such approaches is that the access control may be upgraded dynamically in response to security breaches without requiring expensive exchanges of physical conditional access modules. Another appeal is that it may be inexpensively incorporated into non-traditional media display devices such as Portable media players.

Conditional Access Systems

Conditional access systems include:

Analog Systems

Digital Systems

CA id. Name Developed by Introduced (year) Security Notes
0x4AEB Abel Quintic Abel DRM Systems 2009 Secure
0x4800 Accessgate Telemann
0x4A20 AlphaCrypt AlphaCrypt
 ? B-CAS Used in Japan only
0x1702, 0x1722, 0x1762 BetaCrypt 1 BetaTechnik/Beta Research (subsidiary of KirchMedia) Partly compromised (older smartcards) Irdeto modification
0x1710 BetaCrypt 2 BetaTechnik/Beta Research (subsidiary of KirchMedia) Partly compromised (older smartcards) Irdeto modification
0x2600 BISS European Broadcasting Union Compromised
0x4900 China Crypt CrytoWorks (China) (Irdeto)
0x22F0 Codicrypt Scopus Network Technologies Secure
0x0B00 Conax CAS 5 Norwegian Telekom
0x0B00 Conax CAS 7 Norwegian Telekom Chip pairing (married card)
 ? CoreCrypt CoreTrust 2000 S/W & H/W Security CA for IPTV, Satellite, Cable TV and Mobile TV
4347 CryptOn CryptOn
0x0D00, 0x0D02, 0x0D03, 0x0D05, 0x0D07, 0x0D20 Cryptoworks Philips CryptoTec Partly compromised (older smartcards)
0x4ABF CTI-CAS Beijing Compunicate Technology Inc.
0x0700 DigiCipher 2 Jerrold/GI/Motorola 4DTV Secure DVB-S2 compatible , used for retail BUD dish service and for commercial operations as source programming for cable operators
0x4A70 DreamCrypt Dream Multimedia
0x4A10 EasyCas Easycas
0464 EuroDec Eurodec
5501 Griffin Nucleus Systems, Ltd.
0x5581 Bulcrypt Bulcrypt 200? Used in Bulgaria and Serbia
0x0606 Irdeto 1 Irdeto 199? Compromised
0x0602, 0x0604, 0x0606, 0x0608, 0x0622, 0x0626, 0x0664 Irdeto 2 Irdeto 2000 Partly compromised
0x4AA1 KeyFly SIDSA Partly compromised (v. 1.0)
0x0100 Seca Mediaguard 1 SECA
0x0100 Seca Mediaguard 2 (v1+) SECA Partly compromised
0x0100 Seca Mediaguard 3 SECA 2008
0x1800, 0x1801, 0x1810, 0x1830 Nagravision Nagravision 2003 Compromised
0x1801 Nagravision Carmageddon Nagravision Combination of Nagravision with BetaCrypt
0x1702, 0x1722, 0x1762, 0x1801 Nagravision Aladin Nagravision
0x1801 Nagravision 3 - Merlin Nagravision 2007 Secure
0x1801 Nagravision - ELK Nagravision 2008? Secure IPTV
0x4A02 Novel-SuperTV Novel-SuperTV 1998 Secure China and Other Countries
0x4AD4 OmniCrypt Widevine Technologies 2004 Used only for adult television channels
0x0E00 PowerVu Scientific Atlanta Secure Professional system widely used by cable operators for source programming
0x0E00 PowerVu+ Scientific Atlanta Secure Professional system used by cable operators for source programming
0x1000 RAS (Remote Authorisation System) Tandberg Television Professional system, not intended for consumers.
0xA101 RosCrypt-M NIIR 2006
4A60, 4A61, 4A63 SkyCrypt/Neotioncrypt/Neotion SHL AtSky/Neotion[1] 2003
 ? T-crypt
0x4A80 ThalesCrypt TPS Viaccess modification. Was developed after TPS-Crypt was compromised.[2]
0x0500 TPS-Crypt France Telecom Compromised Viaccess modification used with Viaccess 2.3
0x0500 Viaccess PC2.3, or Viaccess 1 France Telecom Compromised
0x0500 Viaccess PC2.4, or Viaccess 2 France Telecom 2002 Compromised
0x0500 Viaccess PC2.5, or Viaccess 2 France Telecom Secure
0x0500 Viaccess PC2.6, or Viaccess 3 France Telecom 2005 Secure
0x0500 Viaccess PC3.0 France Telecom Secure
VideoCrypt I News Datacom
VideoCrypt II News Datacom
VideoCrypt-S News Datacom
0x0911, 0x0919, 0x0960, 0x0961 NDS Videoguard 1 NDS Compromised
0x0911, 0x0919, 0x0960, 0x0961 NDS Videoguard 2 NDS
0x0911, 0x0919, 0x0960, 0x0961, 0x093b, 0x0963 NDS Videoguard 3 NDS 2008
4AD0, 4AD1 X-Crypt XCrypt Inc. Used only for adult television channels
0x5500, 0x4AE0, 0x4AE1 Z-Crypt/DRE-Crypt Digi Raum Electronics Secure
0x4AE5 PRO-Crypt IK SATPROF 2008 Secure
0x4B00 Safeview Safeview 2006 Secure

See also


  1. ^ "Skycrypt". 2008-01-17. Retrieved 2008-08-28. 
  2. ^ "TPSCrypt". 2008-01-17. Retrieved 2008-08-28. 

External links

Wikimedia Foundation. 2010.