Conditional access (CA) is a technique for limiting the access of content (e.g., audiovisual works such as movies) to authorized users. For example, CA systems have been developed for cable TV and non-cable TV including digital television (DTV). In a CA system for digital television, the media content is scrambled (encrypted) using a standard algorithm before broadcasting. The key used for scrambling/descrambling the media content in a CA system is called a control word (CW). The control word is securely provided to the subscribers through entitlement control messages and entitlement management messages. A security device uses the control word to descramble (decrypt) the received media content.
Typically, the control word changes frequently (e.g., about every 0.1 second). To prevent unauthorized access, the control words are protected (scrambled/encrypted) using a service key (SK) when being broadcast. Only the security devices in possession of the service key can recover the control word for descrambling the media content protected by the CA system.
An entitlement control message (ECM) is typically used to broadcast the control word in an encrypted form, which can be decrypted using the service key. The entitlement control message is checked against the access criteria in order to provide authorization. The control word is released if authorization is granted. Using the service key, the system can securely broadcast common information, such as the control word, to subscribers simultaneously without having to individually broadcast a message for each of the subscribers.
To individually manage each security device, each security device has a unique identity so that the CA system can broadcast a message specifically for one security device. An entitlement management message (EMM) typically contains the actual authorization data (e.g., entitlement) to authorize the security device for certain access criteria. Entitlement management messages are individually addressed to particular security devices. An entitlement management message may be only for one particular security device with a unique identity. To control the security devices individually, the system broadcasts a separate entitlement management message for each device in the entire population of security devices. Typically, each security device has a unique, secret user key (UK) so that an entitlement management message for one security device can only be decrypted using the unique user key of that security device.
Typically, the service key also changes periodically (e.g., once a month for subscription TV or once per movie for Pay-per-View). An entitlement management message can be used to send the service key to a particular security device for a subscriber. The CA system broadcasts an entitlement management message for each subscribing security device to deliver the service key. After the service key is individually delivered to the subscribing security devices using the entitlement management messages, the CA system can broadcast the encrypted control words that can be decrypted using the service key.
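The three-tier key hierarchy described above (UK protects SK via the EMM, SK protects CW via the ECM, CW scrambles the content), as an added example that is not part of the original text. The `keystream_xor` cipher is an HMAC-SHA256 counter-mode stand-in for the standard scrambling algorithm (it is not DVB-CSA or any real CA cipher), and the message layouts, device identifiers and keys are constructed for illustration.

```python
import hashlib, hmac

def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Symmetric stand-in cipher: XOR data with an HMAC-SHA256 counter-mode
    keystream bound to `label`. Encrypt and decrypt are the same operation."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, label + (off // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def make_emm(device_id: str, user_key: bytes, service_key: bytes) -> dict:
    """EMM (constructed layout): addressed to one security device; SK wrapped under that device's UK."""
    return {"device_id": device_id,
            "wrapped_sk": keystream_xor(user_key, b"EMM|" + device_id.encode(), service_key)}

def make_ecm(service_key: bytes, period: int, control_word: bytes) -> dict:
    """ECM (constructed layout): broadcast to every device; CW wrapped under the shared SK.
    `period` numbers the CW rotation (the text gives roughly one CW per 0.1 s)."""
    return {"period": period,
            "wrapped_cw": keystream_xor(service_key, b"ECM|%08x" % period, control_word)}

def scramble(control_word: bytes, period: int, payload: bytes) -> bytes:
    """Headend side: scramble one content packet with the CW current in `period`."""
    return keystream_xor(control_word, b"TS|%08x" % period, payload)

class SecurityDevice:
    """Receiver-side security device (e.g., a smart card) holding one unique UK."""
    def __init__(self, device_id: str, user_key: bytes):
        self.device_id, self.user_key, self.service_key = device_id, user_key, None

    def process_emm(self, emm: dict) -> bool:
        if emm["device_id"] != self.device_id:
            return False            # not addressed to this device: ignore it
        self.service_key = keystream_xor(self.user_key, b"EMM|" + self.device_id.encode(), emm["wrapped_sk"])
        return True

    def process_ecm(self, ecm: dict):
        if self.service_key is None:
            return None             # no entitlement delivered: the CW is not released
        return keystream_xor(self.service_key, b"ECM|%08x" % ecm["period"], ecm["wrapped_cw"])

    def descramble(self, ecm: dict, packet: bytes):
        cw = self.process_ecm(ecm)
        return None if cw is None else scramble(cw, ecm["period"], packet)
```

A device that never received its EMM holds no service key and therefore cannot recover any control word, and a control word recovered for one period does not descramble packets of the next period, which is the point of the frequent CW change.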
Through the use of entitlement management messages and entitlement control messages, a CA system can offer capabilities such as pay-per-view (PPV), interactive features such as video-on-demand (VOD) and games, the ability to restrict access to certain material, and the ability to direct messages to specific receiving devices (e.g., set-top boxes with a smart card).
In digital television, the media content (e.g., video and audio signals) is converted into a digital form using the MPEG-2 format. The digital form of the media content of one program is multiplexed together with those of other programs for transmission so that multiple programs appear to be transmitted simultaneously. The CA system scrambles the digital form of programs and transmits the entitlement control messages and the entitlement management messages with the digital form of programs for broadcast either within the multiplex (e.g., Satellite) or through an out-of-band channel (e.g., Cable).
Typically, a set-top box (STB) at the receiving end descrambles the data stream and decodes the MPEG-2 data for viewing. A tuner portion of the STB receives the incoming signal, demodulates it and reconstitutes the transport stream, which contains many packets of information. The set-top box can de-multiplex the entitlement management messages and entitlement control messages and the media content. The data (e.g., service key and control word) contained in the entitlement management message and entitlement control message are used to descramble the encrypted programming material. The set-top box then renders the MPEG-2 data for viewing.
A digital rights management (DRM) system manages rights digitally. Digital rights management uses encryption software to protect electronic information and prevent widespread distribution. In a typical digital rights management scheme, a DRM server software program wraps the digital content through encryption according to applicable policies. A DRM client software program unwraps the content and makes it accessible in accordance with its rights. The rights are typically distributed to clients separately from the wrapped electronic information. DRM clients may include desktop PCs, handheld devices, set-top boxes, mobile phones and other portable devices. In addition to encrypting/scrambling the digital content to limit its distribution, a digital rights management system may also provide the description, identification, trading, protection, monitoring and tracking of various forms of rights.
Content encryption is typically performed using symmetric key cryptography, while key encryption typically uses public/private key cryptography. In symmetric key cryptography, the same key is used to both encrypt and decrypt the content. In public/private key cryptography, different but related keys are used to encrypt and decrypt the content.