Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TR 33.857  Word version:  17.1.0

Top   Top   None   None   Next
0…   5…
0 Introduction1 Scope2 References3 Definitions of terms, symbols and abbreviations4 Architectural and security assumptions
...

 

0  Introductionp. 8

The 5GS already supports certain specific features for Non-Public Networks, these are evolved in the architectural study documented in TR 23.700-07, considering new functionality for Non-Public Networks. One of the main architectural changes in need of security enhancements are the allowance of credentials owned by a separate entity than a Standalone Non-Public Network. The other is onboarding and remote provisioning of non-USIM credentials to allow for a seamless setup of Non-Public Networks.
Up

1  Scopep. 9

The aim of the present document is to study the security aspects for any potential enhancements based on the outcome of the study in TR 23.700-07. For each of the objectives in the scope of the study in TR 23.700-07, the security aspects that are to be covered in the present document are as follows:
  • Enhancements to Support SNPN along with credentials owned by an entity separate from the SNPN
    • Study potential solutions for authentication using credentials owned by an entity separate from the SNPN
  • UE Onboarding and remote provisioning of non-USIM credentials
    • Identify security Key Issues relating to UE Onboarding and remote provisioning with non-USIM credentials
    • Identify methods by which the UE can be verified as "uniquely identifiable and verifiably secure"
    • Critically review the security aspects of the proposed solutions in TR 23.700-07 and make recommendations for security improvements where required.
    • Study potential solutions for the secure provisioning of non-USIM credentials taking into account different deployment scenarios.
  • Support of IMS voice and emergency services for SNPN:
    • Analyse potential security impacts from supporting IMS voice and IMS services in SNPNs. In Rel-16 SNPNs do not support IMS emergency services but for Rel-17 its expected that the enabling of IMS and IMS services for SNPNs is to be studied.
Up

2  Referencesp. 9

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1]
TR 21.905: "Vocabulary for 3GPP Specifications".
[2]
TS 33.501: "Security architecture and procedures for 5G System"
[3]
TR 23.700-07: "Study on enhanced support of non-public networks (Release 17)"
[4]
TS 23.501: "System Architecture for the 5G System"
[5]
RFC 5281:  "Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0)"
[6]
TS 23.502: "Procedures for the 5G System (5GS)"
[7]
RFC 5216:  "The EAP-TLS Authentication Protocol".
[8]
RFC 7542:  "The Network Access Identifier"
[9]
TS 23.003: "Numbering, addressing and identification"
[10]
TS 33.535: "Authentication and Key Management for Applications (AKMA) based on 3GPP credentials in the 5G System (5GS)"
[11]
TS 24.501: "Non-Access-Stratum (NAS) protocol for 5G System (5GS); Stage 3"
[12]
RFC 2903:  "Generic AAA Architecture"
Up

3  Definitions of terms, symbols and abbreviationsp. 10

3.1  Termsp. 10

For the purposes of the present document, the terms given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
Provisioning Server:
The server that provisions the authenticated/authorized UE with the NPN credentials.
SNPN credentials:
Information that the UE uses for authentication to access a SNPN.
For the purposes of the present document, the following terms and definitions given in TR 23.700-07 apply:
Default UE credentials:
Information that the UE have before the actual onboarding procedure to make it uniquely identifiable and verifiably secure.
Default Credential Server (DCS):
The server that can authenticate a UE with default UE credentials or provide means to another entity to do it.
NPN:
Non-Public Network as defined in TS 23.501. The terminology NPN refers to both SNPN and PNI-NPN in the present document unless otherwise stated.
Onboarding Network (ON):
The network providing initial registration and/or access to the UE for UE Onboarding.
Onboarding SUCI:
A SUCI created from the Onboarding SUPI and used for onboarding purposes.
Onboarding SUPI:
A SUPI that is based on the Unique UE Identifier and/or the Default UE Credentials and is used for onboarding purposes.
Subscription Owner (SO):
The entity that stores and as result of the UE Onboarding procedures provide the subscription data and optionally other configuration information via the PS to the UE.
Unique UE identifier:
Identifying the UE in the network and the DCS and is assigned and configured by the DCS.
Up

3.2  Symbolsp. 10

Void.

3.3  Abbreviationsp. 10

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
DCS
Default Credential Server
EIR
Equipment Identity Register
ON
Onboarding network
PEI
Permanent Equipment Identifier
PS
Provisioning Server
SO
Subscription Owner

4  Architectural and security assumptionsp. 11

4.1  Architectural requirementsp. 11

  • Solutions are built on the 5G System security architectural principles as in TS 33.501 and conclusions drawn in TR 23.700-07, including flexibility and modularity for newly introduced functionalities.

4.2  Security assumptionsp. 11

  • It is assumed for the case where non-USIM credentials are provisioned for SNPN, the non-USIM credentials are of a key generating EAP method type.
  • It is assumed for the case where non-USIM credentials are provisioned for PNI-NPN, the non-USIM credentials are of an EAP method type.

Up   Top   ToC