Description
The MCData Payload Cipher Key Identifier (DPCK-ID) is a crucial component of the key management and security signaling protocol within 3GPP Mission Critical Data services. It is a unique label or reference associated with a specific instance of an MCData Payload Cipher Key (DPCK). The DPCK-ID itself is not a secret value; it is transmitted in clear text within the signaling or header information of an MCData message. Its sole purpose is to indicate to the receiving entity which of the potentially multiple stored DPCKs should be used to decrypt the accompanying encrypted payload.
In practice, when an MCData application server or UE needs to send an encrypted data message, it encrypts the payload using the current active DPCK. It then includes the corresponding DPCK-ID in the message's metadata (e.g., in a specific security header defined in TS 24.582). Upon receipt, the recipient's MCData client parses the DPCK-ID, looks up its local key storage for a DPCK with that identifier, and uses the found key to perform decryption. This mechanism is essential in dynamic group communication scenarios where keys can be updated, rolled over, or where different keys are used for different groups or sessions.
The management of the binding between a DPCK and its DPCK-ID is handled by the Key Management Function (KMF) or the entity responsible for key distribution. When a new DPCK is generated and distributed to group members (e.g., following a key refresh or when a new user joins a group), the distribution protocol communicates both the key material and its associated DPCK-ID. The identifier must be synchronized across all authorized entities that possess the key. The structure and format of the DPCK-ID are defined in the relevant 3GPP specifications to ensure interoperability.
Purpose & Motivation
DPCK-ID was introduced alongside DPCK in Release 14 to solve the problem of key identification in group-based, secure MCData communications. In a system where multiple cipher keys can be active simultaneously (e.g., for different talkgroups, for different temporal sessions, or as a result of periodic key updates), a simple mechanism is required to signal which key was used for encryption. Without an explicit identifier, receivers would have to trial-decrypt with all available keys, which is inefficient, increases latency, and could lead to operational failures.
Its creation was motivated by the need for robust and scalable key management for mission-critical applications. The use of an identifier allows for seamless key rollover without service interruption: a new key with a new ID can be distributed before the old one expires. Messages encrypted with the old key can still be decrypted as long as the key and its ID are retained for a grace period. The DPCK-ID enables the core principle of "cryptographic separation," allowing the system to manage a portfolio of keys for different security contexts and ensuring that the correct key is always applied, which is vital for the reliability and security demanded by public safety agencies.
Key Features
- Uniquely identifies a specific MCData Payload Cipher Key (DPCK) instance
- Transmitted in clear text within MCData message signaling headers
- Enables receivers to select the correct key from local storage for decryption
- Essential for supporting key updates, rollovers, and multiple concurrent keys
- Format and usage defined in 3GPP MCData signaling specifications
- Managed and distributed in conjunction with the DPCK by key management entities
Evolution Across Releases
Initially defined in Release 14 with the introduction of Mission Critical Data. It established the DPCK-ID as the mandatory identifier for the DPCK, specifying its role in MCData signaling protocols (TS 24.582) to enable unambiguous key referencing for payload encryption and decryption in group communications.
Defining Specifications
| Specification | Title |
|---|---|
| TS 24.582 | 3GPP TS 24.582 |