
33501-f50-5G安全架构和程序.docx (Chinese-English parallel translation)

Foreword
1 Scope
2 References
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Overview of security architecture
4.1 Security domains
4.2 Security entity at the perimeter of the 5G Core network
4.3 Security entities in the 5G Core network
5 Security requirements and features
5.1 General security requirements
5.1.1 Mitigation of bidding down attacks
5.1.2 Authentication and Authorization
5.1.3 Requirements on 5GC and NG-RAN related to keys
5.2 Requirements on the UE
5.2.1 General
5.2.2 User data and signalling data confidentiality
5.2.3 User data and signalling data integrity
5.2.4 Secure storage and processing of subscription credentials
5.2.5 Subscriber privacy
5.3 Requirements on the gNB
5.3.1 General
5.3.2 User data and signalling data confidentiality
5.3.3 User data and signalling data integrity
5.3.4 Requirements for the gNB setup and configuration
5.3.5 Requirements for key management inside the gNB
5.3.6 Requirements for handling user plane data for the gNB
5.3.7 Requirements for handling control plane data for the gNB
5.3.8 Requirements for secure environment of the gNB
5.3.9 Requirements for the gNB F1 interfaces
5.3.10 Requirements for the gNB E1 interfaces
5.4 Requirements on the ng-eNB
5.5 Requirements on the AMF
5.5.1 Signalling data confidentiality
5.5.2 Signalling data integrity
5.5.3 Subscriber privacy
5.6 Requirements on the SEAF
5.7 Void
5.8 Requirements on the UDM
5.8.1 Generic requirements
5.8.2 Subscriber privacy related requirements to UDM and SIDF
5.8a Requirements on AUSF
5.9 Core network security
5.9.1 Trust boundaries
5.9.2 Requirements on service-based architecture
5.9.2.1 Security Requirements for service registration, discovery and authorization
5.9.2.2 NRF security requirements
5.9.2.3 NEF security requirements
5.9.3 Requirements for e2e core network interconnection security
5.9.3.1 General
5.9.3.2 Requirements for Security Edge Protection Proxy (SEPP)
5.9.3.3 Protection of attributes
5.10 Visibility and configurability
5.10.1 Security visibility
5.10.2 Security configurability
5.11 Requirements for algorithms, and algorithm selection
5.11.1 Algorithm identifier values
5.11.1.1 Ciphering algorithm identifier values
5.11.1.2 Integrity algorithm identifier values
5.11.2 Requirements for algorithm selection
6 Security procedures between UE and 5G network functions
6.0 General
6.1 Primary authentication and key agreement
6.1.1 Authentication framework
6.1.1.1 General
6.1.1.2 EAP framework
6.1.1.3 Granularity of anchor key binding to serving network
6.1.1.4 Construction of the serving network name
6.1.1.4.1 Serving network name
6.1.1.4.2 Construction of the serving network name by the UE
6.1.1.4.3 Construction of the serving network name by the SEAF
6.1.2 Initiation of authentication and selection of authentication method
6.1.3 Authentication procedures
6.1.3.1 Authentication procedure for EAP-AKA'
6.1.3.2 Authentication procedure for 5G AKA
6.1.3.2.0 5G AKA
6.1.3.2.1 Void
6.1.3.2.2 RES* verification failure in SEAF or AUSF or both
6.1.3.3 Synchronization failure or MAC failure
6.1.3.3.1 Synchronization failure or MAC failure in USIM
6.1.3.3.2 Synchronization failure recovery in Home Network
6.1.4 Linking increased home control to subsequent procedures
6.1.4.1 Introduction
6.1.4.1a Linking authentication confirmation to Nudm_UECM_Registration procedure from AMF
6.1.4.2 Guidance on linking authentication confirmation to Nudm_UECM_Registration procedure from AMF
6.2 Key hierarchy, key derivation, and distribution scheme
6.2.1 Key hierarchy
6.2.2 Key derivation and distribution scheme
6.2.2.1 Keys in network entities
6.2.2.2 Keys in the UE
6.2.3 Handling of user-related keys
6.2.3.1 Key setting
6.2.3.2 Key identification
6.2.3.3 Key lifetimes
6.3 Security contexts
6.3.1 Distribution of security contexts
6.3.1.1 General
6.3.1.2 Distribution of subscriber identities and security data within one 5G serving network domain
6.3.1.3 Distribution of subscriber identities and security data between 5G serving network domains
6.3.1.4 Distribution of subscriber identities and security data between 5G and EPS serving network domains
6.3.2 Multiple registrations in same or different
6.3.2.0 General
6.3.2.1 Multiple registrations in different PLMNs
6.3.2.2 Multiple registrations in the same PLMN
6.4 NAS security mechanisms
6.4.1 General
6.4.2 Security for multiple NAS connections
6.4.2.1 Multiple active NAS connections with diffe
6.4.2.2 Multiple active NAS connections in the sam
6.4.3 NAS integrity mechanisms
6.4.3.0 General
6.4.3.1 NAS input parameters to integrity algorith
6.4.3.2 NAS integrity activation
6.4.3.3 NAS integrity failure handling
6.4.4 NAS confidentiality mechanisms
6.4.4.0 General
6.4.4.1 NAS input parameters to confidentiality al
6.4.4.2 NAS confidentiality activation
6.4.5 Handling of NAS COUNTs
6.4.6 Protection of initial NAS message
6.4.7 Security aspects of SMS over NAS
6.5 RRC security mechanisms
6.5.1 RRC integrity mechanisms
6.5.2 RRC confidentiality mechanisms
6.6 UP security mechanisms
6.6.1 UP security policy
6.6.2 UP security activation mechanism
6.6.3 UP confidentiality mechanisms
6.6.4 UP integrity mechanisms
6.7 Security algorithm selection, key establishmen
6.7.1 Procedures for NAS algorithm selection
6.7.1.1 Initial NAS security context establishment
6.7.1.2 AMF change
6.7.2 NAS security mode command procedure
6.7.3 Procedures for AS algorithm selection
6.7.3.0 Initial AS security context establishment
6.7.3.1 Xn-handover
6.7.3.2 N2-handover
6.7.3.3 Intra-gNB-CU handover/intra-ng-eNB handove
6.7.3.4 Transitions from RRC_INACTIVE to RRC_CONNE
6.7.3.5 RNA Update procedure
6.7.3.6 Algorithm negotiation for unauthenticated
6.7.4 AS security mode command procedure
6.8 Security handling in state transitions
6.8.1 Key handling at connection and registration
6.8.1.1 Key handling at transitions between RM-DER
6.8.1.1.0 General
6.8.1.1.1 Transition from RM-REGISTERED to RM-DERE
6.8.1.1.2 Transition from RM-DEREGISTERED to RM-RE
6.8.1.1.2.1 General
6.8.1.1.2.2 Full native 5G NAS security context av
6.8.1.1.2.3 Full native 5G NAS security context no
6.8.1.1.2.4 UE registration over a second access t
6.8.1.2 Key handling at transitions between CM-IDL
6.8.1.2.0 General
6.8.1.2.1 Transition from CM-IDLE to CM-CONNECTED
6.8.1.2.2 Establishment of keys for cryptographica
6.8.1.2.3 Establishment of keys for cryptographica
6.8.1.2.4 Transition from CM-CONNECTED to CM-IDLE
6.8.1.3 Key handling for the Registration procedur
6.8.2 Security handling at RRC state transitions
6.8.2.1 Security handling at transitions between R
6.8.2.1.1 General
6.8.2.1.2 State transition from RRC_CONNECTED to R
6.8.2.1.3 State transition from RRC_INACTIVE to RR
6.8.2.1.4 State transition from RRC_INACTIVE to RR
6.8.2.2 Key handling during mobility in RRC_INACTI
6.8.2.2.1 General
6.8.2.2.2 RAN-based notification area update to a
6.8.2.2.3 RAN-based notification area update to th
6.9 Security handling in mobility
6.9.1 General
6.9.2 Key handling in handover
6.9.2.1 General
6.9.2.1.1 Access stratum
6.9.2.1.2 Non access stratum
6.9.2.2 Key derivations for context modification p
6.9.2.3 Key derivations during handover
6.9.2.3.1 Intra-gNB-CU handover and intra-ng-eNB h
6.9.2.3.2 Xn-handover
6.9.2.3.3 N2-Handover
6.9.2.3.4 UE handling
6.9.3 Key handling in mobility registration update
6.9.4 Key-change-on-the-fly
6.9.4.1 General
6.9.4.2 NAS key re-keying
6.9.4.3 NAS key refresh
6.9.4.4 AS key re-keying
6.9.4.5 AS key refresh
6.9.5 Rules on concurrent running of security proc
6.9.5.1 Rules related to AS and NAS security conte
6.9.5.2 Rules related to parallel NAS connections
6.10 Dual connectivity
6.10.1 Introduction
6.10.1.1 General
6.10.1.2 Dual Connectivity protocol architecture f
6.10.2 Security mechanisms and procedures for DC
6.10.2.1 SN Addition or modification
6.10.2.2 Secondary Node key update
6.10.2.2.1 General
6.10.2.2.2 MN initiated
6.10.2.2.3 SN initiated
6.10.2.3 SN release and change
6.10.3 Establishing the security context between t
6.10.3.1 SN Counter maintenance
6.10.3.2 Derivation of keys
6.10.3.3 Negotiation of security algorithms
6.10.4 Protection of traffic between UE and SN
6.10.5 Handover Procedure
6.10.6 Signalling procedure for PDCP COUNT check
6.10.7 Radio link failure recovery
6.11 Security handling for RRC connection re-estab
6.12 Subscription identifier privacy
6.12.1 Subscription permanent identifier
6.12.2 Subscription concealed identifier
6.12.3 Subscription temporary identifier
6.12.4 Subscription identification procedure
6.12.5 Subscription identifier de-concealing funct
6.13 Signalling procedure for PDCP COUNT check
6.14 Steering of roaming security mechanism
6.14.1 General
6.14.2 Security mechanisms
6.14.2.1 Procedure for steering of UE in VPLMN dur
6.14.2.2 Procedure for steering of UE in VPLMN aft
6.14.2.3 SoR Counter
6.15 UE parameters update via UDM control plane pr
6.15.1 General
6.15.2 Security mechanisms
6.15.2.1 Procedure for UE Parameters Update
6.15.2.2 UE Parameters Update Counter
7 Security for non-3GPP access to the 5G core netw
7.1 General
7.2 Security procedures
7.2.1 Authentication for Untrusted non-3GPP Access
8 Security of interworking
8.1 General
8.2 Registration procedure for mobility from EPS t
8.3 Handover procedure from 5GS to EPS over N26
8.3.1 General
8.3.2 Procedure
8.4 Handover from EPS to 5GS over N26
8.4.1 General
8.4.2 Procedure
8.5 Idle mode mobility from 5GS to EPS over N26
8.5.1 General
8.5.2 TAU Procedure
8.5.3 Initial Attach Procedure
8.6 Mapping of security contexts
8.6.1 Mapping of a 5G security context to an EPS s
8.6.2 Mapping of an EPS security context to a 5G s
8.7 Interworking without N26 interface in single-r
9 Security procedures for non-service based interf
9.1 General
9.1.1 Use of NDS/IP
9.1.2 Implementation requirements
9.1.3 QoS considerations
9.2 Security mechanisms for the N2 interface
9.3 Security requirements and procedures on N3
9.4 Security mechanisms for the Xn interface
9.5 Interfaces based on DIAMETER or GTP
9.5.1 Void
9.6 Void
9.7 Void
9.8 Security mechanisms for protection of the gNB
9.8.1 General
9.8.2 Security mechanisms for the F1 interface
9.8.3 Security mechanisms for the E1 interface
9.9 Security mechanisms for non-SBA interfaces int
10 Security aspects of IMS emergency session handl
10.1 General
10.2 Security procedures and their applicability
10.2.1 Authenticated IMS Emergency Sessions
10.2.1.1 General
10.2.1.2 UE in RM-DEREGISTERED state requests a PD
10.2.1.3 UE in RM-REGISTERED state requests a PDU
10.2.2 Unauthenticated IMS Emergency Sessions
10.2.2.1 General
10.2.2.2 UE sets up an IMS Emergency session with
10.2.2.3 Key generation for Unauthenticated IMS Em
10.2.2.3.1 General
10.2.2.3.2 Handover
11 Security procedures between UE and external dat
11.1 EAP based secondary authentication by an exte
11.1.1 General
11.1.2 Authentication
11.1.3 Re-Authentication
12 Security aspects of Network Exposure Function (
12.1 General
12.2 Mutual authentication
12.3 Protection of the NEF – AF interface
12.4 Authorization of Application Function’s reque
12.5 Support for CAPIF
13 Service Based Interfaces (SBI)
13.1 Protection at the network or transport layer
13.2 Application layer security on the N32 interfa
13.2.1 General
13.2.2 N32-c connection between SEPPs
13.2.2.1 General
13.2.2.2 Procedure for Key agreement and Parameter
13.2.2.3 Procedure for error detection and handlin
13.2.2.4 N32-f Context
13.2.2.4.0 N32-f parts
13.2.2.4.1 N32-f context ID
13.2.2.4.2 N32-f peer information
13.2.2.4.3 N32-f security context
13.2.2.4.4 N32-f context information
13.2.3 Protection policies for N32 application lay
13.2.3.1 Overview of protection policies
13.2.3.2 Data-type encryption policy
13.2.3.3 NF API data-type placement mapping
13.2.3.4 Modification policy
13.2.3.5 Provisioning of the policies in the SEPP
13.2.3.6 Precedence of policies in the SEPP
13.2.4 N32-f connection between SEPPs
13.2.4.1 General
13.2.4.2 Overall Message payload structure for mes
13.2.4.3 Message reformatting in sending SEPP
13.2.4.3.1 dataToIntegrityProtect
13.2.4.3.1.1 clearTextEncapsulatedMessage
13.2.4.3.1.2 metadata
13.2.4.3.2 dataToIntegrityProtectAndCipher
13.2.4.4 Protection using JSON Web Encryption (JWE
13.2.4.4.0 General
13.2.4.4.1 N32-f key hierarchy
13.2.4.5 Message modifications in IPX
13.2.4.5.1 modifiedDataToIntegrityProtect
13.2.4.5.2 Modifications by IPX
13.2.4.6 Protecting IPX modifications using JSON W
13.2.4.7 Message verification by the receiving SEP
13.2.4.8 Procedure
13.2.4.9 JOSE profile
13.3 Authentication and static authorization
13.3.1 Authentication and authorization between ne
13.3.2 Authentication and authorization between ne
13.3.3 Authentication and authorization between SE
13.3.4 Authentication and authorization between SE
13.4 Authorization of NF service access
13.4.1 OAuth 2.0 based authorization of Network Fu
13.4.1.0 General
13.4.1.1 Service access authorization within the P
13.4.1.2 Service access authorization in roaming s
13.5 Security capability negotiation between SEPPs
14 Security related services
14.1 Services provided by AUSF
14.1.1 General
14.1.2 Nausf_UEAuthentication service
14.1.3 Nausf_SoRProtection service
14.1.4 Nausf_UPUProtection service
14.2 Services provided by UDM
14.2.1 General
14.2.2 Nudm_UEAuthentication_Get service operation
14.2.3 Nudm_UEAuthentication_ResultConfirmation se
14.3 Services provided by NRF
14.3.1 General
14.3.2 Nnrf_AccessToken_Get Service Operation
15 Management security for network slices
15.1 General
15.2 Mutual authentication
15.3 Protection of management interactions between
15.4 Authorization of management service consumer’
Annex A (normative): Key derivation functions
A.1 KDF interface and input parameter construction
A.1.1 General
A.1.2 FC value allocations
A.2 KAUSF derivation function
A.3 CK' and IK' derivation function
A.4 RES* and XRES* derivation function
A.5 HRES* and HXRES* derivation function
A.6 KSEAF derivation function
A.7 KAMF derivation function
A.7.0 Parameters for the input S to the KDF
A.7.1 ABBA parameter values
A.8 Algorithm key derivation functions
A.9 KgNB and KN3IWF derivation function
A.10 NH derivation function
A.11 KNG-RAN* derivation function for target gNB
A.12 KNG-RAN* derivation function for target ng-eN
A.13 KAMF to KAMF' derivation in mobility
A.14 KAMF to KASME' derivation for interworking
A.14.1 Idle mode mobility
A.14.2 Handover
A.15 KASME to KAMF' derivation for interworking
A.15.1 Idle mode mobility
A.15.2 Handover
A.16 Derivation of KSN for dual connectivity
A.17 SoR-MAC-IAUSF generation function
A.18 SoR-MAC-IUE generation function
A.19 UPU-MAC-IAUSF generation function
A.20 UPU-MAC-IUE generation function
Annex B (informative): Using additional EAP metho
B.1 Introduction
B.2 Primary authentication and key agreement
B.2.1 EAP TLS
B.2.1.1 Security procedures
B.2.1.2 Privacy considerations
B.2.1.2.1 EAP TLS without subscription identifier
B.2.1.2.2 EAP TLS with subscription identifier pri
B.2.2 Revocation of subscriber certificates
B.3 Key derivation
Annex C (normative): Protection schemes for conce
C.1 Introduction
C.2 Null-scheme
C.3 Elliptic Curve Integrated Encryption Scheme (E
C.3.1 General
C.3.2 Processing on UE side
C.3.3 Processing on home network side
C.3.4 ECIES profiles
C.3.4.0 General
C.3.4.1 Profile A
C.3.4.2 Profile B
C.4 Implementers’ test data
C.4.1 General
C.4.2 Null-scheme
C.4.3 ECIES Profile A
C.4.4 ECIES Profile B
Annex D (normative): Algorithms for ciphering and
D.1 Null ciphering and integrity protection algori
D.2 Ciphering algorithms
D.2.1 128-bit Ciphering algorithms
D.2.1.1 Inputs and outputs
D.2.1.2 128-NEA1
D.2.1.3 128-NEA2
D.2.1.4 128-NEA3
D.3 Integrity algorithms
D.3.1 128-Bit integrity algorithms
D.3.1.1 Inputs and outputs
D.3.1.2 128-NIA1
D.3.1.3 128-NIA2
D.3.1.4 128-NIA3
D.4 Test Data for the security algorithms
D.4.1 General
D.4.2 128-NEA1
D.4.3 128-NIA1
D.4.4 128-NEA2
D.4.5 128-NIA2
D.4.6 128-NEA3
D.4.7 128-NIA3
Annex E (informative): UE-assisted network-based
E.1 Introduction
E.2 Examples of using measurement reports
Annex F (normative): 3GPP 5G profile for EAP-AKA'
F.1 Introduction
F.2 Subscriber privacy
F.3 Subscriber identity and key derivation
F.4 Void
Annex G (informative): Application layer security
G.1 Introduction
G.2 Structure of HTTP Message
Annex H (informative): Void
Annex I (informative): Change history
3GPP TS 33.501 V15.5.0 (2019-06)
Technical Specification
3rd Generation Partnership Project;
Technical Specification Group Services and System Aspects;
Security architecture and procedures for 5G system
(Release 15)

The present document has been developed within the 3rd Generation Partnership Project (3GPP TM) and may be further elaborated for the purposes of 3GPP. The present document has not been subject to any approval process by the 3GPP Organizational Partners and shall not be implemented. This Specification is provided for future development work within 3GPP only. The Organizational Partners accept no liability for any use of this Specification. Specifications and Reports for implementation of the 3GPP TM system should be obtained via the 3GPP Organizational Partners' Publications Offices.
Keywords
security, 5G

3GPP
Postal address
3GPP support office address
650 Route des Lucioles – Sophia Antipolis
Valbonne – France
Tel.: +33 4 92 94 42 00
Fax: +33 4 93 65 47 16
Internet
http://www.3gpp.org

Copyright Notification
No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.
© 2019, 3GPP Organizational Partners (ARIB, ATIS, CCSA, ETSI, TSDSI, TTA, TTC).
All rights reserved.
Contents
Foreword ... 12
1 Scope ... 13
2 References ... 13
3 Definitions and abbreviations ... 15
3.1 Definitions ... 15
3.2 Abbreviations ... 19
4 Overview of security architecture ... 20
4.1 Security domains ... 20
4.2 Security entity at the perimeter of the 5G Core network ... 21
4.3 Security entities in the 5G Core network ... 21
5 Security requirements and features ... 21
5.1 General security requirements ... 21
5.1.1 Mitigation of bidding down attacks ... 21
5.1.2 Authentication and Authorization ... 21
5.1.3 Requirements on 5GC and NG-RAN related to keys ... 22
5.2 Requirements on the UE ... 22
5.2.1 General ... 22
5.2.2 User data and signalling data confidentiality ... 22
5.2.3 User data and signalling data integrity ... 23
5.2.4 Secure storage and processing of subscription credentials ... 23
5.2.5 Subscriber privacy ... 23
5.3 Requirements on the gNB ... 24
5.3.1 General ... 24
5.3.2 User data and signalling data confidentiality ... 24
5.3.3 User data and signalling data integrity ... 25
5.3.4 Requirements for the gNB setup and configuration ... 25
5.3.5 Requirements for key management inside the gNB ... 25
5.3.6 Requirements for handling user plane data for the gNB ... 26
5.3.7 Requirements for handling control plane data for the gNB ... 26
5.3.8 Requirements for secure environment of the gNB ... 26
5.3.9 Requirements for the gNB F1 interfaces ... 26
5.3.10 Requirements for the gNB E1 interfaces ... 26
5.4 Requirements on the ng-eNB ... 27
5.5 Requirements on the AMF ... 27
5.5.1 Signalling data confidentiality ... 27
5.5.2 Signalling data integrity ... 27
5.5.3 Subscriber privacy ... 27
5.6 Requirements on the SEAF ... 27
5.7 Void ... 28
5.8 Requirements on the UDM ... 28
5.8.1 Generic requirements ... 28
5.8.2 Subscriber privacy related requirements to UDM and SIDF ... 28
5.8a Requirements on AUSF ... 28
5.9 Core network security ... 28
5.9.1 Trust boundaries ... 28
5.9.2 Requirements on service-based architecture ... 28
5.9.2.1 Security Requirements for service registration, discovery and authorization ... 28
5.9.2.2 NRF security requirements ... 29
5.9.2.3 NEF security requirements ... 29
5.9.3 Requirements for e2e core network interconnection security ... 29
5.9.3.1 General ... 29
5.9.3.2 Requirements for Security Edge Protection Proxy (SEPP) ... 30
5.9.3.3 Protection of attributes ... 30
5.10 Visibility and configurability ... 31
5.10.1 Security visibility ... 31
5.10.2 Security configurability ... 31
5.11 Requirements for algorithms, and algorithm selection ... 31
5.11.1 Algorithm identifier values ... 31
5.11.1.1 Ciphering algorithm identifier values ... 31
5.11.1.2 Integrity algorithm identifier values ... 31
5.11.2 Requirements for algorithm selection ... 32
6 Security procedures between UE and 5G network functions ... 32
6.0 General ... 32
6.1 Primary authentication and key agreement ... 33
6.1.1 Authentication framework ... 33
6.1.1.1 General ... 33
6.1.1.2 EAP framework ... 33
6.1.1.3 Granularity of anchor key binding to serving network ... 34
6.1.1.4 Construction of the serving network name ... 34
6.1.1.4.1 Serving network name ... 34
6.1.1.4.2 Construction of the serving network name by the UE ... 34
6.1.1.4.3 Construction of the serving network name by the SEAF ... 34
6.1.2 Initiation of authentication and selection of authentication method ... 35
6.1.3 Authentication procedures ... 36
6.1.3.1 Authentication procedure for EAP-AKA' ... 36
6.1.3.2 Authentication procedure for 5G AKA ... 38
6.1.3.2.0 5G AKA ... 38
6.1.3.2.1 Void ... 40
6.1.3.2.2 RES* verification failure in SEAF or AUSF or both ... 40
6.1.3.3 Synchronization failure or MAC failure ... 41
6.1.3.3.1 Synchronization failure or MAC failure in USIM ... 41
6.1.3.3.2 Synchronization failure recovery in Home Network ... 41
6.1.4 Linking increased home control to subsequent procedures ... 42
6.1.4.1 Introduction ... 42
6.1.4.1a Linking authentication confirmation to Nudm_UECM_Registration procedure from AMF ... 42
6.1.4.2 Guidance on linking authentication confirmation to Nudm_UECM_Registration procedure from AMF ... 43
6.2 Key hierarchy, key derivation, and distribution scheme ... 44
6.2.1 Key hierarchy ... 44
6.2.2 Key derivation and distribution scheme ... 46
6.2.2.1 Keys in network entities ... 46
6.2.2.2 Keys in the UE ... 47
6.2.3 Handling of user-related keys ... 49
6.2.3.1 Key setting ... 49
6.2.3.2 Key identification ... 49
6.2.3.3 Key lifetimes ... 50
6.3 Security contexts ... 51
6.3.1 Distribution of security contexts ... 51
6.3.1.1 General ... 51
6.3.1.2 Distribution of subscriber identities and security data within one 5G serving network domain ... 51
6.3.1.3 Distribution of subscriber identities and security data between 5G serving network domains ... 51
6.3.1.4 Distribution of subscriber identities and security data between 5G and EPS serving network domains ... 51