Description
The Private Call Key Identifier (PCK-ID) is a critical security parameter within the 3GPP Mission Critical Services (MCS) architecture, specifically for Mission Critical Push-to-Talk (MCPTT). It functions as a unique label or reference to a specific Private Call Key (PCK), which is a symmetric cryptographic key. This key is used to protect private group calls, which are a core feature of MCPTT allowing a predefined, closed group of users to communicate securely. The PCK-ID is not the key itself but a handle used by the network and user equipment (UE) to identify which key should be used for a particular private group session.
The architecture involves several functional entities defined in 3GPP TS 23.280. The Key Management Server (KMS) is responsible for generating, distributing, and managing the lifecycle of Private Call Keys. When a private group is established or its key is updated, the KMS generates a new PCK and assigns it a unique PCK-ID. This PCK and its associated PCK-ID are then securely provisioned to the group members' UEs via the MCPTT server. The provisioning typically occurs over secure signaling channels, often leveraging the MCPTT service authorization and key establishment procedures.
During the setup of a private group call, the calling MCPTT client includes the relevant PCK-ID in the session initiation signaling (e.g., within SIP/SDP or specific MCPTT protocol messages). Upon receiving this, the called UEs use the PCK-ID to locate the corresponding PCK stored securely in their local key storage. Once the correct key is identified, it is used for media encryption (e.g., using AES) and message authentication for the duration of the call. This process ensures that only UEs possessing the key referenced by the PCK-ID can decrypt the media and verify the authenticity of the transmission, thereby enforcing group confidentiality and integrity.
The role of the PCK-ID extends beyond simple call setup. It is integral to key management operations such as key renewal, revocation, and synchronization. If a key is compromised or a member leaves the group, the KMS can generate a new PCK, assign a new PCK-ID, and distribute it to the remaining authorized members, effectively re-keying the group. The PCK-ID allows the system to clearly distinguish between the old and new keys, ensuring a seamless transition without service interruption. Its specification across multiple technical specifications (TS), including those for security (33-series) and protocol details (24-series and 29-series), underscores its foundational role in the end-to-end security model for mission-critical group communications.
Purpose & Motivation
The PCK-ID was introduced to address the stringent security requirements of professional and mission-critical communications, such as those used by public safety, emergency services, and utility organizations. Traditional commercial group communication services lacked the robust, managed cryptographic security needed for sensitive operations where eavesdropping or impersonation could have severe consequences. The primary problem solved by the PCK-ID is the secure and efficient binding of cryptographic keys to specific private communication groups within a scalable, standardized framework.
Historically, secure group voice communications often relied on proprietary systems or less dynamic key management, making interoperability difficult and key updates cumbersome. The 3GPP's standardization of Mission Critical Services (MCS) aimed to create a global, LTE/5G-based standard. A core requirement was enabling secure private group calls. The PCK-ID concept provides the necessary abstraction, allowing the key management infrastructure to update cryptographic material without changing the group's logical identity, and enabling UEs to unambiguously select the correct key from potentially several stored keys for different groups.
Its creation was motivated by the need for a standardized identifier that works in conjunction with 3GPP's security architecture for MCPTT, defined in TS 33.179 and TS 33.180. It solves the problem of key identification and lifecycle management in a network where users may belong to multiple private groups simultaneously. By using a PCK-ID, the system ensures that the correct key is applied for encryption and integrity protection of each private call, maintaining confidentiality and preventing unauthorized access, which is paramount for life-critical communications.
Key Features
- Unique identifier for a symmetric Private Call Key (PCK) used in MCPTT.
- Enables secure binding between a cryptographic key and a specific private group call session.
- Facilitates key distribution and lifecycle management (e.g., renewal, revocation) by the Key Management Server (KMS).
- Used in call signaling (e.g., SIP/SDP) to indicate which key should be used by participants.
- Allows User Equipment (UE) to select the correct key from local secure storage for media encryption/decryption.
- Essential for maintaining confidentiality and integrity of mission-critical private group communications.
Evolution Across Releases
Initially introduced as part of the first phase of Mission Critical Push-to-Talk (MCPTT) standardization. The PCK-ID was defined within the security architecture for group communications, specifying its role in identifying keys for private calls. The initial architecture established the Key Management Server (KMS) for key generation and distribution, with the PCK-ID being a fundamental parameter in the key delivery and call setup procedures for secure MCPTT private group calls.
Defining Specifications
| Specification | Title |
|---|---|
| TS 24.380 | 3GPP TS 24.380 |
| TS 24.581 | 3GPP TS 24.581 |
| TS 24.582 | 3GPP TS 24.582 |
| TS 29.380 | 3GPP TS 29.380 |
| TS 29.582 | 3GPP TS 29.582 |
| TS 33.179 | 3GPP TR 33.179 |
| TS 33.180 | 3GPP TR 33.180 |
| TS 33.879 | 3GPP TR 33.879 |