UP-PRUK

User Plane ProSe Remote User Key

Introduced in Rel-17

UP-PRUK is a security key used in 5G ProSe to ensure confidentiality and integrity for user plane data exchanged directly between devices over the PC5 reference point.

Category: Security
Introduced: Rel-17
Where: Core Network › 5G Core
Specifications: 5 specs

Description

The User Plane ProSe Remote User Key (UP-PRUK) is a cryptographic key defined within the 3GPP security architecture for Proximity-based Services (ProSe), specifically for securing direct communication between User Equipments (UEs) over the PC5 interface. This key is central to the security of the user plane in ProSe Direct Communication, where devices exchange application data directly (e.g., in Vehicle-to-Everything (V2X) or public safety scenarios) without routing through network infrastructure. The UP-PRUK is derived as part of a key hierarchy established during the ProSe direct communication authorization and key management procedures.

The generation of the UP-PRUK involves the ProSe Key Management Function (PKMF) within the network. The process typically starts with a long-term key shared between the UE and its home network. For direct communication with a remote UE, the local UE's ProSe Function requests necessary keys from the PKMF. The PKMF then generates or derives the UP-PRUK along with other related keys like the ProSe Remote User Key (PRUK). The UP-PRUK is subsequently provisioned securely to the authorized UE intending to establish the direct link. It is uniquely associated with a specific pair of communicating UEs (or a group for group communication) and a specific service.

In operation, the UP-PRUK is used by the UE's protocol stack to derive the necessary ciphering and integrity protection keys for the user plane data transmitted over the PC5 interface. These session keys are used by the security protocol layer (likely within the PDCP layer for NR PC5) to encrypt the user data for confidentiality and to apply integrity protection to prevent tampering. The use of a dedicated key for the user plane separates security concerns, allowing independent key management from the control plane signaling security of the PC5 link. The lifecycle of the UP-PRUK is managed by the network; it has associated validity conditions (like a timestamp or usage limit) and can be refreshed or revoked by the PKMF as needed, providing robust security management for dynamic direct communication scenarios.
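An added sketch (not taken from the 3GPP specifications or from this page's source) of the two ideas above: deriving separate ciphering and integrity keys from one root key, and checking the root key's validity conditions before any derivation. The KDF follows the generic construction of TS 33.220 Annex B; the FC octets, the nonce inputs and the RootKeyContext class are assumptions for illustration and do not reproduce the derivation chain of TS 33.503.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

# Placeholder FC octets for this sketch only; NOT values assigned by 3GPP.
FC_CIPHER = 0xF0
FC_INTEGRITY = 0xF1

def kdf_33220(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256 over
    S = FC || P0 || L0 || P1 || L1 ..., each Li a 2-octet big-endian length."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

@dataclass
class RootKeyContext:
    """Hypothetical holder for a provisioned root key and its validity conditions."""
    key: bytes
    expires_at: float      # validity timestamp, epoch seconds
    uses_left: int         # usage limit
    revoked: bool = False  # set when the network revokes the key

    def derive_session_keys(self, nonce_a: bytes, nonce_b: bytes, now=None):
        now = time.time() if now is None else now
        if self.revoked or now >= self.expires_at or self.uses_left <= 0:
            raise PermissionError("root key no longer valid; request a refresh")
        self.uses_left -= 1
        # A distinct FC per purpose yields independent keys from the same root.
        # 128-bit keys are the 128 least significant bits of the KDF output.
        enc = kdf_33220(self.key, FC_CIPHER, nonce_a, nonce_b)[16:]
        integ = kdf_33220(self.key, FC_INTEGRITY, nonce_a, nonce_b)[16:]
        return enc, integ

def demo():
    """Constructed inputs: one permitted derivation, then a refused second one."""
    ctx = RootKeyContext(key=bytes(range(32)), expires_at=1000.0, uses_left=1)
    enc, integ = ctx.derive_session_keys(b"\x01" * 16, b"\x02" * 16, now=500.0)
    try:
        ctx.derive_session_keys(b"\x03" * 16, b"\x04" * 16, now=500.0)
    except PermissionError:
        return enc, integ, True
    return enc, integ, False

if __name__ == "__main__":
    enc, integ, refused = demo()
    print(enc.hex(), integ.hex(), refused)
```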

Purpose & Motivation

UP-PRUK was created to address the critical security requirements of direct device-to-device (D2D) communication introduced and expanded in 3GPP standards, particularly for 5G ProSe and V2X. Traditional cellular security relies on a UE-to-network trust model, but direct PC5 communication bypasses the network infrastructure, creating a new attack surface. The UP-PRUK solves the problem of how to secure the actual user data (e.g., sensor data, safety messages, chat content) flowing directly between devices, ensuring it remains confidential and unaltered even without continuous network coverage.

Its introduction in Release 17 was motivated by the evolution of ProSe towards more advanced and sensitive use cases, including advanced V2X applications and public safety communications, which demand a robust, standardized, and scalable security mechanism. Previous approaches in earlier ProSe releases had less mature or comprehensive key management for the user plane. The UP-PRUK provides a structured, network-assisted key derivation and distribution framework, balancing security (keys are network-derived and managed) with the off-network nature of the communication (keys are pre-provisioned for use without instantaneous network connection). This enables trusted direct communication in both in-coverage and out-of-coverage scenarios, which is vital for life-critical V2X and public safety operations.

Classification

Part of: PRUK
Related approaches: ProSe

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (436 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 (6 changes)

In Release 15, the UP-PRUK function was newly introduced as part of the security framework for Proximity-based Services (ProSe) in the 5G System, as detailed in the specification for security aspects. This function specifically provides a User Plane ProSe Remote User Key to secure direct communication between devices. The related groundwork for ProSe identification, including the structured ProSe Application ID with its PLMN ID and name components, was defined to support such ProSe features.

  • Correction for establishment of user-plane resources (TS 24.501 CR0013)
  • UAC information and establishment cause when uplink user data packet is to be sent for a PDU session with suspended user-plane resources (TS 24.501 CR0027)
  • Definition of user-plane resources (TS 24.501 CR0345)
  • SOR over control plane in non-3GPP access (TS 24.501 CR0592)
  • Lower layer indication on the establishment/release of user plane resources (TS 24.501 CR0664)
  • Definition of Service ID for WLAN based ProSe Direct Discovery (TS 23.003 CR0489)

Rel-16 (28 changes)

In Release 16, the new UP-PRUK (User Plane ProSe Remote User Key) function was introduced to enhance Proximity-based Services (ProSe) in the 5G System. It specifically enables user-plane based ProSe direct discovery and communication by establishing secure user-plane paths between UEs, utilizing the ProSe Application ID format defined for 5GS. This function works in conjunction with the control plane procedures to manage the security context and keys for direct user-plane data transfer.

  • User plane CIoT 5GS optimization (TS 24.501 CR1130)
  • Idle mode optimizations for 5G Control plane CIoT small data transfer (TS 24.501 CR1311)
  • Header compression for control plane user data (TS 24.501 CR1318)
  • Control plane service request message and abnormal cases on the network side (TS 24.501 CR1532)
  • Resolving Editor's notes on the Data Type field for the Control Plane Service Request message (TS 24.501 CR1585)
  • Access stratum connection and user-plane resources for trusted non-3GPP access and wireline access (TS 24.501 CR1685)

+ 22 more changes

Rel-17 (145 changes)

In Release 17, the new UP-PRUK (User Plane ProSe Remote User Key) function was introduced as part of the "ProSe remote user key procedure," which is a key security enhancement for 5G ProSe UE-to-network relay. This procedure works alongside other new security mechanisms like the authentication and key agreement for the relay and the introduction of GBA Push Info (GPI) in the direct link security mode control procedure. These additions collectively strengthen the security framework for user plane data in ProSe relay scenarios.

  • ProSe as a trigger for Service Request procedure (TS 24.501 CR3125)
  • Network shall not release the RRC connection for ProSe services (TS 24.501 CR3126)
  • ProSe policy provisioning start and stop indications (TS 24.501 CR3127)
  • UE ProSe capability negotiation with 5GC (TS 24.501 CR3159)
  • UE ProSe policy transmission (TS 24.501 CR3110)
  • Using Service Request procedure for removing paging restrictions in 5GS for MUSIM UE that uses the control plane CIoT 5GS optimization (TS 24.501 CR3439)

+ 139 more changes

Rel-18 (137 changes)

In Release 18, the new UP-PRUK function was introduced as part of the enhanced security framework for 5G ProSe UE-to-UE relay, specifically defined within the Authentication and key agreement procedure for this relay scenario. This function is integral to the secure establishment of unicast direct communication over the PC5 interface, as outlined in the procedures for 5G ProSe U2U relay discovery and direct link modification. The updates ensure secure key management for remote UEs, which can now be identified by their PEI, within the evolving 5G ProSe architecture.

  • User plane positioning capability indication (TS 24.501 CR5015)
  • User plane positioning capability (TS 24.501 CR5285)
  • UL/DL NAS transport updates for user plane positioning (TS 24.501 CR5215)
  • Control plane user data associated with S-NSSAI not allowed in current TA (TS 24.501 CR5612)
  • Support indications for user plane positioning (TS 24.501 CR5501)
  • Remote UE identified by PEI (TS 24.501 CR5704)

+ 131 more changes

Rel-19 (120 changes)

In Release 19, the UP-PRUK function was extended to support 5G ProSe within Standalone Non-Public Networks (SNPNs), which required updates to the format of the ProSe Application ID and ProSe Application Code to incorporate the SNPN ID. Specifically, the SNPN ID, structured as "mcc.MCC.mnc.MNC.nid.NID", was added as a prefix to the ProSe Application ID, and an optional NID part was introduced into the ProSe Application Code format. This enabled key ProSe procedures—such as direct discovery, direct link management, and UE-to-network relay selection—to operate within SNPN environments.

  • Format of SNPN ID description for 5G ProSe applications (TS 23.003 CR0703)
  • Update ProSe App Code format to support 5G ProSe in NPNs (TS 23.003 CR0705)
  • ProSe and NPN (TS 24.501 CR6392)
  • Enhancement of 5G ProSe capability for multi-hop relays (TS 24.501 CR6552)
  • Update 5GMM capability for 5G ProSe multi-hop relays (TS 24.501 CR6692)
  • Update on 5G ProSe Discoverer request procedure to support 5G ProSe in SNPN (TS 24.554 CR0634)

+ 114 more changes

Defining Specifications

3GPP specifications that define or reference UP-PRUK, with the latest known release. Sourced from the 3GPP document catalog.

| Specification | Title | Release |
|---|---|---|
| TS 23.003 vj50 | Numbering, addressing and identification in 3GPP | Rel-19 |
| TS 24.501 vj50 | 5G NAS Protocols Specification | Rel-19 |
| TS 24.554 vj40 | 5G Proximity Services (ProSe) Protocols | Rel-19 |
| TS 29.559 vj40 | 5G PKMF Service Based Interface Stage 3 | Rel-19 |
| TS 33.503 vj20 | Security for Proximity Services (ProSe) in 5G | Rel-19 |