Description
The Discovery User Confidentiality Key (DUCK) is a security key defined within the 3GPP architecture for Proximity-based Services (ProSe). It is derived as part of a key hierarchy specifically for the protection of discovery-related communication between User Equipments (UEs) operating in direct device-to-device (D2D) mode or via a network. The primary purpose of the DUCK is to provide confidentiality protection for discovery messages, which are signals or announcements broadcast by a UE to make its presence or services known to other nearby UEs. Without such protection, these messages could reveal sensitive information about the user's identity, location, or intent.
The DUCK is generated through a key derivation function (KDF) specified in 3GPP TS 33.220. Its derivation typically uses a root key shared between the UE and the network (such as the K_ProSe key) along with other input parameters like the ProSe Application Code and the key purpose identifier. Once derived, the DUCK is used within the UE's ProSe protocol stack. When a UE wishes to send a secured discovery message, it uses the DUCK to encrypt the payload of the discovery announcement or solicitation. The corresponding receiving UEs, which have derived the same DUCK (based on shared network-provided parameters or direct establishment), can decrypt the message to process the discovery information. This process ensures that only authorized UEs participating in the same discovery session can understand the content.
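As an added illustration (not code from 3GPP or from this page's source), the following Python example builds the generic TS 33.220 KDF input string S = FC || P0 || L0 || ... || Pn || Ln and applies HMAC-SHA-256, showing that two parties holding the same inputs obtain the same key while a different purpose identifier yields an unrelated one. The FC octet is a placeholder, and the root key, application code, purpose values and parameter order are constructed assumptions, not values taken from the specifications.

```python
import hashlib
import hmac
from typing import Sequence

# Placeholder: the real FC octet is assigned in the 3GPP specifications and is
# not given on this page.
FC_PLACEHOLDER = 0x00

# Constructed sample inputs (assumptions, not values from any specification).
ROOT_KEY = bytes(range(32))             # stands in for the shared root key
APP_CODE = b"constructed-app-code"      # stands in for the ProSe Application Code
PURPOSE_CONFIDENTIALITY = b"\x01"       # hypothetical purpose identifier
PURPOSE_INTEGRITY = b"\x02"             # hypothetical purpose identifier


def build_s(fc: int, params: Sequence[bytes]) -> bytes:
    """Encode S = FC || P0 || L0 || ... || Pn || Ln (Li = two-octet length of Pi)."""
    if not 0 <= fc <= 0xFF:
        raise ValueError("FC must fit in one octet")
    s = bytes([fc])
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("parameter too long for a two-octet length field")
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, params: Sequence[bytes]) -> bytes:
    """Derived key = HMAC-SHA-256(key, S), 32 octets."""
    return hmac.new(key, build_s(fc, params), hashlib.sha256).digest()


def derive_discovery_key(root_key: bytes, app_code: bytes, purpose: bytes) -> bytes:
    # Assumed parameter order: P0 = application code, P1 = purpose identifier.
    return kdf(root_key, FC_PLACEHOLDER, [app_code, purpose])


if __name__ == "__main__":
    sender = derive_discovery_key(ROOT_KEY, APP_CODE, PURPOSE_CONFIDENTIALITY)
    receiver = derive_discovery_key(ROOT_KEY, APP_CODE, PURPOSE_CONFIDENTIALITY)
    other = derive_discovery_key(ROOT_KEY, APP_CODE, PURPOSE_INTEGRITY)
    print("same inputs give same key:", hmac.compare_digest(sender, receiver))
    print("purpose separates keys:   ", not hmac.compare_digest(sender, other))
    # The length fields keep parameter boundaries unambiguous.
    print(build_s(0, [b"ab", b"c"]) != build_s(0, [b"a", b"bc"]))
```

The two-octet length after each parameter is what stops two different parameter lists from encoding to the same S, so keys derived for different purposes or applications cannot collide through boundary confusion.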
Architecturally, the DUCK is managed by the ProSe function in the network and securely provisioned to authorized UEs. It operates alongside the Discovery User Integrity Key (DUIK), which provides integrity protection. The combination of DUCK and DUIK forms a complete security suite for discovery signaling. The key's lifecycle is tied to the discovery session or the validity of the higher-layer root key. Its use is detailed in specifications governing the ProSe protocol layers (24.334) and the security architecture (33.503). The DUCK is a critical enabler for secure commercial find-and-connect services and, more importantly, for public safety communications where discovery between first responders must be both reliable and confidential.
Purpose & Motivation
The DUCK was introduced in 3GPP Release 13 to address the security requirements of the newly standardized Proximity Services (ProSe). ProSe enables direct device-to-device communication, a paradigm shift from traditional cellular networks where all traffic routes through a base station. One of the foundational operations in ProSe is discovery—the process by which devices find each other. Early ProSe work identified that discovery messages, if sent in plaintext, would pose significant privacy and security risks, potentially exposing user identities and enabling tracking or spoofing attacks.
The creation of the DUCK was motivated by the need to provide confidentiality for these discovery procedures, particularly for applications like public safety where communication must be secure from eavesdropping. Prior to ProSe, cellular security focused on the UE-to-network link. D2D discovery required a new security model for the direct UE-to-UE link. The DUCK, as part of a dedicated ProSe key hierarchy, solved the problem of how to efficiently and securely encrypt discovery payloads without requiring a prior direct secure connection between the discovering devices. It allowed the network to delegate cryptographic capability to devices for off-network operation, a crucial feature for public safety scenarios where network infrastructure might be unavailable. The DUCK thus filled a critical gap in the security architecture, enabling trustworthy discovery as a precursor to secure D2D communication.
Detected Changes Across Releases
From 3GPP Change Requests: specific changes extracted from the "Change history" tables of 3GPP specifications (207 CRs across 4 releases). Complements the general historical overview above with the evidence-based evolution of this function.
Studied in Rel-13, normative work from Rel-15.
In Release 15, the DUCK function was newly introduced as part of the enhanced security mechanisms for restricted ProSe direct discovery, specifically within the updated procedures for the Discoveree and Discoverer request processes for model B. These updates ensure that explicit permission is obtained from the ProSe-enabled UE being discovered, integrating the DUCK to protect user confidentiality during discovery over the PC5 interface. The changes are detailed across multiple procedure updates for WLAN-based direct discovery, including authorisation, monitoring, and match reporting.
- Updates to ProSe Service Authorisation for WLAN Direct Discovery (TS 24.334, CR0298)
- Updates to Announce request procedure for open WLAN based ProSe direct discovery (TS 24.334, CR0299)
- Updates to Announce request procedure for restricted WLAN based ProSe direct discovery model A (TS 24.334, CR0300)
- Updates to Discoveree request procedure for restricted ProSe direct discovery model B (TS 24.334, CR0301)
- Updates to Discoverer request procedure for restricted ProSe direct discovery model B (TS 24.334, CR0302)
- Updates to Monitor request procedure for open ProSe direct discovery (TS 24.334, CR0303)
+ 8 more changes
In Release 17, the DUCK function was enhanced to support security for UE-to-network relay discovery, including the introduction of a validity timer for security parameters and the provisioning of discovery security material from the 5G DDNMF. These updates also involved security protection for restricted ProSe direct discovery messages over the PC5 interface and clarifications on procedures for handling these security parameters on both the PC5 and PC8 interfaces.
- 5G ProSe UE-to-network relay discovery security parameters request procedure for PC8 interface (TS 24.554, CR0012)
- Add target user ID in relay discovery solicitation message (TS 24.554, CR0028)
- Charging information collection for 5G ProSe Direct Discovery (TS 24.554, CR0078)
- Introducing the validity timer of the security related parameters for discovery (TS 24.554, CR0095)
- Providing the discovery security material for UE-to-network relay from 5G DDNMF (TS 24.554, CR0154)
- Resolving the EN related to security parameters used for the UE-to-network relay discovery over PC5 interface (TS 24.555, CR0010)
+ 39 more changes
In Release 18, the DUCK function was enhanced to support new security procedures for UE-to-UE relay discovery, specifically introducing distinct security procedures for U2U discovery when using the PKMF (Public Key Management Function) and the DDNMF (Direct Discovery Name Management Function). These updates were part of a broader set of security-related enhancements for 5G ProSe UE-to-UE relay discovery over the PC5 interface, covering both Model A and Model B discovery models. The release also included updates to the encoding of security materials and messages to ensure confidentiality and integrity for these new relay discovery scenarios.
- 5G ProSe U2U relay discovery over PC5 interface with model A (TS 24.554, CR0229)
- 5G ProSe U2U relay discovery over PC5 interface with model B (TS 24.554, CR0230)
- U2U link establishment without integrated discovery (TS 24.554, CR0249)
- Discovery message encoding for UE-to-UE relay discovery (TS 24.554, CR0245)
- Update to U2U relay discovery procedures (TS 24.554, CR0310)
- Destination layer-2 ID for U2U relay communication with integrated discovery (TS 24.554, CR0347)
+ 61 more changes
In Release 19, the DUCK function was enhanced to support ProSe direct discovery and relay operations within Standalone Non-Public Networks (SNPN). Key updates included extending the announce and monitor request procedures for both open and restricted discovery models to function in SNPN environments. Furthermore, the release introduced new multi-hop UE-to-network relay discovery and link establishment procedures over the PC5 interface, supporting both Model A and Model B discovery.
- Update on announce request procedure for restricted 5G ProSe direct discovery model A to support 5G ProSe in SNPN (TS 24.554, CR0645)
- Update on Direct discovery update procedure for open discovery to support 5G ProSe in SNPN (TS 24.554, CR0635)
- Update on Direct discovery update procedure for restricted discovery to support 5G ProSe in SNPN (TS 24.554, CR0636)
- Update on the parameter in 5G ProSe direct discovery messages over PC3a to support 5G ProSe in SNPN (TS 24.554, CR0666)
- Multi-hop UE-to-network relay discovery over PC5 interface with model A (TS 24.554, CR0621)
- Update on 5G ProSe UE-to-UE relay discovery over PC5 interface to support 5G ProSe in SNPN (TS 24.554, CR0661)
+ 75 more changes
Defining Specifications
3GPP specifications that define or reference DUCK, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 24.334 vj00 | ProSe Protocols and Procedures | Rel-19 |
| TS 24.514 vj30 | Ranging & Sidelink Positioning in 5GS | Rel-19 |
| TS 24.554 vj40 | 5G Proximity Services (ProSe) Protocols | Rel-19 |
| TS 24.555 vj30 | 5G ProSe UE Policies Specification | Rel-19 |
| TS 29.345 vj00 | Diameter-based PC6/PC7 interfaces for ProSe | Rel-19 |
| TS 31.102 vj40 | USIM Application Specification | Rel-19 |
| TS 33.503 vj20 | Security for Proximity Services (ProSe) in 5G | Rel-19 |
| TS 33.843 vf10 | Security Study for ProSe UE-to-Network Relay | Rel-15 |