
Content for  TR 33.833  Word version:  13.0.0



1  Scope

The present document contains a study of the security aspects of Proximity Services (ProSe) and an evaluation of possible technical solutions needed to support such services. The Stage 1 requirements for these services are defined in TS 22.278 and TS 22.115. These requirements include a list of general requirements on ProSe Security, Authorization and Privacy (clause 9.4 of TS 22.278), which are taken into consideration when developing the security key issues, security requirements and security solutions in the present document.
Different possible Stage 2 solutions for Proximity Services are studied in TR 23.703.
Normative provisions/requirements are included in the present specification solely for the purposes of studying solutions and are not to be considered as implying normative requirements on 3GPP entities.

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1] TR 21.905: "Vocabulary for 3GPP Specifications".
[2] TS 22.278: "Service requirements for the Evolved Packet System (EPS)".
[3] TS 22.115: "Service aspects; Charging and billing".
[4] TR 23.703: "Study on architecture enhancements to support Proximity Services (ProSe)".
[5] TS 33.222: "Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS)".
[6] TS 33.220: "Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA)".
[7] TS 33.223: "Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA) Push function".
[8] ETSI TS 102 225: "Smart Cards; Secured packet structure for UICC based applications (Release 9)".
[9] ETSI TS 102 226: "Smart cards; Remote APDU structure for UICC based applications (Release 6)".
[10] TS 31.115: "Secured packet structure for (Universal) Subscriber Identity Module (U)SIM Toolkit applications".
[11] TS 31.116: "Remote APDU Structure for (U)SIM Toolkit applications".
[12] RFC 6509: "MIKEY-SAKKE: Sakai-Kasahara Key Encryption in Multimedia Internet KEYing (MIKEY)".
[13] TS 36.331: "Evolved Universal Terrestrial Radio Access (E-UTRA); Radio Resource Control (RRC); Protocol specification".
[14] RFC 3830: "MIKEY: Multimedia Internet KEYing", August 2004.
[15] RFC 6507: "Elliptic Curve-Based Certificateless Signatures for Identity-Based Encryption (ECCSI)".
[16] TS 33.328: "IP Multimedia Subsystem (IMS) media plane security".
[17] RFC 6043: "MIKEY-TICKET: Ticket-Based Modes of Key Distribution in Multimedia Internet KEYing (MIKEY)".
[18] TS 33.210: "3G security; Network Domain Security (NDS); IP network layer security".
[19] TS 33.310: "Network Domain Security (NDS); Authentication Framework (AF)".
[20] TS 23.303: "Proximity based Services (ProSe); Stage 2".
[21] TS 33.401: "3GPP System Architecture Evolution (SAE); Security architecture".
[22] RFC 3550: "RTP: A Transport Protocol for Real-Time Applications".
[23] RFC 3711: "The Secure Real-time Transport Protocol (SRTP)".
[24] NIST FIPS 186-4: "Digital Signature Standard (DSS)".
[25] BSI TR-03111: "Technical Guideline TR-03111; Elliptic Curve Cryptography".
[26] RFC 5639: "Elliptic Curve Cryptography (ECC) Brainpool Standard; Curves and Curve Generation".
[27] RFC 3339: "Date and Time on the Internet: Timestamps".
[28] RFC 5280: "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile".
[29] NIST FIPS 180-4: "Secure Hash Standard (SHS)".
[30] Open Mobile Alliance, OMA AD SUPL: "Secure User Plane Location Architecture", (http://www.openmobilealliance.org).
[31] ETSI TS 102 223: "Smart Cards; Card Application Toolkit (CAT)".
[32] TR 23.713: "Study on extended architecture support for Proximity-based services".
[33] TS 33.303: "Proximity-based Services (ProSe); Security aspects".
[34] TS 33.259: "Key establishment between a UICC Hosting Device and a Remote Device".
[35] TS 24.334: "Proximity-services (ProSe) User Equipment (UE) to ProSe function protocol aspects".
[36] TS 33.187: "Security aspects of Machine-Type Communications (MTC) and other mobile data applications communications enhancements".
[37] TS 33.246: "3G Security; Security of Multimedia Broadcast/Multicast Service (MBMS)".

3  Definitions and abbreviations

3.1  Definitions

For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
Open ProSe Discovery:
is ProSe Discovery without explicit permission from the UE being discovered.
ProSe Application Identity:
An identity identifying application-related information for the ProSe-enabled UE. More than one ProSe Application Identity can exist per UE.
ProSe Application Key:
A key associated with a ProSe Application Identity, meant to be used for restricted discovery.
ProSe Discovery:
A process that identifies that a ProSe-enabled UE is in proximity of another, using E-UTRA (with or without E-UTRAN) or EPC.
ProSe Direct Discovery:
A procedure employed by a ProSe-enabled UE to discover other ProSe-enabled UEs in its vicinity by using only the capabilities of the two UEs with Rel-12 E-UTRA technology.
EPC-level ProSe Discovery:
A process by which the EPC determines the proximity of two ProSe-enabled UEs and informs them of their proximity.
ProSe UE-to-Network Relay:
is a form of relay in which a Public Safety ProSe-enabled UE acts as a ProSe E-UTRA communication relay between a Public Safety ProSe-enabled UE and the ProSe-enabled network using E-UTRA.
ProSe UE-to-UE Relay:
is a form of relay in which a Public Safety ProSe-enabled UE acts as a ProSe E-UTRA Communication relay between two other Public Safety ProSe-enabled UEs.
ProSe-enabled UE:
A UE that fulfils ProSe requirements for ProSe Discovery and/or ProSe Communication. Unless explicitly stated otherwise, a ProSe-enabled UE refers to any ProSe-enabled UE (i.e. Public Safety or not).
ProSe-enabled Network:
A network that supports ProSe Discovery and/or ProSe Communication. Unless explicitly stated otherwise in the present document, a network refers to a ProSe-enabled Network.
ProSe Communication:
A communication between two or more ProSe-enabled UEs in proximity by means of a ProSe Communication path. Unless explicitly stated otherwise, the term "ProSe Communication" refers to any/all of the following:
  • ProSe E-UTRA Communication between only two ProSe-enabled UEs; or
  • ProSe Group Communication or ProSe Broadcast Communication among Public Safety ProSe-enabled UEs; or
  • ProSe-assisted WLAN direct communication.
ProSe Broadcast Communication:
A one-to-all ProSe E-UTRA Communication, between all authorized Public Safety ProSe-enabled UEs in proximity, by means of a common ProSe E-UTRA Communication path established between these UEs.
ProSe Group Communication:
A one-to-many ProSe E-UTRA Communication, between more than two Public Safety ProSe-enabled UEs in proximity, by means of a common ProSe E-UTRA Communication path established between the Public Safety ProSe-enabled UEs.
ProSe UE Identity:
A unique identity allocated by EPS which identifies the ProSe-enabled UE. It can be assigned to a UE at any moment in time for a configurable duration and can be stored at the UE, but its value cannot be assigned by the user and is subject to operator assignment and re-assignment.
Proximity:
is determined ("a UE is in proximity of another UE") when given proximity criteria are fulfilled. Proximity criteria can be different for discovery and communication.
Restricted ProSe Discovery:
A ProSe Discovery that only takes place with explicit permission from the UE being discovered.
EPC ProSe User ID:
An identifier for EPC-level ProSe Discovery and EPC support for WLAN direct communication that uniquely identifies a UE registered for ProSe. This identifier can be occasionally reassigned by the ProSe Function.
Remote UE:
A ProSe-enabled Public Safety UE that is not served by E-UTRAN and that communicates with a PDN via a ProSe UE-to-Network Relay.

3.2  Abbreviations

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
ProSe
Proximity Services
