
TS 33.503 (Word version 18.3.0)


6.4  Security for broadcast mode 5G ProSe Direct Communication

6.4.1  General

This clause specifies the security requirements and the procedures of the broadcast mode 5G ProSe Direct Communication.

6.4.2  Security requirements

Apart from the privacy requirement below, there are no requirements for securing the broadcast mode 5G ProSe Direct Communication.
The 5G System shall protect against linkability and trackability attacks on the Layer-2 ID and the IP address for broadcast mode.

6.4.3  Security procedures

No particular procedures are defined for securing the broadcast mode 5G ProSe Direct Communication beyond identifier randomisation.
The broadcast mode security mechanism that randomises the UE's source Layer-2 ID and source IP address, including the IP prefix if IP is used, as defined in clause 5.5 of TS 33.536, is reused in 5G ProSe to provide broadcast mode 5G ProSe Direct Communication security.

6.5  Security for groupcast mode 5G ProSe Direct Communication

6.5.1  General

This clause specifies the security requirements and the procedures of the groupcast mode 5G ProSe Direct Communication.

6.5.2  Security requirements

Apart from the privacy requirement below, there are no requirements for securing the groupcast mode 5G ProSe Direct Communication.
The 5G System shall protect against linkability and trackability attacks on the Layer-2 ID and the IP address for groupcast mode.

6.5.3  Security procedures

No particular procedures are defined for securing the groupcast mode 5G ProSe Direct Communication beyond identifier randomisation.
The groupcast mode security mechanism that randomises the UE's source Layer-2 ID and source IP address, including the IP prefix if IP is used, as defined in clause 5.5 of TS 33.536, is reused in 5G ProSe to provide groupcast mode 5G ProSe Direct Communication security.
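The following is an added example (not text or code from TS 33.503 or TS 33.536) illustrating why clauses 6.4.3 and 6.5.3 insist that the source Layer-2 ID and the source IP address be randomised together. It assumes a 24-bit Layer-2 ID, an IPv6 link-local source address with a random interface identifier, and a passive PC5 observer who links any two frames that share either identifier; the rotation period, the payload and the observer model are constructed for the example, not taken from the specifications.

```python
import ipaddress
import secrets
from dataclasses import dataclass

L2_ID_BITS = 24                                   # PC5 source Layer-2 ID width (assumption for this example)
LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")   # IPv6 link-local prefix used on PC5 here (assumption)


def random_l2_id(already_used: set) -> int:
    """Uniformly random Layer-2 ID that this UE has not used before."""
    while True:
        candidate = secrets.randbits(L2_ID_BITS)
        if candidate not in already_used:
            return candidate


def random_link_local() -> ipaddress.IPv6Address:
    """Link-local address with a random 64-bit interface identifier.
    Deriving the IID from a stable value (e.g. EUI-64 from a fixed MAC) would
    re-introduce a long-lived identifier, which is what the requirement forbids."""
    return ipaddress.IPv6Address(int(LINK_LOCAL.network_address) | secrets.randbits(64))


@dataclass(frozen=True)
class Frame:
    """What a passive PC5 observer sees per broadcast: source identifiers plus payload."""
    t: int
    src_l2: int
    src_ip: ipaddress.IPv6Address
    payload: bytes


class BroadcastSender:
    """Holds the UE's current source Layer-2 ID and IPv6 source address."""

    def __init__(self) -> None:
        self.used_l2_ids: set = set()
        self.l2_id = random_l2_id(self.used_l2_ids)
        self.used_l2_ids.add(self.l2_id)
        self.ip = random_link_local()

    def rotate(self, joint: bool = True) -> None:
        """Change the Layer-2 ID; with joint=True change the IP address at the same time.
        joint=False models the mistake the requirement exists to rule out."""
        self.l2_id = random_l2_id(self.used_l2_ids)
        self.used_l2_ids.add(self.l2_id)
        if joint:
            self.ip = random_link_local()

    def send(self, t: int, payload: bytes) -> Frame:
        return Frame(t, self.l2_id, self.ip, payload)


def linkable_clusters(frames: list) -> int:
    """Attacker model: two frames belong to the same UE if they share a source
    Layer-2 ID or a source IP address (transitively, via union-find).
    Returns the number of distinct senders the observer can distinguish."""
    parent = list(range(len(frames)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen_l2: dict = {}
    first_seen_ip: dict = {}
    for i, f in enumerate(frames):
        for key, table in ((f.src_l2, first_seen_l2), (f.src_ip, first_seen_ip)):
            if key in table:
                parent[find(i)] = find(table[key])
            else:
                table[key] = i
    return len({find(i) for i in range(len(frames))})


def simulate(epochs: int, frames_per_epoch: int, joint: bool) -> int:
    """One UE broadcasting over `epochs` rotation periods; returns how many
    apparent senders a passive observer ends up with."""
    ue = BroadcastSender()
    trace = []
    t = 0
    for _ in range(epochs):
        for _ in range(frames_per_epoch):
            trace.append(ue.send(t, b"constructed broadcast payload"))
            t += 1
        ue.rotate(joint=joint)
    return linkable_clusters(trace)


if __name__ == "__main__":
    print("joint rotation :", simulate(5, 10, joint=True), "apparent senders")
    print("L2 ID only     :", simulate(5, 10, joint=False), "apparent senders")
```

With joint rotation the observer sees one unrelated sender per rotation period; rotating only the Layer-2 ID while the IP address stays fixed lets the observer chain every period back to a single UE, which is the trackability attack the requirement addresses.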

6.6  Security for 5G ProSe UE-to-UE Relay Communication |R18|

6.6.1  General

This clause describes the security requirements and the security procedures that are specifically for 5G ProSe UE-to-UE Relay Communication defined in TS 23.304.
The security requirements for 5G ProSe Layer-3 UE-to-UE Relay and 5G ProSe Layer-2 UE-to-UE Relay are defined in clause 6.6.2. The security procedures for 5G ProSe Layer-3 UE-to-UE Relay and 5G ProSe Layer-2 UE-to-UE Relay are defined in clauses 6.6.3 and 6.6.4 respectively.

6.6.2  Security requirements

The following security requirements apply to both 5G ProSe Layer-3 UE-to-UE Relay and 5G ProSe Layer-2 UE-to-UE Relay:
  • The 5G System shall support the authorization of the UE as a 5G ProSe UE-to-UE Relay in the 5G ProSe UE-to-UE Relay scenario.
  • The 5G System shall support the authorization of the UE as a 5G ProSe End UE in the 5G ProSe UE-to-UE Relay scenario.
  • The 5G System shall support confidentiality protection, integrity protection, and replay protection for secure communication between the 5G ProSe End UEs via 5G ProSe UE-to-UE Relays.
  • The 5G System shall provide means for mitigating trackability and linkability attacks on peer 5G ProSe End UEs during communications over a UE-to-UE Relay.
  • The PCF shall be able to provision the PC5 security policies to the 5G ProSe End UEs and the 5G ProSe UE-to-UE Relay per Relay Service Code during service authorization and information provisioning procedure as defined in TS 23.304.
  • The 5G ProSe End UEs shall support establishing a secure PC5 link with the 5G ProSe UE-to-UE Relay, with or without network assistance.
  • The 5G ProSe End UEs shall establish a different PC5 security context with each different 5G ProSe UE-to-UE Relay and for each different Relay Service Code.
  • The 5G System shall provide a means to protect user-plane and control-plane messages (integrity, confidentiality and replay protection), including during 5G ProSe UE-to-UE Relay path switch.

6.6.3  Security for 5G ProSe Communication via 5G ProSe Layer-3 UE-to-UE Relay

6.6.3.1  Security of 5G ProSe PC5 Communication for 5G ProSe Layer-3 UE-to-UE Relay with network assistance

The User Plane (UP) based procedures as specified in clause 6.3.3.2 and the Control Plane (CP) based procedures as specified in clause 6.3.3.3 are used to provide authentication, authorisation and security establishment between the 5G ProSe Layer-3 UE-to-UE Relay and Source End UE with the following modification:
  • The Remote UE is replaced by the Source End UE.
  • The UE-to-Network Relay is replaced by the UE-to-UE Relay.
The User Plane (UP) based procedures as specified in clause 6.3.3.2 and the Control Plane (CP) based procedures as specified in clause 6.3.3.3 are used to provide authentication, authorisation and security establishment between the 5G ProSe Layer-3 UE-to-UE Relay and the Target End UE with the following modification:
  • The Remote UE is replaced by the Target End UE.
  • The UE-to-Network Relay is replaced by the UE-to-UE Relay.
  • The procedure is initiated after security establishment between the 5G ProSe Layer-3 UE-to-UE Relay and the Source End UE is successfully completed, as specified in clause 6.7 of TS 23.304.
  • Upon receiving a Direct Communication Request (DCR) message from the Source 5G ProSe End UE that includes an RSC whose Network Assistance Security Indicator indicates that security procedures with network assistance are required, the 5G ProSe UE-to-UE Relay shall verify that it is inside network coverage before initiating the security procedure with network assistance. If the 5G ProSe UE-to-UE Relay is not in network coverage, it shall reject the Direct Communication Request message.
  • Steps 4-5d of clause 6.3.3.2.2 and steps 3-16 of clause 6.3.3.3.2 are not triggered by the DCR message sent by the UE-to-UE Relay. When the Target End UE receives a DCR message from the UE-to-UE Relay that includes an RSC whose Network Assistance Security Indicator indicates that security procedures with network assistance are required (which triggers second-hop PC5 link security establishment), the Target End UE shall instruct the UE-to-UE Relay to initiate the above steps using the message pair Direct Communication Security Request and Direct Communication Security Accept. The Direct Communication Security Request message shall include the SUCI or UP-/CP-PRUK ID of the Target End UE, the Relay Service Code and freshness_parameter_1. Upon receiving the Direct Communication Security Request message, the UE-to-UE Relay shall verify that it is inside network coverage before initiating the security procedures with network assistance; if it is outside network coverage, it shall reject the Direct Communication Security Request message.
    - The Direct Communication Request sent by the UE-to-UE Relay to the Target End UE does not include a PRUK ID; the security mechanism of clause 6.3.5 is therefore modified to protect only the RSC, by modifying Annex A.5 to generate a keystream of the length of the RSC.
  • The Direct Communication Security Request message is protected by reusing the protection method defined in clause 6.3.5.
Figure 6.6.3.1-1 shows the high level flow for the second hop PC5 link security between the 5G ProSe Layer-3 UE-to-UE Relay and the Target End UE.
Figure 6.6.3.1-1: PC5 security establishment procedure between 5G ProSe UE-to-UE Relay and the Target 5G ProSe End UE (figure not reproduced here)

6.6.3.2  Security of 5G ProSe PC5 Communication for 5G ProSe Layer-3 UE-to-UE Relay without network assistance

The security procedure in clause 6.2 is used to establish a secure PC5 link between the End UE and the 5G ProSe Layer-3 UE-to-UE Relay without network assistance, with the following modifications:
  • The RSC is included in the DCR message.
  • The DCR message is protected based on the security mechanism defined in clause 6.3.5, with the modification that the length of the UP-PRUK ID/CP-PRUK ID is set to zero in clause 6.3.5.2.
  • The Direct Communication Accept message is sent to the Source End UE after the 5G ProSe Layer-3 UE-to-UE Relay receives a Direct Communication Accept message from the Target End UE.
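The following added example (not code from TS 33.503; the keystream function, key, RSC and PRUK ID values are constructed stand-ins, and the real Annex A.5 inputs differ) shows what the two DCR-protection modifications in clauses 6.6.3.1 and 6.6.3.2 amount to on the wire: the protected fields are XORed with a keystream whose length is exactly the length of the fields present, so a DCR that carries no PRUK ID consumes only as many keystream bytes as the RSC. It also shows the general XOR-keystream caveat that identical keystream input across two DCRs carrying the same RSC produces identical RSC ciphertext.

```python
import hashlib
import hmac

# Constructed values; none of these is a real provisioned key or identifier.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # stand-in for the key clause 6.3.5 derives (assumption)
RSC = bytes.fromhex("1a2b3c")                             # Relay Service Code, modelled as 24 bits (assumption)
PRUK_ID = bytes.fromhex("c0ffee0011223344")               # UP-/CP-PRUK ID of the Source End UE (constructed)


def keystream(key: bytes, freshness: bytes, length: int) -> bytes:
    """Stand-in for the Annex A.5 keystream function: HMAC-SHA-256 in counter
    mode returning exactly `length` bytes. The real annex's inputs differ; the
    only property this example relies on is that the caller chooses the length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, freshness + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect_dcr_fields(key: bytes, freshness: bytes, rsc: bytes, pruk_id: bytes = b"") -> bytes:
    """Clause 6.3.5-style protection: RSC || PRUK ID is XORed with a keystream of
    exactly len(RSC) + len(PRUK ID) bytes. pruk_id=b'' yields both modifications
    named on the page: 'PRUK ID length set to zero' (6.6.3.2) and 'keystream of
    the length of the RSC' (6.6.3.1, second hop)."""
    plaintext = rsc + pruk_id
    return xor(plaintext, keystream(key, freshness, len(plaintext)))


def unprotect_dcr_fields(key: bytes, freshness: bytes, protected: bytes, rsc_len: int = 3) -> tuple:
    """Receiver side: regenerate the keystream from the same inputs and split into (RSC, PRUK ID)."""
    plaintext = xor(protected, keystream(key, freshness, len(protected)))
    return plaintext[:rsc_len], plaintext[rsc_len:]


def first_hop_with_assistance(freshness: bytes) -> bytes:
    """Source End UE -> UE-to-UE Relay (6.6.3.1): RSC and PRUK ID are both protected."""
    return protect_dcr_fields(KEY, freshness, RSC, PRUK_ID)


def second_hop(freshness: bytes) -> bytes:
    """UE-to-UE Relay -> Target End UE (6.6.3.1): no PRUK ID, so only 3 keystream bytes."""
    return protect_dcr_fields(KEY, freshness, RSC)


def without_assistance(freshness: bytes) -> bytes:
    """End UE -> UE-to-UE Relay (6.6.3.2): PRUK ID length zero; same wire result as second_hop."""
    return protect_dcr_fields(KEY, freshness, RSC, pruk_id=b"")


def rsc_ciphertexts_collide(freshness_a: bytes, freshness_b: bytes) -> bool:
    """General XOR-keystream caveat (a property of any such scheme, not a claim
    about Annex A.5): if two DCRs carrying the same RSC are protected under the
    same key and freshness input, their RSC bytes encrypt identically, so a
    passive observer can link the two messages without knowing the key."""
    return first_hop_with_assistance(freshness_a)[:3] == second_hop(freshness_b)


if __name__ == "__main__":
    f = b"\x00" * 8   # constructed freshness input; must be fresh per message in practice
    print("first hop  :", first_hop_with_assistance(f).hex())
    print("second hop :", second_hop(f).hex(), "(3 bytes: RSC only)")
    print("same freshness links RSC ciphertexts:", rsc_ciphertexts_collide(f, f))
    print("fresh input per message            :", rsc_ciphertexts_collide(f, b"\x01" * 8))
```

The practical point is that shortening the keystream does not weaken the RSC protection, but the freshness input still has to differ per message: with a short, low-entropy field such as a 24-bit RSC, repeated keystream turns an encrypted field into a stable identifier.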

6.6.3.3  Selection between mechanisms with or without network assistance

A Network Assistance Security Indicator per RSC is provisioned (i.e. it follows the authorisation and provisioning for ProSe service as specified in clause 5.1.1 of TS 23.304) in the 5G ProSe End UEs and the 5G ProSe UE-to-UE Relay to indicate which mechanism is to be used: the security procedures with network assistance or the security procedures without network assistance. The 5G ProSe End UEs shall select between the two mechanisms based on the Network Assistance Security Indicator alone, while the 5G ProSe UE-to-UE Relay shall select based on the Network Assistance Security Indicator and its 3GPP coverage status.
For 5G ProSe UE-to-UE Relay Communication with model A discovery, the 5G ProSe UE-to-UE Relay may select RSCs associated with either the security procedures with network assistance or the security procedures without network assistance when it is in 3GPP coverage. When it is out of 3GPP coverage, the 5G ProSe UE-to-UE Relay shall only select RSCs associated with the security procedures without network assistance. The 5G ProSe UE-to-UE Relay then broadcasts a Discovery Announcement message including the selected RSC. The source End UE shall use the security procedures with network assistance if the Network Assistance Security Indicator associated with the RSC indicates the security procedures with network assistance (as described in clause 6.6.3.1). Otherwise, if the Network Assistance Security Indicator associated with the RSC indicates the security procedures without network assistance, the source End UE shall use the security procedures without network assistance (as described in clause 6.6.3.2).
For 5G ProSe UE-to-UE Relay Communication with model B discovery, the source End UE may select an RSC associated with either the security procedures with network assistance or the security procedures without network assistance, based on the desired mechanism. The source End UE then broadcasts a Discovery Solicitation message including the selected RSC. The 5G ProSe UE-to-UE Relay shall use the security procedures with network assistance if the Network Assistance Security Indicator associated with the RSC indicates the security procedures with network assistance and it is inside 3GPP coverage. Otherwise, if the Network Assistance Security Indicator associated with the RSC indicates the security procedures without network assistance, the 5G ProSe UE-to-UE Relay shall use the security procedures without network assistance. The 5G ProSe UE-to-UE Relay shall ignore the Discovery Solicitation message if the selected RSC is associated with the security procedures with network assistance and the 5G ProSe UE-to-UE Relay is out of network coverage.
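The decision logic of clause 6.6.3.3, together with the two coverage checks the relay performs in clause 6.6.3.1 (on the Source End UE's DCR and on the Target End UE's Direct Communication Security Request), as an added example that is not code from TS 33.503. The RSC values and the Network Assistance Security Indicator table are constructed; the real values come from provisioning. Ignoring a solicited RSC that the relay was never provisioned with is an assumption not stated on the page.

```python
from enum import Enum


class Mechanism(Enum):
    WITH_NETWORK_ASSISTANCE = "with network assistance"        # clause 6.6.3.1
    WITHOUT_NETWORK_ASSISTANCE = "without network assistance"  # clause 6.6.3.2


# Network Assistance Security Indicator per RSC, as provisioned to the End UEs and
# the UE-to-UE Relay. Constructed RSC values for the example.
PROVISIONED_NASI = {
    0x000011: Mechanism.WITH_NETWORK_ASSISTANCE,
    0x000012: Mechanism.WITHOUT_NETWORK_ASSISTANCE,
    0x000013: Mechanism.WITH_NETWORK_ASSISTANCE,
}


def end_ue_mechanism(nasi: dict, rsc: int) -> Mechanism:
    """End UEs decide on the indicator alone; their own coverage does not matter."""
    return nasi[rsc]


def relay_model_a_announceable_rscs(nasi: dict, in_coverage: bool) -> list:
    """Model A: RSCs the UE-to-UE Relay may put in a Discovery Announcement.
    In coverage it may announce RSCs of both kinds; out of coverage only RSCs
    associated with the procedures without network assistance."""
    return sorted(rsc for rsc, m in nasi.items()
                  if in_coverage or m is Mechanism.WITHOUT_NETWORK_ASSISTANCE)


def relay_model_b_on_solicitation(nasi: dict, rsc: int, in_coverage: bool):
    """Model B: the Source End UE solicited `rsc`. Returns the mechanism the relay
    will use, or None when the relay must ignore the solicitation (RSC requires
    network assistance but the relay is out of coverage). An RSC the relay was
    never provisioned with is also ignored (assumption)."""
    m = nasi.get(rsc)
    if m is None:
        return None
    if m is Mechanism.WITH_NETWORK_ASSISTANCE and not in_coverage:
        return None
    return m


def relay_on_direct_communication_request(nasi: dict, rsc: int, in_coverage: bool) -> str:
    """First hop (6.6.3.1): DCR from the Source End UE. The relay rejects instead
    of starting the network-assisted procedure when it has no coverage."""
    m = nasi.get(rsc)
    if m is None:
        return "reject"
    if m is Mechanism.WITH_NETWORK_ASSISTANCE and not in_coverage:
        return "reject"
    return "proceed " + m.value


def target_end_ue_on_dcr(nasi: dict, rsc: int, identity: bytes, freshness_parameter_1: bytes):
    """Second hop (6.6.3.1): the Target End UE receives the relay's DCR, which carries
    the RSC but no PRUK ID. If the RSC requires network assistance it answers with a
    Direct Communication Security Request that tells the relay to run the network-side
    steps; otherwise it continues with the clause 6.2 procedure."""
    if nasi[rsc] is Mechanism.WITH_NETWORK_ASSISTANCE:
        return ("Direct Communication Security Request",
                {"identity": identity,            # SUCI or UP-/CP-PRUK ID of the Target End UE
                 "rsc": rsc,
                 "freshness_parameter_1": freshness_parameter_1})
    return ("continue without network assistance", None)


def relay_on_direct_communication_security_request(in_coverage: bool) -> str:
    """Same coverage check on the second hop: out of coverage means reject."""
    return "initiate network-assisted steps" if in_coverage else "reject"


if __name__ == "__main__":
    for cov in (True, False):
        print("coverage", cov, "-> model A announceable RSCs:",
              [hex(r) for r in relay_model_a_announceable_rscs(PROVISIONED_NASI, cov)])
        print("coverage", cov, "-> model B solicitation for 0x11:",
              relay_model_b_on_solicitation(PROVISIONED_NASI, 0x11, cov))
        print("coverage", cov, "-> DCR with RSC 0x13:",
              relay_on_direct_communication_request(PROVISIONED_NASI, 0x13, cov))
```

The asymmetry worth noticing is that only the relay consults its coverage state; an End UE that picks a network-assisted RSC while the relay is out of coverage gets a rejected DCR (model A) or no answer at all (model B), never a silent fallback to the procedure without network assistance.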

6.6.3.4  Identity privacy for communication for 5G ProSe Layer-3 UE-to-UE Relay

The privacy protection procedure in clause 6.2.4 of the present document is used for the privacy protection of the communication between the 5G ProSe End UE and the 5G ProSe Layer-3 UE-to-UE Relay, in addition to the link identifier update procedure in clause 6.7.1.2 of TS 23.304.

6.6.4  Security for 5G ProSe Communication via 5G ProSe Layer-2 UE-to-UE Relay

6.6.4.1  General

The security procedure in clause 6.6.3 is used to establish secure PC5 signalling between the End UE and the 5G ProSe Layer-2 UE-to-UE Relay.
The security procedure in clause 6.2 is used to establish an end-to-end security link between the End UEs via the 5G ProSe Layer-2 UE-to-UE Relay.

6.6.4.2  Identity privacy for communication for 5G ProSe Layer-2 UE-to-UE Relay

The privacy protection procedure in clause 6.2.4 of the present document is used for the privacy protection of the End-to-End communication between the 5G ProSe End UEs via a 5G ProSe Layer-2 UE-to-UE Relay and the communication between the 5G ProSe End UE and the 5G ProSe Layer-2 UE-to-UE Relay.
During the negotiated 5G ProSe Layer-2 UE-to-UE Relay reselection defined in clause 6.7.4.2 of TS 23.304, a new KNRP ID is agreed between the 5G ProSe End UEs via the first 5G ProSe Layer-2 UE-to-UE Relay as specified in clause 5.3.3.2.2.2 of TS 33.536, with the following modification:
  • The new KNRP ID is agreed using a Layer-2 Link Modification procedure via the first 5G ProSe Layer-2 UE-to-UE Relay instead of a Layer-2 link release procedure. The 5G ProSe End UEs use the new KNRP ID to establish a connection via the second 5G ProSe Layer-2 UE-to-UE Relay.
