UKEK

Unique Key Encryption Key (P25)

Security
Introduced in Rel-15
A cryptographic key used in 3GPP's Proximity Services (ProSe) for Public Safety. It encrypts the ProSe Group Key, protecting group communication for mission-critical services like push-to-talk. This ensures secure, encrypted group calls for first responders operating in direct device-to-device mode.

Description

The Unique Key Encryption Key (UKEK) is a security key defined within the 3GPP architecture for Proximity-based Services (ProSe), specifically for Public Safety applications. Its primary function is to encrypt another key, the ProSe Group Key (PGK), which is used to secure group communications (e.g., push-to-talk voice, data) between User Equipments (UEs) in a ProSe Direct Discovery and Communication scenario. The UKEK is derived by the ProSe Function in the network, specifically for a particular ProSe Application and a specific UE. It forms a crucial part of the key hierarchy for securing ProSe Group Communication.

Architecturally, the UKEK is generated and managed by the ProSe Function in the home Public Land Mobile Network (HPLMN). The process begins when a UE, acting as a ProSe Group Owner, requests authorization for group communication. The ProSe Function authenticates the request and, if authorized, derives the UKEK. This derivation typically uses the ProSe Application Code, the UE's identity, and a root key shared between the UE and the network. The UKEK is then used to encrypt the ProSe Group Key (PGK) before it is sent to the requesting UE over a secure channel. The UE, possessing the necessary credentials, can decrypt the UKEK and subsequently the PGK.

In operation, the encrypted PGK (wrapped by the UKEK) is distributed to group members. Each member's UE uses its own unique UKEK to decrypt the PGK. Once decrypted, the common PGK is used to derive traffic encryption keys for securing the actual media and signaling of the group communication session over the PC5 reference point (direct device-to-device interface). This two-layer key hierarchy (UKEK protecting PGK, PGK protecting traffic) provides both security and scalability. It ensures that even if a group key is compromised for one user, it does not directly expose the group communications of other members, as their UKEK-wrapped versions remain secure. This mechanism is vital for ensuring confidentiality and integrity in mission-critical, off-network communications used by public safety personnel.
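The derivation and two-layer hierarchy described above, as an added sketch that is not taken from the 3GPP specifications. It assumes the UE obtains its UKEK by running the same derivation over the shared root key. The HMAC-SHA256 KDF, the encrypt-then-MAC wrap, and all names and sample values are stand-ins chosen for illustration.

```python
import hashlib
import hmac
import os

def kdf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (stand-in KDF, not the 3GPP one)."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_ukek(root_key: bytes, app_code: bytes, ue_id: bytes) -> bytes:
    # Inputs named on the page: application code, UE identity, shared root key.
    return kdf(root_key, b"UKEK", app_code, ue_id)

def wrap_pgk(ukek: bytes, pgk: bytes) -> bytes:
    """Encrypt-then-MAC wrap of a 32-byte PGK: nonce || ciphertext || tag."""
    if len(pgk) != 32:
        raise ValueError("this sketch wraps exactly 32 bytes")
    nonce = os.urandom(16)
    stream = kdf(ukek, b"wrap-enc", nonce)
    ct = bytes(p ^ s for p, s in zip(pgk, stream))
    return nonce + ct + kdf(ukek, b"wrap-mac", nonce, ct)

def unwrap_pgk(ukek: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong UKEK fails here."""
    if len(blob) != 80:
        raise ValueError("malformed wrapped PGK")
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, kdf(ukek, b"wrap-mac", nonce, ct)):
        raise ValueError("wrapped PGK rejected: wrong UKEK or tampered blob")
    stream = kdf(ukek, b"wrap-enc", nonce)
    return bytes(c ^ s for c, s in zip(ct, stream))

def derive_traffic_key(pgk: bytes, session_id: bytes) -> bytes:
    # Second layer: every member derives the same traffic key from the PGK.
    return kdf(pgk, b"traffic", session_id)

def distribute(pgk: bytes, app_code: bytes, roots: dict) -> dict:
    """ProSe Function side: one UKEK-wrapped copy of the PGK per member UE."""
    return {ue: wrap_pgk(derive_ukek(rk, app_code, ue), pgk) for ue, rk in roots.items()}

if __name__ == "__main__":
    app = b"constructed-app-code"                                # constructed value
    roots = {b"ue-A": os.urandom(32), b"ue-B": os.urandom(32)}  # constructed root keys
    blobs = distribute(os.urandom(32), app, roots)
    pgk_a = unwrap_pgk(derive_ukek(roots[b"ue-A"], app, b"ue-A"), blobs[b"ue-A"])
    print("UE A traffic key:", derive_traffic_key(pgk_a, b"session-1").hex())
```

A deployed system would use a standardized key-wrap algorithm in place of the wrap shown here.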

Purpose & Motivation

The UKEK was introduced to address specific security challenges in 3GPP's Proximity Services (ProSe) for Public Safety, standardized notably from Release 13 onwards and enhanced in later releases. The core problem is securing group communications when devices communicate directly (Device-to-Device, D2D) without always relying on network infrastructure, which is common in disaster scenarios where base stations may be damaged. Traditional cellular security relies on keys anchored in the network core, which is not always accessible in direct mode.

The motivation for creating the UKEK stems from the need for a secure, efficient, and manageable key distribution mechanism for group communications. Without it, distributing a common group key to many devices securely would be challenging. A simple approach of sending the same key to all members is insecure. The UKEK solves this by providing a unique wrapper for each member. It allows the network's ProSe Function to distribute a single encrypted version of the group key (PGK) that can only be decrypted by the intended recipient UE using its unique UKEK. This addresses the limitation of earlier or non-standardized D2D systems which often had weaker, less scalable security models.

Historically, its specification in Release 15 (and related specs) was part of maturing the ProSe and Mission Critical Services (MCS) frameworks. It enables secure Mission Critical Push-To-Talk (MCPTT) in both on-network and off-network (direct) modes, which is a fundamental requirement for public safety agencies adopting LTE and 5G. The UKEK ensures that the robust, standardized security of 3GPP networks extends reliably into the challenging direct communication environments used by first responders.

Key Features

  • Unique per-UE key used to encrypt the ProSe Group Key (PGK)
  • Derived by the network's ProSe Function using UE-specific credentials
  • Enables secure distribution of group keys for ProSe Direct Communication
  • Part of a two-layer key hierarchy for enhanced group communication security
  • Essential for securing Mission Critical Services (MCS) like push-to-talk in off-network mode
  • Protects confidentiality of group communications over the PC5 interface

Evolution Across Releases

Rel-15 Initial

Initial introduction and specification of the Unique Key Encryption Key (UKEK) within the ProSe security architecture for Public Safety. Defined its derivation in the ProSe Function, its role in encrypting the ProSe Group Key (PGK), and its integration into the key distribution procedures for secure group communication on the PC5 interface.

Defining Specifications

Specification    Title
TS 23.283        3GPP TS 23.283
TS 23.783        3GPP TS 23.783
TS 24.883        3GPP TS 24.883