D.4 KMS Redirect Response (KRR)

3GPP TS 33.180 Release 17: Security of the Mission Critical (MC) service

D.4.1 General

A KMS Redirect Response is generated by an entity within the MC system either on detection that a KMS URI within a MIKEY I_MESSAGE is not acceptable in the current circumstance, or on receipt of a KRR proposing KMS URIs that cannot be returned to the sender as they stand (in which case a new KRR is generated that embeds the received one).

The entity returns a SIP 488 response ‘Not Acceptable Here’, attaching an XML MIME body to the response. The MIME body shall have content type: ‘application/vnd.3gpp.kmsredirectresponse+xml’. The MIME body shall adhere to the XML schema in Clause D.4.4.

D.4.2 KRR XML signature profile

Signatures should be used to authenticate KRRs. Where supported, senders and processors of KRRs shall support the following XML Signature 1.1 profile as defined in [28]:

Digest: SHA256 (http://www.w3.org/2001/04/xmlenc#sha256)

Signature: ECDSAwithSHA256 (http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256)

Canonicalization: http://www.w3.org/TR/2001/REC-xml-c14n-20010315

KeyInfo: X509 certificate

Verification of the X509 certificate is out of scope of this document.
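Most of the checks a KRR processor should make against this profile are structural and can be done before any cryptography: the algorithms named in SignedInfo, that the single Reference points at the outermost KmsRedirectResponse (and not at an embedded one), that no Transform other than the enveloped-signature Transform is present, that Id values are unique, and that KeyInfo carries X509Data. The checker below is an added example written for this page, not 3GPP code; it uses only the Python standard library, and its sample KRR is constructed, with placeholders in DigestValue, SignatureValue and X509Certificate. Two points go beyond the profile as listed above and are this example's assumptions: it expects exactly one Reference, and it tolerates the enveloped-signature Transform (a same-document Reference to the element that contains the Signature is not computable without it) while rejecting any other Transform. Checking the ECDSA value itself and validating the certificate are left to an XML Signature library and to the out-of-scope certificate policy.

```python
import xml.etree.ElementTree as ET

KRR_NS = "urn:3gpp:ns:mcsecKMSKRR:1.0"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# The algorithm identifiers of the D.4.2 profile.
C14N_10 = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
ECDSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
# Assumption of this example: the only Transform tolerated on the Reference.
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"


def ds(tag):
    """Clark-notation name for an element in the XML Signature namespace."""
    return f"{{{DS_NS}}}{tag}"


# Constructed sample; the base64 fields are placeholders, not real digest/signature values.
SAMPLE_SIGNED_KRR = """<KmsRedirectResponse xmlns="urn:3gpp:ns:mcsecKMSKRR:1.0"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="1.0.0" Id="0123456789abcdef">
  <Time>2018-01-26T11:15:43</Time>
  <KRRCreatorUri>example:processor.2@example.org</KRRCreatorUri>
  <InitiatorUri>example:initiator@example.org</InitiatorUri>
  <InitiatorKmsUri>kms.init.example.org</InitiatorKmsUri>
  <ReceiverUri>example:receiver@example.org</ReceiverUri>
  <ReceiverKmsUri>kms.reject.example.org</ReceiverKmsUri>
  <InitiatorKmsList><ANY></ANY></InitiatorKmsList>
  <ReceiverKmsList><KmsUri>kms.option1.example.org</KmsUri></ReceiverKmsList>
  <Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
      <ds:Reference URI="#0123456789abcdef">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </Signature>
</KmsRedirectResponse>"""


def check_signature_profile(krr_xml):
    """Return the list of deviations of the outermost Signature from the D.4.2 profile.

    An empty list means the Signature is shaped as the profile requires; verifying the
    ECDSA value over the canonicalised SignedInfo and validating the X.509 certificate
    are separate steps that this function deliberately does not perform.
    """
    root = ET.fromstring(krr_xml)
    problems = []
    # The schema declares Signature in the KRR namespace; the nested example in the spec
    # qualifies it with the ds namespace, so both direct children of the root are accepted.
    sig = root.find(f"{{{KRR_NS}}}Signature")
    if sig is None:
        sig = root.find(ds("Signature"))
    if sig is None:
        return ["KRR is unsigned"]
    # A same-document Reference is only unambiguous if Id values are unique in the document.
    ids = [e.get("Id") for e in root.iter() if e.get("Id") is not None]
    if not root.get("Id"):
        problems.append("root KmsRedirectResponse has no Id to reference")
    if len(ids) != len(set(ids)):
        problems.append("duplicate Id attributes (Reference target is ambiguous)")
    si = sig.find(ds("SignedInfo"))
    if si is None:
        return problems + ["Signature has no SignedInfo"]

    def alg(parent, tag):
        e = parent.find(ds(tag))
        return e.get("Algorithm") if e is not None else None

    if alg(si, "CanonicalizationMethod") != C14N_10:
        problems.append("CanonicalizationMethod is not Canonical XML 1.0")
    if alg(si, "SignatureMethod") != ECDSA_SHA256:
        problems.append("SignatureMethod is not ecdsa-sha256")
    refs = si.findall(ds("Reference"))
    if len(refs) != 1:
        problems.append(f"expected exactly one Reference, found {len(refs)}")
    for ref in refs:
        # The signed element must be the outermost KRR, not an embedded one.
        if ref.get("URI") != "#" + (root.get("Id") or ""):
            problems.append("Reference does not cover the outermost KmsRedirectResponse")
        if alg(ref, "DigestMethod") != SHA256:
            problems.append("DigestMethod is not SHA-256")
        if not (ref.findtext(ds("DigestValue")) or "").strip():
            problems.append("empty DigestValue")
        for t in ref.iter(ds("Transform")):
            if t.get("Algorithm") != ENVELOPED:
                problems.append(f"disallowed Transform {t.get('Algorithm')}")
    if not (sig.findtext(ds("SignatureValue")) or "").strip():
        problems.append("empty SignatureValue")
    if sig.find(f"{ds('KeyInfo')}/{ds('X509Data')}") is None:
        problems.append("KeyInfo does not carry X509Data")
    return problems
```

A KRR that fails any of these checks should be discarded before the signature value is even looked at; an unsigned KRR is reported separately so that a deployment can decide whether "should be used" is enforced as "must" on its own interfaces.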

D.4.3 Example XML

In this example, ‘example:initiator@example.org’ has sent a MIKEY I_MESSAGE to ‘example:receiver@example.org’ with KMS ‘kms.reject.example.org’. At some point along the message flow, the KMS used for the receiver is rejected by entity ‘example:processor.1@example.org’. The rejecting entity creates and returns a KRR proposing two KMS URIs for the receiver (‘kms.option1.example.org’ and ‘kms.option2.example.org’). The KRR is received by ‘example:processor.2@example.org’ who rejects one of the proposed KMS URIs and creates a new KRR, embedding the old KRR within the new KRR and updating the list of receiver KMS URIs to the one that is acceptable (‘kms.option1.example.org’).

<?xml version="1.0" encoding="UTF-8"?>
<KmsRedirectResponse xmlns="urn:3gpp:ns:mcsecKMSKRR:1.0"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     Version="1.0.0" Id="0123456789abcdef">
  <Time>2018-01-26T11:15:43</Time>
  <KRRCreatorUri>example:processor.2@example.org</KRRCreatorUri>
  <InitiatorUri>example:initiator@example.org</InitiatorUri>
  <InitiatorKmsUri>kms.init.example.org</InitiatorKmsUri>
  <ReceiverUri>example:receiver@example.org</ReceiverUri>
  <ReceiverKmsUri>kms.reject.example.org</ReceiverKmsUri>
  <InitiatorKmsList>
    <ANY></ANY>
  </InitiatorKmsList>
  <ReceiverKmsList>
    <KmsUri>kms.option1.example.org</KmsUri>
  </ReceiverKmsList>
  <ReceivedKmsRedirectResponse>
    <KmsRedirectResponse Version="1.0.0" Id="001122334455667788">
      <Time>2018-01-26T11:15:40</Time>
      <KRRCreatorUri>example:processor.1@example.org</KRRCreatorUri>
      <InitiatorUri>example:initiator@example.org</InitiatorUri>
      <InitiatorKmsUri>kms.init.example.org</InitiatorKmsUri>
      <ReceiverUri>example:receiver@example.org</ReceiverUri>
      <ReceiverKmsUri>kms.reject.example.org</ReceiverKmsUri>
      <InitiatorKmsList>
        <ANY></ANY>
      </InitiatorKmsList>
      <ReceiverKmsList>
        <KmsUri>kms.option1.example.org</KmsUri>
        <KmsUri>kms.option2.example.org</KmsUri>
      </ReceiverKmsList>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
          <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
          <Reference URI="#001122334455667788">
            <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <DigestValue>…</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>…</SignatureValue>
        <KeyInfo>
          <X509Data>
          </X509Data>
        </KeyInfo>
      </Signature>
    </KmsRedirectResponse>
  </ReceivedKmsRedirectResponse>
  <Signature>
    <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
      <Reference URI="#0123456789abcdef">
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>…</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue xmlns="http://www.w3.org/2000/09/xmldsig#">…</SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data>
      </X509Data>
    </KeyInfo>
  </Signature>
</KmsRedirectResponse>

D.4.4 Example XML schema

This clause contains the XML schema for KMS Redirect Responses:

<?xml version="1.0" encoding="utf-8"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
            xmlns="urn:3gpp:ns:mcsecKMSKRR:1.0"
            targetNamespace="urn:3gpp:ns:mcsecKMSKRR:1.0"
            elementFormDefault="qualified" version="1.0">
  <xsd:import namespace="http://www.w3.org/2000/09/xmldsig#"/>

  <!-- An identifier for this type of response -->
  <xsd:element type="KmsRedirectResponseType" name="KmsRedirectResponse"/>

  <xsd:complexType name="KmsRedirectResponseType">
    <xsd:sequence>
      <!-- The date and time -->
      <xsd:element type="xsd:dateTime" name="Time" minOccurs="1" maxOccurs="1"/>
      <!-- The identity of the KRR creator. -->
      <xsd:element type="xsd:anyURI" name="KRRCreatorUri" minOccurs="1" maxOccurs="1"/>
      <!-- The MIKEY initiating identity used within the MIKEY message (IDRi). -->
      <xsd:element type="xsd:anyURI" name="InitiatorUri" minOccurs="1" maxOccurs="1"/>
      <!-- The MIKEY initiating KMS URI used within the MIKEY message (IDRkmsi). -->
      <xsd:element type="xsd:anyURI" name="InitiatorKmsUri" minOccurs="1" maxOccurs="1"/>
      <!-- The MIKEY receiving identity used within the MIKEY message (IDRr). -->
      <xsd:element type="xsd:anyURI" name="ReceiverUri" minOccurs="1" maxOccurs="1"/>
      <!-- The MIKEY receiving KMS URI used within the MIKEY message (IDRkmsr). -->
      <xsd:element type="xsd:anyURI" name="ReceiverKmsUri" minOccurs="1" maxOccurs="1"/>
      <!-- The initiator list containing a list of acceptable KMS URIs (list of IDRkmsi's). -->
      <xsd:element name="InitiatorKmsList" type="KmsUriListType" minOccurs="1" maxOccurs="1"/>
      <!-- The receiver list containing a list of acceptable KMS URIs (list of IDRkmsr's). -->
      <xsd:element name="ReceiverKmsList" type="KmsUriListType" minOccurs="1" maxOccurs="1"/>
      <!-- An embedded received KRR (optional, used if the KRR is generated from a received KRR). -->
      <xsd:element name="ReceivedKmsRedirectResponse" type="ReceivedKmsRedirectResponseType" minOccurs="0" maxOccurs="1"/>
      <!-- Allow extensions -->
      <xsd:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
      <!-- A signature (using the originating identity) over the entire message (optional, but recommended). -->
      <xsd:element name="Signature" type="ds:SignatureType" minOccurs="0"/>
    </xsd:sequence>
    <xsd:attribute name="Id" type="xsd:string"/>
    <xsd:attribute name="Version" type="xsd:string" fixed="1.0.0"/>
    <xsd:anyAttribute namespace="##other" processContents="lax"/>
  </xsd:complexType>

  <xsd:complexType name="KmsUriListType">
    <xsd:sequence>
      <xsd:choice maxOccurs="1">
        <xsd:sequence>
          <xsd:element type="xsd:string" name="ANY" fixed=""/>
        </xsd:sequence>
        <xsd:sequence>
          <xsd:element type="xsd:anyURI" name="KmsUri" minOccurs="0" maxOccurs="unbounded"/>
        </xsd:sequence>
      </xsd:choice>
      <xsd:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
    </xsd:sequence>
    <xsd:anyAttribute namespace="##other" processContents="lax"/>
  </xsd:complexType>

  <xsd:complexType name="ReceivedKmsRedirectResponseType">
    <xsd:sequence>
      <xsd:element name="KmsRedirectResponse" type="KmsRedirectResponseType" minOccurs="1" maxOccurs="1"/>
    </xsd:sequence>
  </xsd:complexType>
</xsd:schema>

Annex E (normative):
MIKEY message formats for media security