SAVP

Secure Audio-Video Profile

Services
Introduced in Rel-13
A 3GPP profile defining security requirements and mechanisms for real-time audio and video communication services. It ensures confidentiality, integrity, and authentication for media streams, particularly for mission-critical services like MCPTT.

Description

The Secure Audio-Video Profile (SAVP) is a specification within 3GPP that defines a comprehensive security framework for real-time multimedia communication services. It is primarily architected to support Mission Critical Services (MCS) such as Mission Critical Push-To-Talk (MCPTT), Mission Critical Video (MCVideo), and Mission Critical Data (MCData). SAVP operates at the service layer, specifying how media (audio/video) and associated signaling must be protected from eavesdropping, tampering, and spoofing. It works by mandating the use of specific cryptographic protocols, key management procedures, and security algorithms for end-to-end protection of media streams between users or between a user and a server.

The profile details the use of the Secure Real-time Transport Protocol (SRTP) and its associated key management protocol, MIKEY (Multimedia Internet KEYing), as the foundational technologies. For media confidentiality and integrity, SAVP specifies the use of SRTP with AES-CM (Counter Mode) for encryption and HMAC-SHA1 for authentication. For key management, it defines the use of MIKEY in pre-shared key (MIKEY-PSK) and public key (MIKEY-RSA) modes, with specific profiles for how keys are established and distributed within the mission-critical service architecture. A key component is the Key Management Server (KMS), which facilitates the distribution of keying material to authorized users and groups.

Its role in the network is to provide a standardized, interoperable, and high-assurance security layer for mission-critical communications over 3GPP systems. It ensures that even if the underlying access network (e.g., LTE, 5G NR) provides its own security (AS and NAS security), the media content itself receives an additional, service-specific layer of end-to-end protection. This is crucial for public safety and critical infrastructure users where communication must be secure against sophisticated threats. SAVP integrates with the overall MCPTT/MCVideo architecture, interfacing with call control servers and group management systems to enforce security policies based on user roles and group memberships.

Purpose & Motivation

SAVP was created to address the specific and stringent security requirements of professional and mission-critical communication services deployed over commercial 3GPP networks. Prior to its introduction in Rel-13, real-time communication services (like VoLTE) relied primarily on the underlying network access security. However, for mission-critical users (e.g., police, firefighters), this was insufficient due to threats like insider attacks within the operator network, the need for secure group communication, and the requirement for end-to-end security independent of the transport. The problem was the lack of a standardized, high-security profile for media that could guarantee interoperability across different vendors' mission-critical service implementations.

The motivation for SAVP stemmed from global public safety projects like 3GPP's work on MCPTT, which required a security framework that could meet governmental and regulatory standards for secure communications. It solved the limitations of using generic SRTP profiles by defining a strict subset of algorithms, mandatory security features, and specific key management procedures tailored for the operational and trust models of critical services. Its creation ensured that mission-critical media streams are protected with strong, validated cryptography and that key management is integrated with the service's authentication and authorization framework, providing a holistic security solution for life-critical applications.

Key Features

  • Mandates SRTP with AES-CM encryption and HMAC-SHA1 authentication
  • Specifies MIKEY-based key management (PSK and RSA modes)
  • Defines end-to-end security for audio/video media streams
  • Integrates with Mission Critical Service (MCS) architecture
  • Supports secure group communication keying
  • Provides profiles for interoperability between vendor equipment

Evolution Across Releases

Rel-13 Initial

Initial introduction of the Secure Audio-Video Profile in TS 26.179. Defined the core security requirements and mechanisms for MCPTT service, establishing the mandatory use of SRTP and MIKEY for protecting real-time audio media. Laid the foundation for securing mission-critical communications over LTE.

TS 26.179

Defining Specifications

SpecificationTitle
TS 26.179 3GPP TS 26.179