Content for TS 33.328 Word version: 17.1.0
0 Introduction
1 Scope
2 References
3 Definitions, symbols and abbreviations
3.1 Definitions
3.2 Symbols
3.3 Abbreviations
...
...
0 Introduction p. 8
With Common IMS it has become possible to use IMS over a wide variety of access networks. These access networks provide security of varying strengths, or, in some cases, no security at all. It is therefore desirable to have a standard for IMS media plane security, which provides uniform protection of IMS media against eavesdropping and undetected modification across access networks. Furthermore, media transport in the core network, although generally less vulnerable than in the access network, may also be realised in varying ways with different guarantees of protection. It is therefore also desirable to have a standard for IMS media plane security, which guarantees protection of IMS media against eavesdropping and undetected modification in an end-to-end (e2e) fashion between two terminal devices.
1 Scope p. 9
The present document presents IMS media plane security for RTP and MSRP based media as well as security for BFCP as used in IMS conferencing. The security mechanisms are designed to meet the following three main objectives:
- to provide security for media usable across all access networks
- to provide an end-to-end (e2e) media security solution for RTP based media to satisfy major user categories
- to provide end-to-end (e2e) media security for important user groups like enterprises, National Security and Public Safety (NSPS) organizations and different government authorities who may have weaker trust in the inherent IMS security and/or may desire to provide their own key management service.
2 References p. 9
The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
- References are either specific (identified by date of publication, edition number, version number, etc.) or non specific.
- For a specific reference, subsequent revisions do not apply.
- For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1]
TR 21.905: "Vocabulary for 3GPP Specifications".
[2]
TS 23.002: "Network architecture".
[3]
TS 23.228: "IP Multimedia (IM) Subsystem".
[4]
TS 33.203: "3G Security; Access security for IP-based services".
[5]
TS 33.210: "3G Security; Network domain security; IP network layer security".
[6]
TS 33.220: "Generic Authentication Architecture (GAA); Generic bootstrapping architecture".
[7]
RFC 1035: "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION".
[8]
RFC 2616: "Hypertext Transfer Protocol -- HTTP/1.1".
[9]
RFC 3711: "The Secure Real-time Transport Protocol (SRTP)".
[10]
RFC 3550: "RTP: A Transport Protocol for Real-Time Applications".
[11]
RFC 3830: "MIKEY: Multimedia Internet KEYing".
[12]
RFC 4567: "Key Management Extensions for Session Description Protocol (SDP) and Real Time Streaming Protocol (RTSP)".
[13]
RFC 4568: "Session Description Protocol (SDP) Security Descriptions for Media Streams".
[14]
RFC 6043: "MIKEY-TICKET: Ticket-Based Modes of Key Distribution in Multimedia Internet KEYing (MIKEY)".
[15]
RFC 4771: "Integrity Transform Carrying Roll-Over Counter for the Secure Real-time Transport Protocol (SRTP)".
[16]
Otway, D. and Rees, O. 1987: "Efficient and timely mutual authentication." SIGOPS Oper. Syst. Rev. 21, 1 (Jan. 1987), 8-10.
[17] Void
[18]
TS 24.229: "IP multimedia call control protocol based on Session Initiation Protocol (SIP) and Session Description Protocol (SDP)".
[19]
TS 24.109: "Bootstrapping interface (Ub) and network application function interface (Ua); Protocol details".
[20]
TS 29.162: "Interworking between the IM CN subsystem and IP networks ".
[21]
RFC 4975: "The Message Session Relay Protocol (MSRP)".
[22]
TS 33.310: "Network Domain Security (NDS); Authentication Framework (AF)".
[23] Void
[24]
RFC 6714: "Connection Establishment for Media Anchoring (CEMA) for the Message Session Relay Protocol (MSRP)".
[25]
TS 24.147: "Conferencing using the IP Multimedia (IM), Core Network (CN) subsystem".
[26]
RFC 4575: "A Session Initiation Protocol (SIP) Event Package for Conference State".
[27]
GSM Association, Rich Communication Suite 5.1 Advanced Communications Services and Client Specification, Version 1.0, August 2012.
[28]
TS 24.247: "Messaging service using the IP Multimedia (IM) Core Network (CN) subsystem; Stage 3".
[29]
RFC 5365: "Multiple-Recipient MESSAGE Requests in the Session Initiation Protocol (SIP)".
[30] Void
[31]
RFC 5652: "Cryptographic Message Syntax (CMS)".
[32]
RFC 5083: " Cryptographic Message Syntax (CMS) Authenticated-Enveloped-Data Content Type".
[33]
RFC 3565: "Use of the Advanced Encryption Standard (AES) Encryption Algorithm in Cryptographic Message Syntax (CMS)".
[34]
ITU-T recommendation T.38 (09/2010): "Procedures for real-time Group 3 facsimile communication over IP networks".
[35]
TS 26.114: "IP Multimedia Subsystem (IMS); Multimedia telephony; Media handling and interaction".
[36]
RFC 6347: "Datagram Transport Layer Security Version 1.2".
[37]
RFC 7325:"UDP Transport Layer (UDPTL) over Datagram Transport Layer Security (DTLS)".
[38] Void
[39]
RFC 8826: "Security Considerations for WebRTC".
[40]
RFC 5763: "Framework for Establishing a Secure Real-time Transport Protocol (SRTP) Security Context Using Datagram Transport Layer Security (DTLS)".
[41]
RFC 5764: "Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)".
[42]
RFC 8832: " WebRTC Data Channel Establishment Protocol".
[43]
RFC 8851: "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification".
[44]
RFC 8855: "The Binary Floor Control Protocol (BFCP)".
[45]
RFC 8866: "SDP: Session Description Protocol".
[46]
RFC 7714: "AES-GCM Authenticated Encryption in the Secure Real-time Transport Protocol (SRTP)".
3 Definitions, symbols and abbreviations p. 11
3.1 Definitions p. 11
For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
End-to-access edge security:
This term refers to media protection extending between an IMS UE and the first IMS core network node in the media path without being terminated by any intermediary.
End-to-end security:
This term refers to media protection extending between two IMS UEs without being terminated by any intermediary.
IMS User Equipment:
User equipment used for IMS media communications over access networks. Use of such equipment for IMS media communications over any 3GPP access network shall require presence of a UICC.
KMS User Identity:
A KMS user identity is derived from a user's public SIP-URI and it is the NAI-part of the SIP URI.
3.2 Symbols p. 11
Void
3.3 Abbreviations p. 11
For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
BFCP
Binary Floor Control Protocol
DTLS
Datagram Transport Layer Security
DTLS-SRTP
DTLS Extension to Establish Keys for SRTP
e2ae
End-to-access edge
e2e
End-to-end
GW
Gateway
IMS-ALG
IMS Application Level Gateway
IMS UE
IMS User Equipment
KMS
Key Management Service
MIKEY
Multimedia Internet KEYing
MSRP
Message Session Relay Protocol
NAF
Network Application Function
RTP
Real-time Transport Protocol
SRTP
Secure Real-time Transport Protocol
TEK
Traffic Encryption Key
TGK
TEK Generation Key
TLS
Transport Layer Security
WebRTC
Web Real-Time Communication
