Tech-invite3GPPspaceIETF RFCsSIP
Quick21222324252627282931323334353637384‑5x

Content for  TS 23.632  Word version:  17.0.0

Top   Top   Up   Prev   Next
1…   5…   5.3…   5.4…   5.5…   5.6…   6…

 

5  System proceduresWord‑p. 10

5.1  General

Procedures involving communication between HSS and UDM comprise Authentication, Mobilty, IMS interworking, and SMS support.

5.2  Authentication

5.2.1  General

A subscriber's authentication subscription data, including the subscriber's long-term key(s) and sequence number, shall be stored in a single repository so that a single sequence number can be maintained for the subscriber.
The subscriber's long-term key(s) shall not be transferred over the NU1 reference point between HSS and UDM. Also it is not expected that the UDM has direct standardized access to the EPS-UDR. Therefore, the following options exist for subscribers with both 5G and EPS subscription:
  1. Authentication subscription data are stored in the EPS-UDR and all authentication vectors are calculated in the HSS. Subscription data stored in the 5GS-UDR or locally configured in the UDM indicate that the UDM needs to consume the Nhss_UEAuthentication_Get service operation to retrieve a 5G vector from the HSS. See clause 5.2.2 for details.
  2. Authentication subscription data are stored in the 5GS-UDR and all authentication vectors are calculated in the UDM. Subscription data stored in the EPS-UDR or locally configured in the HSS indicate that the HSS needs to consume the Nudm_UEAuthentication_GetHssAv service operation to retrieve an EPS vector from the UDM. See clause 5.2.3 for details.
  3. Authentication subscription data are stored in the 5GS-UDR, 5G vectors are calculated in the UDM and EPS vectors are calculated in the HSS. Subscription data stored in the EPS-UDR or locally configured in the HSS indicate that the HSS needs to consume the Nudr_DM_Query service operation to retrieve authentication subscription data from the 5GS-UDR. See clause 5.2.4 for details.
The following clauses specify the system procedures for these different alternatives.
Up

5.2.2  Vector Generation in HSS

This clause specifies the procedures for authentication vector request when the subscriber's authentication subscription data is stored at the EPS-UDR. In this case, the UDM requests the generation of the Authentication Vector for 5GS to the HSS.
When the UDM receives an authentication information Request from the AUSF it shall check (by means of an 5GS-UDR query or local configuration in the UDM) whether the subscribed authentication method is 5G_AKA or EAP_AKA_PRIME and if so whether 5G authentication vector generation for the identified subscriber shall be done in the HSS. If so, the UDM shall make use of the Nhss_UEAuthentication_Get service operation to retrieve a 5G authentication vector from the HSS.
Figure 5.2.2-1 shows the scenario where the authentication vector request for a 5G subscriber who also has an EPS subscription is received by the UDM.
Reproduction of 3GPP TS 23.632, Figure 5.2.2-1: Authentication for 5G subscriber with authentication vector generation in HSS
Up
Step 1.
The UDM receives an Authentication Vector request, containing the identity of the user (SUPI or SUCI). If SUCI is received, the UDM performs SUCI to SUPI de-concealment. For details of the Nudm_UEAuthentication Service see TS 23.502 and TS 33.501.
Step 2.
If the 5GS-UDR is used, the UDM queries the 5GS-UDR using the SUPI to retrieve Authentication Subscription Information. In this scenario the Authentication Subscription Information contains a subscribed authentication method of 5G_AKA or EAP_AKA_PRIME and an indicator indicating that authentication vector generation shall be performed in the HSS. Optionally, the indication that the authentication vector generation shall be performed in the HSS could be locally configured at the UDM/ARPF.
Step 3.
The UDM uses the Nhss_UEAuthentication_Get service operation to retrieve an authentication vector from the HSS. The request contains the IMSI the authentication method and serving network name.
Step 4.
The HSS reads authentication subscription data from the EPS-UDR. This step is omitted if all relevant authentication subscription data are stored locally in the HSS.
Step 5.
The HSS (AuC/ARPF) calculates the requested authentication vector taking into account the serving network name and authentication method received in step 3 and the authentication subscription information retrieved from the EPS-UDR.
Step 6.
The calculated authentication vector is sent to the UDM.
Step 7.
The HSS updates the EPS-UDR with the new sequence number. This step is omitted if the sequence number is stored locally in the HSS.
Step 8.
The UDM forwards the authentication vector to the AUSF.
Up

5.2.3  Vector Generation in UDM/ARPFWord‑p. 11

This clause specifies the procedures for authentication vector request when the subscriber's authentication subscription data is stored at the 5GS-UDR. In this case, the HSS requests the generation of the Authentication Vector for EPS and/or IMS to the UDM.
When the HSS receives an authentication vector request from a serving node (e.g. MME, SGSN, VLR, S-CSCF, BSF) it shall check (by means of an EPC-UDR query) whether authentication vector generation for the identified subscriber shall be done in the UDM. If so, the HSS shall make use of the Nudm_UEAuthentication GetHssAv service operation to retrieve authentication vectors from the UDM.
Figure 5.2.3-1 shows the scenario where an authentication vector request for a subscriber is received by the HSS and subscription data stored in the EPS-UDR indicate that for the subscriber authentication vector generation is to be performed in the UDM.
Reproduction of 3GPP TS 23.632, Figure 5.2.3-1: Authentication for a subscriber with authentication vector generation in UDM
Up
Step 1.
The HSS receives an Authentication Vector request, containing the identity of the user (IMSI, or Public User Identity and/or Private User Identity).
Step 2.
The HSS queries the EPS-UDR using the identity of the user to retrieve Authentication Subscription Information. In this scenario the Authentication Subscription Information contains an indicator indicating that authentication vector generation shall be performed in the UDM.
Step 3.
The HSS uses the Nudm_UEAuthentication_GetHssAv service operation to retrieve an authentication vector from the UDM. The request contains the identity of the user, the type of the requested vector (E-UTRAN/UTRAN or GERAN/ IMS-AKA and when available the visited PLMN-ID.
Step 4.
The UDM reads authentication subscription data from the 5GS-UDR.
Step 5.
The UDM (ARPF) calculates the requested authentication vectors taking into account the information received in step 3 and the authentication subscription information retrieved from the 5GS-UDR.
Step 6.
The calculated authentication vectors are sent to the HSS.
Step 7.
The UDM updates the 5GS-UDR with the new sequence number.
Step 8.
The HSS forwards the authentication vectors to the serving node.
Up

5.2.4  HSS using the Nudr SBIWord‑p. 13

When the HSS receives an S6a-AIR from the MME, it may check (by means of an EPC-UDR query) whether the subscriber has an 5G subscription. If so, the HSS can use of the Nudr_DM_Query Get service operation to retrieve the authentication subscription data from the 5GS UDR and generate the authentication vector.
Figure 5.2.4-1 shows the scenario where the authentication vector request for a 5G subscriber who also has an EPS subscription is received by the UDM.
Reproduction of 3GPP TS 23.632, Figure 5.2.4-1: Authentication for 5G subscriber with EPS subscription
Up
Step 1.
The HSS receives an Authentication Vector request containing the identity of the user (IMSI).
Step 2.
The HSS queries the EPC-UDR using the IMSI to retrieve Authentication Subscription Information. Since the subscriber is a 5G subscriber the response indicates that the subscriber's authentication information is stored in the 5GS UDR.
Step 3.
The HSS uses the Nudr_DM_Query Get service operation to retrieve the authentication subscription data from the 5GS UDR. The request contains the IMSI formatted as a SUPI.
Step 4.
The HSS (AuC) calculates the requested authentication vector taking into account the serving network name and authentication method received in step 1 and the authentication subscription information retrieved from the 5GS-UDR in step 3.
Step 5.
The calculated authentication vector is returned to the MME.
Step 6.
The HSS updates the 5GS-UDR with the new sequence number.
Up

Up   Top   ToC