
TS 33.180, Word version 17.8.0

1  Scope

The present document specifies the security architecture, procedures and information flows needed to protect the mission critical service (MCX). The architecture includes mechanisms to protect the Common Functional Architecture and security mechanisms for mission critical applications. This includes Push-To-Talk (MCPTT), Video (MCVideo) and Data (MCData). Additionally, security mechanisms relating to on-network use, off-network use, roaming, migration, interconnection, interworking and multiple security domains are described.
This specification complements the Common Functional Architecture defined in TS 23.280, the functional architecture for MCPTT defined in TS 23.379, the functional architecture for MCVideo defined in TS 23.281, the functional architecture for MCData defined in TS 23.282 and mission critical services using 5GS in TS 23.289.
The MC service can be used for public safety applications and also for general commercial applications e.g. utility companies and railways. As the security model is based on the public safety environment, some MC security features may not be applicable for commercial purposes.

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1] TR 21.905: "Vocabulary for 3GPP Specifications".
[2] TS 23.379: "Functional architecture and information flows to support Mission Critical Push To Talk (MCPTT); Stage 2".
[3] TS 22.179: "Mission Critical Push To Talk (MCPTT); Stage 1".
[4] TS 33.210: "3G security; Network Domain Security (NDS); IP network layer security".
[5] TS 33.310: "Network Domain Security (NDS); Authentication Framework (AF)".
[6] TS 33.203: "3G security; Access security for IP-based services".
[7] TS 33.179 (Release 13): "Security of Mission Critical Push To Talk (MCPTT) over LTE".
[8] TS 33.328: "IP Multimedia Subsystem (IMS) media plane security".
[9] RFC 6507: "Elliptic Curve-Based Certificateless Signatures for Identity-Based Encryption (ECCSI)".
[10] RFC 6508: "Sakai-Kasahara Key Encryption (SAKKE)".
[11] RFC 6509: "MIKEY-SAKKE: Sakai-Kasahara Key Encryption in Multimedia Internet KEYing (MIKEY)".
[12] RFC 3550: "RTP: A Transport Protocol for Real-Time Applications".
[13] RFC 3711: "The Secure Real-time Transport Protocol (SRTP)".
[14] TS 33.401: "3GPP System Architecture Evolution (SAE); Security architecture".
[15] TS 23.228: "IP Multimedia Subsystem (IMS); Stage 2".
[16] TS 33.222: "Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS)".
[17] TS 33.220: "Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA)".
[18] NIST FIPS 180-4: "Secure Hash Standard (SHS)".
[19] RFC 6749: "The OAuth 2.0 Authorization Framework".
[20] RFC 6750: "The OAuth 2.0 Authorization Framework: Bearer Token Usage".
[21] OpenID Connect 1.0: "OpenID Connect Core 1.0 incorporating errata set 1", http://openid.net/specs/openid-connect-core-1_0.html.
[22] RFC 3830: "MIKEY: Multimedia Internet KEYing".
[23] RFC 3602: "The AES-CBC Cipher Algorithm and Its Use with IPsec".
[24] RFC 4771: "Integrity Transform Carrying Roll-Over Counter for the Secure Real-time Transport Protocol (SRTP)".
[25] RFC 6043: "MIKEY-TICKET: Ticket-Based Modes of Key Distribution in Multimedia Internet KEYing (MIKEY)".
[26] RFC 7714: "AES-GCM Authenticated Encryption in the Secure Real-time Transport Protocol (SRTP)".
[27] W3C: "XML Encryption Syntax and Processing Version 1.1", https://www.w3.org/TR/xmlenc-core1/.
[28] W3C: "XML Signature Syntax and Processing (Second Edition)", http://www.w3.org/TR/xmldsig-core/.
[29] RFC 5905: "Network Time Protocol Version 4: Protocol and Algorithms Specification".
[30] RFC 5480: "Elliptic Curve Cryptography Subject Public Key Information".
[31] RFC 6090: "Fundamental Elliptic Curve Cryptography Algorithms".
[32] RFC 7519: "JSON Web Token (JWT)".
[33] RFC 7662: "OAuth 2.0 Token Introspection".
[34] RFC 3394: "Advanced Encryption Standard (AES) Key Wrap Algorithm".
[35] RFC 7515: "JSON Web Signature (JWS)".
[36] TS 23.280: "Common functional architecture to support mission critical services; Stage 2".
[37] TS 23.281: "Functional architecture and information flows for mission critical video; Stage 2".
[38] TS 23.282: "Functional model and information flows for Mission Critical Data".
[39] TS 23.002: "Network Architecture".
[40] RFC 2045: "Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies".
[41] RFC 2392: "Content-ID and Message-ID Uniform Resource Locators".
[42] NIST Special Publication 800-38D: "Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC".
[43] RFC 5116: "An Interface and Algorithms for Authenticated Encryption".
[45] RFC 7521: "Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants".
[46] RFC 7523: "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants".
[47] TS 22.280: "Mission Critical Services Common Requirements; Stage 1".
[48] TS 23.283: "Mission Critical Communication Interworking with Land Mobile Radio Systems; Stage 2".
[49] TS 24.379: "Mission Critical Push To Talk (MCPTT) call control; Protocol specification".
[50] TS 24.282: "Mission Critical Data (MCData) signalling control; Protocol specification".
[51] RFC 3711 Errata ID 3712, https://www.rfc-editor.org/errata/eid3712.
[52] IANA: "Multimedia Internet KEYing (MIKEY) Payload Name Spaces", https://www.iana.org/assignments/mikey-payloads/mikey-payloads.xhtml.
[53] RFC 7636: "Proof Key for Code Exchange by OAuth public clients".
[54] TS 23.289: "Mission Critical services over 5G System; Stage 2".
[55] TS 33.501: "Security architecture and procedures for 5G System".

3  Definitions and abbreviations

3.1  Definitions

For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
Authorised Identity: An application identity given to an authorised user or network entity (e.g. an MC Service ID) that carries authorisation information.
External KMS: The KMS that is the root of trust for a specific External Security Domain.
External Security Domain: A security domain of which the user is not a member, but with which the user may communicate.
Floor: Floor(x) is the largest integer smaller than or equal to x.
Home KMS: The KMS that is the root of trust of the Home Security Domain.
Home Security Domain: The MCX user's primary security domain.
Identity Management Domain: The MC clients and MC functions that share an Identity Management Server (IdMS). Specifically, the MC clients request access tokens from the same primary IdMS, and the MC functions accept access tokens issued by that IdMS.
KMS Certificate: A certificate containing the security parameters for a security domain. It is required to support identity-based cryptography and differs from the X.509 certificates used in traditional PKI. See Annex D.3.1 for details.
KMS URI: A unique identifier for a security domain or, equivalently, for a logical KMS.
MCX: Mission critical services, where "MCX" may be substituted with the term "MCPTT", "MCVideo", "MCData", or any combination thereof.
Migration KMS: The KMS that is the root of trust of a specific Migration Security Domain.
Migration Security Domain: A security domain of which a user is a (temporary) member, and for which the user may be keyed, but which is not the user's Home Security Domain.
Partner domain: A secondary MC domain which may support MC services for MC users whose home is a different MC domain. See also External Security Domain.
Primary domain: The "home" MC domain where MC users receive their primary identity management and MC services. See also Home Security Domain.
Privileged signalling: Signalling performed by an authorised user that allows the authorised user to cause an intrusive action on a target client without the target user's permission.
Security Domain: A group of MCX users who share common security requirements and policies for their communications. From a technical perspective, users within a security domain share a KMS and a KMS certificate. MCX users may be members of one or more security domains.

3.2  Abbreviations

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
CMS	Configuration Management Server
CS	Crypto Session
CSB-ID	Crypto Session Bundle Identifier
CSC	Common Services Core
CSK	Client-Server Key
CSK-ID	Client-Server Key Identifier
DPCK	MCData Payload Cipher Key
DPPK	MCData Payload Protection Key
DPPK-ID	MCData Payload Protection Key Identifier
GBA	Generic Bootstrapping Architecture
GMK	Group Master Key
GMK-ID	Group Master Key Identifier
GMS	Group Management Server
GUK-ID	Group User Key Identifier
IdM	Identity Management
IdMS	Identity Management Server
InK	Integrity Key
InK-ID	Integrity Key Identifier
InterKMRec	Interworking Key Management Record
InterKMRec-ID	Interworking Key Management Record Identifier
InterSD	Interworking Security Data
IWF	InterWorking Function
JSON	JavaScript Object Notation
JWS	JSON Web Signature
JWT	JSON Web Token
KDF	Key Derivation Function
KFC	Key For Control Signalling
KFC-ID	Key For Control Signalling Identifier
KMS	Key Management Server
MBCP	Media Burst Control Protocol
MCData	Mission Critical Data
MCPTT	Mission Critical Push to Talk
MCVideo	Mission Critical Video
MCX	Mission Critical Services
MKFC	Multicast Key for Floor Control
MSCCK	MBMS subchannel control key
MSRP	Message Session Relay Protocol
MuSiK	Multicast Signalling Key
MKI	Master Key Identifier
NTP	Network Time Protocol
NTP-UTC	Network Time Protocol - Coordinated Universal Time
OIDC	OpenID Connect
PCK	Private Call Key
PCK-ID	Private Call Key Identifier
PKCE	Proof Key for Code Exchange
PSK	Pre-Shared Key
SEG	Security Gateway (NDS/IP, TS 33.210)
SeGy	Security Gateway
SPK	Signalling Protection Key
SRTCP	Secure Real-Time Transport Control Protocol
SRTP	Secure Real-Time Transport Protocol
SSRC	Synchronization Source
TBCP	Talk Burst Control Protocol
TGK	TEK Generation Key (as defined in RFC 3830)
TrK	KMS Transport Key
TrK-ID	KMS Transport Key Identifier
UID	User Identifier for MIKEY-SAKKE (referred to as the 'Identifier' in RFC 6509)
XPK	XML Protection Key