Jan 2017

BISS is supported using an optional card that sits on the encoder motherboard. If the option is fitted and correctly licensed, you will be able to encrypt your content using either BISS mode 1 or BISS E.

BISS mode 1 uses a DVB-CA scrambler in the encoder to encrypt services within the transport stream. To achieve this, the DVB scrambler needs to be provided with a key which determines the encryption algorithm used to perform scrambling. With BISS mode 1 this key, known as the “clear session word” or CSW, is simply entered into the encoder using the front panel. If the same key is entered into a BISS compliant receiver, then it will decrypt the encrypted service (s).


With BISS mode 1, The session word is simply entered into the decoder. As long as this matches the session word entered into the encoder, the transport stream will be decrypted.

BISS mode 1 is the simplest implementation of BISS and is useful for protecting relatively short transmissions, such as a sporting event. The CSW is normally generated at random by the user and is then communicated to the staff at the receive sites authorized to decrypt the transmission, so that they can enter the same key into their receivers.

When using BISS mode 1, you must enter the 12 digit CSW into the encoder. On most TANDBERG decoders, the CA menu is in menu 4. You will need to ensure the receiver is set to use BISS mode 1, and then enter the same CSW into the decoder that has been entered into the encoder.

When using BISS mode 1, anyone privy to the CSW being used can successfully decrypt the transmission. The risk is that someone who knows your CSW can illegally pass this to others, causing a security breach.

You can prevent clear keys, which is what the CSW is, from being passed on to others by using BISS E to encrypt it so that it is only decoded into its clear form by an algorithm within the receiver. The concept is simple: Rather than provide the CSW which will allow any receiver to decrypt, you provide two other numbers that if correct, will return the correct CSW within the receiver when these are passed internally through the BISS algorithm.

In BISS terminology, these two numbers which together describe the CSW are known as the “Encrypted Session Word” (ESW) and “injected user ID” (ID). A critical concept to understand with BISS-E is that the ESW and ID can be (and usually are) different for each receiver. This is because it is the combination of ESW and ID that matters. Just as 4+2 and 3+3 both equal 6, different values of ESW and ID in combination can also reflect the same CSW when passed through the BISS algorithm in a receiver.

The fact that this is the case is critically important because if one of these numbers (the ID) is fixed and electrically burned into a receiver, then only the correct ESW that works as a combination with this ID to return the correct CSW can be used. In other words, if an ESW is issued for this receiver, then it will only work in that receiver if the remainder have different IDs.


The CSW, ID and ESW are all linked by a BISS E algorithm. If you know any two, you can derive the third.


When generating BISS-E keys for distribution to clients, you will know the CSW and the ID for each receiver. A software application then generates the ESW.


In the receiver, you must enter the ESW. The ID will already be burned into the receiver and in most cases will only be known to the system administrator generating the keys. The ESW and ID combination will be used by the receiver to internally derive the CSW. The receiver will only de-crypt correctly if the derived CSW is correct and matches the CSW used in the encoder. In most cases you cannot read the ID back from the receiver and so a receiver operator will not be aware of the value, but may be able to select from a few pre-stored ID’s.


In the above, the top key set is valid (1) and will provide the correct CSW. The same is true for keyset 2. However, in the last example, the wrong ESW has been used for ID2, and so the correct CSW will not be recovered inside the receiver. This example illustrates what would happen if there were 2 receivers with different ID’s, and the recipient of ESW1 decided to pass it to another customer having a receiver with a different ID. The combination of ESW 1 and ID 2 would generate an incorrect CSW and the receiver would not be able to decrypt.

The same concept is used in both the encoder and the decoder and the algorithm used to relate the ESW, ID and the CSW is the same in every BISS-E compliant device.


The encoder and decoder both normally need an ID and ESW to be entered. The only difference is that the ID in the decoder is normally pre-set and cannot be read or changed. This stops key-sharing between customers since an ESW will only work in a receiver with a correct ID, and if all the ID’s are unique, then an ESW will only work in the one, intended receiver and no other!

There are a number of ways in which this concept can be implemented and used in practice. The BISS standard lists two standardized ways known as “user mode” (which is mandatory) and “Buried_ID” (which is an option to EBU-TECH 3292 and is not implemented by TANDBERG for security reasons because it does not prevent the ID within a receiver from being read back by the user). In addition, there is a proprietary “TTV” method which is implemented on all TANDBERG receivers.

ser mode allows the ID to be entered into the receiver manually. Anyone can enter this via the web browser or front panel, but once entered the number cannot be read back again. It is expected that operators will enter the ID into the receivers before shipping them to end users, and will record the values on a database. In TANDBERG receivers, it is possible to enter up to two different IDs into the receiver, so that the end user can easily choose which is active for use with different networks for example.

TANDBERG receivers need to be put in BISS E “user mode” to allow entry of the ESW and the ID. Importantly, these numbers may either be the same for all receivers, or they could be different. This is because what is important is that the combination of ESW and ID results in the correct value for the CSW when processed by the BISS E algorithm. Creating a valid pair of CSW and ID will require knowledge of the CSW that you intend to use as well as the BISS E algorithm that relates all of these parameters. TANDBERG provides a software tool embedded within the encoder to perform this function. This is described in more detail later.

Fixed mode As an alternative to entering the ID through the front panel, which provides the risk of it being inadvertently over-written later, it is possible to electronically burn it into the receiver. This is known as “fixed ID” mode. The mode of operation is otherwise the same as with user mode (above). It is sometimes possible to store more than one burned-in number per receiver.

It is only possible for the manufacturer or specialist service departments to burn numbers into a receiver, and so this method provides an excellent way of obtaining a secure ID that is unique and that the user cannot change or read back from the device. This mode is also widely inter-operable between receivers and is used by large organizations (such as EBU).

TTV Mode The ID can be derived automatically from the electronic serial number of the receiver. Please note that the electronic serial number is different to the unit serial number printed onto the identity label. Using this electronically burned-in serial number means that each receiver will have a unique ID that the user cannot change.

This also means that a unique ESW will be required for each receiver. The ESW will only work in the receiver possessing the correct serial number (and hence ID). Only this combination will result in the correct CSW being generated when this combination is passed through the BISS E algorithm. Using this method is proprietary to TANDBERG receivers, and is selected by placing the receiver in “BISS-E TTV” mode.

It completely prevents the possibility of valid keys being passed to others in an unauthorized way. Additionally, since a proprietary technique is used in addition to the standard BISS tools to translate the serial number into what actually becomes the ID that is used by the BISS algorithm, the fact that the electronic serial number is known and freely displayed on many devices including TT1260, TT1280 and RX1290 does not compromise security.

This is because knowledge of the BISS algorithm alone is not enough to recover the ID that our proprietary technique creates; To achieve this you must have knowledge of how the serial number is used to create the ID which is kept internal to TANDBERG Television. The TANDBERG BISS E software tool is used to create the keys in the normal way and is described in detail later in this section. The tool is able to detect automatically that a TTV serial number has been entered as the receiver ID from the number length, and will then apply the proprietary process that converts it into a standard-length ID.

Once the theory is understood, using BISS E is easy. To start, it will be necessary to configure the encoder and then configure the receivers. Both steps require the use of the TANDBERG (or equivalent) BISS E key generating software. This software is embedded within the encoder, and can be down-loaded onto a PC via an Ethernet connection. To do this, proceed as follows;

1. Establish an Ethernet connection between the PC and the encoder, as though preparing to access the web-browser in the normal way.
2. When entering the IP address of the encoder into the web browser, follow with “/advanced” (for example, enter 192.168.22.50/advanced)
3. Go to “save / load” tab and “download BISS key generator”. Run the installation wizard and install the software onto your computer. You should see the following user interface when the software is run.