Description
The Control Plane ProSe Remote User Key (CP-PRUK) is a key shared between a 5G ProSe Remote UE and its home network, established through the control plane of the 5G Core rather than over a user-plane connection to a key management server. It is derived by the Remote UE and by the AUSF in the Remote UE's home PLMN from KAUSF, the key that results from primary authentication (5G-AKA or EAP-AKA'), and it is referenced by a CP-PRUK ID. Its job is to bootstrap security for the PC5 link between the Remote UE and a 5G ProSe UE-to-Network Relay: from the CP-PRUK the network and the Remote UE derive a per-link key that the relay receives, and from that key the two UEs derive the keys that give confidentiality and integrity protection to PC5 signalling and user plane traffic. Because it hangs off KAUSF through a one-way key derivation, the CP-PRUK is cryptographically separate from the keys used for the UE's own network access (KAMF, KgNB and the NAS and AS keys below them).
Several network functions take part. The PCF provides the Remote UE and the relay with their ProSe policy and parameters, including the Relay Service Codes they may use. The AMF serving the relay carries the relay's requests over NAS, and the AUSF and UDM in the Remote UE's HPLMN authenticate and authorize the Remote UE and hold its CP-PRUK. The ProSe Function of EPS has no direct counterpart in 5GS; its authorization and key management roles are split between these 5GC functions. A typical establishment runs as follows: the Remote UE discovers a relay and sends a Direct Communication Request over PC5 carrying its CP-PRUK ID (or its SUCI, if it does not yet hold a CP-PRUK) together with the Relay Service Code and a fresh nonce. The relay forwards these parameters to its AMF in a NAS relay key request; the AMF selects the AUSF of the Remote UE, which may first run primary authentication of the Remote UE through the relay and then derives the per-link key from the CP-PRUK and the fresh inputs it received. That key is returned to the relay through the AMF, and the Remote UE derives the same key locally. PC5 is the reference point between the two UEs, not between network functions; the network functions talk to each other over NAS and the service-based interfaces of the core.
The keys form a hierarchy. KAUSF, the root from primary authentication, exists only in the Remote UE and in its AUSF and never crosses PC5. The CP-PRUK, together with its CP-PRUK ID, is derived from KAUSF by both and is long-lived: it can serve several relay links and is replaced only when a new KAUSF results from re-authentication. For each link the AUSF and the Remote UE derive a per-link key (KNR_ProSe in TS 33.503) from the CP-PRUK using fresh input such as a nonce and the Relay Service Code; this is the only key the network hands to the relay. From it the Remote UE and the relay derive a session key with nonces from both sides, and from the session key the PC5 encryption and integrity keys that the PDCP layer uses to cipher and integrity-protect user plane data and PC5 signalling. Every step is a one-way KDF, so compromise of one link's keys on a relay exposes neither the CP-PRUK, nor other links, nor the Remote UE's network access keys. The caveat runs the other way: the CP-PRUK is the long-term secret, so its leak at the Remote UE or the AUSF compromises every relay link bootstrapped from it until it is re-derived. Note also that the relay is a legitimate holder of the per-link and session keys, so PC5 protection guards the air interface against third parties, not against the relay UE itself.
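As an added worked example, not code from TS 33.503 or from any vendor's implementation, the following Python simulates the exchange and the key hierarchy described above: the Remote UE and its AUSF derive CP-PRUK from KAUSF, the relay forwards the Remote UE's identifiers and nonce to the network, the AUSF releases only the per-link key, and both UEs end up with the same PC5 encryption and integrity keys. The KDF follows the generic 3GPP format of TS 33.220 Annex B (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...), which is real; the FC codepoints, the CP-PRUK ID format, the parameter set of each derivation, the message field names and all sample inputs are assumptions of this example.

```python
import hashlib
import hmac
import secrets


def kdf_input_string(fc: int, *params: bytes) -> bytes:
    """Build S = FC || P0 || L0 || P1 || L1 || ... as in TS 33.220 Annex B.2.
    Li is the 16-bit big-endian length of Pi, so parameter boundaries are
    unambiguous: ("ab", "c") and ("a", "bc") give different strings."""
    if not 0 <= fc <= 0xFF:
        raise ValueError("FC must fit in one octet")
    s = bytes([fc])
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("parameter exceeds the 16-bit length field")
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256 over the input string, 256-bit output."""
    return hmac.new(key, kdf_input_string(fc, *params), hashlib.sha256).digest()


# Hypothetical FC codepoints for this example, not the values assigned in TS 33.503 Annex A.
FC_CP_PRUK, FC_CP_PRUK_ID, FC_KNR_PROSE, FC_SESSION, FC_ALG = 0x7A, 0x7B, 0x7C, 0x7D, 0x7E


def derive_cp_pruk(k_ausf: bytes, supi: str) -> tuple:
    """Long-lived CP-PRUK bound to KAUSF and the SUPI, plus an opaque CP-PRUK ID that
    does not reveal the SUPI on the air interface (parameter set and ID format assumed)."""
    cp_pruk = kdf(k_ausf, FC_CP_PRUK, supi.encode())
    cp_pruk_id = kdf(cp_pruk, FC_CP_PRUK_ID, b"CP-PRUK ID")[:16].hex() + "@example.realm"
    return cp_pruk, cp_pruk_id


def derive_knr_prose(cp_pruk: bytes, rsc: int, nonce_1: bytes) -> bytes:
    """Per-link key from CP-PRUK, the 24-bit Relay Service Code and the Remote UE's nonce."""
    return kdf(cp_pruk, FC_KNR_PROSE, rsc.to_bytes(3, "big"), nonce_1)


def derive_session_keys(knr_prose: bytes, nonce_1: bytes, nonce_2: bytes) -> tuple:
    """Session key from both nonces, then 128-bit PC5 encryption and integrity keys bound
    to the negotiated algorithms (structure simplified from TS 33.536)."""
    k_sess = kdf(knr_prose, FC_SESSION, nonce_1, nonce_2)
    nrpek = kdf(k_sess, FC_ALG, b"\x01", b"NEA2")[:16]  # 0x01: encryption key
    nrpik = kdf(k_sess, FC_ALG, b"\x02", b"NIA2")[:16]  # 0x02: integrity key
    return nrpek, nrpik


def run_bootstrap(k_ausf: bytes, supi: str, rsc: int, nonce_1: bytes = b"", nonce_2: bytes = b"") -> dict:
    """One simulated exchange Remote UE -> Relay -> AUSF and back; returns each party's view."""
    nonce_1 = nonce_1 or secrets.token_bytes(16)  # chosen by the Remote UE
    nonce_2 = nonce_2 or secrets.token_bytes(16)  # chosen by the Relay

    # Remote UE: holds KAUSF from primary authentication and derives CP-PRUK locally.
    ue_cp_pruk, cp_pruk_id = derive_cp_pruk(k_ausf, supi)
    # AUSF: holds the same KAUSF, so it stores the same CP-PRUK under the same ID.
    net_cp_pruk, net_cp_pruk_id = derive_cp_pruk(k_ausf, supi)
    ausf_store = {net_cp_pruk_id: net_cp_pruk}

    # PC5, Direct Communication Request (constructed): identifiers and a nonce, never a key.
    dcr = {"cp_pruk_id": cp_pruk_id, "rsc": rsc, "nonce_1": nonce_1}
    # Relay -> AMF -> AUSF (constructed relay key request; the AMF hop is not modelled).
    req = {"cp_pruk_id": dcr["cp_pruk_id"], "rsc": dcr["rsc"], "nonce_1": dcr["nonce_1"]}
    if req["cp_pruk_id"] not in ausf_store:
        raise KeyError("unknown CP-PRUK ID: AUSF would fall back to primary authentication")
    knr_prose_net = derive_knr_prose(ausf_store[req["cp_pruk_id"]], req["rsc"], req["nonce_1"])
    # AUSF -> AMF -> Relay: only the per-link KNR_ProSe is released; CP-PRUK stays in the AUSF.
    relay_keys = derive_session_keys(knr_prose_net, nonce_1, nonce_2)

    # PC5, Direct Security Mode Command carries Nonce_2; the Remote UE mirrors the derivation.
    ue_keys = derive_session_keys(derive_knr_prose(ue_cp_pruk, rsc, nonce_1), nonce_1, nonce_2)
    return {"ue": ue_keys, "relay": relay_keys, "knr_prose": knr_prose_net, "cp_pruk_id": cp_pruk_id}


def keys_agree(run: dict) -> bool:
    """True when Remote UE and Relay ended up with identical (NRPEK, NRPIK)."""
    return run["ue"] == run["relay"]


if __name__ == "__main__":
    K_AUSF = bytes(range(32))  # constructed sample root key
    a = run_bootstrap(K_AUSF, "imsi-001010123456789", rsc=1)
    b = run_bootstrap(K_AUSF, "imsi-001010123456789", rsc=1)
    print("keys agree:", keys_agree(a), "| links separated:", a["knr_prose"] != b["knr_prose"])
```

Two properties are worth checking in a run: two bootstraps with fresh nonces give unrelated per-link keys even though they share the same CP-PRUK, and replaying an old Nonce_1 with the same Relay Service Code reproduces the old KNR_ProSe, which is why the nonce must be fresh on every request.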
Its role in the network is to extend network-controlled security to a Remote UE that reaches the 5G System through another UE, for instance when it is out of coverage. Because key establishment runs through the AMF and the AUSF, the network authenticates and authorizes the Remote UE before any PC5 key is released, can refuse keys to an unauthorized UE or an unauthorized Relay Service Code, and keeps oversight of who is being served over a relay, which matters for public safety and regulatory functions such as lawful intercept. The Remote UE then reaches the network through the relay with no out-of-band key provisioning and without a separate user-plane session just to fetch a key.
Purpose & Motivation
CP-PRUK was created for the security of 5G Proximity Services (ProSe), specifically the 5G ProSe UE-to-Network Relay, with public safety as the driving use case. LTE ProSe (TS 33.303) already had a PRUK for its UE-to-Network relay, but that key was fetched over the user plane from a ProSe Key Management Function (PKMF), which requires the Remote UE to have had data connectivity beforehand. 5G keeps a user-plane variant and adds the control-plane variant, CP-PRUK, so that the key is derived from the outcome of primary authentication through the 5G Core itself and the security architecture is integrated with the 5GC's service-based functions. The aim is that a link through a relay is as trustworthy as a direct connection to the network.
The key problem it solves is how to bootstrap security between a Remote UE and a relay that have no prior relationship with each other, without an out-of-band key exchange. In public safety situations, for example when a first responder is out of coverage or the local infrastructure is damaged, the Remote UE can still reach the network through a relay, and CP-PRUK lets the two devices establish an encrypted and integrity-protected PC5 link whose keys are rooted in the Remote UE's home network credentials. Ad hoc setups without such a root are exposed to man-in-the-middle attacks because neither side can verify whom it is talking to; here the network authenticates the Remote UE, and only a relay the network has authorized receives the per-link key. The same mechanism serves commercial proximity services that use a relay.
Historically, this continues an evolution from the LTE Release 12/13 ProSe security of TS 33.303, with its PKMF-based PRUK, to the 5G design. CP-PRUK, introduced in Release 17 with TS 33.503, fits the 5G Service-Based Architecture, derives from KAUSF rather than from a separately fetched key, and lets the network apply authorization per Relay Service Code at the moment it releases a key.
Key Features
- Enables network-controlled key establishment for the PC5 link between a 5G ProSe Remote UE and a 5G ProSe UE-to-Network Relay
- Derived from KAUSF by the Remote UE and its home AUSF; referenced on the air interface by a CP-PRUK ID rather than by the subscription identifier
- Provides confidentiality and integrity protection for PC5 signalling and user plane traffic between the Remote UE and the relay
- Ensures key separation from the network access keys (e.g. KAMF, KgNB) and between relay links through one-way key derivation
- Complements the user-plane variant in which the PRUK is obtained from the ProSe Key Management Function (PKMF)
- Rooted in primary authentication (5G-AKA or EAP-AKA'), which the AUSF can run for the Remote UE through the relay
Evolution Across Releases
Release 17: introduced the CP-PRUK as a new key within the 5G ProSe security architecture. Defined its derivation from KAUSF, its CP-PRUK ID, and its role in securing the PC5 link between a 5G ProSe Remote UE and a 5G ProSe UE-to-Network Relay. Specified the control plane procedure, carried over NAS between the relay and its AMF and on to the AUSF of the Remote UE, for authorization and key delivery, establishing the framework for network-assisted relay security in 5G.
Defining Specifications
| Specification | Title |
|---|---|
| TS 23.003 | Numbering, addressing and identification |
| TS 24.501 | Non-Access-Stratum (NAS) protocol for 5G System (5GS); Stage 3 |
| TS 24.554 | Proximity-services (ProSe) in 5G System (5GS) protocol aspects; Stage 3 |
| TS 33.503 | Security aspects of Proximity based Services (ProSe) in the 5G System (5GS) |