NRPIK

NR PC5 Integrity Key

Security
Introduced in Rel-16
A cryptographic key used to provide integrity and replay protection for signaling and data over the 5G NR PC5 sidelink. It ensures messages between devices are not altered or forged, which is vital for the safety and reliability of V2X and direct communication services.

Description

The NR PC5 Integrity Key (NRPIK) is a symmetric cryptographic key that forms the integrity protection component of the security suite for the New Radio (NR) based PC5 interface. This interface enables direct device-to-device (sidelink) communication for 5G Proximity Services (ProSe) and Vehicle-to-Everything (V2X). The NRPIK is derived through a defined key hierarchy, often originating from a master key established during the PC5 link authorization process, which may involve network functions like the ProSe Function or V2X Control Function. Its sole purpose is to enable the receiving UE to verify that a message received over the PC5 interface has not been modified, replayed, or fabricated by an unauthorized party during transmission.

Operationally, the NRPIK is used by the integrity protection algorithm within the PDCP (Packet Data Convergence Protocol) layer for NR sidelink. For each data packet or control message requiring protection, a Message Authentication Code (MAC-I) is calculated using the NRPIK and other inputs, such as the packet data and a count value. This MAC-I is appended to the message before transmission. The receiver, possessing the same NRPIK, recalculates the MAC-I on the received data and compares it to the received value. A mismatch indicates a potential integrity violation, and the packet is discarded. This process protects both user data and critical control signaling, ensuring the authenticity of commands and information exchanges in scenarios like platooning or emergency vehicle notifications.
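The generate-and-verify exchange described above, as an added example that is not taken from the 3GPP specifications. It assumes HMAC-SHA-256 truncated to 32 bits as a stand-in for the NR PDCP integrity algorithm, a simplified frame layout (4-byte count, payload, MAC-I), and a strictly increasing counter in place of the PDCP receive window; all names are hypothetical.

```python
import hashlib
import hmac
import struct

MAC_I_LEN = 4  # assumption: 32-bit MAC-I


def compute_mac_i(nrpik: bytes, count: int, payload: bytes) -> bytes:
    # Stand-in MAC (HMAC-SHA-256, truncated), NOT the 3GPP algorithm.
    # The count is bound into the MAC so a frame cannot be re-labelled.
    msg = struct.pack(">I", count) + payload
    return hmac.new(nrpik, msg, hashlib.sha256).digest()[:MAC_I_LEN]


def protect(nrpik: bytes, count: int, payload: bytes) -> bytes:
    """Sender side: build count | payload | MAC-I (simplified frame)."""
    return struct.pack(">I", count) + payload + compute_mac_i(nrpik, count, payload)


class Receiver:
    """Holds the same NRPIK and the highest count accepted so far."""

    def __init__(self, nrpik: bytes):
        self.nrpik = nrpik
        self.last_count = -1

    def accept(self, frame: bytes):
        """Return the payload if the frame verifies, else None (discard)."""
        if len(frame) < 4 + MAC_I_LEN:
            return None  # too short to carry a count and a MAC-I
        count = struct.unpack(">I", frame[:4])[0]
        payload, mac_i = frame[4:-MAC_I_LEN], frame[-MAC_I_LEN:]
        expected = compute_mac_i(self.nrpik, count, payload)
        if not hmac.compare_digest(expected, mac_i):
            return None  # modified or forged: MAC-I mismatch
        if count <= self.last_count:
            return None  # valid MAC-I but stale count: replay
        self.last_count = count
        return payload


def demo():
    key = bytes(range(16))  # constructed 128-bit key, sample value only
    rx = Receiver(key)
    frame = protect(key, 0, b"brake warning")
    tampered = frame[:4] + b"brake cleared" + frame[-MAC_I_LEN:]
    forged = protect(bytes(16), 1, b"brake warning")  # sender lacks the NRPIK
    return [rx.accept(tampered), rx.accept(frame), rx.accept(frame), rx.accept(forged)]
```

The MAC-I is checked before the count is consulted, so a forged frame cannot advance the receiver's replay state.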

The NRPIK is always used in tandem with the NR PC5 Encryption Key (NRPEK) for a complete security association, but it is a distinct key. This separation of integrity and encryption keys is a fundamental security design principle that limits the scope of compromise if one key is exposed and allows for independent algorithm evolution. The NRPIK is managed on a per-security-association basis, meaning each secure PC5 communication link or group has its own unique integrity key. Key lifecycle management, including derivation, activation, and potential renewal, is controlled by protocols defined in the 3GPP specifications, ensuring keys remain fresh and resistant to cryptanalytic attacks over time.

Purpose & Motivation

The NRPIK was created to fulfill the critical integrity and origin authentication requirements for 5G NR sidelink communications, which are essential for safety-of-life and reliable commercial applications. In LTE-based V2X, integrity protection was also defined, but the advent of 5G NR sidelink with enhanced capabilities (like advanced resource allocation, higher frequencies, and new use cases such as sensor sharing) necessitated a new, NR-native key hierarchy and integration. The motivation stems from the severe consequences of receiving forged or altered messages in direct communication scenarios; for example, a tampered brake warning message between vehicles could lead to accidents.

Prior to standardized integrity protection, direct communications were vulnerable to message injection, modification, and replay attacks. The NRPIK addresses these threats by providing a standardized, cryptographically robust mechanism to verify message authenticity. Its development was driven by automotive industry demands, public safety requirements, and the general need for trustworthy direct communication as part of the 5G ecosystem. It solves the problem of ensuring data trustworthiness in a decentralized communication model where there is no always-on network intermediary to validate messages, thereby enabling secure and reliable autonomous coordination between devices at the edge of the network.

Key Features

  • Provides integrity and replay protection for data and signaling on the NR PC5 interface
  • Derived alongside the NRPEK as part of the NR PC5 key hierarchy following authentication
  • Utilized by the NR PDCP layer to generate and verify Message Authentication Codes (MAC-I)
  • A distinct key from the NRPEK, enforcing the separation of integrity and confidentiality functions
  • Applied per PC5 security association, ensuring isolation between different communication sessions
  • Essential for guaranteeing message authenticity in safety-critical V2X and ProSe applications

Evolution Across Releases

Rel-16 Initial

Introduced alongside NRPEK as a core component of the new NR PC5 security framework. Defined its derivation method, its application for integrity protection in NR sidelink unicast, groupcast, and broadcast modes, and its mandatory use with specific PDCP security algorithms for NR.

Defining Specifications

Specification    Title
TS 24.587        3GPP TS 24.587
TS 33.503        3GPP TR 33.503
TS 33.536        3GPP TR 33.536