TR 33.938
3GPP Cryptographic Inventory

3GPP‑Page ETSI‑search CONTENT_↓

V19.2.0 (PDF) 2025/12 … p.

Rapporteur:: Mr. Orkopoulos, Stawros
Nokia Germany

Content for TR 33.938 Word version: 19.1.0

1 Scope p. 6

The present document lists the security protocols that use cryptography in 3GPP specifications for the 5G System in the Standalone mode. They

include the type of cryptography used by the protocol (symmetric/asymmetric)
include the pointers to the protocol specification
include the pointers to the relevant 3GPP cryptographic profiles
include usage type (e.g., integrity, confidentiality, and/or authentication)

2 References p. 6

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.

References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
For a specific reference, subsequent revisions do not apply.
For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.

[1]

TR 21.905: "Vocabulary for 3GPP Specifications".

[2]

TS 33.210: "3G security; Network Domain Security (NDS); IP network layer security".

[3]

TS 33.310: "Network Domain Security (NDS); Authentication Framework (AF)".

[4]

TS 33.501: "Security architecture and procedures for 5G system".

[5]

RFC 9190: "EAP-TLS 1.3: Using the Extensible Authentication Protocol with TLS 1.3".

[6]

RFC 5216: "The EAP-TLS Authentication Protocol".

[7]

SECG SEC 1: "Recommended Elliptic Curve Cryptography", Version 2.0, 2009. Available at http://www.secg.org/sec1-v2.pdf.

[8]

SECG SEC 2: "Recommended Elliptic Curve Domain Parameters", Version 2.0, 2010. Available at http://www.secg.org/sec2-v2.pdf.

[9]

RFC 9001: "Using TLS to Secure QUIC".

[10]

RFC 8152: "CBOR Object Signing and Encryption (COSE)".

[11]

TS 33.220: "Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA)".

[12]

RFC 8613: "Object Security for Constrained RESTful Environments (OSCORE)".

[13]

TS 33.180: "Security of the Mission Critical (MC) service".

[14]

RFC 6509: "MIKEY-SAKKE: Sakai-Kasahara Key Encryption in Multimedia Internet KEYing (MIKEY)''.

[15]

RFC 5448: "Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA')".

[16]

TS 35.205: "3G Security; Specification of the MILENAGE algorithm set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*".

[17]

TS 35.231: "Specification of the TUAK algorithm set: A second example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 1: Algorithm specification".

[18]

TS 35.234: "Specification of the MILENAGE-256 algorithm set; An example set of 256-bit 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5, f5* and f5**; Document 1: General".

[19]

NIST IR 8547 ipd: "Transition to Post-Quantum Cryptography Standards"

[20]

RFC 9147: "The Datagram Transport Layer Security (DTLS) Protocol Version 1.3".

[21]

RFC 8446: "The Transport Layer Security (TLS) Protocol Version 1.3".

[22]

RFC 6960: "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP".

[23]

RFC 7296: "Internet Key Exchange Protocol Version 2 (IKEv2)".

[24]

RFC 4303: "IP Encapsulating Security Payload (ESP)".

[25]

RFC 8221: "Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)".

[26]

RFC 8750: "Implicit Initialization Vector (IV) for Counter-Based Ciphers in Encapsulating Security Payload (ESP)".`

[27]

RFC 7516: "JSON Web Encryption".

[28]

RFC 7515: "JSON Web Signature (JWS)".

[29]

RFC 6507: "Elliptic Curve-Based Certificateless Signatures for Identity-Based Encryption (ECCSI)"

[30]

RFC 6508: "Sakai-Kasahara Key Encryption (SAKKE)''

[31]

RFC 5869: "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)".

[32]

RFC 4303: "IP Encapsulating Security Payload (ESP)".

[33]

RFC 3602: "The AES-CBC Cipher Algorithm and Its Use with IPsec".

[34]

RFC 4106: "The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)".

[35]

RFC 4543: "The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH".

[36]

RFC 4868: "Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPs".

[37]

RFC 6347: "Datagram Transport Layer Security Version 1.2".

[38]

RFC 5246: "The Transport Layer Security (TLS) Protocol Version 1.2".

[39]

RFC 5281: "Extensible Authentication Protocol Tunnelled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0)".

[40]

RFC 6749: "The OAuth 2.0 Authorization Framework".

[41]

RFC 6750: "The OAuth 2.0 Authorization Framework: Bearer Token Usage".

[42]

RFC 7519: "JSON Web Token (JWT)".

[43]

TS 29.500: "Technical Realization of Service Based Architecture".

[44]

TS 38.323: "Packet Data Convergence Protocol (PDCP) specification".

[45]

RFC 8017: "PKCS#1: RSA Cryptography Specifications Version 2.2".

[46]

RFC 4754: "IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)".

[47]

NIST FIPS PUB 180-4: "Secure Hash Standard (SHS)".

[48]

RFC 8442: "ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites for TLS 1.2 and DTLS 1.2".

[49]

TS 33.128: "Protocol and procedures for Lawful Interception (LI)".

3 Definitions of terms, symbols and abbreviations p. 8

3.1 Terms p. 8

For the purposes of the present document, the terms given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.

Asymmetric Cryptography:

(NIST IR 8547 [19]) Also known as public-key cryptography, it is the cryptography that uses two separate keys to exchange data: one to encrypt or digitally sign the data and one to decrypt the data or verify the digital signature.

Key Agreement:

(NIST IR 8547 [19]) A (pair-wise) key-establishment procedure where the resultant secret keying material is a function of information contributed by two participants so that no party can predetermine the value of the secret keying material independently from the contributions of the other party.

Key Derivation:

(NIST IR 8547 [19]) The process of deriving a key in a non-reversible manner from shared information, some of which is secret.

Symmetric Key Cryptography:

(NIST IR 8547 [19]) A cryptographic algorithm that uses the same secret key for its operation and, if applicable, for reversing the effects of the operation.

3.2 Symbols p. 8

Void

3.3 Abbreviations p. 8

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.

5G-AKA

5G Authentication and Key Agreement

AEAD

Authenticated Encryption with Associated Data

BSF

Bootstrapping Server Function

CBOR

Concise Binary Object Representation

COSE

CBOR Object Signing and Encryption

CSK

Client-Server Key

DTLS

Datagram Transport Layer Security

EAP-AKA'

Improved Extensible Authentication Protocol Method for 3GPP Mobile Network Authentication and Key Agreement

EAP-TLS

Extensible Authentication Protocol Transport Layer Security

EAP-TTLS

Extensible Authentication Protocol Tunnelled Transport Layer Security

ECDH

Elliptic Curve Diffie-Hellman

ECDSA

Elliptic Curve Digital Signature Algorithm

ECIES

Elliptic Curve Integrated Encryption Scheme

ESP

Encapsulating Security Payload

GMK

Group Master Key

HKDF

HMAC-based Key Derivation Function

HMAC

Hash-Based Message Authentication Code

IKE

Internet Key Exchange

IKEv2

Internet Key Exchange Protocol Version 2

IPsec

Internet Protocol Security

JSON

JavaScript Object Notation

JWE

JSON Web Encryption

JWS

JSON Web Signature

JWT

JSON Web Token

KDF

Key Derivation Function

MIKEY-SAKKE

Multimedia Internet KEYing - Sakai-Kasahara Key Encryption

MPQUIC

Multipath QUIC

MuSiK

Multicast Signalling Key

NAS

Non-Access Stratum

NDS

Network Domain Security

OAuth

Open Authorization

OCSP

Online Certificate Status Protocol

OSCORE

Object Security for Constrained RESTful Environments

PCK

Private Call Key

PDCP

Packet Data Convergence Protocol

PKI

Public Key Infrastructure

QUIC

Quick UDP Internet Connections

REST

Representational State Transfer

RSA

Rivest-Shamir-Adleman

Security Association

SECG

Standards for Efficient Cryptography

SHA

Secure Hash Algorithm

SUPI

Subscription Permanent Identifier

TLS

Transport Layer Security

UDP

User Datagram Protocol

4 3GPP Cryptographic Inventory - 5G System p. 9

4.1 General p. 9

This clause provides inventory of security protocols that use cryptography in 3GPP specifications for 5G systems (limited to the standalone mode). The clause 4.2 presents inventory in detailed lists, and the clause 4.3 summarizes them in tables.

4.2 Detailed Protocol List p. 9

4.2.1 DTLS p. 9

DTLS specified in RFC 9147 is used in 5G system in standalone mode to protect the following:

N2 interface (see clause 9.2 of TS 33.501).
Xn interface (see clause 9.4 of TS 33.501).
DIAMETER or GTP-based interfaces (see clause 9.5 of TS 33.501).
gNB internal interfaces (see clause 9.8 of TS 33.501).

Security profiles for DTLS implementation and usage in 3GPP are given in clause 6.2 of TS 33.210 and the certificate profile is given in clause 6.1.3a of TS 33.310.

DTLS employs symmetric cryptography for confidentiality and integrity protection.

DTLS employs asymmetric cryptography for digital signature and key agreement.

4.2.2 TLS p. 9

TLS specified in RFC 8446 is used in 5G system in standalone mode to protect the following:

NIDD interfaces (see clause 6.16.3 of TS 33.501).
DIAMETER or GTP-based interfaces (see clause 9.5 of TS 33.501).
NEF - AF interface (see clauses 12.2 and 12.3 of TS 33.501).
Interfaces between network functions (see clauses 13.1, 13.2, 13.5 of TS 33.501).
N32 interface (see clause 13.2 of TS 33.501).
Network slice management interfaces (see clauses 15.2 and 15.3 of TS 33.501).
Message Service interfaces for MIoT over the 5G System (see clauses Y.2 - Y.4 of TS 33.501).
Security profiles for TLS implementation and usage in 3GPP are given in clause 6.2 of TS 33.210 and the certificate profile is given in clause 6.1.3a of TS 33.310.

TLS employs symmetric cryptography for confidentiality and integrity protection.

TLS employs asymmetric cryptography for digital signature and key agreement.

4.2.3 EAP-TLS p. 10

EAP-TLS [5] [6] is used in 5G system in standalone mode to realise the following:

Mutual authentication between UE and AUSF (see Annex B, Annex I of TS 33.501)
Mutual authentication between UE and AAA (see Annex I of TS 33.501)
Mutual authentication between N5GC and AUSF (see Annex O of TS 33.501)

The 3GPP TLS protocol profile related to supported TLS versions and supported TLS cipher suites in 3GPP networks is specified in clause 6.2 of TS 33.210. The 3GPP profile of TLS certificates is specified in clause 6.1.3a of TS 33.310.

EAP-TLS employs asymmetric cryptography for authentication and key agreement.

EAP-TLS employs symmetric cryptography for authentication and key agreement.

EAP-TLS employs hash function for session key derivation.

4.2.4 ECIES p. 10

ECIES is used in 5G system in standalone mode for the following:

Confidentiality and Integrity Protection of the SUPI (see Annex C.3 of TS 33.501).

The ECIES profiles follow the terminology and processing specified in SECG version 2 [7] and [8]. The security profiles for the ECIES implementation and usage in 3GPP is given in clause C.3.4 of TS 33.501.

ECIES employs asymmetric cryptography for the key agreement of the symmetric keys.

ECIES employs symmetric cryptography for the confidentiality and integrity protection of the SUPI.

4.2.5 PKI p. 10

PKI is used in 5G system in standalone mode for the following:

Issuing of X.509 certificates (see clause 4 of TS 33.310).
PKI architecture for NDS/AF (see clause 5.1 of TS 33.310).

PKI employs asymmetric cryptography for certificate signing and verification.

PKI employs hash function for computation of digests.

4.2.6 Online Certificate Status Protocol (OCSP) p. 11

Online Certificate Status Protocol (OCSP) specified in RFC 6960 is used in 5G system in standalone mode for the following:

Certificate status request, i.e., OCSP stapling (see clause B.2.2 of TS 33.501).
Revocation of subscriber certificates (see clause B.2.2 of TS 33.501).

OCSP and the related profiles are in clause 6.1b of TS 33.310.

OCSP employs asymmetric cryptography for digital signing and signature verification.

OCSP employs hash algorithms for computation of digests.

4.2.7 QUIC and MPQUIC p. 11

The QUIC and MPQUIC are used in 5G system in standalone mode for the following:

QUIC is used for the security of connection between UPF and AS proxy (see clause 18 of TS 33.501).
MPQUIC steering functionality is used for ATSSS (see Annex AA of TS 33.501).

For the QUIC establishment, the RFC 9001 mandates the use of TLS with the exception of TLS_AES_128_CCM_8_SHA256.

4.2.8 CBOR Object Signing and Encryption (COSE) p. 11

The COSE [10] is used in 5G system in standalone mode for the following:

OSCORE [12] for cryptographic algorithm selection between UE and BSE (reference point Ua) (see clause P.3.3 of TS 33.220).

COSE employs asymmetric cryptography for digital signature and key agreement.

COSE employs symmetric cryptography for confidentiality and integrity protection.

COSE employs hash functions for session key derivation.

4.2.9 MIKEY-SAKKE p. 11

MIKEY-SAKKE is used in the 5G system to securely transport cryptographic keys for Mission Critical Services. It is used in the following scenarios:

Group Master Keys (GMKs) from a Group Management Server to a Group Management Client on a MC UE (see Annex E clause E.2 of TS 33.180)
Private Call Keys (PCKs) between MC UEs (see Annex E clause E.3 of TS 33.180)
Client-Server keys (CSKs) between MCX Server and MC client (see Annex E clause E.3 of TS 33.180)
Multicast Signalling Keys (MuSiK) from MCX Servers to MC clients (see Annex E clause E.3 of TS 33.180)

Security profiles for MIKEY-SAKKE are left for implementation.

MIKEY-SAKKE is specified in RFC 6509.

MIKEY-SAKKE employs asymmetric cryptography for key distribution.

4.2.10 IKEv2 p. 11

IKEv2 protocol is specified in RFC 7296 to perform authentication and setup Security Associations (SA) for IPsec tunnels. The IPsec ESP protocol is described in clause 4.2.15.

IKEv2 is used in 5G system to provide security for the following:

Untrusted non-3GPP access to the 5G core network (see clause 7 of TS 33.501) and trusted non-3GPP access to the 5G core network (see clause 7 of TS 33.501)
IP based interfaces for 5GC and 5G-AN according to NDS/IP (see clause 9 of TS 33.501)
N2 interface between the AMF and the 5G-AN (see clause 9.2 of TS 33.501)
N3 interface between the UPF and 5G-AN (see clause 9.3 of TS 33.501)
Xn interface between 5G-AN (see clause 9.4 of TS 33.501)
F1 and E1 of the gNB internal interfaces (see clause 9.8 of TS 33.501)
Non-SBA interfaces internal to 5GC and between PLMNs (see clause 9.9 of TS 33.501)
F1 interface between the IAB-node (gNB-DU) and the IAB-donor-CU (see clause M.3.3 and M.5 of TS 33.501)

Security profiles for IKEv2 implementation and usage in 3GPP are given in clauses 5.2, 5.4, and 5.6 of TS 33.210 and clauses 5, 6.2, and 7.5 of TS 33.310.

IKEv2 employs symmetric cryptography for confidentiality and integrity protection.

IKEv2 employs asymmetric cryptography for digital signature and key agreement.

IKEv2 employs both symmetric cryptography and asymmetric cryptography for authentication.

4.2.11 PDCP security p. 12

The PDCP security protocol between the UE and the NG-RAN is responsible for the security protection of the following scenarios in 5G system:

RRC integrity and confidentiality protection between UE and gNB (see clause 6.5.1 and 6.5.2 of TS 33.501).
User plane data integrity and confidentiality protection between UE and gNB (see clause 6.6.3 and 6.6.4 of TS 33.501).

PDCP security protocol employs symmetric cryptography for confidentiality and integrity protection.

4.2.12 NAS security p. 12

The NAS security mechanisms are to protect NAS signaling and data between the UE and the AMF over the N1 reference point in 5G system:

NAS signaling integrity and confidentiality protection between UE and AMF (see clause 6.4.3 and 6.4.4 of TS 33.501).
Integrity and confidentiality protection for small user data or SMS as payload of a NAS message between UE and AMF (see clauses 6.16.1 and 6.4.7 of TS 33.501).

NAS security protocol employs symmetric cryptography for confidentiality and integrity protection.

4.2.13 EAP-AKA' p. 12

EAP-AKA' enables mutual authentication between the UE and AUSF and provides keying material that can be used between the UE and the serving network in subsequent security procedures.

The long term key K and the SUPI are preconfigured in the USIM (in the UE) and in the UDM/ARPF.

EAP-AKA' is specified in RFC 5448.

The 3GPP 5G profile for EAP-AKA' is specified in the normative Annex F of TS 33.501.

KDF for key generation is HMAC-SHA-256 as per Annex B.2.0 of TS 33.220.

EAP-AKA' requires functions as described for 128 Bit MILENAGE in TS 35.205, 128 Bit or 256 Bit TUAK in TS 35.231 and in TS 35.234 for 256 Bit MILENAGE.

EAP-AKA' employs symmetric cryptography for authentication and key agreement.

EAP-AKA' employs hash function for session key derivation.

4.2.14 5G-AKA p. 13

5G-AKA enables mutual authentication between the UE and AUSF with proof of successful authentication of the UE from the visited network. 5G-AKA provides keying material that can be used between the UE and the serving network in subsequent security procedures.

The long term key K and the SUPI are preconfigured in the USIM (in the UE) and in the UDM/ARPF.

5G-AKA is specified in TS 33.501.
KDF for key generation is HMAC-SHA-256 as per Annex B.2.0 of TS 33.220.

5G-AKA requires functions as described for 128 Bit MILENAGE in TS 35.205, 128 Bit or 256 Bit TUAK in TS 35.231 and in TS 35.234 for 256 Bit MILENAGE.

5G-AKA employs symmetric cryptography for authentication and key agreement.

5G-AKA employs hash function for session key derivation.

4.2.15 IPsec ESP p. 13

IPsec ESP specified in RFC 4303, RFC 8221, RFC 8750 is used in 5G system to provide security for the following:

Untrusted non-3GPP access to the 5G core network (see clause 7 of TS 33.501) and trusted non-3GPP access to the 5G core network (see clause 7 of TS 33.501)
IP based interfaces for 5GC and 5G-AN according to NDS/IP (see clause 9 of TS 33.501)
N2 interface between the AMF and the 5G-AN (see clause 9.2 of TS 33.501)
N3 interface between the UPF and 5G-AN (see clause 9.3 of TS 33.501)
Xn interface between 5G-AN (see clause 9.4 of TS 33.501)
F1 and E1 of the gNB internal interfaces (see clause 9.8 of TS 33.501)
Non-SBA interfaces internal to 5GC and between PLMNs (see clause 9.9 of TS 33.501)
F1 interface between the IAB-node (gNB-DU) and the IAB-donor-CU (see Annex M.3.3 and M.5 of TS 33.501)
Policy discrimination of GTP-C, GTP-U and protection of GTP-C transport protocol (see Annex B of TS 33.210)
Protection of IMS protocols and interfaces for all SIP signalling traversing inter-security domain boundaries. (see Annex C of TS 33.210)
Protection of UTRAN/GERAN IP transport protocols and interfaces for all RANAP and RNSAP messages traversing inter-security domain boundaries. (see Annex D of TS 33.210)

Security profile for IPsec ESP implementation in 3GPP are given in clause 5.3 of TS 33.210.

IPSec ESP employs symmetric cryptography for confidentiality, integrity and replay protection.

Keying happens using IKEv2 (Internet Key Exchange Protocol Version 2 (IKEv2) as mentioned in clause 4.2.10.

4.2.16 Key Derivation Function (KDF) p. 14

The KDF is used in 5G system in standalone mode and is defined in the normative Annex A of TS 33.501.

The generic KDF for the purpose of a cryptographic key computation is specified in the normative Annex B.2 of TS 33.220.

The KDF employs hash function for key derivation.

4.2.17 JWE and JWS p. 14

JSON Web Encryption (JWE) specified in RFC 7516 and/or JSON Web Signature (JWS) specified in RFC 7515 are used in 5G system in standalone mode to protect the following:

N32 interface (see clause 13.2 of TS 33.501).
NF service access (see clause 13.4 of TS 33.501).

Profiles for JWE/JWS implementation and usage in 3GPP are given in clause 6.3 of TS 33.210.

JWE/JWS employ symmetric cryptography for confidentiality and integrity protection.

JWE/JWS employ asymmetric cryptography for digital signature and key agreement.

4.2.18 EAP-TTLS p. 14

EAP-TTLS is an authentication protocol specified in RFC 5281.

EAP-TTLS is used in 5G system to provide security for the following:

Security of UE onboarding in SNPNs (clause I.9 of TS 33.501)
Primary authentication using EAP-TTLS in SNPNs (Annex U of TS 33.501)
Authentication of AUN3 devices using additional EAP methods (clause Z.2 of TS 33.501)

EAP-TTLS employs both asymmetric cryptography and symmetric cryptography for authentication and key agreement.

EAP-TTLS employs hash function for session key derivation.

4.2.19 OAuth 2.0 p. 14

The OAuth 2.0 protocol is an authorization framework enabling a third-party application to obtain limited access to an HTTP service as specified in RFC 6749. The usage of bearer tokens in OAuth 2.0 and JSON Web Token (JWT) are specified in RFC 6750 and RFC 7519 respectively. The former requires TLS (see also in the clause 4.2.2) to secure transmission of token whereas the latter uses JSON Web Signature (JWS) (see also in the clause 4.2.17) for integrity protection of token.

OAuth 2.0, using JWT bearer token, is used in 5G system to provide security for the following:

Authorization of Application Function (clause 12.4 of TS 33.501)
Authorization for the Service Based Interface (clauses 13 and 14 of TS 33.501 and clause 6.7 of TS 29.500)
Authentication for the management service for network slices (clause 15 of TS 33.501)
Authorization of NF Service for network automation (clause X.2 of TS 33.501)

Cryptographic algorithms, features and usage types for TLS and JWT are described in clauses 4.2.2 and 4.2.17 respectively.

4.3 Summary Tables p. 15

4.3.1 3GPP Symmetric Cryptographic Algorithms p. 15

The following Table summarizes the security related protocols used in 3GPP employing symmetric cryptographic algorithms including hash functions (5G System).

Table 4.3.1-1: Protocols Used in 3GPP Employing Symmetric Cryptographic Algorithms (5G System)

Protocol/Function	Protocol Profile, Clauses	Cryptographic Algorithm(s)	Feature(s), Usage Type
COSE (RFC 8152)	clause P.3.3 of TS 33.220	HMAC-based KDF with SHA-256 [31]	Session Key Derivation / Hash Function
COSE (RFC 8152)	clause P.3.3 of TS 33.220	AES-CCM-16-64-128	Confidentiality and Integrity Protection
DTLS 1.2 (RFC 6347)	Clause 6.2.1 of TS 33.210	See TLS 1.2 in this Table	Confidentiality and Integrity Protection
DTLS 1.3 (RFC 9147)	Clause 6.2.1 of TS 33.210	See TLS 1.3 in this Table	Confidentiality and Integrity Protection
EAP-TLS (RFC 9190, RFC 5216)	Clause B.2.1 of TS 33.501	AEAD_AES_128_GCM	Confidentiality and Integrity Protection
EAP-TLS (RFC 9190, RFC 5216)	Clause B.2.1 of TS 33.501	HKDF (RFC 5869)	Session Key Derivation
EAP TTLS (RFC 5281)	TS 33.501, Annex U Clause 6.2 of TS 33.210 for TLS	See TLS in this Table	Confidentiality and Integrity Protection
EAP TTLS (RFC 5281)	TS 33.501, Annex U Clause 6.2 of TS 33.210 for TLS	See TLS in this Table	Session Key Derivation
ECIES ([7], [8])	Clause C.3 of TS 33.501	SHA-256, HMAC-SHA-256	Session Key Derivation
		HMAC-SHA-256	Integrity Protection
		AES-128-CTR	Confidentiality Protection
IKEv2 (RFC 7296)	Clause 5.4 of TS 33.210	128-AES GCM SHA-256 (RFC 8442) 256-AES GCM SHA-384 (RFC 8442)	Confidentiality and Integrity Protection
IKEv2 (RFC 7296)	Clauses 5, 6, 7 of TS 33.310	SHA2-256/384 [47]	Hash Function
IPsec ESP (RFC 4303, RFC 8221, RFC 8750)	TS 33.210	ENCR_AES_CBC (RFC 3602)	Confidentiality Protection
		ENCR_AES_GCM_16 (RFC 4106) ENCR_AES_GCM_16_IIV (RFC 8750)	Confidentiality and Integrity Protection
		AUTH_AES_128_GMAC (RFC 4543) AUTH_HMAC_SHA2_256_128 (RFC 4868)	Authentication
JWE (RFC 7516)	Clauses 6.3.1, 6.3.2 of TS 33.210	AES_128_GCM, AES_256_GCM	Confidentiality and Integrity Protection
JWS (RFC 7515)	Clauses 6.3.1, 6.3.3 of TS 33.210	SHA-256	Hash Function
KDF (Clause B.2 of TS 33.220)	Clause B.2.0 of TS 33.220	HMAC-SHA-256	Session Key Derivation
KDF (Clause B.2 of TS 33.220)	Clause C.3 of TS 33.501	ANSI-X9.63-KDF	Session Key Derivation
MIKEY-SAKKE (RFC 6509)	Appendix A of RFC 6509	SHA-256	Hash Function
NAS security (TS 33.501)	TS 33.501, Annex D	128-NEA1, 128-NIA1 128-NEA2, 128-NIA2 128-NEA3, 128-NIA3	Confidentiality and Integrity Protection
OAuth 2.0 (RFC 6749, RFC 6750)	Clause 6.2 of TS 33.210 for TLS	See TLS 1.2 and TLS 1.3 in this Table	Confidentiality and Integrity Protection
	Clause 6.2 of TS 33.210 for TLS	See TLS 1.2 and TLS 1.3 in this Table	Hash Function
	Clause 6.3 of TS 33.210 for JWE/JWS	See JWE and JWS in this Table	Confidentiality and Integrity Protection
	Clause 6.3 of TS 33.210 for JWE/JWS	See JWE and JWS in this Table	Hash Function
OCSP (RFC 6960)	Clause 6.1b of TS 33.310	SHA-256 SHA-384	Hash Function
PDCP security (TS 38.323)	TS 33.501, Annex D	128-NEA1, 128-NIA1 128-NEA2, 128-NIA2 128-NEA3, 128-NIA3	Confidentiality and Integrity Protection
PKI	Clause 6.1.1 of TS 33.310	SHA-256 SHA-384	Hash Function
TLS 1.2 (RFC 5246)	Clauses 6.2.1, 6.2.3 of TS 33.210	AES_128_GCM, AES_256_GCM	Confidentiality and Integrity Protection
TLS 1.2 (RFC 5246)	Clauses 6.2.1, 6.2.3 of TS 33.210	SHA256, SHA384	Hash Function
TLS 1.3 (RFC 8446)	Clauses 6.2.1, 6.2.2 of TS 33.210	AES_128_GCM, AES_256_GCM, CHACHA20_POLY1305	Confidentiality and Integrity Protection
TLS 1.3 (RFC 8446)	Clauses 6.2.1, 6.2.2 of TS 33.210	SHA-256, SHA-384	Hash Function

4.3.2 3GPP Asymmetric Cryptographic Algorithms p. 17

The following Table summarizes the security related protocols used in 3GPP employing asymmetric cryptographic algorithms (5G System).

Table 4.3.2-1: Protocols Used in 3GPP Employing Asymmetric Cryptographic Algorithms (5G System)

Protocol/Function	Protocol Profile, Clauses	Cryptographic Algorithm(s)	Feature(s), Usage Type
DTLS 1.2 (RFC 6347)	Clause 6.2.1 of TS 33.210	See TLS 1.2 in this Table	Confidentiality and Integrity Protection
DTLS 1.3 (RFC 9147)	Clause 6.2.1 of TS 33.210	See TLS 1.2 in this Table	Confidentiality and Integrity Protection
EAP-TLS (RFC 9190, RFC 5216)	Clause B.2.1 of TS 33.501	See TLS in this Table.	Authentication / Digital Signature / Confidentiality Protection / Hash Function
EAP-TLS (RFC 9190, RFC 5216)	TS 33.501 RFC 9190 (TLS 1.3)	ECDHE	Key Agreement
EAP-TTLS (RFC 5281)	TS 33.501, Annex U Clause 6.2 of TS 33.210 for TLS	See TLS in this Table	Key Agreement
EAP-TTLS (RFC 5281)	TS 33.501, Annex U Clause 6.2 of TS 33.210 for TLS	See TLS in this Table	Authentication / Digital Signature / Confidentiality Protection / Hash Function
ECIES ([7], [8])	Clause C.3 of TS 33.501	ECDH	Key Agreement
IKEv2 (RFC 7296)	Clause 5.4 of TS 33.210	DH	Key Agreement
	Clauses 5, 6, 7 of TS 33.310	RSA Sha-256/384 (RFC 8017) ECDSA SHA-256/384/512 (RFC 4754) RSASSA-PSS SHA-256 [47]	Digital Signature
	Clauses 5, 6, 7 of TS 33.310	SHA2-256/384 [47]	Hash Function
JWE (RFC 7516)	Clauses 6.3.1, 6.3.2 of TS 33.210	ECDH-ES	Key Agreement
JWS (RFC 7515)	Clauses 6.3.1, 6.3.3 of TS 33.210	ECDSA	Digital Signature
MIKEY-SAKKE (RFC 6509)	RFC 6507	ECCSI	Digital signature
MIKEY-SAKKE (RFC 6509)	RFC 6508	SAKKE	Key agreement
OAuth 2.0 (RFC 6749, RFC 6750)	Clause 6.2 of TS 33.210 for TLS	See TLS 1.2 and TLS 1.3 in this Table	Key Agreement
	Clause 6.2 of TS 33.210 for TLS	See TLS 1.2 and TLS 1.3 in this Table	Digital Signature
	Clause 6.3 of TS 33.210 for JWE/JWS	See JWE and JWS in this Table	Key Agreement
	Clause 6.3 of TS 33.210 for JWE/JWS	See JWE and JWS in this Table	Digital Signature
OCSP (RFC 6960)	Clause 6.1b of TS 33.310	RSA ECDSA	Authentication / Digital Signature
PKI	Clause 6.1.1 of TS 33.310	RSA, ECDSA	Authentication / Digital Signature
TLS 1.2 (RFC 5246)	Clauses 6.2.1, 6.2.3 of TS 33.210	ECDHE	Key Agreement
TLS 1.2 (RFC 5246)	Clauses 6.2.1, 6.2.3 of TS 33.210	ECDSA, RSA	Digital Signature
TLS 1.3 (RFC 8446)	Clauses 6.2.1, 6.2.2 of TS 33.210	ECDHE	Key Agreement
TLS 1.3 (RFC 8446)	Clauses 6.2.1, 6.2.2 of TS 33.210	ECDSA, RSA	Digital Signature