Description
The NR PC5 Encryption Key (NRPEK) is a fundamental security element within the 5G sidelink (PC5) security architecture, specifically defined for New Radio (NR) based Proximity Services (ProSe) and Vehicle-to-Everything (V2X) communications. It is a symmetric key derived as part of a key hierarchy during the authentication and key agreement procedures for PC5 communication. The NRPEK is generated by the UE or provided by the network, depending on the security mode and service authorization. Its primary function is to provide confidentiality protection for user plane data and certain control plane signaling messages transmitted directly between UEs over the PC5 reference point, without traversing the network infrastructure.
The key derivation process for NRPEK is specified in 3GPP TS 33.503. Typically, it is derived from a root key established during PC5 authentication and authorization. This process may involve the UE, a ProSe Function in the core network, and in V2X scenarios, a V2X Control Function. The derivation uses Key Derivation Functions (KDFs) with specific input parameters, including freshness parameters to ensure key separation. Once derived and installed in the UE's security environment, the NRPEK is used by the cryptographic algorithms in the PDCP (Packet Data Convergence Protocol) layer for NR sidelink to perform encryption and decryption operations on the data transmitted over the air interface.
The role of NRPEK is critical in enabling secure direct communication. It operates alongside the NR PC5 Integrity Key (NRPIK), which provides integrity protection. The separation of encryption and integrity keys is a standard security practice that limits the impact of a potential key compromise and allows for the independent management of these two security services. The NRPEK is applied per PC5 security association, meaning each secure communication session or group can have its own unique encryption key, providing forward secrecy and containment in case one key is breached. Its management, including activation, deactivation, and refreshment, is handled by the UE's Access Stratum (AS) security mechanisms based on triggers from higher layers or the network.
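The derivation chain and the encryption/integrity key separation described above can be sketched with the generic 3GPP KDF construction from TS 33.220 Annex B (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...). This is an added example, not code or text from the specifications. The FC values, key-type distinguishers, parameter order, 128-bit truncation and all sample inputs are placeholders or constructed values; the normative inputs are in the specifications listed on this page.

```python
import hashlib
import hmac

# Hypothetical placeholders: the normative FC values and distinguishers
# are assigned by the 3GPP specifications, not by this page.
FC_SESSION = 0xF0           # placeholder FC for the per-session key
FC_ALG_KEY = 0xF1           # placeholder FC for NRPEK / NRPIK
TYPE_ENC, TYPE_INT = 0x00, 0x01   # placeholder key-type distinguishers


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256(key, S) with S = FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("parameter exceeds the 2-octet length field")
        # Each Pi is followed by its length, so ("ab","c") != ("a","bc").
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def session_key(root_key: bytes, fresh_a: bytes, fresh_b: bytes) -> bytes:
    """Bind the root key to one PC5 security association via freshness."""
    return kdf(root_key, FC_SESSION, fresh_a, fresh_b)


def pc5_keys(sess_key: bytes, enc_alg: int, int_alg: int):
    """Derive (NRPEK, NRPIK); assumed 128-bit keys = low 16 output bytes."""
    nrpek = kdf(sess_key, FC_ALG_KEY, bytes([TYPE_ENC]), bytes([enc_alg]))[-16:]
    nrpik = kdf(sess_key, FC_ALG_KEY, bytes([TYPE_INT]), bytes([int_alg]))[-16:]
    return nrpek, nrpik


# Constructed sample inputs (not real key material).
ROOT = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
SESS_1 = session_key(ROOT, b"\x01" * 16, b"\x02" * 16)
SESS_2 = session_key(ROOT, b"\x01" * 16, b"\x03" * 16)  # one fresh value changed

if __name__ == "__main__":
    for name, sess in (("association 1", SESS_1), ("association 2", SESS_2)):
        nrpek, nrpik = pc5_keys(sess, enc_alg=2, int_alg=2)
        print(name, "NRPEK", nrpek.hex(), "NRPIK", nrpik.hex())
```

Changing a single freshness value yields unrelated NRPEK/NRPIK pairs for the two associations, and the type distinguisher keeps the encryption and integrity keys distinct even when both are derived from the same session key.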
Purpose & Motivation
The NRPEK was introduced to address the specific confidentiality requirements of 5G NR-based sidelink communications, which are a cornerstone for advanced V2X and ProSe applications. Previous LTE-based PC5 security (defined for LTE V2X) provided a foundation but needed enhancement for the new use cases, higher data rates, and lower latency targets of 5G NR. The creation of a dedicated NR PC5 Encryption Key was motivated by the need for a robust, standardized cryptographic solution that could protect sensitive data exchanged directly between vehicles, between pedestrians and infrastructure, or in public safety scenarios where network coverage might be limited or compromised.
Without NRPEK, direct device-to-device communications over the 5G NR air interface would be vulnerable to eavesdropping, jeopardizing user privacy and safety. For instance, in autonomous driving, location data, sensor sharing, and maneuver coordination messages must be confidential to prevent tracking or malicious interference. The NRPEK, as part of a comprehensive NR PC5 security framework, solves this by providing a standardized, algorithm-agile encryption mechanism that is integrated into the 5G system architecture. It addresses the limitations of pre-5G sidelink security by being natively designed for NR's flexible numerology, resource allocation, and service requirements, ensuring that security does not become a bottleneck for performance or innovation in direct communication services.
Key Features
- Provides confidentiality protection for user plane data on the NR PC5 interface
- Derived from a root key established during PC5-specific authentication and authorization procedures
- Used by NR PDCP layer cryptographic algorithms for encryption/decryption
- Operates in conjunction with a separate NRPIK for integrity, following the principle of key separation
- Managed per PC5 security association, enabling session-specific keying and forward secrecy
- Supports algorithm agility, allowing for the use of different encryption algorithms as defined by 3GPP
Evolution Across Releases
Introduced as part of the foundational NR sidelink (PC5) security architecture for 5G V2X. Defined the key derivation hierarchy, its role in protecting PC5 unicast, groupcast, and broadcast communications, and its integration with the PDCP layer for NR sidelink. Established the separation from LTE PC5 security keys.
Defining Specifications
| Specification | Title |
|---|---|
| TS 24.587 | 3GPP TS 24.587 |
| TS 33.503 | 3GPP TS 33.503 |
| TS 33.536 | 3GPP TS 33.536 |