
Content for  TS 33.535  Word version:  17.7.0



4  Architecture for AKMA

4.1  Reference model

Figure 4.1-1 shows the fundamental network model of AKMA, as well as the interfaces between its elements.
Reproduction of 3GPP TS 33.535, Fig. 4.1-1: Fundamental Network Model for AKMA
Figure 4.1-2 shows the AKMA architecture using the reference point representation.
Reproduction of 3GPP TS 33.535, Fig. 4.1-2: AKMA Architecture in reference point representation for (a) internal AFs and (b) external AFs
The AKMA service requires a new logical entity, called the AKMA Anchor Function (AAnF).

4.2  Network elements

4.2.1  AAnF

The AAnF is the anchor function in the HPLMN. The AAnF stores the AKMA Anchor Key (KAKMA) and the SUPI for the AKMA service, which it receives from the AUSF after the UE completes a successful 5G primary authentication. The AAnF also generates the key material to be used between the UE and the Application Function (AF) and maintains UE AKMA contexts. The AAnF sends the SUPI of the UE to an AF located inside the operator's network according to the AF request, or sends it to the NEF.

4.2.2  AF

The AF is defined in TS 23.501 with additional functions:
  • An AF with the AKMA service enabled requests the AKMA Application Key, called KAF, from the AAnF using the A-KID.
  • The AF shall be authenticated and authorized by the operator network before the KAF is provided to the AF.
  • The AF located inside the operator's network performs the AAnF selection.

4.2.3  NEF

The NEF is defined in TS 23.501 with additional functions:
  • The NEF enables and authorizes the external AF accessing the AKMA service and forwards the request towards the AAnF.
  • The NEF performs the AAnF selection.

4.2.4  AUSF

The AUSF is defined in TS 23.501 with additional functions:
  • AUSF provides the SUPI and AKMA key material (A-KID, KAKMA) of the UE to the AAnF.
  • AUSF performs the AAnF selection.

4.2.5  UDM

The UDM is defined in TS 23.501 with the additional functions:
  • UDM stores AKMA subscription data of the subscriber.

4.3  AKMA Service Based Interfaces (SBIs)

4.3.0  General

The following interfaces are involved in AKMA network architecture:
  • Nnef: Service-based interface exhibited by NEF.
  • Nudm: Service-based interface exhibited by UDM.
  • Naanf: Service-based interface exhibited by AAnF.
The AAnF interacts with the AUSF and the AF using Service-based Interfaces. When the AF is located in the operator's network, the AAnF shall use the Service-Based Interface to communicate with the AF directly. When the AF is located outside the operator's network, the NEF shall be used to exchange the messages between the AF and the AAnF.

4.3.1  Void

4.4  Security requirements and principles for AKMA

4.4.0  General

The following security requirements are applicable to AKMA:
  • AKMA shall reuse the same UE subscription and the same credentials used for 5G access.
  • AKMA shall reuse the 5G primary authentication procedure and methods specified in TS 33.501 for the sake of implicit authentication for AKMA services.
  • The SBA interface between the AAnF and the AUSF shall be confidentiality, integrity and replay protected.
  • The SBA interface between AAnF and AF/NEF shall be confidentiality, integrity and replay protected.
  • The AKMA Application Key (KAF) shall be provided with a maximum lifetime.

4.4.1  Requirements on Ua* reference point

The Ua* reference point is application specific. The generic requirements for Ua* are:
  • The Ua* protocol shall be able to carry the AKMA Key Identifier (A-KID).
  • The UE and the AKMA AF shall be able to secure the reference point Ua* using the AKMA Application Key derived from the AKMA Anchor Key.
  • The Ua* protocol shall be able to handle the expiration of KAF.

4.4.2  Requirements on AKMA Key Identifier (A-KID)

Requirements for the AKMA Key Identifier (A-KID) are:
  • A-KID shall be globally unique.
  • A-KID shall be usable as a key identifier in protocols used in the reference point Ua*.
  • The AKMA AF shall be able to identify the AAnF serving the UE from the A-KID.

4.4.3  Requirements on the UE |R17|

The requirements on the UE are:
  • Applications on the UE shall not be able to get access to KAKMA.
  • An application on the UE shall only get the KAF keys related to specific AF Identifiers (AF_IDs) that the application is authorized to get.
  • An application on the UE shall not be able to get access to the KAF keys that belong to other applications.
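The three UE requirements above describe an access-control boundary inside the ME: the anchor key stays in a trusted component and applications only ever obtain per-AF_ID application keys they are authorized for. The following is an added model of that boundary, written for this page; it is not code from 3GPP, from TS 33.535 or from any ME implementation. The HMAC-SHA256 derivation is a stand-in KDF chosen here (an assumption); the normative KDF, its FC value and input parameters are specified in TS 33.535 Annex A and TS 33.220 and are not reproduced on this page. Application names, AF_IDs, the policy table and the anchor key value are all constructed sample data.

```python
"""Model of the UE-side key handling required by clause 4.4.3 (added illustration)."""
from __future__ import annotations

import hashlib
import hmac


class AkmaAccessDenied(PermissionError):
    """Raised when an application asks for key material it is not entitled to."""


def stand_in_kdf(key: bytes, label: bytes) -> bytes:
    """Placeholder for the 3GPP KDF (assumption): HMAC-SHA256(key, label)."""
    return hmac.new(key, label, hashlib.sha256).digest()


class MeKeyStore:
    """Trusted part of the ME that holds K_AKMA.

    Applications never receive K_AKMA (first requirement); an application only
    receives K_AF for the AF_IDs it is authorised for (second requirement), so it
    cannot obtain K_AF values belonging to other applications (third requirement).
    """

    def __init__(self, k_akma: bytes, authorization: dict[str, set[str]]) -> None:
        # Name-mangled and never returned: no public method hands out K_AKMA.
        self.__k_akma = k_akma
        # Constructed policy: application name -> set of permitted AF_IDs.
        self.__authorization = {app: set(ids) for app, ids in authorization.items()}
        # (application, AF_ID, granted) decisions, kept for auditing.
        self.__log: list[tuple[str, str, bool]] = []

    def request_k_af(self, app: str, af_id: str) -> bytes:
        """Return K_AF for af_id if, and only if, app is authorised for that AF_ID."""
        allowed = af_id in self.__authorization.get(app, set())
        self.__log.append((app, af_id, allowed))
        if not allowed:
            raise AkmaAccessDenied(f"{app!r} is not authorised for AF_ID {af_id!r}")
        # K_AF is bound to the AF_ID: different AF_IDs never yield the same key.
        return stand_in_kdf(self.__k_akma, af_id.encode())

    def audit_log(self) -> list[tuple[str, str, bool]]:
        """Copy of the recorded access decisions."""
        return list(self.__log)


def demo() -> dict[str, object]:
    """Exercise the three UE requirements with constructed sample values."""
    # Constructed anchor key; in a real ME it is derived from K_AUSF (clause 5.1).
    k_akma = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    store = MeKeyStore(
        k_akma,
        {"bank_app": {"af.bank.example"}, "game_app": {"af.game.example"}},
    )
    results: dict[str, object] = {}
    results["bank_k_af"] = store.request_k_af("bank_app", "af.bank.example")
    results["game_k_af"] = store.request_k_af("game_app", "af.game.example")
    # Third requirement: game_app asking for the bank's K_AF is refused.
    try:
        store.request_k_af("game_app", "af.bank.example")
        results["cross_app_denied"] = False
    except AkmaAccessDenied:
        results["cross_app_denied"] = True
    results["audit_log"] = store.audit_log()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The point of the model is the shape of the interface, not the KDF: the only operation an application can invoke takes an AF_ID and is checked against policy, so neither the anchor key nor another application's KAF is reachable through it. A real ME would additionally need the lifetime handling of clause 5.2 and the normative derivation inputs.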

4.5  AKMA reference points

The AKMA architecture reuses the following reference points from the 5GC for the execution of the primary authentication procedure:
N1: Reference point between the UE and the AMF.
N2: Reference point between the (R)AN and the AMF.
N12: Reference point between the AMF and the AUSF.
N13: Reference point between the UDM and the AUSF.
N33: Reference point between the NEF and an external AF.
The AKMA architecture defines the following reference points:
N61: Reference point between the AAnF and the AUSF.
N62: Reference point between the AAnF and an internal AF.
N63: Reference point between the AAnF and the NEF.
Ua*: Reference point between the UE and an AF.

5  Key management

5.1  AKMA key hierarchy

The key hierarchy (see Figure 5.1-1) includes the following keys: KAUSF, KAKMA, KAF. KAUSF is generated by the AUSF as specified in clause 6.1 of TS 33.501.
Keys for AAnF:
  • KAKMA is a key derived by the ME and the AUSF from KAUSF.
Keys for AF:
  • KAF is a key derived by the ME and the AAnF from KAKMA.
KAKMA and KAF are derived according to the procedures of clauses 6.1 and 6.2.
Reproduction of 3GPP TS 33.535, Fig. 5.1-1: AKMA Key Hierarchy

5.2  AKMA key lifetimes

The KAKMA and A-KID are valid until the next successful primary authentication is performed (implicit lifetime), at which point the KAKMA and A-KID are replaced.
AKMA Application Keys KAF shall use explicit lifetimes based on the operator's policy. The lifetime of KAF shall be sent by the AAnF as described in clauses 6.2 and 6.3. If a new AKMA Anchor Key KAKMA is established, the AKMA Application Key KAF can continue to be used for the duration of the current application session or until its lifetime expires, whichever comes first. When the KAF lifetime expires, a new AKMA Application Key is established based on the current AKMA Anchor Key KAKMA.

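Clauses 5.1 and 5.2 together describe a two-level hierarchy with different lifetime rules at each level: KAKMA and A-KID have an implicit lifetime ended by the next primary authentication, while each KAF has an explicit lifetime and may outlive the anchor it came from for the remainder of its session. The following is an added model of those rules, written for this page and not taken from 3GPP or TS 33.535. HMAC-SHA256 is used as a stand-in KDF (an assumption); the normative KDF inputs live in TS 33.535 Annex A. The A-KID strings, the KAUSF values, the clock values and the 3600-second lifetime are constructed sample data, and the A-KID labels do not follow the normative A-KID format.

```python
"""Model of the AKMA key hierarchy (clause 5.1) and key lifetimes (clause 5.2); added illustration."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def stand_in_kdf(key: bytes, label: bytes) -> bytes:
    """Placeholder for the 3GPP KDF (assumption): HMAC-SHA256(key, label)."""
    return hmac.new(key, label, hashlib.sha256).digest()


@dataclass(frozen=True)
class AnchorContext:
    """K_AKMA plus its A-KID; both are replaced at the next successful primary authentication."""
    a_kid: str      # constructed label, not the normative A-KID format
    k_akma: bytes


@dataclass(frozen=True)
class ApplicationKey:
    """K_AF with the explicit lifetime assigned by the AAnF under operator policy."""
    af_id: str
    k_af: bytes
    expires_at: int      # absolute time in seconds on a constructed clock
    anchor_a_kid: str    # A-KID of the K_AKMA this key was derived from


def primary_authentication(k_ausf: bytes, run: int) -> AnchorContext:
    """Clause 5.1: K_AKMA is derived from K_AUSF. Clause 5.2: each run replaces K_AKMA and A-KID."""
    return AnchorContext(a_kid=f"constructed-akid-{run}", k_akma=stand_in_kdf(k_ausf, b"AKMA"))


def derive_k_af(anchor: AnchorContext, af_id: str, now: int, lifetime: int) -> ApplicationKey:
    """Clause 5.1: K_AF derived from K_AKMA and bound to the AF_ID, with an explicit lifetime."""
    return ApplicationKey(af_id, stand_in_kdf(anchor.k_akma, af_id.encode()), now + lifetime, anchor.a_kid)


def key_for_application(current: Optional[ApplicationKey], anchor: AnchorContext, af_id: str,
                        now: int, lifetime: int, session_active: bool) -> ApplicationKey:
    """Clause 5.2 rule: keep the existing K_AF while the application session continues and the
    key is unexpired, even if K_AKMA has been replaced; otherwise derive a new K_AF from the
    current K_AKMA. 'whichever comes first' is the conjunction of the two conditions."""
    if current is not None and current.af_id == af_id and session_active and now < current.expires_at:
        return current
    return derive_k_af(anchor, af_id, now, lifetime)


def walkthrough() -> dict[str, object]:
    """Constructed timeline exercising the lifetime rules."""
    k_ausf_1 = b"\x01" * 32   # constructed K_AUSF from the first primary authentication
    k_ausf_2 = b"\x02" * 32   # constructed K_AUSF from the second primary authentication
    af_id = "af.example"
    lifetime = 3600           # constructed operator policy, in seconds

    # t=0: first primary authentication, first K_AF established for the application.
    anchor = primary_authentication(k_ausf_1, run=1)
    k_af_1 = key_for_application(None, anchor, af_id, now=0, lifetime=lifetime, session_active=True)

    # t=100: second primary authentication replaces K_AKMA and A-KID (implicit lifetime ends).
    anchor = primary_authentication(k_ausf_2, run=2)

    # Branch A: the session continues and K_AF_1 is unexpired, so it stays in use at t=100 ...
    during_session = key_for_application(k_af_1, anchor, af_id, now=100, lifetime=lifetime, session_active=True)
    # ... until its lifetime expires at t=3600; at t=4000 a fresh K_AF comes from the current anchor.
    after_expiry = key_for_application(during_session, anchor, af_id, now=4000, lifetime=lifetime, session_active=True)

    # Branch B: the session ends at t=200, before expiry; the next session gets a key from the current anchor.
    new_session = key_for_application(k_af_1, anchor, af_id, now=200, lifetime=lifetime, session_active=False)

    return {"first": k_af_1, "during_session": during_session, "after_expiry": after_expiry,
            "new_session": new_session, "current_anchor": anchor}


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(name, value)
```

The model makes one consequence of the text visible: the two "new" keys in branches A and B are identical, because both are derived from the same anchor for the same AF_ID, which is why the AAnF-assigned lifetime and the replacement of KAKMA, not the session boundary, are what actually bound how long a given KAF value is in use.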