Conditional access: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 10:47, 22 October 2019 edit 41.92.33.18 (talk) No edit summary Tag: Visual edit ← Previous edit		Latest revision as of 02:03, 21 April 2025 edit undo Jdcooper (talk \| contribs) Extended confirmed users 30,157 edits Reverted 1 edit by 36.78.195.224 (talk): Revert persistent abusive overtagging Tags: Twinkle Undo
(42 intermediate revisions by 32 users not shown)
Line 1: {{short description\|System used to prevent non-paying customers from accessing content that requires payment}} {{multiple issues\| {{cleanup list\|date=January 2015}} {{original research\|date=January 2015}} {{globalize\|date=January 2015}} {{~~Refimprove~~More citations needed\|date=March 2008}} }} '''Conditional access''' (~~abbreviated~~ '''CA''') oris ~~'''conditional~~a ~~access~~term ~~system'''~~commonly ~~(abbreviated~~used ~~'''CAS''')~~in isrelation ~~the~~to ~~protection~~[[software]] ofand ~~content~~to by[[digital ~~requiring~~television]] ~~certain~~systems. ~~criteria~~Conditional access is an evaluation to beensure ~~met~~the ~~before~~person ~~granting~~who is seeking access to content is authorized to access the content. ~~The term~~Access is ~~commonly~~managed ~~used~~by inrequiring ~~relation~~certain criteria to ~~[[digital~~be ~~television]]~~met ~~systems~~before ~~and~~granting access to ~~[[software]]~~the content. == In ~~Software~~software == Conditional ~~Access~~access is a function that lets ~~you~~an organization manage ~~people’s~~people's access to the software in question, such as email, applications, ~~documents~~ and ~~information~~documents. It is usually offered as [[Software as a service\|SaaS]] (Software-as-a-Service) and deployed in organizations to keep company [[data]] safe. By setting conditions on the access to this data, the organization has more control over who accesses the data and where and in what way the information is accessed. When setting up conditional access, access can be limited to or prevented based on the policy defined by the system administrator. For example, a policy might require that access is available from certain networks, or access is blocked when a specific [[web browser]] is requesting the access. ~~Possible conditions could be:~~ ==In digital television== * Geographical ___location Under the [[Digital Video Broadcasting]] (DVB) standard, conditional access system (CAS) standards are defined in the specification documents for DVB-CA (conditional access), [[Common Scrambling Algorithm\|DVB-CSA]] (the common [[Scrambler\|scrambling]] algorithm) and [[DVB-CI]] (the [[Common Interface]]).<ref>{{Cite web \|title=Security \|url=https://dvb.org/solutions/security/ \|access-date=2022-12-05 \|website=DVB \|language=en-US \|archive-date=2022-12-05 \|archive-url=https://web.archive.org/web/20221205161912/https://dvb.org/solutions/security/ \|url-status=live }}</ref> These standards define a method by which one can obfuscate a digital-television stream, with access provided only to those with valid decryption [[smart cards\|smart-cards]]. The DVB specifications for conditional access are available from the [https://web.archive.org/web/20130116162443/http://www.dvb.org/technology/standards/index.xml#conditional standards page on the DVB website].▼ * [[IP address]] and network * Used device * [[Web browser\|Browser]] * [[Operating system\|Operating System (OS)]] When setting up Conditional Access, access can be limited to or prevented from the chosen conditions. This way it can be determined that, for example, access is only possible from certain networks or prevented from certain browsers. ~~Current providers of Conditional Access include:~~ * [[Microsoft]] (including [[Office 365]]) * [[Microsoft Azure\|Azure Active Directory]]<ref>{{Cite web\|url=https://docs.microsoft.com/nl-nl/azure/active-directory/conditional-access/overview\|title=Wat is voorwaardelijke toegang in Azure Active Directory?\|last=MicrosoftGuyJFlo\|website=docs.microsoft.com\|language=nl-nl\|access-date=2019-09-23}}</ref> * [[Workspace 365]]<ref>{{Cite web\|url=https://workspace365.net/en/product-tour/workspace-management/\|title=Workspace management\|website=Workspace 365\|language=en-US\|access-date=2019-09-23}}</ref> Conditional Access can be offered with Microsoft Intune<ref>{{Cite web\|url=https://docs.microsoft.com/nl-nl/intune/conditional-access\|title=Voorwaardelijke toegang met Microsoft Intune - Microsoft Intune\|last=Brenduns\|website=docs.microsoft.com\|language=nl-nl\|access-date=2019-09-23}}</ref>. ~~==In Digital Video Broadcasting==~~ ▲Under the [[Digital Video Broadcasting]] (DVB) standard, conditional access system (CAS) standards are defined in the specification documents for DVB-CA (conditional access), [[Common Scrambling Algorithm\|DVB-CSA]] (the common [[Scrambler\|scrambling]] algorithm) and [[DVB-CI]] (the [[Common Interface]]). These standards define a method by which one can obfuscate a digital-television stream, with access provided only to those with valid decryption [[smart cards\|smart-cards]]. The DVB specifications for conditional access are available from the [http://www.dvb.org/technology/standards/index.xml#conditional standards page on the DVB website]. This is achieved by a combination of [[scrambler\|scrambling]] and [[encryption]]. The data stream is scrambled with a 48-bit secret key, called the ''control word''. Knowing the value of the control word at a given moment is of relatively little value, as under normal conditions, content providers will change the control word several times per minute. The control word is generated automatically in such a way that successive values are not usually predictable; the DVB specification recommends using a physical process for that. Line 35 ⟶ 20: In order for the receiver to unscramble the data stream, it must be permanently informed about the current value of the control word. In practice, it must be informed slightly in advance, so that no viewing interruption occurs. [[Encryption]] is used to protect the control word during transmission to the receiver: the control word is encrypted as an ''entitlement control message'' (ECM). The CA subsystem in the receiver will decrypt the control word only when authorised to do so; that authority is sent to the receiver in the form of an ''entitlement management message'' (EMM). The EMMs are specific to each [[subscriber]], as identified by the smart card in his receiver, or to groups of subscribers, and are issued much less frequently than ECMs, usually at monthly intervals. This being apparently not sufficient to prevent unauthorized viewing, [[Télévision Par Satellite\|TPS]] has lowered this interval down to about 12 minutes. This can be different for every provider, [[British Sky Broadcasting\|BSkyB]] uses a term of 6 weeks. When [[Nagravision\|Nagravision 2]] was hacked, [[Digital+]] started sending a new EMM every three days to make unauthorized viewing more cumbersome. The contents of ECMs and EMMs are not standardized and as such they depend on the conditional access system being used.<ref>[https://www.itu.int/dms_pubrec/itu-r/rec/bt/R-REC-BT.1852-1-201701-I!!PDF-E.pdf Conditional-access systems for digital broadcasting 2016-10] {{Webarchive\|url=https://web.archive.org/web/20230301233307/https://www.itu.int/dms_pubrec/itu-r/rec/bt/R-REC-BT.1852-1-201701-I!!PDF-E.pdf\|date=2023-03-01}}</ref> The control word can be transmitted through different ECMs at once. This allows the use of several conditional access systems at the same time, a DVB feature called ''simulcrypt'', which saves bandwidth and encourages multiplex operators to cooperate. [https://web.archive.org/web/20130116162443/http://www.dvb.org/technology/standards/index.xml#conditional DVB Simulcrypt] is widespread in Europe; some channels, like the [[CNN International]] Europe from the [[Hot Bird]] satellites, can use 7seven different CA systems in parallel. The decryption cards are read, and sometimes updated with specific access rights, either through a [[conditional-access module]] (CAM), a [[PC card]]-format card reader meeting DVB-CI standards, or through a built-in [[ISO/IEC 7816]] card reader, such as that in the [[Digibox (Sky Digital)\|Sky Digibox]]. Several companies provide competing CA systems; ABV, [[VideoGuard]], Irdeto, [[Nagravision]], [[Conax]], [[Viaccess]], [[Synamedia Ltd.\|Synamedia]], [[Mediaguard]] (a.k.a. [[Nagra France\|SECA]]) are among the most commonly used CA systems. Due to the common usage of CA in DVB systems, many tools to aid in or even [[Pirate decryption\|directly circumvent]] encryption exist. CAM emulators and multiple-format CAMs exist which can either read several card formats or even directly decrypt a compromised encryption scheme. Most multiple format CAMs and all CAMs that directly decrypt a signal are based on [[reverse engineering]] of the CA systems. A large proportion of the systems currently in use for DVB encryption have been opened to full decryption at some point, including Nagravision, Conax, Viaccess, Mediaguard (v1) as well as the first version of VideoGuard. === Conditional access in North America === In ~~Canadian~~Canada and ~~United States [[Cable television in~~ the United States~~\|cable systems]]~~, the standard for conditional access is provided with [[CableCARD]]s whose specification was developed by the cable company consortium [[CableLabs]]. Cable companies in the USUnited States are required by the [[Federal Communications Commission]] to support CableCARDs~~; standards~~. ~~now~~Standards exist for two -way communication (M-card), but [[satellite television]] has ~~its own~~separate standards. Next -generation approaches in the United States eschew such physical cards and employ schemes using downloadable software for conditional access such as [[Downloadable Conditional Access System\|DCAS]]. The main appeal of such approaches is that the [[access control]] may be upgraded dynamically in response to security breaches without requiring expensive exchanges of physical [[conditional-access ~~module]]s. Another appeal is that it may be inexpensively incorporated into non-traditional media display devices such as [[Portable media player\|portable media players]]~~modules. === Conditional access systems === Conditional access systems include: ==== Analog systems ==== [[EuroCrypt]] [[Nagravision]] Line 61 ⟶ 46: [[VideoCrypt]] ==== Digital systems ==== {\|class="wikitable" \|- Line 69 ⟶ 53: \| 0x4AEB \|\| Abel Quintic \|\| Abel DRM Systems \|\| 2009 \|\| Secure \|\| \|- \| ~~0x4AF0~~0x4A64, 0x4AF0, 0x4AF2 , 0x4B4B, 0x4B4C \|\| ABV CAS \|\| ABV International Pte. Ltd \|\| 2006 \|\| Secure (Farncombe Certified) \|\|CA, DRM, Middleware & Turnkey Solution Provider For DTH, DVBT/T2, DVBC, OTT, IPTV, VOD, Catchup TV, Audience Measurement System, EAD etc. \|- \| 0x4AFC \|\| Panaccess \|\| Panaccess Systems GmbH \|\| 2010 \|\| Secure (Farncombe Certified) \|\| CA for DVB-S/S2, DVB-T/T2, DVB-C, DVB-IP, OTT, VOD, Catchup etc. \|- \| 0x4B19 \|\| RCAS or RIDSYS cas \|\| RIDSYS, INDIA \|\| 2012 \|\| Secure \|\| CA for DVB-C, IPTV, OTT, VOD, Catchup etc. \|- \| 0x4B30, 0x4B31 \|\| ViCAS \|\| Vietnam Multimedia Corporation (VTC) \|\| Unknown \|\| Secure (Farncombe Certified) \|\| Line 90 ⟶ 74: \| \|\| \|- \| 0x1700 – 0x1701, 0x1703 – 0x1721, 0x1723 – 0x1761, 0x1763 – 0x17ff, 0x5601 – 0x5604 \|\| VCAS DVB \|\| Verimatrix Inc. \|\| ~~Unknown~~2010 \| \|\| \|- \| 0x2600 \| 0x2610 \| [[BISS]] \| BISS-E \| [[European Broadcasting Union]] \|\| ~~Unknown~~2002 \| Compromised \|\|▼ 2018 ▲\| Compromised, BISS-E secure \|\| \|- \|0x27A0-0x27A4 \|ICAS (Indian CAS) \|ByDesign India Private Limited \|2015 \|Advanced Embedded Secure \| \|- \| 0x4900 \|\| China Crypt \|\| CrytoWorks (China) (Irdeto) \|\| Unknown Line 130 ⟶ 129: \| \|\| \|- \| 0x0700 \|\| [[DigiCipher ~~2]]~~and DigiCipher II \|\| Jerrold/GI/[[Motorola]] 4DTV \|\| 1997 \| Compromised \|\| [[DVB-S2]] compatible, used for retail BUD dish service and for commercial operations as source programming for cable operators. Despite the Programming Center ~~shut~~shutting down its consumer usage of DigiCipher 2 (as 4DTV) on August 24, 2016, it is still being used for cable headends across the United States, as well as on Shaw Direct in Canada. \|- \| 0x4A70 \|\| DreamCrypt \|\| Dream Multimedia \|\| 2004 Line 147 ⟶ 146: \| \|\| \|- \|0x5448,0x6448 \|Gospell VisionCrypt \|GOSPELL DIGITAL TECHNOLOGY CO., LTD. Line 160 ⟶ 159: \|- \|- \| 0x0606 \|\| Irdeto 1 \|\| Irdeto \|\| 1995 \|\| rowspan="2" \| Compromised (Cardsharing and MOSC available) \|\| rowspan="2" \| \|- \| 0x0602, 0x0604, 0x0606, 0x0608, 0x0622, 0x0626, 0x0664, 0x0614 \|\| Irdeto 2 \|\| Irdeto \|\| 2000 \|- \| ~~0x0692~~0x0624, 0x0648, 0x0650, 0x0639 \|\| Irdeto 3 \|\| Irdeto \|\| 2010 \|\| ~~Secure~~Compromised (Cardsharing available) \|\| \|- \| ~~0x4AA1~~0x0692, 0x06A4, 0x06B6, 0x069F, 0x06AB, 0x06F1 \|\| ~~[[KeyFly]]~~Irdeto Cloaked \|\| ~~SIDSA~~Irdeto \|\| Unknown \|\| Secure \|\| \|- \| 0x4AA1 \|\| [[KeyFly]] \|\| SIDSA \|\| 2006 \| Partly compromised (v. 1.0) \|\| \|- \| 0x0100 \|\| Seca [[Mediaguard]] 1 \|\| [[Nagra France\|SECA]] \|\| ~~Unknown~~1995 \| Compromised \|\| \|- \| 0x0100 \|\| Seca [[Mediaguard]] 2 (v1+) \|\| [[Nagra France\|SECA]] \|\| ~~Unknown~~2002 \| Partly compromised (MOSC available) \|\| \|- Line 189 ⟶ 190: \| 0x1801 \|\| Nagravision - ELK \|\| Nagravision \|\| Circa 2008 \|\| IPTV \|- \| 0x4A02 \|\| Tongfang \|\| [[Tsinghua Tongfang Company]] \|\| ~~Unknown~~2007 \| Secure \|\| \|- \| 0x4AD4 \|\| OmniCrypt \|\| [https://go.buydrm.com/thedrmblog/topic/google-widevine-drm Widevine Technologies] \|\| 2004 \|\| \|\| \|- \| 0x0E00 \|\| [[PowerVu]] \|\| [[Scientific Atlanta]] \|\| 1998 \| rowspan="2" \| Compromised \|\| rowspan="2" \| Professional system widely used by cable operators for source programming \|- \| 0x0E00 \|\| PowerVu+ \|\| Scientific Atlanta \|\| ~~Unknown~~2009 \|- \| 0x1000 \|\| RAS (Remote Authorisation System) \|\| [[Tandberg Television]] \|\| Unknown Line 207 ⟶ 208: \| 0xA101 \|\| [https://web.archive.org/web/20110726100247/http://www.niir.ru/eng/page.php?trid=96 RosCrypt-M] \|\|NIIR \|\| 2006 \|\| \|\| \|- \| 0x4A60, 0x4A61, 0x4A63 \|\| SkyCrypt/Neotioncrypt/Neotion SHL \|\| AtSky/Neotion<ref>{{cite web \|url=http://sat.uz/2008/01/17/skycrypt.html \|title=Skycrypt \|~~accessdate~~access-date=2008-08-28 \|~~work~~date=2008-01-17 \|~~publisher~~archive-date=2022-11-26 \|~~date~~archive-url=https://web.archive.org/web/20221126100736/https://sat.uz/2008-/01-/17/skycrypt.html \|url-status=live }}</ref> \|\| 2003 \|\| \|\| \|- \| Unknown \|\| T-crypt \|\| Tecsys Line 213 ⟶ 214: \| \|\| \|- \| 0x4A80 \|\| ThalesCrypt \|\| Thales Broadcast & Multimedia<ref>~~http~~{{Cite web\|url=https://www.afterdawn.com/glossary/term.cfm/thalescrypt\|title=What means ThalesCrypt? - AfterDawn\|website=www.afterdawn.com\|access-date=2020-02-14\|archive-date=2023-06-19\|archive-url=https://web.archive.org/web/20230619151411/https://www.afterdawn.com/glossary/term.cfm/thalescrypt\|url-status=live}}</ref> \|\| Unknown \| \|\| Viaccess modification. Was developed after TPS-Crypt was compromised.<ref>{{cite web \|url=http://sat.uz/2008/01/17/tpscrypt.html \|title=TPSCrypt \|~~accessdate~~access-date=2008-08-28 \|~~work~~date=2008-01-17 \|~~publisher~~archive-date=2022-11-26 \|~~date~~archive-url=https://web.archive.org/web/20221126100421/https://sat.uz/2008-/01-/17/tpscrypt.html \|url-status=live }}</ref> \|- \| 0x0500 \|\| TPS-Crypt \|\| France Telecom \|\| Unknown \| rowspan="7" \| Compromised \|\| Viaccess modification used with Viaccess 2.3 \|- \| 0x0500 \|\| [[Viaccess]] PC2.3, or Viaccess 1 \|\| [[France Telecom]] \|\| ~~Unknown~~1996 \| \|- \| 0x0500 \|\| Viaccess PC2.4, or Viaccess 2 \|\| France Telecom \|\| 2002 \|\| \|- \| 0x0500 \|\| Viaccess PC2.5, or Viaccess 2 \|\| France Telecom \|\| ~~Unknown~~2003 \| \|- Line 245 ⟶ 246: \| 0x0911, 0x0960 \|\| Synamedia [[VideoGuard]] 2 \|\| [[NDS Group\|NDS (now part of Synamedia)]] \|\| 1999 \|\| Secure \|\| rowspan="3" \| \|- \| 0x0919, 0x0961, 0x09AC, 0x09C4, 0x091F, 0x0944, 0x09AA \|\| Synamedia [[VideoGuard]] 3 \|\| [[NDS Group\|NDS (now part of Synamedia)]] \|\|2004 \|\| Secure \|- \| 0x0927, 0x09BF, 0x0910, 0x0913, 0x098C, 0x098D, 0x098E, 0x0911, 0x0950, 0x09BB, 0x0987, 0x0963, ~~0x093b~~0x093B, 0x09CD \|\| Synamedia [[VideoGuard]] 4 \|\| [[NDS Group\|NDS (now part of Synamedia)]] \|\|2009 \|\| Secure ▼ \|- \|- \| 0x56D0 \|\| Onnet CA/DRM \|\| Onnet Systems India Pvt. Ltd. \|\| 2021 \|\| Secure \|\| CA/DRM, IPTV Middleware, OTT, Interactive Services, STB Middleware, AR/VR ▲\| 0x0927, 0x0963, 0x093b, 0x09CD \|\| Synamedia [[VideoGuard]] 4 \|\| [[NDS Group\|NDS (now part of Synamedia)]] \|\|2009 \|\| Secure \|- \| 0x4AD0, 0x4AD1 \|\| X-Crypt \|\| XCrypt Inc. \|\|2010 Line 268 ⟶ 272: [[Card sharing]] * [[Compression Networks]] * [[~~Digicipher~~Conditional-access 2module]] * [[DigiCipher 2]] * [[Digital rights management]] * [[Pirate decryption]]