5.4 Key management from MC client to MC server (CSK upload)

33.1803GPPRelease 17Security of the Mission Critical (MC) serviceTS

Tools: ARFCN - Frequency Conversion for 5G NR/LTE/UMTS/GSM

The key (CSK) is distributed from the MCX client to the MCX Server(s) using the ‘CSK upload’ procedure. The procedure shall use the common key distribution mechanism described in clause 5.2.2, transported over the SIP bearer. Identity hiding may be supported as defined in clause 5.2.6. The MCX Server may respond with a KMS Redirect Response (KRR) as described in clause 5.2.8 (e.g. if the MC client has migrated or is roaming).

The initiating entity of the CSK upload procedure shall be the MCX UE and the receiving entity shall be the MCX Server. With respect to the common key distribution procedure, the initiating entity URI shall be the MCX Service user ID of the user andthe receiving entity URI shall be the MCX Server Domain Security Identifier (MDSI). The MDSI is added to the recipient field (IDRr) of the message. The distributed key, K, shall be the CSK and the distributed identifier K-ID shall be the CSK-ID.

Clause E.4 provides MIKEY message structure for CSK distribution.

Before the CSK upload procedure can be used by the client to securely share the encryption key, the MC user shall first be authorized by KMS for key management services. Once the MC user is authorized, the KMS distributes the user’s key material to the client as specified in clause 5.3.3.

The server receives the SIP message with the protected CSK and retrieves it from the message. It associates the MC User’s SIP Core identity (IMPU), MC Service user ID (e.g. MCPTT ID) and the received CSK. Identity binding is used to uniquely identify the CSK used in protection of the SIP payload in subsequent SIP messages sent by both the client and the servers within a MC domain.