Content for  TS 33.535  Word version:  16.0.0

Top   Top   None   None   Next
1…   6…   A…


1  ScopeWord‑p. 6
The present document specifies the security features and mechanisms to support authentication and key management aspects for applications based on subscription credential(s) in 5G system as defined in TS 33.501.

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1]  TR 21.905   "Vocabulary for 3GPP Specifications".
[2]  TS 33.501   "Security architecture and procedures for 5G system".
[3]  TS 23.501   "System Architecture for the 5G System".
[4]  TS 33.220   "Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA)".
[5]  TS 23.222   "Common API Framework for 3GPP Northbound APIs".

3  Definitions of terms, symbols and abbreviations

3.1  Terms

For the purposes of the present document, the terms given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
AKMA subscription data:
The data in the home operator's network indicating whether or not the subscriber is allowed to use AKMA.

3.2  Symbols


3.3  Abbreviations

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
AKMA Anchor Function
Application Function
AKMA Key IDentifier
Access and Mobility Management Function
AUthentication Server Function
AKMA Application Key
AKMA Anchor Key
Network Exposure Function
Unified Data Management

4  Architecture for Authentication and Key Management for Applications (AKMA)Word‑p. 7

4.1  Reference model

Figure 4.1-1 shows a fundamental network model of AKMA, as well as the interfaces between them.
Reproduction of 3GPP TS 33.535, Figure 4.1-1: Fundamental Network Model for AKMA
The AKMA service requires a new logical entity: AKMA Anchor Function (AAnF).
AAnF is the anchor function in the HPLMN that generates the key material to be used between the UE and the AF and maintains UE AKMA contexts.

4.2  Network elements

4.2.1  AAnF

AAnF enables the AKMA Anchor Key (K AKMA) derivation for AKMA service. Before invoking AKMA service, UE shall have successfully registered to the 5G core, which results in K AUSF being stored at the AUSF and the UE after a successful 5G primary authentication.

4.2.2  AF

AF is defined in TS 23.501 with additional functions:
  • AF with the AKMA service enabling requests for K AF from the AAnF using A-KID.
  • AF shall be authenticated and authorized by the operator network before providing the AKMA Application Key to the AF.

4.2.3  NEF

NEF is defined in TS 23.501 with additional functions:
  • NEF finds the AAnF.

4.2.4  AUSFWord‑p. 8
AUSF is defined in TS 23.501 with additional functions:
  • AUSF Provides the AKMA Anchor Key (K AKMA) to the AAnF.

4.2.5  UDM

UDM is defined in TS 23.501 with the additional functions:
  • UDM stores AKMA subscription data of the subscriber.

4.3  Interface description

The following interfaces are involved in AKMA network architecture:
  • Nnef: Service-based interface exhibited by NEF.
  • Nausf: Service-based interface exhibited by AUSF.
  • Nudm: Service-based interface exhibited by UDM.
  • Naanf: Service-based interface exhibited by AAnF.
  • Naf: Service-based interface exhibited by AF.
The AAnF interacts with the AUSF and the AF using Service-Based Interfaces. When the AF is located in the operator's network, the AAnF shall use Service-Based Interface to communicate with the AF directly. When the AF is located outside the operator's network, the NEF shall be used to exchange the messages between the AF and the AAnF.

4.3.1  Reference point Ua*

The reference point Ua* carries the application protocol, which is secured using the key material agreed between UE and AAnF as a result of successful AKMA procedures.

4.4  Security requirements and principles for AKMA

The following security requirements are applicable to AKMA:
  • AKMA shall reuse the same UE subscription and the same credentials used for 5G access.
  • AKMA shall reuse the 5G primary authentication procedure and methods (both 5G AKA and EAP AKA' shall be supported) for the sake of implicit authentication for AKMA services.
  • AAnF's SBI interface to AUSF shall be confidentiality, integrity and replay protected.
  • The interface between AAnF and AF shall be confidentiality, integrity and replay protected.
  • The AKMA Application Key (K AF) shall be provided with a maximum lifetime. When the AKMA Application Key lifetime is expired, it shall be renegotiated.

4.4.1  Requirements on Ua* Reference point

The Ua* reference point is application specific. The generic requirements for Ua* are:
  • Ua* protocol shall be able to carry AKMA Key Identifier (A-KID);
  • the UE and the AKMA AF shall be able to secure the reference point Ua* using the AKMA Application Key derived from the AKMA Anchor Key.

4.4.2  Requirements on AKMA Key Identifier (A-KID)Word‑p. 9
Requirements for AKMA Key Identifier (A-KID) are:
  • A-KID shall be globally unique;
  • A-KID shall be usable as a key identifier in protocols used in the reference point Ua*;
  • AKMA AF shall be able to identify AAnF of the UE from the A-KID.

5  Key Management

5.1  AKMA key hierarchy

The key hierarchy (see Figure 5.1-1) includes the following keys: K AUSF, K AKMA, K AF. K AUSF is generated by AUSF as specified in clause 6 of TS 33.501.
Keys for AAnF:
  • K AKMA is a key derived by ME and AUSF from K AUSF.
Keys for AF:
  • K AF is a key derived by ME and AAnF from K AKMA.
K AKMA and K AF are derived according to the procedures of clauses 6.1 and 6.2.
Reproduction of 3GPP TS 33.535, Figure 5.1-1: AKMA Key Hierarchy

5.2  AKMA key lifetimes

The K AKMA and A-KID are valid until the next primary authentication is performed (implicit lifetime), in which case the K AKMA and A-KID might be replaced after a successful new authentication or removed after an unsuccessful one.
AKMA Application Keys K AF shall use explicit lifetimes based on the operator's policy. The lifetime of K AF shall be sent by the AAnF as described in clause 6.2. In case that a new AKMA Anchor Key K AKMA is established, the AKMA Application Key K AF can continue to be used until its lifetime expires. When the K AF lifetime expires, a new AKMA Application Key is established based on the current AKMA Anchor Key K AKMA.

Up   Top   ToC