
Content for TS 33.503, Word version: 17.2.0


6.3.4  Security for 5G ProSe Communication via 5G ProSe Layer-2 UE-to-Network Relay

Connection establishment for 5G ProSe Communication via 5G ProSe Layer-2 UE-to-Network Relay is specified in clause 6.5.2.2 of TS 23.304. During the connection establishment, the 5G ProSe Remote UE and NG-RAN node shall establish AS security as specified in TS 33.501.
The 5G ProSe Remote UE and the 5G ProSe UE-to-Network Relay shall establish security for PC5 connection using either User Plane based solution as specified in clause 6.3.3.2 or Control Plane based solution as specified in clause 6.3.3.3.2. The requirements on security policies for PC5 connection between the 5G ProSe Remote UE and the Layer-2 UE-to-Network Relay are as follows:
  • The PCF shall be able to provision the PC5 security policies to the 5G ProSe Remote UE and Layer-2 UE-to-Network Relay respectively per ProSe relay service during their service authorization and information provisioning procedures as defined in TS 23.304.

6.3.5  Direct Communication Request in 5G ProSe UE-to-Network Relay Communication

6.3.5.1  General

This clause describes the mechanism to protect the privacy of the UP-PRUK ID/CP-PRUK-ID and RSC in Direct Communication Request (DCR) message when restricted discovery is used for the UE-to-Network Relay service. This clause also describes a mechanism to integrity protect the DCR message when DUIK is provisioned for discovery.

6.3.5.2  Privacy protection of UP-PRUK ID and RSC in DCR

The 5G ProSe Remote UE encrypts the UP-PRUK ID/CP-PRUK ID and RSC using the code-receiving security parameters used for discovery. The 5G ProSe UE-to-Network Relay, on receiving the DCR message, decrypts the encrypted UP-PRUK ID/CP-PRUK ID and RSC using the code-sending security parameters used for discovery and verifies if the RSC matches with the one that it sent in the discovery message. If the RSC does not match, the 5G ProSe UE-to-Network Relay shall abort the PC5 direct link establishment procedure.
The 5G ProSe Remote UE shall encrypt the UP-PRUK ID/CP-PRUK ID and RSC as follows:
  1. If the UE is configured with Discovery User Confidentiality Key (DUCK), the DCR ciphering key KDCR is set to DUCK. If the UE is configured with Discovery User Scrambling Key (DUSK) but not DUCK, KDCR is set to DUSK. If the UE is neither configured with DUCK nor DUSK, the DCR message is not protected, and Steps 2-3 are skipped.
  2. Set Keystream to DCR confidentiality keystream calculated using KDCR, UTC-based counter and RSC as described in clause A.5.
  3. XOR the first L bits of the Keystream with the RSC where L is the length of the RSC, and XOR the remaining bits of the Keystream with the UP-PRUK ID/CP-PRUK ID.
The 5G ProSe UE-to-Network Relay shall decrypt the encrypted UP-PRUK ID/CP-PRUK ID and RSC as follows:
  1. If the UE is configured with DUCK, the DCR ciphering key KDCR is set to DUCK. If the UE is configured with DUSK but not DUCK, KDCR is set to DUSK. If the UE is neither configured with DUCK nor DUSK, the DCR message is not protected, and steps 2-3 are skipped.
  2. Set Keystream to DCR confidentiality keystream calculated using KDCR, UTC-based counter and RSC as described in clause A.5.
  3. XOR the first L bits of Keystream with the encrypted RSC where L is the length of the encrypted RSC, and XOR the remaining bits of Keystream with the encrypted UP-PRUK ID/CP-PRUK ID.
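
The encryption and decryption steps above, sketched as an added example that is not part of TS 33.503. The keystream function is a stand-in (HMAC-SHA256 in counter mode) because clause A.5 is not reproduced on this page; all key, RSC and PRUK ID values are constructed, fields are byte-aligned for simplicity, and the relay is assumed to use the RSC it sent in discovery as the keystream input.

```python
import hashlib
import hmac

# Constructed sample values, not taken from TS 33.503.
DUCK, DUSK = bytes(range(16)), bytes(range(16, 32))
RSC, PRUK_ID, UTC_COUNTER = bytes.fromhex("a1b2c3"), b"pruk-id-0001", 1700000000

def select_kdcr(duck, dusk):
    # Step 1: DUCK wins over DUSK; None means the DCR goes unprotected.
    return duck if duck is not None else dusk

def keystream(kdcr, utc_counter, rsc, nbytes):
    # Stand-in for clause A.5 (assumption): HMAC-SHA256 in counter mode.
    out, block = b"", 0
    while len(out) < nbytes:
        msg = utc_counter.to_bytes(4, "big") + rsc + bytes([block])
        out += hmac.new(kdcr, msg, hashlib.sha256).digest()
        block += 1
    return out[:nbytes]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def remote_protect(duck, dusk, utc_counter, rsc, pruk_id):
    """Remote UE side: return (encrypted RSC, encrypted PRUK ID)."""
    kdcr = select_kdcr(duck, dusk)
    if kdcr is None:
        return rsc, pruk_id  # steps 2-3 skipped
    ks = keystream(kdcr, utc_counter, rsc, len(rsc) + len(pruk_id))
    # Step 3: the first L bits cover the RSC, the remainder covers the PRUK ID.
    return xor(rsc, ks[:len(rsc)]), xor(pruk_id, ks[len(rsc):])

def relay_process(duck, dusk, utc_counter, sent_rsc, enc_rsc, enc_pruk_id):
    """Relay side: return the PRUK ID, or None when link establishment is aborted."""
    kdcr = select_kdcr(duck, dusk)
    rsc, pruk_id = enc_rsc, enc_pruk_id
    if kdcr is not None:
        # Assumption: the relay feeds the RSC it sent in discovery into the keystream.
        ks = keystream(kdcr, utc_counter, sent_rsc, len(enc_rsc) + len(enc_pruk_id))
        rsc = xor(enc_rsc, ks[:len(enc_rsc)])
        pruk_id = xor(enc_pruk_id, ks[len(enc_rsc):])
    if not hmac.compare_digest(rsc, sent_rsc):
        return None  # RSC does not match the one sent in discovery: abort
    return pruk_id
```

Because the RSC is both a keystream input and a protected field, a key, counter or RSC mismatch on either side surfaces as a failed RSC comparison at the relay.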

6.3.5.3  Integrity protection of DCR

The 5G ProSe Remote UE integrity protects the DCR message using the code-receiving security parameters used for discovery. The integrity protection of the DCR message is performed after the privacy protection of UP-PRUK ID/CP-PRUK ID and RSC.
The 5G ProSe UE-to-Network Relay, on receiving the DCR message, verifies the integrity of the received DCR message using the code-sending security parameters used for discovery. If the integrity verification of the DCR fails, the 5G ProSe UE-to-Network Relay shall abort the PC5 direct link establishment procedure.
The 5G ProSe Remote UE shall integrity protect the DCR as follows:
  1. If the UE is configured with DUIK, the DCR integrity key KINT is set to DUIK. Otherwise, the DCR message is not integrity protected, and steps 2-3 are skipped.
  2. Calculate Message Integrity Check (MIC) using KINT, UTC-based counter and the DCR message as described in clause A.9.
  3. Set the MIC IE to the calculated MIC.
The 5G ProSe UE-to-Network Relay shall verify the integrity of the received DCR message as follows:
  1. If the UE is configured with DUIK, the DCR integrity key KINT is set to DUIK. Otherwise, the DCR message is not integrity protected, and step 2 is skipped.
  2. Calculate a MIC using KINT, UTC-based counter and the received DCR message as described in clause A.9 and compare the calculated MIC with the MIC included in the DCR message. If they mismatch, the integrity check fails.
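
The integrity steps above as an added example, not part of TS 33.503. The MIC function is a stand-in (truncated HMAC-SHA256) because clause A.9 is not reproduced on this page; the 4-byte MIC length, the dictionary model of the DCR message, the treatment of a missing MIC IE as a mismatch, and all sample values are assumptions made for the sketch.

```python
import hashlib
import hmac

# Constructed sample values; the encrypted fields stand for the output of
# the privacy protection step, which runs before the MIC is calculated.
DUIK = bytes(range(32, 48))
UTC_COUNTER = 1700000000
ENC_RSC = bytes.fromhex("5e17c0")
ENC_PRUK_ID = bytes.fromhex("0f1e2d3c4b5a69788796a5b4")
MIC_LEN = 4  # assumed length for this sketch

def calc_mic(kint, utc_counter, dcr_body):
    # Stand-in for clause A.9 (assumption): truncated HMAC-SHA256.
    msg = utc_counter.to_bytes(4, "big") + dcr_body
    return hmac.new(kint, msg, hashlib.sha256).digest()[:MIC_LEN]

def build_dcr(duik, utc_counter, enc_rsc, enc_pruk_id):
    """Remote UE side: the MIC covers the already-encrypted fields."""
    dcr = {"enc_rsc": enc_rsc, "enc_pruk_id": enc_pruk_id}
    if duik is not None:  # step 1: KINT = DUIK, otherwise no MIC IE is set
        dcr["mic"] = calc_mic(duik, utc_counter, enc_rsc + enc_pruk_id)
    return dcr

def relay_verify(duik, utc_counter, dcr):
    """Relay side: True to continue, False to abort link establishment."""
    if duik is None:
        return True  # no DUIK provisioned: step 2 is skipped
    expected = calc_mic(duik, utc_counter, dcr["enc_rsc"] + dcr["enc_pruk_id"])
    # Assumption: a DCR without a MIC IE is treated as a mismatch when DUIK
    # is configured, so stripping the MIC cannot bypass the check.
    received = dcr.get("mic", b"")
    return hmac.compare_digest(expected, received)
```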