L.3 Functions of a MC Security Gateway (SeGy)

33.1803GPPRelease 17Security of the Mission Critical (MC) serviceTS

Tools: ARFCN - Frequency Conversion for 5G NR/LTE/UMTS/GSM

L.3.1 Components of a MC Security Gateway (SeGy)

At a high-level, the MC Security gateway is composed of four components:

– Pseudo KMS.

– Pseudo GMS.

– Pseudo MCX Server(s).

– Pseudo MC clients.

The term "pseudo" in this case is used to indicate that the security functionality of these components shall be implemented as part of a SeGy however physical entities and servers (i.e. KMS, GMS, MC service servers and MC clients) are not required. The method used to implement a pseudo KMS, GMS, MC service server or MC clients and associated key material within a SeGy is left to the manufacturer and is outside the scope of 3GPP. These components are shown in Figure L.3.1-1.

Figure L.3.1-1: Components of a MC Security Gateway (SeGy)

L.3.2 Pseudo KMS

The SeGy contains a KMS function. This establishes the SeGy as containing its own security domain (Security Domain X). The Pseudo KMS does not perform key management functions with any clients, but allows the SeGy to represent external system functions and users as members of the SeGy’s security domain within the 3GPP MC System.

The Pseudo KMS shall cross-sign with KMSs in partner protected MC systems that use the SeGy. This means that the SeGy’s KMS Certificate shall be provided to the KMS in a partner protected MC system (and vice-versa). As a consequence of cross-signing, users in partner security domains will be able to securely communicate with (external users and groups represented by) the SeGy. As cross-signing is a manual process, no communication is required between KMSs in partner protected MC systems and the SeGy’s pseudo KMS.

The SeGy shall create a KMS Certificate as defined in Annex D. The KMS Certificate generated by the SeGy shall include the information that the Certificate originates from an MC Security Gateway. The SeGy’s KMS Certificate represents the security domain for the external users that use the SeGy’s unencrypted interface and the pseudo network entities within the SeGy itself. This type of KMS Certificate is known as a SeGy KMS Certificate. The use of a SeGy KMS Certificate ensures that 3GPP MC systems and 3GPP MC clients that use the SeGy are aware that a gateway is in use. A visual reference shall be provided to MC users when communicating with a user whose KMS URI corresponds to a SeGy.

In partner systems, the Pseudo KMS shall never be a Migration KMS, but shall be an External KMS.

L.3.3 Pseudo GMS

Should the MC Security Gateway support group communications, the SeGy shall contain a Pseudo GMS. The SeGy’s GMS will perform the security functionality of a GMS towards partner GMSs on the encrypted interface. In terms of security, the SeGy GMS will create and add GMKs to Notification messages sent to GMSs in partner protected systems. The SeGy GMS will also receive GMKs from within Notification messages sent by GMSs in partner protected systems. Specifically, on the encrypted interface the SeGy:

– Shall support inter-GMS GMK distribution functionality defined in Clauses 5.7 and 11.1.2.2.

– May support verification of EAR elements attached to incoming signalling messages from external security domains as defined in Clause 9.6.

– May support attaching EAR elements to outgoing signalling messages as defined in Clause 9.6.

The SeGy is able to sign and encrypt messages on the encrypted interface as the pseudo GMS using key material provided by the SeGy’s Pseudo KMS.

L.3.4 Pseudo MCX Server or IS Proxy

The SeGy performs the security functions of an IS Proxy (or equivalently, the MCX Server) towards protected MC systems. Specifically, the on the encrypted interface SeGy may:

– Establish and use a SPK with protected MC systems as defined in Clauses 5.5 and 9.

– Verify EAR elements attached to incoming signalling messages from external security domains as defined in Clause 9.6.

– Attach EAR elements to outgoing signalling messages as defined in Clause 9.6.

The SeGy is able to sign and encrypt messages as the IS Proxy using key material provided by the Pseudo KMS.

L.3.5 Pseudo MC clients

For each client in an external or unprotected MC system that uses the SeGy’s unenrypted interface, the SeGy performs the security functions of an MC client on behalf of the external user. As an external user is signalled from the protected MC system, or sends signalling from within the unprotected MC system, the SeGy creates security credentials on behalf of the user using the Pseudo KMS. Consequently, any group or private communications directed towards a user in the unprotected MC system can be decrypted by the SeGy. Unencrypted communications can then be sent towards the client in the unprotected MC system over the unencrypted interface.

Specifically, on the encrypted interface the SeGy:

– Shall support end-to-end security functionality for MCPTT, MCVideo and MCData defined in Clauses 7 and 8.

– May support verification of EAR elements attached to incoming signalling messages from external security domains as defined in Clause 9.6.

– May support attaching EAR elements to outgoing signalling messages as defined in Clause 9.6.