TR 33.702
Security for Mobility over non-3GPP access to avoid full Primary Authentication

3GPP‑Page fToC_↓ Partial Content _→

V19.0.0 (Wzip) 2024/09 65 p.

Rapporteur:: Mr. Khare, Saurabh
Nokia Germany

full Table of Contents for TR 33.702 Word version: 19.0.0

each clause number in 'red' refers to the equivalent title in the Partial Content

Scope p. 8

References p. 8

Definitions of terms, symbols and abbreviations p. 8

3.1	Terms p. 8
3.2	Symbols p. 9
3.3	Abbreviations p. 9

Security Assumptions p. 9

4.1	Task 1: UE connecting to the new TNAP within the same TNGF p. 9
4.2	Task 2: AUN3 device connecting to a new 5G-RG under the same W-AGF p. 9
4.3	Task 3: N5CW device connecting to a new TWAP under the same TWIF p. 10
4.4	Task 4: UE connecting to a new WLAN AP connected via the same NSWOF p. 11

Key issues p. 11

5.1

Key issue #1: Security aspect of UE connecting to a new TNAP within the same TNGF. p. 11

5.1.1	Key issue details p. 11
5.1.2	Threats p. 12
5.1.3	Potential security requirements p. 12

5.2

Key issue #2: Security aspect of AUN3 device connecting to a new 5G-RG within the same W-AGF. p. 12

5.2.1	Key issue details p. 12
5.2.2	Threats p. 12
5.2.3	Potential security requirements p. 12

5.3

Key issue #3: Security aspect of N5CW device connecting to a new TWAP within the same TWIF. p. 12

5.3.1	Key issue details p. 12
5.3.2	Threats p. 12
5.3.3	Potential security requirements p. 13

5.4

Key issue #4: Security aspect of UE connecting to a new WLAN AP connected via the same NSWOF. p. 13

5.4.1	Key issue details p. 13
5.4.2	Threats p. 13
5.4.3	Potential security requirements p. 13

Solutions p. 14

6.0

Mapping of solutions to key issues p. 14

6.1

Solution #1: TNAP mobility solution with rand p. 14

6.1.1

Introduction p. 14

6.1.2

Solution details p. 15

6.1.2.1	Procedure p. 15
6.1.2.2	Key derivation p. 16

6.1.3

Evaluation p. 16

6.2

Solution #2: TNAP mobility solution with count p. 17

6.2.1

Introduction p. 17

6.2.2

Solution details p. 17

6.2.2.1	Procedure p. 17
6.2.2.2	Key derivation p. 18

6.2.3

Evaluation p. 19

6.3

Solution #3: Using Fast BSS Transition for TNAP mobility p. 19

6.3.1

Introduction p. 19

6.3.2

Solution details p. 19

6.3.2.1	Solution overview p. 19
6.3.2.2	Details of FT p. 20

6.3.3

Evaluation p. 22

6.4

Solution #4: Security Establishment for TNAP Mobility p. 23

6.4.1	Introduction p. 23
6.4.2	Solution details p. 23
6.4.3	Evaluation p. 25

6.5

Solution #5: TNAP mobility solution without full authentication p. 25

6.5.1	Introduction p. 25
6.5.2	Solution details p. 26
6.5.3	Evaluation p. 27

6.6

Solution #6: TNAP mobility using modified ERP p. 27

6.6.1	Introduction p. 27
6.6.2	Solution details p. 27
6.6.3	Evaluation p. 30

6.7

Solution #7: Using Fast BSS Transition for N5CW mobility p. 30

6.7.1

Introduction p. 30

6.7.2

Solution details p. 31

6.7.2.1

Solution overview p. 31

6.7.3

Evaluation p. 31

6.8

Solution #8: N5CW device reconnecting p. 31

6.8.1	Introduction p. 31
6.8.2	Solution details p. 32
6.8.3	Evaluation p. 33

6.9

Solution #9: N5CW device mobility solution with Nonce p. 33

6.9.1

Introduction p. 33

6.9.2

Solution details p. 34

6.9.2.1	Procedure p. 34
6.9.2.2	Horizontal key derivation on KAMF p. 35

6.9.3

Evaluation p. 36

6.10

Solution #10: FBSS over 5G architecture p. 36

6.10.1	Introduction p. 36
6.10.2	Solution details p. 36
6.10.3	Evaluation p. 36

6.11

Solution #11: Mobility of N5CW devices p. 37

6.11.1	Introduction p. 37
6.11.2	Solution details p. 37
6.11.3	Evaluation p. 38

6.12

Solution #12: AUN3 device mobility solution with Nonce p. 38

6.12.1

Introduction p. 38

6.12.2

Solution details p. 39

6.12.2.1

AUN3 device not supporting 5G key hierarchy p. 39

6.12.2.1.1	Procedure p. 39
6.12.2.1.2	PMK key derivation p. 40

6.12.2.2

AUN3 device supporting 5G key hierarchy p. 41

6.12.2.2.1	Procedure p. 41
6.12.2.2.2	Horizontal key derivation on KAMF p. 42

6.12.3

Evaluation p. 42

6.13

Solution #13: ERP based re-authentication for NSWO p. 43

6.13.1

Introduction p. 43

6.13.2

Solution details p. 43

6.13.2.1	Solution overview p. 43
6.13.2.2	UE Re-Authentication Procedure for NSWO p. 44

6.13.3

Evaluation p. 44

6.14

Solution #14: solution for UE connecting to a new WLAN AP connected via the same NSWOF. p. 45

6.14.1

Introduction p. 45

6.14.2

Solution details p. 46

6.14.2.1

MSK refresh p. 47

6.14.3

Evaluation p. 47

6.15

Solution #15: Using FT for NSWO p. 48

6.15.1	Introduction p. 48
6.15.2	Solution details p. 48
6.15.3	Evaluation p. 48

6.16

Solution #16: N5CW device mobility using security context in AMF p. 48

6.16.1	Introduction p. 48
6.16.2	Solution details p. 49
6.16.3	Evaluation p. 50

6.17

Solution #17: N5CW device mobility solution without AMF impact p. 50

6.17.1

Introduction p. 50

6.17.2

Solution details p. 51

6.17.2.1	Procedure p. 51
6.17.2.2	New KTNAP derivation from KTWIF p. 52

6.17.3

Evaluation p. 52

6.18

Solution #18: AUN3 device reconnecting p. 52

6.18.1

Introduction p. 52

6.18.2

Procedures p. 53

6.18.2.1	Procedure for AUN3 device not supporting key hierarchy p. 53
6.18.2.2	Procedure for AUN3 device supporting key hierarchy p. 55

6.18.3

Evaluation p. 56

6.19

Solution #19: AUN3 device mobility solution without AMF impact p. 56

6.19.1

Introduction p. 56

6.19.2

Solution details p. 57

6.19.2.1

AUN3 device not supporting 5G key hierarchy p. 57

6.19.2.1.1	Procedure p. 57
6.19.2.1.2	Key derivation from MSK in AUN3 mobility case p. 58

6.19.2.2

AUN3 device supporting 5G key hierarchy p. 59

6.19.2.2.1	Procedure p. 59
6.19.2.2.2	Key derivation from KWAGF in AUN3 mobility case p. 60

6.19.3

Evaluation p. 60

6.20

Solution #20: Using Fast BSS Transition for AUN3 mobility p. 60

6.20.1

Introduction p. 60

6.20.2

Solution details p. 61

6.20.2.1

Solution overview p. 61

6.20.3

Evaluation p. 61

6.21

Solution #21: IPSec and MOBIKE based solution for IPSec connection optimization between UE and TNGF during re-authentication p. 61

6.21.1

Introduction p. 61

6.21.2

Solution details p. 61

6.21.2.1	Solution overview p. 61
6.21.2.2	IPSec optimization during UE Re-Authentication Procedure for connectivity with TNGF p. 62

6.21.3

Evaluation p. 63

Conclusions p. 64

7.1	Key issue #1: Security aspect of UE connecting to a new TNAP within the same TNGF p. 64
7.2	Key issue #2: Security aspect of AUN3 device connecting to a new 5G-RG within the same W-AGF: p. 64
7.3	Key issue #3: Security aspect of N5CW device connecting to a new TWAP within the same TWIF p. 64
7.4	Key issue #4: Security aspect of UE connecting to a new WLAN AP connected via the same NSWOF p. 64

Change history p. 65

TR 33.702 Security for Mobility over non-3GPP access to avoid full Primary Authentication

full Table of Contents for TR 33.702 Word version: 19.0.0

TR 33.702
Security for Mobility over non-3GPP access to avoid full Primary Authentication