7.1 Overview

3GPP TS 33.179 Release 13: Security of Mission Critical Push To Talk (MCPTT) over LTE

This clause details the procedures for MCPTT users communicating using end-to-end security. This provides assurance to MCPTT users that no unauthorized access to communications is taking place within the MCPTT network. End-to-end communication security can be applied to media and, when operating off-network, to floor and media control signalling.

An MCPTT Key Management Server (KMS) manages the security domain. For any end-point to use or access end-to-end secure communications, it shall be provisioned with key material associated with its identity by the KMS. Through the use of the KMS, MCPTT administrators are able to manage access to communications within the MCPTT network.

NOTE 1: For the purposes of this release, it is assumed that all MCPTT users are within a single security domain managed by a single KMS.

Key provisioning for group calls is performed by a group management server, authorized and provisioned by the KMS. The group management server is responsible for distributing the key material to MCPTT users within the group. With the group security context established, MCPTT users can communicate using end-to-end security.

Prior to protecting group calls during off-network operation, the UE shall acquire the necessary group key material either while operating on-network or through offline provisioning.

NOTE 2: It is a deployment option whether the MCPTT Server is included in the end-to-end security context. Where the MCPTT Server is not included in the security context, it will be unable to mix content on behalf of the users.

Key provisioning for private calls is performed by the initiating UE as the call is set up. This creates an end-to-end security context that is unique to the pair of users involved in the call. With a security context established, it may be used to encrypt media and, when off-network, floor and media control traffic between the end-points.

Prior to protecting private calls during off-network operation, the UE shall acquire the necessary individual key material either while operating on-network or through offline provisioning.

End-to-end security is independent of the transmission path and hence is applicable to both on-network and off-network communications.