13 Media plane security

3GPP TS 24.581, Mission Critical Video (MCVideo) media plane control; Protocol specification, Release 18

13.1 General

Media plane security provides integrity and confidentiality protection of individual media streams and media plane control messages in MCVideo sessions.

Media plane security is based on the 3GPP MCVideo security solution, including key management and end-to-end protection of media and of transmission control and reception control messages, as defined in 3GPP TS 33.180 [8].

Various keys and associated key identifiers protect:

1. RTP transported media;

2. RTCP transported media control messages (i.e. RTCP SR packets, RTCP RR packets, RTCP SDES packets); and

3. RTCP APP transported transmission control and reception control messages.

In an on-network group call of an MCVideo group which is not a constituent MCVideo group of a temporary MCVideo group:

1. if protection of media is negotiated, the GMK and the GMK-ID of the MCVideo group protect the media sent and received by the MCVideo clients;

2. if protection of transmission control and reception control messages sent using unicast between the MCVideo client and the participating MCVideo function serving the MCVideo client is negotiated, the CSK and the CSK-ID protect the transmission control messages sent and received using unicast by the MCVideo client and by a participating MCVideo function;

3. if protection of transmission control messages sent over the MBMS subchannel from the participating MCVideo function to the served MCVideo clients is required:

A) if a MuSiK and a MuSiK-ID are associated with the on-network group call, the MuSiK and the MuSiK-ID associated with the on-network group call protect the transmission control messages sent over the MBMS subchannel from the participating MCVideo function to the served MCVideo clients; and

B) if a MuSiK and a MuSiK-ID are not associated with the on-network group call, the MKFC and the MKFC-ID of the MCVideo group protect the transmission control messages sent over the MBMS subchannel from the participating MCVideo function to the served MCVideo clients;

NOTE 1: If protection of transmission control messages sent over the MBMS subchannel from the participating MCVideo function to the served MCVideo clients is required and the participating MCVideo function is compliant to Release 15 of the present document, a MuSiK and a MuSiK-ID are always associated with the on-network group call.

4. if protection of transmission control and reception control messages between the participating MCVideo function and the controlling MCVideo function is negotiated, the SPK and the SPK-ID protect the transmission control and reception control messages sent and received between the participating MCVideo function and the controlling MCVideo function;

5. if protection of media control messages sent using unicast between the MCVideo client and the participating MCVideo function serving the MCVideo client is negotiated, the CSK and the CSK-ID protect the media control messages sent and received using unicast by the MCVideo client and by a participating MCVideo function; and

6. if protection of media control messages between the participating MCVideo function and the controlling MCVideo function is negotiated, the SPK and the SPK-ID protect the media control messages sent and received between the participating MCVideo function and the controlling MCVideo function.

In an on-network private call:

1. if protection of media is negotiated, the PCK and the PCK-ID protect media sent and received by the MCVideo clients;

2. if protection of transmission control and reception control messages sent using unicast between the MCVideo client and the participating MCVideo function serving the MCVideo client is negotiated, the CSK and the CSK-ID protect the transmission control and reception control messages sent and received by the MCVideo client and by the participating MCVideo function;

3. if protection of transmission control and reception control messages between the participating MCVideo function and the controlling MCVideo function is negotiated, the SPK and the SPK-ID protect the transmission control messages sent and received between the participating MCVideo function and the controlling MCVideo function;

4. if protection of media control messages sent using unicast between the MCVideo client and the participating MCVideo function serving the MCVideo client is negotiated, the CSK and the CSK-ID protect the media control messages sent and received using unicast by the MCVideo client and by a participating MCVideo function; and

5. if protection of media control messages between the participating MCVideo function and the controlling MCVideo function is negotiated, the SPK and the SPK-ID protect the media control messages sent and received between the participating MCVideo function and the controlling MCVideo function.

In an off-network group call of an MCVideo group:

1. if protection of media is announced, the GMK and the GMK-ID of the MCVideo group protect the media sent and received by an MCVideo client;

2. if protection of transmission control messages is announced, the GMK and the GMK-ID of the MCVideo group protect the transmission control messages sent and received by an MCVideo client; and

3. if protection of media control messages is announced, the GMK and the GMK-ID of the MCVideo group protect the media sent and received by an MCVideo client.

In an off-network private call:

1. if protection of media is negotiated, the PCK and the PCK-ID protect media sent and received by an MCVideo client;

2. if protection of transmission control and reception control messages is negotiated, the PCK and the PCK-ID protect transmission control and reception control messages sent and received by an MCVideo client; and

3. if protection of media control messages is negotiated, the PCK and the PCK-ID protect media control messages sent and received by an MCVideo client.

In a pre-established session, if the pre-established session call control messages between the MCVideo client and the participating MCVideo function serving the MCVideo client are negotiated to be protected, the CSK and the CSK-ID protect the pre-established session call control messages sent and received by the MCVideo client and by the participating MCVideo function serving the MCVideo client.

The GMK and the GMK-ID are distributed to the MCVideo clients using the group document subscription and notification procedure specified in 3GPP TS 24.481 [5].

The CSK and the CSK-ID are generated by the MCVideo client and provided to the participating MCVideo function serving the MCVideo client using SIP signalling according to 3GPP TS 24.281 [2].

The MKFC and the MKFC-ID are distributed to the MCVideo clients using the group document subscription and notification procedure specified in 3GPP TS 24.481 [5]. The MKFC and the MKFC-ID are distributed to the controlling MCVideo function using the group document subscription and notification procedure specified in 3GPP TS 24.481 [5] and the controlling MCVideo function provides the MKFC and the MKFC-ID to the participating MCVideo function using SIP signalling according to 3GPP TS 24.281 [2].

The SPK and the SPK-ID are configured in the participating MCVideo function, the controlling MCVideo function and the non-controlling MCVideo function.

The PCK and the PCK-ID are generated by the MCVideo client initiating the private call and provided to the MCVideo client receiving the private call using SIP signalling according to 3GPP TS 24.281 [2], using Connect message described in clause 8.3.4 or using MONP signalling according to 3GPP TS 24.281 [2].
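
The key selection rules of clause 13.1 as a decision function, with a check that no server-facing control stream ever uses a media key, which is what lets the participating and controlling MCVideo functions stay transparent to protected media. This is an added example, not part of the specification; the names `Call`, `Traffic`, `Hop`, `select_key` and `media_keys_stay_end_to_end` are assumptions introduced here, and the constituent-group case is not modelled.

```python
from enum import Enum
from itertools import product
from typing import Optional


class Call(Enum):
    ON_GROUP = "on-network group call (not a constituent of a temporary group)"
    ON_PRIVATE = "on-network private call"
    OFF_GROUP = "off-network group call"
    OFF_PRIVATE = "off-network private call"


class Traffic(Enum):
    MEDIA = "RTP media"
    MEDIA_CONTROL = "RTCP SR/RR/SDES media control messages"
    TX_RX_CONTROL = "RTCP APP transmission/reception control messages"


class Hop(Enum):
    DIRECT = "client to client (off-network)"
    UNICAST = "client <-> participating function, unicast"
    MBMS = "participating function -> served clients, MBMS subchannel"
    SERVER = "participating function <-> controlling function"


ON_NETWORK = (Call.ON_GROUP, Call.ON_PRIVATE)
GROUP = (Call.ON_GROUP, Call.OFF_GROUP)


def select_key(call: Call, traffic: Traffic, hop: Hop, protected: bool,
               musik_associated: bool = False) -> Optional[str]:
    """Name of the key that clause 13.1 assigns to this stream.

    Returns None when protection was not negotiated, announced or required.
    Raises ValueError for combinations clause 13.1 does not list.
    """
    on_network = call in ON_NETWORK
    if on_network and hop is Hop.DIRECT:
        raise ValueError("on-network traffic always passes an MCVideo function")
    if not on_network and hop is not Hop.DIRECT:
        raise ValueError("off-network calls have no server hops")
    if hop is Hop.MBMS and call is not Call.ON_GROUP:
        raise ValueError("MBMS subchannel is listed for on-network group calls only")

    if not protected:
        return None

    # Media is protected end to end: the key depends on the call, not the hop.
    if traffic is Traffic.MEDIA:
        return "GMK" if call in GROUP else "PCK"

    # Off-network: the same group or private call key also covers control.
    if not on_network:
        return "GMK" if call is Call.OFF_GROUP else "PCK"

    # On-network control traffic is protected hop by hop.
    if hop is Hop.UNICAST:
        return "CSK"
    if hop is Hop.SERVER:
        return "SPK"
    # Remaining case: MBMS subchannel, transmission control messages only.
    if traffic is not Traffic.TX_RX_CONTROL:
        raise ValueError("clause 13.1 lists only transmission control over MBMS")
    return "MuSiK" if musik_associated else "MKFC"


def media_keys_stay_end_to_end() -> bool:
    """True if no on-network control stream is ever keyed with GMK or PCK."""
    control = (Traffic.MEDIA_CONTROL, Traffic.TX_RX_CONTROL)
    hops = (Hop.UNICAST, Hop.MBMS, Hop.SERVER)
    for call, traffic, hop, musik in product(ON_NETWORK, control, hops,
                                             (False, True)):
        try:
            key = select_key(call, traffic, hop, True, musik)
        except ValueError:
            continue  # combination not listed in clause 13.1
        if key in ("GMK", "PCK"):
            return False
    return True


if __name__ == "__main__":
    print(select_key(Call.ON_GROUP, Traffic.TX_RX_CONTROL, Hop.MBMS, True))
    print(media_keys_stay_end_to_end())
```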

13.2 Derivation of SRTP/SRTCP master keys

Each key (i.e. CSK, GMK, MKFC, PCK, SPK, MSCCK) and its associated key identifier (i.e. CSK-ID, GMK-ID, MKFC-ID, PCK-ID, SPK-ID, MSCCK-ID) described in clause 13.1 are used to derive SRTP-MK, SRTP-MS and SRTP-MKI.

SRTP-MK, SRTP-MS and SRTP-MKI are used in encryption of media or transmission control and reception control messages in SRTP as specified in IETF RFC 3711 [4] and 3GPP TS 33.180 [8].

13.3 Media plane encryption and decryption

13.3.1 General

Clause 13.3 provides the media plane encryption and decryption procedures at the participating MCVideo function, the MCVideo client and the controlling MCVideo function.

13.3.2 The participating MCVideo function

The participating MCVideo function:

1. if protection of media is negotiated, shall be transparent to RTP media streams and shall forward encrypted RTP media streams without decrypting the payload;

2. if protection of transmission control and reception control messages sent using unicast between the participating MCVideo function and the MCVideo client is negotiated and the CSK and the CSK-ID were received from the MCVideo client using SIP signalling according to 3GPP TS 24.281 [2]:

A) shall encrypt transmission control and reception control messages sent using unicast to the served MCVideo client according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2; and

B) shall decrypt transmission control and reception control messages received using unicast from the served MCVideo client according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2;

3. if protection of transmission control messages sent over the MBMS subchannel from the participating MCVideo function to the served MCVideo clients is required and a MuSiK and a MuSiK-ID are associated with the on-network group call of the transmission control messages:

A) shall encrypt transmission control messages sent over the MBMS subchannel according to IETF RFC 3711 [16] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the MuSiK and MuSiK-ID as specified in clause 13.2;

4. if protection of transmission control and reception control messages between the participating MCVideo function and the controlling MCVideo function is negotiated and the SPK and the SPK-ID are configured in the participating MCVideo function:

A) shall encrypt transmission control and reception control messages sent to the controlling MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2; and

B) shall decrypt transmission control and reception control messages received from the controlling MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2;

5. if protection of transmission control and reception control messages between the participating MCVideo function and the non-controlling MCVideo function is negotiated and the SPK and the SPK-ID are configured in the participating MCVideo function:

A) shall encrypt transmission control and reception control messages sent to the non-controlling MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2; and

B) shall decrypt transmission control and reception control messages received from the non-controlling MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2;

5. if protection of pre-established session call control messages between the participating MCVideo function and the MCVideo client is negotiated and the CSK and the CSK-ID were received from the MCVideo client using SIP signalling according to 3GPP TS 24.281 [2]:

A) shall encrypt pre-established session call control messages sent to the served MCVideo client according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2; and

B) shall decrypt pre-established session call control messages received from the served MCVideo client according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2;

6. if protection of media control messages sent using unicast between the participating MCVideo function and the MCVideo client is negotiated between the participating MCVideo function and the MCVideo client and the CSK and the CSK-ID were received from the MCVideo client using SIP signalling according to 3GPP TS 24.281 [2]:

A) shall encrypt media control messages sent using unicast to the served MCVideo client according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2; and

B) shall decrypt media control messages received using unicast from the served MCVideo client according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2;

7. if protection of media control messages between the participating MCVideo function and the controlling MCVideo function is negotiated and the SPK and the SPK-ID are configured in the participating MCVideo function:

A) shall encrypt media control messages sent to the controlling MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2; and

B) shall decrypt media control messages received from the controlling MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2;

8. if protection of media control messages between the participating MCVideo function and the non-controlling MCVideo function is negotiated and the SPK and the SPK-ID are configured in the participating MCVideo function:

A) shall encrypt media control messages sent to the non-controlling MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2; and

B) shall decrypt media control messages received from the non-controlling MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2; and

9. if protection of MBMS subchannel control messages sent over the general purpose MBMS subchannel of an MBMS bearer is required and the MSCCK and the MSCCK-ID associated with the MBMS bearer were sent to one or more served MCVideo clients using SIP signalling according to 3GPP TS 24.281 [11]:

A) shall encrypt MBMS subchannel control messages specified in clause 9.3 sent over the general purpose MBMS subchannel of the MBMS bearer according to IETF RFC 3711 [16] and 3GPP TS 33.180 [18] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the MSCCK and MSCCK-ID associated with the MBMS bearer as specified in clause 13.2.

13.3.3 The MCVideo client

The MCVideo client:

1. in an on-network group call of an MCVideo group which is not a constituent MCVideo group of a temporary MCVideo group:

A) if protection of media is negotiated and the GMK and the GMK-ID of the MCVideo group were received using the group document subscription and notification procedure specified in 3GPP TS 24.481 [5] for the MCVideo group:

i) shall encrypt sent media according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the GMK and GMK-ID as specified in clause 13.2; and

ii) shall decrypt received media according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the GMK and GMK-ID as specified in clause 13.2;

B) if protection of transmission control and reception control messages sent using unicast is negotiated and the CSK and the CSK-ID were sent to the participating MCVideo function using SIP signalling according to 3GPP TS 24.281 [2]:

i) shall encrypt transmission control and reception control messages sent using unicast according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2; and

ii) shall decrypt transmission control and reception control messages received using unicast according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2;

C) if protection of transmission control messages sent over the MBMS subchannel from the participating MCVideo function to the served MCVideo clients is required:

i) if a MuSiK and a MuSiK-ID are associated with the on-network group call, shall decrypt transmission control messages received over the MBMS subchannel for transmission control messages according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the MuSiK and the MuSiK-ID associated with the on-network group call as specified in clause 13.2; and

ii) if a MuSiK and a MuSiK-ID are not associated with the on-network group call and the MKFC and the MKFC-ID of the MCVideo group were received using the group document subscription and notification procedure specified in 3GPP TS 24.481 [12] for the MCVideo group, shall decrypt transmission control messages received over the MBMS subchannel for transmission control messages according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the MKFC and MKFC-ID as specified in clause 13.2; and

D) if protection of media control messages sent using unicast between the participating MCVideo function and the MCVideo client is negotiated and the CSK and the CSK-ID were sent to the participating MCVideo function using SIP signalling according to 3GPP TS 24.281 [2]:

i) shall encrypt media control messages sent using unicast according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2; and

ii) shall decrypt media control messages received using unicast according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2;

2. in an on-network group call of an MCVideo group which is a constituent MCVideo group of a temporary MCVideo group:

A) if protection of media is negotiated and the GMK and the GMK-ID of the temporary MCVideo group were received using the group document subscription and notification procedure specified in 3GPP TS 24.481 [5] for the constituent MCVideo group:

i) shall encrypt sent media according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the GMK and GMK-ID of the temporary MCVideo group as specified in clause 13.2; and

ii) shall decrypt received media according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the GMK and GMK-ID of the temporary MCVideo group as specified in clause 13.2;

B) if protection of transmission control and reception control messages sent using unicast is negotiated and the CSK and the CSK-ID were sent to the participating MCVideo function using SIP signalling according to 3GPP TS 24.281 [2]:

i) shall encrypt transmission control and reception control messages sent using unicast according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2; and

ii) shall decrypt transmission control and reception control messages received using unicast according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2;

C) if protection of media control messages sent using unicast between the participating MCVideo function and the MCVideo client is negotiated and the CSK and the CSK-ID were sent to the participating MCVideo function using SIP signalling according to 3GPP TS 24.281 [2]:

i) shall encrypt media control messages sent using unicast according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2; and

ii) shall decrypt media control messages received using unicast according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2;

3. in an on-network private call:

A) if:

i) protection of media is negotiated in originating call and the PCK and the PCK-ID were sent to the remote MCVideo client using SIP signalling according to 3GPP TS 24.281 [2]; or

ii) protection of media is negotiated in terminating call and the PCK and the PCK-ID were received from the remote MCVideo client using SIP signalling according to 3GPP TS 24.281 [2];

then:

i) shall encrypt sent media according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the PCK and PCK-ID as specified in clause 13.2; and

ii) shall decrypt received media according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the PCK and PCK-ID as specified in clause 13.2;

B) if protection of transmission control and reception control messages is negotiated and the CSK and the CSK-ID were sent to the participating MCVideo function using SIP signalling according to 3GPP TS 24.281 [2]:

i) shall encrypt sent transmission control and reception control messages according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2; and

ii) shall decrypt received transmission control and reception control messages according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2; and

D) if protection of media control messages sent using unicast between the participating MCVideo function and the MCVideo client is negotiated and the CSK and the CSK-ID were sent to the participating MCVideo function using SIP signalling according to 3GPP TS 24.281 [2]:

i) shall encrypt media control messages sent using unicast according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2; and

ii) shall decrypt media control messages received using unicast according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2;

4. in an off-network group call of an MCVideo group:

A) if protection of media is announced and the GMK and GMK-ID of the MCVideo group were received when on-network using the group document subscription and notification procedure specified in 3GPP TS 24.481 [5] for the MCVideo group:

i) shall encrypt sent media according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the GMK and GMK-ID as specified in clause 13.2; and

ii) shall decrypt received media according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the GMK and GMK-ID as specified in clause 13.2;

B) if protection of transmission control and reception control messages is announced and the GMK and the GMK-ID of the MCVideo group were received when on-network using the group document subscription and notification procedure specified in 3GPP TS 24.481 [5] for the MCVideo group:

i) shall encrypt sent transmission control and reception control messages according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the GMK and GMK-ID as specified in clause 13.2; and

ii) shall decrypt received transmission control and reception control messages according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the GMK and GMK-ID as specified in clause 13.2; and

C) if protection of media control messages is announced and the GMK and GMK-ID of the MCVideo group were received when on-network using the group document subscription and notification procedure specified in 3GPP TS 24.481 [5] for the MCVideo group:

i) shall encrypt sent media control messages according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the GMK and GMK-ID as specified in clause 13.2; and

ii) shall decrypt received media control messages according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the GMK and GMK-ID as specified in clause 13.2;

5. in an off-network private call:

A) if:

i) protection of media is negotiated in originating call and the PCK and the PCK-ID were sent to the remote MCVideo client using MONP signalling according to 3GPP TS 24.281 [2]; or

ii) protection of media is negotiated in terminating call and the PCK and the PCK-ID were received from the remote MCVideo client using MONP signalling according to 3GPP TS 24.281 [2];

then:

i) shall encrypt sent media according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the PCK and PCK-ID as specified in clause 13.2; and

ii) shall decrypt received media according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the PCK and PCK-ID as specified in clause 13.2;

B) if:

i) protection of transmission control and reception control messages is negotiated in originating call and the PCK and the PCK-ID were sent to the remote MCVideo client using MONP signalling according to 3GPP TS 24.281 [2]; or

ii) protection of transmission control and reception control messages is negotiated in terminating call and the PCK and the PCK-ID were received from the remote MCVideo client using MONP signalling according to 3GPP TS 24.281 [2];

then:

i) shall encrypt sent transmission control and reception control messages according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the PCK and PCK-ID as specified in clause 13.2; and

ii) shall decrypt received transmission control and reception control messages according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the PCK and PCK-ID as specified in clause 13.2; and

C) if:

i) protection of media control messages is negotiated in originating call and the PCK and the PCK-ID were sent to the remote MCVideo client using MONP signalling according to 3GPP TS 24.281 [2]; or

ii) protection of media control messages is negotiated in terminating call and the PCK and the PCK-ID were received from the remote MCVideo client using MONP signalling according to 3GPP TS 24.281 [2];

then:

i) shall encrypt sent media control messages according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the PCK and PCK-ID as specified in clause 13.2; and

ii) shall decrypt received media control messages according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the PCK and PCK-ID as specified in clause 13.2;

6. if protection of pre-established session control messages is negotiated and the CSK and the CSK-ID were sent to the participating MCVideo function using SIP signalling according to 3GPP TS 24.281 [2]:

A) shall encrypt sent pre-established session call control messages according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2; and

B) shall decrypt received pre-established session call control messages according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the CSK and CSK-ID as specified in clause 13.2.

13.3.4 The controlling MCVideo function

The controlling MCVideo function:

1. if protection of media is negotiated, shall be transparent to RTP media streams and shall forward encrypted RTP media streams without decrypting the payload;

2. in an on-network group call of an MCVideo group which is not a constituent MCVideo group of a temporary MCVideo group:

A) if protection of transmission control and reception control messages between the controlling MCVideo function and the participating MCVideo function is negotiated and the SPK and the SPK-ID are configured in the controlling MCVideo function:

i) shall encrypt transmission control and reception control messages sent to the participating MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2; and

ii) shall decrypt transmission control and reception control messages received from the participating MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2; and

B) if protection of media control messages between the controlling MCVideo function and the participating MCVideo function is negotiated and the SPK and the SPK-ID are configured in the controlling MCVideo function:

i) shall encrypt media control messages sent to the participating MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2; and

ii) shall decrypt media control messages received from the participating MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2;

3. in an on-network group call of an MCVideo group which is a constituent MCVideo group of a temporary MCVideo group:

A) if protection of transmission control and reception control messages between the controlling MCVideo function and the non-controlling MCVideo function is negotiated and the SPK and the SPK-ID are configured in the controlling MCVideo function:

i) shall encrypt transmission control and reception control messages sent to the non-controlling MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2; and

ii) shall decrypt transmission control and reception control messages received from the non-controlling MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2; and

B) if protection of media control messages between the controlling MCVideo function and the non-controlling MCVideo function is negotiated and the SPK and the SPK-ID are configured in the controlling MCVideo function:

i) shall encrypt media control messages sent to the non-controlling MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2; and

ii) shall decrypt media control messages received from the non-controlling MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2; and

4. in an on-network private call:

A) if protection of transmission control and reception control messages between the controlling MCVideo function and the participating MCVideo function is negotiated and the SPK and the SPK-ID are configured in the controlling MCVideo function:

i) shall encrypt transmission control and reception control messages sent to the participating MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2; and

ii) shall decrypt transmission control and reception control messages received from the participating MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2; and

B) if protection of media control messages between the controlling MCVideo function and the participating MCVideo function is negotiated and the SPK and the SPK-ID are configured in the controlling MCVideo function:

i) shall encrypt media control messages sent to the participating MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2; and

ii) shall decrypt media control messages received from the participating MCVideo function according to IETF RFC 3711 [4] and 3GPP TS 33.180 [8] using SRTP-MK, SRTP-MS and SRTP-MKI generated using the SPK and SPK-ID as specified in clause 13.2.