15 Authentication procedure and NAS security context handling for 5G

3GPP TS 31.127 Release 17: UICC-terminal interaction; non-removable Universal Subscriber Identity Module (nrUSIM) application behavioural test specification

15.1 Authentication procedure for EAP-AKA’

15.1.1 Authentication procedure for EAP-AKA’ – Authentication is successful

15.1.1.1 Definition and applicability

The purpose of the primary authentication and key agreement procedure is to enable mutual authentication between the UE and the network and to provide keying material that can be used between the UE and network in subsequent security procedures. The UE and the AMF shall support the EAP based primary authentication and key agreement procedure.

In order to initiate the EAP based primary authentication and key agreement procedure using EAP-AKA’, the AUSF shall send an EAP message IE with EAP-request/AKA’-challenge message in the AuthenticationRequest message.

The 5G NAS security context parameters from a full native 5G NAS security context shall be stored on the USIM if the corresponding file is present on the USIM as specified in 3GPP TS 31.102 [19]. If the corresponding file is not present on the USIM, these 5GMM parameters are stored in a non-volatile memory in the ME together with the SUPI from the USIM.

The EF5GS3GPPNSC contains the 5GS 3GPP access NAS security context as defined in 3GPP TS 24.501 [25], consisting of KAMF with the associated key set identifier, the UE security capabilities, and the uplink and downlink NAS COUNT values. This file shall contain one record.

The EF5GAUTHKEYS contains KAUSF and KSEAF that are generated on the ME using CK and IK as part of AKA procedures as described in 3GPP TS 33.501 [24].

15.1.1.2 Conformance requirement

CR 1 The UE shall support the EAP based primary authentication and key agreement procedure.

CR 2 The ME shall forward the RAND and AUTN received in EAP-Request/AKA’-Challenge message to the USIM.

CR 3 The ME shall return the EAP message IE with EAP-response/AKA’-challenge in AuthenticationResponse message.

CR 4 As a result of successful authentication procedure and upon receipt of the EAP-Success message, the 5G NAS security context parameters shall be stored on the USIM if the corresponding file is present on the USIM when entering state 5GMM-Deregistered.

CR 5 If service n°122 is "available", the ME shall store KAMF with the associated key set identifier, the UE security capabilities, and the uplink and downlink NASCount values in EF5GS3GPPNSC on the USIM.

CR 6 If service n°123 is "available", the ME shall store the KAUSF and KSEAF in EF5GAUTHKEYS on the USIM.

CR 7 The UE can successfully register to the network.

Reference:

– TS 31.102 [4], clauses 4.4.11.3, 4.4.11.4 and 4.4.11.6;

– TS 33.501 [41], clause 6.1.3.1;

– TS 24.501 [42], clause 5.4.1.2 and Annex C.

15.1.1.3 Test purpose

The purpose of this test is to verify that:

1) the primary authentication and key agreement procedure enables mutual authentication between the UE and the network and provides keying material that can be used between the UE and network in subsequent security procedures.

2) the UE and the AMF support the EAP based primary authentication and key agreement procedure.

3) the EAP based primary authentication and key agreement procedure using EAP-AKA’ is performed if the AUSF has initiated an EAP message IE with EAP-request/AKA’-challenge message in the AuthenticationRequest message.

4) if the corresponding file is present on the USIM, the 5G NAS security context parameters from a full native 5G NAS security context are stored on the USIM.

5) EF5GS3GPPNSC contains one record with the 5GS 3GPP access NAS security context as defined in TS 24.501 [42], consisting of KAMF with the associated key set identifier, the UE security capabilities, and the uplink and downlink NASCount values.

6) EF5GAUTHKEYS contains KAUSF and KSEAF that are generated on the ME using CK and IK as part of AKA procedures as described in TS 33.501 [41].

7) the UE can successfully register to the network.

15.1.1.4 Method of test

15.1.1.4.1 Initial conditions

The values of the 5G-NR UICC as defined in clause 4.5.7 of the present document are used with the following exceptions:

EFUST (USIM Service Table)

Logically:

  Service n°124: Subscription identifier privacy support    available/not available

Coding:

  Byte:    B1         B2         B3         B4         B5         B6         B7         B8
  Binary:  xxxx xx1x  xxxx xxxx  xxxx 1x00  xxxx x1xx  xxxx xx11  xxx1 xx1x  xxxx xxxx  xxxx xxxx

  Byte:    B9         B10        B11        B16
  Binary:  xxxx xxxx  xxxx xxxx  xx11 xxxx  xxx0 y11x
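The EFUST bit masks above can be checked mechanically. The following is an added example (not part of TS 31.127 or any TT implementation) that maps a service number to its byte and bit using the TS 31.102 rule (service n°1 is b1 of byte 1, service n°9 is b1 of byte 2, and so on), checks a raw EFUST body against the initial-condition masks on this page, and toggles service n°124 as step 10 of the procedure requires; the 16-byte UST content is a constructed sample, not a real card image.

```python
# Added example, not from TS 31.127. Models the EFUST coding used in the
# initial conditions: service n°1 is bit b1 of byte 1, service n°8 is b8 of
# byte 1, service n°9 is b1 of byte 2, etc. The masks are copied from the
# page; the sample UST bytes are constructed for illustration only.

def service_position(service_no):
    """Return (byte number from 1, bit number b1..b8) of a UST service."""
    if service_no < 1:
        raise ValueError("USIM service numbers start at 1")
    return (service_no - 1) // 8 + 1, (service_no - 1) % 8 + 1

def service_available(ust, service_no):
    """True if the service bit is set; a byte beyond the file end means 'not available'."""
    byte_no, bit_no = service_position(service_no)
    if byte_no > len(ust):
        return False
    return bool((ust[byte_no - 1] >> (bit_no - 1)) & 1)

def toggle_service(ust, service_no):
    """Return a copy of EFUST with the service bit inverted (step 10, service n°124)."""
    byte_no, bit_no = service_position(service_no)
    out = bytearray(ust)
    out[byte_no - 1] ^= 1 << (bit_no - 1)
    return bytes(out)

def matches_mask(value, mask):
    """Check one byte against a pattern written MSB first as 'b8b7b6b5 b4b3b2b1'.
    '0'/'1' are fixed bits; 'x' is don't-care; 'y' is the bit the TT may toggle."""
    bits = mask.replace(" ", "")
    if len(bits) != 8:
        raise ValueError("mask must name eight bits")
    for pos, wanted in enumerate(bits):
        actual = (value >> (7 - pos)) & 1
        if wanted in "01" and actual != int(wanted):
            return False
    return True

# Initial-condition masks from the page; bytes not listed are unconstrained.
UST_MASKS = {1: "xxxx xx1x", 3: "xxxx 1x00", 4: "xxxx x1xx", 5: "xxxx xx11",
             6: "xxx1 xx1x", 11: "xx11 xxxx", 16: "xxx0 y11x"}

def check_initial_conditions(ust):
    """Return the byte numbers whose content violates the required coding."""
    return [b for b, m in UST_MASKS.items()
            if b > len(ust) or not matches_mask(ust[b - 1], m)]

# Constructed sample satisfying every mask, with services 122 and 123 available
# (b2, b3 of B16) and service n°124 (b4 of B16, the 'y' bit) not available.
SAMPLE_UST = bytes([0x02, 0x00, 0x08, 0x04, 0x03, 0x12, 0x00, 0x00,
                    0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x06])
```

Toggling service n°124 changes only the 'y' bit of B16, so the toggled file still satisfies every mask, while setting b5 of B16 (service n°125) would be reported as a violation.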

EF5GS3GPPNSC and EF5GAUTHKEYS

The NG-SS generates authentication vectors using the RAND value sent to the ME. It uses the CK/IK values to derive the 5G Authentication Keys (KAUSF and KSEAF) and the NAS security context.

– The RAND value shall be different each time TC is initialized.

The TT updates EF5GS3GPPNSC with the NAS Security Context and EF5GAUTHKEYS with the KAUSF and KSEAF generated.

Editor’s Note:

SQN values and their handling are done in accordance with the TT implementation.

The NG-SS is configured to transmit on the BCCH, with the following network parameters:

– TAI (MCC/MNC/TAC): 244/083/000001

– Access control: unrestricted.

The Home Network Private Key on the NG-SS shall be configured as follows:

Coding:

  Byte:  B1   B2   B3   B4   B5   B6   B7   B8   B9   B10  B11  B12
  Hex:   F1   AB   10   74   47   7E   BC   C7   F5   54   EA   1C

  Byte:  B13  B14  B15  B16  B17  B18  B19  B20  B21  B22  B23  B24
  Hex:   5F   C3   68   B1   61   67   30   15   5E   00   41   AC

  Byte:  B25  B26  B27  B28  B29  B30  B31  B32
  Hex:   44   7D   63   01   97   5F   EC   DA

NOTE: The Home Network Private Key is to be used if the TT updates UST Service n°124 as available.

15.1.1.4.2 Procedure

Step | Direction | Action | Comment | REQ | SA
-----|-----------|--------|---------|-----|---
1 | TT | Activate the RF output on the BCCH with: TAI (MCC/MNC/TAC): 244/083/0001; Access control: unrestricted | The NG-SS on the TT is activated | |
  | UE | The UE is switched on | | |
2 | UE > TT | Send RRCSetupRequest | | |
3 | TT > UE | Send a RRCSetup message | | |
4 | UE > TT | Send RRCSetupComplete | | |
5 | UE > TT | Send RegistrationRequest | The NG-SS on the TT initiated the EAP-AKA’ authentication procedure | |
6 | TT > UE | Send the AuthenticationRequest message with EAP message IE with EAP-request/AKA’-challenge message with: ngKSI (NAS key set identifier: ‘000’, TSC: ‘0’); EAP message: EAP-request/AKA’-challenge | The NG-SS on the TT generates KAMF, KAUSF and KSEAF values | |
  | ME > USIM | Pass the RAND and AUTN values to the USIM | The ME provides the EAP-request/AKA’-challenge data received in the AuthenticationRequest to the USIM | CR 1, CR 2 |
7 | UE > TT | Send AuthenticationResponse message with EAP message IE with EAP-response/AKA’-challenge message | | CR 3 |
8 | TT > UE | Send SecurityModeCommand message with EAP-success | The NG-SS on the TT sends the SecurityModeCommand message | |
9 | TT > UE | Send RegistrationAccept message with: 5G-GUTI: 24408300010266436587; TAI: 42 34 80 00 00 01 | The NG-SS on the TT sends the RegistrationAccept message | |
10 | UE | The UE is switched off and/or signalling on RAN is deactivated. | When entering the state 5GMM-Deregistered the ME stores the 5G NAS security context parameters on the USIM | CR 4 | A.2/1 OR A.2/2 OR A.2/4
   | TT > USIM | Toggle the bit for service n°124 in EFUST | The TT or the test operator shall perform whatever action is needed to modify the contents of EFUST. | | A.2/1 OR A.2/2 OR A.2/4
11 | UE | The UE is switched on and/or signalling on RAN is activated. | Depending on the required procedure the UE has to be reactivated or to re-enable its RAN | |
12 | UE > TT | Send REGISTRATION REQUEST message | | |
13 | TT > UE | Send REGISTRATION ACCEPT message | | CR 7 |
14 | TT | Read EF5GS3GPPNSC and EF5GAUTHKEYS | The TT or the test operator shall perform whatever action is needed to get read access to EF5GS3GPPNSC and EF5GAUTHKEYS | CR 5, CR 6 | A.2/1 OR A.2/2 OR A.2/4
15 | UE | Switch off the UE | | |

NOTE: The deactivation of the UE might have been executed in step 14) if required to allow the read access.

15.1.1.5 Acceptance criteria

CR 1 is verified if CR 2 is met, and the ME forwards the RAND and AUTN received in EAP-Request/AKA’-Challenge message to the USIM.

CR 3 requirements are met if the NG-SS receives an EAP message IE with EAP-response/AKA’-challenge in the AuthenticationResponse message sent in response to the AuthenticationRequest in step 6).

CR 4 can be verified in step 10) after the state 5GMM-Deregistered is entered and if an appropriate method to read the EF content is provided by the UE manufacturer.

CR 5 and CR 6 can be verified in step 14) if an appropriate method to read the EF content is provided by the UE manufacturer.

CR 7 is verified if the UE is capable of registering to the NG-SS at step 13).

15.1.2 Authentication procedure for EAP-AKA’ – Authentication is successful – GSM UICC

RFU – agreed method to verify READ commands on EF_UST needed.

15.1.3 Authentication procedure for EAP-AKA’ – AUTN fails on the USIM

TBD? – probably random values shall be used. No other modification is needed to align with the present document, but a CR to verify the transfer of RAND and AUTN is missing.

15.1.4 Authentication procedure for EAP-AKA’ – after SUPI is changed

TBD? – probably random values shall be used. No other modification is needed to align with the present document.

15.2 Authentication procedure for 5G AKA

15.2.1 Authentication procedure for 5G AKA – Authentication is successful

RFU – agreed method to verify READ commands on EF_UST, EF_5GS3GPPNSC and EF_5GAUTHKEYS and UPDATE commands on EF_5GS3GPPNSC and EF_5GAUTHKEYS needed.

15.2.2 Authentication procedure for 5G AKA – Authentication is successful – GSM UICC

RFU – agreed method to verify READ commands on EF_UST needed.

15.2.3 Authentication procedure 5G AKA – AUTN fails on the USIM

RFU – agreed method to verify the transfer of RAND and AUTN to the USIM needed – align with 15.1.3.

15.2.4 Authentication procedure for 5G AKA – after SUPI is changed

TBD? – probably random values shall be used. No other modification is needed to align with the present document.