KEK

Key Encryption Key (TETRA)

Introduced in Rel-15

KEK is a Key Encryption Key used in TETRA systems to cryptographically protect other keys during transport or storage, ensuring secure key distribution.

Category: Security
Introduced: Rel-15
Where: Services › IMS
Specifications: 3 specs

Description

Within the 3GPP specifications that address interworking and security for critical communications, the Key Encryption Key (KEK) is a concept adopted from the TETRA (Terrestrial Trunked Radio) standard. TETRA is a professional mobile radio and trunked radio system used by public safety, transportation, and military organizations. The KEK plays a vital role in TETRA's cryptographic key management system. Its primary function is to provide a layer of indirection and protection for traffic-encrypting keys or other sensitive key material.

Architecturally, the KEK is a symmetric key that is pre-shared or established via a secure protocol between authorized entities, such as a Key Management Centre (KMC) and a TETRA terminal or network node. It is not used to encrypt user voice or data traffic directly. Instead, it is used to encrypt other keys, known as Traffic Encryption Keys (TEKs) or Session Keys, which are then transmitted over potentially insecure channels. This process is often referred to as key wrapping or key encryption. The entity receiving the encrypted TEK uses the same KEK to decrypt it, after which the TEK can be used for securing actual communications.

The mechanism relies on a key hierarchy. A long-term KEK, which has a relatively long lifecycle, is used to protect short-term TEKs. When a new session is established or a TEK needs to be updated, the KMC generates the TEK, encrypts it using the KEK (e.g., using a standard algorithm like AES), and sends the ciphertext to the target device. The device, possessing the same KEK, performs the decryption to retrieve the TEK. This method ensures that the sensitive TEK is never exposed in plaintext during distribution. The 3GPP specifications (e.g., TS 23.283, TS 24.883) reference this mechanism in the context of interworking between 3GPP networks (like LTE/5G for critical communications) and TETRA networks, ensuring end-to-end security can be maintained when keys or security contexts need to be translated or managed across these heterogeneous systems.

Purpose & Motivation

The KEK exists to solve the fundamental problem of secure key distribution in a managed, closed-group radio system like TETRA. Distributing a unique traffic key to every member of a large group for every session would be logistically challenging if done via physical means. The KEK provides a scalable solution. By establishing a shared KEK within a group (e.g., a police force unit), the network can efficiently and securely broadcast or multicast new session keys to all members by encrypting them with the group's KEK.
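The wrap-and-distribute flow from the Description and the group rekeying described above, as an added example (not code from the 3GPP or TETRA specifications). It assumes RFC 3394 AES Key Wrap from the Python `cryptography` package, since the page names AES only as an example algorithm; the class and function names are hypothetical and all keys are random demo values.

```python
# Added example: names are hypothetical; keys are random demo values.
# Assumption: RFC 3394 AES Key Wrap stands in for the wrap algorithm; the page
# names AES only as an example and does not specify TETRA's actual algorithm.
import os
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap, aes_key_unwrap, aes_key_wrap)


class KeyManagementCentre:
    """Holds the long-term group KEK and issues short-term TEKs under it."""

    def __init__(self, group_kek):
        self._kek = group_kek

    def issue_tek(self):
        """Return (tek, wrapped_tek); only wrapped_tek leaves the KMC."""
        tek = os.urandom(16)
        return tek, aes_key_wrap(self._kek, tek)


class Terminal:
    """A device provisioned with a KEK; it obtains TEKs only by unwrapping."""

    def __init__(self, kek):
        self._kek = kek
        self.tek = None

    def receive_rekey(self, wrapped_tek):
        """Install the TEK if the blob unwraps; otherwise keep the old one."""
        try:
            self.tek = aes_key_unwrap(self._kek, wrapped_tek)
            return True
        except InvalidUnwrap:  # wrong KEK, or blob altered/truncated in transit
            return False


def rekey_group(kmc, terminals):
    """Broadcast one wrapped TEK; return (tek, blob, per-terminal outcome)."""
    tek, blob = kmc.issue_tek()
    return tek, blob, [t.receive_rekey(blob) for t in terminals]


if __name__ == "__main__":
    group_kek = os.urandom(16)            # pre-shared out of band in practice
    members = [Terminal(group_kek) for _ in range(3)]
    outsider = Terminal(os.urandom(16))   # never given the group KEK
    tek, blob, ok = rekey_group(KeyManagementCentre(group_kek), members + [outsider])
    print("wrapped TEK:", blob.hex(), "| installed:", ok)
```

Because the wrap carries an integrity check, a terminal holding a different KEK rejects the blob instead of installing a garbage TEK, and a single wrapped blob serves every member of the group.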

Historically, TETRA was designed for high-security critical communications where traditional cellular key agreement protocols might not suffice for all operational models, especially group communication and over-the-air rekeying. The KEK model provides direct control and efficiency for group key management. Its inclusion in 3GPP standards, particularly from Release 15 onwards, was motivated by the need for Mission Critical Services (MCS) over 3GPP networks to seamlessly interwork with existing TETRA networks, which are widely deployed for public safety.

This approach addresses the limitation of having to treat every key distribution as a unique, point-to-point secured transaction. The KEK allows for efficient bulk or group key updates, which is essential during security incidents or routine key rotation. For 3GPP, an understanding of the TETRA KEK is necessary for security gateway functions or interworking functions (IWF) that need to map or translate security contexts between a 3GPP MCPTT (Mission Critical Push-To-Talk) service and a legacy TETRA network, ensuring the end-to-end security chain is not broken.

Classification

Part of: TETRA
Related approaches: MCPTT

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (8 CRs across 4 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 4 changes

In Release 15, the specification introduced the **KEK (Key Encryption Key (TETRA))** function to enable secure media transmission for interworking sessions involving End-to-End Encryption (E2EE). This function allows the MCPTT system and the Interworking Function (IWF) to encrypt LMR-formatted media using 3GPP mechanisms when it must be carried between the IWF and LMR-aware MCPTT clients over the IWF-1 interface. The introduction of the KEK specifically addresses cases where the IWF cannot decrypt the media due to E2EE, ensuring the media remains protected while routed within the MCPTT system.

  • Flow name update from MCPTT call end to MCPTT private call end TS 23.283 CR0001
  • Corrections to Imminent peril group call initiated by MCPTT user TS 23.283 CR0002
  • Flow name update from MCPTT call end to MCPTT private call end TS 23.783 CR0001
  • Corrections to Imminent peril group call initiated by MCPTT user TS 23.783 CR0002

Rel-16 2 changes

In Release 16, the new KEK function for TETRA interworking specifically enabled the secure transport of LMR-formatted media when End-to-End Encryption (E2EE) is used, as the Interworking Function (IWF) cannot decrypt such media. This involved defining mechanisms for the MCPTT system and IWF to encrypt this media using 3GPP methods for transmission across the IWF-1 interface to LMR-aware MCPTT clients. The update ensured that media routing and security for interworking sessions could be maintained even with active E2EE.

  • MCPTT ID in interworking floor control TS 23.283 CR0023
  • MCPTT ID in interworking floor control TS 23.783 CR0023

Rel-17 1 change

In Release 17, the enhancements for the KEK function specifically addressed the interworking of MCPTT group calls with GSM-R systems. This involved defining procedures for identity mapping and media handling, such as routing LMR-formatted media over the IWF-1 interface to support scenarios including End-to-End Encryption. The updates ensured the Interworking Function (IWF) could properly manage group call signaling and media between MCPTT and LMR systems like GSM-R.

  • Add enhancements for interworking of MCPTT group calls with GSM-R TS 23.283 CR0049

Rel-20 1 change

In Release 20, the new KEK function for TETRA interworking introduced specific procedures for handling group-broadcast calls and group information between the Interworking Function (IWF) and the MCPTT server. This included defining the IWF group-broadcast group call setup and release request/response flows across the IWF-1 interface. These additions provided the structured signaling necessary for the IWF to manage group calls on behalf of the LMR system when interworking with MCPTT services.

  • Interworking support for ad hoc group emergency alerts (MCPTT user initiated) TS 23.283 CR0091


Defining Specifications

3GPP specifications that define or reference KEK, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

| Specification | Title | Release |
|---|---|---|
| TS 23.283 vk00 | Mission Critical Communication Interworking | Rel-20 |
| TR 23.783 vi00 | Technical Report on Mission Critical Services over 5GS | Rel-18 |
| TS 24.883 vg00 | MCPTT Interworking with LMR Systems | Rel-16 |