
The evolution of content protection


A Farncombe White Paper Sponsored by Irdeto

June 2013

Farncombe White Paper

Table of Contents

1. Introduction
2. Market evolution
   2.1 The main players
   2.2 How the market is developing
   2.3 The causes of market evolution
       Reasons for the rise of DRM
3. Business and Technology Challenges
   3.1 The differences between CA and DRM
       The CA model
       The DRM model
   3.2 The changing nature of content piracy
   3.3 Ongoing management of devices
   3.4 Implications for pricing
   3.5 Implementing DRM in Devices
4. Market adoption
5. Conclusions and Recommendations for DRM Adopters
   The need for robust security implementations on connected devices is increasing
   CAS and DRM have different models and pricing cannot easily be compared
   AES is facilitating the growth of DRM-based security solutions
   In-home distribution of premium content requires bridging solutions
   Complexity of DRM implementation (and time-to-market) is context-dependent
   Combating modern piracy requires more than just CA and DRM
6. About Farncombe
7. About Irdeto


Copyright 2013 Farncombe


1. Introduction
Conditional Access Systems (CAS) and Digital Rights Management (DRM) once inhabited two completely
different sectors, not surprisingly, because they were invented for two different purposes:

• CA technologies evolved in one-way broadcast environments in the early 90s to protect the
  transport of video content and control access to it, and were adopted by vertically integrated
  pay-TV operators to ensure that only those subscribers who had purchased their premium content
  could view it.
• DRM came later, and was created by the publishing industry for an already connected world, where
  it was used to control consumers' usage rights to premium textual and graphical content acquired
  over the Internet: it was not generally deployed to control access or protect transport.

However, the recent trend towards on-demand video consumption has caused these formerly distinct roles
to evolve and merge.

Today, CA solutions can be found managing viewers' rights to consume video on-demand from Digital Video
Recorders (DVRs), while the boom in TV Everywhere consumption on handheld devices has meant that the
DRM solutions they integrate are being increasingly deployed to protect video distribution and control access
to it.

This White Paper investigates some of the issues this development raises, focussing on the recent shift in the
TV market towards the adoption of DRM-based content protection solutions, and assesses the main drivers
for this change, taking an in-depth look at the business and technology implications for market players
wishing to adopt a DRM approach.

Our broad conclusion is that properly-implemented DRM can be as effective a mechanism for protecting
premium video content as properly-implemented CAS, but it is not as easy to implement in a robust
manner, and therefore not as inexpensive as may be popularly supposed.

2. Market evolution
2.1 The main players

For the purposes of this White Paper, we define a Conditional Access System or CAS as a content-protection
solution used in a managed network, either one-way or two-way. CAS generally uses entitlements
management and encryption to control content consumption, and has traditionally been deployed to protect
premium content delivered in a vertically integrated solution to receivers controlled by a pay-TV operator,
using a hardware-based approach (usually smartcards, although cardless CA systems also exist [1]).

By contrast, Digital Rights Management (DRM) products have emanated from the publishing industry,
initially being used to protect textual or graphical content delivered over un-managed, horizontal networks
such as the Internet. DRM generally uses a combination of licences and keys to deliver rights to content, and
has latterly been applied to over-the-top (OTT) video for consumption on handheld/portable devices such as
laptops, tablets, and smartphones. Generally, DRM solutions take a software-based approach.

These distinctions have become increasingly fuzzy (which is partly what this White Paper is about), but they
can be helpful in understanding the players and their different business models.

In the CAS camp, we would list the principal players as China Digital TV, Cisco (NDS), Conax, Irdeto, Motorola,
Nagra, Latens, Viaccess-Orca, and Verimatrix. A number of these have added DRM products to their line-ups
in recent years.

The table overleaf ranks them according to estimated revenues [2].

[1] See recent Farncombe White Paper on Cardless Broadcast Security: http://www.farncombe.com/2012/10/farncombe-publishes-white-paper-on-the-future-of-cardless-ca-systems/
[2] Ranking is based on Irdeto internal revenue estimates based on commercially-confidential data

Figure 1: Traditional CA players ranked by estimated revenue

Ranking | Company               | CAS Platform
1.      | Cisco (NDS)           | VideoGuard
2.      | Nagra                 | MediaAccess
3.      | Irdeto                | Irdeto CAS
4.      | Arris (Motorola Home) | MediaCipher
5.      | China Digital TV      | Novel Supertv
6.      | Conax                 | Contego
7.      | Viaccess-Orca         | VO
8.      | Verimatrix            | VCAS
9.      | Latens                | Titanium

Source: Ranking by revenue based on Irdeto internal estimates.

Meanwhile, the main DRM players are Adobe, Apple, Marlin (Intertrust), Microsoft, and Widevine. They are
listed in the table below alphabetically rather than ranked by revenue, since in most cases DRM sales are
incidental in revenue terms to their main business, or do not figure at all (e.g. Apple).

Figure 2: Main DRM players

Company   | DRM Platform
Adobe     | Adobe Access
Apple     | FairPlay
Marlin    | Intertrust
Microsoft | PlayReady
Widevine  | Multiplatform DRM

Source: Farncombe research

2.2 How the market is developing



ABI Research forecasts that from 2012 to 2018 revenues associated with conditional access (CAS) to set-top
boxes will decline by 10% while revenues associated with multiscreen content delivery will more than
double. Driving this transition is a transition of set-top box shipments from high-ARPU markets to emerging
markets, as well as an increase in content delivery via over-the-top (OTT) platforms and to multiscreen devices,
according to ABI Research Practice Director Sam Rosen.


According to research by IHS Screen Digest, by 2015, 49% of all devices obtaining television services from the
largest global pay-TV operators will be PCs, smartphones, tablets and other multiscreen devices, up from
18% in 2011. Set-top boxes will account for the other 51%, having declined from 82% of all devices over the
same period (see Figure 3 below).

Figure 3: Forecast of Installed Base of Set-Top Boxes and Active Multiscreen Devices Accessing Pay-TV
Services for 43 of the Largest Operators (Thousands of Units)

[Chart: 2010 to 2015; series: Active Multiscreen Devices, STB Installed Base of Multiscreen Operators]

Source: IHS Screen Digest July 2012

Almost universally, the non-STB devices will use software-based DRM-type solutions to protect video
content, for reasons that we explore in the rest of this section.
These developments are taking place in an environment where the nature of piracy attacks is also changing:
broadly speaking, where before hacks tended to be directed at revealing the secret keys used to scramble
content, the objective today is increasingly the redistribution of illegally-acquired content over broadband
networks.
The implication of this switch in piracy tactics is that an operator needs to do much more to secure its
content than simply to deploy a CA or DRM system, a point we develop further in Section 3.

2.3 The causes of market evolution


Reasons for the rise of DRM
The Common Scrambling Algorithm was intended to prevent reception of video on PC-like devices
When the DVB defined its CA approach in 1995, it stated that two routes to develop the market for digital
television reception should be encouraged. The first of these was interoperability of CAs, delivered either
through a Simulcrypt or Multicrypt approach; the second was the enabling element of the Common
Scrambling Algorithm (CSA) and its inclusion, in Europe, in all receivers able to descramble digital signals so
as to enable the concept of the single receiver in the home of the consumer. [4]

The CSA was only to be implemented in hardware, in order to sideline the PC as a potential receiving-device.
As a former member of the DVB's CA Specialist Group recalled, it was considered a reasonable target at that
time to specify the key length of the CSA such that it ought to remain resistant to brute force attacks for a
period of 10 years. In other words it should be designed in such a way that the kind of computing power
available to consumers, even in 10 years' time, would be unlikely to be able to calculate the algorithm's code
in real time.

[3] See: http://bit.ly/11GDTQF
[4] DVB press release issued 9 March 1995

Given the boom in video consumption on high-powered PC-like devices such as smartphones and tablets,
that approach may no longer be applicable in today's world, but its legacy has left CA vendors trying to
access a market that DVB sought to exclude.

Increasing consumption of (HD) OTT video
Smartphones and tablets in particular are having a significant impact on the number of video streams being
viewed, while the increasing broadband bandwidth available is making it ever more possible to consume
high-resolution formats such as HDTV on these second screens:

• Cisco's latest Global Mobile Data Traffic Forecast Update for 2012-2017 says that global mobile data
  traffic [5] grew 70% in 2012, largely on the back of increased video consumption, which exceeded 50%
  of all traffic by the end of last year. The company forecasts that mobile video will grow at a CAGR of
  75% between now and 2017, generating two-thirds of mobile data traffic by 2017.
• Cisco also argues that as mobile network connection speeds increase, the average bit-rate of content
  accessed through the mobile network will increase, predicting that high-definition video will be
  more prevalent.

Thus not only is the amount of video being consumed on handheld/portable devices increasing, but,
because of the trend towards HD, which is a premium product, there is a greater need to protect it.

Of itself, this would merely signify an increased requirement for the deployment of content security
solutions in general (i.e. both CAS and DRM), but because of the nature of these new devices and the type of
networks they use, DRM is the only choice, for the reasons outlined below.

New connected devices do not use smartcards
The devices that are principally responsible for the explosion in the consumption of IP video, namely tablets
and smartphones (and to a lesser extent PCs), do not contain broadcast tuners. This causes a problem for
pay-TV operators, who need to be able to offer the content their customers want on all the devices they own
in order to preserve its value.

In a DVB context, content security is ensured using a mandated hardware-based Common Scrambling
Algorithm (CSA), and similarly for ATSC in the USA. However, there is no such hardware-based requirement for
non-DVB or ATSC devices: so instead, such connected devices have adopted DRM systems based on the use
of the Advanced Encryption Standard (AES). This is because it is much easier for a manufacturer to
incorporate a DRM technology that uses AES than it is to incorporate a CAS that is linked to a mandatory
hardware-based decryption mechanism.

Two-way environments do not require smartcards
As argued in a previous White Paper [6], in two-way network environments, the arguments are broadly in
favour of the adoption of cardless systems. Properly implemented, software-based content security systems
such as those deployed by Apple and others have been shown to be effective in protecting the distribution of
premium content on the Internet and other types of two-way communications networks.

Perception that DRM is cheaper than CA
Farncombe's interactions with TV industry players suggest that there is a tendency for DRM to be regarded
as generally less expensive to implement than CA. Later in this White Paper we explain in some detail why
we think this view is based on a misconception about the nature of the two different approaches and their
differing cost models. However, whatever the rights and wrongs of the argument, this perception has
exerted some influence on persuading the industry to opt for DRM solutions rather than CA-based ones.

DRM market less fragmented than CA market
CAS predates DRM, and was for that reason originally a far more prevalent tool for protecting content than
DRM. However, it inhabits a highly fragmented market, in which CA implementations generally have to be
tailored to specific types of devices in specific territories, for individual operators. Today's CE manufacturers,
on the other hand, address global markets with generic products such as TV sets, PCs, tablets and
smartphones, and they derive economic efficiencies from these being as undifferentiated as possible. A
player like Microsoft can offer them a single DRM solution across their entire product range, something that
CAS vendors do not generally have the reach to deliver.

[5] Note that Cisco's definition encompasses traffic off-loaded from cellular networks to fixed-line broadband; indeed, Cisco is
forecasting that mobile off-loading will increase from around a third of traffic in 2012 to nearly half in 2017.
[6] http://www.farncombe.com/2009/05/tv-conditional-access-systems-in-two-way-environments/, see p.14

Competition from native IP players
The traditional security system providers have been slow to develop their own cardless solutions, and
even where they have done so they have encountered competition from technology providers in the IPTV
and OTT space, especially Microsoft and Apple, whose respective installed bases are much larger than
any pay-TV platform's. Since these consumer device manufacturers address businesses and usages that
are natively IP-based, they have naturally constructed their security and cost models from the outset on
very different paradigms from those on which traditional pay-TV businesses were grown, and these have
proved attractive to IPTV and OTT players. The result is that smartcard-based security systems have found
it difficult to colonize these native IP environments.

Product differentiation failure
Comparisons between CA and DRM solutions are often misleading because the former tends to be aimed at
addressing security of the transport of broadcast content, while the latter tends to be used for facilitating
transactions. In practice, solutions falling into the first category usually appear more expensive than the
second, for reasons we explore later. However, when pricing their own cardless solutions for the
transactional end of the market, traditional security system vendors have often ignored industry perceptions,
and have not adjusted their offers accordingly.

The control-word sharing risk
It is now well-known that the way in which the DVB approach to CA implements the CSA makes piracy
attacks possible through so-called control-word sharing [7]. However, the DVB argues that this is not an
issue anymore because in modern STB SoCs the descrambler is integrated in the chip: there is therefore no
need to transfer the control word between two devices. Moreover, compliance and robustness regimes
for CA integration typically request the STB provider to guarantee that there is no access to the control
words or content in the clear, a requirement which can be fulfilled by today's SoCs. However, even for
the latest version of the CSA (CSA-3), the DVB does not mandate specific control word protection
requirements, which is not ideal.

3. Business and Technology Challenges


3.1 The differences between CA and DRM
The CA model
When a pay-TV operator purchases a traditional security system from a CA vendor, it is not merely buying
smartcards: it is buying an end-to-end, managed system with prescriptive hardware and software security
requirements, where the CA vendor is responsible not only for certification and verification but also for
factory-based provisioning of key material.

Typically, this managed offering will include, among other things, the vendor:

• specifying and providing the SoC and/or manufacturer-based provisioning methods
• specifying hardware requirements, SoC security firmware and options
• specifying and enabling OS and software hardening measures
• supporting the integration of its technology into receivers
• proactively detecting and disabling potential security threats
• countering actual hacks and where possible prosecuting the perpetrators
• enabling and supporting renewability
• supplying software upgrades on an on-going basis in response to threats/hacks
• reviewing/certifying/auditing implementations on an on-going basis
• providing some liability coverage

All of the above elements form part of the overall CA package.

[7] Ibid, p.4

The DRM model
A DRM vendor will typically provide DRM software (server and client) and require compliance with a range of
robustness rules. These act as guidelines for the integration of the DRM client and allow the DRM provider to
limit its liability in case of loss, since these rules move responsibility from the vendor to the party
implementing the device.

However, DRM vendors typically do not review any of the implementations themselves, in which case it
will need to be done by somebody else, and it will therefore be up to the implementer to take responsibility
for this. Such reviews need to address multiple issues, including:

• Responsibility for the overall security of the end-to-end system from provisioning to operation and
  for providing solutions in these areas
• Overall systems management and integration of the DRM solution into the entire security chain,
  including:
  o Implementing the root of trust
  o Security of the hardware, OS and application environment
  o Specifying or creating a secure player
  o Backend systems security
  o Anti-piracy activities and monitoring
  o Liability coverage for security breaches, loss of critical data, etc.
  o System updates

What the DRM model therefore requires is that the purchaser of the DRM solution either take on the burden
of addressing such issues themselves or pay a third party to do it. With CA, the difference is that those
costs are generally bundled in with the CA vendor's price from the outset.

3.2 The changing nature of content piracy



As noted in Section 2, currently we are seeing far fewer attacks on the key management system housed in
the smartcard or the software CA client, and growth in the number of attacks that depend on illegally
accessing and distributing over the Internet either the control words that offer access to premium content,
or the content itself.

The reasons for this are that:

1. Internet distribution has become very inexpensive. With respect to the distribution of control words,
   which take up little bandwidth, the issue is trivial, but it makes the illegal distribution of the content
   itself much cheaper.
2. Operators find it difficult to analyse the source of control word leakage using traditional methods,
   which in turn makes it difficult for them to curb this form of piracy.
3. In the case of content re-distribution, the protection of the video outputs on STBs or other devices
   has proven to be very weak in practice, and professional-quality video encoding has also become
   much cheaper. Even would-be pirates with very little technical know-how can create a video
   distribution service simply by capturing content from a badly-protected STB video output or with a
   video camera, re-encoding it using off-the-shelf software and loading it onto a video streaming
   server to distribute over the Internet. This practice is particularly resistant to any of the
   counter-measures provided by traditional CA- or DRM-based content protection systems.
4. The business models for pirates have become more attractive:
   a. instead of selling illicit hardware (a practice which is vulnerable to legal action), they can
      distribute pirated content online, which is more difficult to counter, particularly where
      performed from off-shore locations.
   b. the content re-distribution model also provides recurring revenues (from content) rather
      than one-off sales (from hardware) and has the additional advantage that the barrier to
      subscriber adoption is substantially reduced (in some cases consumers do not even realize
      that they are viewing pirated material when acquired in this way).


In this new environment, the role of security technologies needs to be extended. Previously it was important
that these systems remained un-hacked so that pirates could not reproduce clones or modify clients to
pirate content. Today it is becoming equally important for security solutions to enable traceability of leaked
keys or leaked content and to allow suspect services to be swiftly cordoned-off.

For example, where a pirate outside a friendly jurisdiction is using a legitimate subscription to illegally
redistribute control words or content, if that pirate's source cannot be identified, there is nothing that can be
done to stop the operation, since takedown orders cannot be enforced.

If, on the other hand, the security system contains the necessary features (such as session-based
watermarking) to allow the offending subscription account to be traced, it can in principle be disrupted.

The operator's ability to cause disruption becomes dependent on how fast it can trace the source of leakage
and, once identified, how fast the pirated subscription can be disabled.

These new piracy challenges add extra weight to our contention that implementation of a security system
requires much more than simply deploying a CA or DRM solution in isolation.
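
One way the traceability described above can work, shown as an added example that is not from this White Paper or from any vendor's product: each session is served its own sequence of A/B-marked segment variants, and a captured stream is matched back to the session that produced it. The key, session identifiers, segment naming and thresholds are assumptions constructed for illustration.

```python
"""Session-based A/B watermark tracing (added example, constructed data)."""
import hashlib
import hmac
from typing import Iterable, Optional, Sequence

OPERATOR_KEY = b"constructed-demo-key"  # assumption: head-end secret, sample value
PATTERN_BITS = 128                      # assumption: one watermark bit per segment


def session_pattern(session_id: str, n_bits: int = PATTERN_BITS) -> list:
    """Derive the session's bit pattern; bit i picks variant A (0) or B (1) of segment i."""
    bits = []
    counter = 0
    while len(bits) < n_bits:
        msg = f"{session_id}|{counter}".encode()
        digest = hmac.new(OPERATOR_KEY, msg, hashlib.sha256).digest()
        bits.extend((byte >> k) & 1 for byte in digest for k in range(8))
        counter += 1
    return bits[:n_bits]


def playlist_for(session_id: str) -> list:
    """Segment list handed to one session: the same content, a unique A/B sequence."""
    return [f"seg{i:03d}_{'AB'[bit]}.ts"
            for i, bit in enumerate(session_pattern(session_id))]


def trace_leak(observed: Sequence[Optional[int]], sessions: Iterable[str],
               min_readable: int = 64, max_mismatch: int = 4,
               min_margin: int = 16) -> Optional[str]:
    """Match marks recovered from a captured stream to one active session.

    observed[i] is 0 or 1 for a recovered mark, None where the segment was
    missing or the mark unreadable. Returns a session id only when there is
    enough evidence, the best match is close, and the runner-up is far
    behind; otherwise returns None so that no account is disabled in error.
    """
    readable = [(i, b) for i, b in enumerate(observed) if b is not None]
    if len(readable) < min_readable:
        return None
    scores = []
    for sid in sessions:
        pattern = session_pattern(sid, len(observed))
        mismatches = sum(1 for i, b in readable if pattern[i] != b)
        scores.append((mismatches, sid))
    if not scores:
        return None
    scores.sort()
    best_mismatch, best_sid = scores[0]
    if best_mismatch > max_mismatch:
        return None
    if len(scores) > 1 and scores[1][0] - best_mismatch < min_margin:
        return None
    return best_sid


# Constructed sample data: four active sessions and a simulated capture.
ACTIVE_SESSIONS = ["acct-1001/s1", "acct-1002/s1", "acct-1003/s7", "acct-1004/s2"]


def simulate_capture(session_id: str, lost=(), misread=()) -> list:
    """Marks as recovered from a re-encoded capture: some lost, some flipped."""
    return [None if i in lost else (bit ^ 1 if i in misread else bit)
            for i, bit in enumerate(session_pattern(session_id))]


if __name__ == "__main__":
    leak = simulate_capture("acct-1003/s7", lost=range(0, 20), misread={40, 90})
    print("first segments served:", playlist_for("acct-1003/s7")[:4])
    print("traced to:", trace_leak(leak, ACTIVE_SESSIONS))
```

The thresholds trade speed of tracing against the risk of disabling the wrong subscription: a longer observed run allows a stricter margin.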

3.3 Ongoing management of devices



If it is true that security implementation requires more than just deploying the technology, why then are PC
and Apple products apparently able to construct a viable business out of the consumption of premium
content simply through the deployment of their Microsoft PlayReady and Apple FairPlay DRM products?

The simple answer is that Microsoft and Apple invest substantial sums in maintaining their end-to-end
security systems, such as those used in Xbox and iTunes, as well as the security of the operating systems
themselves. In this context, they assume the responsibilities of DRM implementer as described in "The DRM
model" in Section 3.1.

Their set-up, in fact, resembles to some extent that of a vertically integrated pay-TV operator, with a unified
environment that is controlled and managed. This extends to controls over how consumers are allowed to
use their products and a compliance regime for software/app developers.

However, these are only quasi-managed environments when compared to full-blown, end-to-end
eco-systems as deployed in a traditional pay-TV environment. Although in principle each company can in one
way or another force a user to implement a recommended software update (see Figure 4 below), they may
not always choose to do so; and it is possible for users to jail-break devices without having them
disabled or having usage rights revoked. Typically neither of these activities would be allowable in a truly
managed security environment.

However, the Microsoft and Apple cases illustrate the need for on-going management of devices where
premium content consumption is involved, and its associated complexity and expense where this is a burden
borne by the implementer.

Figure 4: Microsoft Security Updates (April 2013)

Bulletin ID | Bulletin Title | Maximum Severity | Restart Requirement | Affected Software
MS13-028 | Cumulative Security Update for Internet Explorer (2817183) | Critical (Remote Code Execution) | Requires restart | Microsoft Windows, Internet Explorer
MS13-029 | Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223) | Critical (Remote Code Execution) | May require restart | Microsoft Windows
MS13-030 | Vulnerability in SharePoint Could Allow Information Disclosure (2827663) | Important (Information Disclosure) | May require restart | Microsoft Office, Microsoft Server Software
MS13-031 | Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2813170) | Important (Elevation of Privilege) | Requires restart | Microsoft Windows
MS13-032 | Vulnerability in Active Directory Could Lead to Denial of Service (2830914) | Important (Denial of Service) | Requires restart | Microsoft Windows
MS13-033 | Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2820917) | Important (Elevation of Privilege) | Requires restart | Microsoft Windows
MS13-034 | Vulnerability in Microsoft Antimalware Client Could Allow Elevation of Privilege (2823482) | Important (Elevation of Privilege) | Requires restart | Microsoft Security Software
MS13-035 | Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2821818) | Important (Elevation of Privilege) | May require restart | Microsoft Office, Microsoft Server Software
MS13-036 | Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege (2829996) | Important (Elevation of Privilege) | Requires restart | Microsoft Windows

Source: Microsoft, April 24 2013

3.4 Implications for pricing


Whereas a CA system may be regarded as a security platform, a DRM technology is in effect a small
component of the end-to-end solution.

While this makes DRM appear less expensive than CA, services such as provisioning and key generation have
to be paid for in addition to the cost of the DRM components, and there may be additional fees such as
transaction charges for key usage [8]. This is before any expenditure is incurred actually securing the platform.

The pricing differential is therefore deceptive, and in any case being steadily eroded as technology advances
bring down the price of fully-fledged CA systems, and through increasing competition from new security
system providers in China as well as from Western vendors increasing sales into the Chinese market.

As we stated at the outset, properly-implemented DRM can be as effective a mechanism for protecting
premium video content as properly-implemented CAS. The real argument, then, is not between CA and DRM
themselves, but about which vendors offer a complete solution. This probably entails a fully-managed
system that makes use of one or more third-party DRM solutions.

3.5 Implementing DRM in Devices


When considering in-home distribution of the operator's paid-for content to devices such as PCs, games
consoles, tablets and smart-phones (i.e. the devices the operator does not control), the final step of the
process is nearly always going to involve the use of DRM because that is the type of content solution such
devices use.

However, the precise manner in which such a DRM-based security system is implemented depends on a
number of variables including the nature of the content, the type of distribution network being used, the
nature of the trust model available, and the mix of devices being targeted. Some examples are listed below.

Native DRM
We define a Native DRM implementation here as one which has a hardware-based root of trust; in other
words, the software is bound to a secret key which is hidden in hardware.

An example might be Apple's use of its FairPlay DRM, which is integrated into Quicktime (of which the iTunes
application is a subset), and is bundled with products using the Apple OS, iOS.

If a premium iTunes movie is downloaded or streamed to an Apple device, this iTunes content will be
protected by the FairPlay implementation, which is bound to the device hardware (iPhone, iPad, iPod, etc.).

Non-native DRM
We define a Non-native DRM implementation as one that does not rely on a hardware-based root of trust.

For instance, several non-iTunes content aggregators deliver movies to iPhones that are protected using
Microsoft's PlayReady DRM, but because they are not part of the iTunes/Apple eco-system, they do not
have access to the secret key buried in the device to which Apple's FairPlay DRM is bound.

[8] With a CA platform it is usual to pay a fee per user to use the system, but not transaction fees


In these situations, the aggregator needs to rely on software-based measures to protect the secret keys used
to authenticate the device and decrypt premium content, such as White Box Cryptography or code
obfuscation.
Such techniques, while effective, have a cost associated with their implementation (someone has to develop,
test and integrate the solution before it can be deployed) and they may have an impact on performance (for
instance, it takes longer to decrypt content that uses entirely software-based modes of protection).
Moreover, the rights-holders may not regard such software-based techniques as adequate for protecting
their top-level premium content. Thus, for instance, while Apple devices are allowed to access HD iTunes
movies protected with hardware-based FairPlay, they may only be permitted to access SD movies protected
with software-based PlayReady.
In a non-native DRM situation, it is also difficult to find a solution that allows for secure device
authentication.
Implementing DRM in a legacy environment
The imperative for traditional pay-TV operators to address their subscribers' requirements for a
user-friendly multiscreen eco-system is made harder by the need to support legacy systems.9
Given that the final step of the distribution chain will almost invariably involve the use of DRM, a bridging
solution between the two types of security approach is required.
There are two broad approaches an operator can take:
• the first is to use its existing primary distribution network (i.e. cable, satellite, terrestrial or IPTV) to pipe paid-for content into the home, and then convert it locally for the various security solutions used by the non-legacy devices wanting to receive it.
• the second is to deliver separate streams from the headend, over broadband, for instance, which are encoded and encrypted for access by non-legacy devices.
The first route can be described as a gateway approach, the second as cloud-based. In practice, early
implementations have tended to take the cloud-based approach rather than the gateway one. These types
of hybrid security implementations involve a number of complexities that are outside the scope of this White
Paper.

4. Market adoption
At the beginning of this White Paper we noted that we had found there to be a perception that DRM content
protection solutions are less expensive to implement than CAS-based solutions. This view is bundled with a
number of other associated notions, such as compliance procedures being more straightforward,
implementation being simpler, and so on.
Yet the expense, complexity, and time-to-market of any security implementation depend critically on a range
of factors which have nothing to do with whether the solution happens to be CAS- or DRM-based, such as
the type of content, the legacy network, and the mix of devices being targeted.
If an operator is seeking to protect the distribution of early-release window movies or premium sports, then
there will likely be little difference in the rigour of the implementation required and the timeline for its
deployment, whether the solution is CAS- or DRM-based, because it implies the creation of an end-to-end
system using a managed network where security is actively controlled for the lifetime of the platform.
Increasingly, operators have an alternative to what used to be a binary choice: that is to say either to
purchase the entire technology integration-and-management bundle from a single source (e.g. a CA vendor);
or just to purchase a standalone solution, and manage the rest of the process themselves.
The third alternative is to buy a technology package from one of the new platform system vendors who are
starting to integrate DRM into their back-end solutions, offering these as an off-the-shelf product.
The difficulty for an operator deciding to go it alone is that if for some reason vital security steps are missed
because it is keen to launch as early as possible, it may find itself with no access to premium content or a
short lifetime for the devices under its control, for example if a hardware root of trust cannot be
retro-fitted when a rights-holder suddenly demands it, or the level of attack on the system makes it necessary.

9 See our recent White Paper on cable and multiscreen for a more detailed analysis of these issues, at
http://www.farncombe.com/wp-content/uploads/2013/03/NagraWhitePaperFinal-copy1.pdf
In this situation, operators need to consider the full life cycle of their eco-system and how it matches their
content aspirations. The introduction of a new video compression technology such as HEVC may enable an operator to
offer HD content to second screens in two or three years' time, but if its security implementation today
assumes a need only to protect standard-definition content, it could find itself wrong-footed.
Platform-based solutions may appear to present an attractive new alternative to these risks, but while the
vendor may integrate DRM into their system and do so in a secure way, even taking on responsibility for this,
they will still not be responsible for the DRM technology itself. Moreover, to the extent that a secure player
is required, or the security of devices needs to be assessed, these remain matters the operator has to
manage.

5. Conclusions and Recommendations for DRM Adopters


The need for robust security implementations on connected devices is increasing
Given the growing trend towards watching premium video OTT on second screens and the degree to which
the increasing bandwidth available to consumers is facilitating the consumption of HD content, connected
devices will require increasingly robust content security solutions.
CAS and DRM have different models and pricing cannot easily be compared
DRM and CAS are typically sold by different types of vendor with different business models. The difference in
perceived cost is not so much down to the nature of the technology solution itself, as to the services bundled
with it. If the ambition is to create an end-to-end security system designed to protect premium content using
a managed approach, the overall costs and implementation complexity will be broadly similar whether the
solution is CAS- or DRM-based, even though these costs may be allocated between the vendor and the
customer in different ways.
AES is facilitating the growth of DRM-based security solutions
The trend towards the adoption of software-based security solutions has been facilitated by the ease of
implementation of AES-based encryption in non-broadcast devices (and arguably in hybrid broadcast devices
such as connected TVs). Meanwhile, the continued mandation of hardware-based Common Scrambling
Algorithms in the CAS world is looking increasingly out-dated in the context of the computing power now
available to second-screen devices.
In-home distribution of premium content requires bridging solutions
For operators seeking to make their pay-TV offers available on all connected devices, the adoption of some
sort of bridging solution is necessary. The most obvious example relates to the need to transcode/re-encrypt
content delivered through a legacy network using CAS for consumption by non-legacy devices using DRM.
Given the different requirements of rights-holders and device manufacturers, implementations are likely to
be complex. Implementation within a new infrastructure using end-to-end software-based security does not
remove this problem: local re-encryption or over-encryption of content is still likely to be required where
content has been broadcast or multicast using a common key.
Complexity of DRM implementation (and time-to-market) is context-dependent
Implementation complexity depends on five factors unrelated to the nature of the technology solution
itself:
1. How much of the work required to deliver an appropriately robust security system needs to be
carried out by the operator as opposed to the vendor
2. The nature of the content being consumed
3. The type of distribution network being used
4. The nature of the trust model available
5. The mix of devices being targeted



Combating modern piracy requires more than just CA and DRM


New forms of attack require that operators be empowered to detect how their content is being pirated and
to disrupt the piracy as much as possible, either by identifying the source of leakage using session-based
watermarking (thereby disrupting the pirates' access to the content) or through issuing takedown notices (so
that consumers have greater difficulty locating the pirated content). This in turn requires a robust and
tamper-proof device identity supported by the content security system. This underlines the conclusion that
for the operator, piracy management is no longer simply about the purchase of a DRM or CA system, but
involves the overall management of the end-to-end security operation. This in turn implies that
understanding the full cost of security ownership and operation is essential to the long-term viability of any
paid-for service.
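Why leak tracing depends on device identity, shown as an added example that is not from the White Paper: it assumes an A/B segment-variant watermark (the paper names no particular scheme), and the key, session identifiers and function names are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo key; a real operator key would live in an HSM or KMS.
OPERATOR_KEY = b"constructed-demo-key"
SEGMENTS = 64  # number of watermarked segments examined per title


def variant_sequence(session_id: str, n: int = SEGMENTS) -> list:
    """Per-segment variant (0 = copy A, 1 = copy B) served to one session.

    Derived with HMAC so the operator can reproduce the pattern, while it
    stays unpredictable to anyone without the key.
    """
    bits, counter = [], 0
    while len(bits) < n:
        msg = f"{session_id}:{counter}".encode()
        digest = hmac.new(OPERATOR_KEY, msg, hashlib.sha256).digest()
        bits.extend((byte >> i) & 1 for byte in digest for i in range(8))
        counter += 1
    return bits[:n]


def trace_leak(observed: list, sessions: list,
               max_mismatch: float = 0.15) -> Optional[str]:
    """Match a pattern recovered from a pirated copy to one session.

    `observed` holds 0, 1 or None (variant unreadable after re-encoding).
    Returns None when no session, or more than one, fits within tolerance.
    """
    scores = []
    for sid in sessions:
        expected = variant_sequence(sid, len(observed))
        pairs = [(o, e) for o, e in zip(observed, expected) if o is not None]
        if pairs:
            wrong = sum(o != e for o, e in pairs)
            scores.append((wrong / len(pairs), sid))
    scores.sort()
    hits = [sid for ratio, sid in scores if ratio <= max_mismatch]
    return hits[0] if len(hits) == 1 else None
```

The trace resolves to a session identifier, so it names a device only if that identifier was issued against an identity the device cannot clone or alter; two entries presenting the same identifier are reported as ambiguous rather than attributed.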

6. About Farncombe
Farncombe is a leading provider of specialist strategy, technology consultancy and engineering services to
the digital TV industry, with a global reputation in the content security field. With offices in the UK, France
and Germany, Farncombe's roster of clients includes many of the world's leading broadcasters, platform
operators, telecom operators, hardware and software technology providers as well as government and
regulatory bodies, private equity companies and other industry stakeholders.
We are renowned for our versatility: we cover everything from initial commercial analysis and strategy
through to implementation and testing. We combine sector expertise with a strong analytical methodology,
and are known for our experience with new technologies, particularly in a content security context.
These skills ensure we can deliver and implement any digital video project, no matter how complex,
on time and to budget - whilst never losing sight of the big picture.
For further information visit www.farncombe.com, where you can also register to receive news updates and
further White Papers as they are published.

7. About Irdeto
Irdeto is a world leader in media protection, multi-screen and revenue assurance solutions for pay TV
operators, OTT service providers and content owners. Irdeto enables pay media companies to provide a
personal media experience for their consumers, uncover new revenue opportunities and offer new forms of
entertainment on broadcast, broadband and mobile networks. The company offers an advanced portfolio of
conditional access, multi-rights management, multi-screen, home networking, piracy control and business
intelligence services. Irdeto's success in the market is evidenced by its software security solutions being the
most widely deployed in the world for pay TV on satellite, cable, terrestrial and IP networks and by helping
customers generate a quarter of a billion dollars a year in business value with its Multiscreen services. Irdeto
is a subsidiary of multinational media group Naspers (JSE: NPN). Please visit Irdeto at www.irdeto.com.

