Description
MIKEY (Multimedia Internet KEYing) is a key management protocol standardized by the IETF and adopted by 3GPP for securing multimedia sessions, primarily within the IP Multimedia Subsystem (IMS). Its primary function is to negotiate and establish cryptographic keys and security parameters (security associations) between two or more communicating peers before real-time media streams, such as voice over IP (VoIP) or video telephony, are started. The protocol runs peer-to-peer and is usually carried by a signaling protocol such as SIP (Session Initiation Protocol), whose messages transport the MIKEY payloads during session setup.
The architecture of MIKEY is designed to be flexible, supporting several modes of operation to accommodate different deployment scenarios and trust models. The primary modes include the Pre-shared Key (PSK) mode, where a secret key is pre-distributed to the communicating entities; the Public Key Encryption (PKE) mode, which uses asymmetric cryptography (e.g., RSA) for key transport without requiring a pre-shared secret; and the Diffie-Hellman (DH) mode for authenticated key exchange. MIKEY messages carry cryptographic parameters, including key material, cryptographic algorithms (ciphers, authentication algorithms), security policy identifiers (SPIs), and lifetime information. These messages are typically encoded in a binary format and carried as MIME bodies within SIP signaling.
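The binary encoding described above starts every MIKEY message with a common header that names the message type (and so the mode), the crypto session bundle (CSB) and the crypto sessions it covers. The following parser is an added example, not code from this page, 3GPP or the IETF: the field layout and code points follow RFC 3830 section 6.1, the sample header is constructed for the example, and the point it makes for a defender is that the crypto-session count is attacker-controlled and must be checked against the buffer before the map is read.

```python
"""Bounds-checked parser for the MIKEY common header (HDR payload).

Added example, not code from the page, 3GPP or the IETF. The field
layout and code points follow RFC 3830 section 6.1; SAMPLE_HDR is a
constructed message, not a capture.
"""
import struct

# Data-type values from RFC 3830, mapped onto the PSK / PKE / DH modes.
DATA_TYPES = {
    0: ("pre-shared key message", "PSK"),
    1: ("PSK verification message", "PSK"),
    2: ("public-key transport message", "PKE"),
    3: ("PK verification message", "PKE"),
    4: ("DH init message", "DH"),
    5: ("DH response message", "DH"),
    6: ("error message", None),
}

# Payload identifiers that may appear in the "next payload" field.
NEXT_PAYLOAD = {
    0: "Last payload", 1: "KEMAC", 2: "PKE", 3: "DH", 4: "SIGN", 5: "T",
    6: "ID", 7: "CERT", 8: "CHASH", 9: "V", 10: "SP", 11: "RAND",
    12: "ERR", 21: "KEY DATA", 22: "General Ext.",
}

HDR_FIXED_LEN = 10       # version .. CS ID map type
CS_ID_MAP_SRTP = 0       # SRTP-ID map: 9 octets per crypto session
SRTP_ID_ENTRY_LEN = 9    # policy_no (1) + SSRC (4) + ROC (4)


class MikeyParseError(ValueError):
    """Raised for truncated, malformed or unsupported headers."""


def parse_hdr(buf: bytes) -> dict:
    """Decode the common header; every length is checked before use."""
    if len(buf) < HDR_FIXED_LEN:
        raise MikeyParseError("header truncated: need %d octets" % HDR_FIXED_LEN)
    (version, data_type, next_payload, v_prf,
     csb_id, n_cs, map_type) = struct.unpack("!BBBBIBB", buf[:HDR_FIXED_LEN])
    if version != 1:
        raise MikeyParseError("unsupported MIKEY version %d" % version)
    if data_type not in DATA_TYPES:
        raise MikeyParseError("unknown data type %d" % data_type)
    if next_payload not in NEXT_PAYLOAD:
        raise MikeyParseError("unknown next payload %d" % next_payload)
    if map_type != CS_ID_MAP_SRTP:
        raise MikeyParseError("unsupported CS ID map type %d" % map_type)

    # The #CS octet comes from the peer: check it against the buffer
    # before reading the map instead of trusting it.
    need = HDR_FIXED_LEN + SRTP_ID_ENTRY_LEN * n_cs
    if len(buf) < need:
        raise MikeyParseError("CS ID map truncated: %d crypto sessions need %d octets, have %d"
                              % (n_cs, need, len(buf)))

    sessions = []
    for i in range(n_cs):
        off = HDR_FIXED_LEN + SRTP_ID_ENTRY_LEN * i
        policy_no, ssrc, roc = struct.unpack("!BII", buf[off:off + SRTP_ID_ENTRY_LEN])
        sessions.append({"policy_no": policy_no, "ssrc": ssrc, "roc": roc})

    return {
        "version": version,
        "data_type": DATA_TYPES[data_type][0],
        "mode": DATA_TYPES[data_type][1],
        "next_payload": NEXT_PAYLOAD[next_payload],
        "verification_requested": bool(v_prf >> 7),   # V bit
        "prf_func": v_prf & 0x7F,                     # 0 = MIKEY-1
        "csb_id": csb_id,
        "crypto_sessions": sessions,
        "hdr_len": need,   # offset at which the next payload starts
    }


# Constructed sample: PSK initiator message, V flag set, PRF 0, next
# payload T, CSB ID 0x12345678, two SRTP crypto sessions using policy 1.
SAMPLE_HDR = (
    bytes([0x01, 0x00, 0x05, 0x80])
    + (0x12345678).to_bytes(4, "big")
    + bytes([0x02, CS_ID_MAP_SRTP])
    + bytes([0x01]) + (0xDEADBEEF).to_bytes(4, "big") + (0).to_bytes(4, "big")
    + bytes([0x01]) + (0xCAFEBABE).to_bytes(4, "big") + (5).to_bytes(4, "big")
)

if __name__ == "__main__":
    print(parse_hdr(SAMPLE_HDR))
    try:
        # Same header with #CS inflated to 200: the length check rejects it.
        parse_hdr(SAMPLE_HDR[:8] + bytes([200]) + SAMPLE_HDR[9:])
    except MikeyParseError as exc:
        print("rejected:", exc)
```

The parser stops at the common header; the payloads that follow (T, RAND, SP, KEMAC and so on) are chained through the "next payload" field and would be walked from the returned `hdr_len` offset with the same length-before-read discipline.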
Within the 3GPP ecosystem, MIKEY plays a critical role in implementing end-to-end security for media streams, particularly for the Secure Real-time Transport Protocol (SRTP). Once MIKEY completes its handshake, the derived keys are used to initialize SRTP contexts at both ends, enabling the encryption and authentication of RTP media packets. This process is integral to services like IMS-based Voice over LTE (VoLTE) and Video over LTE (ViLTE), where user plane confidentiality is a requirement. The protocol is defined to work in conjunction with other 3GPP security mechanisms, such as those provided by the Authentication and Key Agreement (AKA) framework for network access, but MIKEY specifically addresses the application-layer key management for the media session itself.
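The step from a completed MIKEY handshake to an initialized SRTP context is a key derivation: the TEK generation key (TGK) agreed in PSK, PKE or DH mode is expanded, per crypto session, into the SRTP master key (TEK) and master salt. The code below is an added example, not code from this page or from 3GPP; it implements the PRF of RFC 3830 section 4.1.2 with the label constants of section 4.1.3, and the TEK/salt labels of section 4.1.4 (constant || cs_id || csb_id || RAND), with the salt derived by the same construction under the salting-key constant. The TGK, RAND, CSB ID and CS ID are constructed sample values.

```python
"""MIKEY key derivation: the RFC 3830 PRF used to turn a TGK into the
SRTP master key (TEK) and master salt for one crypto session.

Added example, not code from the page or from 3GPP. Construction and
32-bit label constants follow RFC 3830 sections 4.1.2 to 4.1.4; the
TGK, RAND, CSB ID and CS ID used below are constructed sample values.
"""
import hashlib
import hmac

# Label constants from RFC 3830 section 4.1.3.
CONST_TEK = 0x2AD01C64
CONST_SALT = 0x39A2C14B


def _p(s: bytes, label: bytes, m: int) -> bytes:
    """P(s, label, m) = HMAC(s, A_1 || label) || ... || HMAC(s, A_m || label),
    with A_0 = label and A_i = HMAC(s, A_{i-1}); HMAC is HMAC-SHA1."""
    out = b""
    a = label
    for _ in range(m):
        a = hmac.new(s, a, hashlib.sha1).digest()
        out += hmac.new(s, a + label, hashlib.sha1).digest()
    return out


def mikey_prf(inkey: bytes, label: bytes, outkey_len: int) -> bytes:
    """PRF(inkey, label): split inkey into 256-bit blocks s_1..s_n, XOR the
    P() output streams of all blocks and truncate to outkey_len octets."""
    if not inkey:
        raise ValueError("empty input key")
    n = -(-len(inkey) // 32)   # number of 256-bit blocks, rounded up
    m = -(-outkey_len // 20)   # number of 160-bit HMAC-SHA1 outputs needed
    acc = bytearray(m * 20)
    for i in range(n):
        stream = _p(inkey[32 * i:32 * (i + 1)], label, m)
        for j in range(m * 20):
            acc[j] ^= stream[j]
    return bytes(acc[:outkey_len])


def derive_srtp_keys(tgk: bytes, cs_id: int, csb_id: int, rand: bytes,
                     key_len: int = 16, salt_len: int = 14):
    """Return (TEK, salt) for crypto session cs_id of bundle csb_id.

    label = constant (32 bit) || cs_id (8 bit) || csb_id (32 bit) || RAND,
    so two crypto sessions in one bundle never share SRTP keys."""
    if not 0 <= cs_id <= 0xFF:
        raise ValueError("cs_id is an 8-bit field")
    if not 0 <= csb_id <= 0xFFFFFFFF:
        raise ValueError("csb_id is a 32-bit field")
    suffix = bytes([cs_id]) + csb_id.to_bytes(4, "big") + rand
    tek = mikey_prf(tgk, CONST_TEK.to_bytes(4, "big") + suffix, key_len)
    salt = mikey_prf(tgk, CONST_SALT.to_bytes(4, "big") + suffix, salt_len)
    return tek, salt


# Constructed sample inputs (not from any real session).
SAMPLE_TGK = hashlib.sha256(b"constructed sample TGK").digest()   # 256-bit TGK
SAMPLE_RAND = bytes(range(16))                                    # 128-bit RAND
SAMPLE_CSB_ID = 0x12345678

if __name__ == "__main__":
    for cs_id in (1, 2):
        tek, salt = derive_srtp_keys(SAMPLE_TGK, cs_id, SAMPLE_CSB_ID, SAMPLE_RAND)
        print("CS %d: TEK=%s salt=%s" % (cs_id, tek.hex(), salt.hex()))
```

The returned TEK and salt are what an SRTP implementation takes as master key and master salt when it creates the context for the corresponding crypto session; binding the label to the CSB ID and RAND is what keeps keys from one session setup from being replayed into another.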
Purpose & Motivation
MIKEY was created to address the lack of a standardized, lightweight, and efficient key management protocol specifically tailored for real-time multimedia applications on the Internet. Before its development, securing multimedia sessions often relied on generic security protocols such as IPsec or TLS, which were not optimized for the low-latency, connectionless nature of RTP media streams. Those protocols could add significant setup delay and overhead, which is detrimental to real-time communication. MIKEY's purpose is to provide a dedicated mechanism for establishing security associations for multimedia flows with minimal impact on session setup time.
The motivation for its adoption within 3GPP stemmed from the need for standardized media security in the IMS architecture. As 3GPP defined all-IP networks for delivering voice and video services, ensuring the confidentiality and integrity of these media streams became paramount. MIKEY offered a solution that could be cleanly integrated into the SIP-based session establishment procedures of IMS. It solved the problem of securely bootstrapping SRTP keys between user equipment (UE) and the network, or between two UEs, in a manner that was scalable and interoperable across different vendor implementations. Its design allows it to leverage existing trust relationships, such as those established by 3GPP AKA, to authenticate the key exchange, providing a comprehensive security solution from network access to application media.
Key Features
- Supports multiple key management modes: Pre-shared Key (PSK), Public Key Encryption (PKE), and Diffie-Hellman (DH)
- Designed for low-latency setup to suit real-time multimedia sessions
- Carries cryptographic parameters, security policy identifiers (SPIs), and key lifetimes
- Typically transported within SIP signaling messages as a MIME payload
- Directly provides keying material and parameters for SRTP context initialization
- Enables end-to-end media encryption between user equipment or between UE and network nodes
Evolution Across Releases
Introduced MIKEY as the key management protocol for securing IMS multimedia sessions, specifically for SRTP. It was defined for use in IMS-based services like Voice over LTE (VoLTE), supporting PSK and PKE modes to establish secure media channels between UE and the network during session setup.
Defining Specifications
| Specification | Title |
|---|---|
| TS 23.333 | 3GPP TS 23.333 |
| TS 23.782 | 3GPP TS 23.782 |
| TS 26.244 | 3GPP TS 26.244 |
| TS 29.828 | 3GPP TS 29.828 |
| TS 31.102 | 3GPP TR 31.102 |
| TS 33.246 | 3GPP TR 33.246 |
| TS 33.303 | 3GPP TR 33.303 |
| TS 33.328 | 3GPP TR 33.328 |
| TS 33.879 | 3GPP TR 33.879 |
| TS 33.885 | 3GPP TR 33.885 |