https://labs.ericsson.com/apis/key-management-service/ With the Key Management Service, two parties can establish a shared secret key via an easy-to-use API. The service provides strong, mutual authentication and the shared key can be used to secure any type of communication including voice calls, conferencing, video, chat, immediate messaging, file transfer, and so forth.

1. key management
service
A labs.ericsson.com API
https://labs.ericsson.com/apis/key-management-service/

2. Key management service
› Secure P2P service
› This service allows two clients to establish a shared
secret key via an easy-to-use API
› The key can be used to secure all types of peer-to-peer
communication e.g. voice calls, conferencing, video, chat,
immediate messaging, file transfer, etc.
› Since MWSB (GBA) is used for bootstrapping, nothing
new needs to be managed or distributed
© Ericsson AB 2010 | Page 2

3. WHY key management service?
› Existing security enablers (MWSB and Oauth2) are client-
server – not peer-to-peer
› Currently key management for P2P is complicated and
therefore not used
› The Secure P2P enabler gives app developers an easy-to-
use API
› Extensibility – can be used to secure any type of P2P
communication
› Standard – recently standardized in 3GPP and IETF
© Ericsson AB 2010 | Page 3

4. Overview
© Ericsson AB 2010 | Page 4

5. C API Usage
› An easy-to-use C library is available on the Ericsson Labs
portal
› The library handles message creation/parsing and the
communication with the KMS
› As a developer, all you need to do is:
– Setup the Initiator and Responder
– Deliver the Initiator’s initmsg (output by the library) to the Responder
– Deliver the Responder’s respmsg (also output by the library) to the
Initiator
› Once the above is done, the shared key can be retrieved
by calling the function getKey()
© Ericsson AB 2010 | Page 5

6. C API usage – Initiator
client_t *initiator;
char *initmsg, *respmsg;
unsigned char key[KEY_LEN];
// Setup the Initiator KMS client
initiator = client_init(IMPI_I, IMPU_I, KEY_I, APIKEY, HTTP-PROXY);
initmsg = create_transfer_init(initiator);
< application specific: initmsg is sent and respmsg is received >
parse_transfer_resp(initiator, respmsg);
get_key(initiator, key);
< Use key to secure Initiator-Responder communication >
Note: The Initiator IMPI, IMPU, and key are obtained via the MWSB API at Ericsson Labs
© Ericsson AB 2010 | Page 6

7. C API usage – Responder
client_t *responder;
char *respmsg, *initmsg;
unsigned char key[KEY_LEN];
// Setup the Responder KMS client
responder = client_init(IMPI_R, IMPU_R, KEY_R, APIKEY, HTTP-PROXY);
< application specific: initmsg is received from Initiator >
respmsg = parse_transfer_init(responder, initmsg)
< application specific: respmsg is sent to Initiator >
get_key(responder, key);
< Use key to secure Initiator-Responder communication >
Note: The Responder IMPI, IMPU, and key are obtained via the MWSB API at Ericsson Labs
© Ericsson AB 2010 | Page 7

8. Example applications
Secure messaging
Secure video Secure voice
Secure chat
Secure conferencing
Secure file transfer
Any application requiring confidentiality, authentication, or integrity
© Ericsson AB 2010 | Page 8

9. © Ericsson AB 2010 | Page 9