Analysis of the DVB Common Scrambling Algorithm Ralf-Philipp Weinmann, Kai Wirt Technical University of Darmstadt Department of Computer Science Darmstadt, Germany {weinmann,kwirt}@cdc.informatik.tu-darmstadt.de October 12, 2004 Abstract The Common Scrambling Algorithm (CSA) is used to encrypt streams of video data in the Digital Video Broadcasting (DVB) system. The algorithm cascades a stream and a block cipher, apparently for a larger security margin. In this paper we set out to analyze the block cipher and the stream cipher separately and give an overview of how they interact with each other. We present a practical attack on the stream cipher. Research on the block cipher so far indicates it to be resistant against linear and algebraic cryptanalysis as well as simple slide attacks. Keywords: block cipher, stream cipher, cryptanalysis, dvb, paytv 1 Introduction The DVB Common Scrambling Algorithm is an ETSI-specified algorithm for se- curing MPEG-2 transport streams such as those used for digitally transmitted Pay-TV. It was adopted by the DVB consortium in May 1994, the exact origin and date of the design is unclear. Until 2002, the algorithm was only available under a Non-Disclosure Agreement from an ETSI custodian. This NDA disal- lowed and still disallows licensees to implement the algorithm in software for “security reasons”. The little information that was then available to the pub- lic is contained in an ETSI Technical Report [Eur96] and patent applications [Bew98], [WAJ98]. This changed in the Fall of 2002, when a Windows program called FreeDec appeared which implemented the CSA in software. It was quickly reverse–engineered and details were disseminated on a web site [Pse03]. For keying the CSA, so called control words are used. These control words are provided by a conditional access mechanism, which generates them from encrypted control messages embedded in the transport stream. Conditional access mechanisms vary between broadcasters and can be more easily changed than the actual scrambling algorithm. Examples for commonly used conditional access mechanisms are Irdeto, Betacrypt, Nagravision, CryptoWorks etc. A new common key is usually issued every 10–120 seconds. The great relevance of CSA lies in the fact that every encrypted digital Pay-TV transmission in Europe is 1