Description
Within the 3GPP specifications that address interworking and security for critical communications, the Key Encryption Key (KEK) is a concept adopted from TETRA (Terrestrial Trunked Radio), the ETSI standard for digital professional mobile radio and trunked radio used by public safety, transportation and military organisations. In TETRA key management the KEK is purely a layer of indirection: it protects traffic-encrypting keys and other sensitive key material while they are being distributed, and is never itself used on traffic. The KEK/TEK naming belongs to TETRA end-to-end encryption; the TETRA air-interface keys (DCK, CCK, GCK, SCK) are named differently and should not be confused with it.
Architecturally, the KEK is a symmetric key that is pre-shared, or established by a separate secure protocol, between authorised entities, typically a Key Management Centre (KMC) and a TETRA terminal or network node. It does not encrypt user voice or data directly. It encrypts other keys, the Traffic Encryption Keys (TEKs, also called session keys), which can then be transmitted over an untrusted channel; this operation is key wrapping. The recipient unwraps the TEK with its own copy of the same KEK and only then uses the TEK to secure the actual communication.
The mechanism is a two-level key hierarchy: a long-lived KEK protects short-lived TEKs. When a new session starts or a TEK has to be replaced, the KMC generates the TEK, wraps it under the KEK (in the usual case a block cipher such as AES in a dedicated key-wrap mode) and sends the ciphertext to the target device, which unwraps it with its KEK. The TEK therefore never appears in plaintext during distribution. Two consequences matter in practice. First, the wrap must carry an integrity check, as dedicated key-wrap modes do; plain encryption would let a modified ciphertext unwrap silently into a wrong key. Second, every TEK ever wrapped under a KEK is exposed if that KEK leaks, so the KEK's own provisioning (out of band), protected storage on the terminal and rotation define the security boundary of the whole scheme. The 3GPP specifications (e.g., TS 23.283, TS 24.883) reference this mechanism for interworking between 3GPP networks carrying critical communications (LTE/5G) and TETRA networks, so that end-to-end security can be maintained when keys or security contexts have to be translated or managed across the two systems.
Purpose & Motivation
The KEK exists to solve the basic problem of key distribution in a managed, closed-group radio system such as TETRA. Delivering a unique traffic key to every member of a large group for every session by physical means would be logistically impractical. By establishing one shared KEK per group (e.g., a police unit), the network can wrap a new session key once and broadcast or multicast that single wrapped key to all members; only holders of the group KEK can recover it.
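The wrap/unwrap exchange described in the Description, and the one-message-per-group distribution described above, as an added example that is not part of the original page or of any 3GPP or TETRA specification. It assumes RFC 3394 AES Key Wrap as the wrap primitive (the page does not name TETRA's actual algorithm); the message layout, the group names and the KEK bytes are constructed for the demo. It goes slightly beyond the text by showing what the integrity check buys: a message unwrapped under another group's KEK, or altered by one bit in transit, is rejected instead of yielding a wrong TEK.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// rfc3394IV is the RFC 3394 integrity check value; not recovering it on unwrap means a wrong KEK or a modified blob.
var rfc3394IV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}
// WrapKey is RFC 3394 AES Key Wrap; plain must be a multiple of 8 bytes, at least 16.
func WrapKey(kek, plain []byte) ([]byte, error) {
	if len(plain) < 16 || len(plain)%8 != 0 {
		return nil, errors.New("key to wrap must be a multiple of 8 bytes and at least 16")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(plain) / 8
	a := append([]byte(nil), rfc3394IV...) // the A register
	r := append([]byte(nil), plain...)     // R[1..n], kept contiguous
	buf := make([]byte, 16)
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			copy(buf[:8], a)
			copy(buf[8:], r[i*8:i*8+8])
			block.Encrypt(buf, buf) // B = AES(KEK, A | R[i])
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(buf[:8])^t)
			copy(r[i*8:i*8+8], buf[8:])
		}
	}
	return append(a, r...), nil
}

// UnwrapKey inverts WrapKey and fails closed when the integrity check does not match.
func UnwrapKey(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped key has an invalid length")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a := append([]byte(nil), wrapped[:8]...)
	r := append([]byte(nil), wrapped[8:]...)
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(buf[:8], binary.BigEndian.Uint64(a)^t)
			copy(buf[8:], r[i*8:i*8+8])
			block.Decrypt(buf, buf) // B = AES^-1(KEK, (A ^ t) | R[i])
			copy(a, buf[:8])
			copy(r[i*8:i*8+8], buf[8:])
		}
	}
	if !bytes.Equal(a, rfc3394IV) {
		return nil, errors.New("integrity check failed: wrong KEK or modified wrapped key")
	}
	return r, nil
}

// RekeyMessage is the constructed over-the-air update: target group plus the new TEK wrapped under that group's KEK.
type RekeyMessage struct {
	GroupID    string
	WrappedTEK []byte
}

// IssueGroupTEK is the KMC side: a fresh 256-bit TEK wrapped once under the group KEK, so one message serves every member.
func IssueGroupTEK(group string, groupKEK []byte) (RekeyMessage, []byte, error) {
	tek := make([]byte, 32)
	if _, err := rand.Read(tek); err != nil {
		return RekeyMessage{}, nil, err
	}
	wrapped, err := WrapKey(groupKEK, tek)
	if err != nil {
		return RekeyMessage{}, nil, err
	}
	return RekeyMessage{GroupID: group, WrappedTEK: wrapped}, tek, nil
}

func main() {
	northKEK := bytes.Repeat([]byte{0x11}, 32) // constructed demo KEKs, not real key material
	fireKEK := bytes.Repeat([]byte{0x22}, 32)
	msg, _, _ := IssueGroupTEK("police-north", northKEK)
	_, err := UnwrapKey(northKEK, msg.WrappedTEK) // terminal side: provisioned with the group KEK
	fmt.Println("member with the group KEK:", err)
	_, err = UnwrapKey(fireKEK, msg.WrappedTEK)
	fmt.Println("radio holding another group's KEK:", err)
	msg.WrappedTEK[9] ^= 0x01 // one bit flipped in transit
	_, err = UnwrapKey(northKEK, msg.WrappedTEK)
	fmt.Println("tampered message:", err)
}
```

The terminal never sees the TEK in clear on the air and never needs to talk back to the KMC; everything it needs is its out-of-band-provisioned KEK. Note what the example does not give you: a radio that keeps its KEK after being lost or stolen can still unwrap every future TEK for that group, which is why revoking a member means issuing a new group KEK, not just a new TEK.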
Historically, TETRA was designed for high-security critical communications in which cellular-style point-to-point key agreement does not fit every operational model, in particular group communication and over-the-air rekeying (OTAR). The KEK model gives the operator direct control over group key management and makes it efficient. Its inclusion in 3GPP standards from Release 15 onwards was motivated by the need for Mission Critical Services (MCS) over 3GPP networks to interwork with the existing TETRA networks that public safety organisations already operate.
The approach removes the need to treat every key distribution as a separate point-to-point secured transaction: bulk or group key updates become cheap, which matters both for routine key rotation and for emergency rekeying after a suspected compromise. On the 3GPP side, a security gateway or interworking function (IWF) that maps or translates security contexts between a 3GPP MCPTT (Mission Critical Push-To-Talk) service and a legacy TETRA network has to understand the TETRA KEK so that the end-to-end security chain is not broken at the boundary.
Key Features
- Used for encrypting (wrapping) other cryptographic keys, primarily Traffic Encryption Keys (TEKs)
- Establishes a two-layer key hierarchy: long-term KEK protects short-term session keys
- Enables efficient and secure over-the-air distribution of session keys to groups of devices
- Based on symmetric cryptography, requiring pre-shared key establishment between entities
- Referenced in 3GPP specs for TETRA-3GPP interworking for critical communications
- Supports secure group communication key management models
Evolution Across Releases
The KEK was introduced into 3GPP in the specifications for Mission Critical Services interworking. That initial inclusion defined the role of the TETRA KEK within the architecture for interworking between 3GPP MCPTT and TETRA systems, specifying how TETRA key management concepts are acknowledged and, where applicable, mapped in an interworking scenario.
Later enhancements to Mission Critical services are likely to have refined the security interworking requirements and procedures, potentially adding detail on how KEK-based key transport from TETRA systems is handled by 3GPP interworking functions for MCData and MCVideo as well as MCPTT.
Defining Specifications
| Specification | Title |
|---|---|
| TS 23.283 | Mission Critical Communication Interworking with Land Mobile Radio Systems; Stage 2 |
| TS 23.783 | Study on Mission Critical Communication Interworking between LTE and non-LTE systems (technical report) |
| TS 24.883 | Mission Critical Communication Interworking with Land Mobile Radio Systems; Stage 3 |