IP CAS / DRM
Conditional Access System for Signage
Conditional Access System (CAS) encrypts the content for transmission over unprotected channels. The content may be reproduced only by the authorized users. By means of this system, the Signage provider may control the clients’ access to the content, as well as the ensuing financial commitments.
CAS/DRM is intended to be used as a component of the Alfailaq solution. The system can work with different client equipment: classical and Android-based IP set-top boxes, and PC. Depending on the equipment type different encryption algorithms are used (CSA or AES) to optimally utilize the onboard STB hardware resources to decrypt the streams. This decreases the overall IP STB load that is especially critical in case of High Definition video. CSA (Common Scrambling Algorithm), a scrambling algorithm developed in 1994, is today widely used in digital broadcasting. AES (Advanced Encryption Standard) is currently the most popular symmetric-key encryption algorithm.
Each media content unit is associated with its encryption key. CAS/DRM uses three-level encryption.
– First-level keys are permanent and get issued once for each content unit upon first encryption. These keys are stored in the database shared jointly by the CAS and Middleware.
– Second-level keys are generated dynamically based on the first-level keys and the current time. The lifespan of a second-level key does not exceed one hour. Since the CAS and Middleware servers have their system timers synchronized, the two are able to generate identical second-level keys independently. A second-level key may be passed to an STB upon request, but only for the content units accessible to this customer.
– Third-level keys are used directly for encryption of transferred data, and sent in encrypted form together with the content. They are generated dynamically based on the corresponding second-level key, current time, and IP address. The lifespan of a third-level key is just 5 minutes.
Client authentication model in CAS / DRM
The billing system keeps a personal account, a certificate, a private key, and a one-time activation code for each customer. On the first launch of an STB or a PC client, the customer would enter the activation code, so the certificate and private key are saved on the customer’s side. They are used later for establishing the SSL connections and for the authentication on the Middleware server.
If the customer is using the PC client, the certificate and private key are stored in an encrypted form with the key derived from the hardware configuration of the computer where the client is installed, thus preventing them from being transferred to another computer. To run the PC client on another machine, the customer would need another activation code.
In such a manner, CAS/DRM system does not use smart cards, unlike other conditional access systems. Therefore considerable expenses of cards production are avoided.