Solution
Overview
Irdeto
Conditional Access
A fully renewable and scalable solution for protecting content and business models
on broadcast and IPTV networks
Digital content piracy is a
worldwide issue. Well-funded
criminal organizations are
constantly looking to exploit
security systems and the
explosion of illegal content
streaming websites in recent
years means this threat is now
stronger than ever. Once the
danger was limited to control
word sharing and smart card
tampering on managed STBs,
but today’s consumers view
digital video on a wide variety
of unmanaged devices. This
leaves content vulnerable to
www.irdeto.com
advanced hacking attacks at
all points along the media
pipeline.
To protect their revenue
and reputation, operators
need uncompromising and
sophisticated conditional access
solutions that are constantly
evolving to address the latest
threats. Preventing piracy is
essential, but so is the ability
to recover swiftly if a breach
does occur, and to track down
and shut off the source of any
content leaks. Such renewable,
© 2022 Irdeto. All Rights Reserved.
traceable security is increasingly
central to operator growth
strategies because it is a key
condition of agreements with
licensing authorities such
as sports rights holders and
Hollywood studios. To win
the desirable, high-quality
content that differentiates
them from competitors,
attracts subscribers and builds
brand loyalty, operators must
demonstrate continuing
commitment to combating
piracy.
1
 FOCUS ON COST-EFFICIENCY
In addition to the threat from pirates and pay TV rivals, operators also face a battle for subscribers with
over-the-top (OTT) players and direct-to-consumer offerings from content owners. To counter the effects
of so-called “cord cutting”, operators must keep prices low at the same time as adding value. Typically,
this means investing in their own multiscreen services. For many operators, the adoption of software-
based (cardless) conditional access in place of smart cards is an obvious choice as it reduces procurement,
distribution and management expenses as well as STB hardware costs, without impacting security.

A sharp focus on operational efficiency is also necessary as the number of screens grows, to eliminate
duplication of effort and technology across broadcast and OTT. Many pay TV companies are looking for
ways to simplify security management in a multiscreen world, adopting unified processes for all content,
whether the protection mechanism is CA or Digital Rights Management (DRM).

FLEXIBILITY FOR THE FUTURE

While piracy and cost control are a common concern to all operators, the specifics of the services they run
can vary widely from one market to another and over time. To stay ahead of their competition, operators
need the flexibility to test and implement new business models and features that may appeal to their
unique customer base. This can range from subscription and pay-per-view VOD (whether streamed,
downloaded or pushed to the STB) to home networking, PVR functionality, or tie-ins with third parties
such as OTT-services. All of these have implications for content security. To offer a truly dynamic, tailored
service to their subscribers, operators need a CA system that supports a rich feature set and the ability to
add these new capabilities quickly and easily over-the-air.

The Irdeto Conditional Access System (CAS), a solution in the Irdeto 360 Security portfolio, provides the
most stringent content security for pay TV operations. It also enables pay TV operators and broadcasters
to offer more services, payment options and device support. This equates to more choice, flexibility and
convenience for their customers. Whether via cable, satellite, terrestrial or IPTV, Irdeto Conditional Access
gives broadcasters the flexibility to easily deploy new TV services without interrupting existing subscriber
services or compromising their digital assets.

KEY BENEFITS
Stay ahead of evolving security threats with renewable, uncompromising security
To protect your investments, Irdeto Conditional Access offers renewable security technology. This enables
operators to remotely update both software-based and smart card security clients quickly and easily in
the event of a piracy incident, without costly card swaps. An on-going roadmap of security enhancements
ensures Irdeto CAS protects against the latest threat trends and is compliant with the changing
requirements of all major content licensing authorities.

www.irdeto.com © 2022 Irdeto. All Rights Reserved. 2

Drive ARPU with attractive new features that can
be added over the air
Irdeto CAS is a fully-featured solution that includes
a large number of modules and client options to
support advanced functionalities such as VOD,
home-networking and PVR. Over-the-Air updates
give operators the flexibility to test and rapidly
deploy new services to existing STBs in the field,
improving the offering to their subscribers and
creating an opportunity for the operator to raise
ARPU.
Minimize costs with flexible deployment options
Available as either a smart card or software-based
security client to dramatically reduce the total cost
of ownership (TCO), Irdeto CAS can be configured
to meet the needs of each specific market. Suitable
for protecting content for broadcast or IPTV
delivery to managed devices such as STBs, it can
be tailored from small or medium-sized networks,
to large-scale networks with millions of subscribers
in a fully redundant setup. Also available as a
managed service, Irdeto CAS is compatible
with a wide range of set-top boxes, client
devices, compression equipment and subscriber
management systems. This open approach allows
operators to select the components of their choice
or rely on Irdeto for a pre-integrated, end-to-end
solution.
DELIVERING CHOICE, FLEXIBILITY AND CONVENIENCE
Irdeto CAS enables pay TV operators to offer
a wide range of services, payment options and
supported devices. This in turn allows them to offer
increased choice, flexibility and convenience to
their customers.
Effective And Vigilant Anti-Piracy Efforts
Operators can’t afford to rely entirely on measures
and technologies aimed at preventing piracy. They
must respond effectively when piracy does occur.
In addition to the best-in-class security technology
at the core of Irdeto CAS, Irdeto continuously
provides advanced countermeasures as plug-ins to
www.irdeto.com © 2022 Irdeto. All Rights Reserved.
Introduce 4K Ultra HD (UHD) services with more
control
To obtain rights to early release movies or other
premium content, operators must comply with
MovieLabs’ Enhanced Content Protection (ECP)
requirements for Secure Media Pipeline (SMP) to
enforce output control. However, SMP must not
be implemented simply as an on/off switch to
allow 4K UHD content only on 4K TVs with HDCP
2.2 or above. Such an approach would severely
limit operators’ support for subscribers since most
devices in the home today do not support HDCP
2.2. To give operators more control, Irdeto CAS
allows operators to define granular enforcement
profiles to maximize their business models.
For example, 4K UHD content not subject to
MovieLabs ECP, such as sports or TV programs can
be viewed on 4K TVs with HDCP 1.4. Operators
can also maximize their 4K content investment by
providing a lower resolution version of the content
to HD, SD and analog TVs, enabled by the SMP
implementation in Irdeto CAS.
4K UHD early 4K UHD and Catch-up & Free to air
release, box office premium content VOD library content
SMP SMP SMP No
w/exceptions w/exceptions SMP
4K TV with HDCP 2.2
4K TV with HDCP 1.4+
SD & HD TV Down-res
Mobile devices Down-res
Analog TV Down-res
the system. These enhancements help operators
respond quickly to new threats and ensure rapid
recovery.
To effectively utilize these tools, Irdeto offers a
suite of services to help operators manage security
over the lifecycle of the content. These services
range from ensuring site security and auditing
operator platforms and devices, to watching and
defending on an on-going basis and keeping
security up-to-date to stay ahead of ever-evolving
security threats.
3
Renewable Security
The cornerstone of Irdeto’s security strategy is
renewability, enabling operators to update the
headend and deployed clients quickly and easily.
This renewability is powered by Irdeto’s unique
FlexiFlash mechanism which is integrated into
both the Irdeto software-based and smart card
clients, ensuring an end to costly card swaps.
FlexiFlash is used to introduce new features and
piracy countermeasures as plug-ins to the system,
resulting in shorter development, test and release
times and faster response and recovery when new
threats and incidents arise.
Future-proof cryptography
The Irdeto Key Management System (KMS) uses
the latest advances in cryptography to create
Irdeto-specific algorithms and an operator-unique
cryptographic layer, resulting in:
• No single point of security failure.
• Higher resistance against attacks with proven
cryptographic strength and indefinitely
updateable algorithms.
• Reduced impact from any individual threat – the
use of diverse primary keys across each device
type and model ensures that in the event of a
key being compromised, only a small subset
of devices can be affected. The risk cannot be
spread to other devices or operators.
The KMS is an essential component of the Irdeto
Integrated Management System (IMS) which allows
operators to centralize administration of content
security across both CA and DRM.
Countermeasures against control word sharing
(CWS)
Irdeto CAS provides effective defense against
CWS, including:
A heuristic algorithm to detect smart cards used for
control word redistribution.
An improved communications interface layer with
intellectual property rights (IPR) support to enable
prosecution when a smart card is used in emulation
STBs.
A variety of pay TV options
Irdeto CAS offers a large number of optional
modules to support advanced functionalities. This
www.irdeto.com © 2022 Irdeto. All Rights Reserved.
enables operators to provide more flexibility to
subscribers and increase ARPU. Supported services
include:
• 4K Ultra HD MovieLabs support with secure
media pipeline.
• Home network sharing.
• Video on demand (Subscription or pay per
view).
• Impulse pay per view (PPV).
• Personal video recorder (PVR).
• Digital rights management (requires PVR).
• CI+ Conditional Access Module (CAM).
• Proximity control.
• Remote ECM generator.
Flexible Deployment models
The Irdeto CAS can be deployed in multiple
different configurations and across a variety of
client devices to address unique business, security
and operational requirements. It can also be
provided as a managed service. Irdeto’s solutions
are compliant with industry standards, enabling
interoperability and ease of integration with third-
party products to provide maximum choice to
operators.
CI+ CAM for integrated digital television (iDTV)
A variety of pay TV services, such as home network
support and PVR, can be delivered directly to the
iDTV set without the need for an STB.
Home networking
Controlled sharing and distribution of subscriber
content across multiple screens (both secondary
TVs and unmanaged consumer devices) within a
household. This also includes options for Download
& Go on specific devices. For further information,
please visit Irdeto.com to see the Irdeto Home
Networking Security solution overview.
Multiroom
Content viewing in multiple rooms within a
household from a single subscription.
Proximity control
A cost-effective implementation to share content
on the PVR via the home network while preventing
STBs – and the content - from moving outside the
home.
4
 Content Distribution Consumer

Subscription,
pre-paid,
pre-enabled,
preview,
Irdeto Key Server PPV, PVR,
catch-up TV, VOD, Irdeto Smart Card
home networking etc.

Content

Irdeto Key Management

System Irdeto Cloaked CA

Broadcast or
IPTV network

Irdeto DVB Streamer or Irdeto-approved STB or CI+ CAM

other headend equipment with Secure Chipset

Figure 1. A flexible, renewable security solution that adapts to the demands of any pay TV market

GROUND-BREAKING TECHNOLOGY
Flexible Security Client Update
Irdeto Conditional Access is based on industry
leading technology allowing smart card and
software-based clients to be securely updated
in the field. This feature, called FlexiFlash, is
unique to Irdeto and allows for major security and
functionality updates to the subscriber devices.
Operators can use FlexiFlash to renew the
complete CA client.
redistribution and device software tampering.
Irdeto’s secure chipset solution is based on:
• The presence of an advanced security
descrambler chip in the STB or CAM.
• The unique personalization of this chip during
production.
• A pairing relationship between the security
client and the chip integrated into the device.

In Irdeto’s customer networks, FlexiFlash has been
proven to speed up the upgrade of functionality
and enable proactive security updates and rapid
response to piracy attacks. FlexiFlash helps
operators to maximize their return on investment
by extending the effectiveness of their CA solution,
and renew security clients without disrupting
subscribers’ viewing experience.
Secure Chipset
The Irdeto Secure Chipset solution is the ideal
response to the challenges of securing a STB or
CAM against two forms of piracy: control word
These attributes enable the smart card or
software-based client to be securely bound to a
device. In this solution, control word messages
are uniquely encrypted as they pass between the
Irdeto CA client and an advanced security chipset
in the device. They can only be decrypted by the
authorized STB chip which is paired to that card or
client. This unique pairing between the device and
the CA client ensures that targeted downloads can
only be received by the intended device. Enhanced
protection of the flash memory prevents attacks on
services processed by the device.

www.irdeto.com © 2022 Irdeto. All Rights Reserved. 5

A Choice Of Hardware And Software-Based CA
Client Solutions
Irdeto offers its customers the CA solution that best
suits their content protection and business model
requirements using both hardware and software-
based security clients. Both solutions, when used
with Irdeto’s Secure Chipset technology, provide
the same level of uncompromising protection
against the latest forms of piracy and are fully
upgradable while in the field. A unified headend
system enables the operator to easily manage both
clients, making a mixed-based deployment simple
and cost effective.
Each security client uses a “secure container” to
ensure it is highly robust against hacking, reverse
engineering and tampering. Irdeto smart cards
use the latest silicon technology available from
leading manufacturers, while Irdeto Cloaked
CA is protected by Irdeto’s innovative security
technology for source code obfuscation, data
transformations and white box cryptography. This
results in “cloaked” code that is meaningless to
anyone who should attempt to reverse-engineer it.
GROUND-BREAKING TECHNOLOGY
CAS-Related Services
Irdeto has an expert team of professionals to
support a global customer base. A full range
of professional services is available to meet
customers’ needs; including:
Integration and customization services
Requirements analysis for the design and
development of the project, integration support for
Irdeto components to manufacturers and partners,
and technical integration consultancy to help Irdeto
customers develop strategies and innovative ideas
for their business.
Headend implementation services
System preparation of the Irdeto headend
equipment and on-site installation services to help
operators install and integrate equipment with
minimal interruption to their services, and support
operators with acceptance testing.
www.irdeto.com © 2022 Irdeto. All Rights Reserved.
Architecture And Components
Each Irdeto CAS deployment consists of the
following components:
Irdeto Key Management System (KMS).
Irdeto Key Server.
Depending on the operator’s requirements, the
following components may also be deployed to
create a custom solution:
• Irdeto Rights – provides multi-DRM protection
for OTT and home networking to unmanaged
devices.
• Irdeto DVB Streamer – supports EPG services
and STB updates by injecting CA messages into
transport streams.
• Irdeto Pre-Encryption Server (PES) – enables
VOD services by encrypting VOD assets with
CA protection.
Training
On-site operational and intensive product training
to ensure the maintainability of the system.
Introductory and Foundation courses on CA are
also available. Customized training programs can
be developed on request.
Testing and field trial support
Develop tests and scripts, manage regression and
extensive systems testing, reporting progress using
quality software tools to deliver results to all levels
of audiences within or outside the organization.
STB and device verification testing is available, with
associated device manufacturer support.
STB security evaluation service
Provide operators with a comprehensive
assessment of their integrated 4K Ultra HD STB in
the context of the MovieLabs’ ECP requirements.
The service outlines how well the STB measures
up and recommends any improvements that can
6
be made to maximize the operators’ chance of
securing premium content. It can be performed
on all set-top boxes with Irdeto-certified secure
chipsets. For more information, please refer to the
STB Security Evaluation Service overview.
Security lifecycle services audit, update and
implementation services
Conduct an audit of the CAS location, configuration
and management processes based on CA Site
Security Certification requirements, help operators
mitigate the risk of piracy and fraud resulting from
incorrect and unsafe operation of the CAS, reduce
vulnerability to social engineering attacks.
Managed services
Provision of 24x7 Security Operations Center
(SOC) for 1st line support, off-air CA broadcast and
platform monitoring.
Customer support services
24x7 SOC for 1st line support, 2nd line support
for more complex problem analysis, bug fix
implementation, system upgrades and updates.
Piracy control and cybercrime management
For more information on this end-to-end suite of
services for brand and revenue protection, please
see the Piracy Control & Cybercrime Management
solution overview.

CA system optimization service

Provide an assessment of customer’s content
protection system and its environment in order
to give appropriate recommendations for
configuration, tuning, system implementation,
security improvement and to support
implementation of such recommendations.

SUMMARY
Irdeto CAS is a secure, flexible and cost-effective
CA System that addresses the full range of
security challenges faced by pay TV operators in
the modern market. It can be deployed as either
a cardless or smart card-based solution. The
software-based implementation, Irdeto Cloaked
CA, is the most advanced and widely deployed
cardless conditional access system for broadcast
operators worldwide. It has been independently protect the operator’s content investments,
audited and certified. It is most recently audited by revenue, and reputation. With approval from
Farncombe (Cartesian) in July 2017 for compliance leading licensing authorities such as Hollywood
to MovieLabs’ ECP requirements, where it received Studios and sports rights owners, the solution is
the highest possible score for enforcing the an integral part of negotiations to secure the most
stringent usage rules for 4K UHD premium content. attractive content including 4K Ultra HD.

In addition to uncompromised security based on
a hardware root of trust, Irdeto CAS is regularly
enhanced with new plug-ins that guard against
the latest content security threats. And if the
worst does happen, built-in renewability ensures
operators can rapidly and effectively recover
from any piracy incident. Together, these features
Selecting Irdeto CAS can deliver significant savings
on both capital and operational expenditure. Irdeto
Cloaked CA can reduce total cost of ownership
by as much as 40% through lower hardware,
distribution and management costs.

www.irdeto.com © 2022 Irdeto. All Rights Reserved. 7

Operators naturally keep their market under constant review because consumer demands are always
changing. To help our customers stay agile and fit for whatever the future brings, Irdeto CAS has built-
in support for a full range of business models and advanced features to suit developing business plans.
From home networking and PVR capabilities to pre-pay models or VOD streaming and downloads, over-
the-air deployment capabilities mean operators can develop, test and roll-out these new services quickly
and efficiently.

Irdeto is the world leader in digital platform cybersecurity, empowering businesses to innovate for a secure,
connected future. Building on over 50 years of expertise in security, Irdeto’s services and solutions protect revenue,
enable growth and fight cybercrime in video entertainment, video games, and connected industries including
transport, health and infrastructure. With teams around the world, Irdeto’s greatest asset is its people and diversity
is celebrated through an inclusive workplace, where everyone has an equal opportunity to drive innovation and
support Irdeto’s success. Irdeto is the preferred security partner to empower a secure world where people can
connect with confidence.

Last modification: 15-02-2022 / 11:40 am GMT+01:00

www.irdeto.com © 2022 Irdeto. All Rights Reserved. 8