Common Scrambling Algorithm

Common Scrambling Algorithm

The Common Scrambling Algorithm (or CSA) is the encryption algorithm used in the DVB digital television broadcasting for encrypting video streams.

CSA was specified by ETSI and adopted by the DVB consortium in May 1994.



CSA was largely kept secret until 2002. The patent papers gave some hints, but important details, like the layout of the so-called S-boxes, remained secret. Without these free implementations of the algorithm were out of question. Initially, CSA was to remain implemented in hardware only, and this would have made it difficult to reverse engineer existing implementations.

In 2002 FreeDec was released, implementing CSA in software. Though released as binary only, disassembly revealed the missing details and allowed reimplementation of the algorithm in higher-level programming languages.

With CSA now publicly known in its entirety, cryptanalysts started looking for weaknesses.

Description of the cipher

The CSA algorithm is composed of two distinct ciphers: a block cipher and a stream cipher.

When used in encryption mode the data are first encrypted using the 64 bits block cipher in CBC mode, starting from packet end. The stream cipher is then applied from packet start.

Block cipher

The block cipher process 64 bits blocks in 56 rounds. It uses 1 byte from expanded key on each round.

Block cipher encryption

Stream cipher

The first 32 round of the stream cipher are used for initialization and do not generate any output. The first 64 bits of data are used as initialization vector during this phase and are left unchanged. The stream cipher then generates 2 bits of pseudo-random stream on each round which are xored starting at bit 64 of the packet.

Stream cipher details


Were CSA to be broken, encrypted DVB transmissions would be decipherable, regardless of any proprietary conditional access (CA) system used. This could seriously compromise paid digital television services, as DVB has been standardised on for digital terrestrial television in Europe and elsewhere, and is used by many satellite television providers. No attack has yet been published, however.


Like other encryption algorithms, a weak spot arises inasmuch that parts of the message are known or at least easily predictable, like MPEG headers. The length of the key is 64 bits, which allows for many different possibilities of encryption. A brute force attack taking 1 μs for each try, through all possible key words, would take around 300,000 years, on average. This could be reduced by using the predictable parts of the encrypted message to rule out potential keys, however this would require cryptanalysis of both stream cipher and block cipher algorithms at the same time which is a complicated task.

Brute force approach

While CSA algorithm uses 64-bit keys, most of the time only 48 bits of key are unknown, since bytes 3 and 7 are used as checksum bytes in CA systems, and may be easily recalculated. This allow reducing the brute force search time.

Theoretical implementation in a FPGA that would consist of 42 hw-threads that each would test 1 key per clock-cycle. At a clock-rate of 50Mhz this would allow the key to be found in ~19 days since we would expect, on average, to find the key after 247 tries for a 248 key. The problematic part in this would be to determine when a valid key was found since that would involve checking the decrypted data for known things like MPEG-headers which could be hard to implement efficiently enough to fit in a today commercially available FPGA. One possible way to reduce the needed complexity in the FPGA could be to have a multi-layer approach where the first one just discards all keys that are known to be invalid with quite simple checks and one or more that checks for additional information.

Most CA systems use short lived keys which are replaced every few seconds, making such implementation useless until computational power increase dramatically. Moreover, the usual 48 bits key length may still be increased to 64 bits in the future to improve system strength, as this is not a limitation of the algorithm.


External links

Wikimedia Foundation. 2010.

Игры ⚽ Нужно решить контрольную?

Look at other dictionaries:

  • Common Scrambling Algorithm — (CSA) és un algoritmo de cifrado utilizado para proteger streams de vídeo en redes de difusión DVB (Digital Video Broadcasting). La televisión digital por pago en Europa y algunos proveedores de televisión por satélite usan este algoritmo para… …   Wikipedia Español

  • Common Scrambling Algorithm — CSA (англ. Common Scrambling Algorithm  общий алгоритм скремблирования)  алгоритм шифрования, используемый для защиты цифрового телевизионного потока от несанкционированного доступа. Алгоритм был разработан организацией ETSI и… …   Википедия

  • Common-Scrambling-Algorithmus — Der Common Scrambling Algorithmus (CSA) ist das Verschlüsselungsverfahren, welches beim Digitalfernsehen DVB verwendet wird, um den Videodatenstrom zu verschlüsseln. CSA wurde über mehrere Jahre geheim gehalten. Einige Hinweise kamen über die… …   Deutsch Wikipedia

  • Common Interface — Various components of Conditional Access Common Interfa …   Wikipedia

  • Common Interface — Interface commune L’interface commune (ou sigle CI de l anglais Common Interface) désigne un système relatif au « contrôle d accès » des programmes et services payants ou optionnels exploité principalement par la norme DVB. Il exploite… …   Wikipédia en Français

  • ГОСТ Р 53531-2009: Телевидение вещательное цифровое. Требования к защите информации от несанкционированного доступа в сетях кабельного и наземного телевизионного вещания. Основные параметры. Технические требования — Терминология ГОСТ Р 53531 2009: Телевидение вещательное цифровое. Требования к защите информации от несанкционированного доступа в сетях кабельного и наземного телевизионного вещания. Основные параметры. Технические требования оригинал документа …   Словарь-справочник терминов нормативно-технической документации

  • DVB-CI — Digital Video Broadcasting – Common Interface (or DVB CI), is a normative for DTV Receiver in order to enable the add of a conditional access module, CAM, in a Receiver DVB CI « standard » to adapt it to different kinds of cryptography. Indeed,… …   Wikipedia

  • Система условного доступа — Необходимо перенести в эту статью содержимое статьи Кодировки спутникового телевидения и поставить оттуда перенаправление. Вы можете помочь проекту, объединив статьи (cм. инструкцию по объединению). В случае необходимости обсуждения… …   Википедия

  • Conditional access — (abbreviated CA) is the protection of content by requiring certain criteria to be met before granting access to this content. The term is commonly used in relation to digital television systems, most notably satellite television. Contents 1… …   Wikipedia

  • ISDB — Integrated Services Digital Broadcasting (ISDB) is a Japanese standard for digital television (DTV) and digital radio used by the country s radio and television stations. ISDB replaced the previously used MUSE Hi vision analogue HDTV… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”