Jan 2017

BISS is supported using an optional card that sits on the encoder motherboard. If the option is fitted and correctly licensed, you will be able to encrypt your content using either BISS mode 1 or BISS E.

BISS mode 1 uses a DVB-CA scrambler in the encoder to encrypt services within the transport stream. To achieve this, the DVB scrambler needs to be provided with a key which determines the encryption algorithm used to perform scrambling. With BISS mode 1 this key, known as the “clear session word” or CSW, is simply entered into the encoder using the front panel. If the same key is entered into a BISS compliant receiver, then it will decrypt the encrypted service (s).


With BISS mode 1, The session word is simply entered into the decoder. As long as this matches the session word entered into the encoder, the transport stream will be decrypted.

BISS mode 1 is the simplest implementation of BISS and is useful for protecting relatively short transmissions, such as a sporting event. The CSW is normally generated at random by the user and is then communicated to the staff at the receive sites authorized to decrypt the transmission, so that they can enter the same key into their receivers.

When using BISS mode 1, you must enter the 12 digit CSW into the encoder. On most TANDBERG decoders, the CA menu is in menu 4. You will need to ensure the receiver is set to use BISS mode 1, and then enter the same CSW into the decoder that has been entered into the encoder.

When using BISS mode 1, anyone privy to the CSW being used can successfully decrypt the transmission. The risk is that someone who knows your CSW can illegally pass this to others, causing a security breach.

You can prevent clear keys, which is what the CSW is, from being passed on to others by using BISS E to encrypt it so that it is only decoded into its clear form by an algorithm within the receiver. The concept is simple: Rather than provide the CSW which will allow any receiver to decrypt, you provide two other numbers that if correct, will return the correct CSW within the receiver when these are passed internally through the BISS algorithm.

In BISS terminology, these two numbers which together describe the CSW are known as the “Encrypted Session Word” (ESW) and “injected user ID” (ID). A critical concept to understand with BISS-E is that the ESW and ID can be (and usually are) different for each receiver. This is because it is the combination of ESW and ID that matters. Just as 4+2 and 3+3 both equal 6, different values of ESW and ID in combination can also reflect the same CSW when passed through the BISS algorithm in a receiver.

The fact that this is the case is critically important because if one of these numbers (the ID) is fixed and electrically burned into a receiver, then only the correct ESW that works as a combination with this ID to return the correct CSW can be used. In other words, if an ESW is issued for this receiver, then it will only work in that receiver if the remainder have different IDs.


The CSW, ID and ESW are all linked by a BISS E algorithm. If you know any two, you can derive the third.