Description
A Public Key Infrastructure (PKI) is the set of roles, policies and procedures for issuing, managing and validating digital certificates that bind public keys to identities; it is the trusted foundation on which certificate-based authentication and encryption are built. Within the 3GPP architecture, PKI is not a single network element but a pervasive framework that underpins trust for a wide range of services and network functions. Its key components are the Certificate Authority (CA), which issues and signs certificates; the Registration Authority (RA), which verifies an applicant's identity before a certificate is issued; and the repository or Validation Authority, which publishes certificates and Certificate Revocation Lists (CRLs) and, where OCSP is used, answers revocation queries.
In a 3GPP network the process has several steps. A network entity (a gNB, an MME, a 5G core network function or an application server) generates a public/private key pair and sends a certificate signing request (CSR) carrying the public key to a CA in the operator's PKI or in a third-party PKI the operator trusts; for network elements, TS 33.310 specifies CMPv2 as the enrolment protocol. After the RA has verified the entity's identity, the CA issues a digital certificate: a signed statement that the contained public key belongs to that named entity. The certificate is then used in security protocols, for example TLS on the service-based interfaces of the 5G core and IKEv2 for IPsec between network domains. The server presents its certificate to the client, and the client validates it by building a chain from the certificate to a trust anchor it already holds, checking every signature in the chain, the validity period and that the name in the certificate matches the peer it meant to reach, and checking revocation status against a CRL or an OCSP response. A failure at any of these steps means the peer is not authenticated and the connection must be refused.
The role of PKI in the network is fundamental. It enables mutual authentication between network functions in the Service-Based Architecture (SBA), where each NF acts as both TLS client and TLS server and must present a certificate in either role; it secures the provisioning of credentials to UEs and UICCs (for instance subscriber certificates obtained via GBA, TS 33.221); it protects the interfaces between the network and lawful interception functions with certificate-based TLS; and it authenticates users and devices for application services. It also provides the trust anchors for 5G network slicing, where different slices may be subject to distinct security policies and therefore distinct certificate policies. PKI is what allows every entity in the 3GPP ecosystem to be cryptographically identified and its claims verified.
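The issuance and validation flow described above, and the client-plus-server role an SBA network function plays, as an added example that is not code from this page or from any 3GPP specification. It uses Go's standard crypto/x509 package to stand up a hypothetical operator root CA, issue a certificate to an invented AMF instance, validate it the way a relying NF would (chain to the trust anchor, name match, CRL check), and then revoke it and show the CRL check rejecting it. Everything is constructed in memory; the CSR/RA step is collapsed to handing the public key to the CA, and CMPv2 enrolment is not modelled. The CA name and the AMF/SMF FQDNs are assumptions made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical names for an operator root CA and one AMF instance; constructed
// for this example, not taken from any 3GPP specification.
const (
	rootCN  = "Example Operator Root CA"
	amfFQDN = "amf1.5gc.mnc001.mcc001.3gppnetwork.org"
)

// must keeps the demo short: setup failures (key generation, signing) panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// signCert signs tmpl with the parent's key and returns the parsed certificate.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))
	return must(x509.ParseCertificate(der))
}

// newRootCA is the operator's trust anchor: self-signed, keyCertSign and cRLSign.
// Go fills in SubjectKeyId for a CA template; CreateRevocationList requires it.
func newRootCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: rootCN},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return signCert(tmpl, tmpl, &key.PublicKey, key), key
}

// issue plays CA for one network function. The NF generates its own key pair and
// only the public key reaches the CA (the CSR step); the RA identity check is
// assumed to have passed. The NF keeps nfKey for TLS, so it is not returned.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, fqdn string) *x509.Certificate {
	nfKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return signCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: fqdn},
		DNSNames:  []string{fqdn}, // name matching uses the SAN, not the CN
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		// An SBA NF is both TLS client and TLS server, so both roles are allowed.
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, ca, &nfKey.PublicKey, caKey)
}

// makeCRL signs a DER CRL listing the revoked serials, valid for 24 hours.
func makeCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, number int64, revoked []x509.RevocationListEntry) []byte {
	return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(number), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificateEntries: revoked,
	}, ca, caKey))
}

// Validate is what a relying NF does with a peer certificate: build a chain to a
// trust anchor (signatures, validity period), match the expected name, then consult
// the issuer's CRL, which only counts if it is correctly signed and still fresh.
func Validate(peer *x509.Certificate, roots *x509.CertPool, expectedFQDN string, crlDER []byte) error {
	chains, err := peer.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedFQDN})
	if err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0] is [leaf, root]
		return fmt.Errorf("crl signature: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("crl: stale since %v, not authoritative", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return fmt.Errorf("certificate revoked at %v", e.RevocationTime)
		}
	}
	return nil
}

// Scenario runs issue -> validate -> revoke -> validate; a nil result means accepted.
func Scenario() (accepted, wrongName, afterRevoke error) {
	ca, caKey := newRootCA()
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	amf := issue(ca, caKey, 1001, amfFQDN)
	crl := makeCRL(ca, caKey, 1, nil)
	accepted = Validate(amf, roots, amfFQDN, crl)
	// The same certificate presented under another NF's name (an invented SMF).
	wrongName = Validate(amf, roots, "smf1.5gc.mnc001.mcc001.3gppnetwork.org", crl)
	revoked := []x509.RevocationListEntry{{SerialNumber: amf.SerialNumber, RevocationTime: time.Now()}}
	afterRevoke = Validate(amf, roots, amfFQDN, makeCRL(ca, caKey, 2, revoked))
	return accepted, wrongName, afterRevoke
}

func main() {
	a, w, r := Scenario()
	fmt.Printf("right name: %v\nwrong name: %v\nafter revocation: %v\n", a, w, r)
}
```

Run it with `go run` (Go 1.21 or later, for RevocationListEntry). The three outcomes are the point: the freshly issued certificate passes; the same certificate presented under another NF's name fails at hostname matching before revocation is even consulted; and after revocation the chain still verifies, so only the CRL step rejects it. A relying party that skips revocation, or keeps honouring a CRL past its NextUpdate, is still trusting a key the operator has withdrawn.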
Purpose & Motivation
PKI was created to solve the fundamental problem of scalable trust in digital communications. Without it, secure communication requires a pre-shared secret between every pair of entities, so the number of secrets grows with the square of the number of parties, which is infeasible in large, open networks such as the internet or global mobile systems. PKI instead lets two parties with no prior relationship establish trust through a chain of certificates leading back to a third party both already trust (the CA).
In the historical context of 3GPP, the need for PKI grew with each generation. Early GSM relied on symmetric keys in the SIM. With 3G and the introduction of IP-based services came the need for secure web access, VPNs and application-layer security, which required digital certificates. 3GPP's Generic Bootstrapping Architecture (GBA, TS 33.220) derives application-specific keys for the UE from the AKA credentials on the UICC rather than from PKI; PKI enters alongside it: TS 33.221 uses the GBA-established shared key to secure the enrolment of a subscriber certificate, and the application servers (NAFs) that consume the bootstrapped keys over HTTPS authenticate themselves to the UE with server certificates. PKI also removes the limitations of manual key distribution by automating the lifecycle of digital identities: issuance, renewal and revocation. The motivation was a flexible, standards-based trust model that could follow the evolving security requirements of mobile networks, from device authentication to securing network slicing and edge computing in 5G and beyond.
Evolution Across Releases
PKI concepts were initially introduced in 3GPP Release 1999 (R99), primarily to support emerging IP-based services and security requirements beyond the circuit-switched core. That release laid the groundwork by referencing certificate management in early specifications, setting the stage for its use in securing new application domains and network interfaces in the 3G architecture. The specifications listed under Defining Specifications trace the later use: subscriber certificates via GBA (TS 33.221), the authentication framework for network nodes (TS 33.310), H(e)NB security (TS 33.320), certificate management for the 5G core (TR 33.876) and the cryptographic inventory for 5G (TR 33.938).
Defining Specifications
3GPP specifications that define or reference PKI, with the latest known release, sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 22.112 v1800 | USAT Gateway System Specification | Rel-8 |
| TS 23.057 vj00 | Mobile Execution Environment (MExE) Specification | Rel-19 |
| TS 24.109 vj00 | HTTP Digest AKA & GAA Stage 3 | Rel-19 |
| TS 26.233 vf00 | 3GPP Packet-Switched Streaming Service (PSS) | Rel-15 |
| TS 29.116 vj00 | REST-based protocol for xMB reference point | Rel-19 |
| TS 29.368 vj00 | Tsp Reference Point Stage 3 Specification | Rel-19 |
| TS 32.101 vj00 | Management principles and high-level requirements | Rel-19 |
| TR 32.808 v1800 | Common User Profile Storage Framework | Rel-8 |
| TS 33.122 vj20 | Security Architecture for CAPIF | Rel-19 |
| TS 33.220 vj00 | Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA) | Rel-19 |
| TS 33.221 vj00 | Subscriber Certificate Distribution via GBA | Rel-19 |
| TS 33.310 vj50 | 3GPP Authentication Framework for Network Nodes | Rel-19 |
| TS 33.320 vj00 | H(e)NB Subsystem Security Architecture | Rel-19 |
| TR 33.749 vj00 | Study on security aspects of edge computing enhancement | Rel-19 |
| TR 33.812 v920 | M2M Remote Subscription Management Security | Rel-9 |
| TR 33.820 v1830 | Home NodeB/eNodeB Security Architecture | Rel-8 |
| TR 33.834 vg10 | Long Term Key Update Procedures Study | Rel-16 |
| TR 33.876 vi01 | Technical Report on Certificate Management | Rel-18 |
| TR 33.880 vf10 | Security Study for Enhanced Mission Critical Services | Rel-15 |
| TR 33.919 vj00 | GAA Overview TR | Rel-19 |
| TR 33.938 vj10 | 3GPP Cryptographic Inventory for 5G | Rel-19 |