Design of an IPTV Conditional Access System Supporting Multiple-Services

Gregory L. Harding, Anne V. D. M. Kayem
Copyright: © 2014 | Pages: 40
DOI: 10.4018/978-1-4666-6158-5.ch005


Conditional Access (CA) is typically used by pay-television operators to restrict access to content to authorized subscribers. While several commercial CA solutions exist for structured broadcasting, Internet-based television, and video-on-demand services, these solutions are mostly proprietary. Use of proprietary solutions incurs royalty payments and increased cost of components for Set-Top-Box manufacturers. In many developing countries Set-Top-Boxes for the migration to Digital Television will be subsidized by government. An efficient, flexible, and open conditional system that does not incur royalties or require specialised security hardware would be beneficial for these countries. In this chapter, the authors explore conditional access solutions that draw on the area of cryptographic key management and distribution for IPTV environments. They wrap up with propositions on how an open Cryptographic Access Control (CAC) system can be implemented practically by pay-television operators who have to handle a large number of subscriptions.
Chapter Preview


In the television industry, Conditional Access (CA) is the application of cryptography for controlling access to content. The term is most commonly used in reference to the traditional scheduled programming that is distributed over digital broadcast mediums such as satellite, terrestrial, and cable.

Pay-television (or premium television) content, which consists primarily of high quality video and audio streams, is by its nature a high-bandwidth application. Traditional television broadcast networks have limited bandwidth and typically it is infeasible to encrypt the data stream with a different key for each valid subscriber. In recent years, increasing availability of fast home broadband connections has allowed the advent of streaming Internet Video-on-demand (VOD) services which do establish individual network connections (unicast) to clients. This type of application is reportedly responsible for a large percentage of global bandwidth usage, placing a strain on distribution networks. Unicast distribution of “live television” (including scheduled programming) to a large number of receivers is extremely inefficient. Multicast facilitates efficient distribution of this type of content over IP networks.

Pay-TV operators are heavily reliant on conditional access systems to support their business model. CA systems are also used for free-to-view (FTV) television broadcasts (distinct from free-to-air (FTA), in which broadcast content is not encrypted at all). Encryption of FTV content can be for reasons such as restricting access to content by physical region, for example by national borders, in order to prevent viewers in nearby countries from accessing content that is ultimately paid for by tax-payers.

Within a country, regional boundaries might also be defined on the basis of broadcast licenses and advertising. The South African Broadcasting Corporation (SABC), for instance, plans to switch to digital terrestrial television (DTT). The benefits of digital television include greater efficiency in usage of the radio spectrum, and better picture quality. The SABC, as is the case for similar broadcasting agencies in the developing world, could use a CA system to control access to pay-television to within national or community boundaries, and/or for ensuring that only valid license holders are able to access TV. This is important in creating a trusted environment where valid subscribers get reliable access to their subscription content.

Motivation and Objectives

This chapter was inspired in part by the need of a South African set-top-box (STB) manufacturer for an open, royalty-free conditional access mechanism for IPTV that is based on tested academic research in cryptographic key management. The objective of this research is therefore to study existing research in key management systems and to design and implement an end-to-end framework that is both theoretically robust and practically implementable.

Existing commercial CA systems are closed and proprietary. To the best of our knowledge, while there is much research in the area of group key management, there is little available research that specifically addresses the design of a complete conditional access system for IPTV.

Further, conditional access systems might rely on “security by obscurity”. That is, the strength of their security is dependent on an attacker not having knowledge of the workings of the system. Kerckhoffs's principle should be applied: an attacker having knowledge of the algorithms used should not compromise the security of the system.

CA systems used in some IPTV deployments are based on DRM mechanisms, use a simple key distribution centre (SKDC) approach, or encapsulate broadcast CA systems in IP packets. There is arguably room for improvement in terms of security and efficiency.
