NetUP DRM/CAS Overview


The NetUP Conditional Access System (CAS) encrypts multimedia streams for transmission over unprotected channels. Only authorized users subscribed to the service can play these streams. NetUP's CAS allows an IPTV service provider to strictly control access to the content and build financial relations with subscribers and content providers alike.

NetUP's CAS consists of the following components:

  • real-time encryption server for multicast streams;
  • real-time encryption module for unicast streams (VoD, NPVR, Pause TV and Catch Up TV) - eVoD plug-in;
  • query router and encryption key distribution system, a part of the IPTV Cluster Balancer system;
  • decoding module for IP set-top boxes.


The encryption algorithm used is CSA (Common Scrambling Algorithm) supported by most IP set-top boxes on the hardware level. This allows decoding heavy streams such as for the case of HD Video. For set-top boxes that do not support hardware decoding, the software implementation of the algorithm in a Linux kernel module is used.

The system is developed in C/C++ programming languages with the use of optimized algorithms. Client devices based on x86, PowerPC, Broadcom, STM, TI Davinci and other hardware platforms are supported.

NetUP's CAS has been registered in the European DVB Project registry. The CAS identification number (CAID) is 0x4AEF.

The scheme of DRM/CA system for IPTV

System Operation

The Linux kernel module on the CAS server intercepts IP packets with multimedia content and encrypts them. The packets are marked as encrypted and forwarded into the network. By default the key change period is 10 seconds. Unique encryption keys are used for each IP stream.

The client's set-top box establishes protected connection with the CAS server and periodically receives updated encryption keys. The received keys are forwarded to the Linux kernel module on the set-top box. This module intercepts IP packets coming from the network and performs their decryption (if the stream is encrypted and there are available keys for the current IP stream). Then the decrypted packets are forwarded to the applications they are intended for. This action is performed transparently to other applications on the IP STB.

A subscriber's set-top box IP STB Aminet 110 with the USB flash drive
IP set-top box AmiNET 110