What is DPCK-ID? MCData Payload Cipher Key Identifier

Description

The MCData Payload Cipher Key Identifier (DPCK-ID) is a crucial component of the key management and security signaling protocol within 3GPP Mission Critical Data services. It is a unique label or reference associated with a specific instance of an MCData Payload Cipher Key (DPCK). The DPCK-ID itself is not a secret value; it is transmitted in clear text within the signaling or header information of an MCData message. Its sole purpose is to indicate to the receiving entity which of the potentially multiple stored DPCKs should be used to decrypt the accompanying encrypted payload.

In practice, when an MCData application server or UE needs to send an encrypted data message, it encrypts the payload using the current active DPCK. It then includes the corresponding DPCK-ID in the message's metadata (e.g., in a specific security header defined in TS 24.582). Upon receipt, the recipient's MCData client parses the DPCK-ID, looks up its local key storage for a DPCK with that identifier, and uses the found key to perform decryption. This mechanism is essential in dynamic group communication scenarios where keys can be updated, rolled over, or where different keys are used for different groups or sessions.

The management of the binding between a DPCK and its DPCK-ID is handled by the Key Management Function (KMF) or the entity responsible for key distribution. When a new DPCK is generated and distributed to group members (e.g., following a key refresh or when a new user joins a group), the distribution protocol communicates both the key material and its associated DPCK-ID. The identifier must be synchronized across all authorized entities that possess the key. The structure and format of the DPCK-ID are defined in the relevant 3GPP specifications to ensure interoperability.

Purpose & Motivation

DPCK-ID was introduced alongside DPCK in Release 14 to solve the problem of key identification in group-based, secure MCData communications. In a system where multiple cipher keys can be active simultaneously (e.g., for different talkgroups, for different temporal sessions, or as a result of periodic key updates), a simple mechanism is required to signal which key was used for encryption. Without an explicit identifier, receivers would have to trial-decrypt with all available keys, which is inefficient, increases latency, and could lead to operational failures.

Its creation was motivated by the need for robust and scalable key management for mission-critical applications. The use of an identifier allows for seamless key rollover without service interruption: a new key with a new ID can be distributed before the old one expires. Messages encrypted with the old key can still be decrypted as long as the key and its ID are retained for a grace period. The DPCK-ID enables the core principle of "cryptographic separation," allowing the system to manage a portfolio of keys for different security contexts and ensuring that the correct key is always applied, which is vital for the reliability and security demanded by public safety agencies.

Classification

Part ofDPCK

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the „Change history“ tables of 3GPP specifications (9 CRs across 3 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-14, normative work from Rel-16.

Rel-16 4 changes

In Release 16, the DPCK-ID function was newly introduced as part of adding an mcdata id in the signalling payload for the sender of the data in MCData media plane session communication. This identifier is communicated by the MCData client which sends the SDS message or file in the media control part of the protocol, specifically within the MSRP SEND request body for SDS. The change provides a mechanism to identify the sender within the media plane procedures for pre-established sessions and standalone SDS.

Add media plane capability to support transmission / reception via MBMS in MCData TS 24.582CR0009
Adding clause for media plane procedures for pre-established session for MCData TS 24.582CR0010
Media plane control in MCData for user plane SDS using MBMS TS 24.582CR0011
Adding mcdata id in signalling payload for sender of the data in MCData media plane (Session) communication TS 24.582CR0012

Rel-17 3 changes

In Release 17, the DPCK-ID function was enhanced to support Mission Critical Data File Distribution using MBMS delivery via the MB2 interface. This introduced new media plane control procedures for FD over MBMS, requiring adjustments to MSRP SEND message handling. These changes ensured the proper routing and processing of secured file distribution payloads within the MBMS framework.

MCData media plane control for FD using MBMS delivery via MB2 TS 24.582CR0025
MCData - small corrections in 24.582 clause 6.5 TS 24.582CR0026
MCData - adjust the To-Path header of MSRP SEND messages received over MBMS TS 24.582CR0027

Rel-18 2 changes

In Release 18, the DPCK-ID function was extended to support the new 5G Multicast/Broadcast Service (MBS) in the MCData media plane, enabling efficient group data delivery. This enhancement was part of the broader addition of 5G MBS capabilities for MCData. Furthermore, the release facilitated the decoupling of signalling and media plane for MCData IP Connectivity, allowing these planes to be established and managed independently.

Addition of 5G MBS in MCData media plane TS 24.582CR0036
Decoupling of signalling and media plane for MCData IP Connectivity TS 24.582CR0037

Explore further

Broader topics and technologies where DPCK-ID plays a role.

Topics

Authentication (5G-AKA, EAP)Mission Critical (MCPTT)Encryption & Integrity MEC (Edge Computing)Lawful Intercept Services & Applications

Defining Specifications

3GPP specifications that define or reference DPCK-ID, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

Specification	Title	Release
TS 24.582 vj00	MCData Media Plane Control Protocols	Rel-19