SIK

SS7 Security Gateway Integrity Key

Security
Introduced in Rel-8
A cryptographic key used in 3GPP networks to ensure the integrity of signaling messages between an SS7 Security Gateway (SEG) and other network elements. It protects SS7-based protocols (like MAP and CAP) from tampering and replay attacks in inter-operator connections.

Description

The SS7 Security Gateway Integrity Key (SIK) is a symmetric cryptographic key employed within the 3GPP security architecture to safeguard Signaling System No. 7 (SS7) protocols used in core network signaling. Specifically, it is used in the context of a Security Gateway (SEG), which acts as a firewall and security mediator for signaling traffic between different network operators or between network domains. The SIK is utilized to generate and verify Message Authentication Codes (MACs) for signaling messages, ensuring their integrity and providing protection against modification, insertion, or replay attacks. The key is typically derived from a long-term shared secret established between peer SEGs through a key management protocol, such as Internet Key Exchange (IKE) within the IPsec framework.

In operation, when a signaling message (e.g., a MAP or CAP message) is sent from one SEG to another over an IP network (using SIGTRAN or other transport), the originating SEG uses the SIK to compute a MAC over the message payload and critical headers. This MAC is appended to the message. The receiving SEG, possessing the same SIK, recalculates the MAC and compares it with the received value. If they match, the message is accepted as authentic and unaltered; otherwise, it is discarded. The SIK is distinct from encryption keys (like the SEK - SS7 Security Gateway Encryption Key) and is specifically dedicated to integrity protection. Its management is crucial for maintaining the trustworthiness of inter-operator signaling, which is foundational for functions like roaming, authentication, and billing.
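The compute, append and verify flow described above, as an added example that is not taken from the 3GPP specification or any SEG implementation. It assumes HMAC-SHA-256 as the MAC, a constructed framing (8-byte sequence number, 2-byte header length) and a strictly increasing sequence number as the replay check; `derive_key`, `protect` and `ReceivingSeg` are hypothetical names.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32    # HMAC-SHA-256 tag size; the MAC algorithm is an assumption
FIXED = 10      # 8-byte sequence number + 2-byte header length (constructed framing)

def derive_key(shared_secret: bytes, label: bytes) -> bytes:
    """Purpose-bound key from the shared secret (constructed KDF, not the 3GPP one)."""
    return hmac.new(shared_secret, b"seg-demo|" + label, hashlib.sha256).digest()

def protect(sik: bytes, seq: int, header: bytes, payload: bytes) -> bytes:
    """Originating SEG: MAC over sequence number, critical header and payload."""
    body = struct.pack("!QH", seq, len(header)) + header + payload
    return body + hmac.new(sik, body, hashlib.sha256).digest()

class ReceivingSeg:
    def __init__(self, sik: bytes):
        self.sik = sik
        self.last_seq = -1   # highest sequence number accepted so far

    def accept(self, message: bytes):
        """Return (header, payload) if the message verifies, else None (discard)."""
        if len(message) < FIXED + MAC_LEN:
            return None
        body, tag = message[:-MAC_LEN], message[-MAC_LEN:]
        expected = hmac.new(self.sik, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None
        seq, hlen = struct.unpack("!QH", body[:FIXED])
        if seq <= self.last_seq or FIXED + hlen > len(body):
            return None      # replayed or malformed
        self.last_seq = seq
        return body[FIXED:FIXED + hlen], body[FIXED + hlen:]

if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed sample value
    sik = derive_key(secret, b"integrity")
    rx = ReceivingSeg(sik)
    msg = protect(sik, 1, b"MAP", b"constructed-payload")
    print("first delivery:", rx.accept(msg))
    print("replayed copy: ", rx.accept(msg))
```

Deriving the integrity and encryption keys under different labels keeps the SIK and SEK separate, so a message authenticated under the wrong key is discarded like any other forgery.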

Purpose & Motivation

The SIK was introduced to address security vulnerabilities in traditional SS7 networks, which were originally designed for trusted, closed operator environments. As mobile networks evolved and interconnections expanded over IP networks, SS7 signaling became exposed to threats like message forgery and tampering, which could lead to fraud (e.g., unauthorized location tracking or call interception) and service disruption. The 3GPP security working group defined the Security Gateway architecture in Release 8 to protect these critical signaling interfaces. The SIK, as part of this architecture, solves the problem of ensuring message integrity in transit between operators. It provides a cryptographic assurance that signaling commands have not been altered, which is essential for billing accuracy, subscriber privacy, and network reliability. The creation of the SIK was motivated by the need to modernize SS7 security without replacing the entire signaling infrastructure, allowing operators to gradually implement IP-based security measures while maintaining interoperability with legacy systems. It represents a key component in the transition towards fully secured next-generation signaling (e.g., in 5G).

Key Features

  • Symmetric key for generating and verifying Message Authentication Codes (MACs)
  • Used specifically by SS7 Security Gateways (SEGs) for integrity protection
  • Protects SS7 application protocols like MAP and CAP over IP networks
  • Typically derived from shared secrets established via IKE/IPsec
  • Prevents message tampering, insertion, and replay attacks
  • Distinct from encryption keys (SEK) to allow separate integrity and confidentiality controls

Evolution Across Releases

Rel-8 Initial

Introduced as part of the new Security Gateway (SEG) architecture for protecting inter-operator SS7 signaling over IP. Defined the SIK for integrity protection of MAP and CAP messages. Specified key derivation and usage within the IPsec/IKE framework for NDS/IP (Network Domain Security for IP).

Defining Specifications

Specification    Title
TS 33.204        3GPP TR 33.204