Content for  TS 33.163  Word version:  17.0.0


4.3  Procedures between the UE and the HSE

4.3.1  Overview of BEST procedures

To use the BEST service, the UE shall set up a PDN connection (EPS) or PDU Session (5GS) to connect to the HSE. The UE may either use a locally stored IP address to locate the HSE or use a "BEST APN" (EPS) or "BEST DNN" (5GS), in which case the traffic is directed by the PDN Gateway (EPS) or UPF (5GS) to the correct HSE for that UE. Once a connection to the HSE exists, the UE may initiate the BEST service. It is up to the UE when it establishes the PDN connection (EPS) or PDU Session (5GS) that is used for BEST control plane and user plane messages.
The BEST service consists of 5 general processes between the UE and the HSE: session initiation and key agreement, key management, data transfer, session termination, and message rejection. The End to Middle Secure Data Protocol (EMSDP), used for the BEST control plane service and optionally for the user plane security service, is detailed in clause 6.
When BEST user plane (UP) security services are used, UP messages are exchanged between the UE and the HSE in UE-to-HSE security mode, and between the UE and the EAS in UE-to-EAS security mode.
Figure 4.3.1-1 of 3GPP TS 33.163: Generalised BEST service flow (figure not reproduced).

4.3.2  BEST Session Initiation and Key Agreement

The UE shall initiate a BEST session using the EMSDP Session Request message following the establishment of the PDN connection (EPS) or PDU Session (5GS). To optimise the message flow for battery-constrained devices, the EMSDP Session Response is combined with the Session Key Agreement.
The EMSDP Session Request message shall include the UE Identity, the BEST capabilities of the UE (i.e. the BEST UE configuration), the UE serving network (conditionally, cf. clause 6.2.6.1.5) and details of the enterprise service that the BEST service is being used for, including the Enterprise server Id (EAS Id). The BEST capabilities of the UE include the BEST release supported by the UE and the BEST key agreement(s) that are supported (e.g. UMTS, EPS, 5G, etc.).
The EMSDP Session Start message shall include the information needed for a key agreement of the BEST keys, the BEST service parameters (i.e. the BEST Service configuration), and a checksum validating the previous EMSDP Session Request message. The BEST service parameters include an indication of the BEST key agreement selected by the HSE.
The HSE shall determine the parameters for the BEST service. The HSE may use the location information provided by the UE to determine whether aspects of the BEST service, such as ciphering, can be used in that location. The UE may request in the EMSDP Session Request message that the BEST user plane is confidentiality protected; in this case the HSE should take this information into account when deciding whether to activate the user plane confidentiality service for the UE.
As a result of the key agreement exchange, the UE and HSE shall derive the UE-to-HSE keys. In the case of UE-to-EAS security mode and in the case of the key agreement only service, the UE and HSE shall also derive the intermediate key and the EAS PSK.
To optimise the BEST service for battery-constrained devices, confirmation of the BEST session start is not required. The UE sending a UP message to the HSE or EAS is by itself an implied confirmation. However, if the BEST service is being used for key agreement only, the HSE shall require the UE to send an EMSDP Session Start Confirmation by setting the indicator in the EMSDP Session Start message.

4.3.3  BEST Session Key Management

At any time during the BEST session, either the UE or the HSE may trigger a re-negotiation of the keys being used for the BEST service using the EMSDP Manage Keys Request and Response exchange. To avoid overloading the HSE and the HSS, the HSE may throttle, or not support, UE-triggered key renegotiation.
The newly generated keys take effect immediately for EMSDP-based BEST UP services. For the procedures used when the BEST key management service provides a pre-shared key to an application layer protocol, refer to clause 4.4.4 for additional details.

4.3.4  BEST Session Termination

At any time, either the UE or the HSE may terminate the current BEST session using the EMSDP Session Termination Request and Response message exchange. Once terminated, all relevant keys and IDs shall be discarded and both the UE and HSE shall ignore further messages using that session ID, unless a session with that ID is re-established using the session initiation process.

4.3.5  BEST Message Reject

Either the UE or the HSE may at any time respond with an EMSDP Message Reject message, upon which the recipient shall discard all relevant keys and IDs of the session, and both the UE and HSE shall ignore further messages using that session ID.
The EMSDP Message Reject is also used when the HSE needs to prompt a UE to initiate a new session using the Session Start message, for example when it receives a UP packet from the UE on a BEST session whose context the HSE has aged out.
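The UE-to-HSE session lifecycle of clauses 4.3.2 to 4.3.5 (Session Request answered by a Session Start that carries the key agreement and a checksum over the request, implied confirmation by the first UP message, explicit confirmation for key agreement only, Manage Keys with HSE-side throttling of UE-triggered refresh, termination, and Message Reject for an aged-out session) as an added Python simulation. This is not 3GPP text or code: the message dictionaries, the labelled HMAC-SHA256 key derivation, the truncated SHA-256 request checksum, the HSE's key-agreement preference order and the `allow_ue_key_refresh` policy flag are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed root secret standing in for HSS-provided key material; the real
# UE-to-HSE derivation of clause 5.1.2 is not modelled (assumption).
ROOT_KEY = b"constructed-root-key"

def derive_ue_hse_keys(session_id: int, counter: int) -> dict:
    """Assumed derivation (labelled HMAC-SHA256), not the TS 33.163 KDF."""
    ctx = session_id.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return {label: hmac.new(ROOT_KEY, label.encode() + ctx, hashlib.sha256).digest()
            for label in ("enc", "int")}

def request_checksum(request: dict) -> bytes:
    """Checksum over the Session Request echoed in Session Start (assumed: truncated SHA-256)."""
    return hashlib.sha256(repr(sorted(request.items())).encode()).digest()[:8]

@dataclass
class Session:
    session_id: int
    key_agreement: str
    keys: dict
    counter: int = 0          # incremented on every key renegotiation
    confirmed: bool = False   # set by explicit confirmation or first UP message

class HSE:
    def __init__(self, key_agreements=("5G", "EPS"), allow_ue_key_refresh=False):
        self.key_agreements = key_agreements   # constructed policy, in preference order
        self.allow_ue_key_refresh = allow_ue_key_refresh
        self.sessions, self.next_id = {}, 1

    def session_request(self, request: dict) -> dict:
        """EMSDP Session Request -> Session Start (response and key agreement in one)."""
        common = [ka for ka in self.key_agreements if ka in request["key_agreements"]]
        if not common:
            return {"type": "MessageReject"}   # no key agreement both sides support
        sid, self.next_id = self.next_id, self.next_id + 1
        self.sessions[sid] = Session(sid, common[0], derive_ue_hse_keys(sid, 0))
        return {"type": "SessionStart", "session_id": sid, "key_agreement": common[0],
                "counter": 0, "checksum": request_checksum(request),
                # key-agreement-only service needs an explicit Session Start Confirmation
                "confirm_required": request["service"] == "key_agreement_only"}

    def session_start_confirmation(self, session_id: int) -> None:
        self.sessions[session_id].confirmed = True

    def up_message(self, session_id: int, payload: bytes) -> dict:
        """UP on a live session is an implied confirmation; on an aged-out one, Message Reject."""
        s = self.sessions.get(session_id)
        if s is None:
            return {"type": "MessageReject", "session_id": session_id}
        s.confirmed = True
        return {"type": "UPAck", "session_id": session_id}

    def manage_keys(self, session_id: int, initiated_by: str):
        """Re-negotiate keys; UE-triggered requests are ignored when not supported."""
        s = self.sessions.get(session_id)
        if s is None or (initiated_by == "UE" and not self.allow_ue_key_refresh):
            return None
        s.counter += 1
        s.keys = derive_ue_hse_keys(session_id, s.counter)   # effective immediately
        return {"type": "ManageKeysResponse", "session_id": session_id, "counter": s.counter}

    def terminate(self, session_id: int) -> dict:
        self.sessions.pop(session_id, None)   # discard keys and IDs
        return {"type": "SessionTerminationResponse", "session_id": session_id}

class UE:
    def __init__(self, ue_id: str, key_agreements, service: str):
        self.ue_id, self.key_agreements, self.service = ue_id, list(key_agreements), service
        self.session = None

    def start_session(self, hse: HSE, eas_id: str = "eas-1") -> Session:
        request = {"ue_id": self.ue_id, "key_agreements": self.key_agreements,
                   "eas_id": eas_id, "service": self.service}
        start = hse.session_request(request)
        if start["type"] != "SessionStart":
            raise ValueError("session rejected by HSE")
        if start["checksum"] != request_checksum(request):
            raise ValueError("Session Start does not validate our Session Request")
        sid = start["session_id"]
        self.session = Session(sid, start["key_agreement"], derive_ue_hse_keys(sid, 0))
        if start["confirm_required"]:
            hse.session_start_confirmation(sid)
        return self.session

    def refresh_keys(self, hse: HSE) -> bool:
        resp = hse.manage_keys(self.session.session_id, "UE")   # False if the HSE ignores it
        if resp is None:
            return False
        self.session.counter = resp["counter"]
        self.session.keys = derive_ue_hse_keys(self.session.session_id, resp["counter"])
        return True

    def send_up(self, hse: HSE, payload: bytes) -> bool:
        reply = hse.up_message(self.session.session_id, payload)
        if reply["type"] == "MessageReject":
            self.session = None   # discard keys and IDs; a new session must be initiated
        return reply["type"] != "MessageReject"
```

The checksum step is the part worth noting from a defender's view: the UE only commits to the derived keys once the Session Start proves the HSE saw the same Session Request (capabilities and EAS Id) the UE sent, and a session whose context the HSE has dropped is cleanly torn down on the UE side by the Message Reject rather than being retried with stale keys.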

4.4  Procedures between the HSE and the EAS

4.4.1  Message Exchange Overview

The message exchanges between the HSE and the EAS are essentially a mirror of the ones between the UE and the HSE. All BEST control plane messages are terminated or initiated by the HSE. When BEST user plane security services are used in UE-to-EAS mode, the user plane security is end-to-end between the UE and the EAS.
Figure 4.4.1-1 of 3GPP TS 33.163: Generalised BEST EAS service flow (figure not reproduced).

4.4.2  EAS Registration for BEST Service

As a prerequisite to using the BEST service, the EAS shall register with the HSE over a secure connection by providing its identity (Enterprise server Id). This results in a session context being established in the HSE for the registered EAS.
A secure connection is established between the HSE and the EAS as part of the management of the BEST service between the Enterprise and the HSE, cf. clause 7.1.
NOTE: The procedures for establishing a secure connection and for EAS registration with the HSE are out of scope of this TS.

4.4.3  Key Request

During the key agreement procedure described in clause 4.3.2, the HSE may forward the derived key to the EAS in the EAS Session Request message.
When BEST is used for key agreement only, or when the BEST UP service is used in UE-to-EAS mode, the HSE shall forward the pre-shared key (KEAS_PSK) that is specifically derived for the enterprise as defined by the key definition rules in clause 5.1.2. The HSE also includes the Intermediate Key Id in this message. The EAS shall respond with the EAS Session Start message.
When BEST is used for key agreement only, the EAS may initiate a Key Request by sending the EAS Session Request message. The UE includes the Intermediate Key Id needed to identify the UE-specific Intermediate Key and the associated EAS-specific pre-shared key in the HSE. The EAS obtains the key identifier from the UE during application layer session establishment. The HSE shall respond with the pre-shared key (KEAS_PSK).

4.4.4  Key Refresh

At any time during the BEST session, either the UE, the HSE or the EAS may trigger a re-negotiation of the keys being used for the BEST service. It is optional for the HSE to support UE-initiated key refresh, which it signals to the UE in the Session Start message. If it does not support it, the HSE will ignore UE-triggered key refresh messages. UE- and HSE-triggered re-negotiation is described in clause 4.3.3. For the UE-to-EAS mode BEST UP service and the BEST key agreement only service, the newly derived pre-shared key (EAS PSK) may be sent by the HSE to the EAS. This is further described in clause 6.2.7.2.
The EAS-triggered re-negotiation of keys applies to BEST UP Service in UE-to-EAS mode. The trigger for generating new keys is appropriately propagated to the UE using EMSDP Manage Keys Request. The EAS is provided with newly derived EAS PSK from the HSE.
For BEST key-agreement only service, there is no provision for the application layer to trigger generation of the new EAS PSK. The application layer continues to use the existing pre-shared key to generate fresh session keys for consecutive instances of the protocol. When a new EAS PSK is generated in the HSE, the application layer obtains it either via an update from the HSE or when the EAS contacts the HSE again when a new application layer session is set up.

4.4.5  Session Termination

At any time, any of the BEST functions (the UE, the EAS or the HSE) may terminate the current BEST session using the BEST or EAS Session Termination Request and Response message exchange. The session termination request shall be applied to all the functions involved in a given session. Once terminated, all relevant keys and IDs shall be discarded and the UE, the EAS and the HSE shall ignore further messages using that session ID, unless a session with that ID is re-established using the session initiation process.

4.4.6  Message Reject

The UE, the EAS or the HSE may at any time trigger an EAS Message Reject message, upon which the recipient shall discard all relevant keys and IDs of the session, and the UE, the EAS and the HSE shall ignore further messages using that session ID.

4.5  BEST Data Service

Once the BEST session is successfully initiated, the UE, the HSE or the EAS may send UP data using the negotiated keys.
If the BEST UP session is set up between the UE and the HSE, then the UP packets are initiated or terminated by the HSE. In this case the low-power-optimised EMSDP protocol, as detailed in clause 6, is used.
If the BEST UP session is set up between the UE and the EAS, then the HSE passes the UP messages to the EAS after checking that the message is formatted correctly and that it is a UP message. The key used by the UE and EAS to encrypt and decrypt data messages (when required) is KE2Eenc, and the key used to integrity protect the message is KE2Eint. Verification of any Key ID, counter and message integrity, and deciphering, are the responsibility of the EAS.
If the BEST key agreement service is used to set up a data session between the UE and EAS, the UE and EAS need to use a security protocol other than EMSDP with the EAS PSK, e.g. IKE/IPsec or (D)TLS, for user plane data transmission. In this case, the HSE does not handle the UP.
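The HSE-side behaviour of clauses 4.4.3 to 4.5 as an added Python example (not 3GPP code): the HSE pushes KEAS_PSK together with the Intermediate Key Id to a registered EAS in UE-to-EAS mode, answers an EAS-initiated Key Request by Intermediate Key Id in key agreement only mode, re-derives the intermediate key, key id and EAS PSK on key refresh, and routes UP frames differently per mode (terminating them itself in UE-to-HSE mode, only format-checking them before handing them to the EAS in UE-to-EAS mode, and not handling them at all in key agreement only mode). Assumptions made for the example: the labelled HMAC-SHA256 derivations in `kdf` stand in for the clause 5.1.2 key definition rules, the UP frame layout and the `sid * 1000 + counter` Intermediate Key Id scheme are constructed, and only integrity protection with KE2Eint is shown (KE2Eenc and ciphering are omitted).

```python
import hashlib
import hmac

# Constructed HSE root secret; the real derivations (clause 5.1.2) are not modelled.
ROOT_KEY = b"constructed-hse-root-key"

def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Assumed labelled HMAC-SHA256 derivation, not the TS 33.163 key definition rules."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

# Constructed UP frame: b"UP" | session id (4) | key id (4) | tag (16) | payload.
# Only integrity protection is shown; KE2Eenc / confidentiality is omitted.
HDR_LEN = 2 + 4 + 4 + 16

def protect(k_int: bytes, session_id: int, key_id: int, payload: bytes) -> bytes:
    head = b"UP" + session_id.to_bytes(4, "big") + key_id.to_bytes(4, "big")
    tag = hmac.new(k_int, head + payload, hashlib.sha256).digest()[:16]
    return head + tag + payload

def verify(k_int: bytes, frame: bytes):
    """Return the payload if the tag checks out under k_int, else None."""
    head, tag, payload = frame[:10], frame[10:26], frame[26:]
    expected = hmac.new(k_int, head + payload, hashlib.sha256).digest()[:16]
    return payload if hmac.compare_digest(tag, expected) else None

class EAS:
    def __init__(self, eas_id: str):
        self.eas_id, self.psks = eas_id, {}   # Intermediate Key Id -> KEAS_PSK

    def eas_session_request(self, msg: dict) -> dict:
        """HSE forwards KEAS_PSK with its Intermediate Key Id; EAS answers EAS Session Start."""
        self.psks[msg["intermediate_key_id"]] = msg["eas_psk"]
        return {"type": "EASSessionStart", "intermediate_key_id": msg["intermediate_key_id"]}

    def receive_up(self, frame: bytes):
        """UE-to-EAS mode: the EAS, not the HSE, checks key id and integrity."""
        psk = self.psks.get(int.from_bytes(frame[6:10], "big"))
        return None if psk is None else verify(kdf(psk, b"KE2Eint"), frame)

class HSE:
    def __init__(self):
        self.eas, self.sessions, self.next_id = {}, {}, 1

    def register_eas(self, eas: EAS) -> None:
        self.eas[eas.eas_id] = eas   # registration over a secure link (out of scope)

    def start_session(self, ue_id: str, eas_id: str, mode: str) -> dict:
        """Create the session context and, in UE-to-EAS mode, push KEAS_PSK to the EAS.
        Returns the UE's view of the agreed keys (what the UE would derive itself)."""
        sid, self.next_id = self.next_id, self.next_id + 1
        self.sessions[sid] = {"ue_id": ue_id, "eas_id": eas_id, "mode": mode, "counter": 0}
        return self._derive(sid)

    def _derive(self, sid: int) -> dict:
        s = self.sessions[sid]
        ctx = sid.to_bytes(4, "big") + s["counter"].to_bytes(4, "big")
        s["k_int"] = kdf(ROOT_KEY, b"KE2Mint", ctx)           # UE-to-HSE integrity key
        if s["mode"] != "ue_to_hse":                          # UE-to-EAS or key agreement only
            intermediate = kdf(ROOT_KEY, b"intermediate", ctx)
            s["intermediate_key_id"] = sid * 1000 + s["counter"]   # constructed id scheme
            s["eas_psk"] = kdf(intermediate, b"KEAS_PSK", s["eas_id"].encode())
            if s["mode"] == "ue_to_eas":
                self.eas[s["eas_id"]].eas_session_request(
                    {"eas_psk": s["eas_psk"], "intermediate_key_id": s["intermediate_key_id"]})
        return {"session_id": sid, "k_int": s["k_int"], "eas_psk": s.get("eas_psk"),
                "intermediate_key_id": s.get("intermediate_key_id")}

    def key_request(self, eas_id: str, intermediate_key_id: int) -> dict:
        """EAS-initiated Key Request (key agreement only): look up the PSK by Intermediate Key Id."""
        for s in self.sessions.values():
            if s.get("intermediate_key_id") == intermediate_key_id and s["eas_id"] == eas_id:
                return {"type": "EASSessionStart", "eas_psk": s["eas_psk"]}
        return {"type": "EASMessageReject"}

    def key_refresh(self, sid: int) -> dict:
        """Key refresh (any initiator): new keys, new Intermediate Key Id, new KEAS_PSK."""
        self.sessions[sid]["counter"] += 1
        return self._derive(sid)

    def route_up(self, sid: int, frame: bytes):
        s = self.sessions.get(sid)
        if s is None or s["mode"] == "key_agreement_only":
            return None                                   # HSE does not handle UP at all
        if s["mode"] == "ue_to_hse":
            return verify(s["k_int"], frame)              # HSE terminates the UP itself
        if frame[:2] != b"UP" or len(frame) < HDR_LEN:
            return None                                   # format check only, no key use
        return self.eas[s["eas_id"]].receive_up(frame)    # pass through to the EAS
```

The point of the `route_up` branches is the trust boundary: in UE-to-EAS mode the HSE never holds KE2Eint, so a frame it forwards can only be accepted or dropped by the EAS, and a frame protected with the UE-to-HSE key is rejected there. The Key Request lookup also checks that the requesting EAS Id matches the session's EAS Id, so an enterprise server cannot obtain another enterprise's PSK by guessing an Intermediate Key Id.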