10 Media plane security aspects

3GPP TS 24.582 Release 17: Mission Critical Data (MCData) media plane control; Protocol specification

10.1 General

Media plane security provides integrity and confidentiality protection for the MCData media information and media plane control information transmitted using media plane. Media plane security also provides the authentication of MCData media information.

The media plane security is based on 3GPP MCData security solution including key management as defined in 3GPP TS 33.180 [15].

NOTE: In 3GPP TS 33.180 [15] media information is denoted as MCData Data Payload and media plane control information is denoted as MCData Data signalling Payload.

Various keys and associated key identifiers protect the media information and media plane control information carried in the body of an MSRP SEND message.

The media plane control information may be:

1. SDS SIGNALLING PAYLOAD; or

2. SDS NOTIFICATION.

The media information may be:

1. DATA PAYLOAD; or

2. File or file portion.

In an on-network MCData communication for an MCData group, if protection of media is negotiated, the GMK and the GMK-ID of the MCData group shall be used for protecting the media sent and received by MCData clients.

In an on-network one-to-one MCData communication, if protection of media is negotiated, the PCK and the PCK-ID shall be used for protecting the media sent and received by MCData clients.

If protection of media control information sent using unicast between the MCData client and the participating MCData function serving the MCData client is negotiated, the CSK and the CSK-ID shall be used for protecting the media control information sent and received using unicast by the MCData client and by a participating MCData function.

If protection of media control information between the participating MCData function and the controlling MCData function is configured, the SPK and the SPK-ID shall be used for protecting the media control information sent and received between the participating MCData function and the controlling MCData function.

The GMK and the GMK-ID are distributed to the MCData clients using the group document subscription and notification procedure specified in 3GPP TS 24.481 [4].

The PCK and the PCK-ID are generated by the MCData client initiating the standalone one-to-one SDS using media plane or one-to-one SDS session or one-to-one FD using media plane and provided to the MCData client receiving the SIP signalling according to 3GPP TS 24.282 [8].

The CSK and the CSK-ID are generated by the MCData client and provided to the participating MCData function serving the MCData client using SIP signalling according to 3GPP TS 24.282 [8].

The SPK and the SPK-ID are configured in the participating MCData function and the controlling MCData function.

The key material for creating and verifying the authentication signature (SSK, PVT and KPAK) is provisioned to the MCData clients by the KMS as specified in 3GPP TS 33.180 [15].

10.2 Derivation of master keys for media and media control

Each MCData Payload Protection Key (DPPK) (i.e. GMK, PCK, CSK, SPK) and its associated key identifier DPPK-ID (i.e. GMK-ID, PCK-ID, CSK-ID, SPK-ID) described in clause 10.1 shall be used to derive a MCData Payload Cipher Key (DPCK) and its associated DPCK-ID as specified in 3GPP TS 33.180 [15].

DPCK and DPCK-ID shall be used in the protection of media or media plane control information as specified in 3GPP TS 33.180 [15].

10.3 Protection of media and media control and authentication of media

10.3.1 General

The media information may be protected. Protection shall be applied as specified in clause 8.5.4 in 3GPP TS 33.180 [15].

The media control information may be protected. Protection shall be applied as specified in clause 8.5.4 in 3GPP TS 33.180 [15].

MCData media information or protected MCData media information may also be authenticated as specified in clause 8.5.5 in 3GPP TS 33.180 [15].

10.3.2 The MCData client

A MCData client transmitting media information shall protect the media information using the related DPPK and DPPK-ID according to the negotiated protection method. For one-to-one communication PCK and PCK-ID shall be used as DPPK and DPPK-ID. For group communication GMK and GMK-ID shall be used as DPPK and DPPK-ID.

A MCData client transmitting media information or protected media information shall use the key material provisioned by the KMS when generating the authentication signature.

A MCData client which receives protected media information shall decrypt and check the integrity of the protected media using the related DPPK and DPPK-ID according to the negotiated protection method.

A MCData client which receives signed media information or signed and protected media information shall verify the signature by using the signature, the identity of the originating MCData client and the KPAK provisioned by the KMS.

A MCData client transmitting media control information shall protect the media control information using CPK and CPK-ID if media control information protection is negotiated.

A MCData client which receives protected media control information shall decrypt and check the integrity of the protected media control information using CPK and CPK-ID.

10.3.3 The participating MCData function

A participating MCData function which receives protected media information shall forward it to the next entity without any additional action related to the security framework.

A participating MCData function, when receiving protected media control information from a MCData client, shall decrypt and integrity check the protected media control information using the CSK and CSK-ID negotiated with the MCData client which has sent the media control information. Then, the participating MCData function shall forward the media control information to the controlling MCData function by protecting the media control information using SPK and SPK-ID, if protection is configured between the participating MCData function and the controlling MCData function.

A participating MCData function, when receiving protected media control information from the controlling MCData function, shall decrypt and integrity check the protected media control information using the SPK and SPK-ID configured between the participating MCData function and the controlling MCData function. Then, the participating MCData function shall forward the media control information to the destination MCData client by protecting the media control information using the CSK and CSK-ID if protection is negotiated between the participating MCData function and the MCData client.

10.3.4 The controlling MCData function

A controlling MCData function which receives protected media information shall forward it to the next entity without any additional action related to the security framework.

A controlling MCData function, when receiving protected media control information from a participating MCData function, shall decrypt and integrity check the protected media control information using the SPK and SPK-ID configured between the participating MCData function and the controlling MCData function. Then, the controlling MCData function shall forward the media control information to the participating MCData function serving the destination MCData client by protecting the media control information using SPK and SPK-ID, if protection is configured between the participating MCData function and the controlling MCData function.
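As an added example that is not part of this specification, the following Python models the key separation of clauses 10.1 to 10.3: media information is protected end to end under the GMK (group) or PCK (one-to-one) and forwarded untouched by the participating and controlling MCData functions, while media control information is decrypted and re-protected hop by hop under the CSK and SPK. The key values, the HMAC-based DPCK derivation and the encrypt-then-MAC construction are constructed stand-ins, not the 3GPP TS 33.180 algorithms.

```python
import hashlib, hmac, os
# Constructed DPPKs and DPPK-IDs (sample values, not from the specification).
KEYS = {k: os.urandom(16) for k in ("GMK-1", "PCK-1", "CSK-A", "CSK-B", "SPK-1")}

def derive_dpck(dppk_id: str) -> bytes:
    """Clause 10.2 model: DPPK + DPPK-ID -> DPCK. HMAC-SHA256 stands in for the
    3GPP TS 33.180 KDF (an assumption, not the normative function)."""
    return hmac.new(KEYS[dppk_id], b"DPCK|" + dppk_id.encode(), hashlib.sha256).digest()

def _keystream(dpck: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(dpck, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def protect(dppk_id: str, plaintext: bytes) -> dict:
    """Confidentiality + integrity under the DPCK of dppk_id. Toy encrypt-then-MAC
    construction standing in for the 33.180 payload protection (assumption)."""
    dpck, nonce = derive_dpck(dppk_id), os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(dpck, nonce, len(plaintext))))
    tag = hmac.new(dpck, b"tag" + nonce + ct, hashlib.sha256).digest()
    return {"dppk_id": dppk_id, "nonce": nonce, "ct": ct, "tag": tag}

def unprotect(dppk_id: str, blob: dict) -> bytes:
    """Reject the payload if the key id does not match or the integrity tag fails."""
    dpck = derive_dpck(dppk_id)
    tag = hmac.new(dpck, b"tag" + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if blob["dppk_id"] != dppk_id or not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("integrity check failed for " + dppk_id)
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(dpck, blob["nonce"], len(blob["ct"]))))

def media_key(comm: str) -> str:
    """Clause 10.3.2: GMK for group communication, PCK for one-to-one."""
    return "GMK-1" if comm == "group" else "PCK-1"

def client_send(comm: str, media: bytes, ctrl: bytes, csk_id: str) -> dict:
    return {"media": protect(media_key(comm), media), "ctrl": protect(csk_id, ctrl)}

def rekey_ctrl(msg: dict, from_id: str, to_id: str) -> dict:
    """Clauses 10.3.3/10.3.4: a server forwards protected media untouched and
    re-protects only the media control information for the next hop."""
    return {"media": msg["media"], "ctrl": protect(to_id, unprotect(from_id, msg["ctrl"]))}

def end_to_end(comm: str, media: bytes, ctrl: bytes) -> tuple:
    msg = client_send(comm, media, ctrl, "CSK-A")          # originating client
    msg = rekey_ctrl(msg, "CSK-A", "SPK-1")                # participating function, uplink
    msg = rekey_ctrl(msg, "SPK-1", "SPK-1")                # controlling function
    msg = rekey_ctrl(msg, "SPK-1", "CSK-B")                # participating function, downlink
    return unprotect(media_key(comm), msg["media"]), unprotect("CSK-B", msg["ctrl"])
```

The servers in `end_to_end` never hold the GMK or PCK, so an attempt to `unprotect` the media blob with a CSK or SPK raises, which is the property the clause relies on.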