Description
MIKEY (Multimedia Internet KEYing) is a key management protocol standardized by the IETF and adopted by 3GPP for securing multimedia sessions, primarily within the IP Multimedia Subsystem (IMS). Its primary function is to negotiate and establish cryptographic keys and security parameters (security associations) between two or more communicating peers before the initiation of real-time media streams, such as voice over IP (VoIP) or video telephony. The protocol operates in a peer-to-peer manner, often with the assistance of a signaling protocol like SIP (Session Initiation Protocol) to transport the MIKEY payloads within SIP messages during session setup.
The architecture of MIKEY is designed to be flexible, supporting several modes of operation to accommodate different deployment scenarios and trust models. The primary modes include the Pre-shared Key (PSK) mode, where a secret key is pre-distributed to the communicating entities; the Public Key Encryption (PKE) mode, which uses asymmetric cryptography (e.g., RSA) for key transport without requiring a pre-shared secret; and the Diffie-Hellman (DH) mode for authenticated key exchange. MIKEY messages carry cryptographic parameters, including key material, cryptographic algorithms (ciphers, authentication algorithms), security policy identifiers (SPIs), and lifetime information. These messages are typically encoded in a binary format and carried as MIME bodies within SIP signaling.
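To make the binary encoding and the mode distinction concrete, the following added example (not part of the original page, and not reference code from the IETF or 3GPP) parses the fixed part of the MIKEY common header as laid out in RFC 3830 and reports which mode a message belongs to. The sample bytes are constructed for illustration, and the function, class and field names are assumptions of this example.

```python
import struct

# Data type values of the MIKEY common header (RFC 3830, section 6.1).
# Later RFCs define further values; those are reported as "unknown" here.
DATA_TYPES = {
    0: ("PSK", "initiator message"),
    1: ("PSK", "verification message"),
    2: ("PKE", "initiator message"),
    3: ("PKE", "verification message"),
    4: ("DH", "initiator message"),
    5: ("DH", "responder message"),
    6: ("error", "error message"),
}
HDR_FIXED_LEN = 10  # version through CS ID map type

# Constructed sample: version 1, PSK initiator message, V flag set,
# PRF function 0, CSB ID 0x12345678, one crypto session, map type 0.
SAMPLE = bytes.fromhex("01000580" "12345678" "0100")


class MikeyParseError(ValueError):
    """Raised when the bytes cannot be a MIKEY common header."""


def parse_mikey_header(msg: bytes) -> dict:
    """Decode the fixed fields of the common header and classify the mode."""
    if len(msg) < HDR_FIXED_LEN:
        raise MikeyParseError(f"truncated header: {len(msg)} bytes")
    (version, data_type, next_payload, v_prf,
     csb_id, cs_count, map_type) = struct.unpack("!BBBBIBB", msg[:HDR_FIXED_LEN])
    if version != 1:
        raise MikeyParseError(f"unsupported MIKEY version {version}")
    mode, role = DATA_TYPES.get(data_type, ("unknown", "not defined in RFC 3830"))
    return {
        "mode": mode,
        "role": role,
        "next_payload": next_payload,
        "v_flag": bool(v_prf & 0x80),   # initiator expects a verification message
        "prf_func": v_prf & 0x7F,
        "csb_id": csb_id,               # identifies the crypto session bundle
        "cs_count": cs_count,
        "cs_id_map_type": map_type,
    }


if __name__ == "__main__":
    print(parse_mikey_header(SAMPLE))
```

A monitoring or interoperability tool can use the same classification to confirm that endpoints negotiate the mode the deployment policy expects.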
Within the 3GPP ecosystem, MIKEY plays a critical role in implementing end-to-end security for media streams, particularly for the Secure Real-time Transport Protocol (SRTP). Once MIKEY completes its handshake, the derived keys are used to initialize SRTP contexts at both ends, enabling the encryption and authentication of RTP media packets. This process is integral to services like IMS-based Voice over LTE (VoLTE) and Video over LTE (ViLTE), where user plane confidentiality is a requirement. The protocol is defined to work in conjunction with other 3GPP security mechanisms, such as those provided by the Authentication and Key Agreement (AKA) framework for network access, but MIKEY specifically addresses the application-layer key management for the media session itself.
Purpose & Motivation
MIKEY was created to address the lack of a standardized, lightweight, and efficient key management protocol specifically tailored for real-time multimedia applications on the Internet. Prior to its development, securing multimedia sessions often relied on generic security protocols like IPsec or TLS, which were not optimized for the low-latency and connectionless nature of RTP media streams. These protocols could introduce significant setup delay and overhead, detrimental to real-time communication. MIKEY's purpose is to provide a dedicated mechanism for establishing security associations for multimedia flows with minimal impact on session setup time.
The motivation for its adoption within 3GPP stemmed from the need for standardized media security in the IMS architecture. As 3GPP defined all-IP networks for delivering voice and video services, ensuring the confidentiality and integrity of these media streams became paramount. MIKEY offered a solution that could be cleanly integrated into the SIP-based session establishment procedures of IMS. It solved the problem of securely bootstrapping SRTP keys between user equipment (UE) and the network, or between two UEs, in a manner that was scalable and interoperable across different vendor implementations. Its design allows it to leverage existing trust relationships, such as those established by 3GPP AKA, to authenticate the key exchange, providing a comprehensive security solution from network access to application media.
Evolution Across Releases
Introduced MIKEY as the key management protocol for securing IMS multimedia sessions, specifically for SRTP. It was defined for use in IMS-based services like Voice over LTE (VoLTE), supporting PSK and PKE modes to establish secure media channels between UE and the network during session setup.
Defining Specifications
3GPP specifications that define or reference MIKEY, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 23.333 vj00 | MRFC-MRFP Mp Interface Requirements | Rel-19 |
| TS 23.782 vf00 | Interworking between LTE MC and non-LTE MC systems | Rel-15 |
| TS 26.244 vj00 | 3GPP File Format (3GP) Specification | Rel-19 |
| TS 29.828 vc10 | IMS Media Plane Security H.248 Profiles Study | Rel-12 |
| TS 31.102 vj40 | USIM Application Specification | Rel-19 |
| TS 33.246 vj00 | MBMS Security Specification | Rel-19 |
| TS 33.303 vj00 | ProSe Security Specification for EPS | Rel-19 |
| TS 33.328 vj10 | IMS Media Plane Security Specification | Rel-19 |
| TS 33.879 vd10 | MCPTT Security Study | Rel-13 |
| TS 33.885 ve10 | Security Study for V2X Services | Rel-14 |