GMK-ID

Group Master Key Identifier

Security
Introduced in Rel-13
An identifier used in 3GPP networks to uniquely reference a Group Master Key (GMK) within group communication security contexts. It enables secure group management for services like ProSe, V2X, and MBMS by allowing entities to retrieve the correct cryptographic key for encrypting/decrypting group traffic, ensuring confidentiality and integrity.

Description

The Group Master Key Identifier (GMK-ID) is a critical security parameter within 3GPP's group communication architecture, defined primarily for services such as Proximity Services (ProSe), Vehicle-to-Everything (V2X) communication, and Multimedia Broadcast Multicast Service (MBMS). It functions as a unique label or reference that points to a specific Group Master Key (GMK), which is the root cryptographic key used to derive subordinate keys for securing group communications. The GMK itself is a symmetric key, typically distributed by a key management center or a group controller, and is used to generate Traffic Encryption Keys (TEKs) and other keying material for encrypting and integrity-protecting data sent to a group of users. The GMK-ID does not contain the key material itself but serves as an index, allowing authorized network functions and user equipment to request or identify the correct GMK from a key management server or local storage based on the group context.

Architecturally, the GMK-ID is utilized within the security protocols and interfaces defined for group communication. For instance, in ProSe and V2X, the GMK-ID is referenced in signaling messages between the ProSe Function, Key Management Function (KMF), and user equipment (UE). When a UE joins a group or needs to communicate securely within a group, it may receive a GMK-ID as part of the group membership authorization. The UE then uses this GMK-ID to fetch the corresponding GMK from a secure key storage or derive session keys. This separation of identifier and key enhances security by limiting exposure of the actual key during transmission and simplifying key lifecycle management—keys can be updated or rotated while keeping the GMK-ID constant for continuity.

The role of GMK-ID extends to ensuring scalability and efficiency in group key management. In large-scale deployments like MBMS, where thousands of users may subscribe to a broadcast service, the GMK-ID helps streamline key distribution. The network can broadcast the GMK-ID alongside encrypted content, and only authorized UEs with the corresponding GMK can decrypt it. This reduces signaling overhead compared to per-user key distribution. Specifications such as 3GPP TS 33.179 and TS 33.180 detail the use of GMK-ID in V2X security, while TS 24.380 and TS 29.380 cover its application in ProSe. The identifier is typically formatted as a binary or alphanumeric string, with its structure and encoding specified in relevant protocols to ensure interoperability across different network elements and releases.
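The identifier/key separation described above, as an added sketch that is not taken from the 3GPP specifications or from this page: a frame carries only the GMK-ID, and the receiver resolves it to a locally stored GMK before checking an integrity tag. The class and function names, the frame layout and the HMAC-SHA256 stand-in key derivation are assumptions, and the sketch covers integrity protection only, not encryption.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes


class GroupKeyStore:
    """Local secure storage mapping GMK-ID -> GMK (hypothetical helper)."""

    def __init__(self):
        self._gmks = {}

    def provision(self, gmk_id, gmk):
        # Key material arrives out of band from the key management entity.
        self._gmks[gmk_id] = gmk

    def lookup(self, gmk_id):
        if gmk_id not in self._gmks:
            raise PermissionError("no GMK held for this GMK-ID")
        return self._gmks[gmk_id]


def traffic_key(gmk, gmk_id):
    # Stand-in KDF (assumption, not the 3GPP derivation): HMAC-SHA256 under the GMK.
    return hmac.new(gmk, b"traffic-key" + gmk_id, hashlib.sha256).digest()


def protect(store, gmk_id, payload):
    """Sender: frame = len(GMK-ID) | GMK-ID | payload | tag; the GMK is never sent."""
    body = bytes([len(gmk_id)]) + gmk_id + payload
    key = traffic_key(store.lookup(gmk_id), gmk_id)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify(store, frame):
    """Receiver: read the GMK-ID, fetch the GMK locally, check the tag."""
    if len(frame) < 1 + TAG_LEN or len(frame) < 1 + frame[0] + TAG_LEN:
        raise ValueError("truncated frame")
    id_len = frame[0]
    gmk_id, body, tag = frame[1:1 + id_len], frame[:-TAG_LEN], frame[-TAG_LEN:]
    key = traffic_key(store.lookup(gmk_id), gmk_id)
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return body[1 + id_len:]


if __name__ == "__main__":
    ue = GroupKeyStore()
    ue.provision(b"\x00\x00\x00\x2a", bytes(range(16)))  # constructed sample values
    print(verify(ue, protect(ue, b"\x00\x00\x00\x2a", b"hello group")))
```

A receiver with no entry for the GMK-ID is rejected at lookup, and one holding a different GMK under the same identifier fails the tag check.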

Purpose & Motivation

The GMK-ID was introduced to address the growing need for secure group communication in 3GPP networks, particularly with the emergence of services like ProSe and V2X in Release 13 and beyond. Prior to its introduction, group communications often relied on pairwise security keys or less scalable methods, which were inefficient for dynamic groups where members frequently join or leave. The GMK-ID enables efficient key management by decoupling the key identifier from the key material, allowing for secure key retrieval and updates without re-establishing group contexts.

Historically, as 3GPP evolved to support IoT, public safety, and automotive applications, the limitations of existing security mechanisms became apparent. For example, in early MBMS implementations, key distribution was more centralized and less flexible, making it challenging to support real-time group formations in V2X scenarios. The GMK-ID, as part of a broader group security framework, solves this by providing a lightweight reference that facilitates dynamic key derivation and distribution. It supports scenarios where groups are temporary or geographically dispersed, such as in vehicle platooning or public safety communications, ensuring that only authorized members can access group data.

Furthermore, the GMK-ID enhances security by reducing the risk of key exposure during transmission. Since only the identifier is sent over the air or network interfaces, the actual GMK remains protected in secure storage. This aligns with 3GPP's security principles of confidentiality and integrity, addressing threats like eavesdropping or replay attacks in group settings. Its creation was motivated by the need for a standardized, interoperable approach to group key management across multiple releases and services, enabling seamless evolution from LTE to 5G and beyond.

Key Features

  • Uniquely identifies a Group Master Key (GMK) for secure group communications
  • Enables efficient key retrieval and management in dynamic group scenarios
  • Supports services like ProSe, V2X, and MBMS for scalable security
  • Decouples key reference from key material to enhance transmission security
  • Facilitates key rotation and updates without disrupting group membership
  • Interoperable across multiple 3GPP releases and network architectures

Evolution Across Releases

Rel-13 Initial

Introduced as part of the Proximity Services (ProSe) and V2X security framework. Defined the initial architecture for group key management, where GMK-ID serves as a reference to a GMK stored in a Key Management Function (KMF). Enabled secure group communication for public safety and automotive use cases, with specifications detailing its use in signaling and key derivation procedures.

Defining Specifications

Specification    Title
TS 24.380        3GPP TS 24.380
TS 24.582        3GPP TS 24.582
TS 29.380        3GPP TS 29.380
TS 29.582        3GPP TS 29.582
TS 33.179        3GPP TR 33.179
TS 33.180        3GPP TR 33.180
TS 33.879        3GPP TR 33.879