In the known standard pay-TV broadcast model, as disclosed in the “EBU Functional Model of a Conditional Access System”, EBU technical review, winter 1995, the pay-TV service to be broadcast is encrypted and the keys to decrypt the pay-TV service on the multimedia receiver side are placed in Entitlement Control Messages (ECM) sent together with the scrambled pay-TV service. The ECM messages are encrypted with a transmission key, which is changed frequently for security reasons.
In addition to the descrambling keys, the ECM messages carry information on the pay-TV service conditional access rights in the form of access conditions to be enforced on the multimedia receiver side.
Subscriber conditional access rights (for example a service subscription right for one month), as well as the transmission keys, are managed and transmitted in an asynchronous way in the form of Entitlement Management Messages (EMM). The EMM messages are encrypted with secret keys only known by the multimedia receiver.
For a multimedia receiver to be able to receive and decrypt a service, the first step is therefore to receive and decrypt the EMM messages carrying the rights corresponding to the product as well as the EMM messages carrying the transmission keys necessary to decrypt the ECM messages. For that purpose, the multimedia receiver comprises a unique key and the EMM is encrypted by this unique key and broadcast so that only this multimedia receiver can decrypt the EMM message. For that purpose, symmetric or asymmetric keys can be used.
The multimedia receiver is associated or locally connected to a security module comprising at least one processor and a memory. The security module can have different forms, such as a smartcard, a secure chip, a USB dongle or tamper-resistant software stored in a secure memory of the multimedia receiver.
The security module is considered as secure enough to store in its memory at least the transmission key, the unique key pertaining to the multimedia receiver and access right (or rights) to one or more pay-TV services.
The roles of the security module are to receive the ECM and EMM messages, decrypt the ECM message using the transmission key and extract the access key (or keys) as well as the access conditions related to a selected pay-TV service. The security module checks if the right matching the access conditions contained in the ECM message is present in the memory of the security module and in a positive case, the access key is returned to the multimedia receiver for decrypting the selected service.
An ECM message can contain more than one access condition definition. In this case, according to the policy applied, the security module can check the presence of the rights in its memory and return the access key if at least one of the rights is present. According to another policy, the security module can return the access key only if all the rights matching the whole set of access conditions are present in the memory of the security module.
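The EMM/ECM flow and the two rights policies described above, as an added example that is not taken from the cited documents or from any real conditional access system. The HMAC-based stand-in cipher, the JSON message layout and every name (`seal`, `unseal`, `SecurityModule`, `demo`) are assumptions of this example.

```python
import hashlib, hmac, json, os

def _xor(key, nonce, data):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode); a real CAS uses its own algorithm.
    ks = b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def _tag(key, nonce, ct):
    return hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def seal(key, obj):
    nonce = os.urandom(12)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + _tag(key, nonce, ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("message was not encrypted under this key")
    return json.loads(_xor(key, nonce, ct))

class SecurityModule:
    def __init__(self, unique_key, policy="any"):
        self.unique_key, self.policy = unique_key, policy
        self.transmission_key, self.rights = None, set()

    def process_emm(self, emm):
        msg = unseal(self.unique_key, emm)   # only the addressed receiver's key opens it
        self.rights |= set(msg.get("rights", []))
        if "transmission_key" in msg:
            self.transmission_key = bytes.fromhex(msg["transmission_key"])

    def process_ecm(self, ecm):
        if self.transmission_key is None:
            return None                      # no EMM processed yet, ECM cannot be opened
        msg = unseal(self.transmission_key, ecm)
        held = [c in self.rights for c in msg["access_conditions"]]
        # An empty condition list is refused (fail closed; an assumption of this example).
        granted = bool(held) and (any(held) if self.policy == "any" else all(held))
        return bytes.fromhex(msg["access_key"]) if granted else None

def demo(policy):
    # Constructed sample keys and messages, not real CAS data.
    uk, tk, cw = os.urandom(16), os.urandom(16), os.urandom(8)
    sm = SecurityModule(uk, policy)
    sm.process_emm(seal(uk, {"rights": ["sports"], "transmission_key": tk.hex()}))
    ecm = seal(tk, {"access_key": cw.hex(), "access_conditions": ["sports", "movies"]})
    return sm.process_ecm(ecm) == cw
```

With one of the two required rights held, `demo("any")` releases the access key and `demo("all")` withholds it.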
Document US2004/0101138A1 discloses a system and a method for secure distribution of digital media content through a packet-based network such as the Internet. The security of the method does not require one-to-one key exchange, but rather enables keys, and/or information required in order to build the key, to be broadcast through the packet-based network. The digital media content is then also preferably broadcast, but cannot be accessed without the proper key. However, preferably only authorized end-user devices are able to access the digital media content, by receiving and/or being able to access the proper key. Thus, the system or method is useful for other types of networks in which digital media content is more easily broadcast rather than unicast, in addition to packet-based networks. The ECM is broadcast to all end user devices, but the particular end user device is more preferably only able to generate the key if this end user device also receives an EMM from the broadcaster head end. The EMM is optionally and more preferably used for periodic renewal of the security module, such that without periodic receipt of such an EMM, the security module eventually is no longer able to access the media content, because it is no longer able to use the ECM information to generate the key for decrypting the media content. The EMM may be sent to a plurality of different end user devices at one time, as a broadcast or multicast, such that a group of end user devices would receive the information at once. For example, a particular EMM could be designated for one group of end user devices, according to a particular subscription plan or other type of payment structure, and/or according to the network address of the members of the group of end user devices. A preferred feature of EMMs is an authorization period, such that EMMs are preferably only valid for the authorization period, after which a new EMM must be received.
Thus, the security information is still renewed, while also supporting access of authorized end users to the media content, even in a non-reliable network environment such as the Internet.
Document US2008/0059993A1 discloses a subscriber authorization system including: an authorization management system, configured to transmit, through multicasting, an authorization message EMM to a plurality of terminals on a transmission network, wherein the EMM carries a multicast address, a product identity and authorization data. Before transmitting the EMM to authorize the subscribers, a multicast address of a group is determined. Because every card has a unique card address, a number of cards with a common address attribute are set in the group. During the authorization process concerning a product, the authorization management system encapsulates authorization data, a product identity and the multicast address into an EMM and transmits the EMM to terminal devices of subscribers through group-based multicast. A terminal device of a subscriber belonging to the group identified by the EMM parses the authorization message upon receiving the EMM, obtains information of whether the subscriber has subscribed to the product and performs authorization on the subscriber according to the information of whether the subscriber has subscribed to the product.
According to these methods, the EMM messages are sent for updating rights in the security module. Only ECM processing is conditioned by the processing of an EMM as usual in known user devices.
Document EP1212879B1 discloses a process and a transmission system of a chain of database updating messages between a managing centre and a plurality of subscriber databases geographically shared. Each message includes a chain identifier and a chain index allowing the identification of the message in the chain. If a message is not received following interference in the connection, the processing of further messages can cause the locking of databases. In order to avoid this drawback, the solution consists in adding to each message a condition block which determines if this message has to be processed without reference to elements of the chain or which are the conditions linked to the previous processing of elements of the chain.
The particularity of each message is that it contains only a part of the data intended for the database. Two cases are possible: either the order of message reception plays an important role and each message has to follow the preceding one, or the order of reception does not play any role and the messages are executed at reception.
In this document all messages of the chain are sent according to a same mode: either broadcast, multicast or upon request from the subscriber unit.
At present, when reception of a global EMM message by all security modules has to be enforced for security reasons, an ECM-related key is changed if the processing of the EMM message has given a result such as a data segment change in the security module memory or a new version of a piece of software. Global key change may be a risky operation and is problematic whenever multimedia receivers are disconnected. In this case, the reception of a new key by the security module can take a long time, so that the user may call the managing center and trigger an immediate update, which is an expensive operation.