Description
The ProSe Relay User Key Identity (PRUK) is a critical security identifier within the 3GPP Proximity Services (ProSe) architecture, specifically for the UE-to-Network Relay function. A UE-to-Network Relay is a UE that provides connectivity to the network for other 'remote' UEs that are out of cellular coverage, using Device-to-Device (D2D) sidelink communications (PC5 interface). The PRUK is associated with a long-term security key, the ProSe Relay User Key (PRUK key), which is derived and provisioned securely to authorized UEs.
The PRUK serves as a reference for this key during security procedures. When a remote UE discovers and selects a relay UE, they establish a secure connection over the PC5 interface. This security context is based on keys derived from the PRUK key. The PRUK identity itself is used in signaling messages to indicate which keying material should be used for authentication and encryption. The core network, specifically the ProSe Function, manages the lifecycle of PRUKs and PRUK keys, including their generation, distribution to authorized UEs (both remote UEs and potential relay UEs), and revocation.
Architecturally, the PRUK is part of a larger key hierarchy defined for ProSe. The PRUK key may be derived from a root key shared between the UE and the network. The use of the PRUK enables mutual authentication between the remote UE and the network via the relay. It ensures that only authorized UEs can act as relays or use relay services, protecting against unauthorized network access and eavesdropping on the sidelink. The security procedures involving the PRUK are detailed in 3GPP security specifications, defining how it is used in authentication and key agreement protocols for the PC5 link.
Purpose & Motivation
The PRUK was created to solve the security challenges inherent in UE-to-Network Relay communication for ProSe, a feature introduced to extend network coverage and support public safety and commercial group communications. Without a relay, a UE out of network coverage is isolated. A relay UE can extend coverage, but this creates a security vulnerability: how does the network authenticate a remote UE connecting via an untrusted, user-controlled relay? How is the communication over the sidelink (PC5) between the remote UE and the relay protected?
Previous D2D communication models lacked this specific relay-to-network security context. The PRUK mechanism provides a scalable way to provision relay-specific credentials to UEs authorized for ProSe services. It allows the network to maintain control and policy enforcement even when the UE's communication path involves a hop over a sidelink. The PRUK identity enables the involved parties (remote UE, relay UE, and network functions) to efficiently reference the correct security key material without transmitting the key itself in signaling. This architecture addresses the limitations of simple peer-to-peer security by integrating the relay scenario into the network's authentication and key management framework, which is essential for operator-controlled services, especially for mission-critical public safety communications where secure and reliable connectivity is paramount.
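The key-referencing idea described above, as an added example that is not taken from the 3GPP specifications or from this page. It is a simplified model: signaling carries only the PRUK identity and a nonce, the network looks up the PRUK key and hands the relay a derived link key, and a revoked or unknown identity is refused. The class and function names, the HMAC-SHA-256 derivation, the input label and the binding to a relay identifier are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class ProSeFunction:
    """Network side: owns the PRUK identity -> PRUK key mapping (hypothetical model)."""

    def __init__(self):
        self._keys = {}          # PRUK identity -> long-term PRUK key
        self._revoked = set()

    def provision(self, pruk_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[pruk_id] = key
        return key               # delivered to the authorized UE over a secured channel

    def revoke(self, pruk_id: str) -> None:
        self._revoked.add(pruk_id)

    def relay_key_request(self, pruk_id: str, nonce: bytes, relay_id: str):
        """Answer a relay's request with a derived key, never the PRUK key itself."""
        key = self._keys.get(pruk_id)
        if key is None or pruk_id in self._revoked:
            return None          # unknown or revoked identity: the relay must reject
        return derive_link_key(key, nonce, relay_id)


def derive_link_key(pruk_key: bytes, nonce: bytes, relay_id: str) -> bytes:
    # Constructed label and encoding for illustration; not the 3GPP KDF input format.
    info = b"pc5-link|" + relay_id.encode() + b"|" + nonce
    return hmac.new(pruk_key, info, hashlib.sha256).digest()


def run_exchange(network, ue_pruk_id: str, ue_pruk_key: bytes, relay_id: str):
    """Remote UE -> relay -> network. Returns (ue_key, relay_key), or None if refused."""
    nonce = secrets.token_bytes(16)
    request = {"pruk_id": ue_pruk_id, "nonce": nonce}   # signaling: identity only, no key
    relay_key = network.relay_key_request(request["pruk_id"], request["nonce"], relay_id)
    if relay_key is None:
        return None
    # The remote UE derives the same key locally from its provisioned PRUK key.
    ue_key = derive_link_key(ue_pruk_key, nonce, relay_id)
    # Key confirmation over PC5 would fail if the two values differ.
    return ue_key, relay_key
```

The relay only ever holds the per-link derived key, so compromise of one relay does not expose the long-term PRUK key of the remote UEs it served.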
Key Features
- Uniquely identifies the ProSe Relay User Key (PRUK key) for a UE
- Enables secure authentication between a remote UE and the network via a relay
- Used in security signaling over the PC5 sidelink interface for relay scenarios
- Managed and provisioned by the network-based ProSe Function
- Supports authorization control for UE-to-Network Relay functionality
- Integrates relay security into the overall ProSe key hierarchy
Evolution Across Releases
Initial introduction of the ProSe Relay User Key Identity (PRUK) as part of the Proximity Services (ProSe) Phase 2 work, which defined the UE-to-Network Relay architecture for LTE. Established the PRUK's role in securing the link between a remote UE and a relay UE, defining its association with the PRUK key and its management by the ProSe Function.
Defining Specifications
| Specification | Title |
|---|---|
| TS 24.334 | 3GPP TS 24.334 |
| TR 33.740 | 3GPP TR 33.740 |
| TR 33.843 | 3GPP TR 33.843 |