
Content for  TS 33.180  Word version:  18.1.0


6  Supporting security mechanisms

6.1  HTTP

6.1.1  Authentication for HTTP-1 interface

For authentication of the HTTP-1 reference point, one of the following authentication mechanisms shall be performed between the HTTP client in the MC UE and the HTTP server endpoint (HTTP proxy, IdM server or KMS):
  • one-way authentication of the HTTP server endpoint based on the server certificate;
  • mutual authentication based on client and server certificates;
  • mutual authentication based on pre-shared key.
Certificate-based authentication shall follow the profiles given in clauses 6.1.3a and 6.1.4a of TS 33.310. The structure of the PKI used for the certificate is out of scope of the present document. Guidance on certificate-based mutual authentication is provided in TS 33.222, Annex B.
The usage of Pre-Shared Key Ciphersuites for Transport Layer Security (TLS-PSK) is specified in the TLS profile given in TS 33.310, Annex E.

6.1.2  HTTP-1 interface security

The support of Transport Layer Security (TLS) on HTTP-1 is mandatory. The profile for TLS implementation and usage shall follow the provisions given in TS 33.310, Annex E.
If the PSK TLS based authentication mechanism is supported, the HTTP client in the MC UE and the HTTP Proxy shall support the TLS version, PSK ciphersuites and TLS Extensions as specified in the TLS profile given in TS 33.310, Annex E. The usage of pre-shared key ciphersuites for TLS is specified in the TLS profile given in TS 33.310, Annex E.

6.1.3  HTTP-3 interface security |R15|

The support of Transport Layer Security (TLS) on HTTP-3 is recommended between HTTP proxies. Where used, the profile for TLS implementation and usage shall follow the provisions given in TS 33.310, Annex E.

6.2  SIP

6.2.1  Authentication for SIP core access

This clause specifies the mutual authentication between the UE and the SIP core.
IMS AKA authentication shall be performed as specified in TS 33.203 for SIP core access. The IMS AKA authentication mechanism as specified in TS 33.203 shall be performed irrespective of whether the SIP core architecture is compliant with TS 23.228 or not.
Authentication-related information shall be provided by the SIP database, which may be part of the HSS or may be part of the MC service provider's SIP database, depending on the SIP core deployment scenarios specified in TS 23.379.
Implementation options and requirements on the ISIM or USIM application to support SIP core access security are specified in TS 33.203.

6.2.2  SIP-1 interface security

The security mechanisms as specified in TS 33.203 for the Gm interface shall be used to provide confidentiality and integrity of signalling on the SIP-1 interface.

6.3  Network domain security

6.3.1  EPS-LTE/5GS-NR access authentication and security

An MC UE shall perform the authentication and security mechanisms as specified in TS 33.401 for EPS-LTE and as specified in TS 33.501 for 5GS-NR network access security.

6.3.2  Inter/Intra domain interface security

To ensure security of the interfaces between network elements within a trusted domain and between trusted domains, namely HTTP-2, HTTP-3, SIP-2 and SIP-3:
  • 3GPP TS 33.210 shall be applied to secure signalling messages on the reference points unless specified otherwise; and
  • 3GPP TS 33.310 may be applied regarding the use of certificates with the security mechanisms of TS 33.210 unless specified otherwise in the present document.
A SEG as specified in TS 33.210 may be used in the trusted domain to terminate the IPsec tunnel.