Content for TS 33.501 Word version: 18.3.0

1… 4… 5… 5.3… 5.9… 5.10… 6… 6.1.3… 6.1.4… 6.2… 6.2.2… 6.3… 6.4… 6.5… 6.6… 6.7… 6.8… 6.9… 6.10… 6.11 6.12… 6.13 6.14… 6.15… 6.16… 7… 7A… 7A.2.3… 7B… 8… 9… 10… 11… 12… 13… 13.2.2… 13.2.4… 13.3… 13.4… 14… 15… 16… A… B… C… D… E… F… G… I… I.9… J… K… M… N… O… P… R S… T… U… V… W… X… Y… Z…

5.10 Visibility and configurability 5.10.1 Security visibility 5.10.2 Security configurability 5.11 Requirements for algorithms, and algorithm selection 5.11.1 Algorithm identifier values 5.11.1.1 Ciphering algorithm identifier values 5.11.1.2 Integrity algorithm identifier values 5.11.2 Requirements for algorithm selection 5.12 Requirements on 5G-RG 5.13 Requirements on NSSAAF
...

5.10 Visibility and configurability p. 41

5.10.1 Security visibility p. 41

Although in general the security features should be transparent to the user or application, for certain events and according to the user's or application's concern, greater visibility of the operation of following security feature shall be provided:

AS confidentiality: (AS confidentiality, Confidentiality algorithm, bearer information)
AS integrity: (AS integrity, Integrity algorithm, bearer information)
NAS confidentiality: (NAS confidentiality, Confidentiality algorithm)
NAS integrity: (NAS integrity, Integrity algorithm)

The UE shall provide above security information to the applications in the UE (e.g. via APIs), on a per PDU session granularity.

The serving network identifier shall be available for applications in the UE.

5.10.2 Security configurability p. 41

Security configurability lets a user to configure certain security feature settings on a UE that allows the user to manage additional capability or use certain advanced security features.

The following configurability feature should be provided:

Granting or denying access to USIM without authentication as described in TS 33.401.

5.11 Requirements for algorithms, and algorithm selection p. 42

5.11.1 Algorithm identifier values

5.11.1.1 Ciphering algorithm identifier values p. 42

All identifiers and names specified in this subclause are for 5G NAS and New Radio. In relation to AS capabilities, the identifiers and names for E-UTRAN connected to 5GC are specified in TS 33.401.

Each encryption algorithm will be assigned a 4-bit identifier. The following values for ciphering algorithms are defined:

"0000₂"	NEA0	Null ciphering algorithm;
"0001₂"	128-NEA1	128-bit SNOW 3G based algorithm;
"0010₂"	128-NEA2	128-bit AES based algorithm; and
"0011₂"	128-NEA3	128-bit ZUC based algorithm.

128-NEA1 is based on SNOW 3G (see TS 35.215).

128-NEA2 is based on 128-bit AES [15] in CTR mode [16].

128-NEA3 is based on 128-bit ZUC (see TS 35.221).

Full details of the algorithms are specified in Annex D.

5.11.1.2 Integrity algorithm identifier values p. 42

All identifiers and names specified in the present subclause are for 5G NAS and New Radio. In relation to AS capabilities, the identifiers and names for E-UTRAN connected to 5GC are specified in TS 33.401.

Each integrity algorithm used for 5G will be assigned a 4-bit identifier. The following values for integrity algorithms are defined:

"0000₂"	NIA0	Null Integrity Protection algorithm;
"0001₂"	128-NIA1	128-bit SNOW 3G based algorithm;
"0010₂"	128-NIA2	128-bit AES based algorithm; and
"0011₂"	128-NIA3	128-bit ZUC based algorithm.

128-NIA1 is based on SNOW 3G (see TS 35.215).

128-NIA2 is based on 128-bit AES [15] in CMAC mode [17].

128-NIA3 is based on 128-bit ZUC (see TS 35.221).

Full details of the algorithms are specified in Annex D.

5.11.2 Requirements for algorithm selection p. 42

UE in RRC_Connected and a serving network shall have agreed upon algorithms for

Ciphering and integrity protection of RRC signalling and user plane (to be used between UE and gNB)
Ciphering and integrity protection of RRC signalling and user plane (to be used between UE and ng-eNB)
NAS ciphering and NAS integrity protection (to be used between UE and AMF)

The serving network shall select the algorithms to use dependent on

the UE security capabilities of the UE,
the configured allowed list of security capabilities of the currently serving network entity

The UE security capabilities shall include NR NAS algorithms for NAS level, NR AS algorithms for AS layer and LTE algorithms for AS level if the UE supports E-UTRAN connected to 5GC.

Each selected algorithm shall be indicated to a UE in a protected manner such that a UE is ensured that the integrity of algorithm selection is protected against manipulation.

The UE security capabilities shall be protected against "bidding down attacks".

It shall be possible that the selected AS and NAS algorithms are different at a given point of time.

5.12 Requirements on 5G-RG |R16| p. 43

The 5G-RG shall be equipped with UICC where the subscription credentials resides. If provisioned by the home operator, the 5G-RG shall store the Home Network Public Key required for concealing the SUPI in the UICC.

The 5G-RG shall support all the security requirements and features of the UE defined in clause 5.2.

5.13 Requirements on NSSAAF |R16| p. 43

The Network slice specific and SNPN authentication and authorization function (NSSAAF) shall handle the Network Slice Specific Authentication requests from the serving AMF as specified in clause 16. The NSSAAF shall also support functionality for access to SNPN using credentials from Credentials Holder using AAA Server as specified in clause I.2.2.2.

The NSSAAF is responsible to send the NSSAA requests to the appropriate AAA-S.

The NSSAAF shall support AAA-S triggered Network Slice-Specific Re-authentication and Re-authorization and Slice-Specific Authorization Revocation and translate any AAA protocol into a Service Based format.

NSSAAF shall translate the Service based messages from the serving AMF or AUSF to AAA protocols towards AAA-P/AAA-S.