Key management systems typically employ messages known as entitlement control messages (ECMs) and entitlement management messages (EMMs) to control access to data streams. In a conditional access system, each content stream is associated with a stream of ECMs that serves two basic functions: (1) to specify the access requirements for the associated content stream; and (2) to convey the information needed by subscriber devices to compute the cryptographic key(s) needed for content reception. ECMs are transmitted in-band alongside their associated content streams. EMMs are control messages that convey access privileges and keys to subscriber devices. Unlike ECMs, which are embedded in transport multiplexes and are broadcast to multiple subscribers, EMMs are typically sent unicast-addressed to each subscriber device. That is, an EMM is specific to a particular subscriber.
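The ECM/EMM split described above, as an added sketch that is not taken from the original document or from any real conditional access system. The message layouts, the function names and the HMAC-based toy cipher (standing in for a real authenticated cipher) are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _pad(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream from HMAC-SHA256 (assumption: stands in for a real cipher).
    return hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    if len(plaintext) > 32:
        raise ValueError("toy cipher handles at most 32 bytes")
    nonce = os.urandom(8)
    body = bytes(a ^ b for a, b in zip(plaintext, _pad(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()[:16]
    return nonce + body + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:8], blob[8:-16], blob[-16:]
    want = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, want):
        raise ValueError("EMM is not addressed to this device or was altered")
    return bytes(a ^ b for a, b in zip(body, _pad(key, nonce, len(body))))

def make_emm(device_key: bytes, service_key: bytes, tiers: set) -> bytes:
    # EMM: unicast and subscriber-specific; conveys a key and access privileges.
    return seal(device_key, service_key + bytes(sorted(tiers)))

def make_ecm(required_tier: int) -> bytes:
    # ECM: broadcast in-band to every device; one byte of access requirement
    # followed by the material devices use to compute the content key.
    return bytes([required_tier]) + os.urandom(16)

def content_key(service_key: bytes, ecm: bytes) -> bytes:
    # Key for content reception, computed from the ECM and the service key.
    return hmac.new(service_key, ecm, hashlib.sha256).digest()[:16]

def device_receive(device_key: bytes, emm: bytes, ecm: bytes):
    data = unseal(device_key, emm)
    service_key, tiers = data[:16], set(data[16:])
    if ecm[0] not in tiers:
        return None  # the ECM's access requirement is not met
    return content_key(service_key, ecm)
```

The same ECM bytes go to every device, while each device needs its own EMM; a device holding a different device key cannot open another subscriber's EMM.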
For improved scalability and security, devices have been authenticated using public keys and digital certificates. Typically, for instance, in response to a compromise of the symmetric device keys, a device registration server individually sends every device a device registration message giving a new symmetric key protected under the public key. However, this individual communication of device registration messages consumes a great deal of time as well as bandwidth. The bandwidth consumption is often problematic in many conditional access systems, such as those for mobile TV and portable video players, which have very little available bandwidth. In addition, the bandwidth overhead required to individually communicate the device registration messages to the devices is typically overly burdensome on the broadcast network, particularly as the messages must typically be repeated several times to ensure reliable reception.