E.3 MIKEY message structure for PCK distribution
3GPP TS 33.180 Release 17: Security of the Mission Critical (MC) service
E.3.1 General
In the Common Header payload, the CSB ID field of MIKEY common header shall be the PCK-ID.
Where no crypto sessions are included in the payload (CS# is 0), the default security profile defined in Annex E.3.2 shall be used, and no Security Properties payload (SP) is required. The profile in Annex E.3.2 is mandatory to support.
Identity payloads shall be IDR payloads as defined in section 6.6 of IETF RFC 6043 [25]. The IDRi payload shall contain the MC Service user ID associated with the initiating user. The IDRr payload shall contain the MC Service user ID associated with the receiving user. The message shall also include IDRkmsi and IDRkmsr payloads that contain the URI of the KMS used by the initiating user and the terminating user respectively.
NOTE: In some deployments MC Service user IDs (i.e. MCPTT ID, MCVideo ID, MCData ID) within these payloads may be treated as private. In this case, these identities may be hidden using the mechanism in clause E.7.
The SAKKE payload shall encapsulate the PCK to the UID generated from the MC Service user ID of the terminating user. The ID Scheme in the SAKKE payload shall be ‘URI Scheme’ to reflect the generation scheme defined in clause F.2.1.
A SAKKE-to-SELF payload may be included. It is recommended that where the PCK is being transported beyond a single MC system, the message should include a SAKKE-to-SELF payload as described in clause E.5.
The signature shall use the UID generated from the MC Service user ID of the initiating user.
E.3.2 Default SRTP security profile for PCK
The default security profile is used to support MCPTT and MCVideo communications. It defines the mandatory-to-support security settings for distribution and use of the PCK. It is the profile that should be used when no information (crypto session information or security policies) is provided in the MIKEY message.
The CS-ID (for input into the MIKEY PRF) shall be ‘0’ for the MCPTT session from the initiator, ‘1’ for MCPTT session from the receiver, ‘2’ for the MCVideo session from the initiator and ‘3’ for the MCVideo session from the receiver.
The Security Policies are shown in Table E.3.2-1.
Table E.3.2-1: MIKEY Private call SRTP Default Profile
SRTP Type | Meaning | Value | Meaning
0 | Encryption Algorithm | 6 | AES-GCM
1 | Session encryption key length | 16 | 16 octets
4 | Session salt key length | 12 | 12 octets
5 | SRTP PRF | 0 | AES-CM
6 | Key derivation rate | 0 | No session key refresh
20 | AEAD authentication tag length | 16 | 16 octets
E.3.3 Providing a SRTP security profile for PCK use
Should a security profile be provided by the initiator, the mapping is provided in a GENERIC-ID component of the MIKEY HDR. The CS-ID shall be ‘0’ for the MCPTT session from the initiator, ‘1’ for MCPTT session from the receiver, ‘2’ for the MCVideo session from the initiator and ‘3’ for the MCVideo session from the receiver. Consequently, the CS# shall be between 1 and 4 inclusive. The ‘Prot Type’ shall be ‘0’ (SRTP).
In each GENERIC-ID crypto session, ‘#P’ shall be 1 (a single security policy shall be referenced). It is recommended that the ‘Session Data length’ be ‘0’, as SSRCs do not need to be provided. The MKI (PCK-ID) may be included in the SPI field.
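As an added worked example (not code from TS 33.180 or from any 3GPP implementation), the following Python builds and parses the GENERIC-ID crypto session map described in E.3.3 and enforces its constraints (CS-ID 0 to 3, CS# 1 to 4, Prot Type 0, #P = 1, Session Data length 0, PCK-ID carried as the SPI). The octet layout of each entry is my reading of RFC 6043 section 6.1.1 and is an assumption of this example; the policy number and PCK-ID values are constructed.

```python
import struct

# Constructed example, not code from TS 33.180: builds the MIKEY GENERIC-ID
# crypto session map that E.3.3 requires for a private call and checks its
# constraints. The octet layout (CS ID 8 bits, Prot type 8 bits, S 1 bit,
# #P 7 bits, policy numbers, Session Data Length 16 bits, SPI Length 8 bits,
# SPI) is my reading of RFC 6043 section 6.1.1 and is an assumption here.

PROT_TYPE_SRTP = 0
CS_ID = {("MCPTT", "initiator"): 0, ("MCPTT", "receiver"): 1,   # E.3.2/E.3.3
         ("MCVideo", "initiator"): 2, ("MCVideo", "receiver"): 3}


def generic_id_entry(cs_id: int, policy_no: int, pck_id: bytes) -> bytes:
    """One GENERIC-ID crypto session: #P=1, no session data, PCK-ID as SPI."""
    if cs_id not in CS_ID.values():
        raise ValueError(f"CS-ID {cs_id} is not one of 0..3")
    if len(pck_id) > 0xFF:
        raise ValueError("SPI (PCK-ID) longer than 255 octets")
    flags = (0 << 7) | 1                       # S=0 (no session data), #P=1
    head = struct.pack("!BBBB", cs_id, PROT_TYPE_SRTP, flags, policy_no)
    session = struct.pack("!H", 0)             # Session Data Length 0: no SSRCs
    return head + session + struct.pack("!B", len(pck_id)) + pck_id


def crypto_session_map(sessions, policy_no: int, pck_id: bytes) -> bytes:
    """Map for the listed (service, direction) sessions; CS# must be 1..4."""
    cs_ids = sorted({CS_ID[s] for s in sessions})
    if not 1 <= len(cs_ids) <= 4:
        raise ValueError("CS# must be between 1 and 4 inclusive")
    return b"".join(generic_id_entry(c, policy_no, pck_id) for c in cs_ids)


def parse_map(data: bytes) -> list:
    """Decode a map back into (cs_id, prot_type, policies, spi) tuples."""
    out, i = [], 0
    while i < len(data):
        cs_id, prot, n_p = data[i], data[i + 1], data[i + 2] & 0x7F
        policies = list(data[i + 3:i + 3 + n_p])
        i += 3 + n_p
        sd_len = struct.unpack("!H", data[i:i + 2])[0]
        i += 2 + sd_len                        # skip session data (SSRCs)
        spi = data[i + 1:i + 1 + data[i]]
        i += 1 + len(spi)
        out.append((cs_id, prot, policies, spi))
    return out
```

A receiver that only implements the default profile can use parse_map to confirm that every entry references a single policy and that the SPI matches the PCK-ID carried in the CSB ID before accepting the message.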