Content for TS 33.434 Word version: 18.2.0

3.1 Terms 3.2 Symbols 3.3 Abbreviations 4.1 VAL user authentication and authorization 4.2 Inter-domain
...

1 Scope p. 7

The present document specifies the security features and mechanisms to support the Service Enabler Architecture Layer (SEAL) in 5G. Specifically security architecture, functional model(s), security aspects of SEAL reference points (e.g. SEAL-UU, etc.), Key Management (KM) procedures, Identity Management (IdM) procedures and SEAL access authentication and authorization for supporting efficient use and deployment of vertical applications over the 3GPP systems are specified.

2 References p. 7

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.

References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
For a specific reference, subsequent revisions do not apply.
For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.

[1]

TR 21.905: "Vocabulary for 3GPP Specifications".

[2]

TS 23.434: "Service Enabler Architecture Layer for Verticals (SEAL); Functional architecture and information flows".

[3]

RFC 6749: "The OAuth 2.0 Authorization Framework".

[4]

RFC 6750: "The OAuth 2.0 Authorization Framework: Bearer Token Usage".

[5]

OpenID Connect 1.0: "OpenID Connect Core 1.0 incorporating errata set 1", http://openid.net/specs/openid-connect-core-1_0.html.

[6]

TS 33.310: "Network Domain Security (NDS); Authentication Framework (AF)".

[7]

TS 23.401: "General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access".

[8]

TS 23.501: "System Architecture for the 5G System; Stage 2".

[9]

RFC 7521: "Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants".

[10]

RFC 7523: "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants".

[11]

RFC 7797: " JSON Web Signature (JWS) Unencoded Payload Option".

[12]

RFC 7515: "JSON Web Signature (JWS)".

[13]

RFC 7662: "OAuth 2.0 Token Introspection".

[14]

TS 33.210: " 3G security; Network Domain Security (NDS); IP network layer security".

[15]

TS 33.222: "Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS)".

[16]

TS 33.501: "Security architecture and procedures for 5G system".

[17]

TS 29.122: "T8 reference point for Northbound Application Programming Interfaces (APIs)".

[18]

RFC 7252: "The Constrained Application Protocol (CoAP)".

[19]

RFC 9200: "Authentication and Authorization for Constrained Environments (ACE) using the OAuth 2.0 Framework (ACE-OAuth)".

[20]

RFC 8152: "CBOR Object Signing and Encryption (COSE)".

[21]

RFC 9202: "Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE)".

[22]

RFC 9175: "CoAP: Echo, Request-Tag, and Token Processing"

[23]

RFC 8613: "Object Security for Constrained RESTful Environments (OSCORE)".

[24]

RFC 9203: "OSCORE Profile of the Authentication and Authorization for Constrained Environments Framework".

[25]

RFC 9430: "Extension of the ACE CoAP-DTLS Profile to TLS".

[26]

RFC 8392: "CBOR Web Token (CWT)".

[27]

RFC 8747: "Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) ".

[28]

RFC 9201: "Additional OAuth Parameters for Authentication and Authorization for Constrained Environments (ACE)".

[29]

TS 33.122: "Security aspects of Common API Framework (CAPIF) for 3GPP northbound APIs".

[30]

TS 23.433: "Service Enabler Architecture Layer for Verticals (SEAL);Data Delivery enabler for vertical applications".

[31]

TS 33.401: "3GPP System Architecture Evolution (SAE); Security architecture".

[32]

TS 33.246: "3G Security; Security of Multimedia Broadcast/Multicast Service (MBMS)".

3 Definitions of terms, symbols and abbreviations p. 8

3.1 Terms p. 8

For the purposes of the present document, the terms given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.

For the purposes of the present document, the terms and definitions given in TS 23.434 apply.

3.2 Symbols p. 8

Void.

3.3 Abbreviations p. 8

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.

SEAL

Service Enabler Architecture Layer for Verticals

SIM-C

SEAL Identity Management Client

SIM-S

SEAL Identity Management Server

SKM-C

SEAL-Key Management Client

SKM-S

SEAL Key Management Server

VAL

Vertical Application Layer

4 SEAL security requirements p. 9

4.1 VAL user authentication and authorization p. 9

[SEAL-SEC-4.1-a]

All users of the VAL Service shall be authenticated.

[SEAL-SEC-4.1-b]

The VAL Client and the VAL Server shall mutually authenticate each other prior to providing the VAL UE with the VAL Service User profile and access to user-specific services.

[SEAL-SEC-4.1-c]

The transmission of configuration data and user profile data between an authorized VAL server in the network and the VAL UE shall be confidentiality protected, integrity protected and protected from replays.

[SEAL-SEC-4.1-d]

The VAL service should take measures to detect and mitigate DoS attacks to minimize the impact on the network and on VAL users.

[SEAL-SEC-4.1-e]

The VAL service shall provide a means to support confidentiality of VAL user identities.

[SEAL-SEC-4.1-f]

The VAL service shall provide a means to support confidentiality of VAL signalling.

4.2 Inter-domain p. 9

[SEAL-SEC-4.2-a]

VAL systems should take measures to protect themselves from external attacks at the system border.