
Content for  TS 33.328  Word version:  18.1.0


0  Introduction

With Common IMS it has become possible to use IMS over a wide variety of access networks. These access networks provide security of varying strengths or, in some cases, no security at all. It is therefore desirable to have a standard for IMS media plane security that provides uniform protection of IMS media against eavesdropping and undetected modification across access networks. Furthermore, media transport in the core network, although generally less vulnerable than in the access network, may also be realised in varying ways with different guarantees of protection. It is therefore also desirable to have a standard for IMS media plane security that guarantees protection of IMS media against eavesdropping and undetected modification in an end-to-end (e2e) fashion between two terminal devices.

1  Scope

The present document presents IMS media plane security for RTP- and MSRP-based media, for IMS data channels (i.e., SCTP over DTLS), as well as security for BFCP as used in IMS conferencing. The security mechanisms are designed to meet the following three main objectives:
  1. to provide security for media usable across all access networks;
  2. to provide an end-to-end (e2e) media security solution for RTP- and data-channel-based media to satisfy major user categories;
  3. to provide end-to-end (e2e) media security for important user groups such as enterprises, National Security and Public Safety (NSPS) organizations and different government authorities, who may have weaker trust in the inherent IMS security and/or may desire to provide their own key management service.
The media plane security for RTP-based media is based on the well-established protocol SRTP. Key management solutions for SRTP are defined in this specification.
The media plane security for MSRP, used in session-based messaging, is based on TLS. TLS is also used to protect BFCP. Key management solutions for MSRP and BFCP security are defined in the present document. The media plane security for IMS data channels, i.e., SCTP over DTLS, is based on DTLS.
Two normative Annexes to the present document address IMS media plane security for immediate messaging and conferencing, respectively. The media plane security for session-based messaging is addressed in the main body of this specification.

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1]  TR 21.905: "Vocabulary for 3GPP Specifications".
[2]  TS 23.002: "Network architecture".
[3]  TS 23.228: "IP Multimedia (IM) Subsystem".
[4]  TS 33.203: "3G Security; Access security for IP-based services".
[5]  TS 33.210: "3G Security; Network domain security; IP network layer security".
[6]  TS 33.220: "Generic Authentication Architecture (GAA); Generic bootstrapping architecture".
[7]  RFC 1035: "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION".
[8]  RFC 2616: "Hypertext Transfer Protocol -- HTTP/1.1".
[9]  RFC 3711: "The Secure Real-time Transport Protocol (SRTP)".
[10]  RFC 3550: "RTP: A Transport Protocol for Real-Time Applications".
[11]  RFC 3830: "MIKEY: Multimedia Internet KEYing".
[12]  RFC 4567: "Key Management Extensions for Session Description Protocol (SDP) and Real Time Streaming Protocol (RTSP)".
[13]  RFC 4568: "Session Description Protocol (SDP) Security Descriptions for Media Streams".
[14]  RFC 6043: "MIKEY-TICKET: Ticket-Based Modes of Key Distribution in Multimedia Internet KEYing (MIKEY)".
[15]  RFC 4771: "Integrity Transform Carrying Roll-Over Counter for the Secure Real-time Transport Protocol (SRTP)".
[16]  Otway, D. and Rees, O. 1987: "Efficient and timely mutual authentication." SIGOPS Oper. Syst. Rev. 21, 1 (Jan. 1987), 8-10.
[17]  Void
[18]  TS 24.229: "IP multimedia call control protocol based on Session Initiation Protocol (SIP) and Session Description Protocol (SDP)".
[19]  TS 24.109: "Bootstrapping interface (Ub) and network application function interface (Ua); Protocol details".
[20]  TS 29.162: "Interworking between the IM CN subsystem and IP networks".
[21]  RFC 4975: "The Message Session Relay Protocol (MSRP)".
[22]  TS 33.310: "Network Domain Security (NDS); Authentication Framework (AF)".
[23]  Void
[24]  RFC 6714: "Connection Establishment for Media Anchoring (CEMA) for the Message Session Relay Protocol (MSRP)".
[25]  TS 24.147: "Conferencing using the IP Multimedia (IM), Core Network (CN) subsystem".
[26]  RFC 4575: "A Session Initiation Protocol (SIP) Event Package for Conference State".
[27]  GSM Association, Rich Communication Suite 5.1 Advanced Communications Services and Client Specification, Version 1.0, August 2012.
[28]  TS 24.247: "Messaging service using the IP Multimedia (IM) Core Network (CN) subsystem; Stage 3".
[29]  RFC 5365: "Multiple-Recipient MESSAGE Requests in the Session Initiation Protocol (SIP)".
[30]  Void
[31]  RFC 5652: "Cryptographic Message Syntax (CMS)".
[32]  RFC 5083: "Cryptographic Message Syntax (CMS) Authenticated-Enveloped-Data Content Type".
[33]  RFC 3565: "Use of the Advanced Encryption Standard (AES) Encryption Algorithm in Cryptographic Message Syntax (CMS)".
[34]  ITU-T recommendation T.38 (09/2010): "Procedures for real-time Group 3 facsimile communication over IP networks".
[35]  TS 26.114: "IP Multimedia Subsystem (IMS); Multimedia telephony; Media handling and interaction".
[36]  RFC 6347: "Datagram Transport Layer Security Version 1.2".
[37]  RFC 7325: "UDP Transport Layer (UDPTL) over Datagram Transport Layer Security (DTLS)".
[38]  Void
[39]  RFC 8826: "Security Considerations for WebRTC".
[40]  RFC 5763: "Framework for Establishing a Secure Real-time Transport Protocol (SRTP) Security Context Using Datagram Transport Layer Security (DTLS)".
[41]  RFC 5764: "Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)".
[42]  RFC 8832: "WebRTC Data Channel Establishment Protocol".
[43]  RFC 8851: "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification".
[44]  RFC 8855: "The Binary Floor Control Protocol (BFCP)".
[45]  RFC 8866: "SDP: Session Description Protocol".
[46]  RFC 7714: "AES-GCM Authenticated Encryption in the Secure Real-time Transport Protocol (SRTP)".
[47]  TS 33.501: "Security architecture and procedures for 5G system".
[48]  RFC 8841: "Session Description Protocol (SDP) Offer/Answer Procedures for Stream Control Transmission Protocol (SCTP) over Datagram Transport Layer Security (DTLS) Transport".
[49]  RFC 8842: "Session Description Protocol (SDP) Offer/Answer Considerations for Datagram Transport Layer Security (DTLS) and Transport Layer Security (TLS)".
[50]  RFC 8831: "WebRTC Data Channels".
[51]  RFC 8864: "Negotiation Data Channels Using the Session Description Protocol (SDP)".

3  Definitions, symbols and abbreviations

3.1  Definitions

For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
End-to-access edge security:
This term refers to media protection extending between an IMS UE and the first IMS core network node in the media path without being terminated by any intermediary.
End-to-end security:
This term refers to media protection extending between two IMS UEs without being terminated by any intermediary.
IMS User Equipment:
User equipment used for IMS media communications over access networks. Use of such equipment for IMS media communications over any 3GPP access network shall require the presence of a UICC.
KMS User Identity:
A KMS user identity is derived from a user's public SIP URI; it is the NAI part of the SIP URI.

3.2  Symbols

Void

3.3  Abbreviations

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
BFCP  Binary Floor Control Protocol
DCSF  Data Channel Signalling Function
MF  Media Function
DTLS  Datagram Transport Layer Security
DTLS-SRTP  DTLS Extension to Establish Keys for SRTP
e2ae  End-to-access edge
e2e  End-to-end
e2DCe  End-to-Data-Channel edge
GW  Gateway
IMS-ALG  IMS Application Level Gateway
IMS AS  IMS Application Server
IMS UE  IMS User Equipment
KMS  Key Management Service
MIKEY  Multimedia Internet KEYing
MSRP  Message Session Relay Protocol
NAF  Network Application Function
RTP  Real-time Transport Protocol
SRTP  Secure Real-time Transport Protocol
TEK  Traffic Encryption Key
TGK  TEK Generation Key
TLS  Transport Layer Security
WebRTC  Web Real-Time Communication