Monday, 6 April 2015

DVB CA ARCHITECTURE

Introduction

Digital Video Broadcasting (DVB) is a standard defining a one-to-many unidirectional data network for sending digital TV programs over satellite, cable, and other topologies. The standard enables the broadcasting industry to offer hundreds of pay-TV channels to consumers. The expanded capacity makes the broadcast signals more valuable and more attractive to signal thieves. To protect a DVB data network, the DVB standard integrates into its broadcasting infrastructure an access control mechanism, commonly known as Conditional Access, or CA for short.

This report is an overview of the DVB-CA architecture. The approach is to provide a full picture of a typical DVB-CA deployment in operation. First, each of the major components is individually described. Then, an operational walk-through is given to show how the different components work together. Throughout the report, the architecture’s enabling technologies are mentioned. However, the technical details are not elaborated but instead deferred to references.

Functional Partitions

The DVB-CA architecture manages end-users' access to protected contents with three elements: data scrambling, a subscriber authorization system (SAS), and a subscriber management system (SMS). Together, they form three layers around the protected contents:



Data scrambling encrypts the digital-TV contents at the center. The subscriber authorization system controls the data-scrambling element by handling the secured distribution of descrambling keys to authorized subscribers. Knowing which subscribers are entitled to which contents, the subscriber management system delivers access permissions to the SAS for enforcement.

The protection scope of the DVB-CA architecture ends at the boundary where protected contents are legitimately descrambled. Thus, DVB-CA offers no protection when a legitimate subscriber wires up a receiver to tap out the descrambled contents.

Data-Scrambling


The data-scrambling element is the encryption of TV contents. To avoid confusion, the DVB-CA specification uses the terms scrambling and descrambling to mean the encrypting and decrypting of TV contents, differentiating other uses of cryptography in the broader DVB infrastructure. The broadcast center does the scrambling, and receivers perform the descrambling.

Subscriber Authorization System

The SAS element implements the access-control protocol. It enforces end-users' access rights by allowing only authorized subscribers to descramble the contents. The SAS uses cryptography extensively, and the system is designed to be renewable inexpensively as a strategy to contain the damage if it is compromised.

Subscriber Management System

The SMS element grants access rights. Operating from the business operation center, the SMS maintains a database of subscribers. For each subscriber, the SMS database records subscription level, payment standing, and a unique ID inside the subscriber’s smart card. The SMS uses the information to decide which TV channels a subscriber is entitled to view, and the access permissions are given to the subscriber authorization system for enforcement.

System Architecture

The next picture depicts the major components of the DVB-CA architecture and their relations:

The scrambler and descrambler implement the data-scrambling element, and control words are the cipher keys. CA-Host, CA-Client, and CA-Module are the three distributed components of the SAS element, and they use CA descriptors and CA messages (EMM and ECM) for communication.

Scrambler and Descrambler

The data-scrambling cipher is called the DVB Common Scrambling Algorithm (DVB-CSA). The algorithm is a combination of a 64-bit block cipher followed by a stream cipher, with a key size of 64 bits. However, the details are kept secret and disclosed to equipment manufacturers under a non-disclosure agreement. For performance and obscurity, the algorithm is implemented in hardware.

At the broadcast center, the scrambler generates control words to scramble the contents, and it passes the control words to the CA-Host for secured distribution to descramblers via ECM CA messages. Control words change about every ten seconds, and the scrambler synchronizes the descrambler to key switching using a specific bit in data-packet headers. As a defense strategy, different TV channels are scrambled with different streams of control words.

CA Messages

CA messages are encrypted command-and-control communications from CA-Host to CA-Modules. The DVB-CA architecture categorizes CA messages into Entitlement Control Messages (ECM) and Entitlement Management Messages (EMM). ECMs carry channel-specific access-control list and control words. EMMs deliver subscriber-specific entitlement parameters. As a strategy of defense in depth, a secret cipher different from data scrambling is used, and the details on the message formats are closely guarded secrets.

CA Descriptor

CA descriptors are data records associating a protected channel with its ECMs. Since different streams of control words are used to scramble different channels, there is no need to keep the relations secret. Thus, the CA descriptors are sent in the clear via the electronic channel guide, which is transmitted continuously in the broadcast traffic.

CA-Host

The CA-Host is the control center of the access protection. It is responsible for encrypting all CA messages to CA-Modules and securely distributing CA messages' cipher keys to CA-Modules.

CA-Client

A CA-Client is the access-control coordinator at a receiver. It passes CA messages from the CA-Host to its CA-Module. It delivers the control words from the CA-Module to the descrambler. When the viewer selects a channel, the CA-Client uses the channel’s CA descriptor to filter the associated ECMs and passes them to the CA-Module. If the channel is a pay-per-view, the CA-Client also walks the viewer through GUI dialogs to confirm purchases.
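The filtering step described above, together with the key-switch signalling from the Scrambler and Descrambler section and the cleartext CA descriptor, can be shown on raw packets. This is an added example, not code from the original report: it assumes the public MPEG-2 transport stream layout (188-byte packets, a CA descriptor with tag 0x09, two scrambling-control bits whose DVB values 2 and 3 select the even or odd control word), and every byte of the sample data, including the CA system ID 0xFFFF and the PIDs, is constructed.

```python
import struct

def parse_ts_header(packet: bytes) -> dict:
    """Return the PID and 2-bit transport_scrambling_control of one TS packet."""
    if len(packet) != 188 or packet[0] != 0x47:
        raise ValueError("expected a 188-byte packet starting with sync byte 0x47")
    pid = ((packet[1] & 0x1F) << 8) | packet[2]
    return {"pid": pid, "scrambling": packet[3] >> 6}

def parse_ca_descriptors(loop: bytes) -> list:
    """Walk a descriptor loop; return (CA_system_ID, ECM PID) per CA descriptor."""
    found, i = [], 0
    while i < len(loop):
        if i + 2 > len(loop):
            raise ValueError("truncated descriptor header")
        tag, length = loop[i], loop[i + 1]
        body = loop[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("descriptor runs past end of loop")
        if tag == 0x09:                                   # CA descriptor
            if length < 4:
                raise ValueError("CA descriptor shorter than 4 bytes")
            system_id, pid_field = struct.unpack(">HH", body[:4])
            found.append((system_id, pid_field & 0x1FFF))  # drop 3 reserved bits
        i += 2 + length
    return found

def route(packets, descriptor_loop: bytes, av_pid: int):
    """CA-Client view: which packets go to the CA-Module, and where the key flips."""
    ecm_pids = {pid for _, pid in parse_ca_descriptors(descriptor_loop)}
    to_cam, key_switches, last = [], [], None
    for n, pkt in enumerate(packets):
        hdr = parse_ts_header(pkt)
        if hdr["pid"] in ecm_pids:
            to_cam.append(n)                  # ECM: hand to the CA-Module
        elif hdr["pid"] == av_pid and hdr["scrambling"] in (2, 3):
            if last is not None and hdr["scrambling"] != last:
                key_switches.append(n)        # even/odd flip: next control word
            last = hdr["scrambling"]
    return to_cam, key_switches

def make_packet(pid: int, scrambling: int) -> bytes:
    """Build a constructed TS packet: 4-byte header plus 184 zero payload bytes."""
    header = [0x47, (pid >> 8) & 0x1F, pid & 0xFF, (scrambling << 6) | 0x10]
    return bytes(header) + bytes(184)

# Constructed sample: an unrelated descriptor (tag 0x52), then a CA descriptor
# naming ECM PID 0x1F4; video on PID 0x100 switches even -> odd -> even.
SAMPLE_LOOP = bytes.fromhex("520101" "0904ffffe1f4")
SAMPLE_PACKETS = [make_packet(0x100, 2), make_packet(0x100, 2),
                  make_packet(0x1F4, 0), make_packet(0x100, 3),
                  make_packet(0x100, 3), make_packet(0x1F4, 0),
                  make_packet(0x100, 2)]

if __name__ == "__main__":
    print(parse_ca_descriptors(SAMPLE_LOOP))
    print(route(SAMPLE_PACKETS, SAMPLE_LOOP, av_pid=0x100))
```

Nothing in this path needs a secret: the descriptor and the packet headers are readable by any receiver, which is why the protection rests on the ECM contents rather than on hiding which packets carry them.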

CA-Module

A CA-Module (CAM) is the access-control guard at a receiver. Each CA-Module has a unique CAM-ID for identifying the subscriber. The CA-Module authenticates and decrypts EMMs to establish a subscriber’s entitlement parameters, which are stored in the CAM’s non-volatile and secured memory and never leave the CAM. The CA-Module also authenticates and decrypts ECMs to receive a channel’s control words and access parameters from the CA-Host. If the access parameter in an ECM is consistent with the entitlement parameters stored in the CA-Module, the CA-Module returns the control word to the CA-Client for setting up the descrambler.

Since it is important for CA-Modules to be tamper-resistant and easily replaced when damaged or compromised, they are often implemented as smart cards.

Subscriber Management System

The SMS is the business manager determining each subscriber’s rights of channel access. It uses CAM-IDs to link subscribers to the subscriber authorization system. As a subscriber’s subscription level and payment standing change, the SMS modifies the access rights by instructing the CA-Host to send new EMMs to the CA-Module having the subscriber’s CAM-ID.

Network Integration

The next picture shows where the components of the DVB-CA architecture are integrated into a DVB data network:

To illustrate the interaction between the components in the DVB-CA architecture, a walk-through of the operations behind the following access scenario is presented next.

A subscriber is currently entitled to only basic services, without access to premium sports channels. One evening, the subscriber browses through the on-screen channel guide and decides to watch a boxing event. Tuning to the channel, the subscriber is presented with an on-screen message instructing the viewer to call the customer service center to upgrade the subscription level. After the service upgrade is discussed, the customer representative confirms the subscriber’s request to upgrade. Within a few seconds, the on-screen message is replaced by the boxing show.

Behind the scenes, the CA-Client receives the channel-tuning request from the GUI. From the channel number of the boxing event, the CA-Client looks up the parameters from the channel guide to set up the data receiver and packet filter for receiving the show’s digital audio and video streams. More importantly, the CA-Client looks up the CA descriptor and extracts parameters to set up the packet filter for receiving ECM packets associated with the channel. When the ECMs arrive, the CA-Client passes them to the CA-Module and waits for a response.

When the CA-Module receives an ECM, it authenticates and decrypts the ECM to extract the control word and access parameter of the tuned channel. Comparing the access parameter to the stored entitlement parameter, the CA-Module finds that the service belongs to a subscription level higher than that of the subscriber. Thus, the CA-Module returns a status code of “below service level” to the CA-Client. The CA-Module continues to return the same status code for every ECM passed from the CA-Client since the subscriber’s entitlement remains unchanged.

Receiving a response status of “below service level”, the CA-Client displays a message on the TV screen, asking the subscriber to call the customer service center for service upgrade. The message remains on screen for as long as the CA-Module returns the same response to all ECMs passed from the CA-Client.

As instructed by the on-screen message, the subscriber calls the customer service center to request service upgrade. After confirming the request and obtaining online credit approval, the customer representative enters the new subscription level to the SMS. Upon receiving the upgrade, the SMS provides the new subscription level and the subscriber’s CAM-ID to the CA-Host. The CA-Host encapsulates the new subscription level into an EMM, tags it with the subscriber’s CAM-ID, signs and encrypts it, and inserts the EMM into the broadcast traffic.

Back at the receiver site, the CA-Client receives the EMM tagged with the subscriber’s CAM-ID and passes it to the CA-Module. After authenticating and decrypting the EMM, the CA-Module stores the new subscription level in its internal secured storage. When a subsequent ECM from the boxing channel comes along, the CA-Module finds that the subscriber is entitled to the channel. Consequently, the CA-Module returns the control word.

Receiving a valid control word from the CA-Module, the CA-Client sets up the descrambler, and the digital audio and video data are descrambled, decoded, and shown on the TV set. Seeing the boxing event, the subscriber is happy and ends the conversation with the customer representative.

From this point on, the CA-Client continuously feeds the channel’s ECMs to the CA-Module, which returns new control words as they change.
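The walk-through can be replayed as a small simulation of the CA-Host and CA-Module. This is an added example, not part of the original report and not any vendor's implementation: the real ECM/EMM ciphers and formats are secret, so an HMAC-SHA256 tag over a SHA-256 counter-mode keystream stands in for them, and the message layouts, the single shared key, the CAM-IDs and the control word are all constructed assumptions.

```python
import hashlib, hmac, os, struct

def _keys(master: bytes):
    # Separate encryption and MAC keys derived from one provisioned secret.
    return (hashlib.sha256(b"enc" + master).digest(),
            hashlib.sha256(b"mac" + master).digest())

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # SHA-256 in counter mode as a stand-in keystream (NOT a real CA cipher).
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + struct.pack(">I", ctr)).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(master: bytes, kind: bytes, body: bytes) -> bytes:
    """CA-Host side: encrypt the body, then authenticate kind + nonce + ciphertext."""
    enc, mac = _keys(master)
    nonce = os.urandom(8)
    head = kind + nonce + _xor_stream(enc, nonce, body)
    return head + hmac.new(mac, head, hashlib.sha256).digest()

def unseal(master: bytes, kind: bytes, msg: bytes) -> bytes:
    """CA-Module side: authenticate first, decrypt only if the tag verifies."""
    enc, mac = _keys(master)
    head, tag = msg[:-32], msg[-32:]
    good = hmac.new(mac, head, hashlib.sha256).digest()
    if len(msg) < 41 or head[:1] != kind or not hmac.compare_digest(tag, good):
        raise ValueError("CA message rejected")
    return _xor_stream(enc, head[1:9], head[9:])

class CAHost:
    def __init__(self, master: bytes):
        self.master = master
    def make_emm(self, cam_id: int, level: int) -> bytes:
        return seal(self.master, b"M", struct.pack(">IB", cam_id, level))
    def make_ecm(self, required_level: int, control_word: bytes) -> bytes:
        return seal(self.master, b"C", struct.pack(">B", required_level) + control_word)

class CAModule:
    def __init__(self, cam_id: int, master: bytes, level: int):
        self.cam_id, self._master, self._level = cam_id, master, level
    def on_emm(self, msg: bytes) -> str:
        cam_id, level = struct.unpack(">IB", unseal(self._master, b"M", msg))
        if cam_id != self.cam_id:      # re-check even though the CA-Client filters
            return "not for this CAM"
        self._level = level            # the entitlement never leaves the module
        return "entitlement updated"
    def on_ecm(self, msg: bytes):
        body = unseal(self._master, b"C", msg)
        required, control_word = body[0], body[1:]
        if self._level < required:
            return "below service level", None
        return "ok", control_word

def walk_through():
    master = bytes(range(32))                    # constructed key
    cw = bytes.fromhex("0011223344556677")       # constructed 64-bit control word
    host = CAHost(master)
    cam = CAModule(cam_id=0x1001, master=master, level=1)   # basic subscriber
    ecm = host.make_ecm(required_level=2, control_word=cw)  # premium channel
    events = [cam.on_ecm(ecm)]                               # before the upgrade
    events.append(cam.on_emm(host.make_emm(0x2002, 2)))      # another CAM's EMM
    events.append(cam.on_emm(host.make_emm(0x1001, 2)))      # the upgrade EMM
    events.append(cam.on_ecm(ecm))                           # after the upgrade
    forged = bytearray(ecm)
    forged[9] ^= 0x01                            # tamper with the required level
    try:
        cam.on_ecm(bytes(forged))
        events.append("accepted")
    except ValueError:
        events.append("rejected")
    return events

if __name__ == "__main__":
    for event in walk_through():
        print(event)
```

The last step shows why the CA-Module authenticates before it decrypts: with a keystream cipher alone, flipping one ciphertext bit would change the required level without knowledge of the key.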
 


Thursday, 19 February 2015

DIGITAL HEADEND ARCHITECTURE

BASIC ARCHITECTURE OF A DIGITAL CATV HEADEND


Cable TV headends throughout the country are now seriously considering the addition of digital CATV channels. Besides the advantages of better picture clarity and multi-channel sound, as well as the potential to deliver HDTV (High Definition Television), the key necessity for shifting to digital is the large number of channels and the limited capacity of 106 analog channels on a cable TV network.

Digital CATV provides for carriage of 6 to even 20 digital channels in the bandwidth of a single analog channel. Hence, if 10 analog channels are vacated, that bandwidth can carry 60 to 200 digital channels.

The fact that a countrywide CAS rollout is only a matter of time further adds to the impetus to roll out digital CATV channels from the headend.

This article provides a simple overview of the basic structure of a digital CATV headend. The aim is to provide cable operators an overview and understanding of a basic digital headend.



START THE CHANGES:- ENCODE

Signals from pay or Free-To-Air (FTA) satellite channels are typically available at the headend through an IRD (Integrated Receiver-Decoder), which provides a composite video (analog) output signal along with separate mono or stereo sound signals. Both the video and audio signals are analog and need to be converted to a digital signal for use in a digital headend.

This conversion of the analog video and audio signals to a digital data stream is done by an MPEG-2 encoder. The MPEG-2 encoder provides a signal stream of digital data that contains both the video and audio digital signals.

One encoder is required per analog TV channel.

Hence, if 20 analog TV channels are to be carried as digital channels, the digital headend will require 20 separate encoders to convert the analog signals to digital signals.

Encoders form a crucial component in the quality of the digital signal. If the conversion of analog to digital is not done well, the picture quality will certainly suffer.

The cost of digital encoders used for local encoding is very high and would typically account for a major part of the headend cost. MPEG-2 encoders will typically cost Rs. 20,000 to Rs. 2 lac per channel, depending on the brand, quality and facilities offered.

MAINTAIN YOUR BANDWIDTH:- BITRATES MANAGEMENT
MPEG-2 also permits the user to set the maximum digital bit rate of the digital output signal. An analog channel can be converted into a digital channel with bit rates varying from 1.5 Mbps to 5 Mbps or even higher. The larger the bit rate allocated to each analog channel, the better the picture quality. However, larger bit rates imply that fewer digital channels can be squeezed into the bandwidth of 1 analog channel. On the other hand, a low bit rate of 1.5 Mbps may result in visibly poor digital quality. As technology marches on, it has become possible to achieve good picture quality with lower bit rates using MPEG-2 compression.

A TYPICAL STANDARD
Larger bit rates are required for channels where the picture changes rapidly, such as in a sports channel covering a football game. The camera continuously follows the ball and the entire picture changes rapidly. Such channels require a bit rate of 3 Mbps to 5 Mbps.

On the other hand a News channel often has very little change in picture content from TV frame to TV frame. The news reader's face and background remains almost constant. Such channels require a much lower bit rate. It is generally felt that news channels can be adequately encoded by allocating them a bit rate of 1.5 Mbps to 2.5 Mbps.

USE A SMART DEVICE TO STATMUX
Of course, there will be certain periods when the sports channel focuses only on the commentator's face. During these periods, the lower bit rate applicable to news channels would be adequate for the sports channel.

Similarly if the News channel shows an outdoor clip, it would require a much higher bandwidth.

It would be extremely wasteful if news channels and sports channels were allocated a fixed data rate. This has led to the development of "Statistical Multiplexing". This examines the picture content of each channel approximately 20 times every second and continuously allocates different bit rates to different channels, depending on the instantaneous picture requirement of each channel.

If fixed-data-rate encoding accommodates 6 digital channels per analog channel, statistical multiplexing practically increases it to 10 or 12 digital channels compressed into an analog channel bandwidth.
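The allocation step of statistical multiplexing can be sketched as follows. This is an added example, not taken from the article or from any multiplexer product: it assumes each channel reports a positive "complexity" score, shares the pool in proportion to that score within the 1.5 to 5 Mbps range quoted above, and uses the 38 Mbps QAM 64 figure from Table 1 as the pool; the scores and the 12-channel line-up are constructed.

```python
def statmux_allocate(complexity, pool_mbps, lo=1.5, hi=5.0):
    """Give channel i the rate clip(k * complexity[i], lo, hi), with the scale k
    chosen by bisection so that the rates add up to the pool. One call stands
    for one decision; a statmux repeats it about 20 times per second."""
    n = len(complexity)
    if min(complexity) <= 0:
        raise ValueError("complexity scores must be positive")
    if n * lo > pool_mbps:
        raise ValueError("pool cannot cover the minimum rate on every channel")
    target = min(pool_mbps, n * hi)        # never hand out more than n * hi

    def clip(x):
        return max(lo, min(hi, x))

    low, high = 0.0, hi / min(complexity)  # at `high` every channel sits at hi
    for _ in range(60):                    # the total is monotone in the scale
        mid = (low + high) / 2
        if sum(clip(mid * c) for c in complexity) < target:
            low = mid
        else:
            high = mid
    return [round(clip(high * c), 3) for c in complexity]

# Constructed scores: 4 sports channels (fast motion), 6 news, 2 movie channels.
INTERVAL_A = [1.0] * 4 + [0.3] * 6 + [0.6] * 2
# Later interval: sports channel 0 shows the commentator's face while
# news channel 4 cuts to an outdoor clip, so their scores swap.
INTERVAL_B = [0.3] + [1.0] * 3 + [1.0] + [0.3] * 5 + [0.6] * 2

if __name__ == "__main__":
    for scores in (INTERVAL_A, INTERVAL_B):
        rates = statmux_allocate(scores, pool_mbps=38.0)
        print(rates, "total", round(sum(rates), 2))
```

Twelve channels fit in the 38 Mbps pool because the six quiet channels take 1.8 Mbps each at the moment the four busy ones take 5 Mbps, and the rates follow the picture content when it changes.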

USE OF BETTER CODECS
Instead of MPEG-2, the MPEG-4 standard can also be used for digitizing an analog signal. MPEG-4 offers almost 40% better compression, that is, 40% more digital channels in the same analog bandwidth.

A detailed discussion on the MPEG-4 is beyond the scope of this article. However, SCAT has carried a detailed article on MPEG-4 in past issues of the magazine.

MPEG-4 encoders and decoders (STBs) are currently very expensive and rarely deployed on cable TV networks.

DIGITAL INTEGRATION
As indicated above, the cost of digital encoders is typically very high.

A digital headend can therefore save a substantial amount of money if the digital satellite receiver provides for a digital (ASI) output rather than the CVBS analog outputs. Many professional digital satellite receivers offer such a facility though typically, the digital IRDs distributed by pay TV channels do not offer an ASI (Digital) output. Further, since pay channels "pair" their IRDs and smart cards, it is also not possible for the cable operator to use an authorized smart card with an independently procured digital satellite receiver with ASI output.

This is an area that the TRAI needs to look into and address, to facilitate lower cost digitization of CATV headends.

If the satellite receiver directly provides an ASI output, no encoder is required and the digital signals can be directly fed into the digital combiner.



THE MULTIPLEXER
Encoders provide separate digital output for each TV channel.

In an analog headend a channel combiner combines multiple analog channels. Similarly, in a digital headend a multiplexer (MUX) combines multiple digital channels and creates a "Transport Stream" (TS).

The Transport Stream not only combines the digital channels but also creates a summary of the digital data contained in the Transport Stream.

Multiplexers are typically available to 'combine' either 12 to 20 digital channels.

Such multiplexers accept ASI inputs up to 200 Mbps and offer between 1 and 4 outputs.

MULTIPLE OUTPUTS
A multiplexer combines several digital channels to form a single transport stream that will be carried in the bandwidth of a single analog channel. Depending on the capability of the encoders and whether statistical multiplexing is used, the number of channels that can be compressed into the space of a single analog CATV channel (8 MHz for PAL-G) varies from 6 channels to as high as 16 to 20 channels.

However, the amount of digital content (Mbps) that can be carried on a single analog channel will also depend on the type of modulation used by the cable TV network.

QAM MODULATION
Quadrature Amplitude Modulation (QAM) provides for carriage of a large amount of digital data in a small bandwidth. QAM however requires strong signal strengths with very little noise. Hence QAM modulation cannot be used for satellite transmission but is used universally for digital CATV networks.

QAM modulation is typically used as either QAM 64, QAM 128 or QAM 256.

QAM 64 offers the least compression and is most tolerant to external noise injected into the network due to poor quality cables, connectors or tap-offs. On the other hand QAM 256 provides the largest number of digital channels within a single analog channel but requires very good networks to transmit digital pictures to the consumer without freezing or pixelisation (picture breaking up into small squares or dots).


MULTIPLEX CONFIGURATION
Depending on whether QAM 64, 128 or 256 is to be used for digital modulation, the multiplexer is to be configured to offer the appropriate mixing. The multiplexer is configured by connecting it to a PC, through SNMP via an Ethernet port.

Table 1 shows the different digital output bit rates applicable for QAM 64, 128 & 256. 

Table 1: Typical Bit Rates for Different Levels of QAM Modulation

Modulation    Bit rate
QAM 64        38 Mbps
QAM 128       48 Mbps
QAM 256       51 Mbps

The multiplexer can be used for multiple channel inputs with a total bit rate of up to 200 Mbps. Hence if the full 200 Mbps input capability is utilized, the multiplexer will have to be configured to provide for separate ASI output data streams each of 50 Mbps. The cable network will have no choice but to use 256 QAM digital modulation after the multiplexer.

If the network intends to use 128 QAM, it will have to reduce the input data rate to the multiplexer by either:

i) Using more compression per channel (hence more expensive encoders or poorer picture quality) or

ii) Using fewer channels. 

SCRAMBLING
CAS requires that pay channels be scrambled and the subscriber's STB decodes/un-scrambles only the channels that they pay for.

Hence a digital headend that carries pay channels will typically have to scramble the pay channels.

Fig.3 shows the location of the scrambler in the digital headend. 



Each multiplex output requires a separate scrambler. The cost of the scrambler can vary very widely depending on the scrambling system used. As a rough estimate, a scrambler could cost Rs. 2 lacs each. Note that if the multiplexer is configured with 4 outputs, 4 separate scramblers will have to be installed, increasing the cost of the digital headend very substantially.

For free-to-air (FTA) channels, no scramblers need to be used and the output of the multiplexer is fed directly to a QAM modulator.

SET TOP BOX ARCHITECTURE

First, we start by defining what a set-top box actually is.

Definition:-

A set-top box (STB) or set-top unit (STU) is an information appliance that generally contains a tuner input and a display output. It connects to a television set and an external source of signal, turning the source signal into content in a form that can then be displayed on the television screen or other display device. Set-top boxes are used in cable television, satellite television, and over-the-air television systems, as well as other uses.

Architecture:-

The STB selects the appropriate broadcast TV information by tuning to one of many input channels. The signal is digitally modulated using Quadrature Phase Shift Key (QPSK) for satellite applications, Quadrature Amplitude Modulation (QAM) for cable and Orthogonal Frequency Division Multiplexing (OFDM) for terrestrial. The information in the selected RF channel is then processed by the demodulator to produce an MPEG-2 Transport Stream (TS) containing the audio, video and other information that relates to the selected TV programme.

The STB generally also contains some form of modem to allow it to send and receive interactive data. Conventional telecommunication modems are typically used in satellite and terrestrial STBs, while cable STBs generally have a cable modem. DOCSIS cable modems use a QAM demodulator for the downstream data, whilst out-of-band DAVIC cable modems use a QPSK demodulator. In both cases, a QPSK modulator is used to transmit the upstream data, though DOCSIS also has a 16 QAM mode.

In general, digital TV information in the MPEG-2 TS may be encrypted to prevent customers who have not paid for a particular service from being able to view it. The MPEG demultiplexer selects and decrypts the compressed audio and video for the particular programme that the viewer wishes to watch, using decryption keys supplied by the Conditional Access Sub System (CASS). The MPEG decoder then decompresses the audio and video information for the selected programme. The Central Processing Unit (CPU) controls the whole operation and performs specific data manipulation functions. It generally uses a Real Time Operating System (RTOS) on top of a hardware abstraction layer for the management of the resources and processes of the STB, directed by the higher-level software.


It is thus obvious from this diagram that the front end, which contains the tuner and the demodulator, will be different for the three transmission media. Hence, if an STB is to be made interoperable across all three transmission media, it should be fitted with switchable front ends.

Whenever an MPEG-2 TS carries encrypted (or scrambled) services, the TS also carries two types of messages called EMM (Entitlement Management Message) and ECM (Entitlement Control Message). An EMM carries a list of pay-TV services which the owner of that STB is entitled to view and also the date up to which he is entitled to receive them. The ECM, on the other hand, carries a data element called the control word (CW), which is used by the ‘descrambler’ in the STB to descramble the picture and make it intelligible again. Both these messages are carried in the TS in an ‘encrypted’ form. Whereas DVB has standardized the scrambling algorithm (known as the DVB Common Scrambling Algorithm, DVB-CSA), the algorithms used for ECM/EMM encryption are not standardized, for obvious reasons.