Cloakware Reveals DTA Security PlanCloakware Reveals DTA Security Plan

Cloakware Corp. has unveiled a solution that, it claims, will apply an extra, critical layer of security to the kind of low-end digital set-top boxes and simple, one-way digital terminal adapters that MSOs such as Comcast Corp. (Nasdaq: CMCSA, CMCSK) are using as part of their all-digital migrations. (See Cloakware Targets STBs & DTAs.)

Cloakware's software-based platform is designed to hide the encryption keys of the underlying content protection or conditional access (CA) system.

The company, acquired by content security specialist Irdeto Access B.V. in late 2007 for $72.7 million, claims to have 1.6 billion software "instances" worldwide on various PC applications and inside devices ranging from mobile phones, portable media players, and set-top boxes.

Cloakware is "CA-agnostic," according to Irdeto chief technology officer Andrew Wajs.

Irdeto, however, is the only publicly announced CA vendor that has adopted the Cloakware technology, using it in its smart cards.

In the digital terminal adapter (DTA) and set-top box world, Cloakware aims to "conceal the operation of software," Wajs explains. That means the security system is allowed to operate as intended, but the keys and the software license remain hidden from digital pirates.

Even if a hacker is able to unlock the conditional access system, Cloakware's technology jumbles everything up and "turns the code to spaghetti," adds Zoltan Costin, Irdeto's market development manager for digital television. "They [the hackers] can't read that mess."

Securing DTAs
Costin and Wajs acknowledge they haven't moved beyond the "discussion" stage with U.S. cable operators about how Cloakware's technology might be used in the DTA environment.

"But many operators are seriously considering it," Costin claims.

Comcast, the operator with the most aggressive DTA strategy by far -- it may deploy as many as 25 million units to complete its digital migration during the next 12 to 18 months -- is deploying those brick-like devices without any content security enabled, at least in the early going. (See Comcast IDs First DTA Market, Comcast Seeds Digital Shift With Free Boxes, and DTAs on Parade .)

However, such DTAs are capable of activating Motorola Inc. (NYSE: MOT)'s "privacy mode" -– a fixed key content protection scheme already used for video on demand (VOD) -– through a firmware download. (See Comcast's DTAs: Security Optional and The Comcast DTA Dance.)

Cloakware (and others) contend that fixed key privacy mode won't be difficult for pirates to compromise if it's enabled in DTAs later on. (See The Comcast DTA Dance.)

Cloakware, Costin contends, "will harden the privacy mode."

Although Comcast has not activated the privacy mode in its DTAs yet, it may have to if content owners raise a stink about their products being sent through DTAs "in the clear."

However, Comcast cable division president Steve Burke downplayed those concerns during the MSO's third quarter earnings call. "In many senses, it [digital video fed through DTAs] will be more secure than the analog distribution," he said. "We will not be using encryption initially, and that's fine in terms of our programming contracts."

But expect Comcast to be prepared if the temperature changes. The MSO is looking at a wide range of future content protection options for the DTA that it considers "open."

Irdeto and Cloakware are likely to be just two of a larger group of encryption vendors with which the MSO is holding discussions. Depending how wide a net is cast, Comcast could end up considering proposals from the existing U.S. cable CA "duopoly" of Motorola and Cisco Systems Inc. (Nasdaq: CSCO), as well as the likes of NDS Ltd. , Widevine Technologies Inc. , Verimatrix Inc. , Conax AS , and Latens Systems Ltd.

But applying more content protection to the DTA could open up Comcast to regulatory tangles, particularly the Federal Communications Commission (FCC) 's ban on integrated set-top security that went into effect last July. (See Countdown to 'Seven-Oh-Seven' and Boxing Up 'Seven-Oh-Seven' .)

If Comcast deems it necessary to add more security, it may have to seek out a special waiver from the FCC just as Evolution Broadband LLC is attempting to do with a DTA that embeds the Conax CA. (See Evolution Thinks Small and Conax: Blankom Must Go Through Evolution.)

Comcast may also try to argue that the DTA is a limited function device that isn't subject to the separable security rules.

If security is implemented through software, Comcast might also try to make a case that a downloadable approach qualifies as "separable" under the FCC set-top security rules, something that Beyond Broadband Technology LLC (BBT) is attempting to do with its downloadable conditional access system (DCAS). (See BBT Loads Up for First Field Test , BBT Inches Toward DCAS Solution, and Cable Group Faces DCAS Debate.)

But, given Comcast's dreadful track record in obtaining set-top waivers, no one expects the MSO to make any sudden moves until FCC Chairman Kevin Martin is gone or the Commission becomes a bit more cable-friendly. (See Comcast Denied Set-Top Waiver (Again).)

— Jeff Baumgartner, Site Editor, Cable Digital News