CP-PRUK

Control Plane ProSe Remote User Key

Introduced in Rel-17

CP-PRUK is a control-plane-managed security key used for ProSe direct device-to-device communication, enabling secure connections without routing all traffic through the network core.

Category: Security
Introduced: Rel-17
Where: Core Network › Legacy Core
Specifications: 4 specs

Description

The Control Plane ProSe Remote User Key (CP-PRUK) is a cryptographic key established between two User Equipments (UEs) to secure their direct ProSe communication link. It is generated and managed through signaling procedures in the 5G Core Network's control plane, specifically involving the ProSe Function. The key derivation follows the 5G Authentication and Key Agreement (5G-AKA) framework, ensuring it is cryptographically separate from other keys used for network access (like K_AMF) or user plane protection. The CP-PRUK is a critical component of the ProSe security architecture, providing confidentiality and integrity protection for the direct communication channel between UEs.

The architecture for CP-PRUK involves several network functions. The ProSe Function, located in the home Public Land Mobile Network (HPLMN) of a UE, is the central entity responsible for ProSe service authorization and security management. When two UEs (UE-A and UE-B) wish to establish a secure direct link, they initiate a ProSe Direct Discovery or Communication procedure. Their requests are routed to their respective ProSe Functions. These functions authenticate the UEs and authorize the ProSe service. For key establishment, the ProSe Functions communicate with each other, often via the PC5 interface reference point, to agree on keying material. The actual CP-PRUK is then derived locally in each UE using parameters provided by their ProSe Function, such as a ProSe Key Identifier and other fresh input values.

The technical operation involves a multi-step key derivation hierarchy. A root key, the ProSe Key (PK), is first established between the UE and its HPLMN ProSe Function during service authorization. From this PK, a ProSe Link Key (PLK) can be derived for a specific communication pair. The CP-PRUK is a further derivative, often serving as the key for the Access Stratum (AS) security between the two UEs over the PC5 interface. This layered approach ensures key separation; compromise of a CP-PRUK for one direct link does not affect the security of the UE's network access or its ProSe links with other devices. The CP-PRUK is used by the PDCP (Packet Data Convergence Protocol) layer in the UE to cipher and integrity-protect the user plane data and certain control plane signaling exchanged directly over PC5.
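The layered derivation and the key separation it gives, sketched as an added example (not code from this page or from 3GPP). It uses the generic 3GPP KDF input layout of TS 33.220 Annex B (HMAC-SHA-256 over FC || P0 || L0 || ...) and follows the PK, PLK, CP-PRUK chain as this page describes it, not the normative derivation in TS 33.503; the FC values, keys, identities and function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Hypothetical FC octets for illustration; real values are assigned by 3GPP.
FC_LINK_KEY = 0xF0
FC_CP_PRUK = 0xF1


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256(key, S) with S = FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("parameter exceeds the two-octet length field")
        # The trailing length keeps (b"ab", b"c") distinct from (b"a", b"bc").
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_link_key(prose_key: bytes, ue_a: bytes, ue_b: bytes) -> bytes:
    """Per-pair link key (PLK in the text), bound to both UE identities."""
    return kdf(prose_key, FC_LINK_KEY, ue_a, ue_b)


def derive_cp_pruk(link_key: bytes, key_id: bytes, fresh: bytes) -> bytes:
    """Leaf key bound to a key identifier and a fresh input value."""
    if len(fresh) < 16:
        raise ValueError("fresh input must be at least 128 bits")
    return kdf(link_key, FC_CP_PRUK, key_id, fresh)


def demo() -> dict:
    pk = bytes(range(32))  # constructed root key, not a real credential
    n1, n2 = bytes([0xAA]) * 16, bytes([0xBB]) * 16  # constructed fresh values
    plk_ab = derive_link_key(pk, b"UE-A", b"UE-B")
    plk_ac = derive_link_key(pk, b"UE-A", b"UE-C")
    return {
        "A-B": derive_cp_pruk(plk_ab, b"key-id-1", n1),
        "A-C": derive_cp_pruk(plk_ac, b"key-id-1", n1),
        "A-B rekeyed": derive_cp_pruk(plk_ab, b"key-id-1", n2),
    }


if __name__ == "__main__":
    for link, key in demo().items():
        print(f"{link:12s} {key.hex()}")
```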

Its role in the network is to enable trusted, efficient Device-to-Device (D2D) communication. By handling key management in the control plane, the network maintains oversight and policy control over direct communications, which is vital for lawful intercept, emergency services, and preventing unauthorized use. The CP-PRUK mechanism allows the network to provision security for direct links without needing to route the actual user data traffic itself, optimizing latency and network resource usage for proximity-based applications.

Purpose & Motivation

CP-PRUK was created to address the security requirements of Proximity Services (ProSe) introduced and enhanced in 5G, particularly for mission-critical communications and advanced V2X (Vehicle-to-Everything) scenarios. Prior to its specification, direct D2D communication in LTE (under the name ProSe or LTE Direct) had security mechanisms, but the 5G system demanded a more robust, flexible, and scalable security architecture integrated with the new 5G core. The purpose of CP-PRUK is to provide a standardized, network-assisted method for establishing secure direct links between UEs, ensuring that these links are as trustworthy as traditional network-routed connections.

The key problem it solves is how to efficiently bootstrap and manage security between two devices that may have no prior relationship, without requiring complex out-of-band key exchange. In public safety situations (e.g., when cellular network infrastructure is damaged), first responders need to communicate directly. CP-PRUK allows their devices to establish encrypted and integrity-protected channels, with keys ultimately rooted in their home network credentials. This solves the limitation of ad-hoc security setups which are vulnerable to man-in-the-middle attacks. Furthermore, for commercial V2X, it enables secure vehicle-to-vehicle warnings without relying on continuous, high-latency communication with a distant network server.

Historical context shows an evolution from simpler, less integrated D2D security in LTE Release 12/13 towards a more sophisticated, service-based architecture in 5G. CP-PRUK, introduced in 5G Release 17, is part of this evolution, designed to work seamlessly with the 5G Service-Based Architecture (SBA) and provide enhanced key management capabilities. It addresses limitations of previous approaches by offering better key separation, integration with 5G-AKA, and support for more dynamic and granular security policies controlled by the network's ProSe Function.

Classification

Part of ProSe

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (580 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 26 changes

In Release 15, the CP-PRUK function was not newly introduced; the provided Change Request titles and grounding context do not describe any introduction or modification of this specific function. The listed CRs focus on enhancements for congestion control, user-plane resource management, and access control procedures within the 5G core network. The grounding context only references ProSe services for general addressing and identification principles, not the CP-PRUK feature.

  • Network control for always-on PDU sessions (TS 24.501 CR0107)
  • Clarification on congestion control upon intersystem change (TS 24.501 CR0604)
  • Correction for establishment of user-plane resources (TS 24.501 CR0013)
  • UAC information and establishment cause when uplink user data packet is to be sent for a PDU session with suspended user-plane resources (TS 24.501 CR0027)
  • Clarification on NAS level MM congestion Control (TS 24.501 CR0058)
  • Correction on UE behaviour for 5GSM congestion control (TS 24.501 CR0113)


Rel-16 77 changes

In Release 16, the CP-PRUK function introduced new control mechanisms for ProSe in the 5G System, including Service Gap control with activation, enforcement in the UE and AMF, and updates via the UCU procedure. These enhancements provided operators with tools for congestion and rate control, specifically for small data transfers and control plane data transport. The release also defined the structure for the ProSe Application ID to support operations in Stand-alone Non-Public Networks (SNPNs).

  • SINE_5G: Back-off control and retry restriction mechanisms in 5GS (TS 24.501 CR0730)
  • Small data rate control, general description (TS 24.501 CR0970)
  • Small data rate control, activation (TS 24.501 CR0971)
  • Serving PLMN rate control, general description (TS 24.501 CR0972)
  • Serving PLMN rate control, activation (TS 24.501 CR0973)
  • Service Gap control in 5GS, general description (TS 24.501 CR0974)


Rel-17 155 changes

In Release 17, the new CP-PRUK (Control Plane ProSe Remote User Key) function introduced the ProSe remote user key procedure as a defined security mechanism. This was part of broader 5G ProSe enhancements, which also included new procedures for authentication and key agreement specifically for the 5G ProSe UE-to-network relay. These additions provided a standardized control plane method for secure key management in ProSe services.

  • Introducion of Network Slice Admission Control (TS 24.501 CR3111)
  • Clarificaiton on behaviors of the UE and the network supporting Network Slice Admission Control (TS 24.501 CR3112)
  • ProSe as a trigger for Service Request procedure (TS 24.501 CR3125)
  • Network shall not release the RRC connection for ProSe services (TS 24.501 CR3126)
  • ProSe policy provisioning start and stop indications (TS 24.501 CR3127)
  • UE ProSe capability negotiation with 5GC (TS 24.501 CR3159)


Rel-18 164 changes

In Release 18, the CP-PRUK function was enhanced to include an authentication and key agreement procedure specifically for 5G ProSe UE-to-UE relay, enabling secure direct communication. Furthermore, it introduced the capability to identify a Remote UE by its PEI (Permanent Equipment Identifier), providing a concrete method for relay authentication and key management within the Proximity-based Services framework.

  • Equivalent SNPNs usage for congestion control (TS 24.501 CR4838)
  • User plane positioning capability indication (TS 24.501 CR5015)
  • CH controlled prioritized list of preferred SNPNs and GINs for access for localized services in SNPN (TS 24.501 CR5036)
  • Capability indication to support of network slice usage control (TS 24.501 CR5329)
  • General introduction on support of network slice usage control (TS 24.501 CR5328)
  • User plane positioning capability (TS 24.501 CR5285)


Rel-19 158 changes

In Release 19, the CP-PRUK function was enhanced to support 5G ProSe in Standalone Non-Public Networks (SNPNs), including updates to the ProSe Application ID format to incorporate the SNPN ID. Specific procedures were updated to operate within SNPNs, such as the 5G ProSe Discoverer request, UE-to-network relay selection, and announce request procedures for restricted discovery. Furthermore, the release introduced the foundational overview and procedures for new 5G ProSe multi-hop relay functionality.

  • Format of SNPN ID description for 5G ProSe applications (TS 23.003 CR0703)
  • Update ProSe App Code format to support 5G ProSe in NPNs (TS 23.003 CR0705)
  • The clarification of the applicability of RAT utilization control (TS 24.501 CR6350)
  • Control of UE RAT utilization by 5GS (TS 24.501 CR6343)
  • ProSe and NPN (TS 24.501 CR6392)
  • Storage and replacement of RAT utilization control information associated to the current PLMN (TS 24.501 CR6460)


Defining Specifications

3GPP specifications that define or reference CP-PRUK, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

Specification | Title | Release
TS 23.003 vj50 | Numbering, addressing and identification in 3GPP | Rel-19
TS 24.501 vj50 | 5G NAS Protocols Specification | Rel-19
TS 24.554 vj40 | 5G Proximity Services (ProSe) Protocols | Rel-19
TS 33.503 vj20 | Security for Proximity Services (ProSe) in 5G | Rel-19