TR 33.737: Study on Authentication and Key Management for Applications (AKMA) Phase 2
V18.1.0, 2023/09, 48 p.
Rapporteur: Miss Huang, Xiaoting, China Mobile Com. Corporation
Full Table of Contents for TR 33.737, Word version: 18.1.0
1 Scope (p. 7)
2 References (p. 7)
3 Definitions of terms, symbols and abbreviations (p. 7)
3.1 Terms (p. 7)
3.2 Symbols (p. 7)
3.3 Abbreviations (p. 8)
4 Architectural assumptions (p. 8)
4.1 General (p. 8)
4.2 AKMA Non-Roaming network model (p. 8)
4.3 AKMA Roaming network model (p. 8)
5 Key issues (p. 9)
5.1 Key Issue #1: Support for AKMA roaming scenario (p. 9)
5.1.1 Issue details (p. 9)
5.1.2 Security Threats (p. 10)
5.1.3 Potential security requirements (p. 10)
5.2 Key Issue #2: Introducing the Authentication proxy into AKMA (p. 10)
5.2.1 Key issue details (p. 10)
5.2.2 Security threats (p. 10)
5.2.3 Potential architectural and security requirements (p. 10)
6 Solutions (p. 10)
6.1 Solution #1: AKMA roaming solution for Ua* encryption key (p. 10)
6.1.1 Introduction (p. 10)
6.1.2 Solution details (p. 11)
6.1.2.1 Internal AF in HPLMN (p. 11)
6.1.2.2 External AF (p. 12)
6.1.2.3 Internal AF in VPLMN (p. 13)
6.1.3 Evaluation (p. 13)
6.2 Solution #2: New solution for AKMA roaming when both UE and AF are in VPLMN (p. 14)
6.2.1 Introduction (p. 14)
6.2.2 Solution details (p. 14)
6.2.2.1 Architecture (p. 14)
6.2.2.2 Solution detail (p. 15)
6.2.2.2.1 AKMA Application Key request via NEF (p. 15)
6.2.3 Evaluation (p. 15)
6.3 Solution #3: Roaming AKMA architecture of the AF in the HPLMN (p. 15)
6.3.1 Introduction (p. 15)
6.3.2 Solution details (p. 15)
6.3.2.1 Roaming AKMA architecture of the AF in the HPLMN (p. 15)
6.3.2.2 Roaming AKMA procedure of the AF in the HPLMN (p. 16)
6.3.2.3 New service: Nudm_Get_Roaming_NFid service operation (p. 17)
6.3.3 Evaluation (p. 18)
6.4 Solution #4: Roaming AKMA architecture of the AF in the VPLMN (p. 18)
6.4.1 Introduction (p. 18)
6.4.2 Solution details (p. 18)
6.4.3 Evaluation (p. 19)
6.5 Solution #5: AKMA anchor key registration to the AAnF in VPLMN after primary authentication (p. 19)
6.5.1 Introduction (p. 19)
6.5.2 Solution details (p. 19)
6.5.2.1 AKMA anchor key registration in roaming scenario (p. 19)
6.5.2.2 UE in VPLMN accessing internal VPLMN AF (p. 20)
6.5.2.3 UE in VPLMN accessing internal HPLMN AF (p. 21)
6.5.3 Evaluation (p. 22)
6.6 Solution #6: AKMA roaming with VAAnF for LI (p. 22)
6.6.1 Introduction (p. 22)
6.6.2 Solution details (p. 22)
6.6.3 Evaluation (p. 25)
6.7 Solution #7: Introducing AP into AKMA (p. 25)
6.7.1 Introduction (p. 25)
6.7.2 Solution details (p. 25)
6.7.2.1 Architecture of using AP (p. 25)
6.7.2.2 AP-AS reference point (p. 26)
6.7.2.3 Example of using AP for TLS tunnels (p. 26)
6.7.3 Evaluation (p. 27)
6.8 Solution#8: AAnF discovery and selection for internal AF in AKMA roaming (p. 27)
6.8.1 Introduction (p. 27)
6.8.2 Solution details (p. 28)
6.8.2.1 AAnF discovery and selection for internal AF (p. 28)
6.8.3 Evaluation (p. 29)
6.9 Solution #9: Roaming AKMA architecture of the AF in Data Network (Internet) (p. 29)
6.9.1 Introduction (p. 29)
6.9.2 Solution details (p. 29)
6.9.2.1 Roaming AKMA architecture of the AF in Data Network (Internet) (p. 29)
6.9.2.2 Roaming AKMA procedure of the AF in Data Network (Internet) (p. 29)
6.9.2.3 New service: Nudm_Get_Roaming_NFid service operation (p. 30)
6.9.3 Evaluation (p. 30)
6.10 Solution #10: Support of AKMA roaming with K_SEAF (p. 31)
6.10.1 Introduction (p. 31)
6.10.2 Solution details (p. 31)
6.10.3 Evaluation (p. 32)
6.11 Solution #11: AKMA Authentication in roaming scenario (p. 32)
6.11.1 Introduction (p. 32)
6.11.2 Solution details (p. 32)
6.11.2.1 Option#1 details (p. 33)
6.11.2.2 Option#2 details (p. 34)
6.11.2.2.1 New service: Nausf_AKMA_Key_Get service operation (p. 34)
6.11.3 Evaluation (p. 35)
6.12 Solution #12: AKMA anchor key forwarding to the VPLMN during primary authentication procedure (p. 35)
6.12.1 Introduction (p. 35)
6.12.2 Solution details (p. 35)
6.12.2.1 AKMA anchor key registration in roaming scenario (p. 35)
6.12.2.2 UE in VPLMN accessing internal VPLMN AF (p. 36)
6.12.2.3 UE in VPLMN accessing internal HPLMN AF (p. 37)
6.12.3 Evaluation (p. 37)
6.13 Solution #13: AKMA support in roaming (p. 38)
6.13.1 Introduction (p. 38)
6.13.2 Solution details (p. 40)
6.13.3 Evaluation (p. 41)
6.14 Solution #14: AKMA roaming with AF outside VPLMN (p. 41)
6.14.1 Introduction (p. 41)
6.14.2 Solution details (p. 41)
6.14.3 Evaluation (p. 43)
6.15 Solution #15: AKMA roaming for external AF in Data Network (p. 43)
6.15.1 Introduction (p. 43)
6.15.2 Solution details (p. 43)
6.15.3 Solution Evaluation (p. 44)
6.16 Solution #16: AKMA roaming with VPLMN AKMA Support NF for inbound roamers (p. 44)
6.16.1 Introduction (p. 44)
6.16.2 Solution details (p. 44)
6.16.3 Evaluation (p. 46)
7 Conclusions (p. 47)
7.1 Conclusion to Key Issue#1 (p. 47)
7.2 Conclusion to Key Issue#2 (p. 47)
Change history (p. 48)