TR 33.737
Study on Authentication and Key Management for Applications (AKMA)
Phase 2
V18.1.0 (Wzip)
2023/09 48 p.
- Rapporteur:
- Miss Huang, Xiaoting
China Mobile Com. Corporation
full Table of Contents for TR 33.737 Word version: 18.1.0
1 Scope
2 References
3 Definitions of terms, symbols and abbreviations
4 Architectural assumptions
5 Key issues
6 Solutions
7 Conclusions
$ Change history
1 Scope p. 7
The present document studies key issues and potential solutions to support roaming aspects and the Authentication Proxy in AKMA, which is specified in TS 33.535. Specifically, the present document:
- Investigates AKMA roaming architecture and requirements by taking regulatory compliance into account;
- Studies the architecture impact and procedures of introducing the Authentication Proxy (similar as the AP specified in GBA) into AKMA.
2 References p. 7
3 Definitions of terms, symbols and abbreviations p. 7
4 Architectural assumptions p. 8
5 Key issues p. 9
5.1 Key Issue #1: Support for AKMA roaming scenario p. 9
5.2 Key Issue #2: Introducing the Authentication proxy into AKMA p. 10
6 Solutions p. 10
6.1 Solution #1: AKMA roaming solution for Ua* encryption key p. 10
6.2 Solution #2: New solution for AKMA roaming when both UE and AF are in VPLMN p. 14
6.2.1 Introduction p. 14
6.2.2 Solution details p. 14
6.2.2.1 Architecture p. 14
6.2.2.2 Solution detail p. 15
6.2.3 Evaluation p. 15
6.3 Solution #3: Roaming AKMA architecture of the AF in the HPLMN p. 15
6.3.1 Introduction p. 15
6.3.2 Solution details p. 15
6.3.2.1 Roaming AKMA architecture of the AF in the HPLMN p. 15
6.3.2.2 Roaming AKMA procedure of the AF in the HPLMN p. 16
6.3.2.3 New service: Nudm_Get_Roaming_NFid service operation p. 17
6.3.3 Evaluation p. 18
6.4 Solution #4: Roaming AKMA architecture of the AF in the VPLMN p. 18
6.5 Solution #5: AKMA anchor key registration to the AAnF in VPLMN after primary authentication p. 19
6.5.1 Introduction p. 19
6.5.2 Solution details p. 19
6.5.2.1 AKMA anchor key registration in roaming scenario p. 19
6.5.2.2 UE in VPLMN accessing internal VPLMN AF p. 20
6.5.2.3 UE in VPLMN accessing internal HPLMN AF p. 21
6.5.3 Evaluation p. 22
6.6 Solution #6: AKMA roaming with VAAnF for LI p. 22
6.7 Solution #7: Introducing AP into AKMA p. 25
6.7.1 Introduction p. 25
6.7.2 Solution details p. 25
6.7.2.1 Architecture of using AP p. 25
6.7.2.2 AP-AS reference point p. 26
6.7.2.3 Example of using AP for TLS tunnels p. 26
6.7.3 Evaluation p. 27
6.8 Solution#8: AAnF discovery and selection for internal AF in AKMA roaming p. 27
6.9 Solution #9: Roaming AKMA architecture of the AF in Data Network (Internet) p. 29
6.9.1 Introduction p. 29
6.9.2 Solution details p. 29
6.9.2.1 Roaming AKMA architecture of the AF in Data Network (Internet) p. 29
6.9.2.2 Roaming AKMA procedure of the AF in Data Network (Internet) p. 29
6.9.2.3 New service: Nudm_Get_Roaming_NFid service operation p. 30
6.9.3 Evaluation p. 30
6.10 Solution #10: Support of AKMA roaming with K_SEAF p. 31
6.11 Solution #11: AKMA Authentication in roaming scenario p. 32
6.11.1 Introduction p. 32
6.11.2 Solution details p. 32
6.11.2.1 Option#1 details p. 33
6.11.2.2 Option#2 details p. 34
6.11.3 Evaluation p. 35
6.12 Solution #12: AKMA anchor key forwarding to the VPLMN during primary authentication procedure p. 35
6.12.1 Introduction p. 35
6.12.2 Solution details p. 35
6.12.2.1 AKMA anchor key registration in roaming scenario p. 35
6.12.2.2 UE in VPLMN accessing internal VPLMN AF p. 36
6.12.2.3 UE in VPLMN accessing internal HPLMN AF p. 37
6.12.3 Evaluation p. 37
6.13 Solution #13: AKMA support in roaming p. 38
6.14 Solution #14: AKMA roaming with AF outside VPLMN p. 41
6.15 Solution #15: AKMA roaming for external AF in Data Network p. 43
6.16 Solution #16: AKMA roaming with VPLMN AKMA Support NF for inbound roamers p. 44
7 Conclusions p. 47
$ Change history p. 48
