5.5.4 Authentication and key agreement procedure for 5G ProSe UE-to-network relay
3GPP TS 24.501: Non-Access-Stratum (NAS) protocol for 5G System (5GS); Stage 3 (Release 18)
5.5.4.1 General
The purpose of the authentication and key agreement procedure for 5G ProSe UE-to-network relay is to perform the authentication for 5G ProSe remote UE initiated by the 5G ProSe UE-to-network relay and to agree on the KAUSF_P and KNR_ProSe when the security for 5G ProSe communication via 5G ProSe UE-to-network relay is performed over control plane as specified in 3GPP TS 33.503 [56].
The procedure as shown in figure 5.5.4.1.1 is initiated by the UE when the UE receives the ProSe direct link establishment request including the SUCI or the CP-PRUK ID of the 5G ProSe remote UE from the 5G ProSe remote UE, for establishing secure PC5 unicast link as specified in 3GPP TS 24.554 [19E].
If the network decides to process the relay key request message, the EAP based authentication and key agreement procedure is initiated and controlled by the network. The exchanges of EAP messages between the 5G ProSe remote UE and the network are relayed by the UE.
Figure 5.5.4.1.1: Authentication and key agreement procedure for 5G ProSe UE-to-network relay
5.5.4.2 ProSe relay transaction identity (PRTI)
Upon receiving a ProSe direct link establishment request from a 5G ProSe remote UE for establishing a secure PC5 unicast link as specified in 3GPP TS 24.554 [19E], the UE shall allocate an available PRTI value for the authentication and key agreement procedure for 5G ProSe UE-to-network relay and associate this PRTI value with the 5G ProSe remote UE.
The UE shall release the PRTI value allocated to the authentication and key agreement procedure for 5G ProSe UE-to-network relay when the authentication and key agreement procedure for 5G ProSe UE-to-network relay completes or is aborted.
5.5.4.3 UE-initiated authentication and key agreement procedure initiation
Upon receiving a ProSe direct link establishment request from the 5G ProSe remote UE including the SUCI or the CP-PRUK ID of the 5G ProSe remote UE, for establishing a secure PC5 unicast link as specified in 3GPP TS 24.554 [19E] when the security for 5G ProSe communication via 5G ProSe UE-to-network relay is performed over control plane as specified in 3GPP TS 33.503 [56], the UE shall:
a) allocate a PRTI value as specified in clause 5.5.4.2;
b) create a RELAY KEY REQUEST message;
c) set the PRTI IE of the RELAY KEY REQUEST message to the allocated PRTI value;
d) set the relay key request parameters IE of the RELAY KEY REQUEST message to the SUCI or the CP-PRUK ID, the relay service code, and the nonce_1 received from the 5G ProSe remote UE;
e) send the RELAY KEY REQUEST message; and
f) start the timer T3527 upon sending the RELAY KEY REQUEST message.
5.5.4.4 UE-initiated authentication and key agreement procedure accepted by the network
Upon receiving the RELAY KEY REQUEST message, the AMF processes the message and interacts with the AUSF of the 5G ProSe remote UE as specified in 3GPP TS 33.503 [56]. If EAP-AKA’ authentication for the 5G ProSe remote UE is initiated by the network, the AMF shall:
a) create a RELAY AUTHENTICATION REQUEST message;
b) set the PRTI IE of the RELAY AUTHENTICATION REQUEST message to the PRTI value of the received RELAY KEY REQUEST message;
c) set the EAP message IE of the RELAY AUTHENTICATION REQUEST message to the EAP request message received from the AUSF; and
d) send the RELAY AUTHENTICATION REQUEST message to the UE.
Upon receiving the RELAY AUTHENTICATION REQUEST message, the UE stops the timer T3527 and forwards the EAP message to the 5G ProSe remote UE as specified in 3GPP TS 24.554 [19E].
Upon receiving the EAP response message from the 5G ProSe remote UE as specified in 3GPP TS 24.554 [19E], the UE shall:
a) create a RELAY AUTHENTICATION RESPONSE message;
b) set the PRTI IE of the RELAY AUTHENTICATION RESPONSE message to the PRTI value of the received RELAY AUTHENTICATION REQUEST message;
c) set the EAP message IE of the RELAY AUTHENTICATION RESPONSE message to the EAP response message received from the 5G ProSe remote UE; and
d) start the timer T3527 upon sending the RELAY AUTHENTICATION RESPONSE message to the AMF.
After receiving the RELAY AUTHENTICATION RESPONSE message, the AMF may send a new RELAY AUTHENTICATION REQUEST message carrying an EAP request message according to further handling of the EAP-AKA’ authentication by the AUSF as specified in 3GPP TS 33.503 [56]. The UE repeats the handling of the RELAY AUTHENTICATION REQUEST message as described above.
Upon receiving the message from the AUSF that the authentication is successful, the AMF shall:
a) create a RELAY KEY ACCEPT message;
b) set the PRTI IE of the RELAY KEY ACCEPT message to the PRTI value of the RELAY KEY REQUEST message;
c) include the EAP message IE of the RELAY KEY ACCEPT message set to EAP-success message received from the AUSF, if any;
d) include the relay key response parameters IE of the RELAY KEY ACCEPT message set to the KNR_ProSe and nonce_2 received from the AUSF; and
e) include the CP-PRUK ID in the relay key response parameters IE of the RELAY KEY ACCEPT message.
Upon receiving the RELAY KEY ACCEPT message, the UE shall forward the EAP-success message, if any, and nonce_2 to the 5G ProSe remote UE as specified in 3GPP TS 24.554 [19E], and consider the authentication as completed successfully. The UE shall store the CP-PRUK ID to be used in the remote UE report procedure as specified in clause 6.6.2.2.
5.5.4.5 UE-initiated authentication and key agreement procedure not accepted by the network
If the UE-initiated authentication and key agreement procedure is not accepted by the network, the AMF shall:
a) create a RELAY KEY REJECT message;
b) set the PRTI IE of the RELAY KEY REJECT message to the PRTI value of the received RELAY KEY REQUEST message if the network decides to reject the RELAY KEY REQUEST message; or
set the PRTI IE of the RELAY KEY REJECT message to the PRTI value of the received RELAY AUTHENTICATION RESPONSE message and include the EAP message IE set with EAP-failure message if the AMF receives an EAP-failure message from the AUSF; and
c) send the RELAY KEY REJECT message to the UE.
Upon receiving the RELAY KEY REJECT message, the UE shall consider that the authentication has failed and perform the PC5 signalling protocol procedure as specified in subclause 7.2.2.5 of 3GPP TS 24.554 [19E].
5.5.4.6 Abnormal cases in the UE
The following abnormal cases in the UE can be identified:
a) Indication from lower layers of a transmission failure of the RELAY KEY REQUEST message or the RELAY KEY AUTHENTICATION RESPONSE message.
The UE shall abort the authentication and key agreement procedure for 5G ProSe UE-to-network relay and perform the PC5 signalling protocol procedure as specified in subclause 7.2.2.5 of 3GPP TS 24.554 [19E].
b) Expiry of timer T3527.
The UE shall, on the first expiry of the timer T3527, retransmit the RELAY KEY REQUEST message or the RELAY KEY AUTHENTICATION RESPONSE message and shall reset and start timer T3527. This retransmission is repeated four times, i.e. on the fifth expiry of timer T3527, the procedure shall be aborted.
c) Collision between the authentication and key agreement procedure for 5G ProSe UE-to-network relay and de-registration procedure.
The UE shall abort the authentication and key agreement procedure for 5G ProSe UE-to-network relay, proceed with the network-initiated de-registration procedure, and perform the PC5 signalling protocol procedure as specified in subclause 7.2.2.5 of 3GPP TS 24.554 [19E].
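The relay UE's side of clauses 5.5.4.3 to 5.5.4.6 (PRTI allocation and release, relaying of the EAP exchange, the T3527 retransmission limit), as an added example that is not 3GPP text or code; the dict message encoding, the class name and the 8-bit PRTI pool are assumptions.

```python
# Added example, not 3GPP code: the relay UE side of the TS 24.501 clause 5.5.4 procedure
# as a state machine. Message/IE names follow the clause; the dict encoding is an assumption.
MAX_T3527_RETRANSMISSIONS = 4  # clause 5.5.4.6 b): 4 retransmissions, abort on the 5th expiry


class RelayUe:
    def __init__(self, remote_ue_id, relay_service_code, nonce_1):
        # SUCI or CP-PRUK ID, relay service code and nonce_1 received from the remote UE over PC5
        self.params = {"id": remote_ue_id, "rsc": relay_service_code, "nonce_1": nonce_1}
        self.prti_pool = set()  # PRTI values currently allocated by this relay UE (8-bit assumed)
        self.prti = self.last_sent = self.cp_pruk_id = None  # PRTI, retransmit buffer, CP-PRUK ID
        self.state = "IDLE"     # WAIT_NETWORK, WAIT_REMOTE, COMPLETED, FAILED, ABORTED
        self.t3527_expiries = 0

    def start(self):  # clause 5.5.4.3: allocate a PRTI, send RELAY KEY REQUEST, start T3527
        self.prti = next(p for p in range(256) if p not in self.prti_pool)
        self.prti_pool.add(self.prti)
        return self._send({"type": "RELAY KEY REQUEST", "prti": self.prti, "params": self.params})

    def on_remote_eap_response(self, eap):  # clause 5.5.4.4: relay the EAP response, start T3527
        return self._send({"type": "RELAY AUTHENTICATION RESPONSE", "prti": self.prti, "eap": eap})

    def on_network_message(self, msg):  # NAS message from the AMF; returns what goes over PC5
        if msg["prti"] != self.prti:    # not our transaction: ignore
            return None
        self.t3527_expiries = 0         # T3527 stops on reception
        if msg["type"] == "RELAY AUTHENTICATION REQUEST":
            self.state = "WAIT_REMOTE"
            return {"eap": msg["eap"]}
        if msg["type"] == "RELAY KEY ACCEPT":
            self.cp_pruk_id = msg["params"]["cp_pruk_id"]  # kept for the remote UE report (6.6.2.2)
            self._finish("COMPLETED")
            return {"eap": msg.get("eap"), "nonce_2": msg["params"]["nonce_2"]}
        if msg["type"] == "RELAY KEY REJECT":  # PC5 handling per TS 24.554 clause 7.2.2.5 follows
            self._finish("FAILED")
            return {"eap": msg.get("eap")}
        return None

    def on_t3527_expiry(self):  # clause 5.5.4.6 b): retransmit on expiries 1-4, abort on the 5th
        self.t3527_expiries += 1
        if self.t3527_expiries > MAX_T3527_RETRANSMISSIONS:
            self._finish("ABORTED")
            return None
        return self.last_sent

    def _send(self, msg):
        self.last_sent, self.state = msg, "WAIT_NETWORK"
        return msg

    def _finish(self, outcome):
        self.prti_pool.discard(self.prti)  # release the PRTI (clause 5.5.4.2)
        self.prti, self.state, self.last_sent = None, outcome, None
```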
5.5.4.7 Abnormal cases on the network side
The following abnormal cases on the network side can be identified:
a) Lower layer failure before the RELAY KEY AUTHENTICATION RESPONSE message is received.
The network shall abort the authentication and key agreement procedure for 5G ProSe UE-to-network relay.
b) Collision between the authentication and key agreement procedure for 5G ProSe UE-to-network relay and de-registration procedure.
The network shall abort the authentication and key agreement procedure for 5G ProSe UE-to-network relay and proceed with the UE-initiated de-registration procedure.
c) Collision between the authentication and key agreement procedure for 5G ProSe UE-to-network relay and a 5GMM procedure other than the one in item b.
The network shall progress both procedures.