
TR 33.857
Study on enhanced Security support for Non-Public Networks (NPN)

V17.1.0  2022/03  85 p.
Rapporteur:
Dr. Jost, Christine
Ericsson LM

Full Table of Contents for TR 33.857, Word version: 17.1.0
0 Introduction  p. 8
1 Scope  p. 9
2 References  p. 9
3 Definitions of terms, symbols and abbreviations  p. 10
3.1 Terms  p. 10
3.2 Symbols  p. 10
3.3 Abbreviations  p. 10
4 Architectural and security assumptions  p. 11
4.1 Architectural requirements  p. 11
4.2 Security assumptions  p. 11
5 Key issues  p. 11
5.1 Key Issue #1: Credentials owned by an external entity  p. 11
5.1.1 Key issue details  p. 11
5.1.2 Security threats  p. 12
5.1.3 Potential security requirements  p. 12
5.2 Key Issue #2: Provisioning of Credentials  p. 12
5.2.1 Key issue details  p. 12
5.2.2 Security threats  p. 13
5.2.3 Potential security requirements  p. 13
5.3 Key Issue #3: Security impacts from supporting IMS voice and IMS services in SNPNs  p. 13
5.3.1 Key issue details  p. 13
5.3.2 Security threats  p. 13
5.3.3 Potential security requirements  p. 13
5.4 Key Issue #4: Securing initial access for UE onboarding between UE and SNPN  p. 14
5.4.1 Introduction  p. 14
5.4.2 Security threats  p. 14
5.4.3 Potential security requirements  p. 14
5.5 Key Issue #5: Roaming-related security mechanisms for SNPNs  p. 14
5.5.1 Key issue details  p. 14
5.5.2 Security threats  p. 14
5.5.3 Potential security requirements  p. 14
6 Solutions  p. 15
6.0 Mapping of Solutions to Key Issues  p. 15
6.1 Solution #1: Primary authentication between an SNPN and third-party AAA server using EAP  p. 15
6.1.1 Introduction  p. 15
6.1.2 Solution Details  p. 16
6.1.2.0 General  p. 16
6.1.2.1 Procedure  p. 17
6.1.3 System impact  p. 18
6.1.4 Evaluation  p. 19
6.2 Solution #2: EAP authentication between UE and external AAA via AUSF  p. 19
6.2.1 Introduction  p. 19
6.2.2 Solution details  p. 19
6.2.3 System impact  p. 20
6.2.4 Evaluation  p. 21
6.3 Solution #3: Primary authentication between an SNPN and third-party AAA server using EAP-TTLS  p. 21
6.3.1 Introduction  p. 21
6.3.2 Solution Details  p. 21
6.3.2.0 General  p. 21
6.3.2.1 Procedure  p. 22
6.3.3 System impact  p. 24
6.3.4 Evaluation  p. 24
6.4 Solution #4: Authentication Framework Enhancements to support SNPN access  p. 24
6.4.1 Introduction  p. 24
6.4.2 Solution details  p. 24
6.4.2.1 SNPN access using PLMN owned subscription credentials  p. 24
6.4.2.2 SNPN access using third-party owned subscription credentials  p. 25
6.4.3 System impact  p. 26
6.4.4 Evaluation  p. 26
6.5 Solution #5: Network Access Authentication with Credentials owned by an AAA external to the SNPN  p. 27
6.5.1 Introduction  p. 27
6.5.2 Solution details  p. 28
6.5.3 System impact  p. 29
6.5.4 Evaluation  p. 29
6.6 Solution #6: Network access authentication with credentials owned by an entity separate from the SNPN  p. 29
6.6.1 Introduction  p. 29
6.6.2 Solution details  p. 30
6.6.3 System impact  p. 31
6.6.4 Evaluation  p. 31
6.7 Solution #7: EAP authentication between UE and external AAA with enhanced security of KAUSF  p. 31
6.7.1 Introduction  p. 31
6.7.2 Solution details  p. 32
6.7.3 System impact  p. 34
6.7.4 Evaluation  p. 34
6.8 Solution #8: UE onboarding for SNPN with AAA-S as DCS  p. 34
6.8.1 Introduction  p. 34
6.8.2 Solution details  p. 36
6.8.3 System impact  p. 37
6.8.4 Evaluation  p. 37
6.9 Solution #9: UE onboarding for SNPN with UDM as DCS  p. 37
6.9.1 Introduction  p. 37
6.9.2 Solution details  p. 38
6.9.2.0 General  p. 38
6.9.2.1 Procedure  p. 38
6.9.3 System impact  p. 39
6.9.4 Evaluation  p. 39
6.10 Solution #10: Secure initial access to an SNPN onboarding network  p. 39
6.10.1 Introduction  p. 39
6.10.2 Solution details  p. 40
6.10.3 System impact  p. 41
6.10.4 Evaluation  p. 41
6.11 Solution #11: Securing initial access by using primary authentication  p. 41
6.11.1 Introduction  p. 41
6.11.2 Solution details  p. 42
6.11.3 System impact  p. 43
6.11.4 Evaluation  p. 43
6.12 Solution #12: Authentication for UE Onboarding for SNPN  p. 43
6.12.1 Introduction  p. 43
6.12.2 Solution details  p. 45
6.12.2.1 Authentication for onboarding with default credentials is provisioned in UDM  p. 45
6.12.2.2 Authentication for onboarding with default credentials is provisioned in DCS  p. 46
6.12.3 System impact  p. 47
6.12.4 Evaluation  p. 47
6.13 Solution #13: UE Onboarding for an SNPN from Onboarding SNPN with Secondary Authentication using EAP method with UE identity privacy  p. 47
6.13.1 Introduction  p. 47
6.13.2 Solution details  p. 48
6.13.3 System impact  p. 50
6.13.4 Evaluation  p. 51
6.14 Solution #14: Initial access for UE Onboarding for an SNPN from Onboarding SNPN using primary and secondary authentication  p. 51
6.14.1 Introduction  p. 51
6.14.2 Solution details  p. 52
6.14.2.0 General  p. 52
6.14.2.1 Using EAP-TLS Authentication Procedures over 5G Networks for initial one-way authentication  p. 54
6.14.3 System impact  p. 56
6.14.4 Evaluation  p. 57
6.15 Solution #15: Privacy protection of UE onboarding identifier  p. 57
6.15.1 Introduction  p. 57
6.15.2 Solution details  p. 57
6.15.3 System impact  p. 58
6.15.4 Evaluation  p. 58
6.16 Solution #16: UE onboarding for SNPN with the interaction between PS and DCS  p. 58
6.16.1 Introduction  p. 58
6.16.2 Solution details  p. 59
6.16.2.1 Procedure  p. 59
6.16.2.2 Procedure  p. 60
6.16.3 System impact  p. 61
6.16.4 Evaluation  p. 61
6.17 Solution #17: Solution to Provisioning of PNI-NPN Credentials  p. 61
6.17.1 Introduction  p. 61
6.17.2 Solution details  p. 61
6.17.3 System Impact  p. 62
6.17.4 Evaluation  p. 62
6.18 Solution #18 Solution on service authorization for SNPNs  p. 63
6.18.1 Introduction  p. 63
6.18.2 Solution Details  p. 63
6.18.3 System impact  p. 64
6.18.4 Evaluation  p. 64
6.19 Solution #19: Secure onboarding without client authentication  p. 65
6.19.1 Introduction  p. 65
6.19.2 Solution details  p. 65
6.19.3 System impact  p. 68
6.19.4 Evaluation  p. 68
6.20 Solution #20: Control plane based provisioning: PS to AUSF  p. 68
6.20.1 Introduction  p. 68
6.20.2 Solution details  p. 69
6.20.3 System impact  p. 70
6.20.4 Evaluation  p. 70
6.21 Solution #21: Control plane based provisioning: PS to UDM  p. 71
6.21.1 Introduction  p. 71
6.21.2 Solution details  p. 72
6.21.3 System impact  p. 73
6.21.4 Evaluation  p. 73
6.22 Solution #22: Solution for onboarding and provisioning  p. 73
6.22.1 Introduction  p. 73
6.22.2 Solution details  p. 73
6.22.3 System impact  p. 75
6.22.4 Evaluation  p. 75
6.23 Solution #23: Solution to enable onboarding and secured UE access based on credentials owned by an external entity  p. 76
6.23.1 Introduction  p. 76
6.23.2 Solution details  p. 76
6.23.3 System impact  p. 78
6.23.4 Evaluation  p. 78
6.24 Solution #24: Secure mutually authenticated onboarding without DCS  p. 78
6.24.1 Introduction  p. 78
6.24.2 Solution details  p. 79
6.24.3 System impact  p. 81
6.24.4 Evaluation  p. 81
6.25 Solution #25: UE Onboarding for an SNPN with EAP-TLS  p. 81
6.25.1 Introduction  p. 81
6.25.2 Solution details  p. 81
6.25.2.1 General  p. 81
6.25.2.2 Procedure  p. 82
6.25.3 System impact  p. 83
6.25.4 Evaluation  p. 83
7 Conclusions  p. 84
7.1 Conclusions on KI #1: Credentials owned by an external entity  p. 84
7.2 Conclusions on KI #2: Provisioning of Credentials  p. 84
7.3 Conclusions on KI #3: Security impacts from supporting IMS voice and IMS services in SNPNs  p. 84
7.4 Conclusions on KI #4: Securing initial access for UE onboarding between UE and SNPN  p. 85
7.5 Conclusions on KI #5: Roaming-related security mechanisms for SNPNs  p. 85
$ Change history  p. 86
