Npc2 is the reference point between the ProSe Application Server and the 5G DDNMF as specified in clause 4 of TS 23.304. When the ProSe Application Server is in a 3rd party's network, the Npc2 comprises two interfaces, i.e. the service-based interface between the 5G DDNMF and the NEF, and the N33 interface between the NEF and the Prose Application Server. When the Prose Application Server is in a MNO's network, the Npc2 is a purely service-based interface.

When the ProSe Application Server is controlled by a 3rd party, requirements on security aspects of NEF are captured in clause 5.9.2.3 of TS 33.501.

When the ProSe Application Server is controlled by a 3rd party, security procedures specified in clause 12 of TS 33.501 is applicable. When the Prose Application Server is controlled by a MNO, security procedures specified in clause 13 of TS 33.501 is applicable. As specified in TS 23.304, the 5G System architecture supports the service based Npc2 interface between 5G DDNMF and ProSe Application Server and optionally supports PC2 interface between the 5G DDNMF and the ProSe Application Server. The security of PC2 reference point specified in TS 33.303 shall be reused.

PC3a is the reference point between the 5G Prose-enabled UE and the 5G DDNMF as specified in clause 4.2.5 of TS 23.304.

3rd parties shall not be allowed to provide configuration data impacting the 5G ProSe-related network operations to the 5G ProSe-enabled UE. The 5G ProSe-enabled UE and the 5G DDNMF shall mutually authenticate each other. The transmission of the material for 5G Prose discovery between the 5G DDNMF and the 5G ProSe-enabled UE shall be integrity protected. The transmission of the material for 5G Prose discovery between the 5G DDNMF and the 5G ProSe-enabled UE shall be confidentiality protected. The transmission of the material for 5G Prose discovery between the 5G DDNMF and the 5G ProSe-enabled UE shall be protected from replays.

See clause 5.3.3.1 in TS 33.303.

For the security procedures for protecting data transfer between the UE and the 5G DDNMF on the PC3a interface, the use of either TLS v1.2 or TLS v. 1.3, as described in clause 5.3.3.2 in TS 33.303 applies with the following modifications:

• The ProSe function is replaced by the 5G DDNMF.
• Confidentiality protection shall be enabled.

Security procedures specified in clause B.1.3.2 of TS 33.535 is applicable with the additional changes:

• The 5G DDNMF takes the role of AF.
• Confidentiality protection shall be enabled.

PC3a interface will be used to transfer the configuration data that is used to perform 5G ProSe Direct Discovery. According to clause 6.3.1.4 of TS 23.304, the UE identity is included in the Discovery Request message. Privacy of UE identity is ensured by the confidentiality protection over PC3a interface.

The 5G Prose network entities shall be able to authenticate the source of the received data communications. The transmission of data between 5G Prose network entities shall be integrity protected. The transmission of data between 5G Prose network entities shall be confidentiality protected. The transmission of data between 5G Prose network entities shall be protected from replays.

Npc4, Npc6, Npc7, Npc8, Npc9 and Npc10 specified in clause 4.2.5 of TS 23.304, Npc11 and Npc12 specified in clause 4.2.2 are realized by corresponding NF service-based interfaces, therefore security procedures specified in clause 13 of TS 33.501 apply to these interfaces.

The 5G ProSe-enabled UEs have interactions with the 5G PKMF over the PC8 interface in the ProSe features described in clause 4.2.2.

The 5G PKMF for commercial services and for public safety services provides the security keys and security material affecting the 5G ProSe-related network operations to the 5G ProSe-enabled UE for discovery of a 5G ProSe UE-to-Network Relay, PC5 communication with a 5G ProSe UE-to-Network Relay, discovery of a 5G ProSe UE-to-UE Relay, and PC5 communication with a 5G ProSe UE-to-UE Relay. The 5G ProSe-enabled UE and the 5G PKMF shall mutually authenticate each other. The 5G System shall support that the transmission of the security keys and security material between the 5G PKMF and the 5G ProSe-enabled UE shall be integrity protected. The 5G System shall support that the transmission of the security keys and security material between the 5G PKMF and the 5G ProSe-enabled UE shall be confidentiality protected. The 5G System shall support that the transmission of the security keys and security material between the 5G PKMF and the 5G ProSe-enabled UE shall be protected from replays. The 5G System shall support that the transmission of the UE identity on the PC8 interface shall be confidentiality protected.

For the security procedures for protecting data transfer between the UE and the 5G PKMF on the PC8 interface, the use of either TLS v1.2 or TLS v.1.3, as described in clause 5.3.3.2 of TS 33.303 applies with the following modifications:

• The ProSe function is replaced by the 5G PKMF.
• Confidentiality protection shall be enabled.

Security procedures specified in clause B.1.3.2 of TS 33.535 is applicable with the additional change:

• The 5G PKMF takes the role of AF.
• Confidentiality protection shall be enabled.