What is Conditional Access?

Posted On

By Team ExpressPlay


  • Conditional access systems (CAS) are used by content providers, such as pay-TV operators, to ensure only those subscriber devices which meet certain conditions can access the protected content.
  • Conditional access systems work by encrypting digital transport streams (the pay-TV content) and sending authorizations to decrypt the content separately via entitlement management messages (EMM) 
  • Global CAS systems are underpinned by specific industry standards such as Moving Picture Experts Group (MPEG) and Digital Video Broadcasting (DVB), and the very important DVB Simulcrypt interface standard for digital television.
  • The rise of digital content and modes of distribution means content providers need to use a mixture of conditional access and digital rights management (DRM).

What is conditional access?

Until the late 1950s, the television broadcasting industry in the United States had a single business model: Sell advertising or product placement to pay for programming. With the gradual introduction of television systems offering pay-TV in the 60s, this model began to change. 

When it comes to charging for content and protecting the associated revenues, the basic requirement was (and still is) access control, which was achieved by employing a technology called conditional access. But what is conditional access you ask? Well, conditional access is a system that content providers use to protect and monetize their content by controlling who has access to it. It is commonly used on satellite or cable pay-TV services to regulate the contract between provider and user. Conditional access systems (CAS) work by:

  1. Encrypting content – Anybody can receive the signal transmitted by the content provider, but various protocols are used to encrypt the content so it appears scrambled (that is, unwatchable).
  2. Defining conditions of access – The user must meet certain conditions (such as paying for TV services) to have the content decrypted.
  3. Checking authorization – Entitlement messages are sent to the user’s receiver (such as a set-top box) to inform it which content it can decrypt.
  4. Decrypting content – The receiver has the capacity to decrypt the signal and does so when it receives authorization that the conditions have been met.

So, in this situation, only subscribers paying their bills and meeting the ‘conditions of access can watch the content being transmitted. Pay-TV operators adopted solutions created by CAS vendors to manage content protection and ensure that they and other rights holders could monetize their assets.

The conditional access (CA) model is still used for transmission of digital video broadcasting over satellite and terrestrial networks, as well as telco IPTV (or “managed IPTV”), although they both have been complemented with digital rights management security for OTT (streaming video over the Internet).

How conditional access systems work

One of the main attributes of traditional (legacy) broadcasting is that it is a one-way distribution system. Under this system, the satellite or cable feed is distributed to everyone, and the transmitting organization does not receive any feedback regarding who is picking up their feed or what they are doing with it. 

Conditional access systems work by requiring certain criteria to be met before granting a user access to the content. Here’s a closer look at how conditional access systems work. 

The broadcaster (for example, the pay-TV operator) encrypts their content and provides subscribers with the means to decrypt it via their set-top boxes (STB) aided by some CA-specific messages.

This decryption part of how conditional access systems work can be explained by looking at how a digital receiver such as an STB processes content:

  1. The broadcaster encrypts its content.
  2. The content is sent over satellite, terrestrial, or cable networks to a user’s STB.
  3. The STB, which integrates a specific conditional access system, has the technology from the conditional access system provider to decrypt the feed but needs the specific encryption key from the broadcaster to do so, together with an entitlement that confirms the user may decrypt this content.
  4. This encryption key is wrapped in an entitlement control message (ECM), a process that is repeated up to several times a minute. The ECM is sent to each receiver. The internal structure of ECMs is proprietary per CAS vendor, but the mechanism of inserting ECMs into the MPEG Transport Stream is standardized through DVB Simulcrypt. DVB Simulcrypt is an interface specification followed by all CAS companies and is integral to how conditional access systems work in general.
  5. The user’s receiver contains unique (secret) information, which confirms the authority to receive an entitlement management message (EMM) and grants access to the content. These EMMs are sent much less frequently and they inform each STB what content it is allowed to decrypt. The EMM can be said to contain the “channel line-up” for each subscriber although EMMs are not limited to linear (broadcast) channels but can be used for on-demand content too.
  6. If the CAS keys contained in EMMs and ECMs were to be hacked, the CAS vendor has to initiate piracy countermeasures that could mean replacing smart cards (if such are still used) or taking other remedial action depending on the circumstances and the CA technology in use.

The CAS uses the EMM to specify a user’s unique entitlement (such as the channels paid for) to enable the decryption of the signal. In the same way, if a user fails to pay their bill or drops a channel from their package, it will remain encrypted and not available for watching. 

Conditional access solutions and standards

For digital TV, the concern over pay-TV security is even greater. Unlike analog content, which deteriorates with each subsequent copy, each “copy” of digital content is as good as the original. So, in the digital age, content providers have to find new ways to ensure content protection and enable full monetization of rights. As a result, pay-TV operators have adopted a variety of proprietary CAS solutions from a small group of vendors. 

Industry standards have helped by providing a bridge between the proprietary CA systems and other components of end-to-end broadcasting infrastructure. One of the most widely used industry standards is the Digital Video Broadcasting (DVB) standard. This is an open standard managed by an international committee consisting of broadcasters, equipment vendors, and other companies with an interest in digital broadcasting. The DVB-CI (Common Interface) and CI+ standards allow device manufacturers to work with different CA systems. The DVB-CSA (Common Scrambling Algorithm) standard provides the cipher that encrypts the content. The DVB standard also specifies Simulcrypt as a methodology to reduce the amount of bandwidth it takes to transmit video if more than one CAS is deployed. With Simulcrypt-compliant CA systems the video is only transmitted once to all subscribers, who then also receive CA-specific, proprietary EMMs, and ECMs to help determine what content they may watch. 

Another major issue for broadcasters is that if a CAS system was hacked (which would generally happen after three to four years with smart card-based systems), the pay-TV operator had to pay for and send new smart cards with new unique information, thus rendering the old cards useless. This represents a major cost and considerable operational challenges for pay-TV operators, thus hitting them with additional CAPEX (purchase new cards) and OPEX (logistics of card distribution). 

Cardless CAS and the advent of two-way communications mean that smart cards for pay-TV are becoming obsolete in most markets. With cardless security, the anti-piracy countermeasures can usually be managed over the air .

Why conditional access matters

As the world becomes more digital, rights holders and content producers face new challenges when it comes to monetizing their content and preventing piracy. As a result, DRM has come to complement how conditional access systems work as an improved form of content security for digital transmission over IP-based networks such as the internet. DRM has the advantage that it can use two-way (IP) networks to communicate between head-end and receivers, which enables far better security approaches compared to one-way networks. 

However, CAS still plays an important role for pay-TV broadcasters using legacy one-way networks, typically satellite or terrestrial transmission. 

In fact, a recent Technavio report stated that “The conditional access system (CAS) market is expected to grow by USD 751.81 million during 2020-2024, expanding at a CAGR of almost 5%.” The report indicates one of the key reasons for this expansion is the growth of satellite broadcasting services.

Finding a balance 

With the simultaneous growth of OTT streaming services, content providers must find a balance between the functions of CAS and DRM. Moving solely to DRM does not suit the existing one-way broadcast infrastructure, while sticking only to CAS limits potential growth into new markets and technologies such as OTT services.

So broadcasters—especially well-established ones —need a blend of CAS and DRM. This blended model can help organizations harness the power and reach of adaptive bitrate streaming for OTT services, while at the same time bolstering their subscription models.

On the Intertrust website, you can read more about how Intertrust is bridging CAS and DRM. You’ll learn about how the seamless transmission of high quality 4K UHD content is being enabled by our ExpressPlay XCA™ solution, which brings CAS and DRM together into a single unified infrastructure.

Location is becoming even less important in the digital world, which can cause issues with the proper use of content created by national broadcasters. Across the world, legacy national broadcasters (such as the BBC in the UK or RAI in Italy) use a government-imposed charge to viewers in order to fund this public service. 

Conditional access, this time based on location rather than paying a fee, is thus essential for these organizations to continue to provide free-to-air services to people in their own countries while blocking access to those outside, which is an essential rights holder licensing requirement.

Conditional access is still a very important tool in the fight against piracy for broadcasters over one-way networks. It ensures rights holders and content providers get returns on their investment and effort. 

As one of the world’s leaders in security solutions and an early pioneer of DRM, Intertrust brings the latest technology and security techniques to the pay TV model. If you are interested in finding out more about what conditional access can offer in the digital age and how we are converging it with DRM to create a flexible solution to help pay TV operators and content providers all over the world, get in touch with our team.


intertrust-expressplay-xca CTA Banner

Related blog posts



Posted on 28 Sep 2022

Intertrust and Sofia Digital partner to offer Direct-to-TV services with ExpressPlay XCA

Read more



Posted on 27 May 2021

Understanding the reach of today’s video piracy

Read more



Posted on 10 Sep 2020

A converged security strategy for broadcast TV & streaming services

Read more