Content for TS 33.501, Word version 19.0.0

5  Security requirements and features

5.1  General security requirements

5.1.1  Mitigation of bidding down attacks

An attacker could attempt a bidding down attack by making the UE and the network entities respectively believe that the other side does not support a security feature, even when both sides in fact support that security feature. It shall be ensured that a bidding down attack, in the above sense, can be prevented.
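As an added illustration, not part of the specification text, the Python below models the mechanism that lets a bidding down attempt be detected: the network echoes the UE security capabilities it received inside the integrity-protected Security Mode Command (the replayed-capabilities check defined later in this specification), and the UE rejects the command when the echoed set differs from what it actually sent. The HMAC key, capability encoding and preference order are constructed stand-ins for K_NASint, the NAS message format and operator policy.

```python
import hashlib
import hmac

# Constructed demo values: the UE's real capability set and a shared key that
# stands in for K_NASint (the real NAS MAC is computed with the selected NIA).
UE_CAPS = {"NEA0", "128-NEA1", "128-NEA2", "NIA0", "128-NIA1", "128-NIA2"}
K_NAS_INT = b"constructed-demo-key"

# Assumed operator preference order for algorithm selection.
CIPHER_PREF = ["128-NEA2", "128-NEA1", "NEA0"]
INTEG_PREF = ["128-NIA2", "128-NIA1", "NIA0"]


def network_smc(received_caps):
    """Network side: select algorithms from the capabilities it received over
    the unprotected Registration Request, then echo those capabilities in the
    Security Mode Command and integrity-protect the whole message."""
    cipher = next(a for a in CIPHER_PREF if a in received_caps)
    integ = next(a for a in INTEG_PREF if a in received_caps)
    body = f"{cipher}|{integ}|{','.join(sorted(received_caps))}".encode()
    return body, hmac.new(K_NAS_INT, body, hashlib.sha256).digest()


def ue_accept_smc(body, mac, ue_caps=UE_CAPS):
    """UE side: the command is accepted only if the MAC verifies AND the
    replayed capabilities equal what the UE actually sent. A capability set
    stripped in transit fails the comparison; an echo patched to match the
    UE's set fails the MAC."""
    expected = hmac.new(K_NAS_INT, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False
    _cipher, _integ, caps = body.decode().split("|")
    return set(caps.split(",")) == set(ue_caps)


def run(forwarded_caps):
    """Simulate one registration: forwarded_caps is what the network receives,
    which differs from UE_CAPS if the unprotected message was modified."""
    body, mac = network_smc(forwarded_caps)
    cipher, integ, _ = body.decode().split("|")
    return cipher, integ, ue_accept_smc(body, mac)
```

With the capability set delivered intact the strongest algorithms are chosen and the command is accepted; with the set reduced to the null algorithms in transit the network selects NEA0/NIA0 but the UE refuses the command.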

5.1.2  Authentication and Authorization

The 5G system shall satisfy the following requirements:
  • Subscription authentication: The serving network shall authenticate the Subscription Permanent Identifier (SUPI) in the process of authentication and key agreement between UE and network.
  • Serving network authentication: The UE shall authenticate the serving network identifier through implicit key authentication.
  • UE authorization: The serving network shall authorize the UE through the subscription profile obtained from the home network. UE authorization is based on the authenticated SUPI.
  • Serving network authorization by the home network: Assurance shall be provided to the UE that it is connected to a serving network that is authorized by the home network to provide services to the UE. This authorization is 'implicit' in the sense that it is implied by a successful authentication and key agreement run.
  • Access network authorization: Assurance shall be provided to the UE that it is connected to an access network that is authorized by the serving network to provide services to the UE. This authorization is 'implicit' in the sense that it is implied by a successful establishment of access network security. This access network authorization applies to all types of access networks.
  • Unauthenticated Emergency Services: In order to meet regulatory requirements in some regions, the 5G system shall support unauthenticated access for emergency services. This requirement applies to all MEs and only to those serving networks where regulatory requirements for unauthenticated emergency services exist. Serving networks located in regions where unauthenticated emergency services are forbidden shall not support this feature.

5.1.3  Requirements on 5GC and NG-RAN related to keys

The 5GC and NG-RAN shall allow for use of encryption and integrity protection algorithms for AS and NAS protection having keys of length 128 bits. The network interfaces shall support the transport of 256 bit keys.
The keys used for UP, NAS and AS protection shall be dependent on the algorithm with which they are used.

5.2  Requirements on the UE

5.2.1  General

The support and usage of ciphering and integrity protection between the UE and the ng-eNB is identical to the support and usage of ciphering and integrity protection between the UE and the eNB as specified in TS 33.401 with the following additional requirement(s):
  • The UE shall support the use of integrity protection with the ng-eNB over the Uu interface if it supports E-UTRA connected to 5GC.
  • The UE shall indicate its support of integrity protection with the ng-eNB if it supports E-UTRA connected to 5GC.
The PEI shall be securely stored in the UE to ensure the integrity of the PEI.

5.2.2  User data and signalling data confidentiality

The UE shall support ciphering of user data between the UE and the gNB.
The UE shall activate ciphering of user data based on the indication sent by the gNB.
The UE shall support ciphering of RRC and NAS-signalling.
The UE shall implement the following ciphering algorithms:
  • NEA0, 128-NEA1, 128-NEA2 as defined in Annex D of the present document.
The UE may implement the following ciphering algorithm:
  • 128-NEA3 as defined in Annex D of the present document.
The UE shall implement the ciphering algorithms as specified in TS 33.401 if it supports E-UTRA connected to 5GC.
Confidentiality protection of the user data between the UE and the gNB is optional to use.
Confidentiality protection of the RRC-signalling and NAS-signalling is optional to use.
Confidentiality protection should be used whenever regulations permit.

5.2.3  User data and signalling data integrity

The UE shall support integrity protection and replay protection of user data between the UE and the gNB. The UE shall support integrity protection of user data at any data rate, up to and including the highest data rate supported by the UE.
The UE shall activate integrity protection of user data based on the indication sent by the gNB.
The UE shall support integrity protection and replay protection of RRC and NAS-signalling.
The UE shall implement the following integrity protection algorithms:
  • NIA0, 128-NIA1, 128-NIA2 as defined in Annex D of the present document.
The UE may implement the following integrity protection algorithm:
  • 128-NIA3 as defined in Annex D of the present document.
The UE shall implement the integrity algorithms as specified in TS 33.401 if it supports E-UTRA connected to 5GC.
Integrity protection of the user data between the UE and the gNB is optional to use.
Integrity protection of the RRC-signalling and NAS-signalling is mandatory to use, except in the following cases:
  • All NAS signalling messages except those explicitly listed in TS 24.501 as exceptions shall be integrity-protected.
  • All RRC signalling messages except those explicitly listed in TS 38.331 as exceptions shall be integrity-protected with an integrity protection algorithm different from NIA0, except for unauthenticated emergency calls.
The UE shall implement NIA0 for integrity protection of NAS and RRC signalling. NIA0 is only allowed for unauthenticated emergency session as specified in clause 10.2.2.

5.2.4  Secure storage and processing of subscription credentials

The following requirements apply for the storage and processing of the subscription credentials used to access the 5G network:
  • The subscription credential(s) shall be integrity protected within the UE using a tamper resistant secure hardware component.
  • The long-term key(s) of the subscription credential(s) (i.e. K) shall be confidentiality protected within the UE using a tamper resistant secure hardware component.
  • The long-term key(s) of the subscription credential(s) shall never be available in the clear outside of the tamper resistant secure hardware component.
  • The authentication algorithm(s) that make use of the subscription credentials shall always be executed within the tamper resistant secure hardware component.
  • It shall be possible to perform a security evaluation / assessment according to the respective security requirements of the tamper resistant secure hardware component.

5.2.5  Subscriber privacy

The UE shall support 5G-GUTI.
The SUPI should not be transferred in clear text over NG-RAN except routing information, e.g. Mobile Country Code (MCC) and Mobile Network Code (MNC).
The Home Network Public Key shall be stored in the USIM.
The protection scheme identifier shall be stored in the USIM.
The Home Network Public Key Identifier shall be stored in the USIM.
The SUCI calculation indication, either USIM or ME calculating the SUCI, shall be stored in USIM.
The ME shall support the null-scheme.
If the home network has not provisioned the Home Network Public Key in USIM, the SUPI protection in initial registration procedure is not provided. In this case, the null-scheme shall be used by the ME.
Based on home operator's decision, indicated by the USIM, the calculation of the SUCI shall be performed either by the USIM or by the ME.
In case of an unauthenticated emergency call, privacy protection for SUPI is not required.
Provisioning, and updating the Home Network Public Key, Home Network Public Key Identifier, protection scheme identifier, Routing Indicator, and SUCI calculation indication in the USIM shall be in the control of the home network operator.
Subscriber privacy enablement shall be under the control of the home network of the subscriber.
The UE shall only send the PEI in the NAS protocol after NAS security context is established, unless during emergency registration when no NAS security context can be established.
The Routing Indicator shall be stored in the USIM. If the Routing Indicator is not present in the USIM, the ME shall set it to a default value as defined in TS 23.003.
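The following Python is an added illustration of the provisioning rules in this clause, not code from the specification: it selects the SUCI protection scheme from what the USIM holds (null-scheme in the ME when no Home Network Public Key is provisioned, the default Routing Indicator when none is stored), assembles the SUCI fields, and checks whether anything beyond routing information is readable. The SUCI field layout (SUPI type, home network identifier, Routing Indicator, protection scheme identifier, Home Network Public Key Identifier, scheme output) follows TS 23.003 and Annex C, the default Routing Indicator "0" is an assumption taken from TS 23.003, and the ECIES profiles are represented by a caller-supplied function rather than implemented.

```python
NULL_SCHEME = 0
DEFAULT_ROUTING_INDICATOR = "0"   # assumed default, see TS 23.003

# Constructed USIM provisioning records: one fully provisioned by the home
# operator, one with no Home Network Public Key at all.
USIM_PROVISIONED = {"hn_public_key": b"constructed-public-key", "hn_public_key_id": 3,
                    "scheme_id": 1, "routing_indicator": "17", "suci_calc_by": "USIM"}
USIM_NOT_PROVISIONED = {}


def select_scheme(usim):
    """Return (scheme id, key id, entity computing the SUCI). Without a
    provisioned Home Network Public Key the ME must fall back to null-scheme."""
    if usim.get("hn_public_key") is None:
        return NULL_SCHEME, 0, "ME"
    return usim["scheme_id"], usim["hn_public_key_id"], usim["suci_calc_by"]


def build_suci(supi, usim, mnc_len=2, scheme_output_fn=None):
    """Assemble the SUCI for an IMSI-based SUPI (3-digit MCC, then the MNC).
    scheme_output_fn stands in for Profile A/B (ECIES), which is not implemented here."""
    mcc, mnc, msin = supi[:3], supi[3:3 + mnc_len], supi[3 + mnc_len:]
    scheme_id, key_id, calc_by = select_scheme(usim)
    # Routing Indicator absent from the USIM: the ME uses the default value.
    ri = usim.get("routing_indicator") or DEFAULT_ROUTING_INDICATOR
    if scheme_id == NULL_SCHEME:
        output = msin                     # null-scheme: the MSIN goes in the clear
    else:
        output = scheme_output_fn(msin, usim["hn_public_key"])
    return {"supi_type": 0, "home_network_id": mcc + mnc, "routing_indicator": ri,
            "scheme_id": scheme_id, "hn_public_key_id": key_id,
            "scheme_output": output, "computed_by": calc_by}


def msin_exposed(suci, supi, mnc_len=2):
    """True when the subscriber-specific MSIN is readable from the SUCI; only
    routing information (MCC/MNC, Routing Indicator) is meant to be visible."""
    return supi[3 + mnc_len:] == suci["scheme_output"]
```

Running it with the two constructed USIM records shows the unprovisioned case degrading to a SUCI whose MSIN is in the clear, which is exactly the situation the clause describes when the home network has not provisioned the key.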
