6.3 Security contexts
33.5013GPPRelease 18Security architecture and procedures for 5G SystemTS
6.3.1 Distribution of security contexts
6.3.1.1 General
The present clause focuses on the security contexts themselves; the handling of security contexts in mobility procedures is described in clause 6.9.
6.3.1.2 Distribution of subscriber identities and security data within one 5G serving network domain
The transmission of the following subscriber identities and security data is permitted between 5G core network entities of the same serving network domain:
– SUPI in the clear
– 5G security contexts, as described in clause 6.9
A 5G authentication vector shall not be transmitted between SEAFs.
Once the subscriber identities and security data have been transmitted from an old to a new network entity the old network entity shall delete the data.
6.3.1.3 Distribution of subscriber identities and security data between 5G serving network domains
The transmission of the following subscriber identities and security data is permitted between 5G core network entities of different serving network domains:
– SUPI in the clear
– 5G security contexts, as described in clause 6.9, if the security policy of the transmitting 5G serving network domain allows this.
A 5G authentication vector or non-current 5G security contexts shall not be transmitted to a different 5G serving network domain.
6.3.1.4 Distribution of subscriber identities and security data between 5G and EPS serving network domains
NOTE 1: No direct interworking between 5G networks and network of generations prior to EPS are foreseen. Therefore, only the interaction between 5G and EPS serving network domains is addressed here.
The transmission of the SUPI in the clear is permitted between 5G and EPS core network entities if it has the form of an IMSI.
The transmission of any unmodified 5G security contexts to a EPS core network entity is not permitted. Details of security context transfer between EPS and 5G core network entities can be found in clause 8.
The transmission of a 5G authentication vector to an EPS core network entity is not permitted. The transmission of any unused EPS authentication vectors to a 5G core network entity is not permitted. If SEAF receives any unused authentication vectors (e.g. in mobility scenarios from legacy MME) they shall be dropped without any processing.
NOTE 2: The rules above differ from the corresponding rules in 3GPP TS 33.401, clause 6.1.6: The latter allows forwarding of UMTS authentication vectors from an SGSN to an MME and back to the same SGSN under certain conditions. But this feature goes against a strict security separation of EPS and 5G domains. As its performance advantage is questionable it was not copied into 5G.
NOTE 3: Security context mapping between EPS and 5G serving networks is allowed, according to clause 8.
6.3.2 Multiple registrations in same or different serving networks
6.3.2.0 General
There are two cases where the UE can be multiple registered in different PLMN’s serving networks or in the same PLMN’s serving networks. The first case is when the UE is registered in one PLMN serving network over a certain type of access (e.g. 3GPP) and is registered to another PLMN serving network over the other type of access (e.g. non-3GPP). The second case is where the UE is registered in the same AMF in the same PLMN serving network over both 3GPP and non-3GPP accesses. The UE will establish two NAS connections with the network in both cases.
NOTE: The UE uses the same subscription credential(s) for multiple registrations in the same or different serving networks.
6.3.2.1 Multiple registrations in different PLMNs
The UE shall independently maintain and use two different 5G security contexts, one per PLMN’s serving network. Each security context shall be established separately via a successful primary authentication procedure with the Home PLMN.
The ME shall store the two different 5G security contexts on the USIM if the USIM supports the 5G parameters storage. If the USIM does not support the 5G parameters storage, then the ME shall store the two different 5G security contexts in the ME non-volatile memory. Both of the two different 5G security contexts are current 5G security context.
The latest KAUSF result of the successful completion of the latest primary authentication shall be used by the UE and the HN regardless over which access network type (3GPP or non-3GPP) it was generated.
The HN shall keep the latest KAUSF generated during successful authentication over a given access even if the UE is deregistered from that access, but the UE is registered via another access.
6.3.2.2 Multiple registrations in the same PLMN
When the UE is registered in the same AMF in the same PLMN serving network over both 3GPP and non-3GPP accesses, the UE shall establish two NAS connections with the network. Upon receiving the registration request message, the AMF should check whether the UE is authenticated by the network. The AMF may decide to skip a new authentication run in case there is an available 5G security context for this UE by means of 5G-GUTI, e.g. when the UE successfully registered to 3GPP access.
If the UE registers to the same AMF via non-3GPP access, the AMF can decide not to run a new authentication if it has an available security context to use. In this case, the UE shall directly take into use the available common 5G NAS security context and use it to protect the registration over the non-3GPP access. If there are stored NAS counts for the non-3GPP access for the PLMN in the UE, then the stored NAS counts for the non-3GPP access for the PLMN shall be used to protect the registration over the non-3GPP access. Otherwise, the common 5G NAS security context is taken into use for the first time (partial) over non-3GPP access. In this case, the UL NAS COUNT value and DL NAS COUNT value for the non-3GPP access needs to be set to zero by the UE before the UE is taking the 5G NAS security context into use over non 3GPP access.
The AMF and the UE shall establish a common NAS security context consisting of a single set of NAS keys and algorithm at the time of first registration over any access. The AMF and the UE shall also store parameters specific to each NAS connection in the common NAS security context including two pairs of NAS COUNTs for each access (i.e. 3GPP access and non-3GPP access). The connection specific parameters are specified in clause 6.4.2.2 of the present document.