Description
The User Plane ProSe Remote User Key (UP-PRUK) is a cryptographic key defined within the 3GPP security architecture for Proximity-based Services (ProSe), specifically for securing direct communication between User Equipments (UEs) over the PC5 interface. This key is central to the security of the user plane in ProSe Direct Communication, where devices exchange application data directly (e.g., in Vehicle-to-Everything (V2X) or public safety scenarios) without routing through network infrastructure. The UP-PRUK is derived as part of a key hierarchy established during the ProSe direct communication authorization and key management procedures.
The generation of the UP-PRUK involves the ProSe Key Management Function (PKMF) within the network. The process typically starts with a long-term key shared between the UE and its home network. For direct communication with a remote UE, the local UE's ProSe Function requests necessary keys from the PKMF. The PKMF then generates or derives the UP-PRUK along with other related keys like the ProSe Remote User Key (PRUK). The UP-PRUK is subsequently provisioned securely to the authorized UE intending to establish the direct link. It is uniquely associated with a specific pair of communicating UEs (or a group for group communication) and a specific service.
In operation, the UP-PRUK is used by the UE's protocol stack to derive the necessary ciphering and integrity protection keys for the user plane data transmitted over the PC5 interface. These session keys are used by the security protocol layer (likely within the PDCP layer for NR PC5) to encrypt the user data for confidentiality and to apply integrity protection to prevent tampering. The use of a dedicated key for the user plane separates security concerns, allowing independent key management from the control plane signaling security of the PC5 link. The lifecycle of the UP-PRUK is managed by the network; it has associated validity conditions (like a timestamp or usage limit) and can be refreshed or revoked by the PKMF as needed, providing robust security management for dynamic direct communication scenarios.
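The derivation step described above, as an added sketch that is not taken from the 3GPP specifications or from this page's source: ciphering and integrity keys are derived from a provisioned UP-PRUK, bound to the UE pair and service, after the validity condition is checked. The HMAC-SHA-256 input layout follows the generic 3GPP KDF format of TS 33.220 Annex B; the FC value, the choice of input parameters, the record fields and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

FC_PLACEHOLDER = 0xFF  # constructed placeholder, not a 3GPP-assigned FC value
USE_ENC, USE_INT = b"\x01", b"\x02"  # hypothetical key-usage distinguishers


@dataclass(frozen=True)
class UpPrukRecord:
    """Provisioned key record; every field name here is hypothetical."""
    key: bytes        # 256-bit UP-PRUK as provisioned to the UE
    ue_pair: tuple    # identifiers of the two UEs the key is bound to
    service: bytes    # identifier of the service the key is bound to
    not_after: float  # validity condition: expiry as a Unix timestamp


def kdf(key, fc, *params):
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ... (Li = 2-octet length)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # length suffix keeps S unambiguous
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_session_keys(rec, nonce, now=None):
    """Return (enc_key, int_key) for one PC5 session; refuse an expired UP-PRUK."""
    now = time.time() if now is None else now
    if now > rec.not_after:
        raise PermissionError("UP-PRUK validity expired; a refreshed key is required")
    ctx = (rec.ue_pair[0], rec.ue_pair[1], rec.service, nonce)
    # Same root key and context, different usage byte: independent 128-bit keys.
    enc = kdf(rec.key, FC_PLACEHOLDER, USE_ENC, *ctx)[-16:]
    integ = kdf(rec.key, FC_PLACEHOLDER, USE_INT, *ctx)[-16:]
    return enc, integ


if __name__ == "__main__":
    # Constructed sample values, for demonstration only.
    rec = UpPrukRecord(bytes(range(32)), (b"ue-a", b"ue-b"), b"svc-1", time.time() + 3600)
    enc, integ = derive_session_keys(rec, nonce=bytes(8))
    print("enc:", enc.hex(), "int:", integ.hex())
```

Changing any bound input (either UE identifier, the service, or the per-session nonce) yields unrelated session keys, which is what keeps a key provisioned for one pair and service from being usable for another.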
Purpose & Motivation
UP-PRUK was created to address the critical security requirements of direct device-to-device (D2D) communication introduced and expanded in 3GPP standards, particularly for 5G ProSe and V2X. Traditional cellular security relies on a UE-to-network trust model, but direct PC5 communication bypasses the network infrastructure, creating a new attack surface. The UP-PRUK solves the problem of how to secure the actual user data (e.g., sensor data, safety messages, chat content) flowing directly between devices, ensuring it remains confidential and unaltered even without continuous network coverage.
Its introduction in Release 17 was motivated by the evolution of ProSe towards more advanced and sensitive use cases, including advanced V2X applications and public safety communications, which demand a robust, standardized, and scalable security mechanism. Previous approaches in earlier ProSe releases had less mature or comprehensive key management for the user plane. The UP-PRUK provides a structured, network-assisted key derivation and distribution framework, balancing security (keys are network-derived and managed) with the off-network nature of the communication (keys are pre-provisioned for use without instantaneous network connection). This enables trusted direct communication in both in-coverage and out-of-coverage scenarios, which is vital for life-critical V2X and public safety operations.
Key Features
- Cryptographic key for securing user plane data on the PC5 direct link.
- Derived and provisioned by the network-based ProSe Key Management Function (PKMF).
- Enables confidentiality and integrity protection for ProSe Direct Communication.
- Uniquely bound to a specific pair or group of UEs and a service.
- Part of a key hierarchy separate from control plane ProSe keys.
- Supports both in-coverage and out-of-coverage (partial or full) operation scenarios.
Evolution Across Releases
Release 17: Introduced the UP-PRUK as part of the enhanced 5G ProSe security architecture. Defined its role in the key hierarchy, its derivation from the ProSe Remote User Key (PRUK) by the PKMF, and its provisioning to UEs for securing user plane data on the NR PC5 interface.
Defining Specifications
| Specification | Title |
|---|---|
| TS 23.003 | 3GPP TS 23.003 |
| TS 24.501 | 3GPP TS 24.501 |
| TS 24.554 | 3GPP TS 24.554 |
| TS 29.559 | 3GPP TS 29.559 |
| TS 33.503 | 3GPP TS 33.503 |