TS 33.501
Security Architecture and Procedures for 5G System

V19.3.0 (Wzip)  2025/06  … p.
V18.10.0 (PDF)  2025/06  … p.
V17.14.0  2024/06  298 p.
V16.18.0  2024/03  262 p.
V15.18.0  2024/03  196 p.
Rapporteur:
Dr. Zugenmaier, Alf
NTT DOCOMO INC.

3GPP 33.501 5GS key hierarchy

essential Table of Contents for  TS 33.501  Word version:  19.2.0


List of Figures and Tables

Figure 4-1  Overview of the security architecture
Figure 6.1.2-1  Initiation of authentication procedure and selection of authentication method
Figure 6.1.3.1-1  Authentication procedure for EAP-AKA'
Figure 6.1.3.2-1  Authentication procedure for 5G AKA
Figure 6.1.4.1a-1  Linking increased Home control to subsequent procedures
Figure 6.1.5.2-1  Home Network triggered primary authentication procedure
Figure 6.2.1-1  Key hierarchy generation in 5GS
Figure 6.2.2-1  Key distribution and key derivation scheme for 5G for network nodes
Figure 6.2.2-2  Key distribution and key derivation scheme for 5G for the UE
Figure 6.4.6-1  Protecting the initial NAS message
Figure 6.6.2-1  User plane (UP) security activation mechanism
Figure 6.7.2-1  NAS Security Mode Command procedure
Figure 6.7.4-1  AS Security Mode Command Procedure
Figure 6.9.2.1.1-1  Model for the handover key chaining
Figure 6.10.1.2-1  Multi-Radio dual connectivity (MR-DC) protocol architecture.
Figure 6.10.2.1-1  Security aspects in SN Addition/Modification procedures (MN initiated)
Figure 6.10.2.2.3-1  SN Key update procedure using SN Modification procedure (SN initiated with MN involvement)
Figure 6.10.2.4.4-1  Security procedures for SCPAC
Figure 6.12.4-1  Subscription identifier query
Figure 6.13-1  gNB periodic local authentication procedure
Figure 6.14.2.1-1  Procedure for providing list of preferred PLMN/access technology combinations during registration in VPLMN
Figure 6.14.2.2-1  Procedure for providing list of preferred PLMN/access technology combinations after registration
Figure 6.15.2.1-1  Procedure for UE Parameters Update
Figure 7.2.1-1  Authentication for untrusted non-3GPP access
Figure 7A.2.1-1  Registration / Authentication and PDU Session establishment for trusted non-3GPP access
Figure 7A.2.3-1  Key hierarchy for trusted non-3GPP access
Figure 7A.2.4-1  Authentication Procedure for N5CW
Figure 7B.2-1  5G-RG authentication procedure
Figure 7B.c  FN-RG authentication procedure
Figure 7B.7-1  Authentication Procedure for AUN3 devices using EAP-AKA'
Figure 7B.7.3-1  Authentication Procedure for AUN3 devices supporting 5G key hierarchy using EAP-AKA'
Figure 8.3.2-1  Handover from 5GS to EPC over N26
Figure 8.4.2-1  Handover from EPS to 5GS over N26
Figure 8.5.2-1  Idle mode mobility from 5G to 4G
Figure 11.1.2-1  Initial EAP Authentication with an external AAA server
Figure 11.1.3-1  EAP Re-Authentication with an external AAA server
Figure 13.2.1-1  Overview of PRINS (IPX as the exemplary Roaming Intermediary)
Figure 13.2.2.4.0-1  N32-f context overview
Figure 13.2.4.5.1-1  Example of JSON representation for RI with modifications by IPX1
Figure 13.2.4.8-1  Message flow between two SEPPs
Figure 13.4.1.1-1b  NF Service Producer registers in NRF
Figure 13.4.1.1.2-1  NF Service Consumer obtaining access token before NF Service access
Figure 13.4.1.1.2-2  NF Service Consumer requesting service access with an access token
Figure 13.4.1.2.2-1  NF Service Consumer obtaining access token before NF Service access (roaming)
Figure 13.4.1.2.2-2  NF Service Consumer requesting service access with an access token in roaming case
Figure 13.4.1.3.1.1-1  Authorization and service invocation procedure, for indirect communication without delegated discovery, with mutual authentication between NF and NRF at the transport layer
Figure 13.4.1.3.1.2-1  Authorization and service invocation procedure, for indirect communication without delegated discovery, without mutual authentication between NF and NRF at the transport layer
Figure 13.4.1.3.2-1  Authorization and service invocation procedure, for indirect communication with delegated discovery
Figure 13.5-1  Security capability negotiation
Table 13.5-1  NF service-related signalling traffic protection mechanisms over N32
Table 14.1.3-1  NF services for SoR provided by AUSF
Table 14.1.4-1  NF services for UE Parameters Update provided by AUSF
Table 14.4.1.1-1  NF services for the NSSAA service provided by NSSAAF
Table 14.4.2.1-1  NF services for CH using AAA for primary authentication provided by NSSAAF
Figure 16.2-1  Relationship between primary authentication and NSSAA
Figure 16.3-1  NSSAA procedure
Figure 16.4-1  AAA Server initiated Network Slice-Specific Re-authentication and Re-authorization procedure
Figure 16.5-1  AAA Server-initiated Network Slice-Specific Authorization Revocation procedure
Figure 16.6.3-1  Subscription/unsubscription of NSACF notification procedure
Figure 17.1-1  Signalling Traffic Monitor trust zones example
Figure 18.2.1-1  Overview of the connect-UDP Tunnelling mode architecture for protection of XRM Media related information
Figure 18.2.3-1  Overview of the connect-UDP Forward mode architecture for protection of XRM Media related information
Table A.7.1-1  ABBA parameter definitions
Table A.8-1  Algorithm type distinguishers
Table A.9-1  Access type distinguishers
Table A.22-1  Usage type distinguishers
Figure B.2.1.1-1  Using EAP-TLS 1.2 Authentication Procedures over 5G Networks for initial authentication
Figure B.2.1.1-2  Using EAP-TLS 1.3 Authentication Procedures over 5G Networks for initial authentication
Figure B.2.2-1  AUSF requests CRL from UDM/ARPF
Figure B.2.2-2  AUSF requests the status of TLS certificate from UDM/ARPF
Figure C.3.2-1  Encryption based on ECIES at UE
Figure C.3.3-1  Decryption based on ECIES at home network
Figure D.2.1.1-1  Ciphering of data
Figure D.3.1.1-1  Derivation of MAC-I/NAS-MAC (or XMAC-I/XNAS-MAC)
Table F.2-1  5G UE behaviour when receiving EAP identity requests
Figure G.1-1  Signaling message from AMF (vPLMN) to AUSF (hPLMN) traversing the respective SEPPs
Figure G.2-1  Typical structure of the HTTP message received by SEPP
Figure I.2.2.2.2-1  Primary authentication with external domain
Figure I.2.3.1-1  KAUSF derivation for key-generating EAP authentication methods other than EAP-AKA'
Figure I.2.3.2-1  KAUSF derivation for primary authentication towards an external Credentials holder using AAA server
Figure I.10.2.2-1  Procedure for Untrusted non-3GPP Access using Credentials Holder AAA Server
Figure I.10.3.2-1  Procedure for Trusted Non-3GPP Access using Credentials Holder AAA Server
Figure I.10.4.2-1  Procedure for trusted WLAN access using Credentials Holder AAA Server
Figure I.10.5.1.2-1  Procedure for NSWO authentication using CH with AAA server via 5GC
Figure J.1.2-1  Key derivation of 5G SRVCC from NR to UTRAN
Figure N.2.2-1  Redundant transmission with two N3 tunnels between the UPF and a single NG-RAN node
Figure O.3-1  Registration and authentication of a non-5G capable device to the 5GC
Figure R-1  Illustration of authorization aspects in direct deployment models
Figure R-2  Illustration of authorization aspects in indirect deployment models
Figure S.3-1  Authentication procedure for NSWO in 5GS
Figure U.2-1  Primary authentication using EAP-TTLS and AAA
Figure X.2-1  NF Service Consumer Authorization to receive data from NF Service Producers via DCCF
Figure X.3-1  Service Consumer Authorization to receive data from Service Producers via MFAF
Figure X.8.2.1-1  Protection of analytics exchange when policies configured locally in Roaming entry NWDAF
Figure X.8.2.2-1  Protection of analytics exchange when policies configured as extended claims in access token
Figure X.9-1  FL Authorization for selecting participant NWDAF instances
Figure X.10-1  Secured and authorized AI/ML model sharing between different vendors
Figure Z.2-1  Authentication Procedure for AUN3 devices by 5GC using key-generating EAP method
Figure Z.3-1  Authentication Procedure for AUN3 devices by AAA using key-generating EAP method
