Description
The Security Association Identifier (SAID) is a critical component within 3GPP security frameworks, particularly those governing the Generic Bootstrapping Architecture (GBA) and its application to service layer security. A Security Association (SA) itself is a set of negotiated security parameters that two entities share to enable secure communication. These parameters include cryptographic keys, security algorithms (e.g., for encryption and integrity protection), key lifetimes, and sequence numbers. The SAID is a concise label or reference that uniquely identifies this specific set of parameters between the involved parties.
In practical operation, the SAID is used to efficiently manage and retrieve security contexts. For example, in GBA-based procedures for securing IMS applications like Multimedia Telephony (MMTel), a Network Application Function (NAF) and a User Equipment (UE) establish a shared security context derived from the long-term credentials in the Universal Subscriber Identity Module (USIM). This process results in the generation of application-specific keys (Ks_NAF) and associated parameters. The SAID is assigned to this context. Subsequently, when the UE needs to communicate securely with that NAF, it can reference the SAID instead of re-running the full bootstrapping procedure, enabling fast and efficient session resumption.
The SAID is communicated within protocol messages. In the context defined by TS 33.224, it is used in the security protocol for MMTel services over IMS. The identifier allows the receiving entity (e.g., the NAF or a Media Security Controller) to look up the correct set of keys and algorithms from its local security database. This mechanism separates the identifier from the sensitive key material: only the SAID is carried on the wire, and the keys it refers to never have to be transmitted in the clear. The management of SAIDs, including their creation, usage, and eventual expiration or deletion, is integral to maintaining the lifecycle of secure sessions across 3GPP networks, ensuring that services can be protected with minimal latency and signaling overhead.
Purpose & Motivation
The SAID was introduced to address the need for efficient and scalable session security management in IP-based service networks, specifically the IMS. As 3GPP networks evolved to offer rich multimedia services (voice over IP, video calling, etc.), the requirement for robust, per-service, and per-session security became paramount. Simply reusing core network access security keys was insufficient and insecure for the application layer. GBA provided a method to derive service-specific keys, but a mechanism was needed to manage the multiple security contexts that a single user might have with different application servers (NAFs).
Without an identifier like the SAID, entities would need to either store a single implicit context (which is inflexible) or re-authenticate and re-establish keys for every new session, creating excessive signaling delay and load. The SAID solves this by providing a lightweight reference handle. It allows a UE and a NAF to quickly agree on which pre-established set of security parameters to use for a given communication session. This is crucial for service continuity, fast session setup (important for call setup times), and for scenarios where a session is temporarily suspended and later resumed.
The specification in TS 33.224 places the SAID within the security protocol for MMTel, highlighting its role in enabling secure real-time media streams. It addresses the problem of binding security to specific application sessions in a manageable way. By creating an identifiable Security Association, the network can provide strong security guarantees for sensitive media flows while maintaining the performance and user experience expected from telephony-grade services.
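The lookup-by-handle mechanism described in the Description and Purpose sections above, as an added illustration that is not from TS 33.224 and does not reproduce any 3GPP wire format: a NAF-side table maps an opaque SAID to its Security Association (key, integrity algorithm, lifetime, sequence state), a protected message carries only the SAID and a sequence number, and the receiver resolves the SAID before checking integrity, replay and expiry. The names SaDatabase, protect and verify, the message framing, and the HMAC-based integrity check are assumptions of this example; the Ks_NAF value is constructed, not derived by GBA.

```python
import hashlib, hmac, os
from dataclasses import dataclass

SAID_LEN, SEQ_LEN = 16, 4  # framing of this toy message format (assumed, not 3GPP)

@dataclass
class SecurityAssociation:
    ks_naf: bytes       # application-specific key (constructed stand-in for Ks_NAF)
    integrity_alg: str  # negotiated integrity algorithm, used here as an HMAC hash name
    expires_at: float   # absolute time at which the key lifetime ends
    last_seq: int = -1  # highest sequence number accepted so far

class SaDatabase:
    # NAF-side store mapping SAID -> Security Association; the SAID is an opaque handle
    def __init__(self):
        self._table = {}

    def create(self, ks_naf, integrity_alg, lifetime_s, now):
        said = os.urandom(SAID_LEN // 2).hex()  # random label, carries no key material
        self._table[said] = SecurityAssociation(ks_naf, integrity_alg, now + lifetime_s)
        return said

    def lookup(self, said, now):
        sa = self._table.get(said)
        if sa is not None and now >= sa.expires_at:  # lifetime exhausted: retire the SA
            del self._table[said]
            sa = None
        return sa

def protect(sa, said, seq, payload):
    # UE side: SAID and sequence number travel in clear; everything is authenticated with Ks_NAF
    header = said.encode() + seq.to_bytes(SEQ_LEN, "big")
    return header + payload + hmac.new(sa.ks_naf, header + payload, sa.integrity_alg).digest()

def verify(db, message, now):
    # NAF side: resolve SAID to keys, check MAC and sequence; return payload or None on failure
    sa = db.lookup(message[:SAID_LEN].decode("ascii", "replace"), now)
    if sa is None:
        return None  # unknown or expired SAID: no keys to check against
    mac_len = hashlib.new(sa.integrity_alg).digest_size
    body, mac = message[:-mac_len], message[-mac_len:]
    if not hmac.compare_digest(mac, hmac.new(sa.ks_naf, body, sa.integrity_alg).digest()):
        return None
    seq = int.from_bytes(message[SAID_LEN:SAID_LEN + SEQ_LEN], "big")
    if seq <= sa.last_seq:
        return None  # replayed or out-of-order message
    sa.last_seq = seq
    return message[SAID_LEN + SEQ_LEN:-mac_len]
```

A UE and NAF sharing one SecurityAssociation can exchange several messages under the same SAID until the lifetime lapses, at which point lookup retires the entry and further messages are rejected.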
Key Features
- Uniquely identifies a set of security parameters (keys, algorithms) between two entities
- Enables efficient lookup and reuse of established security contexts
- Central to session resumption and fast secure connection setup in GBA
- Used in security protocols for IMS-based services like MMTel
- Separates key material from session identification for enhanced security
- Supports lifecycle management (creation, usage, expiration) of Security Associations
Evolution Across Releases
TS 33.224 introduced the SAID as part of the security framework for the Multimedia Telephony (MMTel) service for IMS. It defines the SAID as an identifier for the Security Association established via the Generic Bootstrapping Architecture (GBA), enabling efficient and secure session management for real-time media services.
Defining Specifications
| Specification | Title |
|---|---|
| TS 33.224 | 3GPP TS 33.224 |