UKEK

Unique Key Encryption Key (P25)

Introduced in Rel-15

UKEK is a cryptographic key used in 3GPP Proximity Services that encrypts the ProSe Group Key to protect secure group communications for public safety.

Category: Security
Introduced: Rel-15
Where: Services › IMS
Specifications: 3 specs

Description

The Unique Key Encryption Key (UKEK) is a security key defined within the 3GPP architecture for Proximity-based Services (ProSe), specifically for Public Safety applications. Its primary function is to encrypt another key, the ProSe Group Key (PGK), which is used to secure group communications (e.g., push-to-talk voice, data) between User Equipments (UEs) in a ProSe Direct Discovery and Communication scenario. The UKEK is derived by the ProSe Function in the network, specifically for a particular ProSe Application and a specific UE. It forms a crucial part of the key hierarchy for securing ProSe Group Communication.

Architecturally, the UKEK is generated and managed by the ProSe Function in the home Public Land Mobile Network (HPLMN). The process begins when a UE, acting as a ProSe Group Owner, requests authorization for group communication. The ProSe Function authenticates the request and, if authorized, derives the UKEK. This derivation typically uses the ProSe Application Code, the UE's identity, and a root key shared between the UE and the network. The UKEK is then used to encrypt the ProSe Group Key (PGK) before it is sent to the requesting UE over a secure channel. The UE, possessing the necessary credentials, can decrypt the UKEK and subsequently the PGK.

In operation, the encrypted PGK (wrapped by the UKEK) is distributed to group members. Each member's UE uses its own unique UKEK to decrypt the PGK. Once decrypted, the common PGK is used to derive traffic encryption keys for securing the actual media and signaling of the group communication session over the PC5 reference point (direct device-to-device interface). This two-layer key hierarchy (UKEK protecting PGK, PGK protecting traffic) provides both security and scalability. It ensures that even if a group key is compromised for one user, it does not directly expose the group communications of other members, as their UKEK-wrapped versions remain secure. This mechanism is vital for ensuring confidentiality and integrity in mission-critical, off-network communications used by public safety personnel.
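The two-layer hierarchy described above (a per-UE UKEK wrapping one common PGK), as an added example that is not taken from this page or from any 3GPP specification. The page names neither the derivation function nor the wrapping algorithm, so HKDF-SHA256 and the HMAC-based encrypt-then-MAC wrap are stand-in assumptions, as are all function names and sample identities.

```python
import hashlib
import hmac
import os

def hkdf(key: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF-SHA256 (RFC 5869): extract, then expand to `length` bytes."""
    prk = hmac.new(salt or b"\x00" * 32, key, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_ukek(root_key: bytes, app_code: bytes, ue_id: bytes) -> bytes:
    # Inputs follow the page: application code, UE identity, shared root key.
    # Fields are length-prefixed so (b"ab", b"c") and (b"a", b"bc") differ.
    info = b"UKEK" + b"".join(len(f).to_bytes(2, "big") + f for f in (app_code, ue_id))
    return hkdf(root_key, info)

def wrap_pgk(ukek: bytes, pgk: bytes) -> bytes:
    """Assumed stand-in for a key-wrap algorithm: encrypt, then MAC."""
    enc_key, mac_key = hkdf(ukek, b"enc"), hkdf(ukek, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pgk, hkdf(enc_key, nonce, len(pgk))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_pgk(ukek: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = hkdf(ukek, b"enc"), hkdf(ukek, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed: wrong UKEK or modified blob")
    return bytes(a ^ b for a, b in zip(ct, hkdf(enc_key, nonce, len(ct))))

def distribute(pgk: bytes, app_code: bytes, members: dict) -> dict:
    """Network side: one wrapped PGK per member, keyed by UE identity."""
    return {ue: wrap_pgk(derive_ukek(root, app_code, ue), pgk)
            for ue, root in members.items()}

if __name__ == "__main__":
    # Constructed sample data: two UEs with their own root keys, one shared PGK.
    roots = {b"ue-alpha": os.urandom(32), b"ue-bravo": os.urandom(32)}
    pgk, app = os.urandom(16), b"app-code-01"
    blobs = distribute(pgk, app, roots)
    own = derive_ukek(roots[b"ue-alpha"], app, b"ue-alpha")
    print(unwrap_pgk(own, blobs[b"ue-alpha"]) == pgk)
```

Each member recovers the same PGK from its own blob, while a blob addressed to one UE fails the integrity check under any other UE's UKEK.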

Purpose & Motivation

The UKEK was introduced to address specific security challenges in 3GPP's Proximity Services (ProSe) for Public Safety, standardized notably from Release 13 onwards and enhanced in later releases. The core problem is securing group communications when devices communicate directly (Device-to-Device, D2D) without always relying on network infrastructure, which is common in disaster scenarios where base stations may be damaged. Traditional cellular security relies on keys anchored in the network core, which is not always accessible in direct mode.

The motivation for creating the UKEK stems from the need for a secure, efficient, and manageable key distribution mechanism for group communications. Without it, distributing a common group key to many devices securely would be challenging. A simple approach of sending the same key to all members is insecure. The UKEK solves this by providing a unique wrapper for each member. It allows the network's ProSe Function to distribute a single encrypted version of the group key (PGK) that can only be decrypted by the intended recipient UE using its unique UKEK. This addresses the limitation of earlier or non-standardized D2D systems which often had weaker, less scalable security models.

Historically, its specification in Release 15 (and related specs) was part of maturing the ProSe and Mission Critical Services (MCS) frameworks. It enables secure Mission Critical Push-To-Talk (MCPTT) in both on-network and off-network (direct) modes, which is a fundamental requirement for public safety agencies adopting LTE and 5G. The UKEK ensures that the robust, standardized security of 3GPP networks extends reliably into the challenging direct communication environments used by first responders.

Classification

Part of PGK

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (8 CRs across 4 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 4 changes

In Release 15, the UKEK function was introduced as part of the enhanced security mechanisms for interworking between MCPTT and LMR systems, specifically to enable the encryption of LMR-formatted media when End-to-End Encryption (E2EE) is used. This allows the MCPTT system, along with the Interworking Function (IWF), to encrypt media traversing the IWF-1 reference point using 3GPP mechanisms, ensuring secure transmission to and from LMR-aware MCPTT clients. The introduction supports scenarios where the IWF cannot decrypt the media, requiring it to be routed securely within the MCPTT system as defined in TS 23.379.

  • Flow name update from MCPTT call end to MCPTT private call end (TS 23.283 CR0001)
  • Corrections to Imminent peril group call initiated by MCPTT user (TS 23.283 CR0002)
  • Flow name update from MCPTT call end to MCPTT private call end (TS 23.783 CR0001)
  • Corrections to Imminent peril group call initiated by MCPTT user (TS 23.783 CR0002)

Rel-16 2 changes

For Release 16, the extracted change requests do not detail the Unique Key Encryption Key (UKEK) itself. They instead specify enhancements for interworking, such as carrying LMR-formatted media over the IWF-1 interface and using the MCPTT ID for identity mapping in procedures like the IWF group call request and response.

  • MCPTT ID in interworking floor control (TS 23.283 CR0023)
  • MCPTT ID in interworking floor control (TS 23.783 CR0023)

Rel-17 1 change

In Release 17, enhancements were introduced for the interworking of MCPTT group calls with GSM-R systems. These enhancements specifically involved the IWF (Interworking Function) and its IWF-1 reference point, enabling procedures like the IWF group call request and IWF group-broadcast group call setup to support these interworking sessions. The updates ensured proper identity mapping and media handling for calls between MCPTT systems and GSM-R, a specific type of Land Mobile Radio (LMR) system.

  • Add enhancements for interworking of MCPTT group calls with GSM-R (TS 23.283 CR0049)

Rel-20 1 change

In Release 20, the new UKEK function was introduced to support interworking for ad hoc group emergency alerts initiated by an MCPTT user. This enhancement specifically enables the secure delivery of such alerts within the interworking architecture, involving the IWF-1 reference point and procedures like the IWF group call request to facilitate communication between MCPTT systems and LMR systems.

  • Interworking support for ad hoc group emergency alerts (MCPTT user initiated) (TS 23.283 CR0091)


Defining Specifications

3GPP specifications that define or reference UKEK, with the latest known release. Sourced from the 3GPP document catalog.

Specification | Title | Release
TS 23.283 vk00 | Mission Critical Communication Interworking | Rel-20
TR 23.783 vi00 | Technical Report on Mission Critical Services over 5GS | Rel-18
TS 24.883 vg00 | MCPTT Interworking with LMR Systems | Rel-16