GUK-ID

Group User Key Identifier


GUK-ID is the unique identifier for a Group User Key used in 3GPP ProSe to enable secure group communication and discovery by identifying the specific cryptographic key shared by a defined user group.

Category: Security
Introduced: Rel-13
Where: Services
Specifications: 7 specs

Description

The Group User Key Identifier (GUK-ID) is a critical security parameter within the 3GPP architecture for Proximity-based Services (ProSe), which enable Device-to-Device (D2D) communication. It serves as a unique label or reference for a specific Group User Key (GUK), which is a symmetric cryptographic key shared among all members of a ProSe group. The GUK itself is used to secure group communications, for example, by encrypting and integrity-protecting traffic sent between group members over a direct PC5 interface or via a network relay. The GUK-ID does not contain the key material itself; instead, it is a non-secret identifier that allows devices and network functions to unambiguously refer to and retrieve the correct GUK from their secure storage (e.g., a UICC or a trusted execution environment) when needed for cryptographic operations.

Architecturally, the GUK-ID is provisioned to authorized user devices (User Equipment, UE) along with the corresponding GUK by the ProSe Function in the network, as defined in specifications like TS 23.303 and the security specs TS 33.179 and 33.180. The provisioning process is itself secured. When a UE wants to engage in secure group communication or discovery, it includes the relevant GUK-ID in signaling messages. Other UEs in the group, upon receiving this identifier, can use it to locate the same GUK in their local storage to decrypt messages or verify integrity checks. The ProSe Function also uses GUK-IDs to manage the lifecycle of group keys, including key updates, revocation, and membership changes. The identifier is structured to be globally unique within the context of the issuing ProSe Function or a broader domain to avoid collisions.

Its role is foundational for scalable and secure group management in ProSe. Without a concise identifier, devices would need to exchange or reference the full key value, which is insecure and inefficient. The GUK-ID enables efficient key indexing and retrieval. It is used in various ProSe procedures: in direct discovery, a UE may broadcast a message signed with a key associated with a GUK-ID to prove its group membership; in one-to-many group communication, the sending UE encrypts the data with the GUK and receivers use the signaled GUK-ID to select the correct decryption key. This mechanism is vital for public safety scenarios where first responders form dynamic groups, as well as for commercial applications like location-based social networking. The security specifications detail how the GUK-ID binds to the GUK's usage restrictions and the group's metadata, ensuring that the identifier cannot be misused to infer key material or to impersonate a group without possessing the actual key.

Purpose & Motivation

The GUK-ID was created to address the specific security and scalability challenges of group-oriented Device-to-Device communication introduced with Proximity Services (ProSe) in 3GPP Release 12 and enhanced thereafter. Prior to ProSe, cellular security was primarily focused on point-to-point security between a single UE and the network (e.g., using KASME in LTE). ProSe introduced scenarios where devices need to communicate directly in a secure, group-aware manner, especially for public safety where ad-hoc groups of first responders must be established rapidly. The core problem was how to efficiently and securely manage shared cryptographic keys for potentially many dynamic groups. Simply using the key value as an identifier is a security anti-pattern. The GUK-ID provides an indirect reference mechanism, solving this by allowing secure signaling about which key to use without exposing the key itself.

The historical motivation stems from the need for mission-critical communication systems that can operate partially or fully without network infrastructure (off-network or out-of-coverage operation). In such scenarios, devices must be able to authenticate each other and establish secure channels autonomously. The GUK, identified by the GUK-ID, is pre-shared via the network while it is available, enabling this off-grid security. The GUK-ID mechanism solves the problem of key identification in resource-constrained signaling. It allows a device to indicate, "use the group key we both know as 'ID-12345' for this session," making the protocol lightweight. Furthermore, it enables efficient key renewal: when a GUK is updated, a new GUK-ID is issued, and devices can transition to the new key while discarding the old one referenced by the old ID. This is crucial for maintaining forward secrecy and for managing compromised devices within a group. Without such an identifier, group key management would be cumbersome, error-prone, and less secure, hindering the adoption of ProSe for critical services.

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (16 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-13, normative work from Rel-15.

Rel-15 7 changes

In Release 15, the GUK-ID function was enhanced to support the Application Group Paging procedure and MBMS procedures for group dynamic data. These updates facilitated the setup and management of group calls, including the delivery of media over MBMS bearers identified by a TMGI. The specifications also clarified the use of the UDP port as the parameter for differentiating media streams for different groups over the same MBMS bearer.

  • Application Group Paging procedure (TS 24.380 CR0189)
  • Enhanced group call setup (TS 24.380 CR0196)
  • MBMS procedures for group dynamic data (TS 24.380 CR0214)
  • Application Group Paging procedure (TS 24.581 CR0036)
  • MBMS procedures for group dynamic data (TS 24.581 CR0039)
  • Correction on MCVideo Group Identity and SSRC field (TS 24.581 CR0041)

Rel-16 1 change

In Release 16, the specification introduced a correction to the definition concerning temporary group call related procedures for the GUK-ID function. This update provided clarification on the handling of the Group User Key Identifier within these specific temporary procedural contexts. The change ensured more precise technical definitions for group communication system operations.

  • Correction to definition about temporary group call related procedures (TS 33.180 CR0139)

Rel-17 5 changes

In Release 17, enhancements to the Group User Key Identifier (GUK-ID) function included clarifications for preconfigured groups and corrections for scenarios involving group regrouping and the Non-Controlling MCPTT function. These updates refined the handling of group subscription data and the associated floor control procedures, ensuring correct behavior during call setup and media burst arbitration. The changes also addressed terminology consistency for broadcast group calls within the group management framework.

  • [33.180] R17 Preconfigured group clarification (TS 33.180 CR0177)
  • Error in floor control when groups are regrouped (TS 24.380 CR0316)
  • Corrections in Non-Controlling MCPTT function of an MCPTT group (TS 24.380 CR0317)
  • Group subscription (TS 33.180 CR0173)
  • Broadcast group call terminology (TS 24.380 CR0288)

Rel-18 2 changes

In Release 18, the GUK-ID function was enhanced to support adhoc group calls for both MCPTT and MCVideo services on the media plane. This extension allows the differentiation of media and control packets for different groups over the same MBMS bearer during such calls. The updates ensure that the GUK-ID mechanism, which uses parameters like a UDP port for identification, is fully functional for these new adhoc group call scenarios.

  • Adhoc group call - Media plane for MCPTT (TS 24.380 CR0369)
  • Adhoc group call - Media plane for MCVideo (TS 24.581 CR0123)

Rel-19 1 change

In Release 19, the new capability for multi-talker media management in ad hoc group calls was introduced. This allows an MCPTT group to be configured as a multi-talker group, enabling more than one participant to have permission to send media concurrently. This is a specific enhancement to the floor control procedures for ad hoc group scenarios.

  • Multi-talker media management for ad hoc group call (TS 24.380 CR0370)

Defining Specifications

3GPP specifications that define or reference GUK-ID, with the latest known release. Sourced from the 3GPP document catalog.

Specification     Title                                              Release
TS 24.380 vj10    MCPTT Media Plane Control Protocol                 Rel-19
TS 24.581 vj00    MCVideo Media Plane Control Protocol Specification  Rel-19
TS 29.380 vj00    MCPTT-LMR Interworking Media Plane Control         Rel-19
TS 29.582 vj00    MCData Interworking with LMR Systems               Rel-19
TS 33.179 vdc0    MCPTT Security Architecture and Procedures         Rel-13
TS 33.180 vk00    Security of Mission Critical (MC) Service          Rel-20
TS 33.879 vd10    MCPTT Security Study                               Rel-13