IP CAS/DRM - NetUP Conditional Access System for IPTV

NetUP's Conditional Access System (CAS) encrypts the content for transmission over unprotected channels. The content may be reproduced only by the authorized users. By means of this system, the IPTV provider may control the clients' access to the content, as well as the ensuing financial commitments.

NetUP CAS/DRM is intended to be used as a component of the NetUP.tv solution. The system can work with different client equipment: classical and Android-based IP set-top boxes, and PC. Depending on the equipment type different encryption algorithms are used (CSA or AES) to optimally utilize the onboard STB hardware resources to decrypt the streams. This decreases the overall IP STB load that is especially critical in case of High Definition video. CSA (Common Scrambling Algorithm), a scrambling algorithm developed in 1994, is today widely used in digital broadcasting. AES (Advanced Encryption Standard) is currently the most popular symmetric-key encryption algorithm.

NetUP CAS/DRM workflow

The CAS server accepts content from an IP network to one of its network interfaces, encrypts it, and sends via another interface into an IP network where the IPTV consumers reside.

Once encrypted, the content is sent to an STB client or a PC client. The STB must have the NetUP firmware installed, which accepts and decrypts the content, and also implements the Middleware graphical interface (these functions are not intended to be handed over to a third-party software).

The CAS server interacts closely with the IPTV Middleware to ensure the clients' authentication. The CAS and Middleware servers of one IPTV complex share a common database.

NetUP CAS/DRM

Encryption basics

Each media content unit is associated with its encryption key. The NetUP CAS/DRM uses three-level encryption.

• First-level keys are permanent and get issued once for each content unit upon first encryption. These keys are stored in the database shared jointly by the CAS and Middleware.
• Second-level keys are generated dynamically based on the first-level keys and the current time. The lifespan of a second-level key does not exceed one hour. Since the CAS and Middleware servers have their system timers synchronized, the two are able to generate identical second-level keys independently. A second-level key may be passed to an STB upon request, but only for the content units accessible to this customer.
• Third-level keys are used directly for encryption of transferred data, and sent in encrypted form together with the content. They are generated dynamically based on the corresponding second-level key, current time, and IP address. The lifespan of a third-level key is just 5 minutes.

Client authentication model in NetUP CAS/DRM

The billing system keeps a personal account, a certificate, a private key, and a one-time activation code for each customer. On the first launch of an STB or a PC client, the customer would enter the activation code, so the certificate and private key are saved on the customer's side. They are used later for establishing the SSL connections and for the authentication on the Middleware server.

If the customer is using the PC client, the certificate and private key are stored in an encrypted form with the key derived from the hardware configuration of the computer where the client is installed, thus preventing them from being transferred to another computer. To run the PC client on another machine, the customer would need another activation code.

In such a manner, the NetUP CAS/DRM system does not use smart cards, unlike other conditional access systems. Therefore considerable expenses of cards production are avoided.