System used to prevent non-paying customers from accessing content that requires payment
Conditional access (CA) is a term commonly used in relation to software and to digital television systems. Conditional access is a 'just-in-time' evaluation to ensure that the person seeking access to content is authorized to access it. Put another way, conditional access is a type of access management: access is managed by requiring certain criteria to be met before granting access to the content.
In software
Conditional access is a function that lets you manage people's access to the software in question, such as email, applications, and documents. It is usually offered as SaaS (Software-as-a-Service) and deployed in organizations to keep company data safe. By setting conditions on the access to this data, the organization has more control over who accesses the data and where and in what way the information is accessed.
When setting up conditional access, access can be limited or prevented based on the policy defined by the system administrator. For example, a policy might require that access come only from certain networks, or might block access when a specific web browser makes the request.
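A minimal evaluator for the two example conditions above (allowed source networks and a blocked browser), added here as an illustration and not taken from any product. The policy fields, the `LegacyBrowser` token and the addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPolicy:
    allowed_networks: tuple   # ipaddress networks that access must originate from
    blocked_browsers: tuple   # lower-case User-Agent product tokens to refuse

def _client_address(raw: str):
    """Parse the source address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(raw.strip())
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped or addr

def evaluate(policy: AccessPolicy, source_ip: str, user_agent: str):
    """Return (allowed, reason). Block rules win; anything unclear is denied."""
    # User-Agent is client-supplied, so a browser rule is hygiene, not proof.
    ua = user_agent.lower()
    for token in policy.blocked_browsers:
        if token in ua:
            return False, f"blocked browser: {token}"
    try:
        addr = _client_address(source_ip)
    except ValueError:
        return False, "unparseable source address"
    for net in policy.allowed_networks:
        if addr.version == net.version and addr in net:
            return True, f"source in {net}"
    return False, "source network not allowed"

# Constructed policy: documentation address ranges and a made-up browser token.
POLICY = AccessPolicy(
    allowed_networks=(ipaddress.ip_network("203.0.113.0/24"),
                      ipaddress.ip_network("2001:db8:10::/48")),
    blocked_browsers=("legacybrowser/",),
)

if __name__ == "__main__":
    for ip, ua in [("203.0.113.10", "Mozilla/5.0 Firefox/126.0"),
                   ("198.51.100.7", "Mozilla/5.0 Firefox/126.0"),
                   ("203.0.113.10", "LegacyBrowser/1.0")]:
        print(ip, ua, "->", evaluate(POLICY, ip, ua))
```

The evaluator fails closed: a request is granted only when no block rule matches and the parsed source address falls inside an allowed network.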
In digital television
Under the Digital Video Broadcasting (DVB) standard, conditional access system (CAS) standards are defined in the specification documents for DVB-CA (conditional access), DVB-CSA (the common scrambling algorithm) and DVB-CI (the Common Interface).[1] These standards define a method by which one can obfuscate a digital-television stream, with access provided only to those with valid decryption smart cards. The DVB specifications for conditional access are available from the standards page on the DVB website.
This is achieved by a combination of scrambling and encryption. The data stream is scrambled with a 48-bit secret key, called the control word. Knowing the value of the control word at a given moment is of relatively little value, as under normal conditions, content providers will change the control word several times per minute. The control word is generated automatically in such a way that successive values are not usually predictable; the DVB specification recommends using a physical process for that.
In order for the receiver to unscramble the data stream, it must be permanently informed about the current value of the control word. In practice, it must be informed slightly in advance, so that no viewing interruption occurs.
Encryption is used to protect the control word during transmission to the receiver: the control word is encrypted as an entitlement control message (ECM). The CA subsystem in the receiver will decrypt the control word only when authorised to do so; that authority is sent to the receiver in the form of an entitlement management message (EMM). The EMMs are specific to each subscriber, as identified by the smart card in his receiver, or to groups of subscribers, and are issued much less frequently than ECMs, usually at monthly intervals. As this was apparently not sufficient to prevent unauthorized viewing, TPS has lowered this interval to about 12 minutes. The interval can be different for every provider; BSkyB uses a term of 6 weeks. When Nagravision 2 was hacked, Digital+ started sending a new EMM every three days to make unauthorized viewing more cumbersome.
The contents of ECMs and EMMs are not standardized and as such they depend on the conditional access system being used.[2]
The control word can be transmitted through different ECMs at once. This allows the use of several conditional access systems at the same time, a DVB feature called simulcrypt, which saves bandwidth and encourages multiplex operators to cooperate. DVB Simulcrypt is widespread in Europe; some channels, such as CNN International Europe from the Hot Bird satellites, can use 7 different CA systems in parallel.
The decryption cards are read, and sometimes updated with specific access rights, either through a conditional-access module (CAM), a PC card-format card reader meeting DVB-CI standards, or through a built-in ISO/IEC 7816 card reader, such as that in the Sky Digibox.
Several companies provide competing CA systems: ABV, VideoGuard, Irdeto, Nagravision, Conax, Viaccess, Synamedia and Mediaguard (a.k.a. SECA) are among the most commonly used CA systems.
Due to the common usage of CA in DVB systems, many tools to aid in or even directly circumvent encryption exist. CAM emulators and multiple-format CAMs exist which can either read several card formats or even directly decrypt a compromised encryption scheme. Most multiple-format CAMs and all CAMs that directly decrypt a signal are based on reverse engineering of the CA systems. A large proportion of the systems currently in use for DVB encryption have been opened to full decryption at some point, including Nagravision, Conax, Viaccess, Mediaguard (v1) as well as the first version of VideoGuard.
Conditional access in North America
In Canada and the United States, the standard for conditional access is provided with CableCARDs, whose specification was developed by the cable company consortium CableLabs.
Cable companies in the United States are required by the Federal Communications Commission to support CableCARDs. Standards exist for two-way communication (M-card), but satellite television has separate standards. Next-generation approaches in the United States eschew such physical cards and employ schemes using downloadable software for conditional access such as DCAS.
The main appeal of such approaches is that the access control may be upgraded dynamically in response to security breaches without requiring expensive exchanges of physical conditional-access modules. Another appeal is that it may be inexpensively incorporated into non-traditional media display devices such as portable media players.
Conditional access systems
Conditional access systems include:
Analog systems
Digital systems
| CA ID | Name | Developed by | Introduced (year) | Security | Notes |
|---|---|---|---|---|---|
| 0x4AEB | Abel Quintic | Abel DRM Systems | 2009 | Secure | |
| 0x4A64, 0x4AF0, 0x4AF2, 0x4B4B, 0x4B4C | ABV CAS | ABV International Pte. Ltd | 2006 | Secure (Farncombe Certified) | CA, DRM, Middleware & Turnkey Solution Provider For DTH, DVBT/T2, DVBC, OTT, IPTV, VOD, Catchup TV, Audience Measurement System, EAD etc. |
| 0x4AFC | Panaccess | Panaccess Systems GmbH | 2010 | Secure (Farncombe Certified) | CA for DVB-S/S2, DVB-T/T2, DVB-C, DVB-IP, OTT, VOD, Catchup etc. |
| 0x4B19 | RCAS or RIDSYS cas | RIDSYS, INDIA | 2012 | Secure | CA for DVB-C, IPTV, OTT, VOD, Catchup etc. |
| 0x4B30, 0x4B31 | ViCAS | Vietnam Multimedia Corporation (VTC) | Unknown | Secure (Farncombe Certified) | |
| 0x4800 | Accessgate | Telemann | Unknown | | |
| 0x4A20 | AlphaCrypt | AlphaCrypt | Unknown | | |
| N/A | B-CAS ARIB STD-B25 (Multi-2) | Association of Radio Industries and Businesses (ARIB) | 2000 | | CA for ISDB. Used in Japan only |
| 0x1702, 0x1722, 0x1762 | reserved for various non-BetaResearch CA systems | Formally owned by BetaTechnik/Beta Research (subsidiary of KirchMedia). Handed over to TV operators to handle with their CA systems. | Unknown | | |
| 0x1700–0x1701, 0x1703–0x1721, 0x1723–0x1761, 0x1763–0x17ff, 0x5601–0x5604 | VCAS DVB | Verimatrix Inc. | 2010 | | |
| 0x2600, 0x2610 | BISS, BISS-E | European Broadcasting Union | 2002, 2018 | Compromised, BISS-E secure | |
| 0x27A0-0x27A4 | ICAS (Indian CAS) | ByDesign India Private Limited | 2015 | Advanced Embedded Secure | |
| 0x4900 | China Crypt | CrytoWorks (China) (Irdeto) | Unknown | | |
| 0x22F0 | Codicrypt | Scopus Network Technologies (now part of Harmonic) | Unknown | Secure | |
| 0x4AEA | Cryptoguard | Cryptoguard AB | 2008 | Secure | |
| 0x0B00 | Conax Contego | Conax AS | Unknown | Secure | |
| 0x0B00 | Conax CAS 5 | Conax AS | Unknown | Compromised | Pirate cards have existed |
| 0x0B00 | Conax CAS 7.5 | Conax AS | Unknown | Secure | |
| 0x0B00, 0x0B01, 0x0B02, 0x0BAA | Conax CAS 7 | Conax AS | Unknown | Compromised | Cardsharing |
| 0x0B01, 0x0B02, 0x0B03, 0x0B04, 0x0B05, 0x0B06, 0x0B07 | Conax CAS 3 | Conax AS | Unknown | Compromised | Pirate cards have existed |
| 0x4AE4 | CoreCrypt | CoreTrust(Korea) | 2000 | S/W & H/W Security | CA for IPTV, Satellite, Cable TV and Mobile TV |
| 0x4347 | CryptOn | CryptOn | Unknown | | |
| 0x0D00, 0x0D02, 0x0D03, 0x0D05, 0x0D07, 0x0D20 | Cryptoworks | Philips CryptoTec | Unknown | Partly compromised (older smartcards) | |
| 0x4ABF | CTI-CAS | Beijing Compunicate Technology Inc. | Unknown | | |
| 0x0700 | DigiCipher and DigiCipher II | Jerrold/GI/Motorola 4DTV | 1997 | Compromised | DVB-S2 compatible, used for retail BUD dish service and for commercial operations as source programming for cable operators. Although the Programming Center shut down its consumer usage of DigiCipher 2 (as 4DTV) on August 24, 2016, it is still being used for cable headends across the United States, as well as on Shaw Direct in Canada. |
| 0x4A70 | DreamCrypt | Dream Multimedia | 2004 | | Proposed conditional access system used for Dreambox receivers. |
| 0x4A10 | EasyCas | Easycas | Unknown | | |
| 0x2719, 0xEAD0 | InCrypt Cas | S-Curious Research & Technology Pvt. Ltd., Equality Consultancy Services | Unknown | | |
| 0x0464 | EuroDec | Eurodec | Unknown | | |
| 0x5448 | Gospell VisionCrypt | GOSPELL DIGITAL TECHNOLOGY CO., LTD. | Unknown | Secure | |
| 0x5501 | Griffin | Nucleus Systems, Ltd. | Unknown | | |
| 0x5581 | Bulcrypt | Bulcrypt | 2009 | | Used in Bulgaria and Serbia |
| 0x0606 | Irdeto 1 | Irdeto | 1995 | Compromised (Cardsharing and MOSC available) | |
| 0x0602, 0x0604, 0x0606, 0x0608, 0x0622, 0x0626, 0x0664, 0x0614 | Irdeto 2 | Irdeto | 2000 | | |
| 0x0624, 0x0648, 0x0650, 0x0639 | Irdeto 3 | Irdeto | 2010 | Compromised (Cardsharing available) | |
| 0x0692, 0x06A4, 0x06B6, 0x069F, 0x06AB, 0x06F1 | Irdeto Cloaked | Irdeto | Unknown | Secure | |
| 0x4AA1 | KeyFly | SIDSA | 2006 | Partly compromised (v. 1.0) | |
| 0x0100 | Seca Mediaguard 1 | SECA | 1995 | Compromised | |
| 0x0100 | Seca Mediaguard 2 (v1+) | SECA | 2002 | Partly compromised (MOSC available) | |
| 0x0100 | Seca Mediaguard 3 | SECA | 2008 | | |
| 0x1800, 0x1801, 0x1810, 0x1830 | Nagravision | Nagravision | 2003 | Compromised | |
| 0x1801 | Nagravision Carmageddon | Nagravision | Unknown | | Combination of Nagravision with BetaCrypt |
| 0x1702, 0x1722, 0x1762, 0x1801 | Nagravision Aladin | Nagravision | Unknown | | |
| 0x1801 | Nagravision 3 - Merlin | Nagravision | 2007 | Secure | |
| 0x1801 | Nagravision - ELK | Nagravision | Circa 2008 | | IPTV |
| 0x4A02 | Tongfang | Tsinghua Tongfang Company | 2007 | Secure | |
| 0x4AD4 | OmniCrypt | Widevine Technologies | 2004 | | |
| 0x0E00 | PowerVu | Scientific Atlanta | 1998 | Compromised | Professional system widely used by cable operators for source programming |
| 0x0E00 | PowerVu+ | Scientific Atlanta | 2009 | | |
| 0x1000 | RAS (Remote Authorisation System) | Tandberg Television | Unknown | | Professional system, not intended for consumers. |
| 0x4AC1 | Latens Systems | Latens | 2002 | | |
| 0xA101 | RosCrypt-M | NIIR | 2006 | | |
| 0x4A60, 0x4A61, 0x4A63 | SkyCrypt/Neotioncrypt/Neotion SHL | AtSky/Neotion[3] | 2003 | | |
| Unknown | T-crypt | Tecsys | Unknown | | |
| 0x4A80 | ThalesCrypt | Thales Broadcast & Multimedia[4] | Unknown | | Viaccess modification. Was developed after TPS-Crypt was compromised.[5] |
| 0x0500 | TPS-Crypt | France Telecom | Unknown | Compromised | Viaccess modification used with Viaccess 2.3 |
| 0x0500 | Viaccess PC2.3, or Viaccess 1 | France Telecom | 1996 | | |
| 0x0500 | Viaccess PC2.4, or Viaccess 2 | France Telecom | 2002 | | |
| 0x0500 | Viaccess PC2.5, or Viaccess 2 | France Telecom | 2003 | | |
| 0x0500 | Viaccess PC2.6, or Viaccess 3 | France Telecom | 2005 | | |
| 0x0500 | Viaccess PC3.0 | France Telecom | 2007 | | |
| 0x0500 | Viaccess PC4.0 | France Telecom | 2008 | | |
| Unknown | Viaccess PC5.0 | France Telecom | 2011 | Secure | |
| Unknown | Viaccess PC6.0 | France Telecom | 2015 | | |
| 0x0930, 0x0942 | Synamedia VideoGuard 1 | NDS (now part of Synamedia) | 1994 | Partly compromised (older smartcards) | |
| 0x0911, 0x0960 | Synamedia VideoGuard 2 | NDS (now part of Synamedia) | 1999 | Secure | |
| 0x0919, 0x0961, 0x09AC, 0x09C4, 0x091F, 0x0944, 0x09AA | Synamedia VideoGuard 3 | NDS (now part of Synamedia) | 2004 | Secure | |
| 0x0927, 0x09BF, 0x0910, 0x0913, 0x098C, 0x098D, 0x098E, 0x0911, 0x0950, 0x09BB, 0x0987, 0x0963, 0x093B, 0x09CD | Synamedia VideoGuard 4 | NDS (now part of Synamedia) | 2009 | Secure | |
| 0x56D0 | Onnet CA/DRM | Onnet Systems India Pvt. Ltd. | 2021 | Secure | CA/DRM, IPTV Middleware, OTT, Interactive Services, STB Middleware, AR/VR |
| 0x4AD0, 0x4AD1 | X-Crypt | XCrypt Inc. | 2010 | Secure | |
| 0x4AE0, 0x4AE1, 0x7be1 | DRE-Crypt | Cifra | 2004 | Secure | |
| Unknown | PHI CAS | RSCRYPTO | 2016 | Secure | |
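The CA ID values in the table above are the 16-bit CA_system_ID that a multiplex signals in MPEG-2 CA descriptors (tag 0x09), each of which also names the PID carrying that system's ECMs (in a PMT) or EMMs (in the CAT); a simulcrypt service carries one such descriptor per CA system. The following added example, which is not part of the original article, parses a descriptor loop and lists the systems it signals. The sample bytes are constructed, and the name map is a small subset of the table.

```python
from dataclasses import dataclass

CA_DESCRIPTOR_TAG = 0x09  # CA_descriptor tag in MPEG-2 systems (ISO/IEC 13818-1)

# Small subset of the CA ID table on this page (exact values only).
CA_NAMES = {0x0100: "Seca Mediaguard", 0x0500: "Viaccess", 0x0B00: "Conax",
            0x0E00: "PowerVu", 0x1801: "Nagravision", 0x2600: "BISS"}

@dataclass(frozen=True)
class CaDescriptor:
    ca_system_id: int    # 16-bit CA ID
    ca_pid: int          # 13-bit PID carrying the ECM (PMT) or EMM (CAT) stream
    private_data: bytes  # CA-system-specific, not standardized

    @property
    def name(self) -> str:
        return CA_NAMES.get(self.ca_system_id, "unknown")

def parse_ca_descriptors(loop: bytes) -> list:
    """Walk a descriptor loop (tag, length, body, ...) and return CA descriptors."""
    found, pos = [], 0
    while pos < len(loop):
        if pos + 2 > len(loop):
            raise ValueError("truncated descriptor header")
        tag, length = loop[pos], loop[pos + 1]
        body = loop[pos + 2 : pos + 2 + length]
        if len(body) != length:
            raise ValueError("descriptor length runs past end of loop")
        if tag == CA_DESCRIPTOR_TAG:
            if length < 4:
                raise ValueError("CA descriptor shorter than 4 bytes")
            system_id = (body[0] << 8) | body[1]
            pid = ((body[2] & 0x1F) << 8) | body[3]  # top 3 bits are reserved
            found.append(CaDescriptor(system_id, pid, bytes(body[4:])))
        pos += 2 + length  # descriptors with other tags are skipped
    return found

# Constructed sample: three CA descriptors (a simulcrypt service) and one
# unrelated descriptor (tag 0x52), as they might appear in a PMT program loop.
SAMPLE = bytes.fromhex(
    "09 04 05 00 E1 01"
    "09 04 0B 00 E1 02"
    "09 06 18 01 E1 03 AA BB"
    "52 01 07"
)

if __name__ == "__main__":
    for d in parse_ca_descriptors(SAMPLE):
        print(f"0x{d.ca_system_id:04X} {d.name:<12} PID 0x{d.ca_pid:04X} "
              f"private={d.private_data.hex()}")
```

Several CA IDs in the table are shared by more than one product generation (0x0500 and 0x1801, for example), so the ID identifies the vendor's allocation rather than a specific version.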