
Content for  TS 33.501  Word version:  16.3.0


14  Security related services

14.1  Services provided by AUSF

14.1.1  General

The AUSF provides UE authentication service to the requester NF by Nausf_UEAuthentication. For AKA based authentication, this operation can also be used to recover from synchronization failure situations. Clause 14.1.2 describes the Nausf_UEAuthentication_Authenticate service operation. The services listed here are used in procedures that are described in clause 6 of the present document.
Since AUSF is completely security-related, all service operations are described in the present document. TS 23.501, clause 7.2.7, only lists the services and TS 23.502, clause 5.2.10, provides the reference to the present document.

14.1.2  Nausf_UEAuthentication service

Service operation name: Nausf_UEAuthentication_Authenticate.
Description:
Authenticates the UE and provides related keying material.
Input, Required:
One of the options below.
  1. In the initial authentication request: SUPI or SUCI, serving network name.
  2. In the subsequent authentication requests depending on the authentication method:
    1. 5G AKA: Authentication confirmation message with RES* as described in clause 6.1.3.2 or Synchronization Failure indication and related information (i.e. RAND/AUTS).
    2. EAP-AKA': EAP packet as described in RFC 4187 [21] and RFC 5448 [12], and Annex F.
Input, Optional:
None.
Output, Required:
One of the options below.
  1. Depending on the authentication method:
    1. 5G AKA: authentication vector, as described in clause 6.1.3.2 or Authentication confirmation acknowledge message.
    2. EAP-AKA': EAP packet as described in RFC 4187 [21] and RFC 5448 [12], and Annex F.
  2. Authentication result and, if successful, the master key, which is used by the AMF to derive NAS security keys and other security key(s).
Output, Optional:
SUPI if the authentication was initiated with SUCI.

14.1.3  Nausf_SoRProtection service

The following table illustrates the security related services for SoR that AUSF provides.
| Service Name | Service Operations | Operation Semantics | Example Consumer(s) |
|---|---|---|---|
| Nausf_SoRProtection | Protect | Request/Response | UDM |

Service operation name:
Nausf_SoRProtection.
Description:
The AUSF calculates the SoR-MAC-I_AUSF as specified in Annex A.17 of this document using the UE-specific home key (K_AUSF) along with the steering information received from the requester NF, and delivers the SoR-MAC-I_AUSF and Counter_SoR to the requester NF. If the ACK Indication input is present, then the AUSF shall compute the SoR-XMAC-I_UE and return the computed SoR-XMAC-I_UE in the response. The details of the SoR header are specified in TS 24.501.
Input, Required:
Requester ID, SUPI, service name, SoR Header.
Input, Optional:
ACK Indication, list of preferred PLMN/access technology combinations.
Output, Required:
SoR-MAC-I_AUSF, Counter_SoR or error (counter_wrap).
Output, Optional:
SoR-XMAC-I_UE (if the ACK Indication input is present, then the SoR-XMAC-I_UE shall be computed and returned).

14.1.4  Nausf_UPUProtection service

The following table illustrates the security related services for UE Parameters Update that AUSF provides.
| Service Name | Service Operations | Operation Semantics | Example Consumer(s) |
|---|---|---|---|
| Nausf_UPUProtection | Protect | Request/Response | UDM |

Service operation name:
Nausf_UPUProtection.
Description:
The AUSF calculates the UPU-MAC-I_AUSF as specified in Annex A.19 of this document using the UE-specific home key (K_AUSF) along with the UE Parameters Update Data received from the requester NF, and delivers the UPU-MAC-I_AUSF and Counter_UPU to the requester NF. If the ACK Indication input is present, then the AUSF shall compute the UPU-XMAC-I_UE and return the computed UPU-XMAC-I_UE in the response. The details of the UE Parameters Update Data are specified in TS 24.501.
Input, Required:
Requester ID, SUPI, service name, UE Parameters Update Data.
Input, Optional:
ACK Indication.
Output, Required:
UPU-MAC-I_AUSF, Counter_UPU or error (counter_wrap).
Output, Optional:
UPU-XMAC-I_UE (if the ACK Indication input is present, then the UPU-XMAC-I_UE shall be computed and returned).
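
Added example (not part of TS 33.501): a Python model of the Protect contract shared by 14.1.3 and 14.1.4, showing the per-call counter, the counter_wrap error, and the expected UE acknowledgement MAC that is returned only when ACK Indication is set. The MAC function is a stand-in, not the Annex A.17/A.19 derivation; the 16-bit counter width, the class and function names, and the sample values are assumptions.

```python
import hashlib
import hmac

COUNTER_MAX = 0xFFFF  # assumption: 16-bit counter; the page only names counter_wrap
K_AUSF = bytes(range(32))             # constructed sample key
STEERING = b"constructed SoR header"  # constructed sample input

class CounterWrap(Exception):
    """Models the error (counter_wrap) output."""

def stand_in_mac(k_ausf: bytes, label: bytes, *fields: bytes) -> bytes:
    # Stand-in only, NOT the Annex A.17/A.19 derivation: HMAC-SHA-256 over
    # length-prefixed fields (no field-boundary ambiguity), truncated to 128 bits.
    msg = label + b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(k_ausf, msg, hashlib.sha256).digest()[-16:]

class AusfProtect:
    """Hypothetical per-subscriber Protect context held by the AUSF."""

    def __init__(self, k_ausf: bytes):
        self.k_ausf = k_ausf
        self.next_counter = 0

    def protect(self, data: bytes, ack_indication: bool = False):
        """Return (MAC for the UE, counter used, expected UE ack MAC or None)."""
        if self.next_counter > COUNTER_MAX:
            # Refuse rather than reuse a counter value under the same key.
            raise CounterWrap("counter_wrap")
        counter = self.next_counter.to_bytes(2, "big")
        self.next_counter += 1
        mac_i_ausf = stand_in_mac(self.k_ausf, b"to-ue", data, counter)
        xmac_i_ue = None
        if ack_indication:  # only computed when the requester asks for it
            xmac_i_ue = stand_in_mac(self.k_ausf, b"ue-ack", counter)
        return mac_i_ausf, counter, xmac_i_ue

def requester_accepts_ack(xmac_i_ue: bytes, mac_from_ue: bytes) -> bool:
    """Requester side: constant-time compare of the UE's ack MAC with the expected one."""
    return hmac.compare_digest(xmac_i_ue, mac_from_ue)
```

Because the counter is bound into every MAC, identical steering data protected twice yields different MACs, and an acknowledgement computed for one counter value does not verify against another.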

14.2  Services provided by UDM

14.2.1  General

UDM provides within Nudm_UEAuthentication service all authentication-related service operations, which are Nudm_UEAuthentication_Get (clause 14.2.2) and Nudm_UEAuthentication_ResultConfirmation (clause 14.2.3).
The complete list of UDM services is defined in TS 23.501, clause 7.2.5, and further refined in TS 23.502, clause 5.2.3.1.

14.2.2  Nudm_UEAuthentication_Get service operation

Service operation name:
Nudm_UEAuthentication_Get
Description:
Requester NF gets the authentication data from UDM. For AKA based authentication, this operation can also be used to recover from synchronization failure situations. If SUCI is included, this service operation returns the SUPI.
Inputs, Required:
SUPI or SUCI, serving network name.
Inputs, Optional:
Synchronization Failure indication and related information (i.e. RAND/AUTS).
Outputs, Required:
Authentication method and corresponding authentication data for a certain UE as identified by SUPI or SUCI input.
Outputs, Optional:
SUPI if SUCI was used as input. AKMA Indication, if the subscriber has an AKMA subscription (see TS 33.535).

14.2.3  Nudm_UEAuthentication_ResultConfirmation service operation

Service operation name:
UEAuthentication_ResultConfirmation
Description:
Requester NF informs UDM about the result of an authentication procedure with a UE.
Inputs, Required:
SUPI, timestamp of the authentication, the authentication type (e.g. EAP method or 5G-AKA), and the serving network name.
Inputs, Optional:
None.
Outputs, Required:
None.
Outputs, Optional:
None.

14.3  Services provided by NRF

14.3.1  General

Within the Nnrf_OAuth2Auth service, the NRF provides two service operations: Nnrf_OAuth2Auth_AccessTokenGet (clause 13.4.1.1) and Nnrf_OAuth2Auth_AccessTokenAuthorization (clause 13.4.1.1).
The following table illustrates the security related services for OAuth 2.0 that NRF provides.
| Service Name | Service Operations | Operation Semantics | Example Consumer(s) |
|---|---|---|---|
| Nnrf_AccessToken | Get | Request/Response | AMF, SMF, PCF, NEF, NSSF, SMSF, AUSF |

The complete list of NRF services is defined in TS 23.501, clause 7.2.6, and further refined in TS 23.502, clause 5.2.7.

14.3.2  Nnrf_AccessToken_Get Service Operation

Service Operation name:
Nnrf_AccessToken_Get.
Description:
The NF consumer requests the NRF to provide an Access Token.
Known NF Consumers:
AMF, SMF, PCF, NEF, NSSF, SMSF, and AUSF.
Inputs, Required:
The NF Instance Id of the NF service consumer, expected NF service name(s), NF types of the expected NF producer instance and NF consumer.
Inputs, Optional:
Home and serving PLMN IDs.
Outputs, Required:
Access Token with appropriate claims, where the claims shall include NF Instance Id of NRF (issuer), NF Instance Id of the NF Service consumer (subject), NF type of the producers (audience), expected service name (scope) and expiration time (expiration).
Outputs, Optional:
None.
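
Added example (not part of TS 33.501): the claims listed above carried in a signed token, together with the checks an NF producer would apply before serving a request, which goes one step beyond this clause. The JWT claim names (iss, sub, aud, scope, exp), the HS256 shared-key signature, the function names and all sample identifiers are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-shared-secret"                 # constructed sample values
NRF_ID = "11111111-1111-4111-8111-111111111111"
AMF_ID = "22222222-2222-4222-8222-222222222222"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def nrf_issue(key, nrf_id, consumer_id, producer_nf_type, service, now, ttl=300):
    """NRF side: put the required claims in a token and sign it (HS256)."""
    claims = {"iss": nrf_id, "sub": consumer_id, "aud": producer_nf_type,
              "scope": service, "exp": now + ttl}
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def producer_verify(token, key, trusted_nrf_id, own_nf_type, service, now):
    """NF producer side: return the claims or raise ValueError with the reason."""
    try:
        head, body, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm, do not trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if claims.get("iss") != trusted_nrf_id:
        raise ValueError("wrong issuer")
    if claims.get("aud") != own_nf_type:
        raise ValueError("wrong audience")
    if service not in str(claims.get("scope", "")).split():
        raise ValueError("scope does not cover service")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims
```

Both functions take the current Unix time as `now`, so a caller passes `int(time.time())` and a test can pin the clock.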

14.4  Services provided by NSSAAF |R16|

14.4.1  Nnssaaf_NSSAA services

14.4.1.1  General

The following table illustrates the security related services for Network Slice Specific Authentication and Authorisation that NSSAAF provides.
| Service Name | Service Operations | Operation Semantics | Example Consumer(s) |
|---|---|---|---|
| Nnssaaf_NSSAA | Authenticate | Request/Response | AMF |
| | Re-AuthenticationNotification | Notify | AMF |
| | RevocationNotification | Subscribe/Notify | AMF |

14.4.1.2  Nnssaaf_NSSAA_Authenticate service operation

Service operation name:
Nnssaaf_NSSAA_Authenticate
Description:
NF requester requires the NSSAAF to relay Network Slice specific authentication messages towards the corresponding AAA-S handling the Network Slice specific authentication for the requested S-NSSAI.
Input, Required:
  1. In the initial NSSAA requests: EAP ID Response, GPSI, S-NSSAI
  2. In subsequent NSSAA requests: EAP message, GPSI, S-NSSAI
Input, Optional:
None
Output, Required:
EAP message, GPSI, S-NSSAI
Output, Optional:
None

14.4.1.3  Nnssaaf_NSSAA_Re-AuthenticationNotification service operation

Service operation name:
Nnssaaf_NSSAA_Re-AuthenticationNotification
Description:
NSSAAF notifies the NF consumer to trigger a Network Slice specific reauthentication procedure for a given UE and S-NSSAI.
Input, Required:
GPSI, S-NSSAI
Input, Optional:
None
Output, Required:
None
Output, Optional:
None

14.4.1.4  Nnssaaf_NSSAA_RevocationNotification service operation

Service operation name:
Nnssaaf_NSSAA_RevocationNotification
Description:
NSSAAF notifies the NF consumer to trigger a Network Slice specific revocation procedure for a given UE and S-NSSAI.
Input, Required:
GPSI, S-NSSAI
Input, Optional:
None
Output, Required:
None
Output, Optional:
None

