NR PC5 Encryption Key

Description

The NR PC5 Encryption Key (NRPEK) is a fundamental security element within the 5G sidelink (PC5) security architecture, specifically defined for New Radio (NR) based Proximity Services (ProSe) and Vehicle-to-Everything (V2X) communications. It is a symmetric key derived as part of a key hierarchy during the authentication and key agreement procedures for PC5 communication. The NRPEK is generated by the UE or provided by the network, depending on the security mode and service authorization. Its primary function is to provide confidentiality protection for user plane data and certain control plane signaling messages transmitted directly between UEs over the PC5 reference point, without traversing the network infrastructure.

The key derivation process for NRPEK is specified in 3GPP TS 33.503. Typically, it is derived from a root key established during PC5 authentication and authorization. This process may involve the UE, a ProSe Function in the core network, and in V2X scenarios, a V2X Control Function. The derivation uses Key Derivation Functions (KDFs) with specific input parameters, including freshness parameters to ensure key separation. Once derived and installed in the UE's security environment, the NRPEK is used by the cryptographic algorithms in the PDCP (Packet Data Convergence Protocol) layer for NR sidelink to perform encryption and decryption operations on the data transmitted over the air interface.

The role of NRPEK is critical in enabling secure direct communication. It operates alongside the NR PC5 Integrity Key (NRPIK), which provides integrity protection. The separation of encryption and integrity keys is a standard security practice that limits the impact of a potential key compromise and allows for the independent management of these two security services. The NRPEK is applied per PC5 security association, meaning each secure communication session or group can have its own unique encryption key, providing forward secrecy and containment in case one key is breached. Its management, including activation, deactivation, and refreshment, is handled by the UE's Access Stratum (AS) security mechanisms based on triggers from higher layers or the network.

Purpose & Motivation

The NRPEK was introduced to address the specific confidentiality requirements of 5G NR-based sidelink communications, which are a cornerstone for advanced V2X and ProSe applications. Previous LTE-based PC5 security (defined for LTE V2X) provided a foundation but needed enhancement for the new use cases, higher data rates, and lower latency targets of 5G NR. The creation of a dedicated NR PC5 Encryption Key was motivated by the need for a robust, standardized cryptographic solution that could protect sensitive data exchanged directly between vehicles, between pedestrians and infrastructure, or in public safety scenarios where network coverage might be limited or compromised.

Without NRPEK, direct device-to-device communications over the 5G NR air interface would be vulnerable to eavesdropping, jeopardizing user privacy and safety. For instance, in autonomous driving, location data, sensor sharing, and maneuver coordination messages must be confidential to prevent tracking or malicious interference. The NRPEK, as part of a comprehensive NR PC5 security framework, solves this by providing a standardized, algorithm-agile encryption mechanism that is integrated into the 5G system architecture. It addresses the limitations of pre-5G sidelink security by being natively designed for NR's flexible numerology, resource allocation, and service requirements, ensuring that security does not become a bottleneck for performance or innovation in direct communication services.