Shenzhen Olax Technology CO.,Ltd

USIM in 5G (NR) system (1)

2024-10-17

1. UE and UICC

In the mobile communication system defined by 3GPP (3rd Generation Partnership Project), the user's terminal device (UE) is composed of the ME (mobile equipment) and the UICC (Universal Integrated Circuit Card). The UICC is a physical card that is tamper-proof and resistant to software and hardware attacks.

2. UICC and USIM

A UICC can contain multiple applications, one of which is the USIM. The USIM securely stores and processes all sensitive data related to the user and the home network. The USIM is under the control of the home network operator: the operator selects the data to be configured in the USIM before issuance and remotely manages the USIM in the user's device through the OTA (over-the-air) mechanism.

3. USIM in 5G

3GPP defines the USIM for the 5G system in Rel-15 for access and use in 3GPP and non-3GPP networks, allowing the UE (user equipment) to access external data networks. In Rel-16, the USIM is also defined for network slice specific authentication.

4. Primary authentication

Primary authentication is a mandatory procedure that allows the UE (user equipment) to access 3GPP or non-3GPP networks. EAP-AKA' and 5G AKA are the only authentication methods allowed for primary authentication, and the subscription credentials are always stored in the USIM when the terminal supports 3GPP access functionality. For primary authentication based on AKA, the mutual authentication performed in the USIM and the generation of the key material (integrity key IK and confidentiality key CK) sent by the USIM to the ME remain unchanged compared to 3G and 4G, and comply with the 3GPP TS 33.102 specification [3]. The changes to the USIM for 5G primary authentication consist of storing the new security context and additional keying material in the USIM (depending on the USIM's configuration).

4.1 5G support

If the USIM supports storing 5G parameters, the ME will store the new 5G security context and the new keys defined for the 5G key hierarchy (i.e. KAUSF, KSEAF and KAMF) in the USIM. The USIM can store one 5G security context for 3GPP access networks and one 5G security context for non-3GPP access networks. Storing the security context and key material in the USIM ensures faster reconnection when roaming (that is, when the UICC moves from one ME to another).
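Added example (not from the original page): how the ME turns the CK and IK returned by the USIM into the 5G key hierarchy named above, for the 5G AKA case, using the generic KDF of 3GPP TS 33.220 Annex B with the FC values of TS 33.501 Annex A. The CK, IK, SQN xor AK, serving network names and SUPI are constructed sample values, and the function names are illustrative.

```python
import hashlib
import hmac

# FC values from 3GPP TS 33.501 Annex A
FC_KAUSF = 0x6A  # A.2, K_AUSF for 5G AKA
FC_KSEAF = 0x6C  # A.6, K_SEAF
FC_KAMF = 0x6D   # A.7, K_AMF


def build_s(fc: int, params: list[bytes]) -> bytes:
    """S = FC || P0 || L0 || P1 || L1 ... where Li is the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, params: list[bytes]) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256 keyed with the parent key over S."""
    return hmac.new(key, build_s(fc, params), hashlib.sha256).digest()


def derive_5g_keys(ck, ik, sqn_xor_ak, sn_name, supi, abba=b"\x00\x00"):
    """Walk the chain CK||IK -> K_AUSF -> K_SEAF -> K_AMF (assumes an IMSI-type SUPI)."""
    sn = sn_name.encode("utf-8")
    k_ausf = kdf(ck + ik, FC_KAUSF, [sn, sqn_xor_ak])
    k_seaf = kdf(k_ausf, FC_KSEAF, [sn])
    k_amf = kdf(k_seaf, FC_KAMF, [supi.encode("utf-8"), abba])
    return {"K_AUSF": k_ausf, "K_SEAF": k_seaf, "K_AMF": k_amf}


# Constructed sample values (test PLMN 001/01), not real subscriber data
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SQN_XOR_AK = bytes.fromhex("0123456789ab")
HOME = "5G:mnc001.mcc001.3gppnetwork.org"
VISITED = "5G:mnc002.mcc001.3gppnetwork.org"
SUPI = "001010000000001"

if __name__ == "__main__":
    # The same CK/IK yields unrelated keys for a different serving network name.
    for sn in (HOME, VISITED):
        print(sn)
        for name, key in derive_5g_keys(CK, IK, SQN_XOR_AK, sn, SUPI).items():
            print(f"  {name} = {key.hex()}")
```

Because the serving network name is an input to K_AUSF and K_SEAF, keys derived for one serving network cannot be reused in another, and each level is a one-way function of its parent.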

4.2 NPN support

Authentication in private networks (called independent non-public networks) can rely on the EAP framework supported by the 5G system. User equipment and serving networks can support 5G AKA, EAP-AKA' or any other key-generating EAP authentication method, where:

· When AKA-based authentication methods are used, clause 6.1 of 3GPP TS 33.501 [1] applies.

· When an EAP authentication method other than EAP-AKA' is selected, the selected method determines the credentials required in the UE and the network. How these credentials for EAP methods other than EAP-AKA' are stored and processed within the UE is beyond the scope. However, to ensure a high level of security for access to private networks, private network operators may decide to require the presence and use of a UICC containing USIM applications in order to securely store and process subscription credentials for EAP methods such as EAP-AKA' or EAP-TLS.

5. Secondary authentication

This is an optional EAP-based authentication conducted between the UE (user equipment) and the DN (external data network). Although the choice of EAP authentication method and credentials is beyond the scope of 3GPP, external data networks may decide to protect access to their DN by performing strong authentication with the EAP-AKA' or EAP-TLS authentication method, relying on the presence of a USIM on the UICC in the user device to securely store and process the credentials used to access the DN.

Network Slice Specific Authentication

Network slice specific authentication between the user device and the AAA (Authentication, Authorization and Accounting) server to access a network slice is optional. Network slice specific authentication is based on the EAP framework, and its user ID and credentials are different from the 3GPP subscription credentials. It follows the mandatory primary authentication. Stakeholders deploying slices may decide to install a USIM on the UICC of user devices to ensure a high level of security for access to their slices and to keep out unauthorized users.