Fastcom increases code signing efficiency while maintaining high levels of security


The pay TV marketplace is highly competitive, with consumers regularly demanding access to new content offerings. Even in Australia, where Foxtel leads the pay TV market, the introduction of new operators means Foxtel needs to stay even more focused on new innovations in order to continue delivering a great subscriber experience.

Foxtel introduced the iQ3 set-top box (STB), which offers enhanced content streams, more recording space and other new features meant to increase subscriber satisfaction.

When designing the iQ3, Foxtel engaged with Fastcom, identifying three core requirements. Specifically, the STBs needed to:

  • Support a multi-vendor security strategy, allowing Foxtel the flexibility to offer streams from multiple content providers as well as change providers as needed
  • Prevent unauthorised access to subscription-only content
  • Provide Foxtel direct control over deployed devices to allow for efficient updates that respond to customer needs


Based on Foxtel’s needs, Fastcom developed the initial specifications for its multiple conditional access system (MCAS) solution, quickly determining that it would require highly secure cryptography – starting with the manufacture of the STBs. In fact, the root key that provides a root of trust for all encryption and decryption on the device would need to be burned into the iQ3’s core processors, establishing each device’s identity and allowing for the creation of keys to encrypt content from conditional access system (CAS) / digital rights management (DRM) solutions.

To achieve the level of security demanded by the application, Fastcom determined that they needed to execute their key derivation algorithm within a FIPS-certified environment. Fastcom was familiar with hardware security modules (HSMs) and comfortable that they offered the required security and modularity.

After reviewing several vendor offerings, Fastcom chose nCipher’s nShield because of its unmatched ability to deliver on all of the project’s security requirements. Specifically, the nShield features CodeSafe, an unmatched capability that allows Fastcom to run its proprietary derivation algorithm and protect keys within a FIPS 140-2 Level 3 boundary.

During the implementation phase the nCipher team developed part of the encryption application code within the CodeSafe environment, which Fastcom then further modified. This provided Fastcom the head start it needed to build out the solution while allowing it to easily take over ownership of the core code.

Using the nShield HSM, Fastcom derives multiple subordinate keys from a single root key for Foxtel to incorporate into the iQ3 STBs. The keys are used by CAS vendors to encrypt content provided through CAS/DRM solutions, ensuring that content can only be rendered on a particular STB.

With the nShield underlying the MCAS solution, Foxtel is able to freely choose the applications, middleware and CAS/DRM solutions for its iQ3 STBs. This enables a multi-vendor approach, as well as efficient, low-cost updates to the STBs as needed, and the delivery of premium content to pay TV subscribers. Looking ahead, Fastcom envisions using the MCAS model to develop other customer premises equipment solutions that leverage its multi-vendor security approach.


  • Easily change CAS vendors and middleware without costly updates to STBs
  • Gain direct control over remotely deployed devices, improving the subscriber experience
  • Protect revenue streams by securing premium content


nCipher HSMs

nCipher HSMs provide a hardened, tamper-resistant environment for performing secure cryptographic processing, key protection, and key management. With these devices you can deploy high assurance security solutions that satisfy widely established and emerging standards of due care for cryptographic systems and practices, while also maintaining high levels of operational efficiency.

nCipher HSMs are certified by independent authorities, establishing quantifiable security benchmarks that give you confidence in your ability to support compliance mandates and internal policies. nCipher HSMs are available in multiple form factors to support all common deployment scenarios ranging from portable devices to high-performance data center appliances.


The nCipher CodeSafe developer toolkit provides the unique capability to move sensitive applications within the protected perimeter of a FIPS 140-2 Level 3 certified nShield HSM. Using this approach, applications are protected from manipulation and can decrypt, process, and encrypt data inside the secure environment.


  • Prevent intellectual property theft by delivering remote control of sensitive applications no matter the environment, and offering cryptographic services regardless of the operating system or configuration used by the customer, whether server or mainframe. CodeSafe also allows application or handheld owners to maintain an up-to-date application execution environment without physical presence
  • Protect applications from attack by hackers or rogue administrators by providing the ability to digitally sign trusted applications so that their integrity is verified prior to launch. CodeSafe also protects applications from theft, even in uncontrolled environments utilizing outsourcing and contracting
  • Protect sensitive SSL data by providing true end-to-end SSL encryption, terminating SSL and processing sensitive data inside the HSM to protect it from attacks


Today’s fast moving digital environment enhances customer satisfaction, gives competitive advantage and improves operational efficiency. It also multiplies the security risks. nCipher Security, a leader in the general purpose hardware security module (HSM) market, empowers world-leading organizations by delivering trust, integrity and control to their business critical information and applications.

Our cryptographic solutions secure emerging technologies – cloud, IoT, blockchain, digital payments – and help meet new compliance mandates, using the same proven technology that global organizations depend on today to protect against threats to their sensitive data, network communications and enterprise infrastructure. We deliver trust for your business critical applications, ensuring the integrity of your data and putting you in complete control – today, tomorrow, at all times.