
TS 33.434, Word version 17.3.0


1  Scope

The present document specifies the security features and mechanisms that support the Service Enabler Architecture Layer (SEAL) in 5G. Specifically, it specifies the security architecture, the functional model(s), the security aspects of the SEAL reference points (e.g. SEAL-UU), Key Management (KM) procedures, Identity Management (IdM) procedures, and SEAL access authentication and authorization, in support of the efficient use and deployment of vertical applications over 3GPP systems.

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1]  TR 21.905: "Vocabulary for 3GPP Specifications".
[2]  TS 23.434: "Service Enabler Architecture Layer for Verticals (SEAL); Functional architecture and information flows".
[3]  RFC 6749: "The OAuth 2.0 Authorization Framework".
[4]  RFC 6750: "The OAuth 2.0 Authorization Framework: Bearer Token Usage".
[5]  OpenID Connect 1.0: "OpenID Connect Core 1.0 incorporating errata set 1", http://openid.net/specs/openid-connect-core-1_0.html.
[6]  TS 33.310: "Network Domain Security (NDS); Authentication Framework (AF)".
[7]  TS 23.401: "General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access".
[8]  TS 23.501: "System Architecture for the 5G System; Stage 2".
[9]  RFC 7521: "Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants".
[10]  RFC 7523: "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants".
[11]  RFC 7797: "JSON Web Signature (JWS) Unencoded Payload Option".
[12]  RFC 7515: "JSON Web Signature (JWS)".
[13]  RFC 7662: "OAuth 2.0 Token Introspection".
[14]  TS 33.210: "3G security; Network Domain Security (NDS); IP network layer security".
[15]  TS 33.222: "Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS)".
[16]  TS 33.501: "Security architecture and procedures for 5G system".
[17]  TS 29.122: "T8 reference point for Northbound Application Programming Interfaces (APIs)".
[18]  RFC 7252: "The Constrained Application Protocol (CoAP)".
[19]  draft-ietf-ace-oauth-authz-45: "Authentication and Authorization for Constrained Environments (ACE) using the OAuth 2.0 Framework (ACE-OAuth)".
[20]  RFC 8152: "CBOR Object Signing and Encryption (COSE)".
[21]  draft-ietf-ace-dtls-authorize-18: "Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE)".
[22]  RFC 9175: "CoAP: Echo, Request-Tag, and Token Processing".
[23]  RFC 8613: "Object Security for Constrained RESTful Environments (OSCORE)".
[24]  draft-ietf-ace-oscore-profile-19: "OSCORE Profile of the Authentication and Authorization for Constrained Environments Framework".
[25]  draft-ietf-ace-extend-dtls-authorize-00: "Extension of the ACE CoAP-DTLS Profile to TLS".
[26]  RFC 8392: "CBOR Web Token (CWT)".
[27]  RFC 8747: "Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)".
[28]  draft-ietf-ace-oauth-params-16: "Additional OAuth Parameters for Authorization in Constrained Environments (ACE)".
[29]  TS 33.122: "Security aspects of Common API Framework (CAPIF) for 3GPP northbound APIs".

3  Definitions of terms, symbols and abbreviations

3.1  Terms

For the purposes of the present document, the terms given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
For the purposes of the present document, the terms and definitions given in TS 23.434 apply.

3.2  Symbols

Void.

3.3  Abbreviations

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
SEAL  Service Enabler Architecture Layer for Verticals
SIM-C  SEAL Identity Management Client
SIM-S  SEAL Identity Management Server
SKM-C  SEAL Key Management Client
SKM-S  SEAL Key Management Server
VAL  Vertical Application Layer

4  SEAL security requirements

4.1  VAL user authentication and authorization

[SEAL-SEC-4.1-a]  All users of the VAL Service shall be authenticated.
[SEAL-SEC-4.1-b]  The VAL Client and the VAL Server shall mutually authenticate each other prior to providing the VAL UE with the VAL Service User profile and access to user-specific services.
[SEAL-SEC-4.1-c]  The transmission of configuration data and user profile data between an authorized VAL server in the network and the VAL UE shall be confidentiality protected, integrity protected and protected from replays.
[SEAL-SEC-4.1-d]  The VAL service should take measures to detect and mitigate DoS attacks to minimize the impact on the network and on VAL users.
[SEAL-SEC-4.1-e]  The VAL service shall provide a means to support confidentiality of VAL user identities.
[SEAL-SEC-4.1-f]  The VAL service shall provide a means to support confidentiality of VAL signalling.

4.2  Inter-domain

[SEAL-SEC-4.2-a]  VAL systems should take measures to protect themselves from external attacks at the system border.
