The key distribution mechanisms described in
Clause 5.2.2 and
clause 5.2.3 may be extended to include data associated with the key in the MIKEY I_MESSAGE. This data is stored within a format known as 'associated parameters' and defined in
Annex E.6.
The associated parameters are encrypted using K, the key distributed within the MIKEY I_MESSAGE. The security mechanism is summarised in
Figure 5.2.4-1.
At the receiving MCX entity, the initiating entity's URI is extracted from the initiator field (IDRi) of the message. Along with the time, this is used to check the signature on the payload. If valid, the receiving entity extracts and decrypts the encapsulated key, K, using the (KMS-provisioned) receiving entity's decryption key.
The receiving MCX entity also extracts 'associated parameters' payload from the I_MESSAGE. The receiving entity uses the decrypted key, K, to decrypt these associated parameters. The receiving entity stores these parameters with the distributed key, K. If the Status field within the 'associated parameters' payload indicates the key has been revoked, the distributed key, K, and the K-ID shall not be used. If the decryption process for the encapsulated associated parameters fails, the key is rejected.
The security mechanism is summarised in
Figure 5.2.4-2.