GMK-ID

Group Master Key Identifier

Introduced in Rel-13

GMK-ID is an identifier used in 3GPP networks to uniquely reference a Group Master Key within group communication security contexts for services like ProSe, V2X, and MBMS.

Category: Security
Introduced: Rel-13
Where: Services
Specifications: 7 specs

Description

The Group Master Key Identifier (GMK-ID) is a critical security parameter within 3GPP's group communication architecture, defined primarily for services such as Proximity Services (ProSe), Vehicle-to-Everything (V2X) communication, and Multimedia Broadcast Multicast Service (MBMS). It functions as a unique label or reference that points to a specific Group Master Key (GMK), which is the root cryptographic key used to derive subordinate keys for securing group communications. The GMK itself is a symmetric key, typically distributed by a key management center or a group controller, and is used to generate Traffic Encryption Keys (TEKs) and other keying material for encrypting and integrity-protecting data sent to a group of users. The GMK-ID does not contain the key material itself but serves as an index, allowing authorized network functions and user equipment to request or identify the correct GMK from a key management server or local storage based on the group context.

Architecturally, the GMK-ID is utilized within the security protocols and interfaces defined for group communication. For instance, in ProSe and V2X, the GMK-ID is referenced in signaling messages between the ProSe Function, Key Management Function (KMF), and user equipment (UE). When a UE joins a group or needs to communicate securely within a group, it may receive a GMK-ID as part of the group membership authorization. The UE then uses this GMK-ID to fetch the corresponding GMK from a secure key storage or derive session keys. This separation of identifier and key enhances security by limiting exposure of the actual key during transmission and simplifying key lifecycle management—keys can be updated or rotated while keeping the GMK-ID constant for continuity.

The role of GMK-ID extends to ensuring scalability and efficiency in group key management. In large-scale deployments like MBMS, where thousands of users may subscribe to a broadcast service, the GMK-ID helps streamline key distribution. The network can broadcast the GMK-ID alongside encrypted content, and only authorized UEs with the corresponding GMK can decrypt it. This reduces signaling overhead compared to per-user key distribution. Specifications such as 3GPP TS 33.179 and TS 33.180 detail the use of GMK-ID in V2X security, while TS 24.380 and TS 29.380 cover its application in ProSe. The identifier is typically formatted as a binary or alphanumeric string, with its structure and encoding specified in relevant protocols to ensure interoperability across different network elements and releases.
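
The identifier/key separation described above, as an added example that is not taken from the 3GPP specifications: packets carry only the GMK-ID, and each receiver resolves it against its own key store. The 4-byte identifier, the packet layout and the HMAC-SHA256 derivation are assumptions made for illustration, and the sketch covers integrity protection only. It also shows the consequence of rotating a key under an unchanged GMK-ID: a receiver that missed the rotation sees an authentication failure, not an unknown identifier.

```python
from __future__ import annotations
import hashlib
import hmac

ID_LEN, TAG_LEN = 4, 16  # assumed field sizes for this constructed packet layout

def derive_tek(gmk: bytes, gmk_id: bytes) -> bytes:
    """Derive a traffic key from the GMK (illustrative KDF, not the 3GPP one)."""
    return hmac.new(gmk, b"tek" + gmk_id, hashlib.sha256).digest()

def protect(gmk: bytes, gmk_id: bytes, payload: bytes) -> bytes:
    """Sender side: the packet carries the GMK-ID and a tag, never the GMK."""
    body = gmk_id + payload
    tag = hmac.new(derive_tek(gmk, gmk_id), body, hashlib.sha256).digest()
    return body + tag[:TAG_LEN]

class GroupKeyStore:
    """Receiver-side map of GMK-ID -> GMK (stands in for secure key storage)."""
    def __init__(self) -> None:
        self._keys: dict[bytes, bytes] = {}

    def install(self, gmk_id: bytes, gmk: bytes) -> None:
        self._keys[gmk_id] = gmk

    def receive(self, packet: bytes) -> tuple[str, bytes | None]:
        """Return (outcome, payload); fail closed on anything unexpected."""
        if len(packet) < ID_LEN + TAG_LEN:
            return "malformed", None
        gmk_id, body, tag = packet[:ID_LEN], packet[:-TAG_LEN], packet[-TAG_LEN:]
        gmk = self._keys.get(gmk_id)
        if gmk is None:
            return "unknown-gmk-id", None   # receiver holds no key for this group
        tek = derive_tek(gmk, gmk_id)
        expected = hmac.new(tek, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "auth-failure", None     # known ID, but wrong or stale key
        return "ok", body[ID_LEN:]

def demo() -> dict[str, str]:
    gmk_id = bytes.fromhex("0a1b2c3d")              # constructed identifier
    old_gmk, new_gmk = b"\x11" * 32, b"\x22" * 32   # constructed keys
    member, stale, outsider = GroupKeyStore(), GroupKeyStore(), GroupKeyStore()
    member.install(gmk_id, new_gmk)
    stale.install(gmk_id, old_gmk)   # missed a rotation under the same GMK-ID
    packet = protect(new_gmk, gmk_id, b"group media burst")
    stores = (("member", member), ("stale", stale), ("outsider", outsider))
    return {name: store.receive(packet)[0] for name, store in stores}
```

Logging the two failure outcomes separately lets an operator tell a missed key update apart from traffic for a group the receiver never belonged to.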

Purpose & Motivation

The GMK-ID was introduced to address the growing need for secure group communication in 3GPP networks, particularly with the emergence of services like ProSe and V2X in Release 13 and beyond. Prior to its introduction, group communications often relied on pairwise security keys or less scalable methods, which were inefficient for dynamic groups where members frequently join or leave. The GMK-ID enables efficient key management by decoupling the key identifier from the key material, allowing for secure key retrieval and updates without re-establishing group contexts.

Historically, as 3GPP evolved to support IoT, public safety, and automotive applications, the limitations of existing security mechanisms became apparent. For example, in early MBMS implementations, key distribution was more centralized and less flexible, making it challenging to support real-time group formations in V2X scenarios. The GMK-ID, as part of a broader group security framework, solves this by providing a lightweight reference that facilitates dynamic key derivation and distribution. It supports scenarios where groups are temporary or geographically dispersed, such as in vehicle platooning or public safety communications, ensuring that only authorized members can access group data.

Furthermore, the GMK-ID enhances security by reducing the risk of key exposure during transmission. Since only the identifier is sent over the air or network interfaces, the actual GMK remains protected in secure storage. This aligns with 3GPP's security principles of confidentiality and integrity, addressing threats like eavesdropping or replay attacks in group settings. Its creation was motivated by the need for a standardized, interoperable approach to group key management across multiple releases and services, enabling seamless evolution from LTE to 5G and beyond.

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (12 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-13, normative work from Rel-15.

Rel-15 4 changes

In Release 15, the GMK-ID function was newly introduced to support enhanced group call setup and the Application Group Paging procedure. This identifier enables the management of security for group communications, particularly within the context of MBMS procedures for group dynamic data. The specifications also include a note clarifying that a temporary group regroup mechanism is not secured.

  • Application Group Paging procedure TS 24.380 CR0189
  • Enhanced group call setup TS 24.380 CR0196
  • MBMS procedures for group dynamic data TS 24.380 CR0214
  • Addition of note to say that temporary group regroup mechanism is not secured. TS 33.180 CR0080

Rel-16 1 change

In Release 16, the specification introduced a correction to the definition concerning temporary group call related procedures for the GMK-ID function. This update provided clarification on the handling of the Group Master Key Identifier within these specific temporary procedural contexts. The change ensured precise technical alignment for key management during group communication operations.

  • Correction to definition about temporary group call related procedures TS 33.180 CR0139

Rel-17 5 changes

In Release 17, the enhancements for the GMK-ID function primarily focused on providing clarifications and corrections for preconfigured groups, as indicated by the CR title for "R17 Preconfigured group clarification." This included addressing specific operational errors, such as those occurring in floor control during group regrouping, and making corrections to the Non-Controlling MCPTT function within an MCPTT group to ensure proper group management and subscription handling.

  • [33.180] R17 Preconfigured group clarification TS 33.180 CR0177
  • Error in floor control when groups are regrouped. TS 24.380 CR0316
  • Corrections in Non-Controlling MCPTT function of an MCPTT group TS 24.380 CR0317
  • Group subscription TS 33.180 CR0173
  • Broadcast group call terminology TS 24.380 CR0288

Rel-18 1 change

In Release 18, the new "GMK-ID" (Group Master Key Identifier) function was introduced to support the media plane for MCPTT adhoc group calls. This enhancement enables the secure identification and management of cryptographic keys specifically for the media traffic within these dynamically formed groups. The update integrates this key management capability into the existing group call and floor control procedures defined for Mission Critical Services.

  • Adhoc group call - Media plane for MCPTT TS 24.380 CR0369

Rel-19 1 change

In Release 19, the specification for GMK-ID was updated to support multi-talker media management for ad hoc group calls. This enhancement allows a group, configured as a multi-talker group, to handle concurrent media bursts from multiple participants.

  • Multi-talker media management for ad hoc group call TS 24.380 CR0370

Defining Specifications

3GPP specifications that define or reference GMK-ID, with the latest known release. Sourced from the 3GPP document catalog.

| Specification | Title | Release |
|---|---|---|
| TS 24.380 vj10 | MCPTT Media Plane Control Protocol | Rel-19 |
| TS 24.582 vj00 | MCData Media Plane Control Protocols | Rel-19 |
| TS 29.380 vj00 | MCPTT-LMR Interworking Media Plane Control | Rel-19 |
| TS 29.582 vj00 | MCData Interworking with LMR Systems | Rel-19 |
| TS 33.179 vdc0 | MCPTT Security Architecture and Procedures | Rel-13 |
| TS 33.180 vk00 | Security of Mission Critical (MC) Service | Rel-20 |
| TS 33.879 vd10 | MCPTT Security Study | Rel-13 |