12 Security aspects of Network Exposure Function (NEF)
3GPP TS 33.501, Release 18: Security architecture and procedures for 5G System
12.1 General
In the 5G system, the Network Functions securely expose capabilities and events to 3rd party Application Functions via NEF. The NEF also enables secure provision of information in the 3GPP network by authenticated and authorized Application Functions.
Requirements on security aspects of NEF are captured in clause 5.9.2.3.
12.2 Mutual authentication
For authentication between NEF and an Application Function that resides outside the 3GPP operator domain, mutual authentication based on client and server certificates shall be performed between the NEF and AF using TLS.
Certificate based authentication shall follow the profiles given in 3GPP TS 33.310 [5], clause 6.1.3a. The identities in the end entity certificates shall be used for authentication and policy checks. The structure of the PKI used for the certificate is out of scope of the present document.
12.3 Protection of the NEF – AF interface
TLS shall be used to provide integrity protection, replay protection and confidentiality protection for the interface between the NEF and the Application Function. The support of TLS is mandatory.
Security profiles for TLS implementation and usage shall follow the provisions given in clause 6.2 of TS 33.210 [3].
12.4 Authorization of Application Function’s requests
After the authentication, the NEF determines whether the Application Function is authorized to send requests for the 3GPP Network Entity. The NEF shall authorize the requests from the Application Function using an OAuth-based authorization mechanism; the specific authorization mechanisms shall follow the provisions given in RFC 6749 [43].
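The following sketch is an added example, not text or code from the specification. It shows how an NEF-side gate could combine clause 12.2 (TLS with a mandatory client certificate, identity taken from the end entity certificate) with clause 12.4 (OAuth scope check). The host name, scope names, policy table, the `client_id` claim and the TLS 1.2 floor are assumptions made for illustration; the actual TLS profile comes from TS 33.210 [3].

```python
import ssl

# Constructed local policy: AF certificate identity -> scopes the operator allows it.
AF_POLICY = {"af1.partner.example": {"nef-api-a", "nef-api-b"}}

# Constructed peer certificate in the dict shape of ssl.SSLSocket.getpeercert().
SAMPLE_AF_CERT = {
    "subject": ((("commonName", "af1.partner.example"),),),
    "subjectAltName": (("DNS", "af1.partner.example"),),
}

def nef_server_context(cert=None, key=None, ca=None):
    """NEF-side TLS context that refuses AFs without a valid client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed floor; follow TS 33.210
    ctx.verify_mode = ssl.CERT_REQUIRED           # mutual authentication
    if cert:
        ctx.load_cert_chain(cert, key)            # NEF end entity certificate
    if ca:
        ctx.load_verify_locations(ca)             # CA(s) trusted to issue AF certs
    return ctx

def af_identities(peercert):
    """DNS identities from the subjectAltName of an already verified certificate."""
    return [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]

def authorize(peercert, token, required_scope):
    """Allow a request only if certificate identity, token and policy all agree.

    `token` holds the claims of an access token that was already validated;
    the `client_id` key is an assumption, `scope` is space-delimited (RFC 6749).
    """
    ids = af_identities(peercert)
    if not ids:
        return False, "no identity in certificate"
    client = token.get("client_id")
    if client not in ids:
        return False, "token not issued to the authenticated AF"
    granted = set(token.get("scope", "").split())
    if required_scope not in granted & AF_POLICY.get(client, set()):
        return False, "scope not authorized"
    return True, "ok"

if __name__ == "__main__":
    tok = {"client_id": "af1.partner.example", "scope": "nef-api-a"}
    print(authorize(SAMPLE_AF_CERT, tok, "nef-api-a"))
    print(authorize(SAMPLE_AF_CERT, tok, "nef-api-b"))
```

Binding the token's client to the certificate identity means a token issued to one AF is rejected when presented over another AF's TLS session.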
12.5 Support for CAPIF
When the NEF supports CAPIF for external exposure as specified in clause 6.2.5.1 in TS 23.501 [2], then the CAPIF core function shall choose the appropriate CAPIF-2e security method as defined in sub-clause 6.5.2 in TS 33.122 [53] for mutual authentication and protection of the NEF – AF interface.