
Content for  TR 33.700-32  Word version:  19.0.0


1  Scope

The present document studies the security and privacy aspects for the creation and usage of user identities as studied in TR 23.700-32, with the following focus:
  1. Study authentication and authorization of:
    1. a user identifier associated with a subscription and used on a UE (i.e., human user) and
    2. an identifier associated with a non-3GPP device behind a UE or 5G-RG.
  2. Study privacy and security impacts of usage of user identifiers associated with a subscription or with a non-3GPP device behind a UE or 5G-RG, including exposure of user profile related information.

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1] TR 21.905: "Vocabulary for 3GPP Specifications".
[2] TR 23.700-32: "Study on User Identities and Authentication Architecture".
[3] TS 33.501: "Security architecture and procedures for 5G System".
[4] TS 23.502: "Procedures for the 5G System (5GS)".
[5] RFC 3748: "Extensible Authentication Protocol (EAP)".
[6] TS 23.273: "5G System (5GS) Location Services (LCS); Stage 2".
[7] TS 33.122: "Security aspects of Common API Framework (CAPIF) for 3GPP northbound APIs".

3  Definitions of terms and abbreviations

3.1  Terms

For the purposes of the present document, the terms given in TR 21.905, TR 23.700-32, and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
Non-3GPP device identifier: an identifier of a non-3GPP device, which applies to a non-3GPP device connecting to the network via a UE or 5G-RG.

3.2  Symbols

3.3  Abbreviations

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.

4  Architecture and security assumptions

This study should be based on the following assumptions:
  • The architecture requirements and assumptions as described in TR 23.700-32 apply.
  • The security architecture, procedures, and security requirements for 5GS as defined in TS 33.501 are used as a baseline.
  • For the non-3GPP device behind a UE or 5G-RG:
    • Credentials are assumed to be provisioned in the non-3GPP device by an operator, human user or a 3rd party.
  • For the human user of the UE:
    • The user authentication and primary authentication are independent. The user authentication procedure will not impact the UE primary authentication procedure.