D.1 General aspects

3GPP TS 33.180, Release 17: Security of the Mission Critical (MC) service

This annex specifies the key management procedures between the KMS and the key management client that allow keys to be provisioned to the key management client based on an identity. It describes the requests and responses for the following provisioning messages:

– KMS Initialize.

– KMS KeyProvision.

– KMS CertCache.

– KMS Cert.

– KMS Discovery Lookup.

– KMS Discovery Upload.

All KMS communications are made via HTTPS. The key management client is provisioned via XML content in the KMS’s response. The XML content is designed to be extensible so that KMS/client providers can add further information to the XML. Where the interface is extended, a different XML namespace should be used (so that the extension may be ignored by non-compatible clients).

It is assumed that transmissions between the KMS and the key management client are secure and that the KMS has authenticated the identity of the key management client.

Additionally, to allow the transmission of key material securely between a secure element within the KMS and a secure element within the key management client, a security extension is defined which allows messages to be signed using the shared Integrity key (InK) or Transport Key (TrK) and key material to be encrypted using a shared Transport Key (TrK). The signature algorithm used to sign a KMS Request message or a KMS Response message shall be HMAC-SHA256 with a signature length of 256.
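
The following added example (not part of the specification) sketches a client that checks an HMAC-SHA256 signature at its full 256-bit length before parsing a response, and then ignores elements from an extension namespace it does not understand. The namespaces, element names and sample body are hypothetical, and computing the signature over the raw body bytes is an assumption made for the sketch, since this clause does not state how the signature is carried.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Hypothetical namespaces and element names, constructed for this example.
BASE_NS = "urn:example:kms-interface"
VENDOR_NS = "urn:example:vendor-extension"

# Constructed sample response body carrying one vendor extension element.
SAMPLE_BODY = (
    f'<KmsResponse xmlns="{BASE_NS}" xmlns:v="{VENDOR_NS}">'
    "<KmsUri>kms.example.org</KmsUri>"
    "<v:Telemetry>on</v:Telemetry>"
    "<UserUri>user@example.org</UserUri>"
    "</KmsResponse>"
).encode()

def sign(key: bytes, body: bytes) -> bytes:
    """HMAC-SHA256 tag, kept at its full 256-bit length."""
    return hmac.new(key, body, hashlib.sha256).digest()

def verify(key: bytes, body: bytes, tag: bytes) -> bool:
    """Reject tags that are not 256 bits, then compare in constant time."""
    if len(tag) * 8 != 256:
        return False
    return hmac.compare_digest(sign(key, body), tag)

def parse_known(body: bytes) -> dict:
    """Return base-namespace child elements; skip other namespaces."""
    root = ET.fromstring(body)
    prefix = "{" + BASE_NS + "}"
    if not root.tag.startswith(prefix):
        raise ValueError("unexpected root namespace")
    return {c.tag[len(prefix):]: c.text
            for c in root if c.tag.startswith(prefix)}

def process(key: bytes, body: bytes, tag: bytes) -> dict:
    """Authenticate first; parse only content that verified."""
    if not verify(key, body, tag):
        raise ValueError("signature check failed")
    return parse_known(body)

if __name__ == "__main__":
    ink = bytes(range(32))  # constructed stand-in for a shared InK
    print(process(ink, SAMPLE_BODY, sign(ink, SAMPLE_BODY)))
```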