Content for TR 33.857 (Word version: 17.1.0)
5 Key issues
5.1 Key Issue #1: Credentials owned by an external entity
5.1.1 Key issue details
5.1.2 Security threats
5.1.3 Potential security requirements
5.2 Key Issue #2: Provisioning of Credentials
5.2.1 Key issue details
5.2.2 Security threats
5.2.3 Potential security requirements
5.3 Key Issue #3: Security impacts from supporting IMS voice and IMS services in SNPNs
5.3.1 Key issue details
5.3.2 Security threats
5.3.3 Potential security requirements
5.4 Key Issue #4: Securing initial access for UE onboarding between UE and SNPN
5.4.1 Introduction
5.4.2 Security threats
5.4.3 Potential security requirements
5.5 Key Issue #5: Roaming-related security mechanisms for SNPNs
5.5.1 Key issue details
5.5.2 Security threats
5.5.3 Potential security requirements
6 Solutions
6.0 Mapping of Solutions to Key Issues
6.1 Solution #1: Primary authentication between an SNPN and third-party AAA server using EAP
6.1.1 Introduction
6.1.2 Solution Details
6.1.2.0 General
6.1.2.1 Procedure
6.1.3 System impact
6.1.4 Evaluation
6.2 Solution #2: EAP authentication between UE and external AAA via AUSF
6.2.1 Introduction
6.2.2 Solution details
6.2.3 System impact
6.2.4 Evaluation
6.3 Solution #3: Primary authentication between an SNPN and third-party AAA server using EAP-TTLS
6.3.1 Introduction
6.3.2 Solution Details
6.3.2.0 General
6.3.2.1 Procedure
6.3.3 System impact
6.3.4 Evaluation
6.4 Solution #4: Authentication Framework Enhancements to support SNPN access
6.4.1 Introduction
6.4.2 Solution details
6.4.2.1 SNPN access using PLMN owned subscription credentials
6.4.2.2 SNPN access using third-party owned subscription credentials
6.4.3 System impact
6.4.4 Evaluation
6.5 Solution #5: Network Access Authentication with Credentials owned by an AAA external to the SNPN
6.5.1 Introduction
6.5.2 Solution details
6.5.3 System impact
6.5.4 Evaluation
6.6 Solution #6: Network access authentication with credentials owned by an entity separate from the SNPN
6.6.1 Introduction
6.6.2 Solution details
6.6.3 System impact
6.6.4 Evaluation
6.7 Solution #7: EAP authentication between UE and external AAA with enhanced security of KAUSF
6.7.1 Introduction
6.7.2 Solution details
6.7.3 System impact
6.7.4 Evaluation
6.8 Solution #8: UE onboarding for SNPN with AAA-S as DCS
6.8.1 Introduction
6.8.2 Solution details
6.8.3 System impact
6.8.4 Evaluation
6.9 Solution #9: UE onboarding for SNPN with UDM as DCS
6.9.1 Introduction
6.9.2 Solution details
6.9.2.0 General
6.9.2.1 Procedure
6.9.3 System impact
6.9.4 Evaluation
6.10 Solution #10: Secure initial access to an SNPN onboarding network
6.10.1 Introduction
6.10.2 Solution details
6.10.3 System impact
6.10.4 Evaluation
6.11 Solution #11: Securing initial access by using primary authentication
6.11.1 Introduction
6.11.2 Solution details
6.11.3 System impact
6.11.4 Evaluation
6.12 Solution #12: Authentication for UE Onboarding for SNPN
6.12.1 Introduction
6.12.2 Solution details
6.12.2.1 Authentication for onboarding with default credentials is provisioned in UDM
6.12.2.2 Authentication for onboarding with default credentials is provisioned in DCS
6.12.3 System impact
6.12.4 Evaluation
6.13 Solution #13: UE Onboarding for an SNPN from Onboarding SNPN with Secondary Authentication using EAP method with UE identity privacy
6.13.1 Introduction
6.13.2 Solution details
6.13.3 System impact
6.13.4 Evaluation
6.14 Solution #14: Initial access for UE Onboarding for an SNPN from Onboarding SNPN using primary and secondary authentication
6.14.1 Introduction
6.14.2 Solution details
6.14.2.0 General
6.14.2.1 Using EAP-TLS Authentication Procedures over 5G Networks for initial one-way authentication
6.14.3 System impact
6.14.4 Evaluation
6.15 Solution #15: Privacy protection of UE onboarding identifier
6.15.1 Introduction
6.15.2 Solution details
6.15.3 System impact
6.15.4 Evaluation
6.16 Solution #16: UE onboarding for SNPN with the interaction between PS and DCS
6.16.1 Introduction
6.16.2 Solution details
6.16.2.1 Procedure
6.16.2.2 Procedure
6.16.3 System impact
6.16.4 Evaluation
6.17 Solution #17: Solution to Provisioning of PNI-NPN Credentials
6.17.1 Introduction
6.17.2 Solution details
6.17.3 System Impact
6.17.4 Evaluation
6.18 Solution #18: Solution on service authorization for SNPNs
6.18.1 Introduction
6.18.2 Solution Details
6.18.3 System impact
6.18.4 Evaluation
6.19 Solution #19: Secure onboarding without client authentication
6.19.1 Introduction
6.19.2 Solution details
6.19.3 System impact
6.19.4 Evaluation
6.20 Solution #20: Control plane based provisioning: PS to AUSF
6.20.1 Introduction
6.20.2 Solution details
6.20.3 System impact
6.20.4 Evaluation
6.21 Solution #21: Control plane based provisioning: PS to UDM
6.21.1 Introduction
6.21.2 Solution details
6.21.3 System impact
6.21.4 Evaluation
6.22 Solution #22: Solution for onboarding and provisioning
6.22.1 Introduction
6.22.2 Solution details
6.22.3 System impact
6.22.4 Evaluation
6.23 Solution #23: Solution to enable onboarding and secured UE access based on credentials owned by an external entity
6.23.1 Introduction
6.23.2 Solution details
6.23.3 System impact
6.23.4 Evaluation
6.24 Solution #24: Secure mutually authenticated onboarding without DCS
6.24.1 Introduction
6.24.2 Solution details
6.24.3 System impact
6.24.4 Evaluation
6.25 Solution #25: UE Onboarding for an SNPN with EAP-TLS
6.25.1 Introduction
6.25.2 Solution details
6.25.2.1 General
6.25.2.2 Procedure
6.25.3 System impact
6.25.4 Evaluation
7 Conclusions
7.1 Conclusions on KI #1: Credentials owned by an external entity
7.2 Conclusions on KI #2: Provisioning of Credentials
7.3 Conclusions on KI #3: Security impacts from supporting IMS voice and IMS services in SNPNs
7.4 Conclusions on KI #4: Securing initial access for UE onboarding between UE and SNPN
7.5 Conclusions on KI #5: Roaming-related security mechanisms for SNPNs
Change history