High-performance Cryptographic Operations in Compact Form Factor
The Verimatrix EncryptionEngine is a hardware-based high-performance product that manages all VCAS™ for DVB head-end cryptographic operations. It protects cryptographic ciphers and control mechanisms, including the set of operator keys. It also holds the operator-specific Super Master Key (SMK), which is used to encrypt subscriber-related information.
The EncryptionEngine interfaces to, and is controlled by, the Verimatrix Broadcast Content Security Manager (BCSM) over a dedicated Ethernet LAN. BCSM is the core component of VCAS for DVB for one-way networks (i.e. broadcast networks without a return channel from the client devices to the head-end). BCSM includes an entitlement control message (ECM) generator, implementing DVB Simulcrypt with third-party DVB multiplexers, which enables MPEG-compliant Multi-Program Transport Stream (MPTS) encryption. Furthermore, BCSM generates and plays out entitlement management messages (EMMs). ECM and EMM messages are encrypted by the EncryptionEngine and returned to BCSM, which in turn forwards the messages to the DVB Multiplexer via Simulcrypt for insertion into the MPEG-2 TS.
All VCAS keys are provided by Verimatrix to operators in encrypted form. Keys are never stored in the clear. Keys are processed, and messages are encrypted and encapsulated, in the EncryptionEngine only. VCAS keys are never transmitted in the clear and no unencrypted information ever leaves the device. All information is lost if the device is tampered with or powered off.
The EncryptionEngine is initialized with key data during start-up using a Key Injector and a set of EncryptionEngine Arming Cards. The initialization procedure entails the transfer of the SMK to the encryptor. Three unique EncryptionEngine Arming Cards, each holding part of the SMK, are issued to each service operator, together with a 16-digit PIN code for each. Three trusted employees each receive one card together with a PIN code. Any two out of the three cards are required and sufficient to initialize the encryptor using the Key Injector (connected via USB interface). The cards can be inserted in any order. When the PINs have been entered and accepted for any two cards of the three, the initialization is complete. The initialization procedure is performed at system boot-up and after any power cycling, and only needs to be carried out once even if multiple encryptors are configured.
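The any-two-of-three property of the Arming Cards can be illustrated with a threshold secret-sharing scheme. The following is an added example, not Verimatrix code: the page does not say how the SMK is divided between the cards, so Shamir's scheme over a prime field is assumed here as one standard construction, and the names split_key and combine, the 128-bit sample key, and the omission of the PIN check are all assumptions.

```python
import secrets
from itertools import permutations

# Assumption: Shamir secret sharing stands in for the undisclosed card scheme.
PRIME = 2**521 - 1   # Mersenne prime, larger than any 256-bit key
THRESHOLD = 2        # cards required
CARDS = 3            # cards issued

def split_key(key: bytes, n: int = CARDS, k: int = THRESHOLD):
    """Return n shares (x, y); any k of them recover the key."""
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # Random polynomial of degree k-1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]

    def poly(x):
        y = 0
        for c in reversed(coeffs):   # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        return y

    return [(x, poly(x)) for x in range(1, n + 1)]

def combine(shares, key_len: int, k: int = THRESHOLD) -> bytes:
    """Lagrange interpolation at x = 0; the order of the shares is irrelevant."""
    points = dict(shares)            # a card presented twice counts once
    if len(points) < k:
        raise ValueError("need %d distinct shares" % k)
    pts = list(points.items())[:k]
    secret = 0
    for xi, yi in pts:
        num, den = 1, 1
        for xj, _ in pts:
            if xj != xi:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret.to_bytes(key_len, "big")

if __name__ == "__main__":
    smk = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample
    cards = split_key(smk)
    for a, b in permutations(cards, 2):
        assert combine([a, b], len(smk)) == smk
    print("any two of three cards, in any order, recover the key")
```

With a degree-1 polynomial, a single share is consistent with every possible key, which is why one card alone discloses nothing about the secret in this construction.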
The device supports cryptographic operations for up to 1 million STBs in only 1 rack unit (RU) space. Multiple units can be configured for redundancy and larger STB populations.
- Proprietary, high-performance encryptor card
- Supports cryptographic operations for up to 1 million STBs
- Ethernet/RJ-45 connector
- USB connector for Key Injector interfacing
- Power LED
- Status LED
- Dimensions – H: 1.75” (1RU), D: 5.50”, W: 19”
- EN ISO/IEC 17050-1
- FCC Part 15 for a Class A digital device
- Directive 2002/95/EC of the European Parliament – RoHS (Restriction of Hazardous Substances)
- 100-240 VAC
- 0.7 A
- 50/60 Hz