Foreword1 Scope2 References3 Definitions and abbreviations4 Overview of Mission Critical Security5 Common mission critical security framework5.1 User authentication and authorization5.2 Key management common elements5.2.1 Overview of key management5.2.2 Common key distribution5.2.3 Key distribution with end-point diversity5.2.4 Key distribution with associated parameters5.2.5 Key distribution with SAKKE-to-self payload5.2.6 Key distribution with identity hiding5.2.7 Key distribution across multiple security domains5.2.8 KMS Redirect Responses (KRRs)5.3 User key management5.4 Key management from MC client to MC server (CSK upload)5.5 Key management between MCX servers (SPK)5.6 Key management for one-to-one (private) communications (PCK)5.7 Key management for group communications (GMK)5.8 Key management from MC server to MC client (Key download)5.10 Void5.11 UE key storage and key persistence6 Supporting security mechanisms7 MCPTT and MCVideo7.1 General7.2 Private communications7.3 Group communications7.4 Key derivation for media7.5 Media protection profile8 MCData9 Signalling protection10 Logging, Audit and Discreet Monitoring11 Interconnection, interworking and migration securityB.1 GeneralB.2 MCX tokensB.3 Client registrationB.4 Obtaining tokensB.5 Refreshing an access tokenB.6 MCX client registration with partner IdM serviceB.7 Obtaining an access token from a partner domainB.8 Security tokensB.9 Access tokens for partner servicesB.10 Using the token to access MCX resource serversB.11 Token validationB.12 Token revocationB.12 IdMS interface securityC.1 Detailed flow for MC user authentication and registration using OpenID ConnectC.2 Detailed flow for inter-domain MC user service authorization using OpenID Connect token exchangeD.1 General aspectsD.2 KMS requestsD.3 KMS responsesD.4 KMS Redirect Response (KRR)E.1 General aspectsE.2 MIKEY message structure for GMK distributionE.3 MIKEY message structure for PCK distributionE.4 MIKEY message structure for CSK and MuSiK distributionE.5 MIKEY general extension payload to support 'SAKKE-to-self'E.6 MIKEY general extension payload to encapsulate parameters associated with a keyE.7 Hiding identities within MIKEY messagesF.1 KDF interface and input parameter constructionF.2 Hash functionsJ.1 Elements for Authenticating RequestsJ.2 Request types and parametersJ.3 Authorisation fieldsK.1 GeneralK.2 LMR E2EEL.1 GeneralL.2 Functional model for the MC Security Gateway (SeGy)L.3 Functions of a MC Security Gateway (SeGy)L.4 Security procedures for the MC Security Gateway (SeGy)L.5 Interworking using a MC Security Gateway B.6 MCX client registration with partner IdM service 33.1803GPPRelease 17Security of the Mission Critical (MC) serviceTS Tools: ARFCN - Frequency Conversion for 5G NR/LTE/UMTS/GSM MCX client registration with a partner IdM service shall be as described in clause B.3.