6 Supporting security mechanisms
3GPP TS 33.180 Release 17: Security of the Mission Critical (MC) service
6.1 HTTP
6.1.1 Authentication for HTTP-1 interface
For authentication of the HTTP-1 reference point, one of the following authentication mechanisms shall be performed between the HTTP client in the MC UE and the HTTP server endpoint (HTTP proxy, IdM server or KMS):
– one-way authentication of the HTTP server endpoint based on the server certificate;
– mutual authentication based on client and server certificates;
– mutual authentication based on pre-shared key.
Certificate based authentication shall follow the profiles given in 3GPP TS 33.310 [5], clauses 6.1.3a and 6.1.4a. The structure of the PKI used for the certificate is out of scope of the present document. Guidance on certificate based mutual authentication is provided in 3GPP TS 33.222 [16], annex B.
The usage of Pre-Shared Key Ciphersuites for Transport Layer Security (TLS-PSK) is specified in the TLS profile given in 3GPP TS 33.310 [5], annex E.
6.1.2 HTTP-1 interface security
The support of Transport Layer Security (TLS) on HTTP-1 is mandatory. The profile for TLS implementation and usage shall follow the provisions given in 3GPP TS 33.310 [5], annex E.
If the PSK TLS based authentication mechanism is supported, the HTTP client in the MC UE and the HTTP Proxy shall support the TLS version, PSK ciphersuites and TLS Extensions as specified in the TLS profile given in 3GPP TS 33.310 [5], annex E. The usage of pre-shared key ciphersuites for TLS is specified in the TLS profile given in 3GPP TS 33.310 [5], annex E.
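As an added illustration of the first two HTTP-1 mechanisms above (not text or code from TS 33.180), the Go program below drives a TLS handshake between an MC UE client and an HTTP server endpoint using a constructed test PKI: the CA, the proxy name http-proxy.example and the UE name mc-ue.example are assumptions, and the TLS-PSK mechanism is not shown. It demonstrates that server-certificate authentication succeeds on its own, that mutual authentication succeeds when the UE holds a certificate from the trusted CA, and that an endpoint configured for mutual authentication rejects a UE that presents none.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// newCert issues an Ed25519 certificate for name, signed by ca (self-signed when ca is nil).
// Constructed test PKI only: the structure of the real PKI is out of scope of TS 33.180.
func newCert(name string, isCA bool, ca *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: isCA,
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	parent, signer := tmpl, key
	if ca != nil {
		parent, signer = ca.Leaf, ca.PrivateKey.(ed25519.PrivateKey)
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one HTTP-1 TLS handshake in memory between an MC UE and an HTTP server endpoint enforcing clientAuth; ueCert says whether the UE holds a certificate. It returns the server's verdict.
func handshake(clientAuth tls.ClientAuthType, ueCert bool) error {
	ca := newCert("mc-test-ca", true, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{MinVersion: tls.VersionTLS12, ClientAuth: clientAuth, ClientCAs: pool,
		SessionTicketsDisabled: true, Certificates: []tls.Certificate{newCert("http-proxy.example", false, &ca)}}
	ueCfg := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: pool, ServerName: "http-proxy.example"}
	if ueCert {
		ueCfg.Certificates = []tls.Certificate{newCert("mc-ue.example", false, &ca)}
	}
	srvConn, ueConn := net.Pipe() // in-memory connection, so no network is needed
	verdict := make(chan error, 1)
	go func() { verdict <- tls.Server(srvConn, srvCfg).Handshake() }()
	if err := tls.Client(ueConn, ueCfg).Handshake(); err != nil {
		return err // the UE side failed, e.g. it rejected the server certificate
	}
	ueConn.Close() // under TLS 1.3 the UE finishes first; only the server judges the UE certificate
	return <-verdict
}
```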
6.1.3 HTTP-3 interface security
The support of Transport Layer Security (TLS) on HTTP-3 is recommended between HTTP proxies. Where used, the profile for TLS implementation and usage shall follow the provisions given in 3GPP TS 33.310 [5], annex E.
6.2 SIP
6.2.1 Authentication for SIP core access
This clause specifies the mutual authentication between the UE and the SIP core.
IMS AKA authentication shall be performed as specified in 3GPP TS 33.203 [6] for SIP core access. The IMS AKA authentication mechanism as specified in 3GPP TS 33.203 [6] shall be performed irrespective of whether the SIP core architecture is compliant with 3GPP TS 23.228 [15] or not.
Authentication related information shall be provided by the SIP database, which may be part of the HSS or part of the MC service provider’s SIP database depending on the SIP core deployment scenarios specified in 3GPP TS 23.379 [2].
Implementation options and requirements on the ISIM or USIM application to support SIP core access security are specified in 3GPP TS 33.203 [6].
6.2.2 SIP-1 interface security
The security mechanisms as specified in 3GPP TS 33.203 [6] for the Gm interface shall be used to provide confidentiality and integrity of signalling on the SIP-1 interface.
6.3 Network domain security
6.3.1 EPS-LTE/5GS-NR access authentication and security
An MC UE shall perform the authentication and security mechanisms as specified in 3GPP TS 33.401 [14] for EPS-LTE and as specified in 3GPP TS 33.501 [55] for 5GS-NR network access security.
6.3.2 Inter/Intra domain interface security
To ensure security of the interfaces between network elements within a trusted domain and between trusted domains, namely HTTP-2, HTTP-3, SIP-2 and SIP-3:
– 3GPP TS 33.210 [4] shall be applied to secure signalling messages on the reference points unless specified otherwise; and
– 3GPP TS 33.310 [5] may be applied regarding the use of certificates with the security mechanisms of 3GPP TS 33.210 [4] unless specified otherwise in the present document.
NOTE: For the case of an interface between two network elements in the same trusted domain, 3GPP TS 33.210 [4] does not mandate the protection of the interface by means of IPsec. However, it is up to the domain administrator’s policy to also protect interfaces within the same trusted domain.
A SEG (Security Gateway) as specified in 3GPP TS 33.210 [4] may be used in the trusted domain to terminate the IPsec tunnel.