End-to-End Network Architectures (E2NA); Mechanisms addressing interoperability of multimedia service and content distribution and consumption with respect to CA/DRM solutions

DTR/E2NA-00004-CA-DRM-interop

General Information

Status: Published
Publication Date: 09-Feb-2015
Current Stage: 12 - Completion
Due Date: 25-Feb-2015
Completion Date: 10-Feb-2015
Ref Project
Standard
ETSI TR 101 532 V1.1.1 (2015-02) - End-to-End Network Architectures (E2NA); Mechanisms addressing interoperability of multimedia service and content distribution and consumption with respect to CA/DRM solutions
English language
36 pages

Standards Content (Sample)


TECHNICAL REPORT
End-to-End Network Architectures (E2NA);
Mechanisms addressing interoperability of multimedia service
and content distribution and consumption
with respect to CA/DRM solutions

2 ETSI TR 101 532 V1.1.1 (2015-02)

Reference
DTR/E2NA-00004-CA-DRM-interop
Keywords
CA, DRM, interoperability, terminal
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2015.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights
Foreword
Modal verbs terminology
Introduction
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Abbreviations
4 The role and importance of CA/DRM solutions
4.1 Introduction
4.2 Basic introduction to CA/DRM systems
4.3 Introduction to the role of Trust Authorities
5 Current landscape of CA and DRM solutions
5.1 Introduction
5.2 DVB
5.2.1 About the DVB
5.2.2 DVB-CA
5.2.3 DVB-SPP
5.2.4 DVB-CPCM
5.2.5 CI Plus
5.2.6 DVB Harmonized Security Framework
5.3 ETSI - TISPAN
5.4 ETSI KLAD System
5.5 ETSI ISG ECI
5.6 ITU-T
5.7 Open IPTV Forum (OIPF)
5.8 HbbTV®
5.9 Digital Living Network Alliance (DLNA®)
5.10 ATIS (Alliance for Telecommunications Industry Solutions)
5.11 IETF (Internet Engineering Task Force)
5.12 W3C
5.13 Open Mobile Alliance (OMA)
5.14 3rd Generation Partnership Project (3GPP)
5.15 ISO MPEG
5.16 DECE and ULTRAVIOLET™
5.17 US DCAS
5.18 GlobalPlatform®
6 Implementation and operation of CA/DRM systems
6.1 Introduction
6.2 Effective implementation of systems
6.3 Anti-hacking and counter piracy activities
7 Interoperability in practice
7.1 Introduction
7.2 Interoperability when several CA/DRM solutions are simultaneously used
7.3 Interchanging security systems
7.3.1 Current architecture
7.3.2 CA/DRM Switching in deployed terminals
7.3.3 CI Plus solution
7.3.4 Software download solutions
8 New market needs
8.1 Introduction
8.2 UHDTV
8.3 Companion screen
9 Lessons from main body clauses 4 - 8
10 Conclusions
History

Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://ipr.etsi.org).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Report (TR) has been produced by ETSI Project End-to-End Network Architectures (E2NA).
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "may not", "need", "need not", "will",
"will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms
for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Introduction
Alongside well established TV delivery solutions, new services and applications offering content via a variety of
technical platforms over managed and unmanaged networks have emerged in a rapidly evolving environment. This has
led to a widely fragmented market in terms of proprietary and standardized elements of the platforms and the CA/DRM
solutions in use.
The variety of solutions, involving standardized and proprietary elements, presents obvious challenges to content
providers wanting to distribute their content to broad communities of end-users while a fragmented world market is an
obstacle for manufacturers of consumer equipment wanting to maximize economy of scale due to the need to adapt for
different technical platforms and CA/DRM systems. Last but not least, consumers may appear to lack the utmost
flexibility in choosing services and available content due to the service providers' use of different delivery platforms and
CA/DRM systems.
The present document examines the underlying reasons for the variety of delivery platforms focussing on standards and
solutions in the market for CA/DRM interoperability and considers whether new standardization initiatives will help to
reduce market fragmentation and improve interoperability in the solutions used for distribution and consumption of
multimedia content.
1 Scope
The present document about "Mechanisms addressing interoperability of multimedia service and content distribution
and consumption with respect to CA/DRM solutions" gives an overview and provides guidance on several CA/DRM
subjects, presents related activities in standardization bodies and discusses implementation issues. Special attention is
paid to existing solutions already introduced to the market with regard to interoperability as well as to emerging
software-based solutions, all operated under a trusted environment.
Analysis of solutions for interoperable multimedia content distribution and consumption with respect to CA/DRM,
suitable for Multimedia platforms (broadcast, broadband or hybrid) and to the content/services delivered over them is
the main focus of the present document, addressing:
• A review of the status of existing and emerging standards together with other attempts to produce
interoperable and interchangeable CA/DRM solutions suitable for multimedia consumption across multiple
networks and platforms.
• A presentation of the practical framework required for implementation and operation of a CA/DRM system.
• An analysis of the interoperability available using current solutions and lessons from all the attempts reviewed.
• Emerging market needs.
• Concepts for market implementation including business roles, liability and trust.
• Regulatory and legal issues.
The present document covers all aspects of interoperability involving standardized elements concerning Conditional
Access (CA) and Digital Rights Management (DRM) solutions associated with content distribution and consumption
across various technical platforms for conventional Broadcast TV (DVB-C/C2, -S/S2, -T/T2) as well as for Broadband
TV (including IPTV, WEB-TV) and Mobile TV.
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
The following referenced documents are necessary for the application of the present document.
Not applicable.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ETSI TR 102 688-1: "Media Content Distribution (MCD); MCD framework; Part 1: Overview of
interest areas".
[i.2] ETSI TR 102 688-3: "Media Content Distribution (MCD); MCD framework; Part 3: Regulatory
issues, social needs and policy matters".
[i.3] Recommendation ITU-T X.1191: "Functional requirements and architecture for IPTV security
aspects".
[i.4] ETSI TS 187 021: "Security services and mechanisms for customer premises networks connected
to NGN".
[i.5] ETSI TS 187 003: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Security; Security Architecture".
[i.6] Recommendation ITU-T J.293: "Component definition and interface specification for the next
generation set-top box".
[i.7] ETSI TS 102 796: "Hybrid Broadcast Broadband TV".
[i.8] IETF RFC 5027: "Security Preconditions for Session Description Protocol (SDP) Media Streams".
[i.9] IETF RFC 4046: "Multicast Security (MSEC) Group Key Management Architecture".
[i.10] IETF RFC 3830: "MIKEY: Multimedia Internet KEYing".
[i.11] IETF RFC 4909: "Multimedia Internet KEYing (MIKEY) General Extension Payload for Open
Mobile Alliance BCAST LTKM/STKM Transport".
[i.12] IETF RFC 4535: "GSAKMP: Group Secure Association Key Management Protocol".
[i.13] ISO/IEC 14496-12: "Information technology -- Coding of audio-visual objects -- Part 12: ISO base
media file format".
[i.14] ISO/IEC 23001-7: "Information technology -- MPEG systems technologies -- Part 7: Common
encryption in ISO base media file format files".
[i.15] ISO/IEC 23009-1: "Information technology -- Dynamic adaptive streaming over HTTP (DASH) --
Part 1: Media presentation description and segment formats".
[i.16] ETSI TS 103 162: "Access, Terminals, Transmission and Multiplexing (ATTM); Integrated
Broadband Cable and Television Networks; K-LAD Functional Specification".
[i.17] Information about gaining access to the DVB Common Scrambling Algorithms (DVB-CSAX).
NOTE: Available at http://www.etsi.org/services/security-algorithms/dvb-csa-algorithm.
[i.18] ETSI TS 100 289 (V1.2.1): "Digital Video Broadcasting (DVB); Support for use of the DVB
Scrambling Algorithm version 3 within digital broadcasting systems".
[i.19] ETSI TS 101 699 (V1.1.1): "Digital Video Broadcasting (DVB); Extensions to the Common
Interface Specification".
[i.20] ETSI TS 103 197 (V1.5.1): "Digital Video Broadcasting (DVB); Head-end implementation of
DVB SimulCrypt".
[i.21] ETSI TS 102 474: "Digital Video Broadcasting (DVB); IP Datacast over DVB-H: Service
Purchase and Protection".
[i.22] ETSI TS 102 825: "Digital Video Broadcasting (DVB); Content Protection and Copy Management
(DVB-CPCM)".
[i.23] ETSI EN 300 294: "Television systems; 625-line television Wide Screen Signalling (WSS)".
[i.24] HDCP Rev 2.2: "High Bandwidth Digital Content Protection (HDCP)".
[i.25] CI Plus v1.3: "CI Plus version 1.3".
[i.26] EC Universal Service Directive 2002/22/EC amended by Directive 2009/136/EC.
[i.27] Recommendation ITU-T X.1192: "Functional requirements and mechanisms for the secure
transcoding of IPTV".
[i.28] Recommendation ITU-T X.1193: "Key management framework for secure IPTV services".
[i.29] Recommendation ITU-T X.1195: "Service and content protection (SCP) interoperability scheme".
[i.30] DLNA® Guidelines.
NOTE: Available to DLNA® members at http://www.dlna.org/dlna-for-industry/guidelines.
[i.31] ATIS specifications.
NOTE: Available to ATIS members at http://www.atis.org/iif/digitalrm.asp.
[i.32] W3C Encrypted Media Extensions (EME).
NOTE: Available at http://www.w3.org/TR/encrypted-media/.
[i.33] W3C Media Source Extensions (MSE).
NOTE: Available at https://dvcs.w3.org/hg/html-media/raw-file/tip/media-source/media-source.html.
[i.34] Open Mobile Alliance (OMA) Mobile Broadcast Services Enabler.
NOTE: Available at http://technical.openmobilealliance.org/Technical/technical-information/release-program/current-releases/oma-mobile-broadcast-services-v1-3.
[i.35] Open Mobile Alliance (OMA): "BCAST DRM profile based on OMA DRM 2.0".
[i.36] Open Mobile Alliance (OMA): "BCAST SmartCard profile".
[i.37] IETF RFC 380: "Multimedia Internet Keying (MIKEY)".
[i.38] 3GPP TS 23 246: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; Multimedia Broadcast/Multicast Service (MBMS); Architecture and
functional description".
[i.39] 3GPP TS 33 246: "3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; 3G Security; Security of Multimedia Broadcast/Multicast Service (MBMS)".
[i.40] DECE Common File Format (CFF).
[i.41] ETSI TS 103 127 (V1.1.1): "Digital Video Broadcasting (DVB); Content Scrambling Algorithms
for DVB-IPTV Services using MPEG2 Transport Streams".
[i.42] Recommendation ITU-T X.1194: "Algorithm selection scheme for service and content protection
descrambling".
[i.43] Recommendation ITU-T X.1196: "Framework for the downloadable service and content
protection system in the mobile IPTV environment".
[i.44] Recommendation ITU-T X.1197: "Guidelines on criteria for selecting cryptographic algorithms
for IPTV service and content protection".
[i.45] Recommendation ITU-T X.1198: "Virtual machine-based security platform for renewable IPTV
service and content protection".
[i.46] Recommendation ITU-T J.1001: "Requirements for conditional access client software remote
renewable security system".
[i.47] CENELEC EN 50221: "Common Interface Specification for Conditional Access and other Digital
Video Broadcasting Decoder Applications".
[i.48] MovieLabs group specification for enhanced content protection.
NOTE: Available at http://www.movielabs.com/ngvideo/MovieLabs%20Specification%20for%20Enhanced%20Content%20Protection%20v1.0.pdf.
[i.49] ETSI ISG ECI white paper.
NOTE: Available at http://portal.etsi.org/ECI/ETSI%20ISG%20ECI%20White%20Paper-v1_20.pdf.
[i.50] ATIS-0800001.v003: "IPTV DRM Interoperability Requirements".
NOTE: Available at https://www.atis.org/docstore/product.aspx?id=26099.
[i.51] ATIS-0800006.v002: "IIF Default Scrambling Algorithm (IDSA) IPTV Interoperability
Specification".
NOTE: Available at https://www.atis.org/docstore/product.aspx?id=25435.
3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
3DES Triple Digital Encryption Standard
3GPP 3rd Generation Partnership Project
3GPP2 3rd Generation Partnership Project 2
AAA Authentication, Authorization, Accounting
AES Advanced Encryption Standard
AMD3 Amendment 3
API Application Programming Interface
ARDP Access Right Distribution Protocol
ARIB Association of Radio Industries and Businesses
ASIC Application Specific Integrated Circuit
ATIS Alliance for Telecommunications Industry Solutions
ATTM Access, Terminals, Transmission and Multiplexing
AVMSD AudioVisual Media Services Directive
B2B Business to Business
BB Marlin Broadband specification
BCAST OMA Mobile Broadcast services specifications
BCMCS 3GPP BroadCast MultiCast Service
C&R Compliance and Robustness
CA Conditional Access
CA/DRM Conditional Access/Digital Rights Management
CAM Conditional Access Module
CAS Conditional Access System
CCSA China Communications Standards Association
CE Consumer Electronics
CENC Common ENCryption
CENELEC European Committee for Electrotechnical Standardisation
CFF Common File Format
CGMS-A Copy Generation Management System - Analog
CI Plus Common Interface Plus
CI Common Interface
CISSA Common IPTV Software-oriented Scrambling Algorithm
CMLA Content Management License Administrator
CMMB China Mobile Multimedia Broadcasting
CORAL The Coral Consortium
CPCM Content Protection & Copy Management
CPE Customer Premises Equipment
CPU Central Processing Unit
CSA Common Scrambling Algorithm
DASH Dynamic Adaptive Streaming over HTTP
DCAS Downloadable Conditional Access System
DECE Digital Entertainment Content Ecosystem
DIS DRM Interoperability Solution
DLNA® Digital Living Network Alliance
DPA Differential Power Analysis
DRM Digital Rights Management
DTCP-IP Digital Transmission Copy Protection - Internet Protocol
DTG Digital TV Group
DTLA Digital Transmission Licensing Administrator
DVB Digital Video Broadcasting
DVB-C/C2 Digital Video Broadcasting - Cable, First and Second Generation
DVB-CA DVB Conditional Access
DVB-CBMS DVB Convergence of Broadcasting and Mobile Services
DVB-CI DVB Common Interface
DVB-H DVB Handheld
DVB-NGH DVB Next Generation Handheld
DVB-S/S2 Digital Video Broadcasting - Satellite, First and Second Generation
DVB-SH Digital Video Broadcasting - Satellite Handheld
DVB-T/T2 Digital Video Broadcasting – Terrestrial, First and Second Generation
DVD Digital Versatile Disc
EBU European Broadcasting Union
EISA Extended Industry Standard Architecture
EME Encrypted Media Extensions
ETSI European Telecommunications Standards Institute
EU European Union
eUMTS Enhanced Universal Mobile Telecommunications System
FCC Federal Communications Commission
FLO Forward Link Only
FLUTE File Delivery over Unidirectional Transport
GBA Generic Bootstrapping Architecture
GSAKMP Group Secure Association Key Management Protocol
GSM Global System for Mobile
HbbTV® Hybrid Broadcast Broadband TV
HD High Definition
HDCP High-bandwidth Digital Content Protection
HSF Harmonized Security Framework
HTML HyperText Markup Language
HTML5 HyperText Markup Language version 5
HTTP HyperText Transfer Protocol
IAB Internet Architecture Board
ID Identity
IDSA IIF Default Scrambling Algorithm
iDTV Integrated Digital Television
IEC International Electrotechnical Commission
IESG Internet Engineering Steering Group
IETF Internet Engineering Task Force
IIF IPTV Interoperability Forum
IMS IP Multimedia Subsystem
IP Internet Protocol
IPDC Internet Protocol Datacast
IPR Intellectual Property Rights
IPSEC Internet Protocol Security
IPTV Internet Protocol Television
IPTV-GSI Internet Protocol Television Global Standards Initiative
ISDB-T Integrated Services Digital Broadcasting Terrestrial
ISG ECI Industry Specific Group Embedded Common Interface
ISMA Internet Streaming Media Alliance
ISO BMFF ISO Base Media File Format
ISO International Organization for Standardization
ITU International Telecommunication Union
ITU-T International Telecommunication Union-Telecommunication
JTC Joint Technical Committee
KLAD Key LADder
LLP Limited Liability Partnership
LTE Long Term Evolution
LTKM Long Term Key Message
MBMS Multimedia Broadcast Multicast Services
MIKEY Multimedia Internet Keying
MLDv2 Multicast Listener Discovery version 2
MPEG Moving Picture Experts Group
MPEG2 (M2TS) Motion Picture Experts Group 2 Transport Stream
MPEG-DASH Motion Pictures Expert Group - Dynamic Adaptive Streaming over HTTP
MSE Media Source Extensions
MSEC Multicast SECurity
MSK MBMS Service Key
MSOs Multiple System Operators
MTK MBMS Traffic Key
NGN Next Generation Networks
OIPF Open IPTV Forum
OMA Open Mobile Alliance
OS Operating System
OTT Over-The-Top
PKI Public Key Infrastructure
QoS Quality of Service
RAM Random Access Memory
RFC Request For Comments
RTP Real-time Transport Protocol
RTSP Real Time Streaming Protocol
RUIM Removable User Identity Module
SARFT State Administration of Radio, Film and Television
SCP Service and Content Protection
SDP Session Description Protocol
SE Secure Element
SIM Subscriber Identity Module
SPP Service Purchase and Protection
SR Special Report
SRTP Secure Real-time Transport Protocol
STB Set-Top Box
STKM Short Term Key Message
SW Software
TA Trust Authority
TC Technical Committee
TEE Trusted Execution Environment
TISPAN Telecommunications and Internet converged Services and Protocols for Advanced Networking
TNT2 Digital Terrestrial Television 2
TR Technical Report
TS Technical Specification
TTA Telecommunications Technology Association
TTC Telecommunications Technology Committee
TV Television
UHD Ultra High Definition
UHDTV Ultra High Definition Television
UIM User Identity Module
UK United Kingdom
UMTS Universal Mobile Telecommunications System
US United States
USA United States of America
USB Universal Serial Bus
USIM Universal Subscriber Identity Module
USP Unique Selling Point
W3C World Wide Web Consortium
WEB-TV Web delivered Television
WiMAX Worldwide Interoperability for Microwave Access
WM Windows Media
WMDRM-ND Windows Media Digital Rights Mechanism Network Devices
4 The role and importance of CA/DRM solutions
4.1 Introduction
This clause provides background information about why CA/DRM systems are used to provide security for pay TV
content and how the integrity of each CA/DRM system is assured by an entity known as a "Trust Authority" which
accepts liability for the system and consequently sets rules which govern its use.
4.2 Basic introduction to CA/DRM systems
Content rights owners, and system operators acting on their behalf, want to restrict consumption of their content to just
those users who are explicitly authorized to consume it and to prevent it from being copied or re-transmitted unless the
user has been granted the right so to do. The rights owners may wish to apply further restrictions such as a limit to the
period of time over which a piece of stored content can be consumed. The purpose of Conditional Access (CA) and
Digital Rights Management (DRM) systems is to fulfill the content rights owners' requirements to protect content from
misuse according to the rules and rights they wish to impose.
The term CA was applied to earlier pay TV security systems in which content consumption is conditional on the system
operator authorizing a viewer to have access. These CA systems usually relied on a piece of removable hardware - a
viewing (or smart) card as part of their architecture - and did little apart from protect the TV content while it was in a
unidirectional broadcast channel. The removable hardware was introduced as an enabler to the concept of renewability -
the ability to upgrade and renew important parts of a security platform without having to change out the whole of it.
Although not without cost, the replacement of, for example, a viewing card and download of new accompanying
software is considerably cheaper than changing a population of terminals and is regarded as a cost effective means to
respond to piracy or the threat of it. The detailed design of the removable/replaceable hardware is proprietary, outside
the scope of any standard, in order that it can support counter measures that are not known to hackers and so that it can
be changed out at a time that suits business requirements. The new accompanying software is delivered using a secure
download process. When using a CA module with no viewing card, the renewability can be achieved using a similar
process to that for systems that include a viewing card.
The application of Digital Rights Management or DRM systems
began with a broader scope of applicable content than the traditional CA system, for example to books, images and
other media, and implemented many of the usage restrictions, which most modern CA systems are now also able to
support. These usage restrictions set, for example, rules to be applied to the storage of content and the means by which
it may be exported or consumed from the user device. DRM systems typically have no removable hardware element
such as a viewing card; the security system is composed of replaceable software although it may relate to and depend on
certain fixed hardware elements. Hence, modern CA and DRM systems can provide similar functionality for a pay TV
environment.
The fundamental architecture used by CA and DRM systems alike to protect content is one in which content is
encrypted using a scrambling algorithm and a key to seed the scrambling. The key, or in some cases an artefact that
allows the key to be locally generated, is encrypted so that it can be conveyed securely to the viewer at the point of
reception; it is usually integrated into the broadcast channel or otherwise associated to the content. The security system
of the viewer decrypts the key and uses it to descramble the content in order to allow the rights granted in terms of
consumption, storage and re-transmission to be exercised. In broadcast applications, the key is normally changed
periodically in order to make it harder for an attacker to determine what it is or to predict it when it changes.
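Added example, not part of the ETSI report: the Python code below models the architecture just described, with content scrambled under a short-lived content key, that key conveyed in-band inside an encrypted and authenticated key message, and a fresh key generated every period. An HMAC-SHA256 counter-mode keystream stands in for the scrambling algorithm (it is not DVB-CSA), and the names service_key, content_key, key message and PERIOD_LEN are assumptions made for illustration.

```python
"""Added illustration of a two-level key hierarchy with periodic key change.

Assumptions (not from the ETSI report): an HMAC-SHA256 counter-mode keystream
stands in for the scrambling algorithm (it is NOT DVB-CSA), and the names
service_key, content_key, key message and PERIOD_LEN are hypothetical.
"""
import hashlib
import hmac
import os

PERIOD_LEN = 4   # packets scrambled under one content key (constructed value)
TAG_LEN = 32     # HMAC-SHA256 tag length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in scrambler keystream: HMAC-SHA256(key, nonce || counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_stream(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Scramble or descramble (the operation is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def derive_subkeys(service_key: bytes):
    """Separate encryption and authentication keys from the long-term key."""
    enc = hmac.new(service_key, b"key-message-enc", hashlib.sha256).digest()
    mac = hmac.new(service_key, b"key-message-mac", hashlib.sha256).digest()
    return enc, mac


def make_key_message(service_key: bytes, period: int, content_key: bytes) -> bytes:
    """Head-end: wrap the content key for one period so it can travel in-band."""
    enc, mac = derive_subkeys(service_key)
    header = period.to_bytes(4, "big") + os.urandom(12)
    body = xor_stream(content_key, enc, header)
    tag = hmac.new(mac, header + body, hashlib.sha256).digest()
    return header + body + tag


def open_key_message(service_key: bytes, message: bytes):
    """Receiver: authenticate first, then recover (period, content_key)."""
    enc, mac = derive_subkeys(service_key)
    signed, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac, signed, hashlib.sha256).digest()):
        raise ValueError("key message rejected: authentication failed")
    header, body = signed[:16], signed[16:]
    return int.from_bytes(header[:4], "big"), xor_stream(body, enc, header)


def broadcast(service_key: bytes, packets):
    """Head-end: emit (key_message, index, scrambled_payload) per packet."""
    stream, content_key, key_msg = [], None, None
    for i, payload in enumerate(packets):
        if i % PERIOD_LEN == 0:  # start of a new key period: fresh random key
            content_key = os.urandom(16)
            key_msg = make_key_message(service_key, i // PERIOD_LEN, content_key)
        stream.append((key_msg, i, xor_stream(payload, content_key, i.to_bytes(8, "big"))))
    return stream


def receive(service_key: bytes, stream):
    """Receiver: unwrap each new key message, then descramble the payloads."""
    clear, current_msg, period, content_key = [], None, None, None
    for key_msg, i, scrambled in stream:
        if key_msg != current_msg:
            period, content_key = open_key_message(service_key, key_msg)
            current_msg = key_msg
        if period != i // PERIOD_LEN:  # stale key message replayed into a later period
            raise ValueError("key message belongs to a different period")
        clear.append(xor_stream(scrambled, content_key, i.to_bytes(8, "big")))
    return clear


if __name__ == "__main__":
    key = os.urandom(32)
    packets = [f"constructed packet {i}".encode() for i in range(10)]  # sample input
    stream = broadcast(key, packets)
    print("key periods used:", len({m for m, _, _ in stream}))
    print("authorized receiver recovers content:", receive(key, stream) == packets)
    try:
        receive(os.urandom(32), stream)
    except ValueError as err:
        print("unauthorized receiver:", err)
```

The receiver holds only the long-term service key; every content key reaches it through the broadcast itself, which is why the key message is authenticated before anything in it is used.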
In addition to a removable hardware element, CA systems based on the DVB Common Scrambling Algorithm
specifications employ a scrambling algorithm that is designed to be far easier to implement in hardware than software
on general purpose processors.
NOTE: Some DRM systems also support the use of the DVB Common Scrambling Algorithm, about which
further information can be found in clause 5.1.
The design topology, involving fixed and typically removable hardware as well, is intended to make it more difficult for
a system to be attacked by someone who seeks to gain an understanding of the software code of the system and to
access it. In addition, a specific implementation design of a scrambling algorithm can be protected by registering IPR,
operating a license regime for bona fide users and pursuing anyone who violates the terms of the license by legal
measures. A high level of resilience and protection is particularly important in a security system in which the content
rights owner or system operator is using a unidirectional broadcast system and has no direct bidirectional
communication path with the viewer's security system.
Although it is important to ensure that scrambling algorithms in use are robust against current threats and those that can
be predicted over the expected system lifetime, breaches to security systems are seldom accomplished by the
exploitation of a direct attack involving the scrambling algorithm used to encrypt content. In practice, successful attacks
are usually achieved by exploiting an inherent weakness in the implementation or in the key management system which
allows the keys to be predicted, generated or discovered and transferred to the user's system at the rate at which they are
required for the descrambling process.
It is of the utmost importance that a security system is designed to prevent unauthorized access to the code or any other
aspect of the operation of the security system that might allow a third party to access or otherwise discover the keys that
are used; it will be robust against attacks. It is also a necessary feature of a security system that it can be upgraded to
respond to evolving security threats and business needs. In order to reconcile these two requirements, upgrades will be
accomplished securely such that the viewer's system will only accept software from a verified source so that an upgrade
can be trusted. The topics of robustness and trust are discussed in the following clause.
4.3 Introduction to the role of Trust Authorities
Content security systems necessarily rely on a Trust Authority (TA) for their commercial deployment. The Trust
Authority has the following main roles:
• publish and maintain a set of compliance rules that define the mandatory behaviour of devices/entities
belonging to the content security ecosystem;
• publish and maintain a set of robustness rules that define the minimum security level for a device/entity
belonging to the content security ecosystem;
• provide devices/entities that belong to the content security ecosystem (i.e. that conform to compliance and
robustness rules) with the necessary cryptographic key material, e.g. a certificate and associated private key;
• monitor the content security ecosystem for early detection of devices/entities that do not conform to
compliance and robustness rules or for early detection of security breaches;
• take necessary actions (e.g. revocation; compliance and robustness rules update; etc.) to remedy non-
compliance or security breaches; and
• provide a legal framework for all entities belonging to the content security ecosystem.
In addition, some Trust Authorities verify compliance and/or security robustness or appoint external third parties to
perform these verifications.
The absence of a Trust Authority would result in low- (or even zero-) security level implementations of the content
security system that could be easily breached without any efficient means to remove these implementations from the
content security ecosystem. Content providers may refuse to provide their content for distribution on such content
security ecosystems.
For proprietary CA or DRM systems, the role of Trust Authority is often taken by the CA or DRM provider itself. For
security systems defined by a standard or a consortium, a dedicated legal entity is generally created or used to play this
role (e.g. DTLA for DTCP-IP or CMLA for OMA DRM).
5 Current landscape of CA and DRM solutions
5.1 Introduction
This clause covers the market status of CA and DRM solutions and related information, which are either standardized or
being developed by industrial organizations and fora.
5.2 DVB
5.2.1 About the DVB
The DVB project is a consortium established in 1994 with about 200 members, which devises and maintains DVB
standards and conditions in a Joint Technical Committee (JTC) with ETSI, CENELEC and the EBU. See also
www.dvb.org.
5.2.2 DVB-CA
In September 1994, agreement was reached in the DVB project to offer three basic standards aimed at enabling
interoperability of content and services across multiple networks using different proprietary CA systems.
• DVB Common Scrambling Algorithm (DVB-CSA) [i.17], (DVB-CSA3) [i.18].
• DVB Common Interface (DVB-CI) [i.19] (see also clause 5.2.5 introducing CI Plus).
• DVB Simulcrypt (DVB-SIM) [i.20].
These standards are used worldwide for broadcast and their principles are available in many other standards such as
ISDB-T, FLO, CMMB, etc. These standards allow interoperability of broadcast service access across operator networks
and devices insofar as commercial and business agreements allow such interoperability. DVB is not limited to
broadcast; the principles of the approach also apply to IPTV, mobile TV, OTT and other services.
The encryption algorithms DVB-CSA v1/DVB-CSA v2 standardized by DVB are based on the same algorithm but with
different key lengths. They were not published by the DVB project for security reasons but are available under licence.
They were designed to be "hardware friendly", meaning that they were technically difficult to implement in
software. As processor power and speed have improved over time, resistance to software implementation has reduced and
the key length is now beginning to be regarded as relatively short. These factors inspired DVB to create a new, more
complex and secure version, which was standardized as DVB-CSAv3 in 2007. CSAv3 is supported by new terminal
equipment now arriving on the market; however, migrating to CSAv3 requires the previous generation of terminal
equipment to be replaced. The DVB-CSA licensing management for all 3 algorithms is handled by ETSI as the
custodian.
In addition to the CSA algorithms, DVB also standardized a software-oriented scrambling algorithm called CISSA
(Common IPTV Software Oriented Scrambling Algorithm) [i.41], which was designed to be "software-friendly", meaning
that the algorithm is easy to implement in either hardware or software, so that terminals using general purpose
CPUs can also be supported with a software implementation. Low cost end user devices typically still use a
hardware accelerator element. The algorithm uses the AES cipher.
CA systems are based on different technologies for management of keys but typically rely on the standardized common
scrambling algorithm for content protection. CA systems from different technology providers are mutually
incompatible. This means that a user's set-top box with an integrated CA/DRM system is not interoperable with other
systems, although, when business agreements require this, interoperability can be provided at the headend level through
the DVB Simulcrypt standard, which provides for the synchronization of keys between different CA systems.
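The key-sharing principle described above can be sketched as follows. This is an added illustration, not code from the ETSI report or from any DVB specification: the keystream is a toy stand-in for the common scrambling algorithm, and the names `content_key`, `make_key_message`, `open_key_message` and `headend` as well as the message layout are assumptions made for the example.

```python
import hashlib
import hmac
import os

def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode); a stand-in, not DVB-CSA or CISSA."""
    blocks = (hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def scramble(content_key: bytes, nonce: bytes, payload: bytes) -> bytes:
    """Common scrambling step shared by every CA system; XOR makes it its own inverse."""
    return xor(payload, keystream(content_key, b"content" + nonce, len(payload)))

def _tag(ca_id: str, ca_key: bytes, nonce: bytes, wrapped: bytes) -> bytes:
    return hmac.new(ca_key, ca_id.encode() + nonce + wrapped, hashlib.sha256).digest()[:16]

def make_key_message(ca_id: str, ca_key: bytes, content_key: bytes) -> dict:
    """One CA system wraps the shared content key under its own secret and tags it."""
    nonce = os.urandom(8)
    wrapped = xor(content_key, keystream(ca_key, b"wrap" + nonce, len(content_key)))
    return {"ca_id": ca_id, "nonce": nonce, "wrapped": wrapped,
            "tag": _tag(ca_id, ca_key, nonce, wrapped)}

def open_key_message(ca_id: str, ca_key: bytes, messages: list) -> bytes:
    """Terminal side: use only the message of its own CA system, verify, then unwrap."""
    for m in messages:
        if m["ca_id"] != ca_id:
            continue
        if not hmac.compare_digest(m["tag"], _tag(ca_id, ca_key, m["nonce"], m["wrapped"])):
            raise ValueError("key message failed integrity check")
        return xor(m["wrapped"], keystream(ca_key, b"wrap" + m["nonce"], len(m["wrapped"])))
    raise LookupError("no key message for CA system " + ca_id)

def headend(payload: bytes, ca_keys: dict) -> dict:
    """Scramble once, then emit one key message per CA system for the same content key."""
    content_key, nonce = os.urandom(16), os.urandom(8)
    return {"nonce": nonce, "scrambled": scramble(content_key, nonce, payload),
            "key_messages": [make_key_message(c, k, content_key) for c, k in ca_keys.items()]}

if __name__ == "__main__":
    keys = {"CA-A": b"A" * 16, "CA-B": b"B" * 16}  # constructed sample secrets
    tx = headend(b"constructed sample payload", keys)
    for ca_id, ca_key in keys.items():
        ck = open_key_message(ca_id, ca_key, tx["key_messages"])
        print(ca_id, scramble(ck, tx["nonce"], tx["scrambled"]))
```

The content is scrambled only once; a terminal holding either CA system's secret recovers the same content key, while a terminal with neither secret is rejected at the integrity check.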
DVB also developed the Common Interface (DVB-CI) standard. This specifies the hardware interface on the terminal or
host equipment and the CA module (CAM) interface and functionality. Typically a viewing (smart)card is used in
conjunction with the CAM to personalize the service with viewer subscription products and essential security elements,
but it is also possible to embed security credentials in a module. This architecture allows periodic updates to be made to
the security system by changing the viewing card (where used), or the entire CA/DRM system to be replaced by
changing the CAM.
Terminal devices can accept any compatible CAM allowing multiple CA systems to be used to access various services
from multiple service providers when there is no commercial agreement to share the content through Simulcrypt. It is
also possible to embed multiple CA systems in the same CAM allowing a single CAM to access several networks with
different CA systems.
The Common Interface (CI) has not enjoyed lasting support in the international market in the standardized form of
1997. This is largely due to security concerns about the unencrypted digital transport stream interface which could be
used for unauthorized copying; there were also concerns about possible circumvention of certain specific national
requirements on Protection of Minors (refer also to AVMSD, protection of minors). These concerns led to a lack of
support from some network operators and content providers (although it is still in use in, for example, Switzerland,
Austria and the Netherlands). CI Plus was developed to fill these technical gaps. For further details see clause 5.2.5 on
CI Plus.
Under the title "CA neutral CPE" DVB attempted to standardize all hardware components required for an encryption
system and
...
