Conditional access (abbreviated CA) or conditional access system (abbreviated CAS) is the protection of content by requiring certain criteria to be met before granting access to this content. The term is commonly used in relation to digital television systems (Both for Satellite and Cable delivery system).

In Digital Video Broadcasting

Under the Digital Video Broadcasting (DVB) standard, conditional access system (CAS) standards are defined in the specification documents for DVB-CA (conditional access), DVB-CSA (the common scrambling algorithm) and DVB-CI (the Common Interface). These standards define a method by which one can obfuscate a digital-television stream, with access provided only to those with valid decryption smart-cards. The DVB specifications for conditional access are available from the .

This is achieved by a combination of scrambling and encryption. The data stream is scrambled with an 48-bit secret key, called the control word. Knowing the value of the control word at a given moment is of relatively little value, as under normal conditions, content providers will change the control word several times per minute. The control word is generated automatically in such a way that successive values are not usually predictable; the DVB specification recommends using a physical process for that.

In order for the receiver to unscramble the data stream, it must be permanently informed about the current value of the control word. In practice, it must be informed slightly in advance, so that no viewing interruption occurs. Encryption is used to protect the control word during transmission to the receiver: the control word is encrypted as an entitlement control message (ECM). The CA subsystem in the receiver will decrypt the control word only when authorised to do so; that authority is sent to the receiver in the form of an entitlement management message (EMM). The EMMs are specific to each subscriber, as identified by the smart card in his receiver, or to groups of subscribers, and are issued much less frequently than ECMs, usually at monthly intervals. This being apparently not sufficient to prevent unauthorized viewing, TPS has lowered this interval down to about 12 minutes. This can be different for every provider, BSkyB uses a term of 6 weeks. When Nagravision 2 was hacked, Digital+ started sending a new EMM every three days to make unauthorized viewing more cumbersome.

The contents of ECMs and EMMs are not standardized and as such they depend on the conditional access system being used.

The control word can be transmitted through different ECMs at once. This allows the use of several conditional access systems at the same time, a DVB feature called simulcrypt, which saves bandwidth and encourages multiplex operators to cooperate. is widespread in Europe; some channels, like the CNN International Europe from the Hot Bird satellites, can use 7 different CA systems in parallel.

The decryption cards are read, and sometimes updated with specific access rights, either through a conditional-access module (CAM), a PC card-format card reader meeting DVB-CI standards, or through a built-in ISO/IEC 7816 card reader, such as that in the Sky Digibox.

Several companies provide competing CA systems; VideoGuard, Irdeto, Nagravision, Conax, Viaccess, Cisco, Mediaguard (a.k.a. SECA) are among the most commonly used CA systems.

Due to the common usage of CA in DVB systems, many tools to aid in or even directly circumvent encryption exist. CAM emulators and multiple-format CAMs exist which can either read several card formats or even directly decrypt a compromised encryption scheme. Most multiple format CAMs and all CAMs that directly decrypt a signal are based on reverse engineering of the CA systems. A large proportion of the systems currently in use for DVB encryption have been opened to full decryption at some point, including Nagravision, Conax, Viaccess, Mediaguard (v1) as well as the first version of VideoGuard.

Conditional access in North America

In Canadian and United States cable systems, the standard for conditional access is provided with CableCARDs whose specification was developed by the cable company consortium CableLabs.

Cable companies in the US are required by the Federal Communications Commission to support CableCARDs; standards now exist for two way communication (M-card) but satellite television has its own standards. Next generation approaches in the United States eschew such physical cards and employ schemes using downloadable software for conditional access such as DCAS.

The main appeal of such approaches is that the access control may be upgraded dynamically in response to security breaches without requiring expensive exchanges of physical conditional-access modules. Another appeal is that it may be inexpensively incorporated into non-traditional media display devices such as Portable media players.

Conditional access systems

Conditional access systems include:

Analog systems

Digital systems

CA IDNameDeveloped byIntroduced (year)SecurityNotes
0x4AEBAbel QuinticAbel DRM Systems2009Secure
0x4AF0ABV CASABV International Pte. Ltd2003Secure
 ?B-CASUsed in Japan only
0x1702, 0x1722, 0x1762reserved for various non-BetaResearch CA systemsFormally owned by BetaTechnik/Beta Research (subsidiary of KirchMedia). Handed over to TV operators to handle with their CA systems.
0x1700 – 0x1701, 0x1703 – 0x1721, 0x1723 – 0x1761, 0x1763 – 0x17ff, 0x5601 – 0x5604VCAS DVBVerimatrix Inc.
0x2600BISSEuropean Broadcasting UnionCompromised
0x4900China CryptCrytoWorks (China) (Irdeto)
0x22F0CodicryptScopus Network Technologies (now part of Harmonic)Secure
0x4AEACryptoguardCryptoguard AB2008Secure
0x0B00Conax ContegoConax ASSecure
0x0B00Conax CAS 5Conax ASCompromisedPirate cards has existed
0x0B00Conax CAS 7.5Conax ASSecure
0x0B00, 0x0B01, 0x0B02, 0x0BAAConax CAS 7Conax ASCompromisedCardsharing
0x0B01, 0x0B02, 0x0B03, 0x0B04, 0x0B05, 0x0B06, 0x0B07Conax CAS 3Conax ASCompromisedPirate cards has existed
0x4AE4CoreCryptCoreTrust(Korea)2000S/W & H/W SecurityCA for IPTV, Satellite, Cable TV and Mobile TV
0x0D00, 0x0D02, 0x0D03, 0x0D05, 0x0D07, 0x0D20CryptoworksPhilips CryptoTecPartly compromised (older smartcards)
0x4ABFCTI-CASBeijing Compunicate Technology Inc.
0x0700DigiCipher 2Jerrold/GI/Motorola 4DTVSecureDVB-S2 compatible, used for retail BUD dish service and for commercial operations as source programming for cable operators
0x4A70DreamCryptDream Multimedia
0x2719,0xEAD0VanyaCasS-Curious Research & Technology Pvt. Ltd., Equality Consultancy Services
0x5501GriffinNucleus Systems, Ltd.
0x5581Bulcrypt2009Used in Bulgaria and Serbia
0x0606Irdeto 1Irdeto1995Compromised
0x0602, 0x0604, 0x0606, 0x0608, 0x0622, 0x0626, 0x0664, 0x0614Irdeto 2Irdeto2000Compromised
0x0692Irdeto 3Irdeto2010Secure
0x4AA1KeyFlySIDSAPartly compromised (v. 1.0)
0x0100Seca Mediaguard 1SECACompromised
0x0100Seca Mediaguard 2 (v1+)SECAPartly compromised (MOSC available)
0x0100Seca Mediaguard 3SECA2008
0x1800, 0x1801, 0x1810, 0x1830NagravisionNagravision2003Compromised
0x1801Nagravision CarmageddonNagravisionCompromisedCombination of Nagravision with BetaCrypt
0x1702, 0x1722, 0x1762, 0x1801Nagravision AladinNagravisionCompromised
0x1801Nagravision 3 - MerlinNagravision2007Secure
0x1801Nagravision - ELKNagravision2008?SecureIPTV
0x4A02TongfangTsinghua Tongfang CompanySecure
0x4AD4OmniCryptWidevine Technologies2004Used only for adult television channels
0x0E00PowerVuScientific AtlantaCompromisedProfessional system widely used by cable operators for source programming
0x0E00PowerVu+Scientific AtlantaCompromisedProfessional system used by cable operators for source programming
0x1000RAS (Remote Authorisation System)Tandberg TelevisionProfessional system, not intended for consumers.
0x4AC1Latens SystemsLatens2002
0x4A60, 0x4A61, 0x4A63SkyCrypt/Neotioncrypt/Neotion SHLAtSky/Neotion[2]2003
0x4A80ThalesCryptThales Broadcast & Multimedia[3]Viaccess modification. Was developed after TPS-Crypt was compromised.[4]
0x0500TPS-CryptFrance TelecomCompromisedViaccess modification used with Viaccess 2.3
0x0500Viaccess PC2.3, or Viaccess 1France TelecomCompromised
0x0500Viaccess PC2.4, or Viaccess 2France Telecom2002Compromised
0x0500Viaccess PC2.5, or Viaccess 2France TelecomCompromised
0x0500Viaccess PC2.6, or Viaccess 3France Telecom2005Compromised
0x0500Viaccess PC3.0France TelecomCompromised
0x0500Viaccess PC4.0France Telecom2008Compromised
Viaccess PC5.0France Telecom2011Secure
Viaccess PC6.0France TelecomSecure
VideoCrypt INews Datacom
VideoCrypt IINews Datacom
VideoCrypt-SNews Data com
0x0930, 0x0942Cisco VideoGuard 1NDS (now part of Cisco)1994Partly compromised (older smartcards)
0x0911, 0x0960Cisco VideoGuard 2NDS (now part of Cisco)1999Secure
0x0919, 0x0961, 0x09ACCisco VideoGuard 3NDS (now part of Cisco)2004Secure
0x0927, 0x0963, 0x093b, 0x09CDCisco VideoGuard 4NDS (now part of Cisco)2009Secure
0x4AD0, 0x4AD1X-CryptXCrypt Inc.Secure
0x4AE0, 0x4AE1, 0x7be1DRE-Crypt2004Secure