- Conditional access systems (CAS) are used by content providers, such as pay-TV operators, to ensure only those who meet certain conditions can access their content.
- Conditional access systems work by encrypting all transmission signals and sending entitlement messages that inform a user’s receiving device which content it is authorized to decrypt.
- Global CAS systems are underpinned by specific industry standards such as MPEG and DVB, and the very important DVB Simulcrypt interface standard.
- The rise of digital content means content providers need to use a mixture of conditional access and digital rights management (DRM).
What is conditional access?
Until the late 1950s, the TV industry had a single business model: sell advertising or product placement to pay for programming. With the gradual introduction of pay-TV in the 1960s, this model began to change.
When it comes to charging for content and protecting the associated revenues, the basic requirement was (and still is) access control, which was achieved by employing a technology called conditional access. Conditional access is a system that content providers use to protect and monetize their content by controlling who has access to it. It is commonly used on satellite or cable pay-TV services to regulate the contract between provider and user. Conditional access systems (CAS) work by:
- Encrypting content – Anybody can receive the signal transmitted by the content provider, but various protocols are used to encrypt the content so it appears scrambled (that is, unwatchable).
- Defining conditions of access – The user must meet certain conditions (such as paying for TV services) to have the content decrypted.
- Checking authorization – Entitlement messages are sent to the user’s receiver (such as a set top box) to inform it which content it can decrypt.
- Decrypting content – The receiver has the capacity to decrypt the signal and does so when it receives authorization that the conditions have been met.
So, in this situation, only subscribers paying their bills (that is, meeting the ‘conditions of access’) can access and watch the content being transmitted. Pay-TV operators adopted solutions created by CAS vendors to manage content protection and ensure that they and other rights holders could monetize their assets.
The conditional access (CA) model is still used for transmission of digital video broadcasting over satellite and terrestrial networks, as well as telco IPTV (or “managed IPTV”), although both have been complemented with digital rights management security for OTT (streaming video over the Internet).
How conditional access systems work
One of the major challenges with traditional (legacy) broadcasting is that it is a one-way distribution system. Under this system, the satellite or cable feed is distributed to everyone, and the transmitting organization does not receive any feedback regarding who is picking up their feed or what they are doing with it.
Conditional access systems work by requiring certain criteria to be met before granting a user access to the content. Here’s a closer look at how conditional access systems work.
The transmitter (for example, the pay-TV operator) encrypts their content and provides subscribers with the means to decrypt it via their set-top boxes (STB) aided by some CA-specific messages.
This decryption part of how conditional access systems work can be explained by looking at how a digital receiver such as an STB processes content:
- The broadcaster encrypts its content.
- The content is sent over satellite, terrestrial, or cable networks to a user’s STB.
- The STB, which integrates a specific conditional access system, has the technology to decrypt the feed but needs the specific encryption key from the provider to do so, together with an entitlement that confirms the user may decrypt this content.
- This encryption key is wrapped in an entitlement control message (ECM), a process that is repeated up to several times a minute. The ECM is sent to each receiver. The internal structure of ECMs is proprietary to each CAS vendor, but the mechanism of inserting ECMs into the MPEG Transport Stream is standardized through DVB Simulcrypt. DVB Simulcrypt is an interface specification followed by all CAS companies and is integral to how conditional access systems work in general.
- The user’s receiver contains unique (secret) information, which confirms the authority to receive an entitlement management message (EMM). These EMMs are sent much less frequently and they inform each STB what content it is allowed to decrypt. The EMM can be said to contain the “channel line-up” for each subscriber although EMMs are not limited to linear (broadcast) channels but can be used for on-demand content too.
- If the CAS keys contained in EMMs and ECMs were to be hacked, the CAS vendor has to initiate piracy countermeasures that could mean replacing smart cards (if such are still used) or taking other remedial action depending on the circumstances and the CA technology in use.
The CAS uses the EMM to specify a user’s unique entitlement (such as the channels paid for) to enable decryption of the signal. In the same way, if a user fails to pay their bill or drops a channel from their package, it will remain encrypted and not available for watching.
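The ECM/EMM flow described in the steps above can be modelled in a few lines. This is an added example, not code from Intertrust or any CAS vendor: the names Headend, Receiver, seal and unseal are hypothetical, the intermediate per-channel "service key" carried in the EMM is an assumption about the key hierarchy, and the toy HMAC-based cipher stands in for DVB-CSA and the proprietary ECM/EMM formats.

```python
import hashlib, hmac, os

def _sub(key, label, data=b""):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor(key, nonce, data):
    # Toy keystream (HMAC-SHA256 in counter mode): a stand-in, NOT DVB-CSA.
    ks = b"".join(_sub(key, b"enc", nonce + i.to_bytes(4, "big"))
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = _xor(key, nonce, plaintext)
    return nonce + ct + _sub(key, b"mac", nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, _sub(key, b"mac", nonce + ct)):
        raise PermissionError("wrong key or tampered message")
    return _xor(key, nonce, ct)

class Headend:
    def __init__(self, channels):
        self.service_keys = {ch: os.urandom(32) for ch in channels}  # assumed layer

    def emm(self, receiver_key, entitled):
        """Per-receiver EMM: service keys for the entitled channels only."""
        return {ch: seal(receiver_key, self.service_keys[ch]) for ch in entitled}

    def broadcast(self, channel, video):
        """One ECM cycle: scrambled video plus an ECM wrapping a fresh content key."""
        cw = os.urandom(16)  # content key, regenerated for every ECM cycle
        return seal(cw, video), seal(self.service_keys[channel], cw)

class Receiver:
    def __init__(self):
        self.unique_key = os.urandom(32)  # secret provisioned in the STB
        self.service_keys = {}

    def load_emm(self, emm):
        self.service_keys = {ch: unseal(self.unique_key, b) for ch, b in emm.items()}

    def watch(self, channel, scrambled, ecm):
        if channel not in self.service_keys:
            raise PermissionError("no entitlement for " + channel)
        return unseal(unseal(self.service_keys[channel], ecm), scrambled)
```

In this model every receiver gets the same scrambled video and the same ECM; only the EMM differs per receiver. Replacing a channel's service key and issuing fresh EMMs only to subscribers in good standing leaves a lapsed receiver unable to open later ECMs.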
Conditional access solutions and standards
For digital TV, the concern over pay-TV security is even greater. Unlike analog content, which deteriorates with each subsequent copy, each “copy” of digital content is as good as the original. So, for the digital age, content providers have had to find new ways to ensure content protection and enable full monetization of rights. As a result, pay-TV operators have adopted a variety of proprietary CAS solutions from a small group of vendors.
Industry standards have helped by providing a bridge between the proprietary CA systems and other components of an end-to-end broadcasting infrastructure. One of the most widely used industry standards is the Digital Video Broadcasting (DVB) standard. This is an open standard managed by an international committee consisting of broadcasters, equipment vendors, and other companies with an interest in digital broadcasting. The DVB-CI (Common Interface) and CI+ standards allow device manufacturers to work with different CA systems. The DVB-CSA (Common Scrambling Algorithm) standard provides the cipher that encrypts the content. The DVB standard also specifies Simulcrypt as a methodology to reduce the amount of bandwidth it takes to transmit video if more than one CAS is deployed. With Simulcrypt-compliant CA systems, the video is only transmitted once to all subscribers, who then also receive CA-specific, proprietary EMMs and ECMs to help determine what content they may watch.
Another major issue for broadcasters is that if a CAS was hacked (which would generally happen after three to four years with smart card-based systems), the pay-TV operator had to pay for and send new smart cards with new unique information, thus rendering the old cards useless. This represents a major cost and considerable operational challenges for pay-TV operators, hitting them with additional CAPEX (purchasing new cards) and OPEX (logistics of card distribution).
Cardless CAS and the advent of two-way communications means that smart cards for pay-TV are becoming obsolete in most markets. With cardless security, the anti-piracy countermeasures can usually be managed over-the-air.
Why conditional access matters
As the world becomes more digital, rights holders and content producers face new challenges when it comes to monetizing their content and preventing piracy. As a result, DRM has come to complement how conditional access systems work as an improved form of content security for digital transmission over IP-based networks such as the internet. DRM has the advantage that it can use two-way (IP) networks to communicate between head-end and receivers, which enables far better security approaches compared to one-way networks.
However, CAS still plays an important role for pay-TV broadcasters using legacy one-way networks, typically satellite or terrestrial transmission.
Finding a balance
With the growth of OTT streaming services, content providers must find a balance between the functions of CAS and DRM. Moving solely to DRM does not suit the existing one-way broadcast infrastructure, while sticking only to CAS limits potential growth into new markets and technologies such as OTT services.
Thus, broadcasters, especially well-established ones, need a blend of CAS and DRM. This blended model can help organizations harness the power and reach of adaptive bitrate streaming for OTT services, while at the same time bolstering their subscription models.
On the Intertrust website you can read more about how Intertrust is bridging CAS and DRM. You’ll learn about how the seamless transmission of 4K UHD content is being enabled by our ExpressPlay XCA™ solution, which brings CAS and DRM together into a single unified infrastructure.
Location is becoming even less important in the digital world, which can cause issues for the proper use of content created by national broadcasters. Across the world, legacy national broadcasters (such as the BBC in the UK or RAI in Italy) use a government-imposed charge to viewers in order to fund this public service.
Conditional access, this time based on location rather than paying a fee, is thus essential for these organizations to continue to provide free-to-air services to people in their own countries while blocking access to those outside, which is an essential rights holder licensing requirement.
Conditional access is still a very important tool in the fight against piracy for broadcasters over one-way networks. It ensures rights holders and content providers get returns on their investment and effort.
As one of the world’s leaders in security solutions and an early pioneer of DRM, Intertrust brings the latest technology and security techniques to the pay-TV model. If you are interested in finding out more about what conditional access is able to offer in the digital age and how we are converging it with DRM to create a flexible solution to help pay-TV operators and content providers all over the world, get in touch with our team.
About Bo Ferm
Bo Ferm is engaged in product marketing activities for Intertrust ExpressPlay. He is a versatile technology professional with 30+ years of successful B2B positions in Europe, North America and South East Asia. He has worked extensively with broadcasting and streaming technologies, with the past 15 years dedicated to media security in various forms.