An attacker could attempt a bidding down attack by making the UE and the network entities respectively believe that the other side does not support a security feature, even when both sides in fact support that security feature. It shall be ensured that a bidding down attack, in the above sense, can be prevented.

The 5G system shall satisfy the following requirements: Subscription authentication: Serving network authentication: UE authorization: Serving network authorization by the home network: Access network authorization: Unauthenticated Emergency Services:

The 5GC and NG-RAN shall allow for use of encryption and integrity protection algorithms for AS and NAS protection having keys of length 128 bits. The network interfaces shall support the transport of 256 bit keys. The keys used for UP, NAS and AS protection shall be dependent on the algorithm with which they are used.

The support and usage of ciphering and integrity protection between the UE and the ng-eNB is identical to the support and usage of ciphering and integrity protection between the UE and the eNB as specified in TS 33.401 with the following additional requirement(s):

• The UE shall support the use of integrity protection with the ng-eNB over the Uu interface if it supports E-UTRA connected to 5GC.
• The UE shall indicate its support of integrity protection with the ng-eNB if it supports E-UTRA connected to 5GC.

The PEI shall be securely stored in the UE to ensure the integrity of the PEI.

The UE shall support ciphering of user data between the UE and the gNB. The UE shall activate ciphering of user data based on the indication sent by the gNB. The UE shall support ciphering of RRC and NAS-signalling. The UE shall implement the following ciphering algorithms: The UE may implement the following ciphering algorithm: The UE shall implement the ciphering algorithms as specified in TS 33.401 if it supports E-UTRA connected to 5GC. Confidentiality protection of the user data between the UE and the gNB is optional to use. Confidentiality protection of the RRC-signalling, and NAS-signalling is optional to use. Confidentiality protection should be used whenever regulations permit.

The UE shall support integrity protection and replay protection of user data between the UE and the gNB. The UE shall support integrity protection of user data at any data rate, up to and including, the highest data rate supported by the UE. The UE shall activate integrity protection of user data based on the indication sent by the gNB. The UE shall support integrity protection and replay protection of RRC and NAS-signalling. The UE shall implement the following integrity protection algorithms: The UE may implement the following integrity protection algorithm: The UE shall implement the integrity algorithms as specified in TS 33.401 if it supports E-UTRA connected to 5GC. Integrity protection of the user data between the UE and the gNB is optional to use. Integrity protection of the RRC-signalling, and NAS-signalling is mandatory to use, except in the following cases: All NAS signalling messages except those explicitly listed in TS 24.501 as exceptions shall be integrity-protected. All RRC signalling messages except those explicitly listed in TS 38.331 as exceptions shall be integrity-protected with an integrity protection algorithm different from NIA0, except for unauthenticated emergency calls. The UE shall implement NIA0 for integrity protection of NAS and RRC signalling. NIA0 is only allowed for unauthenticated emergency session as specified in clause 10.2.2.

The following requirements apply for the storage and processing of the subscription credentials used to access the 5G network:

• The subscription credential(s) shall be integrity protected within the UE using a tamper resistant secure hardware component.
• The long-term key(s) of the subscription credential(s) (i.e. K) shall be confidentiality protected within the UE using a tamper resistant secure hardware component.
• The long-term key(s) of the subscription credential(s) shall never be available in the clear outside of the tamper resistant secure hardware component.
• The authentication algorithm(s) that make use of the subscription credentials shall always be executed within the tamper resistant secure hardware component.
• It shall be possible to perform a security evaluation / assessment according to the respective security requirements of the tamper resistant secure hardware component.

The UE shall support 5G-GUTI. The SUPI should not be transferred in clear text over NG-RAN except routing information, e.g. Mobile Country Code (MCC) and Mobile Network Code (MNC). The Home Network Public Key shall be stored in the USIM. The protection scheme identifier shall be stored in the USIM. The Home Network Public Key Identifier shall be stored in the USIM. The SUCI calculation indication, either USIM or ME calculating the SUCI, shall be stored in USIM. The ME shall support the null-scheme.If the home network has not provisioned the Home Network Public Key in USIM, the SUPI protection in initial registration procedure is not provided. In this case, the null-scheme shall be used by the ME. Based on home operator's decision, indicated by the USIM, the calculation of the SUCI shall be performed either by the USIM or by the ME. In case of an unauthenticated emergency call, privacy protection for SUPI is not required. Provisioning, and updating the Home Network Public Key, Home Network Public Key Identifier, protection scheme identifier, Routing Indicator, and SUCI calculation indication in the USIM shall be in the control of the home network operator. Subscriber privacy enablement shall be under the control of the home network of the subscriber. The UE shall only send the PEI in the NAS protocol after NAS security context is established, unless during emergency registration when no NAS security context can be established. The Routing Indicator shall be stored in the USIM. If the Routing Indicator is not present in the USIM, the ME shall set it to a default value as defined in TS 23.003.