Content security

Downloadable conditional access systems create a buzz.

Many operators and broadcasters have a fraught relationship with their conditional access (CA) provider. Having supplied CA for a long time, I think I know why. Spending money on CA doesn't win you extra customers or make your service any better. It can be costly to deploy, and it often introduces inflexibility. On occasion, it even slows down the introduction of new business models. So, perhaps it's no wonder that the relationship's often strained.

Figure 1. Lyse Tele’s EPG for its advanced IPTV service

Downloadable CA systems (DCAS) are creating a buzz within the industry. In this article, I'll explain how DCAS solve most of the issues introduced by the hardware element of CA.

Before I go any further, I would like to explain that although I think the smart card/embedded chip is the root of most of the issues with CA today, the hardware approach made a lot of sense when it was first introduced. That was in the early days of pay-TV. The standard method developed to secure content and revenues was to use embedded CA systems within the set-top box (STB) itself. This approach, however, has the limitation that a serious hack could necessitate the replacement of all an operator's STBs. To ensure that the CA system could be updated without replacing the STB, a removable CA module — the smart card — dominated many markets.

Over time, however, limitations to this approach became apparent. Smart cards are costly to produce, distribute and manage. Following a serious piracy attack, all smart cards would have to be changed.

Smart cards also reduce operator flexibility. For instance, an operator may have to wait until the next smart card switch before introducing new business models and content packaging strategies.

Two decades later, DCAS are quickly gaining acceptance as it becomes understood that their deployment removes the main problems associated with hardware-based CA, including:

  • Deployment: Downloadable CA is much more cost-effective to deploy.
  • Replacement: Downloadable CA can be replaced easily and cost-effectively, removing the vendor lock-in issue.
  • Management: DCAS are much easier to manage and distribute.
  • Flexibility: The complexity of hardware-based CA can drastically reduce an operator's flexibility.
  • Security: Hardware-based CA offers a fixed target, and the smart card is the best method for a hacker to profit from a hack. Both security issues are avoided with DCAS.

Downloadable CA in IPTV

Almost all of the first systems commercially deployed were on IPTV networks. There are several reasons IPTV operators chose DCAS, including the fact that many had a fresh approach and limited budgets. The smaller IPTV operators also knew they would be unlikely to come under concerted attack.

All IPTV operators needed a security approach that maximized operational flexibility — as flexibility would be a key advantage over incumbent pay-TV operators. For these reasons, DCAS became, and still remain, the de facto standard security method for IPTV.

However, at the two extremes of IPTV in terms of size and complexity (i.e. Tier-1 and Tier-3 operators) telco TV operators have different architectures, challenges and business models. Despite this, Tier-1 and Tier-3 operators are usually offered similar IPTV content and revenue security solutions.

Case study: Lyse Tele

An example of a company that has effectively integrated CA solutions with its middleware set-up is the Norwegian IPTV operator Lyse Tele. This operator required the advanced functionality of a fully featured CA system to support its ambitious network and business plans.

Lyse Energi is a Norwegian utility company that provides gas and electricity to more than 100,000 customers in the South Western region of Norway. The subsidiary Lyse Tele was formed to provide a triple-play package of telephone, TV and Internet services.

Following deregulation, the company saw the founding of a telecommunications division as both a defensive measure — reducing churn from new competitors by offering customers an enhanced service — and an offensive measure — gaining new revenue streams from a triple-play offering. Broadband services are a natural extension of the company's traditional product offerings, delivering new products through a wired communication infrastructure that can be laid alongside Lyse's traditional power services.

The content security system was designed to allow Lyse Tele to move from the present centralized architecture to a distributed network whenever the business case made such a transition viable. The transaction processing architecture allows the company complete flexibility of marketing models and packaging of pay-TV content. The flexibility of DCAS also allowed the company to easily move to a franchise business model, through which Lyse enables other companies throughout Scandinavia to launch IPTV services.

The flexibility provided by DCAS means that Lyse Tele can employ whichever business models it decides best suit its goals and consumer preferences. When running on a bidirectional network, DCAS also enable the CA provider to view the status and efficiently administer, operate and maintain security remotely.

Cable and DCAS

Cable networks are just now showing increased interest in DCAS. It has taken longer for DCAS to gain traction with cable than with IPTV. There are several reasons for this. The most important reason is that most cable operators are established businesses with existing deployed CA systems. Additionally, although many cable operators are aware of the lack of flexibility caused by their existing hardware-based security solutions, this very inflexibility makes it a tough decision to move from hardware security to DCAS. This decision is even harder when there's a natural fear that a new CA system, whether DCAS or hardware-based, may have integration issues with an installed base of perhaps millions of STBs.

Case study: Multimedia Polska

Polish operator Multimedia Polska's integration of DCAS provides a clear example of a cable operator looking to gain the additional benefits of downloadable software CA. The company chose DCAS to provide security for its digital customers, enabling the company to transition its analog network to digital cable and IPTV. Again, the reason for choosing DCAS was its flexibility — with the key issue in this case being the ability to protect the company's digital subscribers from a unified IP headend. It was also important to the operator that the DCAS was not only DVB-compliant, but also that it had been designed to work with both traditional broadcast and IPTV environments.

The main benefits DCAS provided to Multimedia Polska include:

  • A technically and commercially scalable system from launch to full nationwide service delivery.
  • Protection of linear (live) TV services as well as VOD and time-shift TV, NVR and PVR services.
  • An efficient, secure, flexible and diverse service offering for both IPTV and CATV television subscribers.
  • Efficient scrambling of multicast traffic for IPTV and CATV subscribers with one unified headend. This provides enormous cost savings over alternative solutions that would require expensive additional network provision to make live/linear services available to both subscriber populations.

Today, the network has more than half a million analog CATV subscribers, which the company is migrating to a suite of digital pay-TV services. In parallel, the company offers similar services to its growing IPTV subscriber base through its ADSL/ADSL2+ deployment. The company also provides DOCSIS-compliant cable modems for broadband Internet access to CATV users using a Cisco Cable Modem Termination System (CMTS).

Multimedia Polska uses a common architecture to minimize the optical bandwidth costs across the operator's core network. A single scrambling algorithm was specified in the super headend for all premium services, including VOD across the IP and cable systems.

In general, the algorithm can be either DVB Common Scrambling Algorithm (DVB-CSA) or 128-bit AES scrambling, a scrambling algorithm that's well understood throughout the industry. At Multimedia Polska, AES had already been deployed on the IPTV system and for VOD pre-encryption, so the company decided to deploy the AES algorithm across all networks and services to avoid rescrambling content. Furthermore, this architecture does not require the use of any edge scrambling devices on the CATV network, providing additional cost savings.

An overview of the overall network architecture at Multimedia Polska is depicted in Figure 1. This diagram shows how the solutions interconnect with other vendors involved in the end-to-end network topology.

DCAS leverage the two-way IP traffic capability on both the IPTV and CATV networks to provide the operator with a robust, diverse and dynamically renewable client solution.

A crucial factor in taking this approach was to create the simplest network that could provide time-shift TV, PVR and network PVR services for Multimedia Polska, with the proviso that VOD servers deployed in the regions could ingest scrambled live services at the edge of the network. This allows a centralized time-shift TV and network PVR scheduling system, under Multimedia Polska's control, to decide what channels and programs are recorded in the network and subsequently made available to end users via a user-friendly electronic-programming guide (EPG) interface. All of this is achieved without any additional bandwidth requirements across the core network, as the ingest servers located at the edge operate on scrambled traffic.

DCAS for networks without a return path

One of the features of DCAS is that they use the power of bidirectional networks to provide a moving target and hence offer greater security than static hardware-based solutions. However, satellite, terrestrial and other operators without a return path are also starting to take advantage of the cost and flexibility benefits of DCAS.

To cater for these operators, broadcast CAS (BCAS) offer broadcast network operators all the key advantages already offered by DCAS to two-way network operators, including dynamic renewability, increased business flexibility, lowered costs, proven scalability, support for DVB standards and significantly lowered customer acquisition costs.


At launch, all DCAS vendors had to defend their technologies against accusations that they didn't provide sufficiently strong security. Over the last few years, this argument has been demolished by those vendors providing properly architected CA to operators of bidirectional networks. It was the flexibility of DCAS that won over first the IPTV operators and is now helping DCAS to gain ground in digital cable and hybrid cable/IPTV.

Finally, I believe you'll see DCAS start to be deployed in those networks without a return path. Perhaps a satellite operator that's unhappy with the required frequency and cost of smart card swap outs will take the plunge. I then believe we'll see the final step in the rise of DCAS security, as it becomes the de facto standard for content and revenue protection, whatever the architecture of the network to be protected.

Andy Mathieson is a director for Latens.