E.3 MIKEY message structure for PCK distribution

33.1793GPPRelease 13Security of Mission Critical Push To Talk (MCPTT) over LTETS

Tools: ARFCN - Frequency Conversion for 5G NR/LTE/UMTS/GSM

The MIKEY-SAKKE message shall include the Common Header payload, Timestamp payload, RAND payload, IDRi payload, IDRr payload, IDRkmsi payload, IDRkmsr payload, SAKKE payload and a SIGN (ECCSI) payload. It is recommended that the message also includes a Security Properties payload. Optionally, the message may include a General Extension payload containing a second SAKKE message as described in clause E.5.

In the Common Header payload, the CSB ID field of MIKEY common header shall be the PCK-ID. The CS-ID map type shall be GENERIC-ID as defined in IETF RFC 6043 [25].

The Security Properties payload is used to specify the security properties of private calls using the PCK. Where no security profile is provided, the following default security profile shall be used.

Table E.3-1: MIKEY Group call SRTP Default Profile

SRTP Type	Meaning	Value	Meaning
0	Encryption Algorithm	6	AES-GCM
1	Session encryption key length	16	16 octets
4	Session salt key length	12	12 octets
5	SRTP PRF	0	AES-CM
6	Key derivation rate	0	No session key refresh.
20	AEAD authentication tag length	16	16 octets

Identity payloads shall be IDR payloads as defined in section 6.6 of IETF RFC 6043 [25]. The IDRi payload shall contain the MCPTT ID associated with the initiating user. The IDRr payload shall contain the MCPTT ID associated to the receiving user. The message shall also include IDRkmsi and IDRkmsr that contains the URI of the MCPTT KMS used by the initiating user and terminating user respectively.

NOTE: In some deployments MCPTT IDs within these payloads may treated as private. In this case, the initiating and terminating MCPTT UEs should substitute these private identities for public identities via a privately-defined mapping.

The SAKKE payload shall encapsulate the PCK to the UID generated from the MCPTT ID of the terminating user. The ID Scheme in the SAKKE payload shall be ‘URI Scheme’ to reflect the generation scheme defined in clause F.2.1.

The entire MIKEY message shall be signed by including an SIGN payload providing authentication of initiating user. The signature shall be of type 2 (ECCSI). The signature shall use the UID generated from the MCPTT ID of the initiating user.