Conditional access

Last updated

Conditional access (abbreviated CA) or conditional access system (abbreviated CAS) is the protection of content by requiring certain criteria to be met before granting access to the content. The term is commonly used in relation to digital television systems and to software.


In Software

Conditional Access is a function that lets you manage people’s access to the software in question, such as email, applications, documents and information. It is usually offered as SaaS (Software-as-a-Service) and deployed in organizations to keep company data safe. By setting conditions on the access to this data, the organization has more control over who accesses the data and where and in what way the information is accessed.

Possible conditions could be:

When setting up Conditional Access, access can be limited to or prevented from the chosen conditions. This way it can be determined that, for example, access is only possible from certain networks or prevented from certain browsers.

Current providers of Conditional Access include:

Conditional Access can be offered with Microsoft Intune. [3]

In Digital Video Broadcasting

Under the Digital Video Broadcasting (DVB) standard, conditional access system (CAS) standards are defined in the specification documents for DVB-CA (conditional access), DVB-CSA (the common scrambling algorithm) and DVB-CI (the Common Interface). These standards define a method by which one can obfuscate a digital-television stream, with access provided only to those with valid decryption smart-cards. The DVB specifications for conditional access are available from the standards page on the DVB website.

This is achieved by a combination of scrambling and encryption. The data stream is scrambled with a 48-bit secret key, called the control word. Knowing the value of the control word at a given moment is of relatively little value, as under normal conditions, content providers will change the control word several times per minute. The control word is generated automatically in such a way that successive values are not usually predictable; the DVB specification recommends using a physical process for that.

In order for the receiver to unscramble the data stream, it must be permanently informed about the current value of the control word. In practice, it must be informed slightly in advance, so that no viewing interruption occurs. Encryption is used to protect the control word during transmission to the receiver: the control word is encrypted as an entitlement control message (ECM). The CA subsystem in the receiver will decrypt the control word only when authorised to do so; that authority is sent to the receiver in the form of an entitlement management message (EMM). The EMMs are specific to each subscriber, as identified by the smart card in his receiver, or to groups of subscribers, and are issued much less frequently than ECMs, usually at monthly intervals. This being apparently not sufficient to prevent unauthorized viewing, TPS has lowered this interval down to about 12 minutes. This can be different for every provider, BSkyB uses a term of 6 weeks. When Nagravision 2 was hacked, Digital+ started sending a new EMM every three days to make unauthorized viewing more cumbersome.

The contents of ECMs and EMMs are not standardized and as such they depend on the conditional access system being used.

The control word can be transmitted through different ECMs at once. This allows the use of several conditional access systems at the same time, a DVB feature called simulcrypt, which saves bandwidth and encourages multiplex operators to cooperate. DVB Simulcrypt is widespread in Europe; some channels, like the CNN International Europe from the Hot Bird satellites, can use 7 different CA systems in parallel.

The decryption cards are read, and sometimes updated with specific access rights, either through a conditional-access module (CAM), a PC card-format card reader meeting DVB-CI standards, or through a built-in ISO/IEC 7816 card reader, such as that in the Sky Digibox.

Several companies provide competing CA systems; ABV, VideoGuard, Irdeto, Nagravision, Conax, Viaccess, Synamedia, Mediaguard (a.k.a. SECA) are among the most commonly used CA systems.

Due to the common usage of CA in DVB systems, many tools to aid in or even directly circumvent encryption exist. CAM emulators and multiple-format CAMs exist which can either read several card formats or even directly decrypt a compromised encryption scheme. Most multiple format CAMs and all CAMs that directly decrypt a signal are based on reverse engineering of the CA systems. A large proportion of the systems currently in use for DVB encryption have been opened to full decryption at some point, including Nagravision, Conax, Viaccess, Mediaguard (v1) as well as the first version of VideoGuard.

Conditional access in North America

In Canadian and United States cable systems, the standard for conditional access is provided with CableCARDs whose specification was developed by the cable company consortium CableLabs.

Cable companies in the US are required by the Federal Communications Commission to support CableCARDs; standards now exist for two way communication (M-card) but satellite television has its own standards. Next generation approaches in the United States eschew such physical cards and employ schemes using downloadable software for conditional access such as DCAS.

The main appeal of such approaches is that the access control may be upgraded dynamically in response to security breaches without requiring expensive exchanges of physical conditional-access modules. Another appeal is that it may be inexpensively incorporated into non-traditional media display devices such as portable media players.

Conditional access systems

Conditional access systems include:

Analog systems

Digital systems

CA IDNameDeveloped byIntroduced (year)SecurityNotes
0x4AEBAbel QuinticAbel DRM Systems2009Secure
0x4AF0 , 0x4AF2 , 0x4B4BABV CASABV International Pte. Ltd2006Secure (Farncombe Certified)CA,DRM,Middleware & Turnkey Solution Provider For DTH, DVBT/T2, DVBC, OTT, IPTV, VOD,Catchup TV, Audience Measurement System, EAD etc.
0x4AFCPanaccessPanaccess Systems GmbH2010Secure (Farncombe Certified)CA for DVB-S/S2, DVB-T/T2, DVB-C, DVB-IP, OTT, VOD, Catchup etc.
0x4B19RCAS or RIDSYS casRIDSYS, INDIA2012Secure
0x4B30, 0x4B31ViCASVietnam Multimedia Corporation (VTC)UnknownSecure (Farncombe Certified)
N/A B-CAS ARIB STD-B25 (Multi-2) Association of Radio Industries and Businesses (ARIB)2000CA for ISDB. Used in Japan only
0x1702, 0x1722, 0x1762reserved for various non-BetaResearch CA systemsFormally owned by BetaTechnik/Beta Research (subsidiary of KirchMedia). Handed over to TV operators to handle with their CA systems.Unknown
0x1700 – 0x1701, 0x1703 – 0x1721, 0x1723 – 0x1761, 0x1763 – 0x17ff, 0x5601 – 0x5604VCAS DVBVerimatrix Inc.2010
0x2600 BISS European Broadcasting Union UnknownCompromised
0x27A0-0x27A4ICAS (Indian CAS)ByDesign India Private Limited2015Secure
0x4900China CryptCrytoWorks (China) (Irdeto)Unknown
0x22F0CodicryptScopus Network Technologies (now part of Harmonic)UnknownSecure
0x4AEACryptoguardCryptoguard AB2008Secure
0x0B00 Conax ContegoConax ASUnknownSecure
0x0B00 Conax CAS 5Conax ASUnknownCompromisedPirate cards has existed
0x0B00 Conax CAS 7.5Conax ASUnknownSecure
0x0B00, 0x0B01, 0x0B02, 0x0BAAConax CAS 7Conax ASUnknownCompromisedCardsharing
0x0B01, 0x0B02, 0x0B03, 0x0B04, 0x0B05, 0x0B06, 0x0B07Conax CAS 3Conax ASUnknownCompromisedPirate cards has existed
0x4AE4CoreCryptCoreTrust(Korea)2000S/W & H/W SecurityCA for IPTV, Satellite, Cable TV and Mobile TV
0x0D00, 0x0D02, 0x0D03, 0x0D05, 0x0D07, 0x0D20 Cryptoworks Philips CryptoTecUnknownPartly compromised (older smartcards)
0x4ABFCTI-CASBeijing Compunicate Technology Inc.Unknown
0x0700 DigiCipher 2 Jerrold/GI/Motorola 4DTV1997Compromised DVB-S2 compatible, used for retail BUD dish service and for commercial operations as source programming for cable operators.

Despite the Programming Center shut down its consumer usage of DigiCipher 2 (as 4DTV) on August 24, 2016, it is still being used for cable headends across the United States, as well as on Shaw Direct in Canada.

0x4A70DreamCryptDream Multimedia2004Proposed conditional access system used for Dreambox receivers.
0x2719,0xEAD0InCrypt CasS-Curious Research & Technology Pvt. Ltd., Equality Consultancy ServicesUnknown
0x5448Gospell VisionCryptGOSPELL DIGITAL TECHNOLOGY CO., LTD.UnknownSecure
0x5501 Griffin Nucleus Systems, Ltd.Unknown
0x5581Bulcrypt Bulcrypt 2009Used in Bulgaria and Serbia
0x0606Irdeto 1Irdeto1995Compromised
0x0602, 0x0604, 0x0606, 0x0608, 0x0622, 0x0626, 0x0664, 0x0614Irdeto 2Irdeto2000
0x0692Irdeto 3Irdeto2010Secure
0x4AA1 KeyFly SIDSA2006Partly compromised (v. 1.0)
0x0100Seca Mediaguard 1 SECA 1995Compromised
0x0100Seca Mediaguard 2 (v1+) SECA 2002Partly compromised (MOSC available)
0x0100Seca Mediaguard 3 SECA 2008
0x1800, 0x1801, 0x1810, 0x1830 Nagravision Nagravision2003Compromised
0x1801Nagravision CarmageddonNagravisionUnknownCombination of Nagravision with BetaCrypt
0x1702, 0x1722, 0x1762, 0x1801Nagravision AladinNagravisionUnknown
0x1801Nagravision 3 - MerlinNagravision2007Secure
0x1801Nagravision - ELKNagravisionCirca 2008IPTV
0x4A02Tongfang Tsinghua Tongfang Company 2007Secure
0x4AD4OmniCrypt Widevine Technologies 2004
0x0E00 PowerVu Scientific Atlanta 1998CompromisedProfessional system widely used by cable operators for source programming
0x0E00PowerVu+Scientific Atlanta2009
0x1000RAS (Remote Authorisation System) Tandberg Television UnknownProfessional system, not intended for consumers.
0x4AC1Latens SystemsLatens2002
0xA101 RosCrypt-M NIIR2006
0x4A60, 0x4A61, 0x4A63SkyCrypt/Neotioncrypt/Neotion SHLAtSky/Neotion [4] 2003
0x4A80ThalesCryptThales Broadcast & Multimedia [5] UnknownViaccess modification. Was developed after TPS-Crypt was compromised. [6]
0x0500TPS-CryptFrance TelecomUnknownCompromisedViaccess modification used with Viaccess 2.3
0x0500 Viaccess PC2.3, or Viaccess 1 France Telecom Unknown
0x0500Viaccess PC2.4, or Viaccess 2France Telecom2002
0x0500Viaccess PC2.5, or Viaccess 2France TelecomUnknown
0x0500Viaccess PC2.6, or Viaccess 3France Telecom2005
0x0500Viaccess PC3.0France Telecom2007
0x0500Viaccess PC4.0France Telecom2008
UnknownViaccess PC5.0France Telecom2011Secure
UnknownViaccess PC6.0France Telecom2015
0x0930, 0x0942Synamedia VideoGuard 1 NDS (now part of Synamedia) 1994Partly compromised (older smartcards)
0x0911, 0x0960Synamedia VideoGuard 2 NDS (now part of Synamedia) 1999Secure
0x0919, 0x0961, 0x09ACSynamedia VideoGuard 3 NDS (now part of Synamedia) 2004Secure
0x0927, 0x0963, 0x093b, 0x09CDSynamedia VideoGuard 4 NDS (now part of Synamedia) 2009Secure
0x56D0Onnet CA/DRMOnnet Systems India Pvt. Ltd.2021SecureCA/DRM, IPTV Middleware, OTT, Interactive Services, STB Middleware, AR/VR
0x4AD0, 0x4AD1X-CryptXCrypt Inc.2010Secure
0x4AE0, 0x4AE1, 0x7be1DRE-Crypt Cifra 2004Secure
UnknownPHI CASRSCRYPTO2016Secure

See also

Related Research Articles

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

OpenCable is a set of hardware and software specifications under development in the United States by CableLabs to "define the next-generation digital consumer device" for the cable television industry. The consumer-facing brand tru2way was introduced in January, 2008.

Pirate decryption is the decryption, or decoding, of pay TV or pay radio signals without permission from the original broadcaster. The term "pirate" is used in the sense of copyright infringement. The MPAA and other groups which lobby in favour of intellectual property regulations have labelled such decryption as "signal theft" even though there is no direct tangible loss on the part of the original broadcaster, arguing that losing out on a potential chance to profit from a consumer's subscription fees counts as a loss of actual profit.


Conax develops television encryption, conditional access and content security for digital television. Conax provide CAS technology to pay TV operators in 85 countries. The company has offices in Norway (headquarters), Russia, Germany, Brazil, the United States, Canada, Mexico, Indonesia, Philippines, Thailand, China, Singapore, and India, with a 24/7 Global Support Center in India.

Conditional-access module Content decryption key

A conditional access module (CAM) is an electronic device, usually incorporating a slot for a smart card, which equips an Integrated Digital Television or set-top box with the appropriate hardware facility to view conditional access content that has been encrypted using a conditional access system. They are normally used with direct-broadcast satellite (DBS) services, although digital terrestrial pay TV suppliers also use CAMs. PC Card form factor is used as the Common Interface form of Conditional Access Modules for DVB broadcasts. Major CAM manufacturers include: Neotion, SmarDTV & SMIT.

VideoGuard, produced by NDS, is a digital encryption system for use with conditional access television broadcasting. It is used on digital satellite television systems - some of which are operated by News Corporation, which owned about half (49%) of NDS until its sale to Cisco in 2012. Its two most widely used implementations are Sky in the United Kingdom and Ireland and DirecTV in the United States, the former of which launched the digital version of the system in 1998.

Television encryption, often referred to as "scrambling", is encryption used to control access to pay television services, usually cable or satellite television services.


Nagravision is a company of the Kudelski Group that develops conditional access systems for digital cable and satellite television. The name is also used for their main products, the Nagravision encryption systems.

Common Interface

In Digital Video Broadcasting, the Common Interface is a technology which allows decryption of pay TV channels. Pay TV stations want to choose which encryption method to use. The Common Interface allows TV manufacturers to support many different pay TV stations, by allowing to plug in exchangeable conditional-access modules (CAM) for various encryption schemes.


Dreambox is a series of Linux-powered DVB satellite, terrestrial and cable digital television receivers, produced by German multimedia vendor Dream Multimedia.

KeyFly is a conditional access (CA) system developed by SIDSA which is compatible with the DVB-CSA platform. The system is based on SIDSA MACtsp processors, and conditional-access modules for it can integrate the card directly into the CAM.


In television encryption, Cryptoworks is a DVB conditional access system, developed by Philips CryptoTec but now belonging to Irdeto.

Card sharing, also known as control word sharing, is a method of allowing multiple clients or digital television receivers to access a subscription television network with only one valid subscription card. This is achieved by electronically sharing a part of the legitimate conditional access smart card's output data, enabling all recipients to gain simultaneous access to scrambled DVB streams, held on the encrypted television network.

Multi-Choice TV (MCTV) is a television service provider in Barbados. It is a Multichannel Multipoint Distribution Service (MMDS) or DVB-C wireless microwave-based broadcast subscription television provider. They offer a variety of packages which can be considered as comparatively priced to similar providers throughout the world.

The DBox is a DVB satellite and cable digital television integrated receiver decoder. They were distributed widely for use with Pay television channels. The DBox-1 was the first DVB-capable receiver to be produced and distributed in large quantity. It was commissioned by the Kirch group's DF1, an early German provider of digital television that later merged with Premiere. The hardware was developed and produced by Nokia though later also produced by Philips and Sagem under license.

FTA receiver

A free-to-air or FTA Receiver is a satellite television receiver designed to receive unencrypted broadcasts. Modern decoders are typically compliant with the MPEG-2/DVB-S and more recently the MPEG-4/DVB-S2 standard for digital television, while older FTA receivers relied on analog satellite transmissions which have declined rapidly in recent years.

Cable television piracy is the act of obtaining unauthorized access to cable television services. It is a form of copyright infringement. In older analog cable systems, most cable channels were not encrypted and cable theft was often as easy as plugging a coaxial cable attached to the user's television into an apartment house cable distribution box. In some rural areas nonsubscribers would even run long cables to distribution boxes on nearby utility poles. Set-top boxes were required with some systems, but these were generic, and often in an unknowing violation of contract, former customers would donate them to thrift stores for sale or retain them indefinitely in storage when they ended their subscription to the service rather than return them to the provider. Other ways of cable theft were using a cable tv converter box to steal only premium channels such as HBO and pay per view; by descrypting all channels. Wheras a normal converter would only decrypt the ones paid for by the customer. An electronic signal was sent to descramble each channel paid for, known as a "bullet" which would also effect some illegally used descramblers, some however were bulletproof. The boxes also would often be ordered from overseas or given to customers by corrupt third-party installers of cable television.

Addressability is the ability of a digital device to individually respond to a message sent to many similar devices. Examples include pagers, mobile phones and set-top boxes for pay TV. Computer networks are also addressable, such as via the MAC address on Ethernet network cards, and similar networking protocols like Bluetooth. This allows data to be sent in cases where it is impractical to control exactly where or to which devices the message is physically sent.

Dream Satellite TV

Dream Satellite TV was the first all-digital Direct-To-Home (DTH) television broadcasting service via satellite in the Philippines. Broadcasting from the Dream Broadcast Center located at the Clark Special Economic Zone in Pampanga. Content is received from program providers, compressed and broadcast via Koreasat 5 in DVB-S and NTSC color format exclusively to its subscribers using the Integrated Receiver-Decoder and the Conax/Nagravision 3 Encryption System.

Unibox is a satellite, cable and terrestrial digital receiver. It has been distributed widely for use with Pay TV. It also enables the receiver to store digital copies of MPEG TS on internal harddisk or networked filesystems.


  1. MicrosoftGuyJFlo. "Wat is voorwaardelijke toegang in Azure Active Directory?". (in Dutch). Retrieved 2019-09-23.
  2. "Workspace management". Workspace 365. Retrieved 2019-09-23.
  3. Brenduns. "Voorwaardelijke toegang met Microsoft Intune - Microsoft Intune". (in Dutch). Retrieved 2019-09-23.
  4. "Skycrypt". 2008-01-17. Retrieved 2008-08-28.
  5. "What means ThalesCrypt? - AfterDawn".
  6. "TPSCrypt". 2008-01-17. Retrieved 2008-08-28.