Description
The ProSe Encryption Key (PEK) is a fundamental security element within the 3GPP Proximity Services (ProSe) architecture, first standardized in Release 12. It is specifically used to provide confidentiality protection for user data transmitted directly between UEs over the sidelink PC5 reference point. The PEK is generated and managed as part of the ProSe security context. Typically, this context is established during the ProSe Direct Discovery or Direct Communication authorization and key establishment procedures, which may involve the ProSe Function in the network. The key is derived using key derivation functions (KDFs) specified in 3GPP TS 33.303, often from a root key like the ProSe Key (PK). Once derived, the PEK is provided to the involved UEs.
In the protocol stack, the PEK is used by the Packet Data Convergence Protocol (PDCP) layer, as specified in TS 36.323 for LTE-based ProSe and its equivalents for NR sidelink. The PDCP layer uses the PEK to perform encryption (and potentially integrity protection, though that may use a separate key) on the user plane packets before they are transmitted over the PC5 interface. The receiving UE's PDCP layer uses the same PEK to decrypt the data.
The lifecycle of the PEK, including its derivation, activation, usage, and deletion, is strictly controlled by the UE's security management functions to prevent key reuse and ensure forward secrecy. Its role is critical in scenarios like public safety D2D communication and V2X, where direct UE-to-UE links must be as secure as network-relayed connections.
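The derivation step described above, sketched as an added example (not taken from the page or from 3GPP text) using the generic 3GPP KDF construction of TS 33.220 Annex B: HMAC-SHA-256 over an FC octet followed by length-tagged parameters. The FC value, the choice of parameters (algorithm identity, context bytes), the root key and the truncation to 128 bits are assumptions for illustration; the normative inputs are defined in TS 33.303.

```python
import hashlib
import hmac


def kdf_3gpp(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, S) with
    S = FC || P0 || L0 || P1 || L1 ..., Li = 2-octet big-endian length of Pi."""
    if not 0 <= fc <= 0xFF:
        raise ValueError("FC is a single octet")
    s = bytes([fc])
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("parameter too long for a 2-octet length field")
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


# Placeholder FC octet for this sketch; NOT the value assigned in TS 33.303.
FC_PLACEHOLDER = 0x00


def derive_pek(root_key: bytes, algorithm_id: int, context: bytes) -> bytes:
    """Hypothetical PEK derivation: bind the key to the selected cipher and
    to a session/group context, then keep 128 bits for the cipher."""
    if len(root_key) != 32:
        raise ValueError("expected a 256-bit root key")
    out = kdf_3gpp(root_key, FC_PLACEHOLDER, bytes([algorithm_id]), context)
    return out[-16:]  # assumption: the 128 least significant bits are used


def demo() -> dict:
    """Derive keys from constructed inputs and show key separation."""
    root = bytes(range(32))          # constructed sample root key
    ctx_a = b"group-A"               # constructed context labels
    ctx_b = b"group-B"
    return {
        "pek_alg1_a": derive_pek(root, 1, ctx_a),
        "pek_alg2_a": derive_pek(root, 2, ctx_a),
        "pek_alg1_b": derive_pek(root, 1, ctx_b),
    }


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name}: {key.hex()}")
```

The per-parameter length fields are what keep two different parameter splits from producing the same input string, so keys derived for different algorithms or contexts stay independent even under the same root key.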
Purpose & Motivation
The PEK was introduced to address the security requirements of direct Device-to-Device (D2D) communication, a cornerstone of Proximity Services (ProSe). Before ProSe, all UE communication was routed through the network infrastructure (e.g., eNB, gNB), which inherently provided a point for applying standard cellular security mechanisms. The introduction of direct PC5 communication for public safety, commercial D2D, and later V2X created a new attack surface where eavesdroppers could intercept transmissions between nearby devices. Traditional cellular security keys (like K_eNB) were not applicable to this direct link. The PEK solves this by providing a dedicated encryption key for the PC5 user plane. Its creation was motivated by the need for secure off-network communication, essential for first responders when cellular infrastructure is damaged. It also enables secure V2X applications where vehicles exchange safety messages (e.g., collision warnings) directly, requiring strong confidentiality to protect driver privacy and prevent spoofing attacks. The PEK fills the security gap for direct communication, ensuring that ProSe services meet the stringent confidentiality requirements expected from 3GPP systems.
Detected Changes Across Releases
From 3GPP Change Requests. Specific changes extracted from the "Change history" tables of 3GPP specifications (3 CRs across 1 release). Complements the general historical overview above with the evidence-based evolution of this function.
Studied in Rel-12, normative work from Rel-17.
In Release 17, the primary new introduction for the PEK function was support for TLS version 1.3 to protect data transfer between the UE and the ProSe Function over the PC3 reference point. This update modernized the security protocol used for procedures like service authorization and configuration data transfer. Additionally, corrections were made to related documentation and restricted discovery procedures for 4G ProSe.
Defining Specifications
3GPP specifications that define or reference PEK, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 33.303 vj00 | ProSe Security Specification for EPS | Rel-19 |
| TS 36.323 vj00 | PDCP Protocol Specification | Rel-19 |