6 Security for 5G ProSe features

3GPP TS 33.503 Release 17: Security Aspects of Proximity based Services (ProSe) in the 5G System (5GS)

6.1 Security for 5G ProSe Discovery

6.1.1 General

6.1.2 Security requirements

The 5G System shall support integrity protection and replay protection of discovery messages in open 5G ProSe Direct Discovery.

The 5G System shall support confidentiality protection, integrity protection and replay protection of discovery messages in restricted 5G ProSe Direct Discovery.

The 5G System shall support a method to verify source authenticity of discovery messages.

6.1.3 Security procedures

6.1.3.1 Open 5G ProSe Direct Discovery

The open 5G ProSe Direct Discovery security procedure is described as follows.

Figure 6.1.3.1-1: Open 5G ProSe Direct Discovery security procedure

1. The Announcing UE sends a Discovery Request message containing the ProSe Application ID to the 5G DDNMF in its HPLMN in order to be allowed to announce a code on its serving PLMN (either VPLMN or HPLMN).

2. If the Announcing UE wants to send announcements in the VPLMN, it needs to be authorized by the VPLMN 5G DDNMF. The 5G DDNMF in the HPLMN requests authorization from the VPLMN 5G DDNMF by sending an Announce Auth. message.

3. The VPLMN 5G DDNMF responds with an Announce Auth. Ack message if authorization is granted. There are no changes to these messages for the purpose of protecting the transmitted code for open 5G ProSe Direct Discovery. If the Announcing UE is not roaming, these steps do not take place.

4. The 5G DDNMF in HPLMN of the Announcing UE returns the ProSe Application Code that the Announcing UE can announce and a Discovery Key associated with it. The 5G DDNMF stores the Discovery Key with the ProSe Application Code. In addition, the 5G DDNMF provides the UE with a CURRENT_TIME parameter, which contains the current UTC-based time at the 5G DDNMF, a MAX_OFFSET parameter, and a Validity Timer. The UE sets a clock which is used for ProSe authentication (i.e. ProSe clock) to the value of CURRENT_TIME and the UE stores the MAX_OFFSET parameter, overwriting any previous values. The Announcing UE obtains a value for a UTC-based counter associated with a discovery slot based on UTC time. The counter is set to a value of UTC time in a granularity of seconds. The UE may obtain UTC time from any sources available, e.g. the RAN via SIB9, NITZ, NTP, GPS, via Ub interface (in GBA) (depending on which is available).

NOTE 1: The UE may use unprotected time to obtain the UTC-based counter associated with a discovery slot. This means that the discovery message could be successfully replayed if a UE is fooled into using a time different to the current time. The MAX_OFFSET parameter is used to limit the ability of an attacker to successfully replay discovery messages or obtain correctly MICed discovery message for later use. This is achieved by using MAX_OFFSET as a maximum difference between the UTC-based counter associated with the discovery slot and the ProSe clock held by the UE.

NOTE 2: A discovery slot is the time at which an Announcing UE sends the announcement.

5. The Announcing UE starts announcing if the difference between the UTC-based counter provided by the system associated with the discovery slot and the UE’s ProSe clock is not greater than MAX_OFFSET and if the Validity Timer has not expired. For each discovery slot it uses to announce, the Announcing UE calculates a 32-bit Message Integrity Check (MIC) to include with the ProSe Application Code in the discovery message. The four least significant bits of the UTC-based counter are transmitted along with the discovery message. The MIC is calculated as described in clause A.6 using the Discovery Key and the UTC-based counter associated with the discovery slot.

6. The Monitoring UE sends a Discovery Request message containing the ProSe Application ID to the 5G DDNMF in its HPLMN in order to get the Discovery Filters that it wants to listen for.

7. The 5G DDNMF in the HPLMN of the Monitoring UE sends Monitor Req. message to the 5G DDNMF in the HPLMN of the Announcing UE.

8. The 5G DDNMF in the HPLMN of the Announcing UE sends Monitor Resp. message to the 5G DDNMF in the HPLMN of the Monitoring UE.

9. The 5G DDNMF returns the Discovery Filter containing either the ProSe Application Code(s), the ProSe Application Mask(s) or both along with the CURRENT_TIME and the MAX_OFFSET parameters. The Monitoring UE sets its ProSe clock to CURRENT_TIME and stores the MAX_OFFSET parameter, overwriting any previous values. The Monitoring UE obtains a value for a UTC-based counter associated with a discovery slot based on UTC time. The counter is set to a value of UTC time in a granularity of seconds. The Monitoring UE may obtain UTC time from any sources available, e.g. the RAN via SIB9, NITZ, NTP, GPS (depending on which is available).

10. The Monitoring UE listens for a discovery message that satisfies its Discovery Filter if the difference between the UTC-based counter associated with that discovery slot and the UE’s ProSe clock is not greater than the Monitoring UE’s MAX_OFFSET.

11. On hearing such a discovery message, and if the UE has either not checked the MIC for the discovered ProSe App Code via Match Report previously or has checked a MIC for the ProSe App Code via Match Report and the associated Match Report refresh timer (see steps 14 and 15 for details of this timer) has expired, or as required based on the procedure specified in TS 23.304 [2], the Monitoring UE sends a Match Report message to the 5G DDNMF in the HPLMN of the Monitoring UE. The Match Report contains the UTC-based counter value with four least significant bits equal to four least significant bits received along with discovery message and nearest to the Monitoring UE’s UTC-based counter associated with the discovery slot where it heard the announcement, and other discovery message parameters including the ProSe App Code and MIC. If a Match Report is not required, the Monitoring UE shall locally process the discovery message and the rest of the procedure is not performed.

12. The 5G DDNMF in the HPLMN of the Monitoring UE passes the discovery message parameters including the ProSe Application Code and MIC and associated counter parameter to the 5G DDNMF in the HPLMN of the Announcing UE in the Match Report message.

13. The 5G DDNMF in the HPLMN of the Announcing UE shall check the MIC is valid. The relevant Discovery Key is identified by the ProSe Application Code.

14. The 5G DDNMF in the HPLMN of the Announcing UE shall acknowledge a successful check of the MIC to the 5G DDNMF in the HPLMN of the Monitoring UE via the Match Report Ack message. The 5G DDNMF in the HPLMN of the Announcing UE includes a Match Report refresh timer in the Match Report Ack message. The Match Report refresh timer indicates how long the UE will wait before sending a new Match Report for the ProSe Application Code.

15. The 5G DDNMF in the HPLMN of the Monitoring UE acknowledges the MIC check result to the Monitoring UE. The 5G DDNMF returns the parameter ProSe Application ID to the UE. It also provides the CURRENT_TIME parameter, by which the UE (re)sets its ProSe clock. The 5G DDNMF in the HPLMN of the Monitoring UE may optionally modify the received Match Report refresh timer based on local policy and then include the Match Report refresh timer in the message to the Monitoring UE.
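The counter handling of steps 5, 10 and 11 and the MIC check of step 13, as an added Python example that is not part of the specification: the Announcing UE binds the 32-bit MIC to the full UTC-based counter, sends only its four least significant bits, and the Monitoring UE reconstructs the counter value nearest to its own and gates on MAX_OFFSET before the MIC is verified. The MIC construction here is a stand-in (HMAC-SHA-256 truncated to 32 bits), not the clause A.6 algorithm, the 5G DDNMF check is collapsed into the same function for illustration, and the key and code are constructed values.

```python
import hmac
import hashlib

COUNTER_LSB_MASK = 0xF  # four least significant bits of the UTC-based counter travel with the message


def compute_mic(discovery_key: bytes, prose_app_code: bytes, utc_counter: int) -> bytes:
    """32-bit MIC over the ProSe Application Code bound to the discovery-slot counter.

    ASSUMPTION: clause A.6 defines the real input formatting; this stand-in uses
    HMAC-SHA-256 over (counter || code) truncated to 32 bits to show the binding.
    """
    data = utc_counter.to_bytes(4, "big") + prose_app_code
    return hmac.new(discovery_key, data, hashlib.sha256).digest()[:4]


def may_use_slot(slot_counter: int, prose_clock: int, max_offset: int, validity_expired: bool = False) -> bool:
    """Steps 5 and 10: the slot counter must lie within MAX_OFFSET of the UE's ProSe clock."""
    return abs(slot_counter - prose_clock) <= max_offset and not validity_expired


def build_discovery_message(discovery_key: bytes, prose_app_code: bytes, slot_counter: int) -> dict:
    """Step 5 (Announcing UE): code, 4-bit counter fragment and MIC for one discovery slot."""
    return {
        "code": prose_app_code,
        "counter_lsb": slot_counter & COUNTER_LSB_MASK,
        "mic": compute_mic(discovery_key, prose_app_code, slot_counter),
    }


def reconstruct_counter(received_lsb: int, own_counter: int) -> int:
    """Step 11 (Monitoring UE): the counter value whose four LSBs equal the received bits
    and which lies nearest to the Monitoring UE's own counter for that discovery slot."""
    base = (own_counter & ~COUNTER_LSB_MASK) | (received_lsb & COUNTER_LSB_MASK)
    # Candidates straddle own_counter: the same 16-second block and its two neighbours.
    return min((base - 16, base, base + 16), key=lambda c: abs(c - own_counter))


def check_match_report(discovery_key: bytes, message: dict, own_counter: int,
                       prose_clock: int, max_offset: int) -> tuple:
    """Steps 10-13 collapsed: the MAX_OFFSET gate at the Monitoring UE, then the MIC check
    that the 5G DDNMF of the Announcing UE performs on the counter sent in the Match Report."""
    if not may_use_slot(own_counter, prose_clock, max_offset):
        return False, "discovery slot outside MAX_OFFSET of ProSe clock"
    counter = reconstruct_counter(message["counter_lsb"], own_counter)
    expected = compute_mic(discovery_key, message["code"], counter)
    if not hmac.compare_digest(expected, message["mic"]):
        return False, "MIC mismatch (stale or forged announcement)"
    return True, "MIC valid"


# Constructed sample values (not from the specification).
DISCOVERY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PROSE_APP_CODE = b"\x01\x02\x03\x04\x05\x06"

if __name__ == "__main__":
    slot = 1_700_000_000  # UTC-based counter in seconds, constructed
    msg = build_discovery_message(DISCOVERY_KEY, PROSE_APP_CODE, slot)
    # Heard 3 s later with a ProSe clock 2 s ahead of the slot: (True, 'MIC valid')
    print(check_match_report(DISCOVERY_KEY, msg, slot + 3, slot + 2, 10))
    # Same message replayed 45 s later: the nearest counter with LSB 0 is slot + 48, so the MIC fails
    print(check_match_report(DISCOVERY_KEY, msg, slot + 45, slot + 44, 10))
```

A replay inside the same 16-second counter block still reconstructs the original counter, which is why MAX_OFFSET, not the MIC alone, bounds the replay window.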

6.1.3.2 Restricted 5G ProSe Direct Discovery

6.1.3.2.1 General

The security for both models of restricted 5G ProSe Direct Discovery is similar to that of open 5G ProSe Direct Discovery described in clause 6.1.3.1. Both models also use a UTC-based counter (see step 9 in clause 6.1.3.1) to provide freshness for the protection of the restricted 5G ProSe Direct Discovery message on the PC5 interface. The parameters CURRENT_TIME and MAX_OFFSET are also provided to the UE from the 5G DDNMF in its HPLMN to ensure that the obtained UTC-based counter is sufficiently close to real time to protect against replays.

The major differences are that restricted 5G ProSe Direct Discovery requires confidentiality protection of the discovery messages (e.g. to ensure a UE’s privacy is not disclosed to unauthorized parties or tracked due to constantly sending the same ProSe Restricted/Response Code in the clear) and that the MIC checking may be performed by the receiving UE (if allowed by the 5G DDNMF).

The security parameters needed by a sending UE to protect a discovery message (i.e. in Model A the Announcing UE and in Model B the Discoverer UE sending the ProSe Query Code and the Discoveree UE sending the ProSe Response Code) are provided in the Code-Sending Security Parameters. Similarly, the security parameters needed by a UE receiving a discovery message (i.e. in Model A the Monitoring UE and in Model B the Discoverer UE receiving a ProSe Response Code and the Discoveree receiving a ProSe Query Code) are provided in the Code-Receiving Security Parameters.

In addition to clause 6.1.3.4.1 in TS 33.303 [4], 5G ProSe introduces two new features:

– During the discovery request procedure, 5G DDNMF may optionally provide the PC5 security policies to the UEs.

– A ciphering algorithm for message-specific confidentiality is configured at the UE during the Discovery Request procedure.

5G ProSe UE-to-Network Relay discovery is different from 5G ProSe Restricted Direct Discovery. In 5G ProSe UE‑to-Network Relay discovery, the discovery security materials are provided by the PKMF for RSC(s) representing user-plane based security procedure, and by the DDNMF or the PCF for RSC(s) with Control Plane Security Indicator set representing control-plane based security procedure. The 5G ProSe UE-to-Network Relay discovery procedures described in clause 6.1.3.2.2.1 and clause 6.1.3.2.2.2 apply with adjustment when 5G DDNMF or 5G PKMF is used for 5G ProSe UE-to-Network Relay discovery.

6.1.3.2.2 Security flows

6.1.3.2.2.1 Restricted 5G ProSe Direct Discovery Model A

The security procedure for restricted 5G ProSe Direct Discovery Model A is described as follows.

Figure 6.1.3.2.2.1-1: Security procedure for restricted 5G ProSe Direct Discovery Model A

NOTE 1: When the user-plane based security procedure for the UE-to-Network Relay is used, the 5G PKMF takes the role of the 5G DDNMF as described in 6.3.3.2 of the present document.

Steps 1-4 refer to an Announcing UE:

1. Announcing UE sends a Discovery Request message containing the Restricted ProSe Application User ID (RPAUID) to the 5G DDNMF in its HPLMN in order to get the ProSe Code to announce and to get the associated security material. In addition, the Announcing UE shall include its PC5 UE security capability that contains the list of supported ciphering algorithms by the UE in the Discovery Request message.

For 5G ProSe UE-to-Network Relay discovery, the 5G ProSe UE-to-Network Relay plays the role of the Announcing UE and sends a Relay Discovery Key Request instead of a Discovery Request. The Relay Discovery Key Request message includes the Relay Service Code (RSC) and the 5G ProSe UE-to-Network Relay’s PC5 security capability.

2. The 5G DDNMF may check for the announce authorization with the ProSe Application Server.

For 5G ProSe UE-to-Network Relay discovery, the 5G DDNMF may check with the UDM whether the UE-to-Network relay is authorized to announce UE-to-Network relay discovery.

3. If the Announcing UE is roaming, the 5G DDNMFs in the HPLMN and VPLMN of the Announcing UE exchange Announce Auth. messages.

4. The 5G DDNMF in the HPLMN of the Announcing UE returns the ProSe Restricted Code and the corresponding Code-Sending Security Parameters, along with the CURRENT_TIME and MAX_OFFSET parameters. The Code-Sending Security Parameters provide the necessary information for the Announcing UE to protect the transmission of the ProSe Restricted Code and are stored with the ProSe Restricted Code. The Announcing UE takes the same actions with CURRENT_TIME and MAX_OFFSET as described for the Announcing UE in step 4 of clause 6.1.3.1 of the present document. The 5G DDNMF in the HPLMN of the Announcing UE shall include the chosen PC5 ciphering algorithm in the Discovery Response message. The 5G DDNMF determines the chosen PC5 ciphering algorithm based on the ProSe Restricted Code and the received PC5 UE security capability in step 1. The UE stores the chosen PC5 ciphering algorithm together with the ProSe Restricted Code.

In addition, the 5G DDNMF in the HPLMN of the Announcing UE may associate the ProSe Restricted Code with the PC5 security policies and include the PC5 security policies in the Discovery Response message.

For 5G ProSe UE-to-Network Relay discovery, a Relay Discovery Key Response is used instead of the Discovery Response, and the RSC is used instead of the ProSe Restricted Code.

NOTE 2: 5G DDNMF may get the PC5 security policies in different ways (e.g. from PCF, from ProSe Application Server, or based on local configuration).

Steps 5-10 refer to a Monitoring UE:

5. The Monitoring UE sends a Discovery Request message containing the RPAUID and its PC5 UE security capability to the 5G DDNMF in its HPLMN in order to be allowed to monitor for one or more Restricted ProSe Application User IDs.

For 5G ProSe UE-to-Network Relay discovery, the 5G ProSe Remote UE plays the role of the Monitoring UE and sends a Relay Discovery Key Request instead of the Discovery Request. The Relay Discovery Key Request message includes the RSC and the 5G ProSe Remote UE’s PC5 security capability.

6. The 5G DDNMF in the HPLMN of the Monitoring UE sends an authorization request to the ProSe Application Server. If, based on the permission settings, the RPAUID is allowed to discover at least one of the Target RPAUIDs contained in the Application Level Container, the ProSe Application Server returns an authorization response.

For 5G ProSe UE-to-Network Relay discovery, the 5G DDNMF of the Remote UE may check with the UDM whether the Remote UE is authorized to monitor UE-to-Network relay discovery.

7. If the Discovery Request is authorized, and the PLMN ID in the Target RPAUID indicates a different PLMN, the 5G DDNMF in the HPLMN of the Monitoring UE contacts the indicated PLMN’s 5G DDNMF (i.e. the 5G DDNMF in the HPLMN of the Announcing UE) by sending a Monitor Request message including the PC5 UE security capability received in step 5.

For 5G ProSe UE-to-Network Relay Discovery, Relay Discovery Key Request and RSC are used instead of Discovery Request and RPAUID.

8. The 5G DDNMF in the HPLMN of the Announcing UE may exchange authorization messages with the ProSe Application Server.

For 5G ProSe UE-to-Network Relay discovery, this step is skipped.

9. If the PC5 UE security capability in step 5 includes the chosen PC5 ciphering algorithm, the 5G DDNMF in the HPLMN of the Announcing UE responds to the 5G DDNMF in the HPLMN of the Monitoring UE with a Monitor Response message including the ProSe Restricted Code, the corresponding Code-Receiving Security Parameters, an optional Discovery User Integrity Key (DUIK), and the chosen PC5 ciphering algorithm (based on the information/keys stored in step 4). The Code-Receiving Security Parameters provide the information needed by the Monitoring UE to undo the protection applied by the Announcing UE. The DUIK shall be included as a separate parameter if the Code-Receiving Security Parameters indicate that the Monitoring UE uses Match Reports for MIC checking. The 5G DDNMF in the HPLMN of the Monitoring UE stores the ProSe Restricted Code and the Discovery User Integrity Key (if it received one outside of the Code-Receiving Security Parameters).

For 5G ProSe UE-to-Network Relay discovery, a Relay Discovery Key Response is used instead of the Monitor Response, and the RSC is used instead of the ProSe Restricted Code.

The 5G DDNMF in the HPLMN of the Announcing UE may send the PC5 security policies associated with the ProSe Restricted Code to the 5G DDNMF in the HPLMN of the Monitoring UE.

NOTE 3: For 5G ProSe Direct Discovery, there are two possible configurations for integrity checking, namely, MIC checked by the 5G DDNMF of the Monitoring UE, and MIC checked at the Monitoring UE side. Which configuration to use is decided by the 5G DDNMF, which assigns the monitored ProSe Restricted Code and signals the Monitoring UE in the Code-Receiving Security Parameters.

For 5G ProSe UE-to-Network Relay discovery, MIC checking is performed only at the Remote UE and the 5G DDNMF of the Remote UE does not need to configure integrity checking for UE-to-Network Relay discovery.

NOTE 4: The chosen PC5 ciphering algorithm is associated with the ProSe Restricted Code.

10. The 5G DDNMF in the HPLMN of the Monitoring UE returns the Discovery Filter and the Code-Receiving Security Parameters, along with the CURRENT_TIME and MAX_OFFSET parameters and the chosen PC5 ciphering algorithm. The Monitoring UE takes the same actions with CURRENT_TIME and MAX_OFFSET as described for the Monitoring UE in step 9 of clause 6.1.3.1 of the present document. The UE stores the Discovery Filter, Code-Receiving Security Parameters, and the chosen PC5 ciphering algorithm together with the ProSe Restricted Code.

For 5G ProSe UE-to-Network Relay discovery, a Relay Discovery Key Response is returned instead of the Discovery Response, and the RSC is included instead of the ProSe Restricted Code. The response message contains the discovery security materials as contained in step 9.

If the 5G DDNMF in the HPLMN of the Monitoring UE receives the PC5 security policies associated with the ProSe Restricted Code in step 9, the Monitoring UE’s 5G DDNMF forwards the PC5 security policies to the Monitoring UE.

For 5G ProSe UE-to-Network Relay discovery, a Relay Discovery Key Response is used instead of the Discovery Response, and the RSC is used instead of the ProSe Restricted Code.

Steps 11 and 12 occur over PC5:

11. The UE starts announcing, if the UTC-based counter provided by the system associated with the discovery slot is within the MAX_OFFSET of the Announcing UE’s ProSe clock and if the Validity Timer has not expired. The UE forms the discovery message and protects it. The four least significant bits of UTC-based counter are transmitted along with the protected discovery message.

12. The Monitoring UE listens for a discovery message that satisfies its Discovery Filter if the UTC-based counter associated with that discovery slot is within the MAX_OFFSET of the monitoring UE’s ProSe clock. In order to find such a matching message, it processes the message. If the Monitoring UE was not asked to send Match Reports for MIC checking, it stops at this step from a security perspective. Otherwise, it proceeds to step 13.

NOTE 5: The UE checking the integrity of the discovery message on its own does not prevent the UE from sending a Match Report due to requirements in TS 23.304 [2]. If such a Match Report is sent, then there is no security functionality involved.

Steps 13-16 refer to a Monitoring UE that has encountered a match:

NOTE 6: For 5G ProSe UE-to-Network Relay discovery, the steps 13-16 are skipped.

13. If the UE has either not had the 5G DDNMF check the MIC for the discovered ProSe Restricted Code previously or the 5G DDNMF has checked a MIC for the ProSe Restricted Code and the associated Match Report refresh timer (see step 15 for details of this timer) has expired, or as required based on the procedure specified in TS 23.304 [2], then the Monitoring UE sends a Match Report message to the 5G DDNMF in the HPLMN of the Monitoring UE. The Match Report contains the UTC-based counter value with four least significant bits equal to four least significant bits received along with discovery message and nearest to the Monitoring UE’s UTC-based counter associated with the discovery slot where it heard the announcement, and other discovery message parameters including the ProSe Restricted Code and MIC. The 5G DDNMF checks the MIC.

14. The 5G DDNMF in the HPLMN of the Monitoring UE may exchange an Auth Req/Auth Resp with the ProSe Application Server to ensure that Monitoring UE is authorized to discover the Announcing UE.

15. The 5G DDNMF in the HPLMN of the Monitoring UE returns to the Monitoring UE an acknowledgement that the integrity check passed. It also provides the CURRENT_TIME parameter, by which the UE (re)sets its ProSe clock. The 5G DDNMF in the HPLMN of the Monitoring UE includes the Match Report refresh timer in the message to the Monitoring UE. The Match Report refresh timer indicates how long the UE will wait before sending a new Match Report for the ProSe Restricted Code.

16. The 5G DDNMF in the HPLMN of the Monitoring UE may send a Match Report Info message to the 5G DDNMF in the HPLMN of the Announcing UE.

6.1.3.2.2.2 Restricted 5G ProSe Direct Discovery Model B

The security procedure for restricted 5G ProSe Direct Discovery Model B is described as follows.

Figure 6.1.3.2.2.2-1: Security procedure for restricted 5G ProSe Direct Discovery Model B

NOTE 1: When the user-plane based security procedure for the UE-to-Network Relay is used, the 5G PKMF takes the role of the 5G DDNMF as described in 6.3.3.2 of the present document.

Steps 1-4 refer to a Discoveree UE:

1. Discoveree UE sends a Discovery Request message containing the RPAUID to the 5G DDNMF in its HPLMN in order to get Discovery Query Filter(s) to monitor a query, the ProSe Response Code to announce and associated security materials. The command indicates that this is for ProSe Response (Model B) operation, i.e. for a Discoveree UE. In addition, the Discoveree UE shall include its PC5 UE security capability that contains the list of supported ciphering algorithms by the UE in the Discovery Request message.

For 5G ProSe UE-to-Network Relay discovery, the 5G ProSe UE-to-Network Relay plays the role of the Discoveree UE and sends a Relay Discovery Key Request instead of a Discovery Request. The Relay Discovery Key Request message includes the Relay Service Code (RSC) and the 5G ProSe UE-to-Network Relay’s PC5 security capabilities.

2. The 5G DDNMF may check for the announce authorization with the ProSe Application Server depending on 5G DDNMF configuration.

For 5G ProSe UE-to-Network Relay discovery, the 5G DDNMF may check with the UDM whether the UE-to-Network relay is authorized to announce UE-to-Network relay discovery.

3. The 5G DDNMFs in the HPLMN and VPLMN of the Discoveree UE exchange Announce Auth. messages. If the Discoveree UE is not roaming, these steps do not take place.

4. The 5G DDNMF in the HPLMN of the Discoveree UE returns the ProSe Response Code and the Code-Sending Security Parameters, Discovery Query Filter(s), Code-Receiving Security Parameters corresponding to each discovery filter along with the CURRENT_TIME and MAX_OFFSET parameters and the chosen PC5 ciphering algorithm. The Code-Sending Security Parameters provide the necessary information for the Discoveree UE to protect the transmission of the ProSe Response Code and are stored with the ProSe Response Code. The Code-Receiving Security Parameters provide the information needed by the Discoveree UE to undo the protection applied to the ProSe Query Code by the Discoverer UE. The Code-Receiving Security Parameters indicate a Match Report will not be used for MIC checking. The UE stores each Discovery Filter with its associated Code-Receiving Security Parameters. The Discoveree UE takes the same actions with CURRENT_TIME and MAX_OFFSET as described for the Announcing UE in step 4 of clause 6.1.3.1 of the present document. The 5G DDNMF in the HPLMN of the Discoveree UE shall include the chosen PC5 ciphering algorithm in the Discovery Response message. The 5G DDNMF determines the chosen PC5 ciphering algorithm based on the ProSe Response Code and the received PC5 UE security capability in step 1. The UE stores the chosen PC5 ciphering algorithm together with the ProSe Response Code.

In addition, the 5G DDNMF in the HPLMN of the Discoveree UE may associate the ProSe Response Code with the PC5 security policies and include the PC5 security policies in the Discovery Response message.

For 5G ProSe UE-to-Network Relay discovery, a Relay Discovery Key Response is used instead of the Discovery Response, and the RSC is used instead of ProSe Query Code and ProSe Response Code.

NOTE 2: 5G DDNMF may get the PC5 security policies in different ways (e.g. from PCF, from ProSe Application Server, or based on local configuration).

Steps 5-10 refer to a Discoverer UE:

5. The Discoverer UE sends a Discovery Request message containing the RPAUID and its PC5 UE security capability to the 5G DDNMF in its HPLMN in order to be allowed to discover one or more Restricted ProSe Application User IDs.

For 5G ProSe UE-to-Network Relay discovery, the 5G ProSe Remote UE plays the role of the Discoverer UE and sends a Relay Discovery Key Request instead of the Discovery Request. The Relay Discovery Key Request message includes the RSC and the 5G ProSe Remote UE’s PC5 security capabilities.

6. The 5G DDNMF in the HPLMN of the Discoverer UE sends an authorization request to the ProSe Application Server. If the RPAUID is allowed to discover at least one of the Target RPAUIDs contained in the Application Level Container, the ProSe Application Server returns an authorization response.

For 5G ProSe UE-to-Network Relay discovery, the 5G DDNMF of the Remote UE may check with the UDM whether the Remote UE is authorized to monitor UE-to-Network relay discovery.

7. If the Discovery Request is authorized, and the PLMN ID in the Target RPAUID indicates a different PLMN, the 5G DDNMF in the HPLMN of the Discoverer UE contacts the indicated PLMN’s 5G DDNMF (i.e. the 5G DDNMF in the HPLMN of the Discoveree UE) by sending a Discovery Request message including the PC5 UE security capability in step 5.

For 5G ProSe UE-to-Network Relay Discovery, Relay Discovery Key Request and RSC are used instead of Discovery Request and RPAUID.

8. The 5G DDNMF in the HPLMN of the Discoveree UE may exchange authorization messages with the ProSe Application Server.

For 5G ProSe UE-to-Network Relay discovery, this step is skipped.

9. If the PC5 UE security capability in step 5 includes the chosen PC5 ciphering algorithm, the 5G DDNMF in the HPLMN of the Discoveree UE responds to the 5G DDNMF in the HPLMN of the Discoverer UE with a Discovery Response message including the ProSe Query Code(s) and their associated Code-Sending Security Parameters, the ProSe Response Code and its associated Code-Receiving Security Parameters, an optional Discovery User Integrity Key (DUIK) for the ProSe Response Code, and a chosen PC5 ciphering algorithm. The Code-Receiving Security Parameters provide the information needed by the Discoverer UE to undo the protection applied by the Discoveree UE. The DUIK shall be included as a separate parameter if the Code-Receiving Security Parameters indicate that the Discoverer UE uses Match Reports for MIC checking. The 5G DDNMF in the HPLMN of the Discoverer UE stores the ProSe Response Code and the Discovery User Integrity Key (if it received one outside of the Code-Receiving Security Parameters). The Code-Sending Security Parameters provide the information needed by the Discoverer UE to protect the ProSe Query Code.

The 5G DDNMF in the HPLMN of the Discoveree UE may send the PC5 security policies associated with the ProSe Response Code to the 5G DDNMF in the HPLMN of the Discoverer UE.

For 5G ProSe UE-to-Network Relay discovery, a Relay Discovery Key Response is used instead of the Discovery Response, and the RSC is used instead of ProSe Query Code and ProSe Response Code.

NOTE 3: For 5G ProSe Direct Discovery, there are two possible configurations for integrity checking, namely, MIC checked by the 5G DDNMF of the Discoverer UE, and MIC checked at the Discoverer UE side; this is decided by the 5G DDNMF that assigns the ProSe Restricted Code, and signals the Discoverer UE in the Code-Receiving Security Parameters.

For 5G ProSe UE-to-Network Relay discovery, MIC checking is performed only at the Remote UE and the 5G DDNMF of the Remote UE does not need to configure integrity checking for UE-to-Network Relay discovery.

NOTE 4: The chosen PC5 ciphering algorithm is associated with the ProSe Response Code.

10. The 5G DDNMFs in the HPLMN and VPLMN of the Discoverer UE exchange Announce Auth. messages. If the Discoverer UE is not roaming, these steps do not take place.

11. The 5G DDNMF in the HPLMN of the Discoverer UE returns the Discovery Response Filter and the Code-Receiving Security Parameters, the ProSe Query Code, the Code-Sending Security Parameters along with the CURRENT_TIME and MAX_OFFSET parameters and the chosen PC5 ciphering algorithm. The Discoverer UE takes the same actions with CURRENT_TIME and MAX_OFFSET as described for the Monitoring UE in step 9 of clause 6.1.3.1 of the present document. The UE stores the Discovery Response Filter and its Code-Receiving Security Parameters and the ProSe Query Code and its Code-Sending Security Parameters, and the chosen PC5 ciphering algorithm together with the ProSe Response Code.

If the 5G DDNMF in the HPLMN of the Discoverer UE receives the PC5 security policies associated with the ProSe Response Code in step 9, the Discoverer UE’s 5G DDNMF forwards the PC5 security policies to the Discoverer UE.

For 5G ProSe UE-to-Network Relay discovery, a Relay Discovery Key Response is used instead of the Discovery Response, and the RSC is used instead of the ProSe Restricted Code.

Steps 12 to 15 occur over PC5:

12. The Discoverer UE sends the ProSe Query Code and also listens for a response message if the UTC-based counter provided by the system associated with the discovery slot is within the MAX_OFFSET of the Announcing UE’s ProSe clock and if the Validity Timer has not expired. The Discoverer UE forms the discovery message and protects it. The four least significant bits of UTC-based counter are transmitted along with the protected discovery message.

13. The Discoveree UE listens for a discovery message that satisfies its Discovery Filter if the UTC-based counter associated with that discovery slot is within the MAX_OFFSET of the Discoverer UE’s ProSe clock. In order to find such a matching message, it processes the message.

NOTE 5: Match Reports are not used for the MIC checking of ProSe Query Codes.

14. The Discoveree sends the ProSe Response Code associated with the discovered ProSe Query Code. The Discoveree UE forms the discovery message and protects it. The four least significant bits of UTC-based counter are transmitted along with the protected discovery message.

15. The Discoverer UE listens for a discovery message that satisfies its Discovery Filter. In order to find such a matching message, it processes the message. If the Discoverer UE was not asked to send Match Reports for MIC checking, it stops at this step from a security perspective. Otherwise, it proceeds to step 16.

NOTE 6: The UE checking the integrity of the discovery message on its own does not prevent the UE from sending a Match Report due to requirements in TS 23.304 [2]. If such a Match Report is sent, then there is no security functionality involved.

NOTE 7: The security keys in the Code-Sending Security Parameters of the Discoverer UE and the security keys in the Code-Sending Security Parameters of the Discoveree UE need to be generated independently and randomly.

Steps 16-19 refer to a Discoverer UE that has encountered a match:

NOTE 8: For 5G ProSe UE-to-Network Relay discovery, the steps 16-19 are skipped.

16. If the Discoverer UE has either not had the 5G DDNMF check the MIC for the discovered ProSe Response Code previously or the 5G DDNMF has checked a MIC for the ProSe Response Code and the associated Match Report refresh timer (see step 18 for details of this timer) has expired, or as required based on the procedure specified in TS 23.304 [2], then the Discoverer UE sends a Match Report message to the 5G DDNMF in the HPLMN of the Discoverer UE. The Match Report contains the UTC-based counter value with four least significant bits equal to four least significant bits received along with discovery message and nearest to the Monitoring UE’s UTC-based counter associated with the discovery slot where it heard the announcement, and other discovery message parameters including the ProSe Response Code and MIC. The 5G DDNMF checks the MIC.

17. The 5G DDNMF in the HPLMN of the Discoverer UE may exchange an Auth Req/Auth Resp with the ProSe Application Server to ensure that Discoverer UE is authorized to discover the Discoveree UE.

18. The 5G DDNMF in the HPLMN of the Discoverer UE returns to the Discoverer UE an acknowledgement that the integrity check passed. It also provides the CURRENT_TIME parameter, by which the UE (re)sets its ProSe clock. The 5G DDNMF in the HPLMN of the Discoverer UE includes the Match Report refresh timer in the message to the Discoverer UE. The Match Report refresh timer indicates how long the UE will wait before sending a new Match Report for the ProSe Response Code.

19. The 5G DDNMF in the HPLMN of the Discoverer UE may send a Match Report Info message to the 5G DDNMF in the HPLMN of the Discoveree UE.

6.1.3.2.3 Protection of discovery messages over PC5 interface

There are three types of security that are used to protect the restricted 5G ProSe Direct Discovery messages over the PC5 interface: integrity protection, scrambling protection, and message-specific confidentiality, which are defined in clause 6.1.3.4.3 in TS 33.303 [4]. The protection mechanisms specified in TS 33.303 [4] are reused with the following changes:

– Input parameters to integrity protection algorithm as specified in clause A.6 in the present document.

– Message-specific confidentiality mechanisms as specified in clause A.7 in the present document.

– In A.5 of TS 33.303 [4], the time-hash-bitsequence keystream is set to L least significant bits of the output of the KDF, where L is the bit length of the discovery message to be scrambled and set to Min (the length of discovery message – 16, 256).

– Step 3 of clause 6.1.3.4.3.5 of TS 33.303 [4] becomes:

XOR (0xFFFF || time-hash-bitsequence) with the most significant (L + 16) bits of discovery message.

NOTE 1: 16 is the size of Message Type and UTC-based counter LSB in bit length.

NOTE 2: The maximum length of the discovery message to be scrambled is limited to 256 bits.

– Step 2 of clause 6.1.3.4.3.2 of TS 33.303 [4] becomes:

Calculate MIC if a DUIK was provided, otherwise set MIC to a 32-bit random string. Then, set the MIC IE to the MIC.

– Step 4 of clause 6.1.3.4.3.2 of TS 33.303 [4] is not processed.
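The modified scrambling step above (time-hash-bitsequence limited to L = Min(message length – 16, 256) bits, XORed together with 0xFFFF into the most significant L + 16 bits) as an added, runnable illustration; this is not code from the specification. The KDF is modelled as HMAC-SHA-256 over the UTC-based counter keyed with the DUSK, which is an assumption: the real input string is defined in A.5 of TS 33.303.

```python
import hmac
import hashlib

PREFIX_BITS = 16           # Message Type || UTC-based counter LSB (NOTE 1 above)
MAX_SCRAMBLED_BITS = 256   # NOTE 2 above: at most 256 bits are scrambled beyond the prefix


def time_hash_bitsequence(dusk: bytes, utc_counter: int, msg_len_bits: int) -> tuple[int, int]:
    """Return (L, keystream) for the modified A.5 step.

    L = Min(msg_len_bits - 16, 256); the keystream is the L least significant
    bits of the KDF output.  The KDF is modelled as HMAC-SHA-256(DUSK, counter)
    here (an assumption, not the TS 33.303 A.5 input string).
    """
    if msg_len_bits < PREFIX_BITS:
        raise ValueError("discovery message shorter than Message Type || UTC-based counter LSB")
    L = min(msg_len_bits - PREFIX_BITS, MAX_SCRAMBLED_BITS)
    kdf_out = hmac.new(dusk, utc_counter.to_bytes(4, "big"), hashlib.sha256).digest()
    keystream = int.from_bytes(kdf_out, "big") & ((1 << L) - 1)
    return L, keystream


def scramble(message: bytes, dusk: bytes, utc_counter: int) -> bytes:
    """XOR (0xFFFF || time-hash-bitsequence) with the most significant (L + 16)
    bits of the discovery message; any bits beyond L + 16 are left untouched.

    XOR with a fixed mask is its own inverse, so the receiving UE calls this
    same function with its own UTC-based counter to descramble.
    """
    msg_len_bits = len(message) * 8
    L, keystream = time_hash_bitsequence(dusk, utc_counter, msg_len_bits)
    mask = (0xFFFF << L) | keystream            # 0xFFFF || keystream, L + 16 bits wide
    mask <<= msg_len_bits - (L + PREFIX_BITS)   # align the mask with the most significant bits
    msg_int = int.from_bytes(message, "big")
    return (msg_int ^ mask).to_bytes(len(message), "big")


def descramble(message: bytes, dusk: bytes, utc_counter: int) -> bytes:
    """Receiver side: identical operation to scramble()."""
    return scramble(message, dusk, utc_counter)


if __name__ == "__main__":
    # Constructed sample values, not taken from the specification.
    dusk = bytes.fromhex("00112233445566778899aabbccddeeff")
    counter = 1700000000                       # UTC time in seconds
    short_msg = bytes(range(32))               # 256-bit message: fully scrambled (L = 240)
    long_msg = bytes(range(40))                # 320-bit message: only the first 272 bits change
    assert descramble(scramble(short_msg, dusk, counter), dusk, counter) == short_msg
    print("tail untouched:", scramble(long_msg, dusk, counter)[34:] == long_msg[34:])
```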

6.2 Security for unicast mode 5G ProSe Direct Communication

6.2.1 General

The unicast mode 5G ProSe Direct Communication procedures are described in TS 23.304 [2]. Unicast mode 5G ProSe Direct Communication is used by two UEs that directly exchange traffic for the ProSe applications running between the peer UEs.

PC5 security policy provisioning by 5G DDNMF for unicast mode 5G ProSe Direct Communication during the restricted 5G ProSe Discovery procedure is specified in clause 6.1.3.2.

PC5 direct communication security for relay services is specified in clause 6.3.

If the UE receives PC5 security policies from 5G DDNMF as specified in clause 6.1.3.2.2, the UE uses the PC5 security policies from 5G DDNMF to establish PC5 unicast communication security instead of the PC5 security policies provisioned by PCF or pre-configured in UE as defined in TS 23.304 [2].

6.2.2 Security requirements

The initiating UE shall establish a different security context for each peer UE during the PC5 unicast establishment if the security is activated. It shall be possible to establish a security context also when either one or both of the 5G ProSe-enabled UEs are out of coverage.

The mutual authentication between two 5G ProSe-enabled UEs during PC5 unicast shall be supported.

The PC5 unicast signalling shall support confidentiality protection, integrity protection and anti-replay protection.

The PC5 unicast user plane shall support confidentiality protection, integrity protection and anti-replay protection.

The PCF shall be able to provision the PC5 security policies to the UE per ProSe application during service authorization and information provisioning procedure as defined in TS 23.304 [2].

The system shall support means for a secure refresh of the UE security context.

NOTE 1: The security context refresh may be triggered based on various options (e.g. validity time etc.).

The 5G System should provide means for mitigating trackability attacks on a UE during PC5 unicast communications.

The 5G System should provide means for mitigating linkability attacks on a UE during PC5 unicast communications.

NOTE 2: The 5G system provides means for mitigating trackability and linkability if security of the connection is activated.

6.2.3 Security procedures

The unicast mode security mechanism defined in clause 5.3 of TS 33.536 [6] is reused in 5G ProSe to provide unicast mode 5G ProSe Direct Communication security.

6.2.4 Identity privacy for the PC5 unicast link

The privacy protection procedures defined in clause 5.3.3.2 of TS 33.536 [6] are reused in 5G ProSe to provide unicast mode 5G ProSe Direct Communication security.

6.3 Security for 5G ProSe UE-to-Network Relay Communication

6.3.1 General

This clause describes the security requirements and the procedures that are specifically applied to 5G ProSe UE‑to‑Network Relay communication defined in TS 23.304 [2]. The security requirements for 5G ProSe Layer‑3 UE-to-Network Relay and 5G ProSe Layer-2 UE-to-Network Relay are different and are defined in clause 6.3.3 and clause 6.3.4 respectively.

There are two security mechanism options for 5G ProSe UE-to-Network Relay: security procedure over User Plane as defined in clause 6.3.3.2 and security procedure over Control Plane as defined in clause 6.3.3.3. The 5G ProSe Remote UE and 5G ProSe UE-to-Network Relay determine the security mechanism based on the Control Plane Security Indicator associated with the RSC; the Control Plane Security Indicator and the associated RSC are specified in clause 5.1.4.3.2 of TS 23.304 [2].

The functionality in this clause is supported by both 5G ProSe-enabled UEs for commercial services and public safety.

6.3.2 Security requirements

The following security requirements apply to both 5G ProSe Layer-3 UE-to-Network Relay and 5G ProSe Layer-2 UE-to-Network Relay:

– The 5G System shall support the authorization of the UE as a 5G ProSe UE-to-Network Relay in the 5G ProSe UE-to-Network Relay scenario.

– The 5G System shall support the authorization of the UE as a 5G ProSe Remote UE in the 5G ProSe UE‑to‑Network Relay scenario.

– For UE-to-Network Relay discovery, the security requirements in clause 6.1.2 apply.

– The 5G System shall support a secure means to establish a PC5 link between the 5G ProSe Remote UE and the 5G ProSe UE-to-Network Relay.

– The 5G System shall support confidentiality protection, integrity protection and replay protection for secure communication between the 5G ProSe Remote UE and the network via 5G ProSe UE-to-Network Relays.

– PC5 signalling integrity security policy is set to "REQUIRED" for the 5G ProSe Remote UE and the 5G ProSe UE-to-Network Relay.

– The 5G ProSe Remote UE shall establish a different PC5 security context with each different 5G ProSe UE-to-Network Relay and for each different Relay Service Code. It shall also be possible to establish a PC5 security context when the 5G ProSe Remote UE is out of coverage.

6.3.3 Security for 5G ProSe Communication via 5G ProSe Layer-3 UE‑to-Network Relay

6.3.3.1 Security requirements

Both user-plane (UP) based and control-plane (CP) based procedures can be used for 5G ProSe UE-to-Network Relay authorization and security establishment. The UP based procedure uses a UP connection to the 5G PKMF, while the CP based procedure uses the ProSe authentication for PC5 key establishment.

The following are the security requirements for 5G ProSe Layer-3 UE-to-Network Relay communication:

– For 5G ProSe Layer-3 UE-to-Network Relay security established over control plane, the PCF shall be able to provision the PC5 security policies to the 5G ProSe Remote UE and the UE-to-Network Relay respectively per 5G ProSe UE-to-Network Relay service, during service authorization and information provisioning procedure as defined in TS 23.304 [2].

– For 5G ProSe Layer-3 UE-to-Network Relay security established over user plane, the 5G PKMF shall be able to provision the PC5 security policies to the 5G ProSe Remote UE and the 5G ProSe UE-to-Network Relay respectively per 5G ProSe UE-to-Network Relay service, during security materials provisioning procedure defined in clause 6.3.3.2.

– The PC5 UP security policies for protecting 5G ProSe UE-to-Network Relay communication shall be configured per 5G ProSe UE-to-Network Relay service based on the security requirements of the specific relay service.

– The activation of PC5 signalling security shall be based on PC5 CP security policies of the specific 5G ProSe UE-to-Network Relay service.

– The activation of PC5 user plane security shall be based on PC5 UP security policies of the specific 5G ProSe UE-to-Network Relay service.

– 5G PKMF shall be configured with the PC5 security policies associated with each 5G ProSe Layer-3 UE‑to‑Network Relay service.

6.3.3.2 Security procedure over User Plane

6.3.3.2.1 General

This clause describes a mechanism to set up a PC5 link between a 5G ProSe Remote UE and 5G ProSe UE-to-Network Relay. The mechanism includes how a 5G ProSe Remote UE and 5G ProSe UE-to-Network Relay get authorized by the 5G ProSe Key Management Function (5G PKMF) and verify each other’s roles.

6.3.3.2.2 PC5 security establishment for 5G ProSe UE-to-Network relay communication over User Plane

Figure 6.3.3.2.2-1: PC5 security establishment procedure for 5G ProSe UE-to-Network relay communication over User Plane

The 5G ProSe Remote UE is provisioned with the discovery security materials (see clause 6.1.3.2) and ProSe Remote User Key (UP-PRUK) when it is in coverage. These security materials are associated with an expiration time, after which they become invalid. If the UE does not have valid discovery security materials, the 5G ProSe Remote UE needs to connect to the 5G PKMF and obtain fresh ones to use the 5G ProSe UE-to-Network Relay services.

NOTE 1: The procedure is described for the scenario that the 5G PKMF of the 5G ProSe Remote UE is different from the 5G PKMF of the 5G ProSe UE-to-Network Relay. If both the 5G ProSe Remote UE and the 5G ProSe UE-to-Network Relay are served by a single 5G PKMF, the 5G PKMF takes the role of the 5G PKMF of the 5G ProSe Remote UE and the 5G PKMF of the 5G ProSe UE-to-Network Relay and the inter-5G PKMF message exchanges are not needed.

NOTE 2: Steps 0a, 0b, 1a, 1b are performed when the 5G ProSe Remote UE is in coverage.

0a. The 5G ProSe Remote UE gets the 5G PKMF address from the 5G DDNMF of its HPLMN. Alternatively, the 5G ProSe Remote UE may be provisioned with the 5G PKMF address by PCF. If the 5G ProSe Remote UE is provisioned with the 5G PKMF address, the 5G ProSe Remote UE may access the 5G PKMF directly without requesting it from the 5G DDNMF. In case the 5G ProSe Remote UE cannot access the 5G PKMF using the provisioned 5G PKMF address, the 5G ProSe Remote UE may request the 5G PKMF address from the 5G DDNMF.

0b. The 5G ProSe Remote UE shall establish a secure connection with the 5G PKMF via PC8 reference point. Security for PC8 interface relies on Ua security if GBA specified in TS 33.220 [8] is used (see clause 5.2.3.4) or Ua* security if AKMA specified in TS 33.535 [5] is used (see clause 5.2.5.4). The 5G PKMF of the 5G ProSe Remote UE shall check whether the 5G ProSe Remote UE is authorized to receive UE-to-Network Relay service, and if the UE is authorized, the 5G PKMF of the 5G ProSe Remote UE provides the discovery security materials to the 5G ProSe Remote UE. If the 5G ProSe Remote UE provides a list of visited networks, the 5G PKMF of the 5G ProSe Remote UE shall request the discovery security materials from the 5G PKMFs of the potential 5G ProSe UE-to-Network Relays from which the 5G ProSe Remote UE gets the relay services. The 5G PKMF of the 5G ProSe UE-to-Network Relay may include the PC5 security policies to the 5G ProSe Remote UE.

NOTE 3: The 5G PKMF may be locally configured with the UE’s authorization information. Otherwise, the 5G PKMF interacts with the UDM of the UE to retrieve the UE’s authorization information.

NOTE 4: The 5G ProSe Remote UE is provisioned by PCF with a list of the potential visited networks for the 5G ProSe UE-to-Network Relay service (which is identified by RSC).

0c. The 5G ProSe UE-to-Network Relay gets the 5G PKMF address from its HPLMN in the same way as described in step 0a.

0d. The 5G ProSe UE-to-Network Relay shall establish a secure connection with the 5G PKMF via PC8 reference point as in step 0b. The 5G PKMF of the 5G ProSe UE-to-Network Relay shall check whether the 5G ProSe UE-to-Network Relay is authorized to provide 5G ProSe UE-to-Network Relay service, and if the UE is authorized, the 5G PKMF of the 5G ProSe UE-to-Network Relay provides the discovery security materials to the 5G ProSe UE-to-Network Relay. The 5G PKMF of the 5G ProSe UE-to-Network Relay may include the PC5 security policies to the 5G ProSe UE-to-Network Relay.

1a. The 5G ProSe Remote UE sends a UP-PRUK Request message to its 5G PKMF. The message indicates that the 5G ProSe Remote UE is requesting a UP-PRUK from the 5G PKMF. If the 5G ProSe Remote UE already has a UP-PRUK from this 5G PKMF, the message shall also contain the UP-PRUK ID of the UP-PRUK.

UP-PRUK ID shall take the form of either the NAI format or the 64-bit string. If the UP-PRUK ID is in NAI format, i.e. username@realm, the realm part shall include Home Network Identifier (i.e. HPLMN ID). The username part shall include the 64-bit string.

1b. The 5G PKMF checks whether the 5G ProSe Remote UE is authorized to receive UE-to-Network Relay services. This is done by using the 5G ProSe Remote UE’s identity associated with the key used to establish the secure connection between the 5G ProSe Remote UE and 5G PKMF in step 0b. If the 5G ProSe Remote UE is authorized to receive the service, the 5G PKMF sends a UP-PRUK and UP-PRUK ID to the 5G ProSe Remote UE. If a UP-PRUK and UP-PRUK ID are included, the 5G ProSe Remote UE shall store these and delete any previously stored ones for this 5G PKMF.

2. The discovery procedure is performed between the 5G ProSe Remote UE and the 5G ProSe UE-to-Network Relay using the discovery parameters and discovery security material as described in clause 6.1.3.2.

3. The 5G ProSe Remote UE sends a Direct Communication Request (DCR) to the 5G ProSe UE-to-Network Relay that contains the UP-PRUK ID (or a SUCI if the Remote UE does not have a valid UP-PRUK), the Relay Service Code (RSC) of the 5G ProSe UE-to-Network Relay service and KNRP freshness parameter 1. If the UP-PRUK ID is not in NAI format, the DCR message shall include the HPLMN ID of the 5G ProSe Remote UE. The PC5 security establishment procedure between the 5G ProSe Remote UE and the 5G ProSe UE-to-Network Relay, including security parameters and security policy negotiation and protection of messages hereafter, shall follow the one-to-one security establishment described in clause 6.2.3 of the present document. Only additional parameters required for the 5G ProSe Layer-3 UE-to-Network Relay scenario are described in this clause. The privacy and integrity protection of DCR are described in clause 6.3.5.

4a. The 5G ProSe UE-to-Network Relay sends a Key Request message that contains UP-PRUK ID or SUCI, RSC and KNRP freshness parameter 1 to its 5G PKMF. The Key Request message shall also include the HPLMN ID of the 5G ProSe Remote UE if it is included in the DCR.

4b. On receiving the Key Request message, the 5G PKMF of the 5G ProSe UE-to-Network Relay shall check if the 5G ProSe UE-to-Network Relay is authorized to provide relay service to the 5G ProSe Remote UE based on the 5G ProSe UE-to-Network Relay’s identity associated with the key used to establish the secure PC8 connection and the received RSC.

NOTE 4a: The 5G PKMF of the 5G ProSe UE-to-Network Relay needs to do the authorization of RSC based on its implementation.

If the 5G ProSe UE-to-Network Relay’s authorization information is not locally available, the 5G PKMF shall request the authorization information from the UDM of the 5G ProSe UE-to-Network Relay (not shown in the figure) using Nudm_SDM_Get service as described in TS 23.502 [13]. If the 5G ProSe UE-to-Network Relay is authorized to provide the relay service based on ProSe Subscription data as specified in TS 23.502 [10], the 5G PKMF of the 5G ProSe UE-to-Network Relay sends the Key Request with the UP-PRUK ID or the SUCI to the 5G PKMF of the 5G ProSe Remote UE. The 5G PKMF of the 5G ProSe UE-to-Network Relay identifies the 5G PKMF address of the 5G ProSe Remote UE based on the UP-PRUK ID or HPLMN ID or SUCI of the 5G ProSe Remote UE if it is included in the Key Request message.
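The UP-PRUK ID format rule (step 1a), the HPLMN ID rule for the DCR (step 3), its forwarding in the Key Request (step 4a) and the selection of the Remote UE's 5G PKMF (step 4b) as one added example, not code from the specification. Assumptions: the 64-bit string is carried as 16 hex digits, the NAI realm carries the HPLMN ID as mnc/mcc labels, and the SUCI appears in the dash-separated string form suci-0-<MCC>-<MNC>-...; the page fixes none of these encodings.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed textual encodings (the page fixes the 64-bit width only, not the representation).
_HEX64 = re.compile(r"^[0-9A-Fa-f]{16}$")
_REALM = re.compile(r"^(?:[a-z0-9-]+\.)*mnc(\d{2,3})\.mcc(\d{3})\.3gppnetwork\.org$")


@dataclass(frozen=True)
class UpPrukId:
    key_part: str               # the 64-bit string, upper-case hex
    hplmn_id: Optional[str]     # "MCC-MNC" when taken from an NAI realm, else None

    @property
    def is_nai(self) -> bool:
        return self.hplmn_id is not None


def parse_up_pruk_id(value: str) -> UpPrukId:
    """Accept username@realm (username = 64-bit string, realm carries the HPLMN ID)
    or the bare 64-bit string; reject anything else."""
    if "@" in value:
        username, _, realm = value.partition("@")
        if not _HEX64.match(username):
            raise ValueError("NAI username must be the 64-bit string")
        m = _REALM.match(realm.lower())
        if not m:
            raise ValueError("NAI realm must include the Home Network Identifier (HPLMN ID)")
        mnc, mcc = m.groups()
        return UpPrukId(username.upper(), f"{mcc}-{mnc}")
    if not _HEX64.match(value):
        raise ValueError("UP-PRUK ID must be in NAI format or a 64-bit string")
    return UpPrukId(value.upper(), None)


def suci_home_network(suci: str) -> str:
    """Home Network Identifier (MCC-MNC) from the assumed suci-0-<MCC>-<MNC>-... string form."""
    parts = suci.split("-")
    if len(parts) < 4 or parts[0] != "suci":
        raise ValueError("unrecognised SUCI string form")
    return f"{parts[2]}-{parts[3]}"


def build_dcr(up_pruk_id: Optional[str], suci: Optional[str], remote_hplmn_id: str,
              rsc: int, knrp_fresh_1: bytes) -> dict:
    """Remote UE, step 3: UP-PRUK ID (or SUCI without a valid UP-PRUK), RSC, KNRP
    freshness parameter 1; the HPLMN ID is added only for a non-NAI UP-PRUK ID."""
    dcr = {"rsc": rsc, "knrp_freshness_1": knrp_fresh_1.hex()}
    if up_pruk_id is not None:
        dcr["up_pruk_id"] = up_pruk_id
        if not parse_up_pruk_id(up_pruk_id).is_nai:
            dcr["hplmn_id"] = remote_hplmn_id
    elif suci is not None:
        dcr["suci"] = suci
    else:
        raise ValueError("DCR needs either a UP-PRUK ID or a SUCI")
    return dcr


def build_key_request(dcr: dict) -> dict:
    """Relay, step 4a: forward identity, RSC and freshness 1, plus the HPLMN ID if the DCR carried it."""
    return {k: dcr[k] for k in ("up_pruk_id", "suci", "rsc", "knrp_freshness_1", "hplmn_id") if k in dcr}


def remote_home_network(key_request: dict) -> str:
    """Relay's 5G PKMF, step 4b: identify the Remote UE's home network (and so its 5G PKMF)
    from the UP-PRUK ID realm, else the HPLMN ID, else the SUCI."""
    if "up_pruk_id" in key_request:
        pid = parse_up_pruk_id(key_request["up_pruk_id"])
        if pid.is_nai:
            return pid.hplmn_id
        if "hplmn_id" in key_request:
            return key_request["hplmn_id"]
        raise ValueError("non-NAI UP-PRUK ID without HPLMN ID: Key Request cannot be routed")
    if "suci" in key_request:
        return suci_home_network(key_request["suci"])
    raise ValueError("Key Request carries neither UP-PRUK ID nor SUCI")


if __name__ == "__main__":
    # Constructed sample identifiers, not values from the specification.
    nai_id = "0123456789ABCDEF@5gc.mnc015.mcc234.3gppnetwork.org"
    for dcr in (build_dcr(nai_id, None, "234-015", 1, b"\x01" * 16),
                build_dcr("0123456789abcdef", None, "234-015", 1, b"\x02" * 16),
                build_dcr(None, "suci-0-234-015-0000-1-1-ABCD", "234-015", 1, b"\x03" * 16)):
        print(sorted(dcr), "->", remote_home_network(build_key_request(dcr)))
```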

NOTE 4b: The 5G PKMF of the 5G ProSe Remote UE needs to do the authorization of RSC based on its implementation.

4c. On receiving the Key Request message from the 5G PKMF of the 5G ProSe UE-to-Network Relay, the 5G PKMF of the 5G ProSe Remote UE shall check if the 5G ProSe Remote UE is authorized to use the relay service. The relay service authorization check shall be based on the UP-PRUK ID and RSC included in the Key Request message or the SUPI of the Remote UE and the RSC included in the Key Request message. If a SUCI is included in the Key Request message, the 5G PKMF of the 5G ProSe Remote UE shall request the UDM of the 5G ProSe Remote UE to de-conceal the SUCI to gain the SUPI using Nudm_UEIdentifier_Deconceal service, and the UDM invokes SIDF to de-conceal SUCI to gain SUPI. If the 5G ProSe Remote UE’s authorization information is not locally available, the 5G PKMF shall request the authorization information from the UDM of the 5G ProSe Remote UE (not shown in figure 6.3.3.2.2-1).

NOTE 5: Privacy issues need to be considered while determining whether the SUPI is to be sent to the PKMF. For a privacy control, the UDM can authorize the PKMF based on its NF type or the service provider domain.

If a new UP-PRUK is required, the 5G PKMF shall perform one of the following procedures (as shown in step 4c in figure 6.3.3.2.2-1):

– If the 5G PKMF of the 5G ProSe Remote UE supports the Zpn interface to the BSF of the 5G ProSe Remote UE, the 5G PKMF of the 5G ProSe Remote UE may request a GBA Push Info (GPI – see TS 33.223 [9]) for the 5G ProSe Remote UE from the BSF. When requesting the GPI, the 5G PKMF shall include a UP-PRUK ID in the P-TID field. On receiving the GPI, the 5G PKMF shall use Ks(_ext)_NAF as the UP-PRUK.

– If the 5G PKMF of the 5G ProSe Remote UE supports the SBI interface to the BSF of the 5G ProSe Remote UE, the 5G PKMF may request the GPI via SBI interface as described in TS 33.223 [9]. On receiving the GPI, the 5G PKMF shall use Ks(_ext)_NAF as the UP-PRUK.

– If the 5G PKMF of the 5G ProSe Remote UE supports the PC4a interface to the HSS of the UE, then the 5G PKMF of 5G ProSe Remote UE may request a GBA Authentication Vector (AV) for the 5G ProSe Remote UE from the HSS. On receiving the AV, the 5G PKMF locally forms the GPI including a UP-PRUK ID in the P-TID field. The 5G PKMF shall use Ks(_ext)_NAF as the UP-PRUK.

– If the 5G PKMF of the 5G ProSe Remote UE is co-located or integrated with BSF functionality and supports the SBI interface to the UDM/HSS of the 5G ProSe Remote UE, the 5G PKMF may request the GBA AV via SBI interface as described in TS 33.220 [8]. On receiving the AV, the 5G PKMF locally forms the GPI including a UP-PRUK ID in the P-TID field. The 5G PKMF shall use Ks(_ext)_NAF as the UP-PRUK.

NOTE 6: GPI is supported only when GBA is used.

4d. The 5G PKMF of the 5G ProSe Remote UE shall generate KNRP freshness parameter 2 and derive KNRP using the UP-PRUK identified by UP-PRUK ID, RSC, KNRP freshness parameter 1 and KNRP freshness parameter 2 as specified in A.8. Then, the 5G PKMF of the 5G ProSe Remote UE sends a Key Response message that contains KNRP and KNRP freshness parameter 2 to the 5G PKMF of the 5G ProSe UE-to-Network Relay. This message shall include GPI if generated. The 5G PKMF of the 5G ProSe Remote UE shall also include the Remote User ID of the 5G ProSe Remote UE in the Key Response message to the 5G ProSe UE-to-Network Relay. UP-PRUK ID is used as a Remote User ID in the present document.

4e. The 5G PKMF of the 5G ProSe UE-to-Network Relay sends the Key Response message to the 5G ProSe UE-to-Network Relay, which includes the Remote User ID, KNRP, KNRP freshness parameter 2 and, if it was used to calculate a fresh UP-PRUK, the GPI.

5a. The 5G ProSe UE-to-Network Relay shall derive the session key (KNRP-SESS) from KNRP and then derive the confidentiality key (NRPEK) (if applicable) and integrity key (NRPIK) based on the PC5 security policies as specified in TS 33.536 [6]. The 5G ProSe UE-to-Network Relay shall store the Remote User ID received in step 4d. The 5G ProSe UE-to-Network Relay sends a Direct Security Mode Command message to the 5G ProSe Remote UE. This message shall also include the KNRP Freshness Parameter 2 in addition to the parameters specified in TS 33.536 [6] and shall be protected as specified in TS 33.536 [6].

5b. If the 5G ProSe Remote UE receives the message containing the GPI, it processes the GPI as described in TS 33.223 [9]. The 5G ProSe Remote UE shall derive the UP-PRUK and obtain the UP-PRUK ID from the GPI.

The 5G ProSe Remote UE shall derive KNRP from its UP-PRUK, RSC, KNRP Freshness Parameter 1 and the received KNRP Freshness Parameter 2 as specified in A.8. It shall then derive the session key (KNRP-SESS) and the confidentiality key (NRPEK) (if applicable) and integrity key (NRPIK) based on the PC5 security policies in the same manner as the 5G ProSe UE-to-Network Relay and process the Direct Security Mode Command. Successful verification of the Direct Security Mode Command assures the 5G ProSe Remote UE that the 5G ProSe UE-to-Network Relay is authorized to provide the relay service.

Handling of synchronization failure (for details of synchronization failures, see TS 33.102 [11]) when the UE processes the authentication challenge in the GPI is performed similarly to clause 6.7.3.2.1.2 in TS 33.303 [4]. The 5G ProSe Remote UE shall send a Direct Security Mode Failure message and include RAND and AUTS in the message. The 5G ProSe UE-to-Network Relay shall send the key request message to the 5G PKMF of the 5G ProSe Remote UE via the 5G PKMF of the 5G ProSe UE-to-Network Relay upon receiving the Direct Security Mode Failure message from the 5G ProSe Remote UE. The key request message shall include the HPLMN ID of the 5G ProSe Remote UE, if provided in step 3, the UP-PRUK ID or the SUCI of the 5G ProSe Remote UE received in step 3, the Relay Service Code and KNRP freshness parameter 1 together with the RAND and the AUTS received from the 5G ProSe Remote UE. If the 5G PKMF of the 5G ProSe Remote UE decides to retry the GBA Push procedure, the 5G PKMF of the 5G ProSe Remote UE shall request GPI as described in step 4c.

5c. The 5G ProSe Remote UE responds with a Direct Security Mode Complete message to the 5G ProSe UE‑to‑Network Relay as specified in TS 33.536 [6].

5d. On receiving the Direct Security Mode Complete message, the 5G ProSe UE-to-Network Relay shall verify the Direct Security Mode Complete message. Successful verification of the Direct Security Mode Complete message assures the 5G ProSe UE-to-Network Relay that the 5G ProSe Remote UE is authorized to get the relay service.

5e. After successful verification, the 5G ProSe UE-to-Network Relay responds with a Direct Communication Accept message to the 5G ProSe Remote UE to complete the PC5 connection establishment procedure.

6. The 5G ProSe Remote UE and 5G ProSe UE-to-Network Relay continue the rest of the procedure for the relay service over the secure PC5 link, such as establishing a new PDU session or modifying an existing PDU session for relaying, if needed.

When the 5G ProSe Layer-3 UE-to-Network Relay sends a Remote UE Report to the SMF as specified in TS 23.304 [2], the 5G ProSe Layer-3 UE-to-Network Relay shall include Remote User ID received in step 4d. If the UP-PRUK ID used as Remote User ID is not in NAI format, the 5G ProSe Layer-3 UE-to-Network Relay shall include the HPLMN ID of the 5G ProSe Remote UE in the Remote UE Report.

If the 5G ProSe Remote UE receives from the 5G ProSe UE-to-Network Relay a Direct Connection Reject due to UP-PRUK ID not found in the network, the 5G ProSe Remote UE shall not attempt to reconnect with the 5G ProSe UE-to-Network Relay using the UP-PRUK ID. The 5G ProSe Remote UE may attempt to connect with the 5G ProSe UE-to-Network Relay using its SUCI.

NOTE: The UP-PRUK ID not being found condition is detected by the 5G PKMF of the 5G ProSe Remote UE if it does not find a valid UP-PRUK that corresponds to the received UP-PRUK ID. The 5G ProSe UE-to-Network Relay is informed of this condition via the 5G PKMF of the 5G ProSe UE-to-Network Relay.

6.3.3.2.3 PC5 Key Hierarchy over User Plane

Figure 6.3.3.2.3-1: PC5 Key Hierarchy for 5G ProSe UE-to-Network Relay security over User Plane

The different layers of keys (see figure 6.3.3.2.3-1) are the following:

– UP-PRUK: The root key of the PC5 unicast link.

– KNRP: The key is equivalent to KNRP as specified in TS 33.536 [6]. This key is derived as specified in clause A.8.

– KNRP-SESS: This key is derived as specified in TS 33.536 [6].

– NRPEK, NRPIK: These keys are derived as specified in TS 33.536 [6].

6.3.3.3 Security procedure over Control Plane

6.3.3.3.1 General

This clause describes the security mechanisms for the 5G ProSe Layer-3 UE-to-Network Relay authentication, authorization and key management using the 5G ProSe Remote UE specific authentication for PC5 keys establishment. EAP-AKA’, as specified in RFC 9048 [xx], shall be used for 5G ProSe Remote UE authentication. The EAP-AKA’ implementations shall comply with the EAP-AKA’ profile specified in Annex F of TS 33.501 [3]. Network entities AMF, AUSF and UDM are involved for key derivation and distribution of keys used for 5G ProSe UE-to-Network Relay communication. The UE shall be provisioned with necessary policies and parameters to use 5G ProSe services, as part of the UE ProSe Policy information as defined in clause 4.2.2 of TS 23.503 [7]. PCF shall provision the authorization policy and parameters for 5G ProSe UE-to-Network Relay discovery and communication as specified in clause 5.1.4 of TS 23.304 [2].

6.3.3.3.2 PC5 security establishment for 5G ProSe UE-to-Network relay communication over Control Plane

This clause describes the procedure for establishing a PC5 link between the 5G ProSe Remote UE and the 5G ProSe UE-to-Network Relay. The procedure includes how the 5G ProSe Remote UE is authenticated by the AUSF of the 5G ProSe Remote UE via the 5G ProSe UE-to-Network Relay and the AMF of the 5G ProSe UE-to-Network Relay during 5G ProSe PC5 establishment. This mechanism can be used when the 5G ProSe Remote UE is out of coverage.

Figure 6.3.3.3.2-1: PC5 security establishment procedure for 5G ProSe UE-to-Network relay communication over Control Plane

0. The 5G ProSe Remote UE and the 5G ProSe UE-to-Network Relay shall be registered with the network. The 5G ProSe UE-to-Network Relay shall be authenticated and authorized by the network to provide UE-to-Network Relay service. The 5G ProSe Remote UE shall be authenticated and authorized by the network to receive UE-to-Network Relay service. PC5 security policies are provisioned to the 5G ProSe Remote UE and the 5G ProSe UE-to-Network Relay respectively during this authorization and information provisioning procedure.

1. The 5G ProSe Remote UE or Relay UE shall initiate discovery procedure using any of Model A or Model B method as specified in clause 6.3.1.2 or 6.3.1.3 of TS 23.304 [2] respectively.

2. After the discovery of the 5G ProSe UE-to-Network Relay, the 5G ProSe Remote UE shall send a Direct Communication Request to the 5G ProSe UE-to-Network Relay for establishing secure PC5 unicast link. The 5G ProSe Remote UE shall include its security capabilities and PC5 signalling security policy in the DCR message as specified in TS 33.536 [6]. The message shall also include Relay Service Code, Nonce_1.

If the 5G ProSe Remote UE does not have a valid 5G ProSe Remote User Key (CP-PRUK), the 5G ProSe Remote UE shall include SUCI in the DCR to trigger 5G ProSe Remote UE specific authentication and establish a CP-PRUK.

If the 5G ProSe Remote UE already has a valid CP-PRUK for the Relay Service Code, the 5G ProSe Remote UE shall include the associated CP-PRUK ID in the DCR to indicate that the 5G ProSe Remote UE wants to get relay connectivity using the CP-PRUK. The privacy and integrity protection of DCR are described in clause 6.3.5.

3. Upon receiving the DCR message, the 5G ProSe UE-to-Network Relay shall send the Relay Key Request to the AMF of the 5G ProSe UE-to-Network Relay, including SUCI or CP-PRUK ID, RSC and Nonce_1 received in the DCR message. The 5G ProSe UE-to-Network Relay shall also include in the message a transaction identifier that identifies the 5G ProSe Remote UE for the subsequent messages over 5G ProSe UE‑to‑Network Relay’s NAS messages.

4. The AMF of the 5G ProSe UE-to-Network Relay shall verify with the UDM whether the 5G ProSe UE-to-Network Relay is authorized to provide the UE-to-Network Relay service.

5. The AMF of the 5G ProSe UE-to-Network Relay shall select an AUSF based on SUCI or CP-PRUK ID and forward the parameters received in Relay Key Request to the AUSF in a Nausf_UEAuthentication_ProseAuthenticate Request message. The Nausf_UEAuthentication_ProseAuthenticate Request message shall contain the 5G ProSe Remote UE’s SUCI or CP-PRUK ID, Relay Service Code and Nonce_1. If CP-PRUK ID is received from the AMF of the 5G ProSe UE‑to‑Network Relay, the AUSF of the 5G ProSe Remote UE temporarily stores Nonce_1 and skips steps 6-9. If the 5G ProSe Remote UE’s SUCI is received from the AMF of the 5G ProSe UE-to-Network Relay, the AUSF of the 5G ProSe Remote UE temporarily stores Nonce_1 and Relay Service Code and skips step 10.

6. The AUSF shall initiate a 5G ProSe Remote UE specific authentication using the ProSe specific parameters received (i.e. RSC, etc.). The serving network name handling is the same as defined in TS 33.501 [3].

The AUSF of the 5G ProSe Remote UE shall retrieve the Authentication Vectors and the Routing Indicator of the 5G ProSe Remote UE from the UDM via Nudm_UEAuthentication_GetProseAv Request message. Upon reception of the Nudm_UEAuthentication_GetProSeAv Request, the UDM shall invoke SIDF to de-conceal the SUCI to gain the SUPI before the UDM can process the request. The UDM checks whether the UE is authorized to use a ProSe UE-to-Network Relay service based on authorization information in the UE’s Subscription data. If the UE is authorized, the UDM shall choose the EAP-AKA’ authentication method based on the received Nudm_UEAuthentication_GetProseAv Request.

7a. The AUSF shall temporarily store XRES, Routing indicator and SUPI. The AUSF of the 5G ProSe Remote UE shall trigger authentication of the 5G ProSe Remote UE based on EAP-AKA’. The AUSF of the 5G ProSe Remote UE generates the EAP-Request/AKA’-Challenge message defined in clause 6.1.3.1 of TS 33.501 [3] and sends the EAP-Request/AKA’-Challenge message to the AMF of the 5G ProSe UE-to-Network Relay in a Nausf_UEAuthentication_ProSeAuthenticate Response message.

7b. The AMF of the 5G ProSe UE-to-Network Relay shall forward the Relay Authentication Request (including the EAP-Request/AKA’-Challenge) to the 5G ProSe UE-to-Network Relay over NAS message, including transaction identifier of the 5G ProSe Remote UE in the message. The NAS message is protected using the NAS security context created for the 5G ProSe UE-to-Network Relay.

7c. Based on the transaction identifier, the 5G ProSe UE-to-Network Relay shall forward the EAP-Request/AKA’-Challenge to the 5G ProSe Remote UE over PC5 messages.

The USIM in the 5G ProSe Remote UE verifies the freshness of the received values by checking whether AUTN can be accepted as described in TS 33.102 [11].

For EAP-AKA’, the USIM computes a response RES. The USIM shall return RES, CK, IK to the ME. The ME shall derive CK’ and IK’ according to clause A.3 in TS 33.501 [3].

7d. The 5G ProSe Remote UE shall return EAP-Response/AKA’-Challenge to the 5G ProSe UE-to-Network Relay over PC5 messages.

7e. The 5G ProSe UE-to-Network Relay forwards the EAP-Response/AKA’-Challenge together with the transaction identifier of the 5G ProSe Remote UE to the AMF of the 5G ProSe UE-to-Network Relay in a NAS message Relay Authentication Response.

7f. The AMF of the 5G ProSe UE-to-Network Relay forwards EAP-Response/AKA’-Challenge to the AUSF of the 5G ProSe Remote UE via Nausf_UEAuthentication_ProSeAuthenticate Request.

The AUSF of the 5G ProSe Remote UE performs the UE authentication by verifying the received information as described in TS 33.501 [3].

For EAP-AKA’, the AUSF of the 5G ProSe Remote UE and the 5G ProSe Remote UE may exchange EAP-Request/AKA’-Notification and EAP-Response/AKA’-Notification messages via the AMF of the 5G ProSe UE-to-Network Relay and the 5G ProSe UE-to-Network Relay. After the exchanges, the AUSF of the 5G ProSe Remote UE and the 5G ProSe Remote UE shall derive the KAUSF_P in the same way as KAUSF is derived in TS 33.501 [3].

8. On successful authentication, the AUSF of the 5G ProSe Remote UE and the 5G ProSe Remote UE shall generate CP-PRUK as specified in clause A.2 and CP-PRUK ID.

The CP-PRUK ID is in NAI format as specified in clause 2.2 of IETF RFC 7542 [14], i.e. username@realm. The username part includes the Routing Indicator from step 6 and the CP-PRUK ID*, and the realm part includes Home Network Identifier. The CP-PRUK ID* is specified in clause A.3.

9a. The AUSF of the 5G ProSe Remote UE shall select the PAnF (ProSe Anchor Function) based on CP-PRUK ID and send the SUPI, RSC, CP-PRUK and CP-PRUK ID in Npanf_ProseKey_Register Request message to the PAnF.

9b. The PAnF shall store the Prose context info (i.e. SUPI, RSC, CP-PRUK, CP-PRUK ID) for the 5G ProSe Remote UE and send Npanf_ProseKey_Register Response message to the AUSF.

10a. The AUSF of the 5G ProSe Remote UE shall select the PAnF based on CP-PRUK ID and send received CP-PRUK ID and RSC in Npanf_ProseKey_get Request message.

10b. The PAnF retrieves CP-PRUK based on the CP-PRUK ID and checks whether the 5G ProSe Remote UE is authorized to use the UE-to-Network Relay service based on received RSC, i.e. the PAnF uses Nudm_SDM operation defined in TS 23.502 [10] to check with the UDM whether the Remote UE is authorized to use ProSe UE-to-Network Relay service by using the SUPI. If the 5G ProSe Remote UE is authorized and the retrieved CP-PRUK is valid, the PAnF sends Npanf_ProseKey_get Response message with CP-PRUK to the AUSF.

If the CP-PRUK is stale, the PAnF treats it as invalid based on local policy. When receiving a Npanf_ProseKey_get Request in such a case, the PAnF responds with CP-PRUK not found.

11. The AUSF of the 5G ProSe Remote UE shall generate Nonce_2 and derive the KNR_ProSe key using CP-PRUK, Nonce_1 and Nonce_2 as defined in clause A.4.

12. The AUSF of the 5G ProSe Remote UE shall send the KNR_ProSe, Nonce_2 in Nausf_UEAuthentication_ProseAuthenticate Response message to the 5G ProSe UE-to-Network Relay via the AMF of the 5G ProSe UE-to-Network Relay. EAP Success message shall be included if step 7 is performed successfully. The AUSF of the 5G ProSe Remote UE shall also include the CP-PRUK ID in the message.

13. When receiving a KNR_ProSe from the AUSF of the 5G ProSe Remote UE via the AMF of the 5G ProSe UE-to-Network Relay, the 5G ProSe UE-to-Network Relay derives PC5 session key Krelay-sess and confidentiality key Krelay-enc (if applicable) and integrity key Krelay-int from KNR_ProSe, as defined in clause 6.3.3.3.3 of the present document. KNR_ProSe ID and Krelay-sess ID are established in the same way as KNRP ID and KNRP-sess ID in TS 33.536 [6]. The CP-PRUK ID is sent from the AMF of the 5G ProSe UE-to-Network Relay to the UE-to-Network Relay. The EAP Success message is also sent from the AMF of the 5G ProSe UE‑to-Network Relay to the UE-to-Network Relay if received from the AUSF.

14. The 5G ProSe UE-to-Network Relay shall send the received Nonce_2 and 5G ProSe Remote UE’s PC5 signalling security policy to the 5G ProSe Remote UE in Direct Security mode command message, which is integrity protected using Krelay-int. EAP Success message shall be included if received from the AMF of the 5G ProSe UE-to-Network Relay.

15. The 5G ProSe Remote UE shall generate the KNR_ProSe key to be used for remote access via the 5G ProSe UE‑to-Network Relay in the same way as defined in step 11. The 5G ProSe Remote UE shall derive PC5 session key Krelay-sess and confidentiality and integrity keys from KNR_ProSe in the same way as defined in step 13.

The 5G ProSe Remote UE shall verify the Direct Security Mode Command message. Successful verification of the Direct Security Mode Command message assures the 5G ProSe Remote UE that the 5G ProSe UE-to-Network Relay is authorized to provide the relay service.

16. The 5G ProSe Remote UE shall send the Direct Security Mode Complete message containing its PC5 user plane security policies to the 5G ProSe UE-to-Network Relay, which is protected by Krelay-int and/or Krelay-enc derived from Krelay-sess according to the negotiated PC5 signalling policies between the 5G ProSe Remote UE and the 5G ProSe UE-to-Network Relay.

17. On receiving the Direct Security Mode Complete message, the 5G ProSe UE-to-Network Relay shall verify the Direct Security Mode Complete message. Successful verification of the Direct Security Mode Complete message assures the 5G ProSe UE-to-Network Relay that the 5G ProSe Remote UE is authorized to get the relay service.

After the successful verification of the Direct Security Mode Complete message, the 5G ProSe UE-to-Network Relay responds with a Direct Communication Accept message to the 5G ProSe Remote UE to finish the PC5 connection establishment procedure and stores the CP-PRUK ID in the security context associated with the PC5 link with the 5G ProSe Remote UE.

Further communication between the 5G ProSe Remote UE and the Network takes place securely via the 5G ProSe UE‑to-Network Relay.

When the 5G ProSe Layer-3 UE-to-Network Relay sends a Remote UE Report to the SMF as specified in TS 23.304 [2], the 5G ProSe Layer-3 UE-to-Network Relay shall include the Remote User ID (i.e. the CP-PRUK ID received in step 13) in the message.

If the 5G ProSe Remote UE receives from the 5G ProSe UE-to-Network Relay a Direct Connection Reject due to CP-PRUK ID not found in the network, the 5G ProSe Remote UE shall not attempt to reconnect with the 5G ProSe UE-to-Network Relay using the CP-PRUK ID. The 5G ProSe Remote UE may attempt to connect with the 5G ProSe UE-to-Network Relay using its SUCI.

NOTE: The CP-PRUK ID not being found condition is detected by the PAnF if it does not find a ProSe context info for the 5G ProSe Remote UE that corresponds to the received CP-PRUK ID. The 5G ProSe UE-to-Network Relay is informed of this condition via the AUSF of the 5G ProSe Remote UE and AMF of the 5G ProSe UE-to-Network Relay.

6.3.3.3.3 PC5 Key Hierarchy over Control Plane

Figure 6.3.3.3.3-1: PC5 Key Hierarchy for 5G ProSe UE-to-Network Relay security over Control Plane

The different layers of keys (see figure 6.3.3.3.3-1) are the following:

– KAUSF_P: A key derived based on 5G ProSe Remote UE specific authentication, only used to derive CP-PRUK.

– CP-PRUK: The root credential derived from KAUSF_P that is the root of security of the PC5 unicast link used for 5G ProSe UE-to-Network Relay service.

– KNR_ProSe: This is a 256-bit root key that is established between the two entities that are communicating using the NR PC5 unicast link.

– Krelay-sess: This is the 256-bit key that is derived by the UE from KNR_ProSe and is used to derive the keys that protect the transfer of data between the UEs. The Krelay-sess is derived per unicast link in the same way as KNRP-sess specified in TS 33.536 [6]. During an activated unicast communication session between the UEs, the Krelay-sess may be refreshed by running the rekeying procedure. The keys for the confidentiality and integrity algorithms are derived directly from Krelay-sess. The 16-bit Krelay-sess ID identifies the Krelay-sess.

– Krelay-int, Krelay-enc: The Krelay-int and Krelay-enc are used in the chosen integrity and confidentiality algorithms respectively for protecting PC5-S signalling, PC5 RRC signalling, and PC5 user plane data. These keys are equivalent to NRPIK and NRPEK as specified in TS 33.536 [6]. They are derived from Krelay-sess and are refreshed automatically every time Krelay-sess is changed.
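The following Python model is an added example, not text or code from TS 33.503, covering steps 10-15 of the procedure above together with the key hierarchy of this clause: the PAnF lookup (including the stale and not-found cases), the Nonce_1/Nonce_2 exchange, the KNR_ProSe and Krelay-sess/Krelay-int/Krelay-enc derivations, and the Remote UE's check of the Direct Security Mode Command. Every KDF and the MIC are HMAC-SHA256 stand-ins and the PAnF's UDM authorization check is reduced to a stored-RSC comparison; these are assumptions, not the Annex A functions, and all identifiers and key values are constructed.

```python
import hmac, hashlib, secrets

def kdf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in KDF (assumption): HMAC-SHA256 over the concatenated inputs.
    The real derivations (clauses A.2, A.4 and 6.3.3.3.3) are not reproduced here."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

class PAnF:
    """ProSe Anchor Function: ProSe context stored per CP-PRUK ID (steps 9a/9b)."""
    def __init__(self):
        self.contexts = {}          # CP-PRUK ID -> {supi, rsc, cp_pruk, valid}

    def register(self, supi, rsc, cp_pruk, cp_pruk_id):
        self.contexts[cp_pruk_id] = {"supi": supi, "rsc": rsc, "cp_pruk": cp_pruk, "valid": True}

    def prosekey_get(self, cp_pruk_id, rsc):
        """Step 10b. Unknown ID, stale key, or an RSC the UE is not authorized for
        (the UDM check is simplified to a stored-RSC comparison) -> 'CP-PRUK not found'."""
        ctx = self.contexts.get(cp_pruk_id)
        if ctx is None or not ctx["valid"] or ctx["rsc"] != rsc:
            return None
        return ctx["cp_pruk"]

def derive_knr_prose(cp_pruk, nonce_1, nonce_2):
    return kdf(cp_pruk, b"KNR_ProSe", nonce_1, nonce_2)        # step 11 (AUSF) and step 15 (Remote UE)

def derive_pc5_keys(knr_prose):
    """Step 13: KNR_ProSe -> Krelay-sess -> (Krelay-int, Krelay-enc), the hierarchy of clause 6.3.3.3.3."""
    krelay_sess = kdf(knr_prose, b"Krelay-sess")
    return krelay_sess, kdf(krelay_sess, b"int"), kdf(krelay_sess, b"enc")

def ausf_relay_key_request(panf, cp_pruk_id, rsc, nonce_1):
    """AUSF side of steps 10-12: returns (KNR_ProSe, Nonce_2), or None when the PAnF reports not found."""
    cp_pruk = panf.prosekey_get(cp_pruk_id, rsc)
    if cp_pruk is None:
        return None
    nonce_2 = secrets.token_bytes(16)
    return derive_knr_prose(cp_pruk, nonce_1, nonce_2), nonce_2

def remote_ue_verify_dsmc(cp_pruk, nonce_1, nonce_2, dsmc, mic):
    """Step 15: the Remote UE re-derives KNR_ProSe and Krelay-int from its own CP-PRUK and checks the
    Direct Security Mode Command MIC; success shows the Relay obtained KNR_ProSe from the network."""
    _, krelay_int, _ = derive_pc5_keys(derive_knr_prose(cp_pruk, nonce_1, nonce_2))
    return hmac.compare_digest(hmac.new(krelay_int, dsmc, hashlib.sha256).digest(), mic)

def establish_pc5(panf, remote_cp_pruk, cp_pruk_id, rsc):
    """Steps 10-15 end to end; True when the Remote UE accepts the DSMC, False on reject."""
    nonce_1 = secrets.token_bytes(16)                         # chosen by the Remote UE for the DCR
    result = ausf_relay_key_request(panf, cp_pruk_id, rsc, nonce_1)
    if result is None:
        return False                                          # Direct Connection Reject: CP-PRUK ID not found
    knr_prose, nonce_2 = result
    _, krelay_int, _ = derive_pc5_keys(knr_prose)             # Relay, step 13
    dsmc = b"DSMC|" + nonce_2                                 # constructed: Nonce_2 carried in the DSMC (step 14)
    mic = hmac.new(krelay_int, dsmc, hashlib.sha256).digest() # DSMC integrity protected with Krelay-int
    return remote_ue_verify_dsmc(remote_cp_pruk, nonce_1, nonce_2, dsmc, mic)
```

A Remote UE holding a CP-PRUK that differs from the one registered at the PAnF fails the DSMC check, which is the property step 15 relies on.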

6.3.3.3.4 Void

6.3.3.4 Security for 5G ProSe Communication via Layer-3 UE-to-Network Relay with N3IWF support

The 5G ProSe Layer-3 Remote UE selects N3IWF as specified in TS 23.304 [2].

The 5G ProSe Remote UE and the 5G ProSe UE-to-Network Relay shall establish security for PC5 connection using either User Plane based solution as specified in clause 6.3.3.2 or Control Plane based solution as specified in clause 6.3.3.3. Then, the 5G ProSe Layer-3 Remote UE performs the security procedures as specified in clause 7.2.1 of TS 33.501 [3].

6.3.4 Security for 5G ProSe Communication via 5G ProSe Layer-2 UE-to-Network Relay

Connection establishment for 5G ProSe Communication via 5G ProSe Layer-2 UE-to-Network Relay is specified in clause 6.5.2.2 of TS 23.304 [2]. During the connection establishment, the 5G ProSe Remote UE and NG-RAN node shall establish AS security as specified in TS 33.501 [3].

The 5G ProSe Remote UE and the 5G ProSe UE-to-Network Relay shall establish security for PC5 connection using either User Plane based solution as specified in clause 6.3.3.2 or Control Plane based solution as specified in clause 6.3.3.3.2. The requirements on security policies for PC5 connection between the 5G ProSe Remote UE and the Layer-2 UE-to-Network Relay are as follows:

– The PCF shall be able to provision the PC5 security policies to the 5G ProSe Remote UE and Layer-2 UE‑to‑Network Relay respectively per ProSe relay service during their service authorization and information provisioning procedures as defined in TS 23.304 [2].

NOTE: If PC5 UP security policies are included in the PC5 security policies, they are negotiated but not enforced by the 5G ProSe Layer-2 UE-to-Network Relay.

6.3.5 Direct Communication Request in 5G ProSe UE-to-Network Relay Communication

6.3.5.1 General

This clause describes the mechanism to protect the privacy of the UP-PRUK ID/CP-PRUK ID and RSC in the Direct Communication Request (DCR) message when restricted discovery is used for the UE-to-Network Relay service. This clause also describes a mechanism to integrity protect the DCR message when DUIK is provisioned for discovery.

6.3.5.2 Privacy protection of UP-PRUK ID and RSC in DCR

The 5G ProSe Remote UE encrypts the UP-PRUK ID/CP-PRUK ID and RSC using the code-receiving security parameters used for discovery. The 5G ProSe UE-to-Network Relay, on receiving the DCR message, decrypts the encrypted UP-PRUK ID/CP-PRUK ID and RSC using the code-sending security parameters used for discovery and verifies if the RSC matches with the one that it sent in the discovery message. If the RSC does not match, the 5G ProSe UE-to-Network Relay shall abort the PC5 direct link establishment procedure.

The 5G ProSe Remote UE shall encrypt the UP-PRUK ID/CP-PRUK ID and RSC as follows:

1) If the UE is configured with Discovery User Confidentiality Key (DUCK), the DCR ciphering key KDCR is set to DUCK. If the UE is configured with Discovery User Scrambling Key (DUSK) but not DUCK, KDCR is set to DUSK. If the UE is configured with neither DUCK nor DUSK, the DCR message is not protected, and steps 2-3 are skipped.

2) Set Keystream to DCR confidentiality keystream calculated using KDCR, UTC-based counter and RSC as described in clause A.5.

3) XOR the first L bits of the Keystream with the RSC where L is the length of the RSC, and XOR the remaining bits of the Keystream with the UP-PRUK ID/CP-PRUK ID.

NOTE 1: If UP-PRUK ID/CP-PRUK ID is in NAI format, encryption of the UP-PRUK ID/CP-PRUK ID is performed on the username part of the UP-PRUK ID/CP-PRUK ID.

The 5G ProSe UE-to-Network Relay shall decrypt the encrypted UP-PRUK ID/CP-PRUK ID and RSC as follows:

1) If the UE is configured with DUCK, the DCR ciphering key KDCR is set to DUCK. If the UE is configured with DUSK but not DUCK, KDCR is set to DUSK. If the UE is neither configured with DUCK nor DUSK, the DCR message is not protected, and steps 2-3 are skipped.

2) Set Keystream to DCR confidentiality keystream calculated using KDCR, UTC-based counter and RSC as described in clause A.5.

3) XOR the first L bits of Keystream with the encrypted RSC where L is the length of the encrypted RSC, and XOR the remaining bits of Keystream with the encrypted UP-PRUK ID/CP-PRUK ID.

NOTE 2: If UP-PRUK ID/CP-PRUK ID is in NAI format, decryption of the UP-PRUK ID/CP-PRUK ID is performed on the username part of the UP-PRUK ID/CP-PRUK ID.

6.3.5.3 Integrity protection of DCR

The 5G ProSe Remote UE integrity protects the DCR message using the code-receiving security parameters used for discovery. The integrity protection of the DCR message is performed after the privacy protection of UP-PRUK ID/CP-PRUK ID and RSC.

The 5G ProSe UE-to-Network Relay, on receiving the DCR message, verifies the integrity of the received DCR message using the code-sending security parameters used for discovery. If the integrity verification of the DCR fails, the 5G ProSe UE-to-Network Relay shall abort the PC5 direct link establishment procedure.

The 5G ProSe Remote UE shall integrity protect the DCR as follows:

1. If the UE is configured with DUIK, the DCR integrity key KINT is set to DUIK. Otherwise, the DCR message is not integrity protected, and steps 2-3 are skipped.

2. Calculate Message Integrity Check (MIC) using KINT, UTC-based counter and the DCR message as described in clause A.9.

3. Set the MIC IE to the calculated MIC.

The 5G ProSe UE-to-Network Relay shall verify the integrity of the received DCR message as follows:

1. If the UE is configured with DUIK, the DCR integrity key KINT is set to DUIK. Otherwise, the DCR message is not integrity protected, and step 2 is skipped.

2. Calculate a MIC using KINT, UTC-based counter and the received DCR message as described in clause A.9 and compare the calculated MIC with the MIC included in the DCR message. If they mismatch, the integrity check fails.
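The following Python code is an added example, not part of the specification, and covers both clause 6.3.5.2 (privacy protection of the RSC and the PRUK ID username) and clause 6.3.5.3 (DCR integrity protection): the Remote UE picks KDCR as DUCK, else DUSK, else nothing, XORs the keystream over the RSC and then the username, and adds the MIC last; the Relay checks the MIC first, decrypts with the RSC it announced, and aborts on MIC failure or RSC mismatch. The clause A.5 keystream and A.9 MIC are replaced by HMAC-SHA256 stand-ins, the RSC is assumed to be 24 bits, the IE layout and the 32-bit MIC length are constructed for this example, and all key values are constructed.

```python
import hmac, hashlib

RSC_LEN = 3  # Relay Service Code assumed to be 24 bits in this example

def dcr_keystream(k_dcr: bytes, utc_counter: int, rsc: bytes, length: int) -> bytes:
    """Stand-in for the clause A.5 keystream (assumption, not the spec's function):
    HMAC-SHA256 in counter mode over UTC-based counter || RSC || block index."""
    out = b""
    for block in range((length + 31) // 32):
        msg = utc_counter.to_bytes(4, "big") + rsc + bytes([block])
        out += hmac.new(k_dcr, msg, hashlib.sha256).digest()
    return out[:length]

def dcr_mic(k_int: bytes, utc_counter: int, dcr: bytes) -> bytes:
    """Stand-in for the clause A.9 MIC (assumption): HMAC-SHA256 over counter || DCR, truncated to 32 bits."""
    return hmac.new(k_int, utc_counter.to_bytes(4, "big") + dcr, hashlib.sha256).digest()[:4]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def remote_ue_build_dcr(rsc, pruk_username, duck, dusk, duik, utc_counter):
    """Remote UE: clause 6.3.5.2 (encrypt RSC, then PRUK ID username), then clause 6.3.5.3 (MIC)."""
    k_dcr = duck or dusk                       # DUCK preferred, else DUSK, else the IEs stay in clear
    if k_dcr is not None:
        ks = dcr_keystream(k_dcr, utc_counter, rsc, len(rsc) + len(pruk_username))
        rsc, pruk_username = xor(ks[:len(rsc)], rsc), xor(ks[len(rsc):], pruk_username)
    dcr = rsc + bytes([len(pruk_username)]) + pruk_username   # constructed IE layout: RSC | len | username
    mic = dcr_mic(duik, utc_counter, dcr) if duik is not None else b""
    return dcr + mic

def relay_process_dcr(msg, relay_rsc, duck, dusk, duik, utc_counter):
    """Relay: verify MIC with DUIK, decrypt with DUCK/DUSK using the RSC it announced, check the RSC.
    Returns the PRUK ID username, or None when the PC5 link establishment must be aborted."""
    if duik is not None:
        dcr, mic = msg[:-4], msg[-4:]
        if not hmac.compare_digest(dcr_mic(duik, utc_counter, dcr), mic):
            return None                        # integrity check fails -> abort
    else:
        dcr = msg
    enc_rsc, enc_user = dcr[:RSC_LEN], dcr[RSC_LEN + 1:]
    k_dcr = duck or dusk
    if k_dcr is not None:
        ks = dcr_keystream(k_dcr, utc_counter, relay_rsc, len(enc_rsc) + len(enc_user))
        rsc, user = xor(ks[:RSC_LEN], enc_rsc), xor(ks[RSC_LEN:], enc_user)
    else:
        rsc, user = enc_rsc, enc_user
    return user if rsc == relay_rsc else None  # RSC mismatch -> abort
```

Because the keystream itself depends on the RSC, a Relay that announced a different RSC derives a different keystream and the decrypted RSC fails the comparison even before the username is looked at.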

6.4 Security for broadcast mode 5G ProSe Direct Communication

6.4.1 General

This clause specifies the security requirements and the procedures of the broadcast mode 5G ProSe Direct Communication.

6.4.2 Security requirements

There are no requirements for securing the broadcast mode 5G ProSe Direct Communication.

The 5G System shall protect against linkability and trackability attacks on Layer-2 ID and IP address for broadcast mode.

6.4.3 Security procedures

There are no particular procedures defined for securing the broadcast mode 5G ProSe Direct Communication.

The broadcast mode security mechanism to randomise the UE’s source Layer-2 ID and source IP address including IP prefix (if used), as defined in clause 5.5 of TS 33.536 [6], is reused in 5G ProSe to provide broadcast mode 5G ProSe Direct Communication security.

6.5 Security for groupcast mode 5G ProSe Direct Communication

6.5.1 General

This clause specifies the security requirements and the procedures of the groupcast mode 5G ProSe Direct Communication.

6.5.2 Security requirements

There are no requirements for securing the groupcast mode 5G ProSe Direct Communication.

The 5G System shall protect against linkability and trackability attacks on Layer-2 ID and IP address for groupcast mode.

6.5.3 Security procedures

There are no particular procedures defined for securing the groupcast mode 5G ProSe Direct Communication.

The groupcast mode security mechanism to randomise the UE’s source Layer-2 ID and source IP address including IP prefix (if used), as defined in clause 5.5 of TS 33.536 [6], is reused in 5G ProSe to provide groupcast mode 5G ProSe Direct Communication security.