Description
The Group Key Transport Payload (GKTP) is a structured data format specified in 3GPP TS 24.481. Its primary function is to encapsulate and securely transport cryptographic keys intended for group use, such as keys for Multimedia Broadcast Multicast Service (MBMS) or Group Communication System Enablers (GCSE). The payload is designed to be carried within existing signaling protocols, ensuring that keys are delivered from key management servers, like the Bootstrapping Server Function (BSF) or Key Management Function (KMF), to consuming network functions or user equipment.
Architecturally, GKTP operates within the framework of 3GPP's Generic Authentication Architecture (GAA). It leverages the existing GAA infrastructure, where the BSF acts as a central point for key distribution. When a network function or application server requires a group key, it requests it from the BSF. The BSF then generates or retrieves the key, packages it into a GKTP structure, and sends it to the requester. The payload itself contains the key material along with essential metadata, such as key identifiers, validity periods, and associated group identifiers.
The security of the key transport is paramount. The GKTP is typically protected using security associations established during the GAA bootstrapping procedure. This often involves using the shared secret established between the user equipment and the network (e.g., via the Ks_NAF key) to derive encryption and integrity keys. Consequently, the GKTP payload is encrypted and integrity-protected, ensuring that only the intended recipient, possessing the correct keying material, can access and verify the group key. This mechanism prevents eavesdropping and tampering during key distribution.
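An added example, not taken from TS 24.481 or from this page's source: recipient-side handling of an integrity-protected key payload of the kind described above. The container layout, the derivation labels and the field names (`key_id`, `group_id`, `not_before`, `not_after`) are assumptions for illustration, and the wrapped key is treated as opaque ciphertext.

```python
import hashlib, hmac, json, time

TAG_LEN = 32  # HMAC-SHA-256 output size

def derive_keys(shared_secret: bytes) -> tuple:
    """Derive distinct encryption and integrity keys (labels are assumed)."""
    enc = hmac.new(shared_secret, b"example-enc", hashlib.sha256).digest()
    mac = hmac.new(shared_secret, b"example-int", hashlib.sha256).digest()
    return enc, mac

def protect(shared_secret: bytes, metadata: dict, wrapped_key: bytes) -> bytes:
    """Sender side: length-prefixed metadata + ciphertext, then a MAC over both."""
    _, mac_key = derive_keys(shared_secret)
    header = json.dumps(metadata, sort_keys=True).encode()
    body = len(header).to_bytes(2, "big") + header + wrapped_key
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def accept(shared_secret: bytes, payload: bytes, expected_group: str, now=None):
    """Recipient side: verify the MAC first, then group binding and validity."""
    if len(payload) < 2 + TAG_LEN:
        raise ValueError("truncated payload")
    body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    _, mac_key = derive_keys(shared_secret)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed")
    hlen = int.from_bytes(body[:2], "big")
    if 2 + hlen > len(body):
        raise ValueError("bad header length")
    metadata = json.loads(body[2:2 + hlen])
    if metadata["group_id"] != expected_group:
        raise ValueError("payload is for a different group")
    now = time.time() if now is None else now
    if not metadata["not_before"] <= now < metadata["not_after"]:
        raise ValueError("outside validity period")
    # The returned ciphertext would then be decrypted with the encryption key.
    return metadata, body[2 + hlen:]

# Constructed sample values, not real key material.
SECRET = bytes(range(32))
META = {"key_id": "k-001", "group_id": "group-42", "not_before": 1000, "not_after": 2000}
PAYLOAD = protect(SECRET, META, b"\xaa" * 16)
```

Nothing in the metadata is parsed or trusted until the tag verifies, so a tampered validity period or group identifier is rejected before it can influence the recipient.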
In practice, GKTP is crucial for services that rely on efficient and secure one-to-many key distribution. For MBMS, it enables the secure delivery of service keys that decrypt broadcast content. For GCSE, it facilitates the distribution of group talk keys for mission-critical push-to-talk communications. By standardizing this payload format, 3GPP ensures interoperability between different vendors' network functions and provides a scalable, secure method for managing group keys across evolving 5G service architectures.
Purpose & Motivation
GKTP was created to address the specific challenge of securely distributing cryptographic keys to multiple recipients—a common requirement for group-oriented services like broadcast/multicast and group communications. Prior to its standardization, ad-hoc methods or proprietary extensions to existing protocols were used for group key distribution, which led to interoperability issues, security vulnerabilities, and increased complexity in service deployment.
The historical context is rooted in the expansion of 3GPP services beyond traditional one-to-one communication. With the introduction of MBMS and later mission-critical services requiring GCSE, there was a clear need for a standardized, efficient, and secure mechanism to provision group keys. The existing GAA provided excellent security for one-to-one key distribution (e.g., for application security), but it lacked a defined container for group keys. GKTP filled this gap by providing a well-specified payload that integrates seamlessly with the GAA infrastructure.
By solving this problem, GKTP enables the commercial and secure rollout of services that depend on shared secrets. It mitigates the risk of key compromise during distribution, ensures that only authorized group members receive the keys, and provides a foundation for lawful interception and key lifecycle management (e.g., key renewal or revocation). Its creation was motivated by the need for a future-proof, standards-based solution that could support the growing demand for secure group-based applications in both 4G and 5G networks.
Detected Changes Across Releases
From 3GPP Change Requests. Specific changes extracted from the "Change history" tables of 3GPP specifications (8 CRs across 4 releases). Complements the general historical overview above with the evidence-based evolution of this function.
Studied in Rel-13, normative work from Rel-15.
In Release 15, the GKTP (Group Key Transport Payload) function was newly introduced to support secure communication for Mission Critical Services, as defined in the procedures for the Group Management Client (GMC) and Group Management Server (GMS). This introduction included specific configurations for accessing the MCS GKTP document of another MCS provider using a group ID routing database. Furthermore, procedures were defined for the GMC to manage group documents and for the GMS to handle HTTP requests related to group creation and key transport.
In Release 16, the GKTP function was updated to support additional commencement modes for group calls. This enhancement is reflected in the group management procedures, allowing the Group Management Client (GMC) and Group Management Server (GMS) to handle these new modes when accessing or managing group documents. The change specifically integrates these new commencement modes into the existing framework for Mission Critical Services group management.
- Update group document to support additional commencement modes for group calls (TS 24.481 CR0039)
In Release 17, the GKTP function was enhanced with new group configuration capabilities, including a mechanism to update group documents to disable functional alias de-affiliation. Furthermore, the specification introduced the "preconfigured-group-use-only" parameter for group documents and defined new group subscription service elements.
In Release 18, the GKTP function was updated with clarifications for handling multiple GKTPs within a group document, alongside a correction to the associated XML Schema Definition (XSD). These changes provided more precise specifications for the structure and validation of the group documents used in Mission Critical Services group management.
Defining Specifications
3GPP specifications that define or reference GKTP, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 24.481 vj20 | Mission Critical Services (MCS) group management | Rel-19 |