
TS 22.261 (version 17.2.0)


8  Security
8.1  Description
IoT introduces new UEs with different life cycles, including IoT devices with no user interface (e.g. embedded sensors), long life spans during which an IoT device may change ownership several times (e.g. consumer goods), and which may not be pre-provisioned (e.g. consumer goods). These drive a need for secure mechanisms to dynamically establish or refresh credentials and subscriptions. New access technologies, including licensed and unlicensed, 3GPP and non-3GPP, drive a need for access independent security that is seamlessly available while the IoT device is active. High-end smartphones, UAVs, and factory automation drive a need for protection against theft and fraud. A high level of 5G security is essential for critical communication, e.g. in industrial automation, industrial IoT, and the Smart Grid. Expansion into enterprise, vehicular, medical, and public safety markets drives a need for increased end user privacy protection. 5G security addresses all of these new needs while continuing to provide security consistent with prior 3GPP systems.
8.2  General
The 5G system shall support a secure mechanism to store cached data.
The 5G system shall support a secure mechanism to access a content caching application.
The 5G system shall support a secure mechanism to access a service or an application in an operator's Service Hosting Environment.
The 5G system shall enable support of an access independent security framework.
The 5G system shall support a mechanism for the operator to authorize subscribers of other PLMNs to receive temporary service (e.g. mission critical services).
The 5G system shall be able to provide temporary service for authorized users without access to their home network (e.g. IOPS, mission critical services).
The 5G system shall allow the operator to authorize a third-party to create, modify and delete network slices, subject to an agreement between the third-party and the network operator.
Based on operator policy, a 5G network shall provide suitable means to allow a trusted and authorized third-party to create and modify network slices used for the third-party with appropriate security policies (e.g. user data privacy handling, slices isolation, enhanced logging).
The 5G system shall support a secure mechanism to protect relayed data from being intercepted by a relay UE.
Subject to HPLMN policy as well as its service and operational needs, any USIM able to access EPS instead of a 5G USIM may be used to authenticate a user in a 5G system to access supported services according to the user's subscription.
The 5G system shall provide integrity protection and confidentiality for communications between authorized UEs using a 5G LAN-type service.
The 5G LAN-VN shall be able to verify the identity of a UE requesting to join a specific private communication.
The 5G system shall provide suitable means to allow use of a trusted third-party provided encryption between any UE served by a private slice and a core network entity in that private slice.
The 5G system shall provide suitable means to allow use of a trusted and authorized third-party provided integrity protection mechanism for data exchanged between an authorized UE served by a private slice and a core network entity in that private slice.
The 5G system shall provide suitable means to allow use of a trusted and authorized third-party provided integrity protection mechanism for data exchanged between an authorized UE served by a non-public network and a core network entity in that non-public network.
8.3  Authentication
The 5G system shall support an efficient means to authenticate a user to an IoT device (e.g. biometrics).
The 5G system shall be able to support authentication over a non-3GPP access technology using 3GPP credentials.
The 5G system shall support operator controlled alternative authentication methods (i.e. alternative to AKA) with different types of credentials for network access for IoT devices in isolated deployment scenarios (e.g. for industrial automation).
The 5G system shall support a suitable framework (e.g. EAP) allowing alternative (e.g. to AKA) authentication methods with non-3GPP identities and credentials to be used for UE network access authentication in non-public networks.
NOTE 2: Non-public networks can use 3GPP authentication methods, identities, and credentials for a UE to access the network but are also allowed to utilize non-AKA based authentication methods such as provided by the EAP framework.
Subject to an agreement between an MNO and a 3rd party, the 5G system shall support a mechanism for the PLMN to authenticate and authorize UEs for access to both a hosted non-public network and private slice(s) of the PLMN associated with the hosted non-public network.
The 5G network shall support a 3GPP supported mechanism to authenticate legacy non-3GPP devices for 5G LAN-VN access.
8.4  Authorization
The 5G system shall allow the operator to authorize an IoT device to use one or more 5G system features that are restricted to IoT devices.
The 5G system shall allow the operator to authorize/de-authorize UEs for using 5G LAN-type service.
NOTE: When a UE is de-authorized from using 5G LAN-type service, it is removed from all 5G LAN-VNs.
Based on operator policy, before establishing a direct device connection using a non-3GPP access technology, IoT devices may use 3GPP credentials to determine if they are authorized to engage in direct device connection.
Based on operator policy, the 5G system shall provide a means to verify whether a UE is authorized to use prioritized network access for a specific service.
8.5  Identity management
The 5G system shall provide a mechanism for an operator to allow access from a UE using a temporary identifier that hides its subscriber identity.
The 5G system shall provide a mechanism for an operator to allow access from a UE connected in an indirect network connection using a temporary identifier that hides its subscriber identity.
The HPLMN shall be able to associate a temporary identifier to a UE's subscriber identity.
The 5G system shall be able to protect subscriber identity and other user identifying information from passive attacks.
Subject to regional or national regulatory requirements, the 5G system shall be able to protect subscriber identity and other user identifying information from active attacks.
The 5G system shall be able to allow the equipment identifier to be collected by a legitimate entity regardless of the UE's user interface, when required.
The 5G system shall be able to support identification of subscriptions independently of identification of equipment.
The 5G system shall support a secure mechanism to collect system information while ensuring end-user and application privacy (e.g. application level information is not to be related to an individual user identity or subscriber identity and UE information is not to be related to an individual subscriber identity).
Subject to regional or national regulatory requirements, the 5G system shall be able to provide the 5G positioning services while ensuring the protection of the privacy of the UE's user or owner, including the respect of his consent to the positioning services.
NOTE 1: This includes the ability for the 5G system to provide the positioning services on demand without having to track continuously the position of the involved UE.
NOTE 2: The respect of the user's consent to some positioning services could abide by different rules in case of emergency (for example, rules that would also receive consent from the user, but well before the emergency occurs).
For a private network using 5G technology, the 5G system shall support network access using identities, credentials, and authentication methods provided and managed by a third-party and supported by 3GPP.
8.6  Regulatory
The 5G system shall support regional or national regulatory requirements for all supported access networks.
The 5G system shall support Lawful Interception, subject to regional or national regulatory requirements.
A 5G satellite access network connected to 5G core networks in multiple countries shall be able to meet the corresponding regulatory requirements from these countries (e.g. Lawful Interception).
A 5G system shall support regulatory requirements for 5G LAN-type services.
8.7  Fraud protection
Subject to regional or national regulatory requirements, the 5G system shall support a secure mechanism for allowing an authorized entity to disable from normal operation a UE reported as stolen.
Subject to regional or national regulatory requirements, the 5G system shall support a secure mechanism for allowing an authorized entity to re-enable a recovered stolen UE to normal operation.
The 5G system shall be able to protect user location information from passive attacks.
Subject to regional or national regulatory requirements, the 5G system shall be able to protect user location information from active attacks.
Subject to regional or national regulatory requirements, the 5G system shall support mechanisms to protect the production of the user location information and user positioning-related data against tampering and spoofing.
Subject to regional or national regulatory requirements, the 5G system shall support mechanisms to detect tampering and spoofing attempts on the production of the user location information and the user position-related data.
8.8  Resource efficiency
The 5G system shall minimize security signalling overhead without compromising the security level of the 3GPP system.
The 5G system shall support an efficient secure mechanism to transmit the same data (e.g. service provisioning multiple sensors) to multiple UEs.
8.9  Data security and privacy [R16]
The 5G system shall support data integrity protection and confidentiality methods that serve URLLC, high data rates and energy constrained devices.
The 5G system shall support a mechanism to verify the integrity of a message as well as the authenticity of the sender of the message.
The 5G system shall support encryption for URLLC services within the requested end-to-end latency.
Subject to regulatory requirements, the 5G system shall enable an MNO to provide end-to-end integrity protection, confidentiality, and protection against replay attacks between a UE and third-party application server, such that the 3GPP network is not able to intercept or modify the data transferred between a UE and third-party application server.
9  Charging aspects
9.1  General [R16]
The following set of requirements complement the requirements listed in 3GPP TS 22.115. The requirements apply for both home and roaming cases.
The 5G core network shall support collection of all charging information on either a network or a slice basis.
The 5G core network shall support collection of charging information for alternative authentication mechanisms.
The 5G core network shall support collection of charging information associated with each serving MNO when multi-network connectivity is used under the control of the home operator.
The 5G core network shall support charging for services/applications in an operator's Service Hosting Environment.
The 5G core network shall support charging for content delivered from a content caching application.
The 5G core network shall support collection of charging information based on the access type (e.g. 3GPP, non-3GPP, satellite access).
The 5G core network shall support collection of charging information based on the slice that the UE accesses.
The 5G core network shall support collection of charging information based on the capacity and performance metrics.
In a 5G system with satellite access, charging call records associated with satellite access(es) shall include the location of the associated UE(s) with satellite access.
NOTE: The precision of the location of the UE can be based on the capabilities of the UE or of the network.
The 5G system shall be able to support an indirect network connection even when the UE is in E-UTRAN or NG-RAN coverage.
9.2  5G LAN [R16]
A 5G core network shall support collection of charging information for a 5G LAN-type service based on resource usage (e.g. licensed or unlicensed spectrum, QoS, applications).
The 5G core network shall support collection of charging information for a 5G LAN-type service when a UE joins or leaves a specific private communication.
The 5G core network shall support collection of charging information for a 5G LAN-type service for both home and roaming UEs based on the UE's HPLMN.