Content for TS 33.501, Word version: 18.4.0

14  Security related services

14.1  Services provided by AUSF

14.1.1  General

The AUSF provides UE authentication service to the requester NF by Nausf_UEAuthentication. For AKA based authentication, this operation can also be used to recover from synchronization failure situations. Clause 14.1.2 describes the Nausf_UEAuthentication service. The service operations listed here are used in procedures that are described in clause 6 of the present document and in TS 33.503.
Clause 14.1.3 describes the Nausf_SoRProtection service used in procedures that are described in clause 6.14 of the present document.
Clause 14.1.4 describes the Nausf_UPUProtection service used in procedures that are described in clause 6.15 of the present document.
Since AUSF is completely security-related, all service operations are described in the present document. Clause 7.2.7 of TS 23.501 only lists the services and clause 5.2.10 of TS 23.502 provides the reference to the present document.

14.1.2  Nausf_UEAuthentication service

14.1.2.1  Nausf_UEAuthentication_Authenticate service operation |R17|

Service operation name:
Nausf_UEAuthentication_authenticate.
Description:
Authenticates the UE and provides related keying material.
Input, Required:
One of the options below.
  1. In the initial authentication request: SUPI or SUCI, serving network name.
  2. In the subsequent authentication requests depending on the authentication method:
    1. 5G AKA: Authentication confirmation message with RES* as described in clause 6.1.3.2 or Synchronization Failure indication and related information (i.e. RAND/AUTS).
    2. EAP-AKA': EAP packet as described in RFC 4187 and RFC 5448, and Annex F.
Input, Optional:
Disaster Roaming service indication, NSWO indicator.
Output, Required:
One of the options below.
  1. Depending on the authentication method:
    1. 5G AKA: authentication vector, as described in clause 6.1.3.2 or Authentication confirmation acknowledge message.
    2. EAP-AKA': EAP packet as described in RFC 4187 and RFC 5448, and Annex F.
  2. Authentication result and, if successful, the master key, which is used by the AMF to derive NAS security keys and other security key(s).
Output, Optional:
SUPI if the authentication was initiated with SUCI, MSK if either NSWO indicator was received as input or MSK indicator was received from UDM.

14.1.2.2  Nausf_UEAuthentication_deregister service operation |R17|

Service operation name:
Nausf_UEAuthentication_deregister
Description:
Deletion of stale security parameters (KAUSF, SOR counter and UE parameter update counter) in AUSF. UDM uses this service operation to request the AUSF to clear the stale security parameters, after the UE has been successfully (re)authenticated in a different AUSF instance.
Input, Required:
SUPI
Input, Optional:
None
Output, Required:
None
Output, Optional:
None

14.1.2.3  Nausf_UEAuthentication_ProseAuthenticate service operation |R17|

See TS 33.503.

14.1.3  Nausf_SoRProtection service

The following table illustrates the security related services for SoR that AUSF provides.
| Service Name | Service Operations | Operation Semantics | Example Consumer(s) |
|---|---|---|---|
| Nausf_SoRProtection | Protect | Request/Response | UDM |

Service operation name:
Nausf_SoRProtection.
Description:
The AUSF calculates the SoR-MAC-IAUSF as specified in Annex A.17 of the present document using the UE specific home key (KAUSF), the Steering Information List and the ACK Indication received from the requester NF, and delivers the SoR-MAC-IAUSF and CounterSoR to the requester NF. If the ACK Indication input is set to indicate that the acknowledgement is requested, then the AUSF shall compute the SoR-MAC-IIUE as specified in Annex A.18 of the present document, and return it in the response.
Input, Required:
Requester ID, SUPI, service name, ACK Indication.
Input, Optional:
list of preferred PLMN/access technology combinations or secured packet or SoR transparent container.
Output, Required:
SoR-MAC-IAUSF, CounterSoR or error (counter_wrap).
Output, Optional:
SoR-MAC-IIUE (if the ACK Indication input is set to indicate that the acknowledgement is requested, then the SoR-MAC-IIUE shall be computed and returned).

14.1.4  Nausf_UPUProtection service

The following Table illustrates the security related services for UE Parameters Update that AUSF provides.
| Service Name | Service Operations | Operation Semantics | Example Consumer(s) |
|---|---|---|---|
| Nausf_UPUProtection | Protect | Request/Response | UDM |

Service operation name:
Nausf_UPUProtection.
Description:
The AUSF calculates the UPU-MAC-IAUSF as specified in Annex A.19 of the present document using the UE specific home key (KAUSF) along with the UE Parameters Update Data received from the requester NF (see clause A.19), and delivers the UPU-MAC-IAUSF and CounterUPU to the requester NF. If the ACK Indication input is present, then the AUSF shall compute the UPU-MAC-IIUE as specified in Annex A.20 of the present document and return it in the response. The details of the UE Parameters Update Data are specified in TS 24.501.
Input, Required:
Requester ID, SUPI, service name, UE Parameters Update Data.
Input, Optional:
ACK Indication.
Output, Required:
UPU-MAC-IAUSF, CounterUPU or error (counter_wrap).
Output, Optional:
UPU-MAC-IIUE (if the ACK Indication input is present, then the UPU-MAC-IIUE shall be computed and returned).

14.1.5  Void

14.2  Services provided by UDM

14.2.1  General

UDM provides within Nudm_UEAuthentication service all authentication-related service operations, which are Nudm_UEAuthentication_Get (clause 14.2.2), Nudm_UEAuthentication_ResultConfirmation (clause 14.2.3), Nudm_UEAuthentication_GetProseAv (clause 14.2.4) and Nudm_UEAuthentication_GetGbaAv (clause 14.2.5).
The complete list of UDM services is defined in clause 7.2.5 of TS 23.501, and further refined in clause 5.2.3.1 of TS 23.502.

14.2.2  Nudm_UEAuthentication_Get service operation

Service operation name:
Nudm_UEAuthentication_Get
Description:
Requester NF gets the authentication data from UDM. For AKA based authentication, this operation can also be used to recover from synchronization failure situations. If SUCI is included, this service operation returns the SUPI.
Inputs, Required:
SUPI or SUCI, serving network name.
Inputs, Optional:
Synchronization Failure indication and related information (i.e. RAND/AUTS), Disaster Roaming service indication, NSWO indicator.
Outputs, Required:
Authentication method and corresponding authentication data for a certain UE as identified by SUPI or SUCI input.
Outputs, Required:
Authentication method
Outputs, Optional:
SUPI if SUCI was used as input. Depending on the authentication method, authentication data (e.g. AKA authentication vector) for the SUPI. AKMA Indication and Routing indicator, if the subscriber has an AKMA subscription (see TS 33.535). MSK indicator.

14.2.3  Nudm_UEAuthentication_ResultConfirmation service operation

Service operation name:
UEAuthentication_ResultConfirmation
Description:
Requester NF informs UDM about the result of an authentication procedure with a UE.
Inputs, Required:
SUPI, timestamp of the authentication, the authentication type (e.g. EAP method or 5G-AKA), and the serving network name.
Inputs, Optional:
None.
Outputs, Required:
None.
Outputs, Optional:
None.

14.2.4  Nudm_UEAuthentication_GetProseAv service operation |R17|

See TS 33.503.

14.2.5  Nudm_UEAuthentication_GetGbaAv service operation |R17|

14.2.6  Nudm_UECM_AuthTrigger service operation |R18|

Service operation name:
Nudm_UECM_AuthTrigger.
Description:
This service operation allows the NF to request UDM to trigger a primary (re-)authentication as described in clause 6.1.5.
Input, Required:
SUPI.
Input, Optional:
None.
Output, Required:
None.
Output, Optional:
None.

14.2.7  Nudm_UECM_Re-AuthenticationNotification service operation |R18|

Service operation name:
Nudm_UECM_Re-AuthenticationNotification
Description:
The UDM requests the AMF to perform a primary authentication for a specific UE.
Inputs, Required:
SUPI
Inputs, Optional:
None.
Outputs, Required:
Success/Failure cause.
Outputs, Optional:
None.

14.3  Services provided by NRF

14.3.1  General

The following Table illustrates the security related services for OAuth 2.0 that NRF provides. OAuth 2.0 based authorization is described in clause 13.4.1.
| Service Name | Service Operations | Operation Semantics | Example Consumer(s) |
|---|---|---|---|
| Nnrf_AccessToken | Get | Request/Response | AMF, SMF, PCF, NEF, NSSF, SMSF, AUSF |

The complete list of NRF services is defined in clause 7.2.6 of TS 23.501, and further refined in clause 5.2.7 of TS 23.502.

14.3.2  Nnrf_AccessToken_Get Service Operation

Service Operation name:
Nnrf_AccessToken_Get.
Description:
NF Service Consumer requests NRF to provide an Access Token.
Inputs, Required:
The NF Instance Id of the NF Service Consumer, the requested "scope" including the expected NF service name(s).
Inputs, Optional:
PLMN ID (or SNPN ID) of the requester NF Service Consumer, PLMN ID (or SNPN ID) of the requested NF Service Producer, NF Instance Id(s) of the requested NF Service Producer, NF type of the expected NF Service Producer instance and NF Service Consumer, "additional scope" information (i.e. requested resources and requested actions (service operations) on the resources), list of NSSAIs or list of NSI IDs for the expected NF Service Producer instances, NF Set ID of the expected NF Service Producer instances, list of S-NSSAIs of the NF Service Consumer.
Outputs, Required:
Access Token with appropriate claims, where the claims shall include NF Instance Id of NRF (issuer), NF Instance Id of the NF Service Consumer potentially appended with its PLMN ID (or SNPN ID) (subject), NF type of the NF Service Producers or NF Instance Id or several NF Instance Id(s) of the requested NF Service Producer, potentially appended with PLMN ID (or SNPN ID) (audience), expected service name (scope), optionally "additional scope" information (allowed resources and allowed actions (service operations) on the resources) and expiration time (expiration), may include list of NSSAIs or NSI IDs for the expected NF Service Producer instances, and may include the NF Set ID of the expected NF Service Producer instances.
Outputs, Optional:
None.
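
A producer-side check of the claims listed under "Outputs, Required", as an added example that is not part of TS 33.501. The JSON claim names (iss, sub, aud, scope, exp) are assumed from RFC 7519 and OAuth 2.0 usage, the function name and sample values are constructed, and the token signature is assumed to have been verified before this check runs.

```python
import time

def check_access_token_claims(claims, nrf_id, own_instance_id, own_nf_type,
                              service_name, now=None):
    """Return the reasons to reject the claims; an empty list means they pass.

    Claim names are an assumption (RFC 7519 registered names plus "scope").
    Signature verification is assumed to have happened before this call.
    """
    now = time.time() if now is None else now
    problems = []

    # issuer: NF Instance Id of the NRF
    if claims.get("iss") != nrf_id:
        problems.append("issuer is not the expected NRF")

    # subject: NF Instance Id of the NF Service Consumer
    if not claims.get("sub"):
        problems.append("subject missing")

    # audience: producer NF type, or one or several producer NF Instance Ids
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if own_nf_type not in audiences and own_instance_id not in audiences:
        problems.append("audience does not cover this producer")

    # scope: expected service name(s), assumed space-separated; compare whole
    # names so that a longer name never matches by substring
    scope = claims.get("scope")
    granted = scope.split() if isinstance(scope, str) else []
    if service_name not in granted:
        problems.append("scope does not include the requested service")

    # expiration: reject a missing, non-numeric or past expiration time
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        problems.append("expired or missing expiration")

    return problems


# Constructed sample: claims of a token issued to an AMF for an AUSF service.
SAMPLE_CLAIMS = {
    "iss": "nrf-0001", "sub": "amf-0042", "aud": "AUSF",
    "scope": "nausf-auth", "exp": 1_700_000_600,
}
```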

14.4  Services provided by NSSAAF |R16|

14.4.1  Nnssaaf_NSSAA services

14.4.1.1  General

The following Table illustrates the security related services for Network Slice Specific Authentication and Authorisation that NSSAAF provides.
| Service Name | Service Operations | Operation Semantics | Example Consumer(s) |
|---|---|---|---|
| Nnssaaf_NSSAA | Authenticate | Request/Response | AMF |
| Nnssaaf_NSSAA | Re-AuthenticationNotification | Notify | AMF |
| Nnssaaf_NSSAA | RevocationNotification | Notify | AMF |

14.4.1.2  Nnssaaf_NSSAA_Authenticate service operation

Service operation name:
Nnssaaf_NSSAA_Authenticate
Description:
NF consumer requires the NSSAAF to relay Network Slice specific authentication messages towards the corresponding AAA-S handling the Network Slice specific authentication for the requested S-NSSAI (see clause 16).
Input, Required:
  1. In the initial NSSAA requests: EAP ID Response, GPSI, S-NSSAI
  2. In subsequent NSSAA requests: EAP message, GPSI, S-NSSAI
Input, Optional:
None
Output, Required:
EAP message, GPSI, S-NSSAI
Output, Optional:
None

14.4.1.3  Nnssaaf_NSSAA_Re-AuthenticationNotification service operation

Service operation name:
Nnssaaf_NSSAA_Re-AuthenticationNotification
Description:
NSSAAF notifies the NF consumer to trigger a Network Slice specific reauthentication procedure for a given UE and S-NSSAI.
Input, Required:
GPSI, S-NSSAI
Input, Optional:
None
Output, Required:
None
Output, Optional:
None

14.4.1.4  Nnssaaf_NSSAA_RevocationNotification service operation

Service operation name:
Nnssaaf_NSSAA_RevocationNotification
Description:
NSSAAF notifies the NF consumer to trigger a Network Slice specific revocation procedure for a given UE and S-NSSAI.
Input, Required:
GPSI, S-NSSAI
Input, Optional:
None
Output, Required:
None
Output, Optional:
None

14.4.2  Nnssaaf_AIW services |R17|

14.4.2.1  General

The following Table illustrates the security related services provided by the NSSAAF for primary authentication in SNPN with Credentials holder using AAA server (see clause I.2.2.2).
| Service Name | Service Operations | Operation Semantics | Example Consumer(s) |
|---|---|---|---|
| Nnssaaf_AIW | Authenticate | Request/Response | AUSF |

14.4.2.2  Nnssaaf_AIW_Authenticate service operation

Service operation name:
Nnssaaf_AIW_Authenticate
Description:
The NSSAAF provides Authentication and Authorization service to the consumer NF by relaying EAP or EAP-TTLS inner method messages towards a AAA Server and performing related protocol conversion as needed.
Input, Required:
  1. In EAP Authentication:
    1. In the initial authentication request: SUPI.
    2. In subsequent authentication requests: EAP message.
  2. In case EAP-TTLS mechanisms are implemented: inner method container.
Input, Optional:
None
Output, Required:
  1. In EAP authentication: EAP message, authentication result and if success MSK and SUPI.
  2. In case EAP-TTLS mechanisms are implemented: inner method container.
Output, Optional:
None