5.2.1 Overview of key management

33.1803GPPRelease 17Security of the Mission Critical (MC) serviceTS

Tools: ARFCN - Frequency Conversion for 5G NR/LTE/UMTS/GSM

This clause details the key management procedures for MCX users. It allows entities in MCX systems to establish a security association to support future communications.

The primary purpose of these procedures is to allow MCX entities to communicate with each other using end-to-end security. End-to-end security provides assurance to MCX users that no unauthorized access to communications is taking place within the MCX network. End-to-end communication security may be applied to media when operating on-network and media, floor control, transmission control, and media control when operating off-network.

A security domain is managed by a Key Management Server (KMS). The KMS is a component of the Common Services Core within the MCX system architecture. For any end-point to use or access end-to-end secure communications, it needs to be provisioned with key material associated to its identity by the KMS. Through the use of the KMS, MC administrators are able to manage the use of, and access to, secure communications within the MCX network.

Key provisioning for groups is performed by a Group Management Server (GMS), authorized and provisioned by the KMS. The Group Management Server is responsible for distributing the key material to MCX users within the group. This establishes a group security context. With the group security context established, MCX users can communicate using end-to-end security.

Prior to protecting group communications during off-network operation, the UE shall acquire the necessary group key material either while operating on-network or through off-network provisioning.

NOTE: Void

Key provisioning for private communications is performed by the initiating UE as the communication is setup. This creates an end-to-end security context that is unique to the pair of users involved in the call. With a security context established, it may be used to encrypt media when on-network and, when off-network, media, floor control, transmission control, and media control traffic between the end-points.

Prior to protecting private calls during off-network operation, the UE shall acquire the necessary individual key material either while operating on-network or through off-network provisioning.

The key provisioning procedures described in this specification use common security methodologies for key distribution.