Conditional Access System (CAS) Overview

Conditional Access System (CAS) is the core technology of pay TV. Understanding how it works, and mastering its use and maintenance, is essential to building a successful pay TV service.


1. Basic principles of conditional access

A CAS is made up of a subscriber management system (SMS), a service information generation system (SIG), a program management system (PMS) / SI editing system, a program scheduling system (EIS), a subscriber authorization system (SAS), the conditional access (CA) system itself, and so on. There are two main blocks: the SMS, which manages users, and the CA, which manages programs. The CA is divided into two parts. The first is signal scrambling: a random value produced by a random number generator, called the control word (CW), drives the scrambler that scrambles the signal. The second is encryption. For the scrambled signal to be descrambled at the receiving end, the receiver must hold exactly the same control word as the scrambling end to drive its descrambler. If the head end transmitted the CW in the clear it could easily be intercepted, making the CAS useless, so the CW is encrypted before transmission. This encryption is multi-layered, which increases the security of CW transmission. The first layer encrypts the CW itself; the resulting ciphertext is called the authorization control message (ECM) and is sent through the multiplexer together with the scrambled stream. The ECM also carries information such as time, program price and program access control, so the ECM is program-oriented management information. The key used to encrypt the CW is called the work key (SK). The SK is usually called the monthly key because it is changed once a month, and every time the SK changes the system must re-authorize all users. The second layer encrypts the SK with a program key (PDK); that ciphertext, together with the authorization information obtained from the SMS, forms the authorization management message (EMM), which is generated by the SAS.
The EMM also carries the smart card number, the authorization time and user authorization information such as the authorization level. Its job is to authorize the user, so the EMM is user-oriented management information: it tells the user's card which channels may be watched and when. The EMM is likewise sent through the multiplexer together with the scrambled stream. This is the most basic encryption structure of a CA.

To prevent the key from being intercepted in transit, a two-key method is generally used: each user is assigned a key pair. One key, held only by the user, is called the private key and is used only for decryption; it is usually stored in the user's smart card. The other is the public key, which is used only for encryption. The algorithm binds the two keys in a one-to-one correspondence, so that whatever the public key encrypts can be unlocked only by the corresponding private key. The key itself therefore never has to be transferred directly, which gives high security. This authentication process is called a digital signature. Since the private key (PDK) is generally stored in the user's smart card, decryption of the EMM at the receiving end is unique: a smart card can only decrypt the EMM associated with it. Once the EMM is decrypted, the card holds everything needed to decrypt the ECM; decrypting the ECM yields the CW, which is passed to the descrambler in the set-top box to complete descrambling. The whole decryption process runs inside the smart card's decryption system. Authorization uses central addressing together with the smart card, and proceeds as follows:

The set-top box detects that the DVB stream is scrambled, starts the card reader, loads the smart card management program into the central processor and reads the smart card's card number. It then finds the PSI in the transport stream, finds the conditional access table (CAT) in the PSI, and locates the EMM packets using the EMM packet identifier (PID) given in the CAT. The smart card's card number is then checked against the card number in the EMM's authorization information, that is, an address comparison is performed. If the check fails, a message on the screen tells the user that they are not authorized to watch. If it succeeds, the ECM and EMM are passed to the smart card and its decryption program is called (to strengthen CAS security, the entire decryption process runs inside the smart card). The private key (PDK) in the smart card decrypts the EMM and ECM layer by layer, yielding the SK and then the CW, and the CW is returned to the set-top box to descramble the program stream (as shown in Figures 1 and 2). The SK is also stored in the smart card, so later decryption and descrambling can use the SK in the card directly and the authorization process need not be repeated. From then on the system only needs to transmit the ECM (in general the CW changes every 5 to 10 seconds, so the ECM is likewise sent every 5 to 10 seconds). A new authorization process starts only when the operator wants to update the SK. Usually, each time the SK is updated, the operator must send EMMs continuously for several days (depending on the number of users) to authorize all users.
Users whose receivers were switched off throughout the authorization period can contact the operator by phone; after the head end confirms their identity, a dedicated EMM is sent to that user.
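The two-layer key hierarchy and receiver flow described above, modelled in Python as an added example (not code from the original article). It uses a SHA-256 keystream as a stand-in for the real CA cipher, and the card numbers and keys are constructed; the address comparison, SK caching and ECM-only CW rotation follow the steps given in the text.

```python
import hashlib
import os


def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256-derived keystream.
    Stand-in for the proprietary CA algorithm; the same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class HeadEnd:
    """Head end: the SAS issues EMMs (SK under each card's PDK); the CA issues ECMs (CW under SK)."""

    def __init__(self, pdk_by_card: dict):
        self.pdk_by_card = pdk_by_card   # card number -> PDK (the card's private key)
        self.sk = os.urandom(16)         # work key SK, the "monthly key"
        self.cw = os.urandom(8)          # control word driving the scrambler

    def emms(self, authorized_cards) -> list:
        """One EMM per authorized card: card number in clear, SK encrypted under that card's PDK."""
        return [{"card": c, "sk_enc": keystream_xor(self.pdk_by_card[c], b"EMM", self.sk)}
                for c in authorized_cards]

    def rotate_cw(self) -> dict:
        """Every 5-10 s the CW changes; only a fresh ECM is sent, no new EMM."""
        self.cw = os.urandom(8)
        return {"cw_enc": keystream_xor(self.sk, b"ECM", self.cw)}


class SmartCard:
    def __init__(self, card_number: int, pdk: bytes):
        self.card_number = card_number
        self.pdk = pdk
        self.sk = None                   # cached SK after a successful EMM

    def process_emm(self, emm: dict) -> bool:
        """Address comparison first; only an EMM addressed to this card is decrypted (layer 2)."""
        if emm["card"] != self.card_number:
            return False
        self.sk = keystream_xor(self.pdk, b"EMM", emm["sk_enc"])
        return True

    def process_ecm(self, ecm: dict):
        """Layer 1: recover the CW with the cached SK; None means 'not authorized'."""
        if self.sk is None:
            return None
        return keystream_xor(self.sk, b"ECM", ecm["cw_enc"])


def demo() -> tuple:
    pdks = {1001: os.urandom(16), 1002: os.urandom(16)}   # constructed card numbers and keys
    head = HeadEnd(pdks)
    card_a, card_b = SmartCard(1001, pdks[1001]), SmartCard(1002, pdks[1002])
    # The SAS authorizes only card 1001 this month; card 1002 sees no EMM addressed to it.
    for emm in head.emms([1001]):
        card_a.process_emm(emm)
        card_b.process_emm(emm)
    ecm = head.rotate_cw()   # later CW changes need only the ECM; SK stays in the card
    return card_a.process_ecm(ecm) == head.cw, card_b.process_ecm(ecm)
```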

There are the following ways to change the authorization:

1. When the head-end SMS finds that a user's subscription has expired, it instructs the CA to close that authorization and sends an EMM to update the SK and re-authorize.

2. The authorization time stored in the smart card is compared with the time in the downlink signal (carried in the ECM); if the downlink time is not within the authorized interval, the authorization is revoked.

3. The authorization information stored in the smart card is compared with the additional parameters in the ECM; if the program's access conditions are not met, the authorization is revoked.

To give users more choice when ordering programs, CAS offers pay-per-view (PPV) and impulse pay-per-view (IPPV) in addition to the basic subscription. Such authorization modes, including time-based payment, are attached to the program and described by additional parameters (reservation type, PPV fee, preview time, etc.), which are generally carried in the ECM alongside the control word. The smart card stores several private keys, each corresponding to one authorization mode, and each type of authorization corresponds to its own EMM.

Looking at the whole authorization process, the security of the CAS rests on the confidentiality of the smart card, so the smart card must have reliable anti-copy (anti-cloning) protection.

Different program product packages (one or more TS streams made up of one or more programs) each have their own ECMs and EMMs: each product package corresponds to one ECM and multiple EMMs, the number of EMMs depending on how many users subscribe to it. Packaging can take a unicast or a multicast form.

Unicast uses a single program as a product package. Users can buy any one or more packages, which is very flexible for them, but the volume of authorization information is large. Suppose each EMM is 100 bytes, there are 600,000 users and 60 programs, i.e. 60 product packages, with 6 packages per transmission channel (one QAM modulator). If every user buys every package (the extreme case), 60 ECMs are generated, the smart card must store 60 different SKs, and each program is decrypted with its own SK. The total EMM data volume is 600000*100*8*60 = 28800 Mb. Such a large volume lengthens the authorization time, which affects users' normal viewing.

Multicast groups several programs into one product package, which users buy as a bundle. This form is mostly used in the early stage of digital TV development, where it supports promotions such as "buy one, get two". It reduces the amount of both ECM and EMM data. With the same 100-byte EMM, 600,000 users and 60 programs, grouping 6 programs per package gives 10 product packages, each occupying one transmission channel (one QAM modulator). If every user again buys every package, 60 ECMs are still generated, but the total EMM data volume is 600000*100*8*10 = 4800 Mb, far less than in the unicast case.

To shorten each authorization round, channel bandwidth can be allocated sensibly or a scheduling algorithm used. For example, with 64QAM at a symbol rate of 6.875 Msymbol/s, each channel carries (6.875*6*188)/204 = 38 Mb/s of payload (64QAM has a theoretical spectral efficiency of 6 bit/s/Hz; 188 and 204 come from the RS coding structure, in which 188 of every 204 bytes are payload and 16 are redundancy bytes for error correction). About 5 Mb/s can be reserved for EMM, SI and other information, and the remaining 33 Mb/s should carry no more than 6 TV programs. The average video bit rate is then about 5 Mb/s, at which the naked eye notices no degradation in picture quality.
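The unicast/multicast EMM volumes and the QAM channel budget above, carried through in Python as an added example (not from the original article). It goes one step beyond the text by estimating how long one pass over a channel's EMMs takes at the reserved rate; the assumption that the whole 5 Mb/s reservation is available to EMMs (none used by SI) is constructed here.

```python
def ts_payload_rate(symbol_rate: float, bits_per_symbol: int,
                    packet: int = 188, coded: int = 204) -> float:
    """Usable transport-stream payload rate in bit/s after RS(204,188) overhead.
    64QAM carries 6 bit/symbol; 188 of every 204 coded bytes are payload."""
    return symbol_rate * bits_per_symbol * packet / coded


def emm_volume_bits(users: int, emm_bytes: int, packages: int) -> int:
    """Total EMM data for one authorization round when every user buys every
    package: one EMM per user per product package."""
    return users * emm_bytes * 8 * packages


def channel_pass_seconds(users: int, emm_bytes: int, packages_on_channel: int,
                         emm_rate: float) -> float:
    """Time for one full pass over the EMMs carried on a single channel.
    Assumption: the whole reserved rate is available to EMMs (no SI share).
    Operators repeat the pass for days because many receivers are switched off."""
    return emm_volume_bits(users, emm_bytes, packages_on_channel) / emm_rate


def compare_unicast_multicast(users: int = 600_000, emm_bytes: int = 100,
                              programs: int = 60, programs_per_package: int = 6,
                              symbol_rate: float = 6.875e6, reserved_rate: float = 5e6,
                              programs_per_channel: int = 6) -> dict:
    """Reproduce the article's worked figures and add per-channel pass times."""
    payload = ts_payload_rate(symbol_rate, 6)
    unicast_packages = programs                               # one program per package
    multicast_packages = programs // programs_per_package     # 6 programs per package
    return {
        "payload_rate_mbps": round(payload / 1e6, 2),
        "video_per_program_mbps": round((payload - reserved_rate) / programs_per_channel / 1e6, 2),
        "unicast_emm_mb": emm_volume_bits(users, emm_bytes, unicast_packages) / 1e6,
        "multicast_emm_mb": emm_volume_bits(users, emm_bytes, multicast_packages) / 1e6,
        # unicast: 6 packages share a channel; multicast: each package has its own channel
        "unicast_channel_pass_s": channel_pass_seconds(users, emm_bytes, 6, reserved_rate),
        "multicast_channel_pass_s": channel_pass_seconds(users, emm_bytes, 1, reserved_rate),
    }
```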

2. Relationship between SMS and CA

In a CAS, the SMS issues authorization tasks to the CA, and the CA generates and transmits the authorization information. The SMS controls users through the CA; programs are packaged in different combinations to produce different products, and the corresponding instructions are issued by the SMS through the CA. The SMS is really an operational management software platform that provides a complete and effective management and support system for integrated operations management. It integrates user management, billing, accounting, customer service, statistical analysis, decision support and customer relationship management, and is an indispensable tool for operators developing pay TV and other value-added services. The SMS uses a three-tier architecture:

1. Database: stores information on users, finances and user terminal equipment.

2. Application services: program product packaging and pricing according to operating needs, and initialization definitions for set-top boxes and smart cards.

3. Client applications: user management, financial management and operating strategy management.

SMS and CA are inseparable: the SMS turns the CA's way of encrypting programs into an intuitive, market-oriented product form, and a user's purchase is reflected in the authorization behaviour of a specific smart card.

In addition, program management in China uses a multi-level, hierarchical authorization structure. This requires a unified interface and data format between SMS and CA, and a unified interface protocol (such as IP) between the SMS at each level, to facilitate networking.

3. Operating modes of CA

The CA also has two operating modes: simulcrypt and multicrypt. Simulcrypt is geared to future technical upgrades of the CA and has no direct relation to pay TV operations. In simulcrypt the head end uses two or more CAs, each processing the CW with a different encryption system and generating its own ECMs and EMMs, while the scrambler and the CW are shared. When an operator finds that the CA it chose no longer meets its needs, it will consider replacing it with a new one. Since existing users still use the old set-top boxes, the old CA cannot simply be removed; instead the new CA runs in simulcrypt with the old one, letting a single digital broadcast platform operate two CAs at once. Existing users keep their original set-top boxes and newly recruited users get the new ones. The two CAs coexist on the platform for a transition period until the new CA is in general use and the old set-top boxes have gradually dwindled to none.

Multicrypt is an operation-oriented mode with a direct bearing on pay TV operations. In multicrypt, several different CAs run simultaneously on the digital head end, creating a platform for multiple vendors. Each program provider defines the content and mode of its own programs and protects its interests through its own CA. For example, central and provincial pay channels do not want to be controlled by the local operator, and it is hard for the operator to require every program provider to use the operator's CA; instead provider and operator share revenue by agreement. This is the CA's multicrypt operating mode. It requires the set-top box to integrate several descramblers and decryption algorithms, which raises its cost considerably. In addition, set-top box manufacturers must coordinate with several CA vendors during production, which is very inconvenient. Multicrypt is therefore not well suited to wide promotion and application.

In fact, in 2003 the Science and Technology Department of the State Administration of Radio, Film and Television published two application models for CAS: a decryption mode and a non-decryption mode.

Decryption mode: the program provider's stream is delivered to the operator's digital head end, descrambled there back to a clear program stream, then encrypted by the operator's own CA system and transmitted to users; all programs are managed uniformly by the operator. In this model the operator can use a single CA or several CAs in simulcrypt.

Non-decryption mode: when the program provider and the operator use the same CA system, the provider's program stream passes through the operator's digital head end without being descrambled and goes straight to the user. The user sends a request to watch the provider's program to the operator's SMS, which forwards it to the provider's SMS, and the provider's SMS issues the user's authorization through its own CA system. The operator relays the provider's scrambled program stream to the user unchanged. The user terminal uses a partitioned smart card: the provider's CA system key and the operator's CA system key are loaded into separate partitions, and the terminal selects which key to descramble with according to the CA system identifier in the scrambled program stream.

4. Machine-card separation schemes

At present, set-top box production involves operators, set-top box manufacturers and CA vendors. The operator must first decide which CA system to use, and the set-top box manufacturer must then embed that CA module in the box to the CA vendor's requirements before production can be completed. The resulting box suits only one operator, lacks versatility and competitiveness, and offers the user no individual choice; it cannot be sold in ordinary shops, which hinders its adoption. Hence the idea of "machine-card separation": all CA hardware and software in the set-top box are integrated into a single module, the CA function is performed independently by a dedicated integrated circuit and smart card, and the CA is no longer processed directly in the set-top box. The CA module is housed in a PCMCIA card and communicates with the set-top box through a common interface (CI). The set-top box thus becomes generic. The drawback of this scheme is the added cost of the PCMCIA card.

Another solution: because every CA vendor wants its CA products to support as many kinds of set-top box as possible, it is willing to provide a CA solution for any set-top box to manufacturers and operators. To meet operators' varied application needs, CA vendors or set-top box manufacturers load various CA modules into any set-top box, freeing manufacturers and operators from CA concerns; users then enable different CAs with different smart cards. This solution is still evolving.

A further scheme is called hardware-software separation. The CA kernel software supplied by the CA vendor includes the CA workflow, the CA algorithm, the communication protocol between the CA and the set-top box, the communication protocol between the CA system and the smart card, and the external instructions needed for the various descrambling operations. The CA kernel is built on five underlying driver modules inside the set-top box.

Viewed dynamically, all five modules must be handled by the CA. The first is the operating system, since the CA process must be managed by it; the second is the on-screen display system, which shows the CA's own messages to communicate with the operator. These two modules exist independently of the application. The third is the demultiplexer driver: the CA must operate the demultiplexer to obtain the specific streams it needs. The fourth is the descrambler: the CA kernel must directly control the descrambler to descramble the scrambled program source. The fifth is the communication module: in certain situations (such as online on-demand) the CA must handle the communication interface, including the return channel, downloads and so on. The last three modules are all hardware related. From this analysis, whichever CA is used, only five software interfaces to the five underlying modules are needed. If a common CA software interface (API) standard can be defined, driver developers build drivers conforming to that API and the CA kernel targets the same API; the CA kernel then interacts with the underlying modules directly through the API, solving the compatibility problems between set-top boxes and CAs at a stroke. That only settles the CA kernel's compatibility with the lower layer, i.e. how the CA gets into the set-top box; there remains the CA application problem. Since the CA's functions must also be exposed through the application, an application-oriented CA application services API must be defined in the same way as the underlying software API.
High-end set-top boxes can define the API at the middleware level, while mass-market boxes can interface directly with the application layer. With standard APIs for both drivers and applications, set-top box manufacturers can release and sell boxes without CA software, and an operator need only download its chosen CA and application software to the user's box to start operating services. This is the so-called "hardware-software separation" set-top box model.

In summary, CAS is the core technology of digital TV. At present, when several CAs run on the same platform, the simulcrypt operating mode is appropriate. Machine-card separation is a production and sales strategy for set-top boxes, aimed at selling set-top boxes on the open market; it is one of the necessary technical means for developing digital TV.
