TS 33.501
Security Architecture and Procedures for 5G System
V19.3.0 (Wzip)
2025/06 … p.
V18.10.0 (PDF)
2025/06 … p.
V17.14.0
2024/06 298 p.
V16.18.0
2024/03 262 p.
V15.18.0
2024/03 196 p.
- Rapporteur:
- Dr. Zugenmaier, Alf
NTT DOCOMO INC.
essential Table of Contents for TS 33.501 Word version: 19.2.0
each title, in the "available" or "not available yet" area, links to the equivalent title in the CONTENT
List of Figures and Tables
| Figure 4-1 | Overview of the security architecture |
| Figure 6.1.2-1 | Initiation of authentication procedure and selection of authentication method |
| Figure 6.1.3.1-1 | Authentication procedure for EAP-AKA' |
| Figure 6.1.3.2-1 | Authentication procedure for 5G AKA |
| Figure 6.1.4.1a-1 | Linking increased Home control to subsequent procedures |
| Figure 6.1.5.2-1 | Home Network triggered primary authentication procedure |
| Figure 6.2.1-1 | Key hierarchy generation in 5GS |
| Figure 6.2.2-1 | Key distribution and key derivation scheme for 5G for network nodes |
| Figure 6.2.2-2 | Key distribution and key derivation scheme for 5G for the UE |
| Figure 6.4.6-1 | Protecting the initial NAS message |
| Figure 6.6.2-1 | User plane (UP) security activation mechanism |
| Figure 6.7.2-1 | NAS Security Mode Command procedure |
| Figure 6.7.4-1 | AS Security Mode Command Procedure |
| Figure 6.9.2.1.1-1 | Model for the handover key chaining |
| Figure 6.10.1.2-1 | Multi-Radio dual connectivity (MR-DC) protocol architecture. |
| Figure 6.10.2.1-1 | Security aspects in SN Addition/Modification procedures (MN initiated) |
| Figure 6.10.2.2.3-1 | SN Key update procedure using SN Modification procedure (SN initiated with MN involvement) |
| Figure 6.10.2.4.4-1 | Security procedures for SCPAC |
| Figure 6.12.4-1 | Subscription identifier query |
| Figure 6.13-1 | gNB periodic local authentication procedure |
| Figure 6.14.2.1-1 | Procedure for providing list of preferred PLMN/access technology combinations during registration in VPLMN |
| Figure 6.14.2.2-1 | Procedure for providing list of preferred PLMN/access technology combinations after registration |
| Figure 6.15.2.1-1 | Procedure for UE Parameters Update |
| Figure 7.2.1-1 | Authentication for untrusted non-3GPP access |
| Figure 7A.2.1-1 | Registration / Authentication and PDU Session establishment for trusted non-3GPP access |
| Figure 7A.2.3-1 | Key hierarchy for trusted non-3GPP access |
| Figure 7A.2.4-1 | Authentication Procedure for N5CW |
| Figure 7B.2-1 | 5G-RG authentication procedure |
| Figure 7B.c | FN-RG authentication procedure |
| Figure 7B.7-1 | Authentication Procedure for AUN3 devices using EAP-AKA' |
| Figure 7B.7.3-1 | Authentication Procedure for AUN3 devices supporting 5G key hierarchy using EAP-AKA' |
| Figure 8.3.2-1 | Handover from 5GS to EPC over N26 |
| Figure 8.4.2-1 | Handover from EPS to 5GS over N26 |
| Figure 8.5.2-1 | Idle mode mobility from 5G to 4G |
| Figure 11.1.2-1 | Initial EAP Authentication with an external AAA server |
| Figure 11.1.3-1 | EAP Re-Authentication with an external AAA server |
| Figure 13.2.1-1 | Overview of PRINS (IPX as the exemplary Roaming Intermediary) |
| Figure 13.2.2.4.0-1 | N32-f context overview |
| Figure 13.2.4.5.1-1 | Example of JSON representation for RI with modifications by IPX1 |
| Figure 13.2.4.8-1 | Message flow between two SEPPs |
| Figure 13.4.1.1-1b | NF Service Producer registers in NRF |
| Figure 13.4.1.1.2-1 | NF Service Consumer obtaining access token before NF Service access |
| Figure 13.4.1.1.2-2 | NF Service Consumer requesting service access with an access token |
| Figure 13.4.1.2.2-1 | NF Service Consumer obtaining access token before NF Service access (roaming) |
| Figure 13.4.1.2.2-2 | NF Service Consumer requesting service access with an access token in roaming case |
| Figure 13.4.1.3.1.1-1 | Authorization and service invocation procedure, for indirect communication without delegated discovery, with mutual authentication between NF and NRF at the transport layer |
| Figure 13.4.1.3.1.2-1 | Authorization and service invocation procedure, for indirect communication without delegated discovery, without mutual authentication between NF and NRF at the transport layer |
| Figure 13.4.1.3.2-1 | Authorization and service invocation procedure, for indirect communication with delegated discovery |
| Figure 13.5-1 | Security capability negotiation |
| Table 13.5-1 | NF service-related signalling traffic protection mechanisms over N32 |
| Table 14.1.3-1 | NF services for SoR provided by AUSF |
| Table 14.1.4-1 | NF services for UE Parameters Update provided by AUSF |
| Table 14.4.1.1-1 | NF services for the NSSAA service provided by NSSAAF |
| Table 14.4.2.1-1 | NF services for CH using AAA for primary authentication provided by NSSAAF |
| Figure 16.2-1 | Relationship between primary authentication and NSSAA |
| Figure 16.3-1 | NSSAA procedure |
| Figure 16.4-1 | AAA Server initiated Network Slice-Specific Re-authentication and Re-authorization procedure |
| Figure 16.5-1 | AAA Server-initiated Network Slice-Specific Authorization Revocation procedure |
| Figure 16.6.3-1 | Subscription/unsubscription of NSACF notification procedure |
| Figure 17.1-1 | Signalling Traffic Monitor trust zones example |
| Figure 18.2.1-1 | Overview of the connect-UDP Tunnelling mode architecture for protection of XRM Media related information |
| Figure 18.2.3-1 | Overview of the connect-UDP Forward mode architecture for protection of XRM Media related information |
| Table A.7.1-1 | ABBA parameter definitions |
| Table A.8-1 | Algorithm type distinguishers |
| Table A.9-1 | Access type distinguishers |
| Table A.22-1 | Usage type distinguishers |
| Figure B.2.1.1-1 | Using EAP-TLS 1.2 Authentication Procedures over 5G Networks for initial authentication |
| Figure B.2.1.1-2 | Using EAP-TLS 1.3 Authentication Procedures over 5G Networks for initial authentication |
| Figure B.2.2-1 | AUSF requests CRL from UDM/ARPF |
| Figure B.2.2-2 | AUSF requests the status of TLS certificate from UDM/ARPF |
| Figure C.3.2-1 | Encryption based on ECIES at UE |
| Figure C.3.3-1 | Decryption based on ECIES at home network |
| Figure D.2.1.1-1 | Ciphering of data |
| Figure D.3.1.1-1 | Derivation of MAC-I/NAS-MAC (or XMAC-I/XNAS-MAC) |
| Table F.2-1 | 5G UE behaviour when receiving EAP identity requests |
| Figure G.1-1 | Signaling message from AMF (vPLMN) to AUSF (hPLMN) traversing the respective SEPPs |
| Figure G.2-1 | Typical structure of the HTTP message received by SEPP |
| Figure I.2.2.2.2-1 | Primary authentication with external domain |
| Figure I.2.3.1-1 | KAUSF derivation for key-generating EAP authentication methods other than EAP-AKA' |
| Figure I.2.3.2-1 | KAUSF derivation for primary authentication towards an external Credentials holder using AAA server |
| Figure I.10.2.2-1 | Procedure for Untrusted non-3GPP Access using Credentials Holder AAA Server |
| Figure I.10.3.2-1 | Procedure for Trusted Non-3GPP Access using Credentials Holder AAA Server |
| Figure I.10.4.2-1 | Procedure for trusted WLAN access using Credentials Holder AAA Server |
| Figure I.10.5.1.2-1 | Procedure for NSWO authentication using CH with AAA server via 5GC |
| Figure J.1.2-1 | Key derivation of 5G SRVCC from NR to UTRAN |
| Figure N.2.2-1 | Redundant transmission with two N3 tunnels between the UPF and a single NG-RAN node |
| Figure O.3-1 | Registration and authentication of a non-5G capable device to the 5GC |
| Figure R-1 | Illustration of authorization aspects in direct deployment models |
| Figure R-2 | Illustration of authorization aspects in indirect deployment models |
| Figure S.3-1 | Authentication procedure for NSWO in 5GS |
| Figure U.2-1 | Primary authentication using EAP-TTLS and AAA |
| Figure X.2-1 | NF Service Consumer Authorization to receive data from NF Service Producers via DCCF |
| Figure X.3-1 | Service Consumer Authorization to receive data from Service Producers via MFAF |
| Figure X.8.2.1-1 | Protection of analytics exchange when policies configured locally in Roaming entry NWDAF |
| Figure X.8.2.2-1 | Protection of analytics exchange when policies configured as extended claims in access token |
| Figure X.9-1 | FL Authorization for selecting participant NWDAF instances |
| Figure X.10-1 | Secured and authorized AI/ML model sharing between different vendors |
| Figure Z.2-1 | Authentication Procedure for AUN3 devices by 5GC using key-generating EAP method |
| Figure Z.3-1 | Authentication Procedure for AUN3 devices by AAA using key-generating EAP method |