Google’s Widevine Conditional Access Will Disrupt the Broadcast Industry

Launching Widevine Conditional Access System (CAS) is a commercial game changer for the broadcast industry and its suppliers. Google is giving away Widevine CAS components for free, which build on top of Widevine DRM, as part of Android TV. This greatly reduces cost and complexity of deploying IPTV and broadcast services while making traditional Conditional Access vendors obsolete for the Android TV market.

It is a logical and required next step to merge traditional broadcast technology with OTT technology. In the long run video transmission over traditional broadcast services will disappear and all streams to end-customers will be IP based. Widevine CAS offers synergies and a migration path towards pure OTT technology in video distribution. This article explains how Widevine CAS works, what the prerequisites are to use it, and what the differences and similarities are to traditional broadcast technologies.

How Widevine CAS Works

castLabs Widevine CAS workflow

Above, please find a high level architecture which illustrates our Widevine CAS approach.

  1. At the headend, a scrambler encrypts the source video with often changing scrambling keys (control words). This functionality is usually provided by the multiplexer in the headend.
  2. The Simulcrypt Synchronizer (SCS) sends those control words to the Entitlement Control Message Generator (ECMG) which wraps the control words with another, seldom changing service key (entitlement key).
  3. The ECMG talks to castLabs license server, DRMtoday, to ingest and pull entitlement keys.
  4. The ECMG embeds those wrapped keys together with additional metadata into an “ECM” (Entitlement Control Message) and transmits this back to the SCS.
  5. The headend sends the ECM to the Android TV device along the encrypted broadcast video.
  6. On the TV or STB, castLabs PRESTOplay SDK player, with a modified Exoplayer core to integrate Widevine CAS, will now ask the DRMtoday license server for the entitlement key via HTTP.
  7. If the customer is authorized, DRMtoday will then deliver Entitlement Management Messages (EMMs), which are special Widevine DRM licenses, to the customer. Those licenses contain the entitlement keys that are needed to unwrap control words. Then the control words are used to decrypt the encrypted broadcast stream.

The castLabs ECMG is a former product component from our mobileTV system for DVB-H and implements the “DVB Simulcrypt” interface standard. The ECMG will be provided as a Docker container (or similar) so it can run anywhere as each headend needs its own ECMG instance(s). Running it in the cloud is possible via a VPN connection from the headend.

“Android TV with Widevine CAS offers broadcasters a new lower-cost method of secure pay-TV content delivery. Taking advantage of castLabs as a technology partner enables early adoption of this workflow innovation to streamline playback and improve margins for digital video services.”

Brian Baker Senior Director, Head of Widevine Business


To launch a Widevine CAS enabled service you will need to consider the following requirements:

  • Widevine CAS only runs on Android TV starting from Android 9 “Pie”.
  • The SoC vendor of the STB or TV needs to implement at least OEMCrypto for Widevine CAS v14 and must complete the Widevine CAS specific Compliance Test Suite (CTS).
  • The SoC or OEM vendor needs to integrate the Widevine CAS plugin for the MediaCas Java API with the hardware. The integration of OEMCrypto and the Widevine CAS plugin is equivalent to the CDM integration for Widevine L1 DRM and is typically turnkey provided by SoC vendors targeting Android TV.
  • The Android TV hardware must be Google TV Services (GTVS) certified.
  • The DRM service must create Widevine CAS compliant EMM messages.
  • Supported scrambling algorithms are AES-128 CTR, CBC, or DVB CSAv2 (Q1 2019).
  • An ECMG supporting Widevine CAS compliant ECMs is required.

castLabs works with partners on both the headend and device side and can provide an end-to-end solution for broadcasters.

What Changes, What Remains the Same

  • Standard CAS-headend integration via DVB Simulcrypt. Both IPTV and DTV (DVB supported in Q1/2019) can be secured by Widevine CAS.
  • EMM messages are delivered by a license server via HTTP request instead of being part of the broadcast stream.
  • Widevine CAS can be operated in parallel with a legacy Conditional Access System.
  • UHD/4K content can be protected with Widevine CAS as it complies to Widevine Security Level 1.
  • Widevine CAS will streamline the video distribution behavior across CAS and DRM. Industry-standard business policies can be used for entitlements, such as durations (SVOD, TVOD, live use-cases). Additionally, output controls can be set (analog, digital).
  • AES-128 CTR, CBC, or DVB CSAv2 scrambling algorithms are supported.

Get Started Today

castLabs acts as a third party integrator for your end-to-end Widevine CAS workflow. Contact us to discover how we can help you take advantage of Widevine CAS through our video technology solutions.


Consulting and technical support for a fast and efficient complete integration from headend to Android TV devices

Widevine CAS ECMG

Widevine CAS compliant ECMG supporting Simulcrypt (as part of the headend or separately hosted)

Widevine CAS EMM

Widevine CAS compliant EMM generator (as part of DRMtoday or separately hosted)


PRESTOplay IPTV/OTT player providing a unified API and CAS/DRM pre-integration with DRMtoday

Useful Abbreviations

CAS Conditional Access System
SCS SimulCrypt Synchronizer: logical component that generates Control Words, acquires ECMs, and synchronizes their play-out for all connected CAS
CP Crypto Period: time that the Control Word is valid for
EMM Entitlement Management Message
EMMG Entitlement Management Message Generator
ECM Entitlement Control Message
ECMG Entitlement Control Message Generator
SOC System on a Chip: contains CPU, trusted execution environment (TEE), and media processing hardware. Needs to be integrated with OEMCrypto.
STB Set Top Box
CTS / GTS Compatibility Test Suite / Google Test Suite
GTVS Google TV Services


Posted by

Susanne Guth-Orlowski

Dr. Susanne Guth-Orlowski
Sales & Business Development

View more blog posts