MSCCK

MBMS Sub-Channel Control Key

Security →
Introduced in Rel-13 Also in: Security

MSCCK is a security key used in MBMS to protect the integrity and confidentiality of sub-channel control information, such as scheduling and configuration data, preventing unauthorized access and service disruption.

Category
Security
Introduced
Rel-13
Where
Services
Also touches
1 segments
Specifications
4 specs
MSCCK Description Purpose Related Classification Detected Changes Specifications

Description

The MBMS Sub-Channel Control Key (MSCCK) is a cryptographic key defined within the 3GPP security architecture for Multimedia Broadcast Multicast Service (MBMS). Its primary function is to secure the control plane information associated with MBMS sub-channels. An MBMS service can be divided into multiple sub-channels, each potentially carrying different content or quality levels. The control information for these sub-channels, which includes scheduling details, configuration parameters, and service announcements, is transmitted over the air interface and must be protected to ensure service reliability and prevent spoofing or denial-of-service attacks.

The MSCCK is derived within the BM-SC (Broadcast Multicast Service Centre) as part of the MBMS key hierarchy. It is generated from a parent key, the MBMS Service Key (MUK), using a Key Derivation Function (KDF) with specific input parameters that identify the service and the control channel. This derived key is then used to compute integrity protection values (MACs) and, optionally, to encrypt the control messages sent on channels like the MCCH (MBMS Control Channel) or MSCH (MBMS Scheduling Channel). The UE (User Equipment) receiving the MBMS service must also derive the same MSCCK using the MUK it has securely obtained, allowing it to verify the integrity and decrypt the control information.

Architecturally, the MSCCK operates within the MBMS security framework defined in TS 33.246 and related specs. It is a crucial element for enabling secure selective decryption in MBMS. By having separate keys for control and traffic, the network can provide free-to-air control information (protected by MSCCK) while keeping the actual media content encrypted with a different key (the MTK - MBMS Traffic Key). This separation allows for flexible service models, such as enabling users to discover and subscribe to services via protected control channels before purchasing the key for the content itself. The MSCCK's role is therefore foundational for secure service provisioning, efficient key management, and robust protection against attacks targeting the service discovery and configuration mechanisms in broadcast networks.

Purpose & Motivation

The MSCCK was introduced to address specific security vulnerabilities in the MBMS control plane. Early MBMS deployments focused on securing the user plane traffic (the actual video or data stream) with the MTK. However, the control information necessary for a UE to find, subscribe to, and correctly receive an MBMS service was often sent in the clear or with insufficient protection. This created a vector for attacks where malicious actors could inject false scheduling information, causing UEs to tune to incorrect frequencies or time slots, leading to service disruption (denial-of-service) or battery drain.

The creation of the MSCCK was motivated by the need for a holistic security approach for broadcast services. It solves the problem of ensuring the authenticity and integrity of critical service metadata. Without it, an attacker could forge service announcements or modify scheduling parameters, undermining the entire MBMS service model. The MSCCK enables the network to cryptographically bind control information to the legitimate service provider (the BM-SC), ensuring that UEs only act on commands from a trusted source. This is especially important for commercial services, including mobile TV and public safety communications, where reliable and tamper-proof service discovery is essential. Its introduction in Rel-13 as part of enhanced MBMS security (eMBMS) reflects the growing emphasis on robust security for broadcast-based 5G enablers like LTE-based 5G Broadcast.

Classification

Part ofMTK
Related approachesMUK

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the „Change history“ tables of 3GPP specifications (26 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-13, normative work from Rel-15.

Rel-15 12 changes

In Release 15, the MSCCK (MBMS Sub-Channel Control Key) function was newly introduced to manage MBMS subchannels over MBMS bearers, specifically enabling floor control messages like the Floor Release Multi Talker message to be sent over an MBMS subchannel. This release introduced procedures for floor control messages to support functional aliases and defined MBMS procedures for group dynamic data. Additionally, it specified the use of a UDP port as the parameter for differentiating media and media plane control packets for different groups over the same MBMS bearer.

  • Multi-Talker floor control server TS 24.380CR0178
  • Mutli-talker – floor control towards the participant TS 24.380CR0179
  • Updates to Non-controlling MCPTT function for Multi Talker TS 24.380CR0183
  • Floor Release Multi Talker message over MBMS subchannel TS 24.380CR0185
  • Floor Control Server towards participant TS 24.380CR0187
  • Coding of floor control messages to support functional alias TS 24.380CR0192

+ 6 more changes

Rel-16 2 changes

In Release 16, the MSCCK function saw specific corrections and clarifications to its associated floor control procedures. These included corrections to the Off-Network Floor Control procedures and updates to the timers and events for the On-Network Floor Control procedures. These changes aimed to improve the reliability and interoperability of MBMS subchannel management within MCPTT services.

  • Corrections to Off-Network Floor Control procedures TS 24.380CR0235
  • Corrections to timers-events of On-Network Floor Control procedures TS 24.380CR0249
Rel-17 7 changes

In Release 17, the MSCCK function saw specific corrections and updates primarily focused on enhancing the reliability of floor control procedures within MBMS sub-channel management. These included corrections to the handling of floor control messages during the upgrade or downgrade of a broadcast call and fixes for errors occurring when groups are regrouped. The updates also addressed the state transition diagram for basic floor control operation towards the floor participant and refined procedures for call setup control over a pre-established session.

  • Corrections to floor indicator of On-Network Floor Control procedures TS 24.380CR0274
  • Corrections to floor control messages handling for upgrade/downgrade of broadcast call TS 24.380CR0289
  • Updates to clause 6.3.5 Floor control server state transition diagram for basic floor control operation towards the floor participant and related editorials TS 24.380CR0298
  • Corrections in call setup control over pre-established session state machine TS 24.380CR0307
  • Error in floor control when groups are regrouped. TS 24.380CR0316
  • Corrections in Non-Controlling MCPTT function of an MCPTT group TS 24.380CR0317

+ 1 more changes

Rel-18 3 changes

In Release 18, the MSCCK (MBMS Sub-Channel Control Key) function was enhanced to support the management of MBMS subchannels over MBMS bearers for MCPTT. Specifically, new timers and counters were added in the participating MCPTT function for MBMS channel control. Furthermore, the release introduced support for multiplexing RTP audio and RTCP floor control streams on a single port when using MBMS subchannels.

  • Add timers and counters in the participating MCPTT function for MBS channel control TS 24.380CR0347
  • MCPTT support of multiplexing - SSRCs used for RTP audio and RTCP floor control TS 24.380CR0356
  • Addition of Reason cause value in Pre-Established Session Call Control Disconnect Message to indicate media bearer failure TS 24.380CR0349
Rel-19 2 changes

In Release 19, the MSCCK (MBMS Sub-Channel Control Key) function was enhanced with an addition to the floor control release message and received miscellaneous corrections to floor control procedures. These updates refined the protocols for managing MBMS subchannels over MBMS bearers, which are used for media and media plane control packet differentiation in Mission Critical Push To Talk (MCPTT) services. The changes specifically improved the mechanisms within the media plane control protocols that handle floor control release actions and related message handling.

  • Addition to floor control release message TS 24.380CR0371
  • Miscellaneous corrections to floor control TS 24.380CR0374

Explore further

Broader topics and technologies where MSCCK plays a role.

Topics
Authentication (5G-AKA, EAP)Mission Critical (MCPTT)Encryption & IntegrityMEC (Edge Computing)LTE / LTE-AdvancedLawful Intercept
Technologies
LTE5G

Defining Specifications

3GPP specifications that define or reference MSCCK, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

SpecificationTitleRelease
TS 24.380 vj10 MCPTT Media Plane Control Protocol Rel-19
TS 33.179 vdc0 MCPTT Security Architecture and Procedures Rel-13
TS 33.180 vk00 Security of Mission Critical (MC) Service Rel-20
TS 33.880 vf10 Security Study for Enhanced Mission Critical Services Rel-15