NR PC5 Integrity Key

Description

The NR PC5 Integrity Key (NRPIK) is a symmetric cryptographic key that forms the integrity protection component of the security suite for the New Radio (NR) based PC5 interface. This interface enables direct device-to-device (sidelink) communication for 5G Proximity Services (ProSe) and Vehicle-to-Everything (V2X). The NRPIK is derived through a defined key hierarchy, often originating from a master key established during the PC5 link authorization process, which may involve network functions like the ProSe Function or V2X Control Function. Its sole purpose is to enable the receiving UE to verify that a message received over the PC5 interface has not been modified, replayed, or fabricated by an unauthorized party during transmission.

Operationally, the NRPIK is used by the integrity protection algorithm within the PDCP (Packet Data Convergence Protocol) layer for NR sidelink. For each data packet or control message requiring protection, a Message Authentication Code (MAC-I) is calculated using the NRPIK and other inputs, such as the packet data and a count value. This MAC-I is appended to the message before transmission. The receiver, possessing the same NRPIK, recalculates the MAC-I on the received data and compares it to the received value. A mismatch indicates a potential integrity violation, and the packet is discarded. This process protects both user data and critical control signaling, ensuring the authenticity of commands and information exchanges in scenarios like platooning or emergency vehicle notifications.

The NRPIK is always used in tandem with the NR PC5 Encryption Key (NRPEK) for a complete security association, but it is a distinct key. This separation of integrity and encryption keys is a fundamental security design principle that limits the scope of compromise if one key is exposed and allows for independent algorithm evolution. The NRPIK is managed on a per-security-association basis, meaning each secure PC5 communication link or group has its own unique integrity key. Key lifecycle management, including derivation, activation, and potential renewal, is controlled by protocols defined in the 3GPP specifications, ensuring keys remain fresh and resistant to cryptanalytic attacks over time.

Purpose & Motivation

The NRPIK was created to fulfill the critical integrity and origin authentication requirements for 5G NR sidelink communications, which are essential for safety-of-life and reliable commercial applications. In LTE-based V2X, integrity protection was also defined, but the advent of 5G NR sidelink with enhanced capabilities (like advanced resource allocation, higher frequencies, and new use cases such as sensor sharing) necessitated a new, NR-native key hierarchy and integration. The motivation stems from the severe consequences of receiving forged or altered messages in direct communication scenarios; for example, a tampered brake warning message between vehicles could lead to accidents.

Prior to standardized integrity protection, direct communications were vulnerable to message injection, modification, and replay attacks. The NRPIK addresses these threats by providing a standardized, cryptographically robust mechanism to verify message authenticity. Its development was driven by automotive industry demands, public safety requirements, and the general need for trustworthy direct communication as part of the 5G ecosystem. It solves the problem of ensuring data trustworthiness in a decentralized communication model where there is no always-on network intermediary to validate messages, thereby enabling secure and reliable autonomous coordination between devices at the edge of the network.