The image below (the 5G key derivation hierarchy) is taken from TS 38.300.
Legend:
USIM: Universal Subscriber Identity Module
ME: Mobile Equipment
SEAF: SEcurity Anchor Function
AUSF: AUthentication Server Function
ARPF: Authentication credential Repository and Processing Function; it stores the long-term authentication credentials.
K: the long-term (permanent) key shared between the USIM and the ARPF
CK: Ciphering Key
IK: Integrity Key
EAP-AKA: Extensible Authentication Protocol Method for 3rd Generation (UMTS) Authentication and Key Agreement. 5G uses its revised form, EAP-AKA', as one of the two mandatory authentication methods alongside 5G AKA.
K, CK and IK are the keys related to authentication: K never leaves the USIM or the ARPF, and CK and IK are produced from it by the AKA run and are the inputs to the rest of the key hierarchy.
Below are the principles followed for NR connected to 5GC:
1. For user data (DRBs), ciphering provides user data confidentiality and integrity protection provides user data integrity.
2. For RRC signalling (SRBs), ciphering provides signalling data confidentiality and integrity protection provides signalling data integrity.
3. Entities handling key management and data in cleartext should be protected from physical attacks and located in a secure environment.
4. gNB (AS) keys are cryptographically separated from the 5GC (NAS) keys, so compromise of a gNB does not expose the NAS keys held by the AMF;
5. Separate AS and NAS level Security Mode Command (SMC) procedures are used;
The keys are organised and derived as follows:
Key for AUSF (home network):
KAUSF is a key derived by ME and AUSF from CK and IK.
Key for SEAF (serving network):
KSEAF is the anchor key derived by ME and AUSF from KAUSF and delivered to the SEAF of the serving network.
Key for AMF:
KAMF is a key derived by ME and SEAF from KSEAF.
Keys for NAS signalling:
-> KNASint is a key derived by ME and AMF from KAMF, which shall only be used for the protection of NAS signalling with a particular integrity algorithm;
-> KNASenc is a key derived by ME and AMF from KAMF, which shall only be used for the protection of NAS signalling with a particular encryption algorithm.
Key for gNB:
-> KgNB is a key derived by ME and AMF from KAMF. On handover, KgNB is further derived by ME and source gNB using horizontal key derivation (from the current KgNB) or vertical key derivation (from a fresh NH).
Keys for UP traffic:
-> KUPenc is a key derived by ME and gNB from KgNB, which shall only be used for the protection of UP traffic between ME and gNB with a particular encryption algorithm;
-> KUPint is a key derived by ME and gNB from KgNB, which shall only be used for the protection of UP traffic between ME and gNB with a particular integrity algorithm.
Keys for RRC signalling:
-> KRRCint is a key derived by ME and gNB from KgNB, which shall only be used for the protection of RRC signalling with a particular integrity algorithm;
-> KRRCenc is a key derived by ME and gNB from KgNB, which shall only be used for the protection of RRC signalling with a particular encryption algorithm.
Intermediate keys:
-> NH (Next Hop) is a key derived by ME and AMF from KAMF to provide forward security: each NH in the chain is derived from the previous one (the first from the initial KgNB), so a gNB holding the current KgNB cannot compute the keys used after a vertical derivation.
-> KgNB* is a key derived by ME and gNB when performing a horizontal or vertical key derivation, binding the target cell's PCI and downlink ARFCN into the new KgNB.
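The hierarchy above (and the AS/NAS separation in principles 4 and 5) is easiest to see by computing it. The following is an added worked example, not code from TS 38.300 or from 3GPP: it implements the generic KDF of TS 33.220 Annex B (HMAC-SHA-256 over an S string of FC || P0 || L0 || P1 || L1 ...) as TS 33.501 Annex A applies it to the 5G AKA case. The FC constants and parameter encodings are as recalled from TS 33.501 Annex A and should be checked against the release you target; the SUPI encoding and all key material, identifiers and counters are constructed sample values.

```python
"""Worked 5G key-hierarchy derivation (added example, not TS 38.300 text).

KDF per TS 33.220 Annex B as used by TS 33.501 Annex A:
    derived = HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)
FC is one octet, each Li is the two-octet big-endian length of Pi.
FC values and parameter layouts below are as recalled from TS 33.501
Annex A (5G AKA case); verify against the spec release you use.
"""
import hashlib
import hmac

# FC values (TS 33.501 Annex A, as recalled; assumption to be verified)
FC_KAUSF = 0x6A      # A.2  KAUSF from CK||IK
FC_KSEAF = 0x6C      # A.6  KSEAF from KAUSF
FC_KAMF = 0x6D       # A.7  KAMF from KSEAF
FC_ALG_KEY = 0x69    # A.8  NAS/RRC/UP algorithm keys
FC_KGNB = 0x6E       # A.9  KgNB from KAMF
FC_NH = 0x6F         # A.10 NH from KAMF
FC_KGNB_STAR = 0x70  # A.11/A.12 KgNB* from KgNB (horizontal) or NH (vertical)

# Algorithm type distinguishers for A.8
N_NAS_ENC_ALG, N_NAS_INT_ALG = 0x01, 0x02
N_RRC_ENC_ALG, N_RRC_INT_ALG = 0x03, 0x04
N_UP_ENC_ALG, N_UP_INT_ALG = 0x05, 0x06


def build_s(fc: int, params: list) -> bytes:
    """S = FC || P0 || L0 || P1 || L1 ... (one-octet FC, two-octet lengths)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, params: list) -> bytes:
    """TS 33.220 Annex B KDF: HMAC-SHA-256 over S, 256-bit output."""
    return hmac.new(key, build_s(fc, params), hashlib.sha256).digest()


def derive_alg_key(parent: bytes, alg_type: int, alg_id: int) -> bytes:
    """A.8: a 128-bit algorithm key is the 128 least significant bits of the
    256-bit output. alg_id is the 4-bit algorithm identity (e.g. 0x2 = NEA2/NIA2)."""
    return kdf(parent, FC_ALG_KEY, [bytes([alg_type]), bytes([alg_id])])[16:]


def derive_hierarchy(ck, ik, serving_network_name, sqn_xor_ak, supi, abba,
                     ul_nas_count, access_type=0x01, enc_alg=0x2, int_alg=0x2):
    """Walk the hierarchy from CK||IK down to the NAS and AS algorithm keys.
    supi is passed as a character string here (constructed encoding)."""
    snn = serving_network_name.encode()
    k_ausf = kdf(ck + ik, FC_KAUSF, [snn, sqn_xor_ak])            # ME + AUSF
    k_seaf = kdf(k_ausf, FC_KSEAF, [snn])                         # ME + AUSF, anchor key
    k_amf = kdf(k_seaf, FC_KAMF, [supi.encode(), abba])           # ME + SEAF
    k_gnb = kdf(k_amf, FC_KGNB,
                [ul_nas_count.to_bytes(4, "big"), bytes([access_type])])  # ME + AMF
    # NAS keys hang off KAMF, AS keys off KgNB: the separation of principle 4.
    return {
        "KAUSF": k_ausf, "KSEAF": k_seaf, "KAMF": k_amf, "KgNB": k_gnb,
        "KNASenc": derive_alg_key(k_amf, N_NAS_ENC_ALG, enc_alg),
        "KNASint": derive_alg_key(k_amf, N_NAS_INT_ALG, int_alg),
        "KRRCenc": derive_alg_key(k_gnb, N_RRC_ENC_ALG, enc_alg),
        "KRRCint": derive_alg_key(k_gnb, N_RRC_INT_ALG, int_alg),
        "KUPenc": derive_alg_key(k_gnb, N_UP_ENC_ALG, enc_alg),
        "KUPint": derive_alg_key(k_gnb, N_UP_INT_ALG, int_alg),
    }


def derive_nh(k_amf: bytes, sync_input: bytes) -> bytes:
    """A.10: NH chain. sync_input is the initial KgNB for the first NH,
    otherwise the previous NH; only ME and AMF hold KAMF, so a gNB cannot
    compute the next NH itself (forward security)."""
    return kdf(k_amf, FC_NH, [sync_input])


def derive_kgnb_star(parent: bytes, pci: int, arfcn_dl: int) -> bytes:
    """A.11/A.12: KgNB* for handover, bound to the target cell's PCI (2 octets)
    and ARFCN-DL (3 octets). parent = current KgNB (horizontal) or fresh NH (vertical)."""
    return kdf(parent, FC_KGNB_STAR,
               [pci.to_bytes(2, "big"), arfcn_dl.to_bytes(3, "big")])


if __name__ == "__main__":
    # Constructed sample inputs, not real subscriber material
    ck, ik = bytes(range(16)), bytes(range(16, 32))
    keys = derive_hierarchy(ck, ik, "5G:mnc001.mcc001.3gppnetwork.org",
                            bytes.fromhex("000102030405"), "imsi-001010123456789",
                            bytes.fromhex("0000"), ul_nas_count=0)
    nh1 = derive_nh(keys["KAMF"], keys["KgNB"])   # NCC = 1
    nh2 = derive_nh(keys["KAMF"], nh1)            # NCC = 2
    horiz = derive_kgnb_star(keys["KgNB"], pci=0x0123, arfcn_dl=632628)
    vert = derive_kgnb_star(nh2, pci=0x0123, arfcn_dl=632628)
    for name, k in keys.items():
        print(f"{name:8s} {k.hex()}")
    print("KgNB*(horizontal)", horiz.hex())
    print("KgNB*(vertical)  ", vert.hex())
```

Two things the run makes concrete: changing the uplink NAS COUNT refreshes KgNB (and everything under it) without touching KNASenc/KNASint, which is the AS/NAS separation; and the vertical KgNB* depends on an NH that only the AMF and ME can compute, which is what gives forward security across handovers.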
Reference: TS 38.300 (NR; Overall description; Stage-2), clause 13 (Security). The key derivation functions themselves are specified in TS 33.501 Annex A.