7.2.12 5G ProSe direct link authentication procedure

3GPP TS 24.554: Proximity-services (ProSe) in 5G System (5GS) protocol aspects; Stage 3 (Release 17)

7.2.12.1 General

The 5G ProSe direct link authentication procedure is used to perform mutual authentication of UEs establishing a 5G ProSe direct link and to derive a new KNRP shared between two UEs during a 5G ProSe direct link establishment procedure or a 5G ProSe direct link re-keying procedure. After successful completion of the 5G ProSe direct link authentication procedure, the new KNRP is used for security establishment during the 5G ProSe direct link security mode control procedure as specified in clause 7.2.10. The UE sending the PROSE DIRECT LINK AUTHENTICATION REQUEST message is called the "initiating UE" and the other UE is called the "target UE".

NOTE: The 5G ProSe direct link authentication procedure is applicable neither to 5G ProSe layer-3 UE-to-network relay nor to 5G ProSe layer-2 UE-to-network relay.

7.2.12.2 5G ProSe direct link authentication procedure initiation by the initiating UE

The initiating UE, when it has decided to establish non-null signalling integrity protection, shall meet one of the following pre-conditions before initiating the 5G ProSe direct link authentication procedure:

a) the target UE has initiated a 5G ProSe direct link establishment procedure toward the initiating UE by sending a PROSE DIRECT LINK ESTABLISHMENT REQUEST message and:

1) the PROSE DIRECT LINK ESTABLISHMENT REQUEST message:

i) includes a target user info IE which includes the application layer ID of the initiating UE; or

ii) does not include a target user info IE and the initiating UE is interested in the ProSe service identified by the ProSe identifier in the PROSE DIRECT LINK ESTABLISHMENT REQUEST message; and

2) the KNRP ID is not included in the PROSE DIRECT LINK ESTABLISHMENT REQUEST message, or the initiating UE does not have an existing KNRP for the KNRP ID included in the PROSE DIRECT LINK ESTABLISHMENT REQUEST message, or the initiating UE derives a new KNRP; or

b) the target UE has initiated a 5G ProSe direct link re-keying procedure toward the initiating UE by sending a PROSE DIRECT LINK REKEYING REQUEST message and the PROSE DIRECT LINK REKEYING REQUEST message includes a Re-authentication indication.

In order to initiate the 5G ProSe direct link authentication procedure, the initiating UE shall create a PROSE DIRECT LINK AUTHENTICATION REQUEST message. In this message, the initiating UE:

a) shall include the key establishment information container IE.

NOTE 1: The Key establishment information container is provided by upper layers.

The initiating UE shall self-assign a source layer-2 ID and shall set the destination layer-2 ID to the source layer-2 ID received in the PROSE DIRECT LINK ESTABLISHMENT REQUEST message.

NOTE 2: The UE implementation ensures that any value of the self-assigned source layer-2 ID is different from any other self-assigned source layer-2 ID(s) in use for 5G ProSe direct discovery as specified in clause 6.2.14, clause 6.2.15 and clause 8.2.1 and is different from any other provisioned destination layer-2 ID(s) as specified in clause 5.2.

NOTE 3: It is possible for the target UE to reuse the target UE’s layer-2 ID used in a previous 5G ProSe direct link with the same peer UE.

After the PROSE DIRECT LINK AUTHENTICATION REQUEST message is generated, the initiating UE shall pass this message to the lower layers for transmission along with the initiating UE’s layer-2 ID for unicast communication and the target UE’s layer-2 ID for unicast communication.

The initiating UE shall start timer T5092. The UE shall not send a new PROSE DIRECT LINK AUTHENTICATION REQUEST message to the same target UE while timer T5092 is running.

Figure 7.2.12.2.1: 5G ProSe direct link authentication procedure

7.2.12.3 5G ProSe direct link authentication procedure accepted by the target UE

Upon receipt of a PROSE DIRECT LINK AUTHENTICATION REQUEST message, if a newly assigned initiating UE’s layer-2 ID is included, the target UE shall replace the original initiating UE’s layer-2 ID with the newly assigned initiating UE’s layer-2 ID for unicast communication. If the target UE determines that the PROSE DIRECT LINK AUTHENTICATION REQUEST message can be accepted, the target UE shall create a PROSE DIRECT LINK AUTHENTICATION RESPONSE message. The target UE shall check whether the number of established 5G ProSe direct links is less than the implementation-specific maximum number of established NR 5G ProSe direct links allowed in the UE at a time. In this message, the target UE:

a) shall include the Key establishment information container IE.

NOTE: The key establishment information container is provided by upper layers.

After the PROSE DIRECT LINK AUTHENTICATION RESPONSE message is generated, the target UE shall pass this message to the lower layers for transmission along with the target UE’s layer-2 ID for unicast communication and the initiating UE’s layer-2 ID for unicast communication.

7.2.12.4 5G ProSe direct link authentication procedure completion by the initiating UE

Upon receiving a PROSE DIRECT LINK AUTHENTICATION RESPONSE message, if the initiating UE determines that the PROSE DIRECT LINK AUTHENTICATION RESPONSE message can be accepted, the initiating UE shall stop timer T5092.

NOTE: The point in the 5G ProSe direct link authentication procedure at which the initiating UE derives the new KNRP depends on the authentication method in use.

7.2.12.5 5G ProSe direct link authentication procedure not accepted by the target UE

If the PROSE DIRECT LINK AUTHENTICATION REQUEST message cannot be accepted, the target UE shall create a PROSE DIRECT LINK AUTHENTICATION REJECT message. In this message, the target UE shall include a PC5 signalling protocol cause IE indicating one of the following cause values:

#5: lack of resources for 5G ProSe direct link;

#6: authentication failure.

If this 5G ProSe direct link authentication procedure is triggered during the 5G ProSe direct link establishment procedure and the implementation-specific maximum number of established NR 5G ProSe direct links has been reached, then the target UE shall send a PROSE DIRECT LINK AUTHENTICATION REJECT message containing PC5 signalling protocol cause value #5 "lack of resources for 5G ProSe direct link".

After the PROSE DIRECT LINK AUTHENTICATION REJECT message is generated, the target UE shall pass this message to the lower layers for transmission along with the initiating UE’s layer-2 ID for unicast communication and the target UE’s layer-2 ID for unicast communication.

The target UE shall abort the ongoing procedure that triggered the initiation of the 5G ProSe direct link authentication procedure if the ongoing procedure is the 5G ProSe direct link establishment procedure and the target user info is included in the PROSE DIRECT LINK ESTABLISHMENT REQUEST message.

Upon receipt of the PROSE DIRECT LINK AUTHENTICATION REJECT message, the initiating UE shall stop timer T5092 and abort the ongoing procedure that triggered the initiation of the 5G ProSe direct link authentication procedure.

7.2.12.6 5G ProSe direct link authentication procedure not accepted by the initiating UE

If the PROSE DIRECT LINK AUTHENTICATION RESPONSE message cannot be accepted, the initiating UE shall stop timer T5092 and create a PROSE DIRECT LINK AUTHENTICATION FAILURE message. In this message, the initiating UE may include the Key establishment information container IE if provided by upper layers.

After the PROSE DIRECT LINK AUTHENTICATION FAILURE message is generated, the initiating UE shall pass this message to the lower layers for transmission along with the initiating UE’s layer-2 ID for unicast communication and the target UE’s layer-2 ID for unicast communication.

The initiating UE shall abort the ongoing procedure that triggered the initiation of the 5G ProSe direct link authentication procedure.

Upon receipt of the PROSE DIRECT LINK AUTHENTICATION FAILURE message, the target UE shall abort the ongoing procedure that triggered the initiation of the 5G ProSe direct link authentication procedure and shall indicate to upper layers that authentication has failed.

7.2.12.7 Abnormal cases

7.2.12.7.1 Abnormal cases at the initiating UE

a) Timer T5092 expires.

The initiating UE shall retransmit the PROSE DIRECT LINK AUTHENTICATION REQUEST message and restart timer T5092. After reaching the maximum number of allowed retransmissions, the initiating UE shall abort the 5G ProSe direct link authentication procedure and shall abort the ongoing procedure that triggered the initiation of the 5G ProSe direct link authentication procedure.

NOTE 1: The maximum number of allowed retransmissions is UE implementation specific.

b) The need to use this 5G ProSe direct link no longer exists before the 5G ProSe direct link authentication procedure is completed.

The initiating UE shall abort the 5G ProSe direct link authentication procedure and shall abort the ongoing procedure that triggered the initiation of the 5G ProSe direct link authentication procedure.

c) For the same 5G ProSe direct link, if the initiating UE receives a PROSE DIRECT LINK RELEASE REQUEST message during the 5G ProSe direct link authentication procedure, the initiating UE shall stop all running timers for this 5G ProSe direct link, abort the 5G ProSe direct link authentication procedure and proceed with the 5G ProSe direct link release procedure.

NOTE 2: The abnormal case described in bullet c) only occurs when the 5G ProSe direct link authentication procedure is used to perform mutual authentication of UEs during a 5G ProSe direct link re-keying procedure.
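The following is an added example, not text or code from TS 24.554: a minimal Python model of both UE roles across clauses 7.2.12.2 to 7.2.12.7 (REQUEST with T5092, RESPONSE, REJECT with cause #5 or #6, FAILURE, and retransmission on T5092 expiry). The Msg layout, the container bytes, the upper_layer_ok flag standing in for the upper-layer verdict, and the max_retx value are assumptions; the specification leaves the container to upper layers and the retransmission limit to the UE implementation.

```python
# Added example, not from TS 24.554: both UE roles of the 5G ProSe direct link authentication
# exchange (clauses 7.2.12.2 to 7.2.12.7). Msg layout, container bytes and max_retx are placeholders.
from dataclasses import dataclass
from typing import Optional

CAUSE_LACK_OF_RESOURCES = 5   # #5: lack of resources for 5G ProSe direct link
CAUSE_AUTH_FAILURE = 6        # #6: authentication failure

@dataclass
class Msg:
    kind: str                      # REQUEST, RESPONSE, REJECT or FAILURE
    src_l2: int                    # sender's layer-2 ID for unicast communication
    dst_l2: int                    # receiver's layer-2 ID for unicast communication
    container: bytes = b""         # Key establishment information container (from upper layers)
    cause: Optional[int] = None    # PC5 signalling protocol cause IE (REJECT only)
@dataclass
class TargetUE:
    l2_id: int
    max_links: int                 # implementation-specific maximum number of direct links
    links: int = 0                 # direct links currently established
    def handle_request(self, req: Msg, upper_layer_ok: bool) -> Msg:
        # 7.2.12.3: reply to the (possibly newly assigned) layer-2 ID carried in the REQUEST
        if self.links >= self.max_links:   # 7.2.12.5: link limit already reached
            return Msg("REJECT", self.l2_id, req.src_l2, cause=CAUSE_LACK_OF_RESOURCES)
        if not upper_layer_ok:             # upper layers could not verify the container
            return Msg("REJECT", self.l2_id, req.src_l2, cause=CAUSE_AUTH_FAILURE)
        return Msg("RESPONSE", self.l2_id, req.src_l2, container=b"resp-container")
@dataclass
class InitiatingUE:
    l2_id: int
    peer_l2: int                   # source layer-2 ID of the received ESTABLISHMENT REQUEST
    max_retx: int = 3              # UE implementation specific (NOTE 1 of clause 7.2.12.7.1)
    t5092_running: bool = False
    retx: int = 0
    aborted: bool = False          # True once the triggering procedure must be aborted
    def start(self) -> Msg:        # 7.2.12.2: send the REQUEST and start T5092
        self.t5092_running = True
        return Msg("REQUEST", self.l2_id, self.peer_l2, container=b"req-container")
    def t5092_expired(self) -> Optional[Msg]:   # 7.2.12.7.1 a): retransmit, then abort
        if self.retx >= self.max_retx:
            self.aborted, self.t5092_running = True, False
            return None
        self.retx += 1
        return self.start()
    def handle(self, m: Msg, upper_layer_ok: bool = True) -> Optional[Msg]:
        self.t5092_running = False          # 7.2.12.4 to 7.2.12.6: RESPONSE or REJECT stops T5092
        if m.kind == "REJECT" or not upper_layer_ok:
            self.aborted = True             # abort the triggering procedure
        if m.kind == "RESPONSE" and not upper_layer_ok:   # 7.2.12.6: reply with FAILURE
            return Msg("FAILURE", self.l2_id, self.peer_l2)
        return None
```

A real UE would also enforce the pre-conditions of clause 7.2.12.2 before calling start(); the model above begins at the point where those pre-conditions already hold.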