UID

User Identifier for MIKEY-SAKKE

Security
Introduced in Rel-8
A cryptographic identifier used within the MIKEY-SAKKE (Multimedia Internet Keying - Sakai-Kasahara Key Encryption) protocol for secure group communication. It uniquely identifies a user within a Key Management Service (KMS) domain and is essential for key distribution and identity-based encryption in mission-critical and secure multimedia services.

Description

The User Identifier (UID) is a fundamental component of the MIKEY-SAKKE security framework standardized by 3GPP for protecting group communications, such as Mission Critical Push-To-Talk (MCPTT) and other secure multimedia services. Technically, the UID is a string that uniquely identifies a user (or device) within the scope of a specific Key Management Service (KMS) domain.

MIKEY-SAKKE is an identity-based encryption (IBE) scheme, and the UID serves as the user's public key; the corresponding private key is generated by the KMS from this identifier and the KMS's master secret. During secure session setup, a sender uses the receiver's UID, together with the public parameters published by the KMS, to encrypt a traffic encryption key (TEK). The encrypted key is encapsulated in a MIKEY-SAKKE I_MESSAGE and sent to the receiver. The receiver, having authenticated to the KMS, obtains its private key, decrypts the TEK and can then establish secure media communication. Because every private key is derived from the KMS's master secret, the confidentiality of all sessions in the domain rests on the protection of that KMS.

In this architecture the KMS is the trusted entity that manages the cryptographic parameters and the user identities (UIDs). The UID is typically formatted as a Uniform Resource Identifier (URI), such as a SIP URI (e.g., sip:[email protected]), so that it aligns with the addressing schemes already used in IMS-based services. Its role is central to scalable, efficient key management that does not require pre-shared certificates or a full public key infrastructure (PKI) for every group member.

Purpose & Motivation

The UID and the MIKEY-SAKKE protocol were created to address the need for efficient and secure group key management in real-time communication services, particularly for mission-critical users such as public safety agencies. Traditional key exchange methods, such as Diffie-Hellman or certificate-based PKI, can introduce significant latency and management overhead when establishing group calls with many participants, which is unacceptable for emergency response. MIKEY-SAKKE, using identity-based encryption, simplifies this process: the UID reuses a user's existing identifier (such as a phone number or SIP URI) as their public key, eliminating the need to distribute and validate individual certificates before communication can start. This solves the problem of rapid secure session establishment for large, dynamic groups.

Historically, secure group communication in cellular networks was either limited or relied on complex infrastructure. The introduction of the UID and MIKEY-SAKKE in 3GPP Release 8 provided a standardized, cryptographically sound method tailored to the latency and scalability requirements of emerging LTE-based mission-critical services, enabling secure push-to-talk, video and data with immediate call setup.

Key Features

  • Serves as a public key in identity-based encryption (IBE) schemes
  • Uniquely identifies a user within a Key Management Service (KMS) domain
  • Enables encryption of traffic keys without pre-shared certificates
  • Typically formatted as a URI (e.g., SIP URI) for integration with IMS
  • Facilitates scalable key distribution for dynamic group communications
  • Core component of the MIKEY-SAKKE protocol for 3GPP secure services

Evolution Across Releases

Rel-8 Initial

Initial introduction of the User Identifier (UID) concept within the MIKEY-SAKKE framework to support secure group communications for emerging IP-based services. The architecture defined the UID's role in identity-based encryption, its binding to the KMS, and its use within the MIKEY message flows for key establishment in early MCPTT studies.

Defining Specifications

Specification    Title
TS 23.782        3GPP TS 23.782
TS 29.163        3GPP TS 29.163
TS 33.180        3GPP TR 33.180
TS 33.303        3GPP TR 33.303
TS 33.879        3GPP TR 33.879
TS 33.880        3GPP TR 33.880
TS 33.980        3GPP TR 33.980
TS 37.941        3GPP TR 37.941