PRUK

ProSe Relay User Key Identity

Introduced in Rel-13

PRUK is a security key identifier used in ProSe relay communication to uniquely identify the key protecting communication between a remote UE and a ProSe UE-to-Network Relay.

Category: Security
Introduced: Rel-13
Where: Security
Specifications: 3 specs

Description

The ProSe Relay User Key Identity (PRUK) is a critical security identifier within the 3GPP Proximity Services (ProSe) architecture, specifically for the UE-to-Network Relay function. A UE-to-Network Relay is a UE that provides connectivity to the network for other 'remote' UEs that are out of cellular coverage, using Device-to-Device (D2D) sidelink communications (PC5 interface). The PRUK is associated with a long-term security key, the ProSe Relay User Key (PRUK key), which is derived and provisioned securely to authorized UEs.

The PRUK serves as a reference for this key during security procedures. When a remote UE discovers and selects a relay UE, they establish a secure connection over the PC5 interface. This security context is based on keys derived from the PRUK key. The PRUK identity itself is used in signaling messages to indicate which keying material should be used for authentication and encryption. The core network, specifically the ProSe Function, manages the lifecycle of PRUKs and PRUK keys, including their generation, distribution to authorized UEs (both remote UEs and potential relay UEs), and revocation.

Architecturally, the PRUK is part of a larger key hierarchy defined for ProSe. The PRUK key may be derived from a root key shared between the UE and the network. The use of the PRUK enables mutual authentication between the remote UE and the network via the relay. It ensures that only authorized UEs can act as relays or use relay services, protecting against unauthorized network access and eavesdropping on the sidelink. The security procedures involving the PRUK are detailed in 3GPP security specifications, defining how it is used in authentication and key agreement protocols for the PC5 link.

Purpose & Motivation

The PRUK was created to solve the security challenges inherent in UE-to-Network Relay communication for ProSe, a feature introduced to extend network coverage and support public safety and commercial group communications. Without a relay, a UE out of network coverage is isolated. A relay UE can extend coverage, but this creates a security vulnerability: how does the network authenticate a remote UE connecting via an untrusted, user-controlled relay? How is the communication over the sidelink (PC5) between the remote UE and the relay protected?

Previous D2D communication models lacked this specific relay-to-network security context. The PRUK mechanism provides a scalable way to provision relay-specific credentials to UEs authorized for ProSe services. It allows the network to maintain control and policy enforcement even when the UE's communication path involves a hop over a sidelink. The PRUK identity enables the involved parties (remote UE, relay UE, and network functions) to efficiently reference the correct security key material without transmitting the key itself in signaling. This architecture addresses the limitations of simple peer-to-peer security by integrating the relay scenario into the network's authentication and key management framework, which is essential for operator-controlled services, especially for mission-critical public safety communications where secure and reliable connectivity is paramount.

Classification

Part of: ProSe
Specific types: UP-PRUK

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (13 CRs across 1 release). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-13, normative work from Rel-15.

Rel-15: 13 changes

In Release 15, the PRUK (ProSe Relay User Key Identity) function was not newly introduced; the Change Requests listed below exclusively detail updates to procedures for ProSe service authorisation and WLAN-based direct discovery. The technical modifications focus on the Announce, Monitor, Discoveree, Discoverer, and Match report procedures for both open and restricted discovery models over the PC3 and PC5 interfaces.

  • Updates to ProSe Service Authorisation for WLAN Direct Discovery (TS 24.334, CR0298)
  • Updates to Announce request procedure for open WLAN based ProSe direct discovery (TS 24.334, CR0299)
  • Updates to Announce request procedure for restricted WLAN based ProSe direct discovery model A (TS 24.334, CR0300)
  • Updates to Discoveree request procedure for restricted ProSe direct discovery model B (TS 24.334, CR0301)
  • Updates to Discoverer request procedure for restricted ProSe direct discovery model B (TS 24.334, CR0302)
  • Updates to Monitor request procedure for open ProSe direct discovery (TS 24.334, CR0303)

+ 7 more changes

Defining Specifications

3GPP specifications that define or reference PRUK, with the latest known release. Sourced from the 3GPP document catalog.

Specification | Title | Release
TS 24.334 vj00 | ProSe Protocols and Procedures | Rel-19
TR 33.740 vi10 | Security and Privacy Aspects of Proximity Based Services in 5G System Phase 2 | Rel-18
TS 33.843 vf10 | Security Study for ProSe UE-to-Network Relay | Rel-15