Architectural requirements pertaining to CAPIF security are found in
TS 23.222. The following are CAPIF derived security requirements.
Security requirements that are applicable to all CAPIF entities are:
[CAPIF-SEC-4.2-a]
The CAPIF shall provide mechanisms to hide the topology of the PLMN trust domain from the API invokers accessing the service APIs from outside the PLMN trust domain.
[CAPIF-SEC-4.2-b]
The CAPIF shall provide mechanisms to hide the topology of the 3rd party API provider trust domain from the API invokers accessing the service APIs from outside the 3rd party API provider trust domain.
[CAPIF-SEC-4.2-c]
The CAPIF shall provide authorization mechanism for service APIs from the 3rd party API providers.
[CAPIF-SEC-4.2-d]
The CAPIF shall support a common security mechanism for all API implementations to provide confidentiality and integrity protection.
[CAPIF-SEC-4.2-e]
API invoker authentication and authorization shall support all deployment models listed in
TS 23.222.
[CAPIF-SEC-4.2-f]
The API invoker and CAPIF should enforce the result of the authentication for the duration of communications (e.g. by integrity protection or implicit authentication by encryption with a key that is derived from the authentication and is unknown to the adversary).
The CAPIF-1/1e reference points between the API invoker and the CAPIF core function shall fulfil the following requirements:
[CAPIF-SEC-4.3-a]
Mutual authentication between the API invoker and the CAPIF Core function shall be supported.
[CAPIF-SEC-4.3-b]
The transport of messages over the CAPIF-1 and CAPIF-1e reference points shall be integrity protected.
[CAPIF-SEC-4.3-c]
The transport of messages over the CAPIF-1 and CAPIF-1e reference points shall be protected from replay attacks.
[CAPIF-SEC-4.3-d]
The transport of messages over the CAPIF-1 and CAPIF-1e reference points shall be confidentiality protected.
[CAPIF-SEC-4.3-e]
Privacy of the 3GPP user over the CAPIF-1 and CAPIF-1e reference points shall be protected.
[CAPIF-SEC-4.3-f]
The CAPIF core function shall authorize the API invoker prior to the API invoker accessing the AEF.
[CAPIF-SEC-4.3-g]
The CAPIF core function shall authorize the API invoker prior to accessing the discover service API.
[CAPIF-SEC-4.3-h]
The CAPIF core function shall authenticate the API invoker's onboarding request.
[CAPIF-SEC-4.3-i]
The CAPIF core function shall authenticate the API invoker's offboarding request.
The CAPIF-2/2e reference points between the API invoker and API exposing function shall fulfil the following requirements:
[CAPIF-SEC-4.4-a]
Mutual authentication between the API invoker and the API exposing function shall be supported.
[CAPIF-SEC-4.4-b]
The transport of messages over the CAPIF-2 and CAPIF-2e reference points shall be integrity protected.
[CAPIF-SEC-4.4-c]
The transport of messages over the CAPIF-2 and CAPIF-2e reference points shall be protected from replay attacks.
[CAPIF-SEC-4.4-d]
The transport of messages over the CAPIF-2 and CAPIF-2e reference points shall be confidentiality protected.
[CAPIF-SEC-4.4-e]
Privacy of the 3GPP user over the CAPIF-2 and CAPIF-2e reference points shall be protected.
[CAPIF-SEC-4.4-f]
The API exposing function shall determine whether API invoker is authorized to access service API.
The security requirements for CAPIF-3/4/5 reference points are:
[CAPIF-SEC-4.5-a]
The transport of messages over the CAPIF-3/4/5 reference points shall be integrity protected.
[CAPIF-SEC-4.5-b]
The transport of messages over the CAPIF-3/4/5 reference points shall be confidentiality protected.
[CAPIF-SEC-4.5-c]
The transport of messages over the CAPIF-3/4/5 reference points shall be protected from replay attacks.
[CAPIF-SEC-4.5-d]
The CAPIF core function shall be able to authenticate the service API publishers to publish and manage the service API information.
[CAPIF-SEC-4.5-e]
The CAPIF core function shall be able to authorize the service API publishers to publish and manage the service API information.
[CAPIF-SEC-4.5-f]
The CAPIF core function shall be able to request explicit grant of new API invoker's onboarding.
[CAPIF-SEC-4.5-g]
The CAPIF core function shall be able to authenticate the API Management function's registration request for API Provider domain functions.
[CAPIF-SEC-4.5-h]
The CAPIF core function shall be able to authenticate the API Management function's registration update request for API provider domain functions.
The security requirements for CAPIF-3e/4e/5e reference points are:
[CAPIF-SEC-4.6 -a]
The transport of messages over the CAPIF-3e/4e/5e reference points shall be integrity protected.
[CAPIF-SEC-4. 6 -b]
The transport of messages over the CAPIF-3e/4e/5e reference points shall be confidentiality protected.
[CAPIF-SEC-4. 6 -c]
The transport of messages over the CAPIF-3e/4e/5e reference points shall be protected from replay attacks.
[CAPIF-SEC-4. 6 -d]
The CAPIF core function shall be able to authenticate the service API publishers to publish and manage the service API information.
[CAPIF-SEC-4. 6 -e]
The CAPIF core function shall be able to authorize the service API publishers to publish and manage the service API information.
[CAPIF-SEC-4. 6 -f]
The CAPIF core function shall be able to request explicit grant of new API invoker's onboarding.
[CAPIF-SEC-4.6-g]
The CAPIF core function shall be able to authenticate the API Management function's registration request for API Provider domain functions.
[CAPIF-SEC-4.6-h]
The CAPIF core function shall be able to authenticate the API Management function's registration update request for API provider domain functions.
The security requirements for CAPIF-7/7e reference points are:
[CAPIF-SEC-4.7-a]
The transport of messages over the CAPIF-7 and CAPIF-7e reference points shall be integrity protected.
[CAPIF-SEC-4.7-b]
The transport of messages over the CAPIF-7 and CAPIF-7e reference points shall be protected from replay attacks.
[CAPIF-SEC-4.7-c]
The transport of messages over the CAPIF-7 and CAPIF-7e reference points shall be confidentiality protected.
[CAPIF-SEC-4.7-d]
Privacy of the 3GPP user over the CAPIF-7 and CAPIF-7e reference points shall be protected.
[CAPIF-SEC-4.7-e]
The API exposing function (destination AEF handling service API) shall determine whether AEF that is topology hiding entity, is authorized to access service API.
CAPIF-8 interface is not in scope of the present document. Nevertheless, integrity and confidentiality protection, protection against replay attacks, privacy of the resource owner, authentication between the resource owner and the CCF need to be addressed by mechanism(s) which are out of 3GPP scope.