| Figure / Table | Title |
|---|---|
| Figure 4-1 | Overview of the security architecture |
| Figure 6.1.2-1 | Initiation of authentication procedure and selection of authentication method |
| Figure 6.1.3.1-1 | Authentication procedure for EAP-AKA' |
| Figure 6.1.3.2-1 | Authentication procedure for 5G AKA |
| Figure 6.1.4.1a-1 | Linking increased Home control to subsequent procedures |
| Figure 6.1.5.2-1 | Home Network triggered primary authentication procedure |
| Figure 6.2.1-1 | Key hierarchy generation in 5GS |
| Figure 6.2.2-1 | Key distribution and key derivation scheme for 5G for network nodes |
| Figure 6.2.2-2 | Key distribution and key derivation scheme for 5G for the UE |
| Figure 6.4.6-1 | Protecting the initial NAS message |
| Figure 6.6.2-1 | User plane (UP) security activation mechanism |
| Figure 6.7.2-1 | NAS Security Mode Command procedure |
| Figure 6.7.4-1 | AS Security Mode Command Procedure |
| Figure 6.9.2.1.1-1 | Model for the handover key chaining |
| Figure 6.10.1.2-1 | Multi-Radio dual connectivity (MR-DC) protocol architecture |
| Figure 6.10.2.1-1 | Security aspects in SN Addition/Modification procedures (MN initiated) |
| Figure 6.10.2.2.3-1 | SN Key update procedure using SN Modification procedure (SN initiated with MN involvement) |
| Figure 6.10.2.4.4-1 | Security procedures for SCPAC |
| Figure 6.12.4-1 | Subscription identifier query |
| Figure 6.13-1 | gNB periodic local authentication procedure |
| Figure 6.14.2.1-1 | Procedure for providing list of preferred PLMN/access technology combinations during registration in VPLMN |
| Figure 6.14.2.2-1 | Procedure for providing list of preferred PLMN/access technology combinations after registration |
| Figure 6.15.2.1-1 | Procedure for UE Parameters Update |
| Figure 7.2.1-1 | Authentication for untrusted non-3GPP access |
| Figure 7A.2.1-1 | Registration / Authentication and PDU Session establishment for trusted non-3GPP access |
| Figure 7A.2.3-1 | Key hierarchy for trusted non-3GPP access |
| Figure 7A.2.4-1 | Authentication Procedure for N5CW |
| Figure 7B.2-1 | 5G-RG authentication procedure |
| Figure 7B.c | FN-RG authentication procedure |
| Figure 7B.7-1 | Authentication Procedure for AUN3 devices using EAP-AKA' |
| Figure 7B.7.3-1 | Authentication Procedure for AUN3 devices supporting 5G key hierarchy using EAP-AKA' |
| Figure 8.3.2-1 | Handover from 5GS to EPC over N26 |
| Figure 8.4.2-1 | Handover from EPS to 5GS over N26 |
| Figure 8.5.2-1 | Idle mode mobility from 5G to 4G |
| Figure 11.1.2-1 | Initial EAP Authentication with an external AAA server |
| Figure 11.1.3-1 | EAP Re-Authentication with an external AAA server |
| Figure 13.2.1-1 | Overview of PRINS (IPX as the exemplary Roaming Intermediary) |
| Figure 13.2.2.4.0-1 | N32-f context overview |
| Figure 13.2.4.5.1-1 | Example of JSON representation for RI with modifications by IPX1 |
| Figure 13.2.4.8-1 | Message flow between two SEPPs |
| Figure 13.4.1.1-1b | NF Service Producer registers in NRF |
| Figure 13.4.1.1.2-1 | NF Service Consumer obtaining access token before NF Service access |
| Figure 13.4.1.1.2-2 | NF Service Consumer requesting service access with an access token |
| Figure 13.4.1.2.2-1 | NF Service Consumer obtaining access token before NF Service access (roaming) |
| Figure 13.4.1.2.2-2 | NF Service Consumer requesting service access with an access token in roaming case |
| Figure 13.4.1.3.1.1-1 | Authorization and service invocation procedure, for indirect communication without delegated discovery, with mutual authentication between NF and NRF at the transport layer |
| Figure 13.4.1.3.1.2-1 | Authorization and service invocation procedure, for indirect communication without delegated discovery, without mutual authentication between NF and NRF at the transport layer |
| Figure 13.4.1.3.2-1 | Authorization and service invocation procedure, for indirect communication with delegated discovery |
| Figure 13.4.1.5.2.2-1 | Service access authorization in indirect communication (with or without delegated discovery) when NF Service Consumer and NF Service Producer are in different PLMNs and NF selection is at the source PLMN |
| Figure 13.4.1.5.3.2-1 | Service access authorization when NF Service Consumer and NF Service Producer are in different PLMNs with indirect communication without delegated discovery and NF selection is at target PLMN |
| Figure 13.4.1.5.3.3-1 | Service access authorization when NF Service Consumer and NF Service Producer are in different PLMNs with indirect communication with delegated discovery and NF selection is at target PLMN |
| Figure 13.5-1 | Security capability negotiation |
| Table 13.5-1 | NF service-related signalling traffic protection mechanisms over N32 |
| Table 14.1.3-1 | NF services for SoR provided by AUSF |
| Table 14.1.4-1 | NF services for UE Parameters Update provided by AUSF |
| Table 14.4.1.1-1 | NF services for the NSSAA service provided by NSSAAF |
| Table 14.4.2.1-1 | NF services for CH using AAA for primary authentication provided by NSSAAF |
| Figure 16.2-1 | Relationship between primary authentication and NSSAA |
| Figure 16.3-1 | NSSAA procedure |
| Figure 16.4-1 | AAA Server initiated Network Slice-Specific Re-authentication and Re-authorization procedure |
| Figure 16.5-1 | AAA Server-initiated Network Slice-Specific Authorization Revocation procedure |
| Figure 16.6.3-1 | Subscription/unsubscription of NSACF notification procedure |
| Figure 17.1-1 | Signalling Traffic Monitor trust zones example |
| Figure 18.2.1-1 | Overview of the connect-UDP Tunnelling mode architecture for protection of XRM Media related information |
| Figure 18.2.3-1 | Overview of the connect-UDP Forward mode architecture for protection of XRM Media related information |
| Table A.7.1-1 | ABBA parameter definitions |
| Table A.8-1 | Algorithm type distinguishers |
| Table A.9-1 | Access type distinguishers |
| Table A.22-1 | Usage type distinguishers |
| Figure B.2.1.1-1 | Using EAP-TLS 1.2 Authentication Procedures over 5G Networks for initial authentication |
| Figure B.2.1.1-2 | Using EAP-TLS 1.3 Authentication Procedures over 5G Networks for initial authentication |
| Figure B.2.2-1 | AUSF requests CRL from UDM/ARPF |
| Figure B.2.2-2 | AUSF requests the status of TLS certificate from UDM/ARPF |
| Figure C.3.2-1 | Encryption based on ECIES at UE |
| Figure C.3.3-1 | Decryption based on ECIES at home network |
| Figure D.2.1.1-1 | Ciphering of data |
| Figure D.3.1.1-1 | Derivation of MAC-I/NAS-MAC (or XMAC-I/XNAS-MAC) |
| Table F.2-1 | 5G UE behaviour when receiving EAP identity requests |
| Figure G.1-1 | Signaling message from AMF (vPLMN) to AUSF (hPLMN) traversing the respective SEPPs |
| Figure G.2-1 | Typical structure of the HTTP message received by SEPP |
| Figure I.2.2.2.2-1 | Primary authentication with external domain |
| Figure I.2.3.1-1 | KAUSF derivation for key-generating EAP authentication methods other than EAP-AKA' |
| Figure I.2.3.2-1 | KAUSF derivation for primary authentication towards an external Credentials holder using AAA server |
| Figure I.10.2.2-1 | Procedure for Untrusted non-3GPP Access using Credentials Holder AAA Server |
| Figure I.10.3.2-1 | Procedure for Trusted Non-3GPP Access using Credentials Holder AAA Server |
| Figure I.10.4.2-1 | Procedure for trusted WLAN access using Credentials Holder AAA Server |
| Figure I.10.5.1.2-1 | Procedure for NSWO authentication using CH with AAA server via 5GC |
| Figure J.1.2-1 | Key derivation of 5G SRVCC from NR to UTRAN |
| Figure N.2.2-1 | Redundant transmission with two N3 tunnels between the UPF and a single NG-RAN node |
| Figure O.3-1 | Registration and authentication of a non-5G capable device to the 5GC |
| Figure R-1 | Illustration of authorization aspects in direct deployment models |
| Figure R-2 | Illustration of authorization aspects in indirect deployment models |
| Figure S.3-1 | Authentication procedure for NSWO in 5GS |
| Figure U.2-1 | Primary authentication using EAP-TTLS and AAA |
| Figure X.2-1 | NF Service Consumer Authorization to receive data from NF Service Producers via DCCF |
| Figure X.3-1 | Service Consumer Authorization to receive data from Service Producers via MFAF |
| Figure X.8.2.1-1 | Protection of analytics exchange when policies configured locally in Roaming entry NWDAF |
| Figure X.8.2.2-1 | Protection of analytics exchange when policies configured as extended claims in access token |
| Figure X.9-1 | FL Authorization for selecting participant NWDAF instances |
| Figure X.10-1 | Secured and authorized AI/ML model sharing between different vendors |
| Figure X.12.2.1-1 | Authorization of VFL participants (NWDAF or Internal AF acts as VFL Server) |
| Figure X.12.2.2-1 | Authorization of candidate VFL participants for VFL when external AF is acting as the VFL server |
| Figure Z.2-1 | Authentication Procedure for AUN3 devices by 5GC using key-generating EAP method |
| Figure Z.3-1 | Authentication Procedure for AUN3 devices by AAA using key-generating EAP method |
| Figure AB.2-1 | Example of dedicated NFs deployed in the PNI-NPN operational domain |