Figure 4-1 | Overview of the security architecture |
Figure 6.1.2-1 | Initiation of authentication procedure and selection of authentication method |
Figure 6.1.3.1-1 | Authentication procedure for EAP-AKA' |
Figure 6.1.3.2-1 | Authentication procedure for 5G AKA |
Figure 6.1.4.1a-1 | Linking increased Home control to subsequent procedures |
Figure 6.1.5.2-1 | Home Network triggered primary authentication procedure |
Figure 6.2.1-1 | Key hierarchy generation in 5GS |
Figure 6.2.2-1 | Key distribution and key derivation scheme for 5G for network nodes |
Figure 6.2.2-2 | Key distribution and key derivation scheme for 5G for the UE |
Figure 6.4.6-1 | Protecting the initial NAS message |
Figure 6.6.2-1 | User plane (UP) security activation mechanism |
Figure 6.7.2-1 | NAS Security Mode Command procedure |
Figure 6.7.4-1 | AS Security Mode Command Procedure |
Figure 6.9.2.1.1-1 | Model for the handover key chaining |
Figure 6.10.1.2-1 | Multi-Radio dual connectivity (MR-DC) protocol architecture |
Figure 6.10.2.1-1 | Security aspects in SN Addition/Modification procedures (MN initiated) |
Figure 6.10.2.2.3-1 | SN Key update procedure using SN Modification procedure (SN initiated with MN involvement) |
Figure 6.10.2.4.4-1 | Security procedures for SCPAC |
Figure 6.12.4-1 | Subscription identifier query |
Figure 6.13-1 | gNB periodic local authentication procedure |
Figure 6.14.2.1-1 | Procedure for providing list of preferred PLMN/access technology combinations during registration in VPLMN |
Figure 6.14.2.2-1 | Procedure for providing list of preferred PLMN/access technology combinations after registration |
Figure 6.15.2.1-1 | Procedure for UE Parameters Update |
Figure 7.2.1-1 | Authentication for untrusted non-3GPP access |
Figure 7A.2.1-1 | Registration / Authentication and PDU Session establishment for trusted non-3GPP access |
Figure 7A.2.3-1 | Key hierarchy for trusted non-3GPP access |
Figure 7A.2.4-1 | Authentication Procedure for N5CW |
Figure 7B.2-1 | 5G-RG authentication procedure |
Figure 7B.c | FN-RG authentication procedure |
Figure 7B.7-1 | Authentication Procedure for AUN3 devices using EAP-AKA' |
Figure 7B.7.3-1 | Authentication Procedure for AUN3 devices supporting 5G key hierarchy using EAP-AKA' |
Figure 8.3.2-1 | Handover from 5GS to EPC over N26 |
Figure 8.4.2-1 | Handover from EPS to 5GS over N26 |
Figure 8.5.2-1 | Idle mode mobility from 5G to 4G |
Figure 11.1.2-1 | Initial EAP Authentication with an external AAA server |
Figure 11.1.3-1 | EAP Re-Authentication with an external AAA server |
Figure 13.2.1-1 | Overview of PRINS (IPX as the exemplary Roaming Intermediary) |
Figure 13.2.2.4.0-1 | N32-f context overview |
Figure 13.2.4.5.1-1 | Example of JSON representation for RI with modifications by IPX1 |
Figure 13.2.4.8-1 | Message flow between two SEPPs |
Figure 13.4.1.1-1b | NF Service Producer registers in NRF |
Figure 13.4.1.1.2-1 | NF Service Consumer obtaining access token before NF Service access |
Figure 13.4.1.1.2-2 | NF Service Consumer requesting service access with an access token |
Figure 13.4.1.2.2-1 | NF Service Consumer obtaining access token before NF Service access (roaming) |
Figure 13.4.1.2.2-2 | NF Service Consumer requesting service access with an access token in roaming case |
Figure 13.4.1.3.1.1-1 | Authorization and service invocation procedure, for indirect communication without delegated discovery, with mutual authentication between NF and NRF at the transport layer |
Figure 13.4.1.3.1.2-1 | Authorization and service invocation procedure, for indirect communication without delegated discovery, without mutual authentication between NF and NRF at the transport layer |
Figure 13.4.1.3.2-1 | Authorization and service invocation procedure, for indirect communication with delegated discovery |
Figure 13.5-1 | Security capability negotiation |
Table 13.5-1 | NF service-related signalling traffic protection mechanisms over N32 |
Table 14.1.3-1 | NF services for SoR provided by AUSF |
Table 14.1.4-1 | NF services for UE Parameters Update provided by AUSF |
Table 14.4.1.1-1 | NF services for the NSSAA service provided by NSSAAF |
Table 14.4.2.1-1 | NF services for CH using AAA for primary authentication provided by NSSAAF |
Figure 16.2-1 | Relationship between primary authentication and NSSAA |
Figure 16.3-1 | NSSAA procedure |
Figure 16.4-1 | AAA Server initiated Network Slice-Specific Re-authentication and Re-authorization procedure |
Figure 16.5-1 | AAA Server-initiated Network Slice-Specific Authorization Revocation procedure |
Figure 16.6.3-1 | Subscription/unsubscription of NSACF notification procedure |
Figure 17.1-1 | Signalling Traffic Monitor trust zones example |
Figure 18.2.1-1 | Overview of the connect-UDP Tunnelling mode architecture for protection of XRM Media related information |
Figure 18.2.3-1 | Overview of the connect-UDP Forward mode architecture for protection of XRM Media related information |
Table A.7.1-1 | ABBA parameter definitions |
Table A.8-1 | Algorithm type distinguishers |
Table A.9-1 | Access type distinguishers |
Table A.22-1 | Usage type distinguishers |
Figure B.2.1.1-1 | Using EAP-TLS 1.2 Authentication Procedures over 5G Networks for initial authentication |
Figure B.2.1.1-2 | Using EAP-TLS 1.3 Authentication Procedures over 5G Networks for initial authentication |
Figure B.2.2-1 | AUSF requests CRL from UDM/ARPF |
Figure B.2.2-2 | AUSF requests the status of TLS certificate from UDM/ARPF |
Figure C.3.2-1 | Encryption based on ECIES at UE |
Figure C.3.3-1 | Decryption based on ECIES at home network |
Figure D.2.1.1-1 | Ciphering of data |
Figure D.3.1.1-1 | Derivation of MAC-I/NAS-MAC (or XMAC-I/XNAS-MAC) |
Table F.2-1 | 5G UE behaviour when receiving EAP identity requests |
Figure G.1-1 | Signaling message from AMF (vPLMN) to AUSF (hPLMN) traversing the respective SEPPs |
Figure G.2-1 | Typical structure of the HTTP message received by SEPP |
Figure I.2.2.2.2-1 | Primary authentication with external domain |
Figure I.2.3.1-1 | KAUSF derivation for key-generating EAP authentication methods other than EAP-AKA' |
Figure I.2.3.2-1 | KAUSF derivation for primary authentication towards an external Credentials holder using AAA server |
Figure I.10.2.2-1 | Procedure for Untrusted non-3GPP Access using Credentials Holder AAA Server |
Figure I.10.3.2-1 | Procedure for Trusted Non-3GPP Access using Credentials Holder AAA Server |
Figure I.10.4.2-1 | Procedure for trusted WLAN access using Credentials Holder AAA Server |
Figure I.10.5.1.2-1 | Procedure for NSWO authentication using CH with AAA server via 5GC |
Figure J.1.2-1 | Key derivation of 5G SRVCC from NR to UTRAN |
Figure N.2.2-1 | Redundant transmission with two N3 tunnels between the UPF and a single NG-RAN node |
Figure O.3-1 | Registration and authentication of a non-5G capable device to the 5GC |
Figure R-1 | Illustration of authorization aspects in direct deployment models |
Figure R-2 | Illustration of authorization aspects in indirect deployment models |
Figure S.3-1 | Authentication procedure for NSWO in 5GS |
Figure U.2-1 | Primary authentication using EAP-TTLS and AAA |
Figure X.2-1 | NF Service Consumer Authorization to receive data from NF Service Producers via DCCF |
Figure X.3-1 | Service Consumer Authorization to receive data from Service Producers via MFAF |
Figure X.8.2.1-1 | Protection of analytics exchange when policies configured locally in Roaming entry NWDAF |
Figure X.8.2.2-1 | Protection of analytics exchange when policies configured as extended claims in access token |
Figure X.9-1 | FL Authorization for selecting participant NWDAF instances |
Figure X.10-1 | Secured and authorized AI/ML model sharing between different vendors |
Figure Z.2-1 | Authentication Procedure for AUN3 devices by 5GC using key-generating EAP method |
Figure Z.3-1 | Authentication Procedure for AUN3 devices by AAA using key-generating EAP method |