PRINS

Protocol for N32 Interconnect Security

Introduced in Rel-15

PRINS is a 3GPP security protocol that protects signaling messages over the N32 interface between separate 5G core networks, ensuring confidentiality, integrity, and replay protection for inter-PLMN communications like roaming.

Category: Security
Introduced: Rel-15
Where: Core Network › 5G Core
Specifications: 2 specs

Description

PRINS (Protocol for N32 Interconnect Security) is a standardized security mechanism specified in 3GPP for securing the N32 interface, which interconnects the security edge protection proxies (SEPPs) of two different public land mobile networks (PLMNs). The N32 interface is used for inter-PLMN signaling, primarily in roaming and interconnection scenarios, where network functions (NFs) like the AMF, SMF, or UDM in one PLMN need to communicate with counterparts in another PLMN. PRINS provides end-to-end protection for these signaling messages between the SEPPs, ensuring that sensitive data traversing untrusted network boundaries remains secure.

Architecturally, PRINS operates at the application layer, leveraging JSON Web Encryption (JWE) and JSON Web Signature (JWS) as defined in IETF RFCs, tailored for 3GPP's use cases. The source SEPP encrypts and integrity-protects the HTTP/2-based N32 messages before forwarding them to the destination SEPP, while protocols like HTTP/2 with TLS provide hop-by-hop security. The destination SEPP then validates and decrypts the messages. PRINS supports two modes: the 'direct mode,' where a pre-shared key or certificate-based trust is established between SEPPs, and the 'indirect mode,' which may involve a security intermediary for key management. Key components include security policies negotiated via the N32-f interface, key derivation mechanisms, and algorithms for encryption (e.g., AES-GCM) and signing (e.g., ES256).

How it works: When an NF in the home PLMN sends a signaling message (e.g., a subscription update) to a visited PLMN, it reaches the home SEPP. The home SEPP applies PRINS by serializing the message into a JWE object for confidentiality and optionally wrapping it in a JWS for integrity. This protected payload is then transmitted over N32 to the visited PLMN's SEPP, which verifies the JWS (if used) and decrypts the JWE using keys established through a prior security association. The decrypted message is forwarded to the target NF. This process ensures that even if the inter-PLMN link is compromised, the message content and its origin are safeguarded, preventing eavesdropping, tampering, or replay attacks.
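The JWE step described above, as an added example (not part of the original page and not code from 3GPP or any SEPP vendor): a source SEPP protects a message with AES-GCM, and the destination SEPP rejects a modified cleartext part and a replayed copy. The function names, the sample message and the IV-based replay cache are assumptions; the layout is the generic RFC 7516 flattened JSON serialization, not the exact N32-f message format.

```javascript
// Added illustration, not 3GPP or vendor code. Field layout follows the RFC 7516
// flattened JSON serialization; function names and sample values are hypothetical.
const crypto = require('crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');
const unb64u = (s) => Buffer.from(s, 'base64url');

// Sending SEPP: encrypt the sensitive part and bind the cleartext part as AAD.
function seppProtect(key, clearPart, sensitivePart) {
  const prot = b64u(JSON.stringify({ alg: 'dir', enc: 'A256GCM' }));
  const aad = b64u(JSON.stringify(clearPart));
  const iv = crypto.randomBytes(12); // 96-bit GCM nonce, must never repeat under one key
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(`${prot}.${aad}`, 'ascii')); // AAD construction from RFC 7516, section 5.1
  const ct = Buffer.concat([c.update(JSON.stringify(sensitivePart), 'utf8'), c.final()]);
  return { protected: prot, aad, iv: b64u(iv), ciphertext: b64u(ct), tag: b64u(c.getAuthTag()) };
}

// Receiving SEPP: pin the algorithms, refuse replays, then authenticate and decrypt.
// seenIvs is an assumed per-peer replay cache (a Set), not a mechanism from the page.
function seppUnprotect(key, jwe, seenIvs) {
  const hdr = JSON.parse(unb64u(jwe.protected).toString());
  if (hdr.alg !== 'dir' || hdr.enc !== 'A256GCM') throw new Error('unexpected algorithm');
  const iv = unb64u(jwe.iv);
  const ivId = iv.toString('hex'); // key the cache on decoded bytes, not on the encoding
  if (seenIvs.has(ivId)) throw new Error('replay');
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAAD(Buffer.from(`${jwe.protected}.${jwe.aad}`, 'ascii'));
  d.setAuthTag(unb64u(jwe.tag));
  // final() throws if the tag does not match the ciphertext, header and AAD
  const pt = Buffer.concat([d.update(unb64u(jwe.ciphertext)), d.final()]);
  seenIvs.add(ivId); // record only after authentication so forgeries cannot poison the cache
  return { clear: JSON.parse(unb64u(jwe.aad).toString()), sensitive: JSON.parse(pt.toString()) };
}

// Runs three receive attempts on a constructed message and returns each outcome.
function demo() {
  const key = crypto.randomBytes(32); // stands in for the key both SEPPs already share
  const seen = new Set();
  const attempt = (m) => {
    try { seppUnprotect(key, m, seen); return 'accepted'; }
    catch (e) { return e.message === 'replay' ? 'replay' : 'rejected'; }
  };
  const msg = seppProtect(key, { method: 'POST', path: '/example/v1/items' }, { supi: 'imsi-001010000000001' });
  const forged = { ...msg, aad: b64u(JSON.stringify({ method: 'DELETE', path: '/example/v1/items' })) };
  return [attempt(forged), attempt(msg), attempt(msg)];
}

console.log(demo()); // [ 'rejected', 'accepted', 'replay' ]
```

The forged copy fails because the cleartext part is covered by the GCM tag even though it is not encrypted, which is what lets a receiver trust routing fields it can read without decrypting.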

Purpose & Motivation

PRINS was created in 3GPP Release 15 to address the security vulnerabilities inherent in inter-PLMN signaling, which became more critical with 5G's enhanced roaming capabilities and network exposure. Prior to 5G, inter-network signaling often relied on hop-by-hop security (e.g., IPsec or TLS between nodes), but this left messages exposed at intermediate points within foreign networks, risking data breaches and attacks like message injection. The motivation was to provide true end-to-end security between PLMNs, ensuring that only the intended SEPPs can access the signaling content.

The development of PRINS was driven by 5G's service-based architecture (SBA), which uses HTTP/2 APIs for NF communication, extending across network boundaries. Without PRINS, sensitive information such as subscriber identifiers, location data, or service parameters could be intercepted or altered, compromising privacy and network integrity. PRINS solves this by encrypting and signing messages at the application layer, independent of the underlying transport security, thus protecting data even if transport links are breached.

Historically, earlier mobile generations had less formalized inter-PLMN security, relying on bilateral agreements and basic encryption. PRINS introduces a standardized, scalable protocol that supports automated key management and policy negotiation via the N32-f interface, enabling seamless secure roaming in multi-vendor environments. It addresses regulatory requirements for data protection (e.g., GDPR) and enhances trust in 5G ecosystems, facilitating global interoperability while mitigating risks from increasingly sophisticated cyber threats.

Classification

Part of: SEPP
Related approaches: JWE

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (181 CRs across 6 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 64 changes

In Release 15, the PRINS (PRotocol for N32 INterconnect Security) function was newly introduced as the application layer security protocol for the N32 interface. This protocol, initially referred to as Application Layer Security (ALS), was defined to provide message protection for service-based interface communications between SEPPs in different PLMNs. Its use is negotiated via the N32-c interface handshake procedure to secure the N32-f forwarding interface.

  • Clarifications to security requirements and features (clause 5) (TS 33.501 CR0161)
  • Security Negotiation for RRC INACTIVE (TS 33.501 CR0183)
  • Security Mechanism for Steering of Roaming (TS 33.501 CR0214)
  • CR-slice-management-security (TS 33.501 CR0290)
  • Security mechanisms for non-SBA interfaces in 5GC (TS 33.501 CR0374)
  • Application layer security on the N32 interface (TS 33.501 CR0376)

+ 58 more changes

Rel-16 30 changes

In Release 16, the PRINS function was updated with corrections to its N32 procedures and associated call flows. These changes provided normative clarifications and corrections to the protocol operations between SEPPs. Additionally, support for TLS security utilizing a custom HTTP header, specifically the 3gpp-Sbi-Target-apiRoot header on the N32-f interface, was introduced.

  • Exchange IPX security information lists (TS 29.573 CR0020)
  • Security for non-public networks (TS 33.501 CR0641)
  • Security for SRVCC for 5G to UTRAN CS (TS 33.501 CR0660)
  • Security for roaming interfaces in indirect communication (TS 33.501 CR0675)
  • Security requirements for SeCoP (TS 33.501 CR0692)
  • TLS between NF and SEPP based on custom HTTP header (TS 33.501 CR0696)

+ 24 more changes

Rel-17 34 changes

In Release 17, the PRINS function was enhanced with new procedures for SEPP capability negotiation and the ability for a SEPP to be discovered via the NRF. The release also introduced clarifications to the N32 protocol stack and the handling of the N32-c context established after the Security Capability Exchange procedure.

+ 28 more changes

Rel-18 32 changes

In Release 18, the PRINS function was enhanced to support the negotiation of specific security profiles and was modified to enable the operation of Roaming Hubs. Additionally, explicit support was added for using TLS security on the N32-f interface when PRINS is selected.

  • Enable senderN32fFqdn and senderN32fPort when PRINS is selected (TS 29.573 CR0127)
  • Support the negotiation of security profiles (TS 29.573 CR0174)
  • Security aspects of MSGin5G Service in rel-18 (TS 33.501 CR1565)
  • Security aspects of enhanced support of Non-Public Networks phase 2 (TS 33.501 CR1671)
  • Security of EAS discovery procedure via V-EASDF in roaming Scenario (TS 33.501 CR1741)
  • Security handling in network sharing scenario (TS 33.501 CR1744)

+ 26 more changes

Rel-19 19 changes

In Release 19, the key new development for the PRINS function was the introduction of trust anchoring for the N32-f interface, providing a foundational security mechanism for the protocol. This enhancement is detailed alongside other security updates, including a correction to the N32 security capability and refinements to the security procedure for the initial handshake between SEPPs.

  • Adding security aspects of MSGin5G service Ph3 (TS 33.501 CR2047)
  • Security of Signalling Traffic Monitoring (TS 33.501 CR2089)
  • Security of N6 delay measurements (TS 33.501 CR2092)
  • Security for PLMN hosting a NPN (TS 33.501 CR2137)
  • Security procedure for inter-CU LTM (TS 33.501 CR2153)
  • Security aspects of Core Network Enhanced Support for AIML (TS 33.501 CR2154)

+ 13 more changes

Rel-20 2 changes

In Release 20, the PRINS function was refined, introducing a new procedure to make certain security parameters visible to Roaming Intermediaries (RIs). This enhancement specifically relates to the N32-f interface's application layer security protection, where RIs on the path may require modification or observation of content.

  • PRINS Refinement (TS 33.501 CR2184)
  • Procedure to making some security parameters visible to RIs (TS 33.501 CR2191)

Defining Specifications

3GPP specifications that define or reference PRINS, with the latest known release. Sourced from the 3GPP document catalog.

Specification | Title | Release
TS 29.573 vj50 | PLMN/SNPN Interconnection Interface Stage 3 | Rel-19
TS 33.501 vk00 | 5G Security Architecture and Procedures | Rel-20