VideoCrypt is a cryptographic, smartcard-based conditional access

Conditional access

Conditional Access is the protection of content by requiring certain criteria to be met before granting access to this content...

 television encryption

Television encryption

Television encryption, often referred to as "scrambling", is encryption used to control access to pay television services, usually cable or satellite television services.-History:...

 system that scramble

Scramble

Scramble may refer to:* Scramble , a 1981 arcade game* Scramble , an enemy of the Marvel Comics Canadian superhero team Alpha Flight* Scramble , a 1970 British drama film...

s analogue pay-TV signals. It was introduced in 1989 by News Datacom and was used initially by Sky TV and subsequently by several other broadcasters on the SES Astra

SES Astra

Astra is the name for the geostationary communication satellites, both individually and as a group, which are owned and operated by SES S.A., a global satellite operator based in Betzdorf, in eastern Luxembourg. The name is sometimes also used to describe the channels broadcasting from these...

 satellites at 19.2° east

Astra 19.2°E

Astra 19.2°E is the name for the group of communications satellites co-located at the 19.2°East orbital position in the Clarke Belt that are owned and operated by SES Astra, a subsidiary of SES based in Betzdorf, Luxembourg....

.

Users

Broadcaster	Market	Medium
British Sky Broadcasting British Sky Broadcasting British Sky Broadcasting Group plc is a satellite broadcasting, broadband and telephony services company headquartered in London, United Kingdom, with operations in the United Kingdom and the Ireland....	United Kingdom United Kingdom The United Kingdom of Great Britain and Northern IrelandIn the United Kingdom and Dependencies, other languages have been officially recognised as legitimate autochthonous languages under the European Charter for Regional or Minority Languages... , Ireland Ireland Ireland is an island to the northwest of continental Europe. It is the third-largest island in Europe and the twentieth-largest island on Earth...	SES Astra SES Astra Astra is the name for the geostationary communication satellites, both individually and as a group, which are owned and operated by SES S.A., a global satellite operator based in Betzdorf, in eastern Luxembourg. The name is sometimes also used to describe the channels broadcasting from these...  satellites
The Adult Channel The Adult Channel The Adult Channel is a broadcast just for adults pay-per-view cable/satellite/IPTV channel available in the United Kingdom and Republic of Ireland, replacing the Home Video Channel on 30th June 1999...	Europe Europe Europe is, by convention, one of the world's seven continents. Comprising the westernmost peninsula of Eurasia, Europe is generally 'divided' from Asia to its east by the watershed divides of the Ural and Caucasus Mountains, the Ural River, the Caspian and Black Seas, and the waterways connecting...	SES Astra SES Astra Astra is the name for the geostationary communication satellites, both individually and as a group, which are owned and operated by SES S.A., a global satellite operator based in Betzdorf, in eastern Luxembourg. The name is sometimes also used to describe the channels broadcasting from these...  satellite
JSTV JSTV is a Japanese broadcaster in the Middle East, Europe, Russia and North Africa. Launched in March 1990, broadcasting from London, the channel has broadcast for two hours each night from 8pm on the Lifestyle transponder 5 on the Astra 1A satellite in analogue format...	Europe Europe Europe is, by convention, one of the world's seven continents. Comprising the westernmost peninsula of Eurasia, Europe is generally 'divided' from Asia to its east by the watershed divides of the Ural and Caucasus Mountains, the Ural River, the Caspian and Black Seas, and the waterways connecting...	SES Astra SES Astra Astra is the name for the geostationary communication satellites, both individually and as a group, which are owned and operated by SES S.A., a global satellite operator based in Betzdorf, in eastern Luxembourg. The name is sometimes also used to describe the channels broadcasting from these...  satellite
SKY Network Television SKY Network Television Sky Network Television Limited , , is a New Zealand pay television service. On 30 June 2011, Sky had 829,421 subscribers, which comprises:*808,617 digital subscribers*20,840 other subscribers...	New Zealand New Zealand New Zealand is an island country in the south-western Pacific Ocean comprising two main landmasses and numerous smaller islands. The country is situated some east of Australia across the Tasman Sea, and roughly south of the Pacific island nations of New Caledonia, Fiji, and Tonga...	terrestrial UHF (Ended 10 Mar 2010)
Sky Fiji Sky Fiji SKY Fiji is Fijian pay-tv package which carries 3 pay channels Sky Plus, Sky Entertainment and Sky Sports plus one free-to-view channel, Fiji One. It operates on an analogue platform and its encrypted signals are delivered from one transmitter site to another...	Fiji Fiji Fiji , officially the Republic of Fiji , is an island nation in Melanesia in the South Pacific Ocean about northeast of New Zealand's North Island...	terrestrial VHF
Filmnet Filmnet Nova Cinema is a premium television service available in Greece that broadcasts blockbuster movies and hit series. It is the only 24/7 Movie service in Greece and it launched in 1994. It is owned by Forthnet, who own and operate Nova a DTH satellite service and Nova Sports—a sports channel.Nova...	Europe Europe Europe is, by convention, one of the world's seven continents. Comprising the westernmost peninsula of Eurasia, Europe is generally 'divided' from Asia to its east by the watershed divides of the Ural and Caucasus Mountains, the Ural River, the Caspian and Black Seas, and the waterways connecting...	SES Astra SES Astra Astra is the name for the geostationary communication satellites, both individually and as a group, which are owned and operated by SES S.A., a global satellite operator based in Betzdorf, in eastern Luxembourg. The name is sometimes also used to describe the channels broadcasting from these...  satellite
MTV Europe MTV Europe MTV Europe is a pan-European 24-hour entertainment cable and digital television network launched on August 1, 1987. Initially, the channel served all regions within Europe being one of the very few channels that targeted the entire European continent...	Europe Europe Europe is, by convention, one of the world's seven continents. Comprising the westernmost peninsula of Eurasia, Europe is generally 'divided' from Asia to its east by the watershed divides of the Ural and Caucasus Mountains, the Ural River, the Caspian and Black Seas, and the waterways connecting...	SES Astra SES Astra Astra is the name for the geostationary communication satellites, both individually and as a group, which are owned and operated by SES S.A., a global satellite operator based in Betzdorf, in eastern Luxembourg. The name is sometimes also used to describe the channels broadcasting from these...  satellite
Foxtel Foxtel Foxtel is an Australian pay television company, operating cable, direct broadcast satellite television and IPTV services. It was formed in 1995 through a joint venture established between Telstra and News Corporation....  (until 2005)	Australia Australia Australia , officially the Commonwealth of Australia, is a country in the Southern Hemisphere comprising the mainland of the Australian continent, the island of Tasmania, and numerous smaller islands in the Indian and Pacific Oceans. It is the world's sixth-largest country by total area...	Telstra terrestrial HFC

Versions

Three variants of the VideoCrypt system were deployed in Europe: VideoCrypt I for the UK and Irish market and VideoCrypt II for continental Europe. The third variant, VideoCrypt-S was used on a short-lived BBC Select

BBC Select

BBC Select was an overnight television service run by the BBC during the hours when BBC1 or BBC2 had closed down, usually between 2am and 6am.The channel showed programming intended for specialist audiences, such as businessmen, lawyers, nurses and teachers, and was designed to be viewed after...

 service. The VideoCrypt-S system differed from the typical VideoCrypt implementation as it used line shuffle scrambling.

• Sky NZ and Sky Fiji may use different versions of the VideoCrypt standard.
• Sky NZ used NICAM
  NICAM
  Near Instantaneous Companded Audio Multiplex is an early form of lossy compression for digital audio. It was originally developed in the early 1970s for point-to-point links within broadcasting networks...
  
   stereo for many years until abandoning it when the Sky DTH
  DTH
  DTH may refer to:* The Daily Tar Heel, a student newspaper at the University of North Carolina at Chapel Hill* Dance Theatre of Harlem, New York City* Danmarks Tekniske Højskole, a previous name for the Technical University of Denmark...
  
   technology started replacing Sky UHF.

Operating principle

The system scrambles the picture using a technique known as Line Cut-and-Rotate. Each line that made up each picture (video frame) is cut at one of 256 possible "cut points", and the two halves of each line are swapped around for transmission. The series of cutpoints is determined by a pseudo-random sequence. Channels were decoded using a pseudorandom number generator

Pseudorandom number generator

A pseudorandom number generator , also known as a deterministic random bit generator , is an algorithm for generating a sequence of numbers that approximates the properties of random numbers...

 (PRNG) sequence stored on a smart card

Smart card

A smart card, chip card, or integrated circuit card , is any pocket-sized card with embedded integrated circuits. A smart card or microprocessor cards contain volatile memory and microprocessor components. The card is made of plastic, generally polyvinyl chloride, but sometimes acrylonitrile...

 (aka Viewing Card).

To decode a channel the decoder would read the smart card to check if the card is authorised for the specific channel. If not, a message would appear on screen. Otherwise the decoder seeds the card's PRNG with a seed transmitted with the video signal to generate the correct sequence of cut points.

The system also included a cryptographic element called the Fiat Shamir

Adi Shamir

Adi Shamir is an Israeli cryptographer. He is a co-inventor of the RSA algorithm , a co-inventor of the Feige–Fiat–Shamir identification scheme , one of the inventors of differential cryptanalysis and has made numerous contributions to the fields of cryptography and computer...

 Zero Knowledge Test. This element was a routine in the smartcard that would prove to the decoder that the card was indeed a genuine card. The basic model was that the decoder would present the card with a packet of data (the question or challenge) which the card would process and effectively return the result (the answer) to the decoder proving that it was a genuine card without disclosing any critical information. If the decoder received the wrong result from the card, it was supposed to stop decoding the video. However a technologically insecure implementation of this otherwise strong cryptographic element made it redundant.

The VideoCrypt-S variant, used by the BBC Select service, was based on line shuffle scrambling. This form of video scrambling changes the order in which lines are transmitted thus line 20 may be transmitted as line 32. The VideoCrypt-S variant used six blocks of forty seven lines per field. It had three scrambling formats: full shuffle in which 282 lines were affected; half shuffle, in which every alternate field was scrambled; and a line delay scramble in which the start position of the video in each line was pseudo-randomly delayed.

Attacks

The VideoCrypt system was far from secure and a number of hacks were employed.

Card attacks

• Hackers discovered methods of preventing Sky from killing or deactivating their cards. The simplest of these attacks relied on the fact that Sky was using EPROM technology for its smartcards at the time. Thus by modifying the decoder to limit the write voltage to the card, it was possible to stop cards being turned off over the air. Another, known as the KENtucky Fried Chip attack relied on replacing the microcontroller that controlled the smartcard to decoder interface. This attack relied on blocking packets with the smartcard's identification number. The voltage based attack failed after Sky changed to smartcards that used EEPROM technology.

• Commercial pirates completely reverse engineered the Sky smartcard, removed the access control routines and created working pirate smartcards using different microcontroller types (typically the PIC16C84) from that used by Sky.

• Hackers also discovered, (after the commercial pirate code became public) ways of switching on "dead" cards using a computer and smartcard interface by sending a properly formatted and addressed activation packet to the card. Variations on this attack also allowed existing subscriber cards to be upgraded to more expensive subscription packages. This attack was known as the "Phoenix Hack" after the mythical bird
  Phoenix (mythology)
  The phoenix or phenix is a mythical sacred firebird that can be found in the mythologies of the Arabian, Persians, Greeks, Romans, Egyptians, Chinese, Indian and Phoenicians....
  
   that could bring itself back to life.

Datastream attacks

• Other successful hacks involved sampling the datastream between the card and the decoder, for example you could record a movie and store the decoder information so that people could then use it to decode the same movie that they recorded earlier with a decoder and "dummy" card (the dummy smartcard was an interface that received the synchronised decryption seeds from a computer). The attack was known as the Delayed Data Transfer hack and it worked because the conditional access data, decoder addressing and encrypted keys, were on the video lines that are recorded by normal VCRs and the data rate, unlike that of Teletext
  Teletext
  Teletext is a television information retrieval service developed in the United Kingdom in the early 1970s. It offers a range of text-based information, typically including national, international and sporting news, weather and TV schedules...
  
  , was slow enough to allow the data to be recorded with the encrypted video.

Decoder card datastream attacks

• The most successful hack on the VideoCrypt system is the "McCormac Hack" devised by John McCormac. This attack involved broadcasting the decryption keys from the decoder-card data live so that other decoders could use it to watch the encrypted channels effectively sharing a card with several decoders. This particular attack is extremely dangerous if the internet is used to redistribute the decryption keys since a single card can be used, virtually, in a multitude of decoders. Card Sharing
  Card Sharing
  Card sharing, also known as control word sharing, is a method of allowing multiple clients or digital television receivers to access a subscription television network with only one valid subscription card...
  
   is an implementation of the McCormac Hack.

Brute force

• As desktop computing power increased, such a simple system was always inherently vulnerable to brute force 'image-processing' attacks.
• Even without any information at all about the cutpoint sequence, adjacent lines in a picture can be 'correlated' to find the best match, and the picture reconstructed.
• The Brute force method will not work for all pictures, but is an interesting proof-of-concept.
• Markus Kuhn
  Markus Kuhn
  Markus G. Kuhn is a German computer scientist, currently teaching and researching at the University of Cambridge Computer Laboratory. A graduate of the University of Erlangen , he received his MSc at Purdue University and PhD at the University of Cambridge...
  
  's Antisky.c program from 1994 is an early example of such an attack.
• More recently it has been shown that, using detailed knowledge of the way colour is transmitted in analogue TV systems, 'perfect' reconstruction could be achieved for many scenes.
• Cheap PC TV cards (~£40) with particular chipsets (e.g: Brooktree) were capable of descrambling the image in near real time (sound was delayed to match). This was made possible with software such as MoreTV or hVCPlus and a reasonably fast PC. The picture quality was on par with an old VHS videotape, with some colour distortion depending on PC performance.

Although, the analog UHF option is still available, the introduction of Sky Digital has ameliorated these issues significantly, as the VideoGuard

VideoGuard

VideoGuard , produced by NDS, is a digital encryption system for use with conditional access television broadcasting. It is used on digital satellite television systems - some of which are operated by News Corporation, which owns about half of NDS...

system employed by SkyDigital has not been widely defeated, as of 2009.