Description
The Signalling Protection Key (SPK) is a security key introduced in 5G to provide targeted protection for certain non-access stratum (NAS) signaling messages that carry sensitive network management instructions to the User Equipment (UE). It is distinct from the primary authentication and key agreement keys (like K_AUSF) and is derived specifically for securing the delivery of Steering of Roaming (SoR) and UE Parameters Update (UPU) information. The SPK is generated by the network's Authentication Server Function (AUSF) and securely provisioned to both the Unified Data Management (UDM) function, which originates the protected information, and the UE.
The derivation of the SPK occurs during the primary authentication procedure. The AUSF calculates it using the anchor key K_AUSF, a specific string label ("N5G-SOR"), and other parameters like the serving network name. This key is then sent to the UDM. When the UDM needs to send an SoR or UPU message to the UE, it uses the SPK to compute a message authentication code (MAC) for integrity protection and may use it for encryption. The protected message, along with the MAC, is sent via the AMF to the UE. The UE, which has independently derived the same SPK using its stored K_AUSF and the received parameters, can verify the MAC (and decrypt if needed). This proves the message originated from the home network's authorized UDM and was not tampered with.
This mechanism is crucial because SoR and UPU messages have the power to modify the UE's behavior. An SoR message can update the UE's list of preferred Public Land Mobile Networks (PLMNs) for roaming, while a UPU message can update configuration parameters like the IMSI of an embedded SIM (eSIM). Without cryptographic protection, a malicious actor could forge such messages to steer a UE to a rogue network or alter its subscription details. The SPK provides a layer of end-to-end security between the UDM and the UE that is independent of the NAS security context established between the UE and the AMF, ensuring the home network's direct control over these critical procedures.
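The derivation and verification flow described above (AUSF/UE derive the key from K_AUSF, a label and the serving network name; UDM attaches a MAC; UE verifies and applies the PLMN list), as an added, self-contained Python example. This is not 3GPP reference code: the KDF shape (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...) follows the generic 3GPP KDF in TS 33.220 Annex B, but the FC value, the payload layout, the 128-bit MAC truncation, the counter-based replay check and the test key are assumptions chosen for this illustration.

```python
"""Added example: SPK-style derivation and MAC protection of an SoR payload.
Not 3GPP reference code; FC value, payload layout and truncation are assumed."""
import hashlib
import hmac
import struct

FC_SPK = 0x77          # assumed FC value for this example (placeholder, not from the page)
LABEL = b"N5G-SOR"     # label named in the description above
MAC_LEN = 16           # assumed truncation of the MAC to 128 bits


def kdf_3gpp(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: S = FC || P0 || L0 || P1 || L1 ...; output = HMAC-SHA-256(key, S)."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))   # each parameter is followed by its 2-byte length
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_spk(k_ausf: bytes, serving_network_name: str) -> bytes:
    """Run by the AUSF and independently by the UE with the same K_AUSF and parameters."""
    return kdf_3gpp(k_ausf, FC_SPK, LABEL, serving_network_name.encode())


def encode_sor_payload(counter: int, plmn_list: list) -> bytes:
    """Constructed layout: 2-byte counter, 1-byte entry count, then 6 ASCII digits per PLMN."""
    body = b"".join(p.encode() for p in plmn_list)
    return struct.pack(">HB", counter, len(plmn_list)) + body


def udm_protect_sor(spk: bytes, counter: int, plmn_list: list) -> tuple:
    """Home network side: build the SoR payload and attach its truncated HMAC."""
    payload = encode_sor_payload(counter, plmn_list)
    mac = hmac.new(spk, payload, hashlib.sha256).digest()[:MAC_LEN]
    return payload, mac


class UE:
    """UE side: derives the SPK itself and only applies a list whose MAC verifies."""

    def __init__(self, k_ausf: bytes, serving_network_name: str):
        self.spk = derive_spk(k_ausf, serving_network_name)
        self.last_counter = -1
        self.preferred_plmns = []

    def handle_sor(self, payload: bytes, mac: bytes) -> bool:
        expected = hmac.new(self.spk, payload, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(expected, mac):
            return False                      # forged or tampered: reject without applying
        counter, n = struct.unpack(">HB", payload[:3])
        if counter <= self.last_counter:
            return False                      # replayed message: reject
        body = payload[3:]
        if len(body) != 6 * n:
            return False                      # malformed list
        self.preferred_plmns = [body[i * 6:(i + 1) * 6].decode() for i in range(n)]
        self.last_counter = counter
        return True


def demo() -> dict:
    """Genuine, tampered, forged and replayed SoR messages against one UE."""
    k_ausf = bytes(range(32))                 # constructed test key, not a real K_AUSF
    snn = "5G:mnc001.mcc001.3gppnetwork.org"  # constructed serving network name
    spk = derive_spk(k_ausf, snn)             # AUSF derives and hands the SPK to the UDM
    ue = UE(k_ausf, snn)                      # UE derives the same SPK on its own

    payload, mac = udm_protect_sor(spk, 1, ["001001", "001002"])
    genuine = ue.handle_sor(payload, mac)

    tampered = bytearray(payload)
    tampered[3:9] = b"999999"                 # attacker rewrites the first PLMN
    tampered_ok = ue.handle_sor(bytes(tampered), mac)

    forged_payload, forged_mac = udm_protect_sor(b"\x00" * 32, 2, ["999999"])
    forged_ok = ue.handle_sor(forged_payload, forged_mac)   # wrong key, MAC fails

    replay_ok = ue.handle_sor(payload, mac)   # same counter again

    return {"genuine": genuine, "tampered": tampered_ok, "forged": forged_ok,
            "replay": replay_ok, "plmns": ue.preferred_plmns, "spk_len": len(spk)}


if __name__ == "__main__":
    print(demo())
```

The verification check deliberately runs before the payload is parsed, so a message that fails the MAC never reaches the list-parsing logic; the counter check covers replay of an old but genuine list.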
Purpose & Motivation
The SPK was created to address a security gap in the management of roaming and subscriber parameters in 5G. In previous generations, mechanisms like Steering of Roaming often relied on less secure methods or were not cryptographically verified from the home network directly to the UE. As 5G enables more dynamic network steering and remote SIM provisioning (e.g., for IoT devices), the risk of attackers intercepting or injecting fraudulent management commands increased. A compromised or fake SoR message could, for example, steer millions of devices to a malicious network for eavesdropping.
The motivation for SPK stems from the 5G security principle of providing service-based, granular security. While primary authentication secures the initial link, and NAS security protects general signaling, specific procedures with high impact required dedicated, verifiable home network control. The SPK mechanism ensures that only the legitimate home network operator, through its UDM, can issue authoritative SoR and UPU commands. This protects both the subscriber from fraud and the operator from losing control over their subscribers' roaming behavior or subscription data. It is a key enabler for secure, policy-driven mobility and remote device management in 5G, particularly for IoT deployments where manual intervention is impossible.
Detected Changes Across Releases
From 3GPP Change Requests
Specific changes extracted from the "Change history" tables of 3GPP specifications (29 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.
Studied in Rel-13, normative work from Rel-15.
In Release 15, the SPK (Signalling Protection Key) function was newly introduced to provide integrity and confidentiality protection for sensitive application data in signalling between MCVideo servers and across different trust domains. Specifically, the SPK serves as the shared XML protection key (XPK) for encrypting and signing data exchanged between servers, enabling secure interconnection. This introduction is directly associated with the functional enhancements for the "Addition of Signalling Proxies" and the "Protection of functional alias" within the MCVideo service architecture.
In Release 16, the new SPK function introduced support for signalling plane capabilities to enable transmission and reception via MBMS in MCData, including for user plane SDS. Furthermore, the release specified procedures for algorithm selection specifically for MCData signalling protection.
- Add signalling plane capability to support transmission / reception via MBMS in MCData (TS 24.282 CR0092)
- Signalling plane support in MCData for user plane SDS using MBMS (TS 24.282 CR0170)
- Algorithm selection for MCData signalling protection (TS 33.180 CR0134)
- Adding mcdata id in signalling payload for sender of the data in MCData media plane (Session) communication (TS 24.282 CR0174)
- Adding mcdata id in signalling payload for sender of the data in MCData media plane (Session) communication (TS 24.582 CR0012)
In Release 17, the SPK (Signalling Protection Key) function was enhanced to provide integrity protection for specific XML MIME bodies, namely `pidf+xml` and `xcap-diff+xml`, used within MCData and MCVideo services. This extended the scope of signalling security between MCVideo servers and across domains where the SPK acts as the shared XML protection key (XPK). Additionally, clarifications and corrections were made regarding data payload protection and the protection attributes for specific location data elements.
- MCData signalling plane support for FD using MBMS delivery via MB2 (TS 24.282 CR0227)
- Functional alias as a target user for 1-1 SDS request using signalling plane (TS 24.282 CR0290)
- Integrity protection of pidf+xml and xcap-diff+xml MIME bodies (TS 24.281 CR0119)
- Integrity protection of pidf+xml and xcap-diff+xml MCData (TS 24.282 CR0225)
- Data payload protection clarification (TS 24.282 CR0312)
- Corrections to protection attribute for altitude and loctimestamp elements (TS 24.379 CR0669)
In Release 18, the SPK (Signalling Protection Key) function was extended to provide integrity protection for specific signalling elements and messages. This included the protection of the `<associated-group-id>` and `<group-geo-area-ind>` elements, as well as adding integrity protection to NOTIFY requests for xcap-diff. These enhancements strengthened the security of XML-based signalling between MCVideo servers and across different trust domains.
- Use of 5G MBS transmission in MCVideo signalling plane (TS 24.281 CR0199)
- MCData Standalone SDS over signalling control plane to group regroup (TS 24.282 CR0340)
- Use of 5G MBS transmission in MCData signalling plane (TS 24.282 CR0350)
- Addition of 5G MBS inter-RAT information in MCData signalling (TS 24.282 CR0349)
- Decoupling of signalling and media plane for MCData IP Connectivity (TS 24.282 CR0353)
- Addition of 5G MBS inter-RAT information in MCPTT signalling (TS 24.379 CR0873)
In Release 19, the new work for the Signalling Protection Key (SPK) function involved determining the applicability of standalone SDS (Supplementary Data Service) using signalling control plane mechanisms through an ad hoc group study. This determination clarified the procedural and configuration requirements for using the SPK as the XML protection key (XPK) for integrity and confidentiality protection between MCVideo servers and across different trust domains.
- Ad hoc group standalone SDS using signalling CP - AHG determination (TS 24.282 CR0453)
Defining Specifications
3GPP specifications that define or reference SPK, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 24.281 vj40 | MCVideo Signalling Control Specification | Rel-19 |
| TS 24.282 vj50 | MCData Signalling Control Protocols | Rel-19 |
| TS 24.379 vj50 | Mission Critical Push To Talk (MCPTT) call control | Rel-19 |
| TS 24.380 vj10 | MCPTT Media Plane Control Protocol | Rel-19 |
| TS 24.582 vj00 | MCData Media Plane Control Protocols | Rel-19 |
| TS 29.380 vj00 | MCPTT-LMR Interworking Media Plane Control | Rel-19 |
| TS 29.582 vj00 | MCData Interworking with LMR Systems | Rel-19 |
| TS 33.179 vdc0 | MCPTT Security Architecture and Procedures | Rel-13 |
| TS 33.180 vk00 | Security of Mission Critical (MC) Service | Rel-20 |
| TS 33.880 vf10 | Security Study for Enhanced Mission Critical Services | Rel-15 |
| TS 37.579 vi40 | Mission Critical services conformance testing | Rel-18 |