KMS

Key Management Service

Introduced in Rel-8. Also in: Security, Core Network

KMS is the functional entity within 3GPP architectures responsible for the generation, distribution, storage, and lifecycle management of cryptographic keys to secure communications.

Category: Security
Introduced: Rel-8
Where: Services › IMS
Also touches: 2 segments
Specifications: 20 specs

Description

The Key Management Service (KMS) in 3GPP is the security function that provides end-to-end management of the cryptographic keys used by IMS-based services and applications; in the Mission Critical (MC) service specifications (TS 33.179, TS 33.180) the same abbreviation denotes the Key Management Server, the network entity that implements it. It is not a single monolithic entity but a role that appears in several architectures: the KMS-based solution for IMS media plane security (TS 33.328), the Mission Critical Services (MCPTT, MCVideo, MCData), and those services when delivered over 5GS (TR 23.783). The KMS owns the key lifecycle: generation (or derivation from a root secret), secure distribution, activation, rotation, revocation and deletion of keys. It ensures that key material reaches the authorized entities, namely the key management (KM) clients in user equipment (UE), group management servers and MC application servers, when they need it, and that it is protected from everyone else.

Architecturally, the KMS can be co-located with other MC servers or deployed as a standalone, centralized service, and an MC system may use more than one KMS (the Rel-15 changes below add a migration KMS and KMS discovery). In the KMS-based IMS media security solution of TS 33.328 the KMS acts as the trusted third party of MIKEY-TICKET: it issues a ticket to the initiating party and resolves it for the responding party, while the IMS core only forwards the ticket. In Mission Critical services (TS 33.179 for MCPTT, generalised in TS 33.180) the KMS is the root of trust of an identity-based scheme: it provisions each KM client with MIKEY-SAKKE key material bound to the user's MC identity (a SAKKE decryption key and an ECCSI signing key) together with the KMS public keys, the "KMS certificate", needed to encrypt to and verify signatures from other users of that KMS. Group Master Keys (GMKs) are then distributed by the group management server to each member, encrypted to the member's identity with MIKEY-SAKKE and signed with ECCSI, and the SRTP/SRTCP media keys are derived from the GMK (or, for private calls, from a Private Call Key negotiated the same way); the KMS itself does not derive media keys. KMS communications run over HTTP protected by TLS and are additionally protected under a per-client transport key (TrK) and, from Rel-15, an integrity key (InK), so that provisioned material is protected between KMS and KM client independently of the TLS hop. Deployments commonly keep the KMS master secrets in a hardware security module, although the specifications do not mandate it.

In operation, the KMS works in tandem with the identity management function. A KM client first authenticates the user with the identity management server and obtains an access token; it then requests its key material from the KMS, presenting that token. The KMS validates the token, applies its authorization policy (which identities this client may receive keys for) and returns the key material protected under the client's TrK/InK. Provisioned keys are bound to a key period, so the client re-provisions periodically and the KMS can cut a user off simply by issuing nothing for the next period. Group communications reuse this material: the group management server, itself a KM client of the KMS, encrypts a fresh GMK to each member's identity whenever the group is created or its membership changes, which is how revocation of a member is enforced. When a communicating party is served by a different KMS, the Rel-15 KMS discovery procedure, with its KMS Redirect Request and KMS Redirect Response messages, lets the client learn which KMS it should use for that user.

Its role is foundational for end-to-end media and signalling protection: because key material is bound to user identities and provisioned directly to the endpoints, the IMS core and the media relays do not need the media keys, and ECCSI signatures give source authentication of key distribution messages. MIKEY-SAKKE is not forward secure, however: a user's SAKKE private key for a key period decrypts every GMK or PCK sent to that user in that period, which is why short key periods and prompt re-provisioning matter. By centralizing key management, the KMS removes the need for each application to invent its own key distribution and gives the operator or public-safety agency one place to set key periods, revoke users (by withholding material for the next period) and roll over KMS master keys. In mission-critical scenarios this means communications stay protected even if signalling or media relays are compromised, since those relays hold no long-term key material. The KMS is therefore the backbone of a scalable, manageable cryptographic infrastructure in 3GPP networks.
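The lifecycle and distribution model described above, as an added example that is not from 3GPP or from any MC service implementation: a toy KMS in Python (standard library only) that derives a per-user transport key (TrK) and integrity key (InK), provisions protected key material, wraps a group master key (GMK) for each member and rotates it on revocation. The construction (HKDF-style derivation, an HMAC counter-mode keystream with an encrypt-then-MAC tag) stands in for the MIKEY-SAKKE and signed-XML mechanics of TS 33.180; the names `KMS`, `protect`, `unprotect`, `client_unwrap_gmk` and `media_key` are this example's, the user identities are constructed, and in the real architecture the GMK is distributed by the group management server rather than by the KMS.

```python
"""Toy model of the KMS key lifecycle: per-user TrK/InK, protected key provisioning,
group master key (GMK) distribution, rotation and revocation. Standard library only.
Hypothetical construction, not the MIKEY-SAKKE/XML mechanics of TS 33.180."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) over HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def protect(trk: bytes, ink: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: keystream from TrK (HMAC counter mode via hkdf_expand with a
    fresh nonce), tag over nonce||ciphertext from InK. Mirrors the TrK/InK split."""
    nonce = secrets.token_bytes(16)
    stream = hkdf_expand(trk, b"stream" + nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(ink, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(trk: bytes, ink: bytes, blob: bytes) -> bytes:
    """Verify the InK tag first (constant time), then strip the TrK keystream."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(ink, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("KMS message failed integrity check")
    stream = hkdf_expand(trk, b"stream" + nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


@dataclass
class KMS:
    """Combined KMS + group key distributor (in 3GPP MC services the group
    management server distributes the GMK using KMS-provisioned material)."""
    root: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    groups: dict = field(default_factory=dict)  # group_id -> {"gmk_id", "gmk", "members"}

    def user_keys(self, mc_id: str) -> tuple:
        """Per-user (TrK, InK). Derived from the KMS root here for brevity; in the
        real architecture these are pre-provisioned to the KM client."""
        base = hkdf_expand(self.root, b"user:" + mc_id.encode())
        return hkdf_expand(base, b"TrK"), hkdf_expand(base, b"InK")

    def provision(self, mc_id: str) -> bytes:
        """Identity-bound key material for an authenticated KM client, protected
        under that client's TrK/InK (stands in for SAKKE/ECCSI private keys)."""
        user_secret = hkdf_expand(self.root, b"identity-key:" + mc_id.encode())
        return protect(*self.user_keys(mc_id), user_secret)

    def create_group(self, group_id: str, members) -> dict:
        self.groups[group_id] = {"gmk_id": 0, "gmk": b"", "members": set(members)}
        return self.rotate_group(group_id)

    def rotate_group(self, group_id: str) -> dict:
        """New GMK with a new GMK-ID; one wrapped copy per *current* member."""
        g = self.groups[group_id]
        g["gmk_id"] += 1
        g["gmk"] = secrets.token_bytes(32)
        payload = g["gmk_id"].to_bytes(4, "big") + g["gmk"]
        return {m: protect(*self.user_keys(m), payload) for m in g["members"]}

    def revoke_member(self, group_id: str, mc_id: str) -> dict:
        """Revocation is removal plus rotation: the old GMK is never reused."""
        self.groups[group_id]["members"].discard(mc_id)
        return self.rotate_group(group_id)


def client_unwrap_gmk(kms: KMS, mc_id: str, wrapped: dict) -> tuple:
    """KM client side: unwrap this member's own copy -> (gmk_id, gmk)."""
    if mc_id not in wrapped:
        raise PermissionError(f"{mc_id} is not a current member; no GMK copy issued")
    blob = unprotect(*kms.user_keys(mc_id), wrapped[mc_id])
    return int.from_bytes(blob[:4], "big"), blob[4:]


def media_key(gmk: bytes, gmk_id: int, purpose: bytes = b"srtp-master") -> bytes:
    """Per-purpose media key derived from the GMK and bound to its GMK-ID."""
    return hkdf_expand(gmk, purpose + gmk_id.to_bytes(4, "big"))


if __name__ == "__main__":
    kms = KMS()
    users = {"alice@mc.example", "bob@mc.example", "mallory@mc.example"}  # constructed
    w1 = kms.create_group("ops-group", users)
    gid, gmk = client_unwrap_gmk(kms, "alice@mc.example", w1)
    w2 = kms.revoke_member("ops-group", "mallory@mc.example")
    gid2, gmk2 = client_unwrap_gmk(kms, "alice@mc.example", w2)
    print(f"GMK-ID {gid} -> {gid2}; mallory still listed: {'mallory@mc.example' in w2}")
```

Two properties worth noticing when running it: a revoked member keeps the old GMK and can still decrypt traffic recorded under it (the scheme, like MIKEY-SAKKE, offers no forward secrecy for material already delivered), and a single flipped byte in a wrapped copy fails the InK check before any keystream is applied.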

Purpose & Motivation

The KMS was introduced to solve the growing complexity and security challenges of key management in evolving 3GPP networks. As services moved from basic voice and SMS to rich IP-based multimedia (IMS) and mission-critical applications, each service required its own set of cryptographic keys for confidentiality, integrity, and authentication. Managing these keys separately for each service led to duplication, inconsistent security policies, and a larger attack surface. The KMS was created to provide a unified, standardized approach to key lifecycle management across diverse services.

Historically, earlier mobile networks embedded key management within core network functions like the HSS/AuC, which primarily handled access authentication keys (e.g., CK, IK). These were not designed for the dynamic, application-layer key distribution needed for services like secure group chat, push-to-talk, or encrypted video streaming: they did not scale to per-service keys, offered no standardized protocol for delivering keys to application servers and clients, and had no notion of group keys. The KMS, studied from Release 8 for IMS media plane security (TR 33.828), then specified in TS 33.328 and, for Mission Critical services, in TS 33.179 and TS 33.180, addressed these gaps by decoupling application-layer key management from the access-network key hierarchy and offering it as a service to any authorized KM client.

Its development was further motivated by the need for regulatory compliance and interoperability in public safety communications (Mission Critical Services). Agencies required assured security with control over the cryptographic material, which a dedicated KMS they can operate within their own security domain provides. The same model carries over to MC services delivered over 5GS (TR 23.783), since the application-layer security architecture is independent of the access network. By centralizing and standardizing key management, the KMS reduces operational costs, enforces consistent policy, and lets new secure services be deployed without fragmenting key handling across applications, which was not feasible with the ad-hoc approaches of the past.

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (33 CRs across 6 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-8, normative work from Rel-15.

Rel-15 (10 changes)

In Release 15, the KMS gained discovery and interworking capabilities: KMS Requests to support KMS discovery, KMS Redirect Responses, and the definition of a KMS Redirect Request message format, so that a KM client can be pointed at the KMS that actually serves a given user. The release also added an integrity key (InK) for protecting KMS communications alongside the transport key, and clarified the procedures for a migration KMS and for GMK (Group Master Key) management.

  • Resource Management in CFA (TS 23.280 CR0059)
  • Adding KMS Redirect Responses (TS 33.180 CR0026)
  • KMS enhancement, including Migration KMS (TS 33.180 CR0027)
  • Addition of KMS Requests to support KMS Discovery (TS 33.180 CR0041)
  • Adding Integrity Key for KMS communications (TS 33.180 CR0051)
  • Definition of KMS Redirect Request message format (TS 33.180 CR0084)

+ 4 more changes

Rel-16 (9 changes)

In Release 16, the Key Management Service (KMS) was updated by removing a duplicated definition for the Key Management Server URI from the initial MC service UE configuration. Furthermore, specific security procedures between the KM client and the KMS were formally defined for this release.

  • Implicit functional alias management (TS 23.280 CR0188)
  • Functional Alias management for interworking between MC service system and LMR system (TS 23.283 CR0035)
  • Functional Alias management for interworking between MC service system and LMR system (TR 23.783 CR0035)
  • Proposal for affiliation status information in group management server (TS 23.280 CR0165)
  • Add location management sever URI to initial MC service UE configuration (TS 23.280 CR0186)
  • Remove the duplicated Key Management Server URI definiton (TS 23.280 CR0194)

+ 3 more changes

Rel-17 (3 changes)

In Release 17, the only KMS-specific update was a clarification of KMS message signatures (TS 33.180 CR0180, a mirror CR), a refinement of the security procedures between the key management client and the KMS. The other two changes listed here touch the location management procedures of TS 23.280, in which the KMS appears only as one of the MC system's servers.

  • Corrections to location management procedures (TS 23.280 CR0291)
  • Clarifications for Location management PLUS NEW enhancements for MC service UE label (TS 23.280 CR0293)
  • [33.180] R17 KMS message signature clarification (mirror) (TS 33.180 CR0180)

Rel-18 (3 changes)

In Release 18, key enhancements for the KMS function were introduced to support user migration in Mission Critical (MC) services. Specifically, the standard defined a new procedure for resolving the target Key Management Server (KMS) URI when an MC service user migrates to a different MC system. This ensures that key management services can be correctly located and accessed for a migrated user, maintaining service continuity and security.

  • MCGWUE 3GPP access network related location information management (TS 23.280 CR0300)
  • Description for the terms used in the location management procedures (TS 23.280 CR0354)
  • Resolving the target KMS URI for a migrated MC service user (TS 23.280 CR0361)
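The KMS discovery and redirect mechanism from the Rel-15 changes and the target-KMS resolution for a migrated user from Rel-18, as one added example (Python, standard library only; not 3GPP's message formats and not code from any MC implementation). The model is this example's own: a KM client resolves the KMS for a user from its migration configuration if one exists, otherwise asks its home KMS and follows KMS Redirect Responses. The security points a practitioner would want are built in: every response is checked under the integrity key the client holds for that KMS (a stand-in for the InK), a redirect is followed only to a KMS the client holds a key for, responses must be bound to the requested user, and the number of hops is bounded so two KMSs redirecting to each other cannot loop the client forever. The class and field names, message types and the topology in `build_scenario` are all hypothetical.

```python
"""Toy model of KMS discovery for a KM client: migration configuration gives the
target KMS URI directly; otherwise the home KMS is asked and any KMS Redirect
Response is followed, but only to KMSs the client holds an integrity key for,
and only for a bounded number of hops. Message names/fields are hypothetical."""
import hashlib
import hmac
from dataclasses import dataclass, field


def _canonical(body: dict) -> bytes:
    return "|".join(f"{k}={body[k]}" for k in sorted(body)).encode()


def sign_response(ink: bytes, body: dict) -> dict:
    """KMS side: attach an HMAC tag (stand-in for the InK-protected signature)."""
    return {**body, "tag": hmac.new(ink, _canonical(body), hashlib.sha256).hexdigest()}


def verify_response(ink: bytes, msg: dict) -> bool:
    body = {k: v for k, v in msg.items() if k != "tag"}
    expected = hmac.new(ink, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(msg.get("tag", ""), expected)


@dataclass
class KmsServer:
    uri: str
    ink: bytes                 # integrity key shared with the client (one per KMS, hypothetical)
    serves: set                # user domains this KMS holds key material for
    redirects: dict = field(default_factory=dict)  # domain -> KMS URI to redirect to

    def key_request(self, mc_id: str) -> dict:
        domain = mc_id.split("@", 1)[1]
        if domain in self.serves:
            body = {"type": "KeyResponse", "for": mc_id, "kms": self.uri}
        elif domain in self.redirects:
            body = {"type": "KmsRedirectResponse", "for": mc_id, "kms": self.redirects[domain]}
        else:
            body = {"type": "Error", "for": mc_id, "kms": self.uri}
        return sign_response(self.ink, body)


@dataclass
class KmClient:
    home_kms: str
    kms_inks: dict             # KMS URI -> InK; doubles as the trust list
    transport: dict            # KMS URI -> KmsServer (stand-in for HTTPS)
    migrated_to: dict = field(default_factory=dict)  # domain -> KMS URI (migration config)

    def target_kms(self, user: str, max_hops: int = 3) -> str:
        """Return the URI of the KMS that serves `user`, or raise."""
        domain = user.split("@", 1)[1]
        uri = self.migrated_to.get(domain, self.home_kms)
        for _ in range(max_hops + 1):
            ink = self.kms_inks.get(uri)
            if ink is None:                       # never follow a redirect to an unknown KMS
                raise PermissionError(f"refusing untrusted KMS {uri}")
            msg = self.transport[uri].key_request(user)
            if not verify_response(ink, msg) or msg.get("for") != user:
                raise ValueError(f"unauthentic or mis-bound response from {uri}")
            if msg["type"] == "KeyResponse":
                return msg["kms"]
            if msg["type"] != "KmsRedirectResponse":
                raise LookupError(f"{uri} cannot serve {user}")
            uri = msg["kms"]                      # follow the redirect, re-checking trust
        raise RuntimeError(f"gave up resolving {user}: more than {max_hops} redirects")


def build_scenario() -> KmClient:
    """Constructed topology: home KMS, partner KMS, two looping KMSs, a rogue KMS the
    client has no key for, and a KMS whose signing key does not match the client's."""
    home, partner = "https://kms.home.example", "https://kms.partner.example"
    evil, spoof = "https://kms.evil.example", "https://kms.spoofed.example"
    loop_a, loop_b = "https://kms.a.example", "https://kms.b.example"
    inks = {home: b"ink-home", partner: b"ink-partner", loop_a: b"ink-a",
            loop_b: b"ink-b", spoof: b"ink-spoofed"}
    servers = {
        home: KmsServer(home, inks[home], {"home.example"},
                        {"partner.example": partner, "evil.example": evil,
                         "loop.example": loop_a, "spoof.example": spoof}),
        partner: KmsServer(partner, inks[partner], {"partner.example", "migrated.example"}),
        loop_a: KmsServer(loop_a, inks[loop_a], set(), {"loop.example": loop_b}),
        loop_b: KmsServer(loop_b, inks[loop_b], set(), {"loop.example": loop_a}),
        evil: KmsServer(evil, b"ink-evil", {"evil.example"}),
        spoof: KmsServer(spoof, b"wrong-key", {"spoof.example"}),
    }
    return KmClient(home, inks, servers, migrated_to={"migrated.example": partner})


if __name__ == "__main__":
    client = build_scenario()
    for user in ("u@home.example", "u@partner.example", "u@migrated.example"):
        print(user, "->", client.target_kms(user))
```

The migrated user never touches the home KMS at all: the Rel-18 procedure resolves the target KMS URI from configuration, and the client only has to confirm that the configured URI is one it trusts. A redirect to a KMS outside the trust list is refused before any request is sent, which is the check that keeps a compromised or misconfigured home KMS from steering clients to an attacker-run KMS.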

Rel-19 (6 changes)

In Release 19, the KMS appears in updates to the resources management procedures and information elements of TS 23.280, made as part of the administrative configuration management (ACM) framework with its ACM client and server. These changes refine how resources are managed within the MC service architecture, in which the KMS is listed alongside the group, configuration, identity and location management servers; they do not alter the KMS's security procedures.

  • ACM Group configuration management (TS 23.280 CR0466)
  • ACM user migration management (TS 23.280 CR0507)
  • Resources management clauses title update (TS 23.280 CR0418)
  • IE related to resources management (TS 23.280 CR0419)
  • Clarifications in general location management clause (TS 23.280 CR0596)
  • Resources management procedures update (TS 23.280 CR0417)

Rel-20 (2 changes)

In Release 20, the KMS-related update is a correction in TS 23.283 restricting the LMR (Land Mobile Radio) key management messages to the MCData service, which clarifies their scope within MC system interworking; the other listed change corrects location management text in TS 23.280.

  • Corrections to location management (TS 23.280 CR0699)
  • Correction for LMR Key Management Messages to apply only to MCData service (TS 23.283 CR0101)

Defining Specifications

3GPP specifications that define or reference KMS, with the latest known release. Sourced from the 3GPP document catalog.

Specification   Version   Title                                                      Release
TS 23.280       vk10      Common Architecture for Mission Critical Services          Rel-20
TS 23.283       vk00      Mission Critical Communication Interworking                Rel-20
TS 23.333       vj00      MRFC-MRFP Mp Interface Requirements                        Rel-19
TR 23.782       vf00      Interworking between LTE MC and non-LTE MC systems         Rel-15
TR 23.783       vi00      Technical Report on Mission Critical Services over 5GS     Rel-18
TS 24.229       vj50      IMS call control protocol based on SIP and SDP             Rel-19
TS 24.582       vj00      MCData Media Plane Control Protocols                       Rel-19
TR 24.883       vg00      MCPTT Interworking with LMR Systems                        Rel-16
TS 29.379       vj00      MCPTT call control interworking with LMR systems           Rel-19
TR 29.828       vc10      IMS Media Plane Security H.248 Profiles Study              Rel-12
TS 33.127       vj50      Lawful Interception Architecture and Functions             Rel-19
TS 33.179       vdc0      MCPTT Security Architecture and Procedures                 Rel-13
TS 33.180       vk00      Security of Mission Critical (MC) Service                  Rel-20
TS 33.303       vj00      ProSe Security Specification for EPS                       Rel-19
TS 33.328       vj10      IMS Media Plane Security Specification                     Rel-19
TR 33.700       (none)    3GPP TR 33.700 (title not listed in catalog entry)         Rel-8
TR 33.828       vb10      IMS Media Plane Security Study                             Rel-11
TR 33.879       vd10      MCPTT Security Study                                       Rel-13
TR 33.880       vf10      Security Study for Enhanced Mission Critical Services      Rel-15
TR 33.885       ve10      Security Study for V2X Services                            Rel-14