Digital Video Broadcasting Conditional Access Architecture
A Presentation for SJSU-CS265 (Fall 2002): Security Engineering by Tong Ho (tong_ho@yahoo.com)
Full report in PDF
Introduction
- Digital Video Broadcasting (DVB) -- A one-to-many data network for digital TV
- Conditional Access (CA) -- Management of end-users' rights to access contents
Functional Partitions
- Three elements to protect contents:
- Encryption of channel contents
- Subscriber Authorization System (SAS)
- Enforcement of access control
- Three distributed components: CA-Host, CA-Client, and CA-Module
- Subscriber Management System (SMS)
- Keep a database of subscribers
- Determine access rights by monitoring subscription level and payment standing
System Architecture
- Distributed components
- Same data network for content delivery and access control
- Scrambler and Descrambler
- Scrambler in broadcast center; Descrambler in every receiver
- DVB Common Scrambling Algorithm (CSA); a proprietary cipher, unpublished at the time of this presentation; keyed by 64-bit control words (two of the eight key bytes are checksums, so the effective key entropy is 48 bits)
- CA Messages -- from CA-Host to CA-Modules
- Entitlement Control Messages (ECM) -- channel specific: control words and access criteria
- Entitlement Management Messages (EMM) -- subscriber specific: access rights
- CA Descriptors - from CA-Host to CA-Client
- Describe the association between a channel and its ECM stream -- channel specific
- CA-Host -- the SAS Command-and-Control
- Encrypt and deliver channel-specific control words and access criteria as ECMs
- Encrypt and deliver subscriber-specific rights as EMMs
- CA-Client -- the SAS Access Coordinator
- Receive and pass ECMs and EMMs to CA-Module
- Deliver control words from CA-Module to descrambler
- CA-Module -- the SAS Gate Keeper
- CAM-ID, uniquely assigned to each subscriber
- Authenticate and decrypt EMMs for rights; result never leaves the CAM
- Authenticate and decrypt ECMs for control words and access criteria
- Return control words only if the stored rights match the channel's access criteria
- Tamper-evident and tamper-resistant
- Renewable -- cheaply replaced when damaged or compromised
- Subscriber Management System
- Decide each subscriber's rights of channel access
- Update subscriber entitlements by giving the CA-Host (CAM-ID, rights) pairs
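The message flow above (SMS hands the CA-Host a (CAM-ID, rights) pair; the CA-Host issues a subscriber-keyed EMM and channel ECMs; the CA-Client forwards them; the CA-Module releases a control word only when its stored rights cover the channel's access criteria) as a toy end-to-end model. This is an added example, not code from the presentation or from any DVB system: the real CSA cipher and operators' proprietary ECM/EMM formats are not reproduced, and the SHA-256 counter keystream, the encrypt-then-MAC envelope, the JSON message layouts, the per-CAM key, and the single "network key" that protects ECMs are all assumptions chosen so the flow runs offline on the standard library.

```python
import hashlib, hmac, json, os
from typing import Optional


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 counter mode: ASSUMED stand-in for the (then secret) CSA cipher."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC envelope nonce || ct || tag (assumed format for EMMs and ECMs)."""
    nonce = os.urandom(16)
    ct = xor(plaintext, keystream(key, nonce, len(plaintext)))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; ValueError on a forged or altered message."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("message authentication failed")
    return xor(ct, keystream(key, nonce, len(ct)))


class CAHost:
    """SAS command-and-control: EMMs keyed per CAM-ID, ECMs keyed per network."""

    def __init__(self, cam_keys: dict, network_key: bytes):
        self.cam_keys = cam_keys        # CAM-ID -> personalisation key (assumed)
        self.network_key = network_key  # protects ECMs; reaches CAMs only inside EMMs

    def make_emm(self, cam_id: str, rights: list) -> bytes:
        """Subscriber-specific: the (CAM-ID, rights) pair supplied by the SMS."""
        body = {"cam_id": cam_id, "rights": rights, "network_key": self.network_key.hex()}
        return seal(self.cam_keys[cam_id], json.dumps(body).encode())

    def make_ecm(self, channel: str, cw: bytes, criteria: str) -> bytes:
        """Channel-specific: a 64-bit control word bound to the criteria it requires."""
        body = {"channel": channel, "cw": cw.hex(), "criteria": criteria}
        return seal(self.network_key, json.dumps(body).encode())


class CAModule:
    """SAS gate keeper: rights and control words are in the clear only in here."""

    def __init__(self, cam_id: str, cam_key: bytes):
        self.cam_id, self.cam_key = cam_id, cam_key
        self.rights, self.network_key = set(), None

    def process_emm(self, emm: bytes) -> bool:
        try:
            body = json.loads(unseal(self.cam_key, emm))
        except ValueError:
            return False                   # wrong CAM key, or EMM altered in transit
        if body["cam_id"] != self.cam_id:
            return False                   # authentic but addressed to another CAM
        self.rights = set(body["rights"])  # stored rights never leave the CAM
        self.network_key = bytes.fromhex(body["network_key"])
        return True

    def process_ecm(self, ecm: bytes) -> Optional[bytes]:
        try:
            body = json.loads(unseal(self.network_key or b"", ecm))
        except ValueError:
            return None                    # forged or altered ECM, or no EMM seen yet
        if body["criteria"] not in self.rights:
            return None                    # the gate: criteria not covered by stored rights
        return bytes.fromhex(body["cw"])   # the only path by which a CW leaves the CAM


def receiver_descramble(cam: CAModule, ecm: bytes, scrambled: bytes) -> Optional[bytes]:
    """CA-Client plus descrambler: hand the ECM to the CAM, use the CW only if one comes back."""
    cw = cam.process_ecm(ecm)
    return None if cw is None else xor(scrambled, keystream(cw, b"", len(scrambled)))


def scramble(cw: bytes, content: bytes) -> bytes:
    """Broadcast-centre scrambler keyed by the control word (symmetric with the above)."""
    return xor(content, keystream(cw, b"", len(content)))


def run_demo() -> dict:
    """Constructed scenario: CAM-0001 is entitled to 'basic' but not 'premium'."""
    k1, k2 = os.urandom(32), os.urandom(32)
    host = CAHost({"CAM-0001": k1, "CAM-0002": k2}, network_key=os.urandom(32))
    cam = CAModule("CAM-0001", k1)
    emm_ok = cam.process_emm(host.make_emm("CAM-0001", ["basic"]))
    emm_foreign = cam.process_emm(host.make_emm("CAM-0002", ["basic", "premium"]))
    cw_news, cw_sport = os.urandom(8), os.urandom(8)
    ecm_news = host.make_ecm("news", cw_news, "basic")
    ecm_sport = host.make_ecm("sport", cw_sport, "premium")
    tampered = ecm_news[:-1] + bytes([ecm_news[-1] ^ 0x01])  # flip one bit of the MAC tag
    return {
        "emm_accepted": emm_ok,
        "foreign_emm_rejected": not emm_foreign,
        "news": receiver_descramble(cam, ecm_news, scramble(cw_news, b"evening news")),
        "sport": receiver_descramble(cam, ecm_sport, scramble(cw_sport, b"live match")),
        "tampered_ecm": receiver_descramble(cam, tampered, scramble(cw_news, b"evening news")),
    }
```

The point the model makes is where the trust boundary sits: the CA-Client and descrambler see only scrambled content and opaque ECM/EMM blobs, and a control word reaches the descrambler only after the CAM has both authenticated the ECM and matched its criteria against rights it received in an EMM addressed to its own CAM-ID. A forged or bit-flipped ECM, an EMM for another CAM, or a channel whose criteria the subscriber lacks all yield no control word at all.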
Network Integration
- DVB-CA fits into the MPEG-2 Transport Architecture
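In the MPEG-2 transport layer the CA descriptor that ties a channel to its ECM stream is the CA_descriptor (tag 0x09) carried in the PMT descriptor loops (and in the CAT for EMM streams), and whether a packet is scrambled, and under which of the two alternating control words, is signalled by the 2-bit transport_scrambling_control field of the TS packet header. The parser below is an added example, not code from the presentation; the descriptor and header layouts follow ISO/IEC 13818-1, while the sample descriptor loop and TS packet, the CA_system_ID value 0x1234 and the ECM PID 0x0100 are constructed for the demo.

```python
import struct
from typing import List, Optional, Tuple

CA_DESCRIPTOR_TAG = 0x09


def parse_ca_descriptors(loop: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk a PMT/CAT descriptor loop and return (CA_system_ID, CA_PID, private_data)
    for every CA_descriptor; other descriptor tags are skipped over by their length."""
    out = []
    pos = 0
    while pos + 2 <= len(loop):
        tag, length = loop[pos], loop[pos + 1]
        body = loop[pos + 2 : pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated descriptor at offset %d" % pos)
        if tag == CA_DESCRIPTOR_TAG:
            if length < 4:
                raise ValueError("CA_descriptor shorter than 4 bytes")
            ca_system_id, pid_field = struct.unpack(">HH", body[:4])
            out.append((ca_system_id, pid_field & 0x1FFF, body[4:]))  # top 3 bits reserved
        pos += 2 + length
    return out


def ecm_pid_for(loop: bytes, ca_system_id: int) -> Optional[int]:
    """What a CA-Client does with the descriptor: pick the ECM PID for its CAM's CA system."""
    for sid, pid, _ in parse_ca_descriptors(loop):
        if sid == ca_system_id:
            return pid
    return None


def ts_pid(packet: bytes) -> int:
    return ((packet[1] & 0x1F) << 8) | packet[2]


def ts_scrambling_control(packet: bytes) -> str:
    """Decode transport_scrambling_control of a 188-byte TS packet (DVB key parity)."""
    if len(packet) != 188 or packet[0] != 0x47:
        raise ValueError("not a TS packet")
    tsc = (packet[3] >> 6) & 0x3
    return {0: "clear", 1: "reserved", 2: "scrambled-even", 3: "scrambled-odd"}[tsc]


# Constructed sample: a program-info loop with one CA_descriptor (CA_system_ID 0x1234,
# reserved bits 111, CA_PID 0x0100) followed by an unrelated registration descriptor.
SAMPLE_LOOP = bytes([0x09, 0x04, 0x12, 0x34, 0xE1, 0x00,
                     0x05, 0x04]) + b"AC-3"
# Constructed sample: TS header for PID 0x0100, scrambled with the even control word,
# payload only, continuity counter 0, followed by 184 zero payload bytes.
SAMPLE_TS = bytes([0x47, 0x01, 0x00, 0x90]) + bytes(184)
```

A receiver needs both pieces: the CA_PID from the descriptor tells the CA-Client which PID carries ECMs for its CAM's CA_system_ID, and the scrambling-control bits tell the descrambler which of the two control words (even or odd) the current packet was scrambled with, which is how the control word can be changed in the ECM stream without interrupting the picture.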
Summary
- Manage end-users' access rights to a DVB digital TV network's content
- Use the same broadcast network for content delivery and access protocol
- Rely on unpublished (secret) cryptographic algorithms and tamper-resistant hardware
- Contain damage of security compromise by being renewable
- Adopted by many DTV networks for real deployment