Content for TS 23.434 Word version: 18.5.0

0… 4… 5 6… 6.4… 6.5… 6.5.3… 7… 8… 8.2.2… 9… 9.3… 9.3.2.21… 9.3.3… 9.3.6… 9.3.11… 9.3.13… 9.3.14… 9.4… 9.4.6… 9.5… 10… 10.3… 10.3.2.22… 10.3.3… 10.3.7… 10.3.10… 10.4… 11… 11.3… 11.3.3… 11.4… 12… 12.3… 13… 14… 14.2.2.2… 14.3… 14.3.2.20… 14.3.2.40… 14.3.3… 14.3.3.3… 14.3.4… 14.3.4.6 14.3.4.7… 14.3.4A… 14.3.4A.3… 14.3.4A.4… 14.3.4A.6… 14.3.4A.8… 14.3.4A.9… 14.3.4A.10… 14.3.5… 14.3.6… 14.3.9… 14.3.12… 14.4… 15… 16… 17… 18… A B…

13.1 General 13.2 Functional model for key management 13.2.1 General 13.2.2 On-network functional model description 13.2.3 Off-network functional model description 13.2.4 Functional entities description 13.2.4.1 General 13.2.4.2 Key management client 13.2.4.3 Key management server 13.2.5 Reference points description 13.2.5.1 General 13.2.5.2 KM-UU 13.2.5.3 KM-PC5 13.2.5.4 KM-C 13.2.5.5 KM-S 13.2.5.6 KM-E 13.2.5.7 SEAL-X1 13.3 Procedures and information flows for key management 13.3.1 Information flows 13.3.1.1 VAL server provisioning request 13.3.1.2 VAL server provisioning response 13.3.2 VAL server provisioning for key management service 13.4 SEAL APIs for key management 13.4.1 General 13.4.3 SS_KmParameterProvisioning API
...

13 Key management p. 143

13.1 General p. 143

The key management is a SEAL service that offers the key management related capabilities to one or more vertical applications.

13.2 Functional model for key management p. 143

The functional model for the key management is based on the generic functional model specified in clause 6. It is organized into functional entities to describe a functional architecture which addresses the support for key management aspects for vertical applications. The on-network and off-network functional model is specified in this clause.

13.2.2 On-network functional model description p. 143

Figure 13.2.2-1 illustrates the generic on-network functional model for key management.

Reproduction of 3GPP TS 23.434, Fig. 13.2.2-1: On-network functional model for key management

Figure 13.2.2-1: On-network functional model for key management

The key management client communicates with the key management server over the KM-UU reference point. The key management client provides the support for key management functions to the VAL client(s) over KM-C reference point. The VAL server(s) communicate with the key management server over the KM-S reference point.

13.2.3 Off-network functional model description p. 144

Figure 13.2.3-1 illustrates the off-network functional model for key management.

Reproduction of 3GPP TS 23.434, Fig. 13.2.3-1: Off-network functional model for key management

Figure 13.2.3-1: Off-network functional model for key management

The key management client of the UE1 communicates with the key management client of the UE2 over the KM-PC5 reference point.

13.2.4 Functional entities description p. 144

13.2.4.1 General p. 144

The functional entities for key management SEAL service are described in the following subclauses.

13.2.4.2 Key management client p. 144

The key management functional entity acts as the application client for key management functions. It interacts with the key management server. The key management client also supports interactions with the corresponding key management client between the two UEs.

13.2.4.3 Key management server p. 145

The key management server is a functional entity that stores and provides security related information (e.g. encryption keys) to the key management client, group management server and vertical application server to achieve the security goals of confidentiality and integrity of media and signalling. The key management server acts as CAPIF's API exposing function as specified in TS 23.222. The key management server also supports interactions with the corresponding key management server in distributed SEAL deployments.

13.2.5 Reference points description p. 145

13.2.5.1 General p. 145

The reference points for the functional model for key management are described in the following subclauses.

13.2.5.2 KM-UU p. 145

The interactions related to key management functions between the key management client and the key management server are supported by KM-UU reference point. This reference point utilizes Uu reference point as described in TS 23.401 and TS 23.501.

KM-UU reference point provides a means for the key management server to provide security related information (e.g. encryption keys) to the key management client. The KM-UU reference point shall use the HTTP-1 and HTTP-2 signalling control plane reference points for transport and routing of security related information to the key management client.

13.2.5.3 KM-PC5 p. 145

The interactions related to key management functions between the key management clients located in different VAL UEs are supported by KM-PC5 reference point. This reference point utilizes PC5 reference point as described in TS 23.303.

13.2.5.4 KM-C p. 145

The interactions related to key management functions between the VAL client(s) and the key management client within a VAL UE are supported by KM-C reference point.

13.2.5.5 KM-S p. 145

The interactions related to key management functions between the VAL server(s) and the key management server are supported by KM-S reference point. This reference point is an instance of CAPIF-2 reference point as specified in TS 23.222.

KM-S reference point provides a means for the key management server to provide security related information (e.g. encryption keys) to the VAL server. The KM-S reference point shall use the HTTP-1 and HTTP-2 signalling control plane reference points for transport and routing of security related information to the VAL server.

13.2.5.6 KM-E p. 145

The interactions related to key management functions between the key management servers in a distributed deployment are supported by KM-E reference point.

13.2.5.7 SEAL-X1 p. 146

13.3 Procedures and information flows for key management p. 146

13.3.1 Information flows |R18| p. 146

13.3.1.1 VAL server provisioning request p. 146

Table 13.3.1.1-1 describes the information flow from the VAL server to the key management server for providing provisioning configuration.

Table 13.3.1.1-1: VAL server provisioning request

Information element	Status	Description
Requester Identity	M	The identity of the VAL server performing the request.
List of VAL service specific information	M	Provides the list of VAL service specific information.
> VAL service ID	M	Identify of the VAL service for which the configuration information is provided.
> key-format	M	Provides the format and content of a key management record.

13.3.1.2 VAL server provisioning response p. 146

Table 13.3.1.2-1 describes the information flow from the key management server to the VAL server as a response for providing provisioning configuration.

Table 13.3.1.2-1: VAL server provisioning response

Information element	Status	Description
Result	M	Indicates success or failure of the request

13.3.2 VAL server provisioning for key management service |R18| p. 146

13.3.2.1 General p. 146

The high level procedure for VAL server to provision required information to SEAL key management server in order to provide the format and content of a key management record is described in the following subclause.

13.3.2.2 Procedure p. 146

The procedure for VAL server to provision required information to SEAL key management server in order to support VAL user authentication is illustrated in Figure 13.3.2.2-1.

Reproduction of 3GPP TS 23.434, Fig. 13.3.2.2-1: VAL Server provisioning to SEAL Key Management Server

Figure 13.3.2.2-1: VAL Server provisioning to SEAL Key Management Server

Step 1.

The VAL server sends a request message to key management server to provision required information. The request message includes identity of the VAL server, endpoint information of the VAL server, security credentials of the VAL server, and service provider specific information like key format per VAL service.

Step 2.

Upon receiving the request, the key management server authorizes the request based on the security credentials provided in the request and considering the service level agreement between VAL service provider and SEAL service provider. If VAL server is authorized to use the SEAL service, then the key management server stores the details about the VAL server including the key format per VAL service. The key management server sends the response message to the VAL server.

13.4 SEAL APIs for key management p. 147

13.4.1 General p. 147

Table 13.4.1-1 illustrates the SEAL APIs for key management.

Table 13.4.1-1: List of SEAL APIs for key management

API Name	API Operations	Known Consumer(s)	Communication Type
SS_KmParameterProvisioning	Provide_Configuration	VAL server	Request /Response

The other SEAL APIs for Key Management are specified in subclauses 5.7.1 and 7.6.1 of TS 29.549.

13.4.3.1 General p. 148

API description:

This API enables the VAL server to provision configuration for the VAL service to the SEAL KM-S.

13.4.3.2 Provide_Configuration operation p. 148

API operation name:

Provide_Configuration

Description:

Provisioning of VAL service configuration to IM-S.

Known Consumers:

VAL server.

Inputs:

See subclause 13.3.2.1

Outputs:

See subclause 13.3.2.2

See subclause 13.3.1.2 for the details of usage of this API operation.