DPCK

MCData Payload Cipher Key

Introduced in Rel-14

DPCK is the cryptographic key used in 3GPP Mission Critical Data services to encrypt and decrypt the payload of data messages, ensuring confidentiality for public safety communications.

Category: Security
Introduced: Rel-14
Where: Services
Specifications: 2 specs

Description

The MCData Payload Cipher Key (DPCK) is a security key defined within the 3GPP architecture for Mission Critical Services (MCS). It is generated and managed as part of the key hierarchy established during the authentication and key agreement procedures between the User Equipment (UE) and the network. The DPCK is specifically derived for use with MCData applications to provide confidentiality protection for the payload (user data) of MCData messages, such as those used in file transfer, text messaging, or data streaming within public safety operations.

Operationally, the DPCK is used by the cryptographic functions in the UE and the MCData application server. When an MCData user sends a secured message, the application layer uses the DPCK (along with a specified encryption algorithm) to encrypt the message payload before transmission. The corresponding recipient's UE, which possesses the same DPCK (having been distributed via secure key management protocols), uses it to decrypt the payload upon receipt. The key itself is not transmitted with the message. The specific encryption algorithms (e.g., based on AES) are defined in the 3GPP security specifications.

The DPCK exists within a broader key hierarchy. It is typically derived from a longer-term anchor key, such as the KMCData, which is itself established from the primary authentication keys. This derivation uses standardized Key Derivation Functions (KDFs). The lifecycle of the DPCK—including its generation, distribution, usage, and deletion—is managed by the security functions within the MCData system, often involving the Key Management Function (KMF) or analogous entities. The separation of the payload cipher key (DPCK) from signaling protection keys is a principle of security segregation, limiting the impact of a potential key compromise.
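The derivation and key-separation idea described above, as an added example (not code from 3GPP or from this page): it uses the generic 3GPP KDF construction of TS 33.220 Annex B, HMAC-SHA-256 over FC || P0 || L0 || P1 || L1. The FC value, purpose labels, anchor key and 128-bit truncation are constructed assumptions, because the page does not give the actual MCData derivation inputs.

```python
import hashlib
import hmac


def kdf_3gpp(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    if not 0 <= fc <= 0xFF:
        raise ValueError("FC is a single octet")
    s = bytes([fc])
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("parameter does not fit a two-octet length")
        # Each parameter is followed by its length, so ("ab", "c") and
        # ("a", "bc") can never produce the same input string S.
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


# Constructed values for illustration only.
FC_PLACEHOLDER = 0xFF                  # placeholder, not an FC value from any spec
ANCHOR_KEY = bytes(range(32))          # constructed stand-in for the anchor key
LABEL_PAYLOAD = b"mcdata-payload"      # hypothetical purpose labels
LABEL_SIGNALLING = b"mcdata-signalling"


def derive_key(anchor: bytes, label: bytes, key_id: bytes) -> bytes:
    """Derive a 128-bit purpose-bound key (the truncation is an assumption)."""
    return kdf_3gpp(anchor, FC_PLACEHOLDER, label, key_id)[:16]


def derive_pair(anchor: bytes, key_id: bytes) -> tuple[bytes, bytes]:
    """Return (payload key, signalling key) for one key identifier."""
    return (derive_key(anchor, LABEL_PAYLOAD, key_id),
            derive_key(anchor, LABEL_SIGNALLING, key_id))


if __name__ == "__main__":
    payload_key, signalling_key = derive_pair(ANCHOR_KEY, b"\x00\x00\x00\x01")
    print("payload key   :", payload_key.hex())
    print("signalling key:", signalling_key.hex())
    print("segregated    :", payload_key != signalling_key)
```

Because HMAC is one-way, knowledge of one derived key reveals neither the anchor nor its sibling, which is the segregation property the paragraph describes.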

Purpose & Motivation

DPCK was introduced with 3GPP Mission Critical Data services in Release 14 to address the stringent security requirements of public safety and critical communications. Traditional commercial cellular data security (e.g., in EPS) primarily protects the user plane between the UE and the network with keys like CK (Ciphering Key). However, MC services require end-to-end application layer security for group communications, ensuring confidentiality even within the core network and application server domain.

Its creation was motivated by the need for a dedicated, service-specific cryptographic key for MCData payload confidentiality. This approach provides greater flexibility and security compared to reusing existing access stratum keys. It allows independent key management for the MCData application, enabling features like forward secrecy (where a compromised long-term key doesn't compromise past communications) and the ability to change the payload encryption key without re-authenticating the UE to the access network. DPCK enables the secure exchange of sensitive operational data (e.g., maps, building plans, patient information) among first responders, which is a fundamental requirement for modern mission-critical operations.

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (17 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-14, normative work from Rel-15.

Rel-15 2 changes

In Release 15, the DPCK (MCData Payload Cipher Key) function was newly introduced to provide specific security for Mission Critical Data (MCData) services, including Short Data Service (SDS) and File Distribution (FD) over the media plane. This introduction was part of the work to include defined MCData message types and to establish the corresponding security framework values for MCData, mirroring the security mechanisms used for other mission-critical services. The key ensures the ciphering of payload data exchanged between MCData clients and the controlling MCData function via the media plane protocols.

  • Inclusion of MCData message types as defined by CT1 (TS 33.180 CR0082)
  • [MCSec] 33180 R15 FC values for MCData (mirror) (TS 33.180 CR0093)

Rel-16 6 changes

In Release 16, the DPCK (MCData Payload Cipher Key) function was newly established to provide security for the media plane. This addition specifically enabled payload encryption for Mission Critical Data services like Short Data Service (SDS) and File Distribution (FD) that use protocols such as MSRP and IP for data transmission. The introduction of this key establishment procedure enhanced the confidentiality of user data within these media plane communications.

  • Add media plane capability to support transmission / reception via MBMS in MCData (TS 24.582 CR0009)
  • Adding clause for media plane procedures for pre-established session for MCData (TS 24.582 CR0010)
  • Media plane control in MCData for user plane SDS using MBMS (TS 24.582 CR0011)
  • [33.180] R16 Establishment of PCK for MCData (TS 33.180 CR0112)
  • Algorithm selection for MCData signalling protection (TS 33.180 CR0134)
  • Adding mcdata id in signalling payload for sender of the data in MCData media plane (Session) communication (TS 24.582 CR0012)

Rel-17 6 changes

In Release 17, the DPCK (MCData Payload Cipher Key) function was enhanced to support new security and delivery mechanisms for Mission Critical Data services. Specifically, it was extended to secure the MCData message store and to enable MCData media plane control for File Distribution using MBMS delivery via the MB2 interface. These additions provided new authorization procedures between the message store and the MCData Server while maintaining the established media plane protocols like MSRP for SDS and IP for connectivity.

  • MCData media plane control for FD using MBMS delivery via MB2 (TS 24.582 CR0025)
  • MCData message store security (TS 33.180 CR0150)
  • Authorization between MCData message store and MCData Server (TS 33.180 CR0189)
  • MCData - small corrections in 24.582 clause 6.5 (TS 24.582 CR0026)
  • MCData - adjust the To-Path header of MSRP SEND messages received over MBMS (TS 24.582 CR0027)
  • [33.180] R16 Clarify protected KmsResponse payloads (mirror) (TS 33.180 CR0206)

Rel-18 2 changes

In Release 18, key updates to the DPCK function stemmed from the decoupling of the signalling and media plane for MCData IP Connectivity. This change was complemented by the addition of 5G Multicast-Broadcast Service (MBS) support within the MCData media plane. These enhancements applied to the established media plane protocols like MSRP and IP, used by the controlling and participating MCData functions to distribute data.

  • Addition of 5G MBS in MCData media plane (TS 24.582 CR0036)
  • Decoupling of signalling and media plane for MCData IP Connectivity (TS 24.582 CR0037)

Rel-19 1 change

In Release 19, the changes for the DPCK (MCData Payload Cipher Key) function were focused on providing additional clarifications within the MCData overview. These clarifications pertain to the established media plane control protocols for Mission Critical Data services, including Short Data Service (SDS) and File Distribution (FD), which operate between the MCData client and server functions. The update aimed to refine the understanding of these existing procedures without introducing new functional entities or capabilities.

  • Providing additional clarifications on MCData for Overview. (TS 33.180 CR0224)

Defining Specifications

3GPP specifications that define or reference DPCK, with the latest known release. Sourced from the 3GPP document catalog.

Specification  | Title                                    | Release
TS 24.582 vj00 | MCData Media Plane Control Protocols     | Rel-19
TS 33.180 vk00 | Security of Mission Critical (MC) Service | Rel-20