Description
The MCData Payload Protection Key Identifier (DPKK-ID) is a unique identifier, defined in 3GPP TS 24.582, that is associated with a specific DPKK in Mission Critical Data (MCData) services. It serves as a reference or label that endpoints (such as user equipment, servers, or network functions) use to identify which DPKK should be applied when encrypting or decrypting a data payload. The DPKK-ID is typically included in security-related signaling messages or metadata during MCData sessions, allowing parties to agree on the key to use without transmitting the key itself, which enhances security by reducing exposure of the key material.
In operation, the DPKK-ID is generated and assigned when a DPKK is created or updated, often as part of key establishment procedures like authentication or key derivation. It can be a numeric or alphanumeric value, structured to ensure uniqueness within a given context, such as a specific MCData group or session. During data transmission, the sender includes the DPKK-ID alongside the encrypted payload, enabling the receiver to look up the corresponding DPKK from its local key store for decryption. This mechanism supports key rotation and updates, as new keys can be introduced with new identifiers, while old keys are phased out.
The DPKK-ID plays a critical role in key management scalability and interoperability. By decoupling key identification from key material, it simplifies processes like key distribution, caching, and revocation. In architectures involving multiple keys (e.g., for different services or security levels), the DPKK-ID helps maintain clarity and prevent errors. It integrates with broader MCData security protocols, ensuring that payload protection remains consistent and reliable across diverse network environments and use cases.
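The receiver-side lookup and rotation behaviour described above can be sketched as follows. This is an added example, not code or a message format from TS 24.582: the 4-byte identifier, the envelope layout, and the `KeyStore`, `protect` and `unprotect` names are assumptions, and HMAC-SHA256 stands in for the payload protection algorithm, so the sketch shows key selection and binding of the identifier to the payload, not encryption.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


class KeyStore:
    """Receiver-side store mapping a key ID to [key material, active flag]."""

    def __init__(self):
        self._keys = {}

    def add(self, key_id, key):
        if key_id in self._keys:
            raise ValueError("key ID already in use; rotation needs a fresh ID")
        self._keys[key_id] = [key, True]

    def retire(self, key_id):
        self._keys[key_id][1] = False  # keep the entry so the ID is never reused

    def lookup(self, key_id):
        entry = self._keys.get(key_id)
        if entry is None:
            raise KeyError("unknown key ID")
        if not entry[1]:
            raise PermissionError("key ID refers to a retired key")
        return entry[0]


def protect(key_id, key, payload):
    """Hypothetical envelope: key_id (4 bytes) || payload || tag(key_id || payload)."""
    header = struct.pack("!I", key_id)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def unprotect(store, envelope):
    """Select the key by the ID in the envelope, then verify before returning data."""
    if len(envelope) < 4 + TAG_LEN:
        raise ValueError("envelope too short")
    (key_id,) = struct.unpack("!I", envelope[:4])
    key = store.lookup(key_id)  # fails closed on unknown or retired IDs
    body, tag = envelope[4:-TAG_LEN], envelope[-TAG_LEN:]
    expected = hmac.new(key, envelope[:4] + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return key_id, body
```

Because the identifier is covered by the tag, rewriting it in transit to point at a different stored key makes verification fail instead of silently selecting the wrong key.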
Purpose & Motivation
DPKK-ID was created to address the need for efficient and secure key management in MCData services, where multiple payload protection keys may be in use simultaneously. Without a standardized identifier, endpoints might struggle to correlate keys with specific sessions or data streams, leading to decryption failures or security vulnerabilities. Its introduction in Release 14 alongside DPKK provided a mechanism to reference keys uniquely, facilitating key lifecycle operations such as updates, replacements, and synchronization.
The primary problem DPKK-ID solves is enabling dynamic key management without compromising security. By using an identifier rather than transmitting key material, it reduces the risk of key exposure during signaling. This is especially important in mission-critical scenarios where keys must be changed frequently to mitigate threats. DPKK-ID supports interoperability by ensuring all parties in an MCData ecosystem can consistently identify and apply the correct encryption keys, enhancing the reliability and security of critical data communications.
Detected Changes Across Releases
From 3GPP Change Requests. Specific changes extracted from the "Change history" tables of 3GPP specifications (9 CRs across 3 releases). Complements the general historical overview above with the evidence-based evolution of this function.
Studied in Rel-14, normative work from Rel-16.
In Release 16, the DPKK-ID function was introduced as part of new media plane capabilities to support transmission and reception via MBMS for MCData. This specifically enables media plane control for user plane Short Data Service (SDS) using MBMS and includes procedures for pre-established sessions. The enhancement also involved adding the MCData ID in the signalling payload to identify the sender of the data in MCData media plane session communication.
- Add media plane capability to support transmission / reception via MBMS in MCData (TS 24.582 CR0009)
- Adding clause for media plane procedures for pre-established session for MCData (TS 24.582 CR0010)
- Media plane control in MCData for user plane SDS using MBMS (TS 24.582 CR0011)
- Adding mcdata id in signalling payload for sender of the data in MCData media plane (Session) communication (TS 24.582 CR0012)
In Release 17, the DPKK-ID function saw no specific new enhancements according to the change requests for this release. The corrections focused on MBMS delivery for File Distribution and MSRP message handling adjustments. The specification text continues to describe DPKK-ID's role in end-to-end payload protection for SDS and FD without indicating new procedures or capabilities introduced in this release.
In Release 18, the DPKK-ID function was introduced as part of new procedures for the end-to-end protection of media control information, notification, and data within MSRP SEND requests. This identifier is specifically used for the protection of the media plane for Mission Critical Data services, including Short Data Service and File Distribution. The addition supports the decoupling of signalling and media plane for MCData IP Connectivity as outlined in the release's key changes.
Defining Specifications
3GPP specifications that define or reference DPKK-ID, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 24.582 vj00 | MCData Media Plane Control Protocols | Rel-19 |