PEK

ProSe Encryption Key

Security
Introduced in Rel-12
A cryptographic key used in Proximity Services (ProSe) for securing direct communication between nearby User Equipments (UEs). It encrypts user plane data exchanged over the PC5 interface, ensuring confidentiality for Device-to-Device (D2D) and Vehicle-to-Everything (V2X) communications.

Description

The ProSe Encryption Key (PEK) is a fundamental security element within the 3GPP Proximity Services (ProSe) architecture, first standardized in Release 12. It is specifically used to provide confidentiality protection for user data transmitted directly between UEs over the sidelink PC5 reference point. The PEK is generated and managed as part of the ProSe security context. Typically, this context is established during the ProSe Direct Discovery or Direct Communication authorization and key establishment procedures, which may involve the ProSe Function in the network. The key is derived using key derivation functions (KDFs) specified in 3GPP TS 33.303, often from a root key like the ProSe Key (PK). Once derived, the PEK is provided to the involved UEs. In the protocol stack, the PEK is used by the Packet Data Convergence Protocol (PDCP) layer, as specified in TS 36.323 for LTE-based ProSe and its equivalents for NR sidelink. The PDCP layer uses the PEK to perform encryption (and potentially integrity protection, though that may use a separate key) on the user plane packets before they are transmitted over the PC5 interface. The receiving UE's PDCP layer uses the same PEK to decrypt the data. The lifecycle of the PEK, including its derivation, activation, usage, and deletion, is strictly controlled by the UE's security management functions to prevent key reuse and ensure forward secrecy. Its role is critical in scenarios like public safety D2D communication and V2X, where direct UE-to-UE links must be as secure as network-relayed connections.
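As an added illustration of the derivation step described above (not code from this page or from any 3GPP specification), the following sketch implements the generic 3GPP key derivation construction from TS 33.220 Annex B, HMAC-SHA-256 over a length-tagged input string, and applies it to a PEK-style derivation. The FC value, the `derive_pek` helper, the context parameters and the sample parent key are assumptions or constructed values; the actual inputs for the PEK are defined in TS 33.303.

```python
import hashlib
import hmac

# Placeholder only: the real FC value for PEK derivation is assigned by 3GPP
# and is not given on this page.
FC_PLACEHOLDER = 0xFF


def kdf_3gpp(key: bytes, fc: int, params: list[bytes]) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256(key, S), where
    S = FC || P0 || L0 || P1 || L1 || ... and Li is the two-octet
    big-endian length of Pi."""
    if not 0 <= fc <= 0xFF:
        raise ValueError("FC must fit in one octet")
    s = bytes([fc])
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("parameter too long for a two-octet length")
        # The length field after each parameter removes concatenation
        # ambiguity: ("ab", "c") and ("a", "bc") yield different S strings.
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_pek(parent_key: bytes, context: list[bytes]) -> bytes:
    """Hypothetical helper: derive a PEK-style key from a 256-bit parent key.
    The context parameters are illustrative, not the TS 33.303 inputs."""
    if len(parent_key) != 32:
        raise ValueError("expected a 256-bit parent key")
    return kdf_3gpp(parent_key, FC_PLACEHOLDER, context)


# Constructed sample values, for demonstration only.
SAMPLE_PARENT_KEY = bytes(range(32))
SAMPLE_CONTEXT_A = [b"group-1", b"\x01"]
SAMPLE_CONTEXT_B = [b"group-1", b"\x02"]

if __name__ == "__main__":
    pek_a = derive_pek(SAMPLE_PARENT_KEY, SAMPLE_CONTEXT_A)
    pek_b = derive_pek(SAMPLE_PARENT_KEY, SAMPLE_CONTEXT_B)
    # Changing one context parameter gives an unrelated key (key separation).
    print(pek_a.hex())
    print(pek_b.hex())
    print("distinct:", pek_a != pek_b)
```

Because the derived key depends on every context parameter, both UEs must hold identical inputs to arrive at the same key, and a key derived for one context cannot be substituted in another.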

Purpose & Motivation

The PEK was introduced to address the security requirements of direct Device-to-Device (D2D) communication, a cornerstone of Proximity Services (ProSe). Before ProSe, all UE communication was routed through the network infrastructure (e.g., eNB, gNB), which inherently provided a point for applying standard cellular security mechanisms. The introduction of direct PC5 communication for public safety, commercial D2D, and later V2X created a new attack surface where eavesdroppers could intercept transmissions between nearby devices. Traditional cellular security keys (like K_eNB) were not applicable to this direct link. The PEK solves this by providing a dedicated encryption key for the PC5 user plane. Its creation was motivated by the need for secure off-network communication, essential for first responders when cellular infrastructure is damaged. It also enables secure V2X applications where vehicles exchange safety messages (e.g., collision warnings) directly, requiring strong confidentiality to protect driver privacy and prevent spoofing attacks. The PEK fills the security gap for direct communication, ensuring that ProSe services meet the stringent confidentiality requirements expected from 3GPP systems.

Key Features

  • Provides confidentiality for user data on the PC5 sidelink interface
  • Derived as part of the ProSe security key hierarchy defined in TS 33.303
  • Utilized by the PDCP layer for encryption/decryption procedures
  • Supports both LTE-based ProSe and NR sidelink (V2X) communications
  • Managed through ProSe key establishment and management procedures
  • Enables secure direct communication independent of network infrastructure

Evolution Across Releases

Rel-12 Initial

Initial definition of the PEK as part of the ProSe security architecture for LTE-based Device-to-Device (D2D) communication. Specified its derivation from the ProSe Key (PK) and its use for securing direct communication between UEs over the PC5 interface.

Defining Specifications

Specification   Title
TS 33.303       3GPP TR 33.303
TS 36.323       3GPP TR 36.323