MBSSF

Multicast/Broadcast Service Security Function

Security
Introduced in Rel-17
A network function in the 5G Core that provides security services specifically for multicast and broadcast traffic. It handles key management, authentication, and encryption for MBS sessions, ensuring secure content delivery to authorized UEs.

Description

The Multicast/Broadcast Service Security Function is a critical security component within the 5G Core Network's Multicast/Broadcast Service architecture. It is responsible for the complete security lifecycle of a Multicast/Broadcast Service (MBS) session. The MBSSF generates, manages, and distributes the cryptographic keys used to protect MBS traffic (user plane confidentiality and integrity) and related signaling. It interfaces with other core network functions, primarily the MB-SMF (MBS Session Management Function) and the UDM (Unified Data Management), to authenticate and authorize UEs for specific MBS sessions.

Operationally, when an MBS session is established, the MB-SMF requests the MBSSF to initiate security procedures. The MBSSF generates a Master Session Key (MSK) for the MBS session. For each UE joining the session, the MBSSF derives a User-specific Key (UK) from the MSK and the UE's subscription identifier. This UK is then provisioned to the UE through a secure unicast channel, typically via the MB-SMF and the Access and Mobility Management Function (AMF) using NAS security. The UE uses this UK to derive the necessary traffic encryption keys (TEKs) for decrypting the multicast/broadcast data flow.

The MBSSF also supports key renewal and revocation processes to maintain security over time. It can periodically update the MSK and push new derived keys to authorized UEs, mitigating the risk of key compromise. Architecturally, the MBSSF may be a standalone Network Function (NF) or collocated with another function like the MB-SMF. It uses the 3GPP-defined service-based interfaces, notably Nmbsf, to communicate with other NFs. Its design ensures that multicast/broadcast security is integrated into the 5G security framework, leveraging the existing authentication infrastructure (5G AKA) while addressing the unique point-to-multipoint delivery model.
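The MSK-to-UK derivation and the renewal and revocation step described above, as an added example that is not part of the original page or taken from any 3GPP specification. HMAC-SHA-256 as the KDF, the `mbs-uk` label, the `MbsSession` class and the subscription identifiers are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def kdf(key: bytes, label: bytes, context: bytes) -> bytes:
    """HMAC-SHA-256 KDF (assumed; the page does not name the KDF)."""
    # Length-prefix each field so different (label, context) splits cannot collide.
    msg = (len(label).to_bytes(2, "big") + label
           + len(context).to_bytes(2, "big") + context)
    return hmac.new(key, msg, hashlib.sha256).digest()


class MbsSession:
    """Toy model of per-session key state held by the MBSSF (hypothetical class)."""

    def __init__(self, authorized):
        self.authorized = set(authorized)
        self.msk = secrets.token_bytes(32)   # Master Session Key for this session
        self.generation = 0

    def derive_uk(self, supi: str) -> bytes:
        """UK = KDF(MSK, subscription identifier); refused for unauthorized UEs."""
        if supi not in self.authorized:
            raise PermissionError(f"{supi} is not authorized for this session")
        return kdf(self.msk, b"mbs-uk", supi.encode())

    def renew(self, revoke=()):
        """Rotate the MSK, drop revoked UEs, return the fresh UKs to provision."""
        self.authorized -= set(revoke)
        self.msk = secrets.token_bytes(32)
        self.generation += 1
        return {supi: self.derive_uk(supi) for supi in sorted(self.authorized)}


def demo():
    # Constructed sample identifiers (test PLMN 001/01), not real subscribers.
    ues = ["imsi-001010000000001", "imsi-001010000000002"]
    session = MbsSession(ues)
    old = {u: session.derive_uk(u) for u in ues}
    new = session.renew(revoke=[ues[1]])     # second UE loses access on renewal
    return old, new, session


if __name__ == "__main__":
    old, new, _ = demo()
    print("UEs keyed before renewal:", sorted(old))
    print("UEs keyed after renewal: ", sorted(new))
```

A revoked UE still holds its old UK, so revocation only takes effect once traffic is protected under keys from the renewed MSK.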

Purpose & Motivation

The MBSSF was created to address the specific security challenges inherent in multicast and broadcast services, which were reintroduced and enhanced in 5G. In a point-to-multipoint model, traditional unicast security mechanisms (like those between a UPF and a single UE) are inefficient and inadequate. The purpose of the MBSSF is to provide a standardized, scalable, and secure method for managing keys and access control for potentially massive numbers of receivers.

It solves the problem of secure key distribution for broadcast groups. Without a dedicated function like the MBSSF, the network would need to establish individual secure contexts with each UE for the same content, wasting signaling resources and complicating synchronized key updates. Previous MBMS security in 4G used the BM-SC for similar functions, but the MBSSF is redesigned as a native 5G Core service-based function, integrating with the new authentication framework and network slicing capabilities.

The motivation for its specification in Release 17 was driven by the expanded use cases for 5G MBS, including mission-critical group communications, public safety, V2X applications, and IPTV. These services demand robust security to prevent eavesdropping, service theft, and spoofing. The MBSSF provides the necessary foundation for commercial broadcast services where content protection (Digital Rights Management) is paramount, and for public safety where communication integrity and group authentication are critical.

Key Features

  • Generation and management of a Master Session Key (MSK) for each MBS session
  • Derivation and secure distribution of User-specific Keys (UK) to individual UEs
  • Support for multicast/broadcast traffic confidentiality and integrity protection
  • Integration with 5G core authentication (via UDM) for UE authorization
  • Procedures for key renewal, revocation, and synchronization across the user group
  • Service-based interface (Nmbsf) for interaction with other 5G Core Network Functions

Evolution Across Releases

Rel-17 Initial

Introduced the MBSSF as part of the foundational 5G Multicast/Broadcast Service architecture. Defined its role, interfaces, and basic procedures for key management (MSK/UK derivation) and distribution. Established it as the central security function for protecting MBS user plane and managing access control.

Defining Specifications

Specification  Title
TS 33.501      3GPP TR 33.501