DPPK-ID

MCData Payload Protection Key Identifier

Introduced in Rel-15

DPPK-ID is the unique identifier for a specific MCData Payload Protection Key, enabling communicating clients to identify the correct cryptographic key for decrypting and verifying a protected payload.

Category: Identifier
Introduced: Rel-15
Where: Security
Specifications: 1 specs

Description

The MCData Payload Protection Key Identifier (DPPK-ID) is a crucial component in the key management and security protocol for 3GPP Mission Critical Data services. It is a unique label or reference that is unambiguously associated with a specific instance of a DPPK. When an MCData client sends a protected payload (encrypted and integrity-protected using a DPPK), it includes the corresponding DPPK-ID within the message or associated signaling. This allows the receiving MCData client to identify which key from its local secure storage should be used to process the incoming data.

Operationally, the DPPK-ID is generated or assigned during the DPPK derivation and provisioning process. It is typically managed by the Key Management Function (KMF) or the MCData server responsible for key distribution. The identifier is then securely communicated to the authorized client applications alongside the DPPK itself. The format and structure of the DPPK-ID are defined within the 3GPP specifications to ensure interoperability. It may be a simple index, a hash-based value, or a structured identifier that conveys metadata about the key's context, such as the group session it belongs to.

In the network architecture, the DPPK-ID facilitates efficient and secure key usage without needing to transmit the key itself in the clear. It acts as a secure pointer. When a client receives data, it extracts the DPPK-ID, performs a lookup in its protected key store, and retrieves the corresponding DPPK for decryption and integrity verification. This mechanism is essential for scenarios involving multiple concurrent sessions or group communications where a client may possess several active DPPKs. It ensures the correct key is applied, maintaining the security association and preventing processing errors or security breaches. The DPPK-ID is therefore integral to the scalable and manageable deployment of end-to-end security in large-scale MCData systems.
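As an added illustration of the lookup described above (not code from 3GPP or from this page), the following Python example dispatches on a key identifier and fails closed when the identifier is unknown or the integrity tag does not verify. The 4-byte identifier, the message framing, the KeyStore class and the use of HMAC-SHA256 are assumptions made for the example; it covers integrity verification only and does not reproduce the TS 33.180 formats or algorithms.

```python
import hashlib
import hmac

ID_LEN = 4    # assumption: 4-byte opaque identifier, not the TS 33.180 encoding
TAG_LEN = 32  # HMAC-SHA256 tag length

class UnknownKeyError(Exception):
    """No key is provisioned under the received identifier."""

class IntegrityError(Exception):
    """Message is truncated or its tag does not verify."""

class KeyStore:
    """Hypothetical stand-in for the client's protected key store."""
    def __init__(self):
        self._keys = {}

    def provision(self, key_id: bytes, key: bytes) -> None:
        if len(key_id) != ID_LEN:
            raise ValueError("bad identifier length")
        old = self._keys.get(key_id)
        if old is not None and not hmac.compare_digest(old, key):
            # An identifier must stay bound to one key, or lookups become ambiguous.
            raise ValueError("identifier already bound to a different key")
        self._keys[key_id] = key

    def revoke(self, key_id: bytes) -> None:
        self._keys.pop(key_id, None)

    def lookup(self, key_id: bytes) -> bytes:
        if key_id not in self._keys:
            raise UnknownKeyError(key_id.hex())
        return self._keys[key_id]

def _tag(key: bytes, key_id: bytes, payload: bytes) -> bytes:
    # The identifier is covered by the tag, so it cannot be altered in transit.
    return hmac.new(key, key_id + payload, hashlib.sha256).digest()

def protect(store: KeyStore, key_id: bytes, payload: bytes) -> bytes:
    return key_id + payload + _tag(store.lookup(key_id), key_id, payload)

def unprotect(store: KeyStore, message: bytes) -> bytes:
    if len(message) < ID_LEN + TAG_LEN:
        raise IntegrityError("truncated message")
    key_id, payload, tag = message[:ID_LEN], message[ID_LEN:-TAG_LEN], message[-TAG_LEN:]
    key = store.lookup(key_id)  # fail closed: never try other keys on a miss
    if not hmac.compare_digest(tag, _tag(key, key_id, payload)):
        raise IntegrityError("tag mismatch")
    return payload
```

A receiver holding several active keys calls unprotect() on each incoming message; a message whose identifier has been revoked or rewritten is rejected rather than retried against the remaining keys.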

Purpose & Motivation

The DPPK-ID was created to solve the key identification problem in secure group and session-based communications for MCData. In complex mission-critical scenarios, a single user device may participate in multiple simultaneous data sessions (e.g., separate chats with different emergency teams) or be part of large group communications. Each session or group typically uses a distinct DPPK for security isolation and forward secrecy. Without a clear identifier, a receiving client would have no way to determine which of its many keys should be used to decrypt an incoming message, leading to processing failures or security vulnerabilities.

Prior to its standardization, ad-hoc methods for key identification could lead to interoperability issues and increased complexity in client software. The DPPK-ID provides a standardized, lightweight mechanism to bind a protected payload to its specific encryption key. This enables efficient and unambiguous key retrieval, which is critical for the low-latency requirements of mission-critical communications. Its introduction in Release 15 alongside the DPPK was motivated by the need for a robust, scalable key management framework that supports dynamic group memberships and multiple parallel secure contexts within the 3GPP MCData service, ensuring reliable and secure operation for first responders.

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (8 CRs across 4 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 2 changes

In Release 15, the DPPK-ID function was introduced as part of new security mechanisms for the Mission Critical Data (MCData) service. This specifically enabled the protection of MCData signalling payloads within SIP payloads on the application plane. The introduction included defining the necessary functional architecture and protocol specifications for MCData, aligning its security framework with that of MCPTT and MCVideo.

  • Inclusion of MCData message types as defined by CT1 (TS 33.180 CR0082)
  • [MCSec] 33180 R15 FC values for MCData (mirror) (TS 33.180 CR0093)

Rel-16 2 changes

In Release 16, the establishment of a Payload Protection Key (PCK) for MCData was newly specified, providing a dedicated mechanism for securing MCData payloads. This introduced the DPPK-ID (MCData Payload Protection Key Identifier) function to identify the key used for protecting data signalling within the MCData service, as detailed in the security architecture. The release also defined algorithm selection procedures specifically for MCData signalling protection.

  • [33.180] R16 Establishment of PCK for MCData (TS 33.180 CR0112)
  • Algorithm selection for MCData signalling protection (TS 33.180 CR0134)

Rel-17 3 changes

In Release 17, the enhancements for the DPPK-ID function focused on strengthening the security of the MCData message store. Specifically, new security mechanisms were introduced for the MCData message store itself and for authorization between the MCData message store and the MCData Server. These updates built upon the existing framework for protecting MCData signalling and data payloads within the mission critical security architecture.

  • MCData message store security (TS 33.180 CR0150)
  • Authorization between MCData message store and MCData Server (TS 33.180 CR0189)
  • [33.180] R16 Clarify protected KmsResponse payloads (mirror) (TS 33.180 CR0206)

Rel-19 1 change

In Release 19, the 3GPP specifications provided additional clarifications on the MCData service overview. These clarifications specifically addressed the security architecture for MCData, which includes mechanisms for protecting data signalling and securing MCData payloads. The updates further detail the procedures for key management and the use of access tokens for MCData user service authorization.

  • Providing additional clarifications on MCData for Overview. (TS 33.180 CR0224)


Defining Specifications

3GPP specifications that define or reference DPPK-ID, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

Specification | Title | Release
TS 33.180 vk00 | Security of Mission Critical (MC) Service | Rel-20