Simulcrypt Explained

64 EBU Technical Review Winter 1995EBU Project Group B/CA

Functional model of aconditional access systemEBU Project Group B/CA

1. Introduction

A conditional access (CA) system comprises acombination of scrambling and encryption toprevent unauthorized reception. Scrambling is theprocess of rendering the sound, pictures and dataunintelligible. Encryption is the process of pro-tecting the secret keys that have to be transmittedwith the scrambled signal in order for thedescrambler to work. After descrambling, anydefects on the sound and pictures should beimperceptible, i.e. the CA system should be trans-parent.

The primary purpose of a CA system for broad-casting is to determine which individual receivers/set-top decoders shall be able to deliver particularprogramme services, or individual programmes, tothe viewers. The reasons why access may need tobe restricted include:

EBU Project Group B/CA hasdeveloped a functional model of aconditional access system for usewith digital television broadcasts. Itshould be of benefit to EBUMembers who intend to introduceencrypted digital broadcasts; byusing this reference model,Members will be able to evaluate thedifferent conditional access systemsthat are available.

The model is not intended as aspecification for a particular system.Rather, it provides a framework fordefining the terms and operatingprinciples of conditional accesssystems and it illustrates some of theconflicts and trade-offs that occurwhen designing such systems.

– to enforce payments by viewers who want ac-cess to particular programmes or programmeservices;

– to restrict access to a particular geographicalarea because of programme-rights consider-ations (territorial control can be enforced if thereceiver has a built-in GPS system);

Original language: EnglishManuscript received 6/10/95.

65EBU Technical Review Winter 1995EBU Project Group B/CA

Glossary

Access Control System/Conditional Access System: Thecomplete system for ensuring that broadcasting services areonly accessible to those who are entitled to receive them.The system usually consists of three main parts – signalscrambling, the encryption of the electronic “keys” needed bythe viewer, and the subscriber management system whichensures that viewers entitled to watch the scrambledprogrammes are enabled to do so.

Algorithm: A mathematical process (e.g. DES, RSA) whichcan be used for scrambling and descrambling a data stream.

Bouquet: A collection of services marketed as a singleentity.

Conditional Access Sub-System (CASS): The part of thedecoder which is concerned with decoding the electronickeys, and recovering the information needed to control thedescrambling sequence. It is now usually implemented, all orin part, as a smart card.

Control Word: The key used in the descrambler.

Descrambling: The process of undoing the scrambling toyield intelligible pictures, sound and/or data services.

Electronic key: A general term for the data signals used tocontrol the descrambling process in the decoders. There areseveral different levels of key, identifying the network whichthe subscriber is entitled to access, the services within thatnetwork that are available to the subscriber and the detailedcontrol information to operate the descrambler. The ECMsare one component of this “key” data; all levels must becorrectly decrypted in order to view the programme.

Encryption: The method of processing the continually-changing electronic keys needed to descramble thebroadcast signals, so that they can be securely conveyed tothe authorized users, either over-the-air or on smart cards.

Entitlement Control Message (ECM): A cryptogram of thecontrol word and the access conditions. An ECM is aspecific component of the electronic key signal andover-the-air addressing information. The ECMs are used tocontrol the descrambler and are transmitted over-air inencrypted form.

Entitlement Management Message (EMM): A messageauthorizing a viewer to descramble a service. An EMM is aspecific component of the electronic key signal andover-the-air addressing information. The EMMs are used toswitch individual decoders, or groups of decoders, on or offand are transmitted over-air in encrypted form.

Event: A grouping of elementary broadcast data streamswith a defined start and time (e.g. an advert or a news flash).

Impulse Pay-Per-View: Impulse Pay-Per-View requires nopre-booking. This rules out some Pay-Per-View methods(e.g. issuing smart cards for specific programmes). Smartcard debit, or electronic banking via telephone line, bothsupport impulse Pay-Per-View. Over-the-air addressing cansupport impulse PPV, provided that the time taken to processthe request is sufficiently small (this implies a relatively largecapacity for over-the-air addressing data in the transmissionchannel.

Multiplex: An assembly of all the digital data that is carryingone or more services within a single physical channel.

Pay-Per-View (PPV): A payment system whereby theviewer can pay for individual programmes rather than takeout a period subscription. Pay-Per-View can work by debitingelectronic credit stored in a smart card, by purchasing smartcards issued for special programmes, or by electronicbanking using a telephone line to carry debiting informationfrom the home to the bank.

Period Subscription: The most popular payment system, inwhich the viewer subscribes to a programme service for acalendar period (e.g. one year).

Piracy: Unauthorized access to controlled programmes.Common methods of piracy include the issue of counterfeitsmart cards and decoders which bypass all or part of theaccess control system. The use of video cassette recordersto record descrambled pictures for distribution amongfriends/colleagues is also a simple method of piracy.

Programme: A television (or radio) presentation producedby programme providers for broadcasting as one of asequence. A programme is a grouping of one or more events.

Scrambling: The method of continually changing the form ofthe broadcast signal so that, without a suitable decoder andelectronic key, the signal is unintelligible.

Service: A sequence of events, programmes or data, basedon a schedule, assembled by a service provider to bedelivered to the viewer.

SimulCrypt: A system for allowing scrambled picture/soundsignals to be received by decoders using different accesscontrol systems. The principle of the system is that thedifferent ECMs and EMMs needed for the various accesscontrol systems are sent over-air together. Any one decoderpicks out the information it needs and ignores the othercodes. It is analagous to providing multiple front doors to alarge house, each with a different lock and its own door key.

Smart Card: A device that looks rather like a credit card; it isused as a token of entitlement to descramble broadcastsignals. Most of the major European access control systemsuse smart cards. Other systems that bury the samefunctionality inside the decoder do not usually allow thesystem to be changed to combat piracy or to add newservices. Smart cards can be issued by the SubscriberManagement System which can validate them bypre-programming them with keys to authorize access tocertain tiers of programmes and/or data services. As part ofthe same issuing and validation process, the card may bepersonalised to make each one valid for one particulardecoder only.

Subscriber Authorization System (SAS): The centreresponsible for organizing, sequencing and delivering EMMand ECM data streams under direction from the SubscriberManagement System.

Subscriber Management System (SMS): The businesscentre which issues the smart cards, sends out bills andreceives payments from subscribers. An important resourceof the Subscriber Management System is a database ofinfromation about the subscribers, the serial numbers of thedecoders and information about the services to which theyhave subscribed. In commercial terms, this information ishighly sensitive.


Serviceprovider SAS Transmission

system operatorViewers/

IRDsSMS

Programmes

Entitlements to view

Money, addresses and bills

Money and addresses

KEY:

Serviceprovider

A

Transmissionsystem operator

Viewers/IRDsSMS

Serviceprovider

B

SAS

Serviceprovider

A

Serviceprovider

B

Serviceprovider

C

SMSY

SMSX

SMSZ

SASJ

SASI

Viewers/IRDs

Transmissionsystem operator

Figure 1Vertically-integratedCA system.

Figure 2Devolved CA system.

Figure 3Devolved/shared/commonCA system.

SMS = Subscriber Management SystemSAS = Subscriber Authorization SystemIRD = Integrated Receiver Decoder


– to facilitate parental control (i.e. to restrictaccess to certain categories of programme2).

2. Transactional models

Transactional models can be used to illustrate theunderlying commercial transactions that takeplace in a conditional access broadcasting system,in a way which is independent of the technologyemployed. A similar analogy is sometimes usedfor the sale of goods to the public through retail andwholesale chains: in that situation, there is a flowof goods and services in one direction – from themanufacturers to the end customers – and a flow ofmoney in the reverse direction.

A model of a vertically-integrated CA system isshown in Fig. 1. Here, the service provider is alsothe network operator and the CA system operator.Historically, CA systems originated in this formand the model remains true for many cablesystems today: the cable operator acts as the ser-vice provider (usually by purchasing the rights toshow programmes made by third parties) and alsoas the carrier and the CA system operator. In suchcircumstances, and especially where – as in mostcable systems – the cable operator supplies andowns the decoders, a single proprietary system isacceptable, because there is no requirement toshare any part of the system with competitors.

A model of a devolved CA system is shown inFig. 2. In this case, the functions of the serviceprovider, network operator and CA systemoperator are split. Indeed, there are two separateservice providers, A and B, who share a commondelivery system (owned and operated by a thirdparty) and a common CA system which is ownedand operated by a different third party. Thus allbilling and collection of money is carried out bythe CA system operator who then passes on pay-ments in respect of programme rights back to theappropriate service providers. This model is truefor many analogue satellite systems today andalso applies to a retail market in which there isonly one retailer. Note how the CA system opera-tor has information about the names, addressesand entitlement status of all viewers; programmeproviders, on the other hand, have access only to

2. This is generally a Service Information (SI) function.However, regulators might specify that programmesshould be scrambled where parental control is required.In current analogue systems, parental control often usesthe CA system.

the names, addresses and entitlement status ofviewers to their own services.

An alternative model of a devolved CA system isshown in Fig. 3. Here, there are two independentCA Subscriber Authorization System (SAS) oper-ators, I and J (see Section 5.3.). System J is usedby service provider C only, whereas system I isused by all three service providers. Conversely,service providers A and B use system I only,whereas service provider C uses systems I and J.Thus, viewers to the services provided by C canuse a decoder which is appropriate for eithersystem I or J. A further feature of this model is thatthe billing and the money flow is directly betweenthe viewers and the Subscriber ManagementSystem (SMS) operators (see Section 5.3.); it doesnot pass via the SAS operators or the transmissionsystem operators. Consequently, sensitive in-formation about the names and addresses of sub-scribers is known only to the appropriate serviceprovider.

3. Functional model of a CAreference system

A functional model of a hypothetical CA referencesystem is now described. The model is looselybased on the Eurocrypt conditional access systembut its principles of operation are expected to applyto CA systems generally.

3.1. Conditional AccessSub-System

A Conditional Access Sub-System (CASS) is adetachable security module which is used as partof the CA system in a receiver. It is also possibleto embed the security module in the receiver itself,in which case each receiver will typically have itsown secret individual address. Replacement of theCASS is one means of recovering from a piracy at-tack. Replacement of the CASS also enables newfeatures to be added to the system as and when theyare developed.

For analogue systems and some digital systems,the CASS is typically a smart card [1]. For digitalsystems which use the Common Interface (seeSection 3.6.), the CASS will be a PCMCIA3 mod-ule and this may have an associated smart card.

3. Personal Computer Manufacturers Computer InterfaceAssociation.


3.2. Scrambling and descrambling

The basic process of scrambling and descramblingthe broadcast MPEG-2 transport stream [2] isshown in Fig. 4. The European DVB Project hasdefined a suitable, highly-secure, CommonScrambling Algorithm.

3.3. Entitlement Control Messages

The generation, transmission and application ofEntitlement Control Messages (ECMs) – which

are used to recover the descrambling control wordin the decoder – is illustrated in Fig. 5. The ECMsare combined with a service key and the result isdecrypted to produce a control word. At present,the control word is typically 60 bits long and is up-dated every 2-10 seconds.

If the access conditions are to be changed at a pro-gramme boundary, it may be necessary to updatethe access conditions every frame, which is muchmore frequently than is required for securityreasons. Alternatively, a change in access condi-

MPEG-2transportstream

ScramblerMUX

Picture

Sound

Data

Picture

Sound

Data

Modulator

Tx

Descrambler DemuxDemodulator

Note: In such a basic scrambling system, possession of adescrambler gives permanent entitlement to view.

Figure 4Basic scrambling system.

Picture

Sound

Data

Picture

Sound

Data

Modulator

Tx

Demodulator

Note 1: Descrambling requires possession of a descrambler, adecrypter and the current service key.

Note 2: Decryption recovers the descrambling Control Words(CW) from the Entitlement Control Messages (ECMs).

Figure 5Scrambling system withEncrypted Control Words.

Servicekey

Scrambler

Encrypter

MUX

Control Wordgenerator

ECMs

Servicekey

ECMs

Demux

Decrypter

Descrambler

CW CW

MPEG-2transportstream

Rx

Rx


tions could be made frame-specific by sending outa change in entitlements in advance and then insti-gating the change with a flag. A third methodwould be to change the control word itself at aprogramme boundary. However, the second andthird approaches would not allow a programmeproducer to change the access conditions instanta-neously.

3.4. Entitlement ManagementMessages

The generation, transmission, and application ofEntitlement Management Messages (EMMs) bythe Subscriber Authorization System is illustratedin Fig 6.

The card supplier provides the CASS (usually asmart card) and then the SAS sends the EMMs

over-air or by another route, e.g. via a telephoneline. To retain the confidentiality of customer in-formation, it is best that the card supplier deliversthe smart cards direct to the Subscriber Manage-ment System (or another business centre whichguarantees confidentiality) for mailing to theviewer (see Section 3.5.).

It is possible to supply the cards through retail out-lets as well, provided the retailer can guaranteeconfidentiality. In this situation, considerable carehas to be taken if the cards have been pre-authorized by the SAS, because such cards will bea worthwhile target for theft.

When using the CA Common Interface [3], in con-juction with a PCMCIA module acting as theCASS, the descrambler is also situated in theCASS.

Picture

Sound

Data

Picture

Sound

Data

Modulator

Tx

Demodulator

Note 1: Descrambling requires possession of a descrambler, a decrypter and the currentservice key.

Note 2: Decryption requires the Entitlement Management Messages (EMMs) for thecurrent programme – which usually involves secret keys stored in a detachableConditional Access Sub-System (CASS).

Figure 6Scrambling system with

encrypted Control Words andEntitlement Management

Messages.

Scrambler


ECMs

Servicekey

ECMs

Descrambler

CW CW

EncrypterEncrypter

Subscriber Authorization

System

MUX

EMMs

Demux

EMMs

Decrypter

Validation

Decrypter

Securityprocessor

(secret keys)

Conditional AccessSub-System (CASS)

SMART cardsupplier

Entitlement ManagementMessages via telephone line

(and validation return)

Rx


3.5. Subscriber ManagementSystem

As shown in Fig 7., the reference model is com-pleted by the addition of a Subscriber ManagementSystem (SMS), which deals with the billing ofviewers and the collection of their payments. Thecontrol word need not be a decrypted ECM; it canbe generated locally (e.g. from a seed) whichmeans that the control word could be changed veryquickly.

3.6. Common Interface

The European DVB Project has designed aCommon Interface for use between the IntegratedReceiver Decoder (IRD) and the CA system. Asshown in Fig. 8, the IRD contains only those ele-ments that are needed to receive clear broadcasts.

The CA system is contained in a low-priced, pro-prietary module which communicates with theIRD via the Common Interface. No secret condi-tional access data passes across the interface.

The Common Interface allows broadcasters to useCA modules which contain solutions from differ-ent suppliers, thus increasing their choice and anti-piracy options.

4. General requirements of aCA system

To be acceptable for use by EBU members, aconditional access system needs to meet the fol-lowing general requirements, some of which con-flict.

Picture

Sound

Data

Picture

Sound

Data

Modulator

Tx

Demodulator

Figure 7Scrambling system withencrypted Control Words,Entitlement ManagementMessages and SubscriberManagement System.

Scrambler


ECMs

Servicekey

ECMs

Descrambler

CW CW

EncrypterEncrypter

MUX

EMMs

Demux

EMMs

Decrypter

Validation

Decrypter

Securityprocessor

(secret keys)

Conditional AccessSub-System (CASS)

SMART cardsupplier

Entitlement ManagementMessages via telephone line

(and validation return)

Subscriber Authorization

System

SubscriberManagement

System (SMS)(Customer

Management)

Subscribers

Bills

Payments(credit card, Direct Debit, cash, cheque, etc)

Rx


Moduleoperatingsystem

Tuner Demodulator

MPEGvideo

decoder

MPEGvideo

decoder

Picture

SoundMPEG-2transportstream

Demux

Data

On-screengraphics

Receiveroperating system

SIdecoder

Remotecontrolinput

DVB/MPEG integratedreceiver/decoder (IRD)

DVB Common Interface

Validationmodule

(optional)

Command

bus

Validation(optional)

Data filters(ECMs, EMMs)

Securityprocessor

DVBdescrambler

SMART card(optional)

ProprietaryCA system

Moduleoperatingsystem

CW

Figure 8DVB Common

Interface.

4.1. Convenience for viewers

The CA system should impose a minimum of bur-den on the authorized viewer at any stage in thetransaction. In particular it should not requirespecial action when changing channels (e.g.swapping a smart card or keying in a PersonalIdentification Number) nor should it significantlydelay presentation of picture and sound when“zapping” (a sensible upper limit on the “zap-ping” time is 1 second).

Furthermore, it should be easy to gain initial ac-cess to the broadcasts, requiring the minimum ofequipment, outlay and effort. Ideally, the com-plete system would be integrated into the televi-sion set which would be able to access any com-

bination of programme services to whichindividual viewers had subscribed.

It should be easy for the viewer to pay the neces-sary fees to the programme supplier. Paymentmethods should include all forms of monetarytransaction including cash, direct debits and creditcards. The viewer might prefer to receive a singlebill for any combination of services provided overa period of time. It may therefore be desirable, butnot a necessity, for different CA system operatorsto share the use of smart cards.

4.2. Security

The CA system must be effective in preventingpiracy, i.e. unauthorized viewing by people who arenot entitled to access particular programmes or ser-vices. Although no CA technology can deliver per-


fect security, the overall system – combined withappropriate anti-piracy legislation and evasion-deterrent measures – must make piracy sufficientlydifficult and/or uneconomic that the levels ofevasion are kept small. Smart cards or paymentcards must be resistant to tampering. For Pay-Per-View services in particular, the counting mecha-nism which indicates the remaining credit should beimmune to resetting by unauthorized parties.

It is very important that the relationship betweenthe service provider and the CA system operator iswell defined so that, for example, a CA systemoperator can be compelled to act when piracyreaches a certain level. There are a number of waysto recover from a piracy attack. It is possible toinitiate electronic counter measures over-air,whereby pirate cards are disabled or subtle changesare made in the operation of genuine CASSs. Alter-natively, by issuing new CASSs, large changes canbe made to the conditional access system.

4.3. Open marketing of digitalreceivers

The viewers should be able to benefit from a largechoice of digital receivers or set-top boxes,produced by a wide range of manufacturers com-peting in an open market. Such an open marketideally requires that the complete digital broad-casting system, excluding the CA system, be fullydescribed in open standards which are fully pub-lished by the appropriate organization (e.g. theETSI4 or the ISO5). The terms of licensing anyIntellectual Property Rights (IPR) included with-in a standard must be regulated by the appropriatestandards organization. (For example, in the caseof an ETSI standard, licensing is open to allmanufacturers on an equitable basis.)

It is undesirable for the CA system to be standard-ized: instead, the flexibility offered by the DVBCommon Interface should ensure that a plurality ofCA systems may be adopted (see Section 3.6.).

4.4. Open marketing of programmeservices

Authorized programme services should be acces-sible to any viewer whose IRD conforms to therelevant standard and who has the relevant CA en-titlements issued solely under the control of theservice provider. It must also be ensured that all

4. European Telecommunications Standards Institute.

5. International Organisation for Standardisation.

approved service providers have fair access to asuitable delivery system.

4.5. Autonomy of the serviceprovider’s business

The primary contract should be between the ser-vice provider and the viewer. Although third parties(such as common carriers and/or CA system opera-tors) may necessarily be involved in the broadcast-ing process, the CA system (and any other part ofthe system) should not require the service providerto share commercially-sensitive information withrival service providers, e.g. the identities of cus-tomers and their entitlements to view.

4.6. Low entry and operating costs

The cost of setting up and operating the CA systemis significant but must not be prohibitive. In particu-lar, it should be capable of being scaled to allow lowstart-up costs when the subscriber base is very small.

The system should not pose a constraint on the ulti-mate number of households that can be addressed;this could reach many tens of millions. The costsof upgrades to the CA system and of recoveringfrom security breaches should be minimized byselecting a reliable and secure system.

5. Functional requirements ofa CA system

5.1. Payment schemes

It is important that the CA system supports a widerange of charging and payment schemes.

These include:

– Subscription (pre-payment for a time period ofviewing);

– Pay-Per-View (payment for a programme orgroup of programmes);

– Impulse Pay-Per-View (payment for a pro-gramme or group of programmes withoutadvance notice).

Pay-Per-View (PPV) and Impulse Pay-Per-View(IPPV) often require the provision of a return pathfrom the viewer to the CA system operator: inmany systems this is implemented using a tele-phone connection and a modem built into theIRD. The return path can be used to record view-ing history, which is important when consideringthe programme rights issues.

The acceptability and rules of operation for such atelephone return-path need further study. In par-


ticular, a system must exist for those viewers whodo not have a telephone connection. One possiblemethod would be to purchase credits in advanceand to store them as viewing tokens on a smart cardor CA module. The card or module could be re-authorized at a trusted dealer when information onpast viewing could be transferred to the systemoperator. Provided security was not compromised,it would also be possible to have the smart card ormodule credited over-air with tokens which couldbe initiated by a telephoned (voice) request fromthe viewer. There must be a method to ensure thatall service providers are paid fairly for the pro-grammes provided, in proportion to the total num-ber of viewer hours.

5.2. Multiple-decoder households

The question must be addressed as to whether pay-ment authorizes:

1. the use of only one decoder to receive anddecode the services;

2. use throughout a household, which may havemultiple receivers/decoders and a VCR;

3. use by one individual anywhere within a house-hold, in which case the entitlement needs to betransferable from one IRD to another, probablyusing a detachable security element such as asmart card.

In the third case given above, there is a conflictwith the requirement to validate the security de-vice for use with a particular decoder only. There-fore, each decoder should have its own CASS andthe records of multiple CASSs within a householdshould be grouped together in the SMS to permitappropriate and reasonable billing.

5.3. Sharing of the CA system

In order to provide a fair and open market for CAbroadcasts to develop, it is important that elementsof the CA system can be shared. These include thefollowing.

5.3.1. Receivers/decoders

One generic receiver/decoder should be capableof receiving and decoding CA broadcasts from anumber of different broadcasters, perhaps usingdifferent delivery media (e.g. cable, satellite, ter-restrial). This may imply that the decoder can sup-port simultaneous use of multiple security devices,or that one security device can be shared betweendifferent service providers. In the latter case, thesecurity device needs to be partitioned into inde-

pendent zones so that operators have access towrite to and read from only those zones which con-tain information about entitlements to view theirown services. Where operators share a securitydevice, it is important to resolve who issues and,more importantly, who re-issues the security de-vice – especially in the case of a breach of securityrequiring a change of security device.

A particularly important and difficult requirementwhich arises from the need to share decoders is thatof allowing the IRD to be tuned to broadcastswhich do not necessarily carry the same over-airentitlement messages. It is worthwhile monitoringas many EMM data streams as possible, even whenthe receiver is in standby mode.

In some instances (for example, message broadcast-ing), it is necessary for the broadcaster to be able toaddress large numbers of decoders in a short periodof time. In these situations, it is worth using sharedkeys to reduce the access time for large audiences.The audience is subdivided into groups of viewers;each person within a particular group has the sameshared key which forms a part of the overall controlword. Also, different messages intended for thesame viewer can be combined together.

5.3.2. Delivery system

It is obvious that any one delivery medium (e.g.cable network, satellite transponder or terrestrialbroadcast channel) should be capable of beingshared between different and perhaps rival broad-casters. Less obvious, but perhaps equally impor-tant, is that any one transport stream should becapable of being decoded by different types of de-coder, so that one broadcast can simultaneouslyuse different kinds of CA system. This is theSimulCrypt concept (see Section 7.1.1.).

5.3.3. CA Systems

When considering the sharing of CA systems atthe sending end, it is important to be able to dividethe system into two separate functional elements:

a) Subscriber Management System (SMS)

The SMS is primarily responsible for sendingout bills and receiving payments from viewers.It does not need to, and should not, be specificto a particular CA system. The SMS necessarilyholds commercially-sensitive information suchas the database of subscribers names and ad-dresses and their entitlement status. Sharing ofthe SMS between rival broadcasters is possibleif, and only if, it is operated by a trusted thirdparty and only if adequate “firewalls” are pro-


vided so that any one service provider can ac-cess information only about subscribers to hisor her own services. Although sharing an SMSmay be seen as undesirable, it must be recog-nised that setting up and running an SMS is ex-pensive, perhaps prohibitively so for serviceswith a small number of subscribers at the outset.

The work of the SMS can be contracted out toa trusted third party (TTP), e.g. a secure andreliable organization such as a bank. Thereshould be a subscriber database and the systemmust deal with changes to subscription details,installation difficulties, marketing, billing andcard distribution. The SMS also manages thesystem installers and sends Entitlement Man-agement Messages (to authorize viewers) to theSubscriber Authorization System queue.

To ensure the privacy of customer databaseinformation, the SMS could mail replacementsmart cards and CA modules to the viewers.These could be provided pre-authorized by theconditional access system operator or could beauthorized over-air by the Subscriber Autho-rization System using virtual addresses pro-vided by the SMS.

At the moment, cable companies often send outa tape of customer usage to another company, atthe end of the month, for billing.

b) Subscriber Authorization System

The Subscriber Authorization System (SAS) isprimarily responsible for sending out the over-air entitlement messages and for validatingsecurity devices. The SAS needs a unique serialnumber (address) for each IRD security devicebut should not need access to commercially-sensitive information such as the names andaddresses of subscribers. Hence it should beeasily possible for rival broadcasters to share anSAS, although there are issues to be resolvedconcerning the queuing times for messages.Smart cards can be indirectly authorized over-air by the SAS.

The SAS generates a scrambler control word,encrypts the conditional access data, queuesand prioritises the Entitlement ManagementMessages from the Subscriber ManagementSystem, and scrambles the pictures and sound.New messages from the SMS join the immedi-ate queue, to be transmitted as soon as possible,and also join a regular cyclic queue where theystay until they expire. The frequency of trans-mission depends on the length of the queue andmessages are expired by category. There will bea maximum limit on response time beyond

which the system will not be usable. Disablemessages may have an indefinite lifetimewhereas enable messages may have a lifetimeof a month or so. For security reasons, commu-nication between the SMS and the SAS can beencrypted although this may not be necessary ifall systems are in a secure environment.

5.4. Transcontrol at mediaboundaries

It will often be the case that a broadcast signal maytravel via two or more different delivery media intandem; for example the broadcast may be carriedon a satellite and then conveyed into some homesvia a cable system. In such cases it is often desir-able to change the entitlement control at the mediaboundary without needing to descramble and re-scramble completely. (This is possible with the useof the Common Scrambling Algorithm.) Howev-er, this method may present a security risk becauseone CA system operator would have to present thecontrol word to another CA system operator insidethe transcontrol equipment.

In practice it may be more secure (though moreexpensive) to descramble and rescramble at themedia boundary. Descramblers and rescramblersfrom different CA system manufacturers couldpotentially be built into different PCMCIA modules.

Changing the entitlement control at the mediaboundary enables the end-transmission-system-operators to maintain direct control over each oftheir subscribers for all services provided. Thismeans that the viewer only has to operate the CAsystem used by the end-transmission-system-operator. However, this approach also means thatthe service providers and the other transmission-system-operators that have supplied services to theend-transmission-system-operator cannot have di-rect and exclusive interaction with the subscribers.

Another approach would be to have no transcon-trol at media boundaries. The viewer would haveaccess to all services using either the SimulCryptor MultiCrypt approaches. This has the disadvan-tage to the end-transmission-system-operator thatall control is handed over to the original CA systemoperator and it therefore requires a good workingrelationship between all parties.

6. Operational requirementsof a CA system

For security reasons it is important to include atleast the following functions in a CA system:


– Disable/enable decoder

Individual decoders or groups of decoders areprevented from descrambling any service, re-gardless of the authorizations stored in thesmart card or other security device.

– Disable/enable card

Individual smart cards, or groups of smart cards(or other security devices), need to be capableof being enabled or disabled over-air.

– Disable/enable programme service

Individual smart cards, or groups of smartcards, need to be capable of being enabled ordisabled over-air to decode any one particularprogramme service.

– Send message to decoder

A text message is sent to individual decoders orgroups of decoders for display on the screen;alternatively, the over-air message may com-prise a display command and address of a mes-sage which is pre-stored in the decoder or smartcard, e.g. to warn of imminent expiry or torequest the viewer to contact the SMS becauseof account difficulties.

– Send message to decoder for individualprogramme service

A text message is sent to individual decoders orgroups of decoders in the same way as above,but is displayed only when the receiver/decoderselects the relevant programme service.

– Show customer’s ID card

The serial number of the smart card, or othermeans of identification (ID), is displayed on thescreen. This is not the secret ID contained with-in the card, but is an unprotected ID whichcould be printed on the card. This function isuseful for maintenance procedures.

– Alter switching and drop-dead dates

An important security feature is that the algo-rithms used to decrypt the over-air entitlementmessages and derive the descrambling controlwords can be changed. To allow smooth transi-tion from one set of algorithms to the next, it ishelpful if the smart card (or other security de-vice) can store both algorithms and a date forswitching from one to the other; this switchingdate can be alterable over-air. There should alsobe a “drop dead” date beyond which the card willcease to function at all. Note that not all CA sys-tems perform these functions in this way and theimplementation may be very system-dependent.

7. System implementation

7.1. Satellite transmission

The DVB Project has given its backing to two CAapproaches for the transmission of digital televi-sion via satellite, namely SimulCrypt and Multi-Crypt. These approaches are also relevant in cableand terrestrial transmission.

7.1.1. SimulCrypt

In the case of SimulCrypt, each service is trans-mitted with the entitlement messages for a numberof different proprietary systems, so that decodersusing different conditional access systems (in dif-ferent geographic areas) can decode the service.SimulCrypt requires a common framework forsignalling the different Entitlement Messagestreams. Access to the system is controlled by thesystem operators. Operation of the system re-quires commercial negotiations between broad-casters and conditional access operators. A codeof conduct has been drawn up for the operation ofSimulCrypt.

The philosophy behind the system is that in onegeographical area, it will only be necessary tohave a single smart card or CA module and a singledecoder to receive the local service. If one wantedto descramble the service of a neighbouring area,one could subscribe to, and use the smart card/module for that service. Consequently, it is onlynecessary to have a single Subscriber ManagementSystem for a given area. When a viewer wants towatch services from two neighbouring areas, it isnecessary for both services to carry the entitlementmessages for that viewer. Therefore it is necessaryto have secure links between the different Sub-scriber Management Systems of the differentoperators to allow transfer of the entitlement mes-sages between operators.

7.1.2. MultiCrypt

MultiCrypt is an open system which allows com-petition between conditional access system pro-viders and Subscriber Management System opera-tors. MultiCrypt uses common receiver/decoderelements which could be built into television sets.The Common Conditional Access Interface can beused to implement MultiCrypt. Conditional ac-cess modules from different system operators canbe plugged into different slots in the commonreceiver/decoder, using the common interface.

7.2. Return path

For most home installations, a return path could beset up between the set-top decoder and the Sub-


scriber Management System using a modem andthe telephone network or a cable TV return. Forexample, calls could be initiated by the customerusing a remote control unit which auto-dials anumber delivered over-air. Also, the broadcastermay want the customer’s decoder box to contactthe SMS. This process could be initiated by com-mands sent over-air or (less likely) the SMS coulddial up the customer’s decoder box and interro-gate it directly.

7.2.1. Reasons for using a return path

There are a number of reasons for using a returnpath:

a) Enhanced security;

The return path establishes a one-to-one linkbetween the broadcaster and each decoder box.Communication via the return path should beencrypted.

b) Payment billing;

Pre-booked Pay-Per-View (PPV) and impulsePPV could be registered using the return path.Also, electronic viewing tokens could be pur-chased via the return path. A central server witha gateway would be necessary as a buffer for thelarge numbers of requests that would be ex-pected as part of a Pay-Per-View service. Thesepayment billing services could also be obtainedby the viewer dialling up the SMS using his con-ventional telephone and having a conversationwith an operator at the SMS. However this ap-proach would be more time-consuming andcostly to both the viewer and the SMS.

c) Interactive TV;

The return path could be used for audience par-ticipation (for example voting, games playing,teleshopping and telebanking). The return pathcould also be used for message delivery fromthe SMS to the decoder, although its limitedbandwidth means that it is not very suitable formore complicated procedures such as Video-On-Demand (VOD). The return path could beused to deliver to the SMS diagnostic informa-tion such as measurements of signal strengthand bit error rate (BER) to help solve transmis-sion problems, and other information such as arecord of programmes watched to provide sta-tistical information to the broadcaster.

d) Transmission of entitlement messages.

For large shared networks, the capacity fortransmission of entitlement messages may beinadequate and additional capacity may beachieved by using the telephone network. The

return path could also be used to check that thedecoder is tuned to the correct channel whengiving authorization over-air. This could re-duce the number of over-air signals that had tobe repeated perpetually.

7.2.2. Reasons for not using a returnpath

There are also a number of reasons for not using areturn path, as follows:

a) Increased decoder cost;

b) Installation difficulties;

The customer may not have a telephone at all, ormay not have a telephone in the relevant room (inwhich case an extension socket would have to befitted or a “cordless” connection would have tobe used which would increase costs).

c) Reliability of the telephone;

In some areas, the reliability of the telephoneservice may be an issue.

d) Blocking of normal calls;

When the decoder is communicating, it will notbe possible to make or receive normal telephonecalls, unless there is more than one telephoneline to the house.

e) Telephone tapping.

Depending on how the communication systemworks, there is a potential for reduced systemsecurity due to telephone tapping. Ideally, toovercome this problem, it is recommended thatthe Subscriber Management System should re-turn the calls made by the IRD (although thiswill increase the costs to the SMS), the commu-nication should be encrypted, and the Subscrib-er Management System should be able to identi-fy individual IRDs.

Overall, the benefits of using a return path far ex-ceed the costs. In situations where the return pathdoes not exist but alternative facilities exist for per-forming some of its functions, decoders should bemanufactured which are capable of implementingthe return path. Cheaper decoders could be soldwhich do not have this option installed.

7.3. Home video recorders

If the viewer wants to watch one programme whilerecording another, then decisions will have to bemade about the payment approach for the service.When using the Common Interface of the CA sys-tem, it should be possible to descramble two chan-nels on the same multiplex (one to watch and the


other to record), using one PCMCIA module. Todescramble two channels on different multiplexes,one would need two PCMCIA modules, two tunersand two MPEG-2 decoders.

One approach would be to view the descrambledpicture from one channel and to record thescrambled picture from another channel. The re-corded picture could then be descrambled at view-ing time and the appropriate charges could be madein a Pay-Per-View system. Copy protection couldbe set for the digital recording. However, if theDVTR does not record the encrypted dataassociated with scrambling or, if the encryptionmechanism would prevent successful descram-bling at the later replay time, it would be possibleto record an altered, but fixed, key. On replay, thepicture could be descrambled using the fixed key,which would be specific to a particular recorder.This would help to ensure copyright protection bypreventing a scrambled picture on a tape from onevideo recorder being descrambled by anothervideo recorder.

Two descramblers could be used to permit the des-crambling and recording of one programme whilstwatching another. This has the disadvantage ofadded cost and complexity. Copy protectionshould be set for the original digital recording tohinder further digital recordings being made.

The question then arises as to whether to locate thesecond conditional access module in the IRD or inthe video recorder. There are arguments in favourof both options and there is no need to standardizeon one approach. In the end, the decision will bemade by decoder and video recorder manufactur-ers. When costs fall sufficiently, it is likely thattop-of-the-range IRDs and video recorders willhave descramblers installed. (If the initial costs ofdigital video recorders are very high, it may also bepossible to buy analogue video recorders withbuilt-in descramblers).

The second descrambler/conditional access mod-ule could be installed either in the existing IRDbox, or in the VCR. There are arguments in favourof both approaches:

In the existing IRD box

a) Having two complete descramblers in the IRDbox, rather than one in the IRD box and one inthe video recorder, would reduce the cost andcomplexity of the overall system but only by arelatively small amount;

b) The second descrambler could also be usedif the viewer only owned an analogue videorecorder.

In the video recorder

a) The video recorder could be used on its own,without the need for a separate IRD box torecord programmes;

b) Any number of video recorders could be usedwithout the need for multiple IRD boxes.

To reduce costs, the second descrambler couldinitially be available as an optional add-on to theIRD box.

8. Conclusions andrecommendations

A basic set of transactional and functional modelsof CA systems for use with digital video broadcast-ing systems has been outlined. These models areintended to help EBU Members to understand andevaluate practical CA systems for use with futureDVB services and, in particular, to understand thefunctionality, technical terms, and trade-offs inthese systems. The specification or evaluation ofa practical CA system requires considerably moredepth and detail than could be included in this out-line. In particular, an evaluation of security issuesrequires a careful analysis of the overall systemsecurity, including non-technical issues such as thetheft of data.

Acknowledgements

EBU Project Group B/CA acknowledges a par-ticular debt of gratitude to Dr. S.R. Ely and Mr.G.D. Plumb of BBC Research and DevelopmentDepartment for their considerable contribution tothe development of the reference model.

Bibliography

[1] ISO 7816: Identification Cards, Parts 1–6.(This ISO Standard describes “smart cards”).

[2] ISO/IEC 13818-1: Generic coding ofmoving pictures and associated audiosystems.(This ISO/IEC Standard describes “MPEG-2”).

[3] Common Interface Specification forConditional Access and other Digital VideoBroadcasting Decoder Applications.DVB Document A007, July 1995.

Simulcrypt Explained

Documents

Transcript of Simulcrypt Explained