PKI

Public Key Infrastructure

Security
Introduced in R99
PKI is a framework of policies, roles, hardware, software, and procedures for creating, managing, distributing, using, storing, and revoking digital certificates. In 3GPP, it establishes trust for network entities, applications, and users, enabling secure authentication, encryption, and digital signatures across the ecosystem.

Description

A Public Key Infrastructure (PKI) is a comprehensive system that enables secure electronic transfer of information by providing a trusted foundation for issuing, managing, and validating digital certificates that bind public keys to identities. Within the 3GPP architecture, PKI is not a single network element but a pervasive framework that underpins trust for a wide array of services and network functions. Its key components include the Certificate Authority (CA), which issues and signs certificates; the Registration Authority (RA), which verifies identity before a certificate is issued; and the Validation Authority or repository, which stores certificates and Certificate Revocation Lists (CRLs).

How PKI works in a 3GPP context involves several processes. First, a network entity (such as a gNB, an MME, or an application server) generates a public-private key pair. It then submits a certificate signing request (CSR) to a trusted CA within the operator's or a third party's PKI. The CA, after verifying the entity's identity through the RA, issues a digital certificate—a digitally signed document stating that the contained public key belongs to that specific entity. This certificate is then used in security protocols. For example, when TLS secures an interface between 3GPP network elements, the server presents its certificate to the client to authenticate itself. The client validates the certificate by checking the CA's signature on it and by checking its revocation status via a CRL or OCSP.
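The enrolment and validation flow just described, as an added example written for this page in Go with only the standard library (it is illustrative code, not 3GPP's or any vendor's implementation). It assumes a single operator root CA issuing directly to a network function (no intermediate CAs), an in-memory CRL standing in for a published CRL or OCSP responder, and constructed names and serial numbers throughout; the NF name amf.5gc.operator.example and the CA name are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panics on error; used only for the in-memory demo setup
	if err != nil {
		panic(err)
	}
	return v
}

// NewDemoPKI plays both sides of enrolment: the NF generates a key pair and a CSR, the CA checks
// the CSR and issues a certificate, then publishes a CRL listing it only when revoke is set.
func NewDemoPKI(nfName string, revoke bool) (roots *x509.CertPool, leafDER, crlDER []byte) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{ // self-signed operator root CA; name is constructed
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Operator Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	caCert := must(x509.ParseCertificate(caDER))
	roots = x509.NewCertPool() // the trust anchor every relying party holds
	roots.AddCert(caCert)
	nfKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // NF side: its own key pair and CSR
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: nfName},
		DNSNames: []string{nfName},
	}, nfKey))
	// CA side: the CSR signature proves possession of the private key (RA identity vetting is
	// out of band and assumed to have passed); the certificate is then issued for mutual TLS.
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		panic("CSR proof of possession failed: " + err.Error())
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4711),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	leafDER = must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, csr.PublicKey, caKey))
	crlTmpl := &x509.RevocationList{ // CA side: publish the CRL
		Number:     big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(time.Hour),
	}
	if revoke {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leafTmpl.SerialNumber, RevocationTime: now}}
	}
	crlDER = must(x509.CreateRevocationList(rand.Reader, crlTmpl, caCert, caKey))
	return roots, leafDER, crlDER
}

// ValidateForTLS is the relying-party check a peer performs on a presented certificate: build a
// chain to a trusted root, match the expected name and key usage, then consult the issuer's CRL.
func ValidateForTLS(leafDER, crlDER []byte, roots *x509.CertPool, expectedName string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedName, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	if err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	// A CRL counts only if the leaf's actual issuer signed it and it is still within its validity.
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil {
		return fmt.Errorf("CRL signature check failed: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL expired at %s, revocation status unknown", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", leaf.SerialNumber)
		}
	}
	return nil
}
```

Calling `NewDemoPKI("amf.5gc.operator.example", false)` and then `ValidateForTLS(leaf, crl, roots, "amf.5gc.operator.example")` returns nil; the same call with a different expected name, with a certificate built by a second (untrusted) CA, or after `NewDemoPKI(..., true)` has revoked the serial returns an error. Two points the page's description leaves implicit are made explicit here: the CRL is checked against the certificate's actual issuer (`chains[0][1]`, which is the next certificate up the verified chain even when intermediates exist), and an expired CRL is treated as "status unknown" rather than "not revoked".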

The role of PKI in the network is fundamental. It enables mutual authentication between network functions in Service-Based Architectures (SBA), secures the provisioning of credentials to UEs and UICCs, supports lawful interception by providing keys for encryption, and authenticates users and devices for application services. It is the trust anchor for technologies like 5G network slicing, where different slices may require distinct security policies and certificates. PKI ensures that every entity in the complex 3GPP ecosystem can be cryptographically identified and trusted.

Purpose & Motivation

PKI was created to solve the fundamental problem of scalable trust in digital communications. Prior to PKI, secure communication required pre-shared secrets between every pair of entities, which is infeasible in large, open networks like the internet or global mobile systems. The purpose of PKI is to provide a mechanism where two parties who have no prior relationship can establish trust through a chain of certificates leading back to a mutually trusted third party (the CA).

In the historical context of 3GPP, the need for PKI grew with each generation. Early GSM relied on symmetric keys in the SIM. With 3G and the introduction of IP-based services, there was a need for secure web access, VPNs, and application security, which required digital certificates. 3GPP standardized PKI to support features like Generic Bootstrapping Architecture (GBA), where a UE obtains application-specific keys from the network, a process secured by PKI. It also addresses the limitations of manual key distribution by automating the lifecycle management of digital identities through issuance, renewal, and revocation. The motivation was to create a flexible, standards-based trust model that could support the evolving security requirements of mobile networks, from device authentication to securing network slicing and edge computing in 5G and beyond.

Key Features

  • Issues and manages X.509 digital certificates binding keys to identities
  • Provides a trusted hierarchy of Certificate Authorities (CAs)
  • Manages certificate lifecycle: issuance, renewal, suspension, and revocation
  • Supports Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP)
  • Enables secure mutual authentication between network functions and entities
  • Forms the trust foundation for TLS/SSL, digital signatures, and secure credential provisioning

Evolution Across Releases

R99 Initial

PKI concepts were initially introduced in 3GPP Release 1999 (R99), primarily to support emerging IP-based services and security requirements beyond the core circuit-switched network. This release laid the groundwork by referencing PKI for certificate management in early specifications, setting the stage for its use in securing new application domains and network interfaces within the evolving 3G architecture.

Defining Specifications

Specification   Title
TS 22.112       3GPP TS 22.112
TS 23.057       3GPP TS 23.057
TS 24.109       3GPP TS 24.109
TS 26.233       3GPP TS 26.233
TS 29.116       3GPP TS 29.116
TS 29.368       3GPP TS 29.368
TS 32.101       3GPP TR 32.101
TS 32.808       3GPP TR 32.808
TS 33.122       3GPP TR 33.122
TS 33.220       3GPP TR 33.220
TS 33.221       3GPP TR 33.221
TS 33.310       3GPP TR 33.310
TS 33.320       3GPP TR 33.320
TS 33.749       3GPP TR 33.749
TS 33.812       3GPP TR 33.812
TS 33.820       3GPP TR 33.820
TS 33.834       3GPP TR 33.834
TS 33.876       3GPP TR 33.876
TS 33.880       3GPP TR 33.880
TS 33.919       3GPP TR 33.919
TS 33.938       3GPP TR 33.938