Multicast broadcast service keys

What is claimed: 1. A processor of a user equipment (UE) configured to perform operations comprising: generating, for transmission to a network function, a protocol data unit (PDU) modification request comprising a request to join a multicast broadcast service (MBS) session; generating a first key (K MBS-UE ), wherein the K MBS-UE is generated using a primary authentication key and a temporary mobile group identification (TMGI), wherein the primary authentication key is established between the UE and a second network function; receiving a PDU session modification complete message comprising an encrypted second key (K MBS ) and a key identification (KID) corresponding to the K MBS ; and decrypting the K MBS using the K MBS-UE . 2. The processor of claim 1 , wherein the PDU modification request comprises an MBS session identification of the MBS session that the UE is requesting to join. 3. The processor of claim 1 , wherein at least one of the K MBs and the KID is used by the UE to decrypt MBS session data. 4. The processor of claim 1 , wherein the K MBS is used to derive session keys for encrypting the MBS session data. 5. One or more processors of a first network function configured to perform operations comprising: receiving an indication that a user equipment (UE) is requesting to join a multicast broadcast service (MBS) session; generating, in response to receiving the indication, a MBS key request to be transmitted a second network function; receiving, in response to the MBS key request, an MBS key response comprising a first key (K MBS-UE ) from the second network function, wherein the first key is generated independently by both the second network function and the UE; receiving, from a third network function, information related to the MBS session, wherein the information comprises a second key (K MBS ) and a key identification (KID) corresponding to the K MBS ; and generating, for transmission to the UE, a PDU session modification complete message comprising the K MBS and the KID, wherein at least the K MBS is encrypted using the K MBS-UE . 6. The one or more processors of the first network function of claim 5 , wherein the first network function comprises an access and mobility management function (AMF). 7. The one or more processors of the first network function of claim 5 , wherein at least one of the K MBs and the KID is used to decrypt MBS session data and the K MBS is used to derive session keys for encrypting the MBS session data. 8. The one or more processors of the first network function of claim 5 , wherein the second network function comprises an authentication server function (AUSF). 9. The one or more processors of the first network function of claim 5 , wherein the third network function comprises a session management function (SMF). 10. The one or more processors of the first network function of claim 5 , wherein the indication comprises a PDU session modification request by the UE. 11. A method, comprising: at a user equipment (UE): sending a protocol data unit (PDU) modification request comprising a request to join a multicast broadcast service (MBS) session; generating a first key (K MBS-UE ), wherein the K MBS-UE is generated using a primary authentication key and a temporary mobile group identification (TMGI), wherein the primary authentication key is established between the UE and a second network function; receiving a PDU session modification complete message comprising an encrypted second key (K MBS ) and a key identification (KID) corresponding to the K MBS , and decrypting the K MBS using the K MBS-UE . 12. The method of claim 11 , wherein the PDU modification request comprises an MBS session identification of the MBS session that the UE is requesting to join. 13. The method of claim 11 , wherein at least one of the K MBs and the KID is used by the UE to decrypt MBS session data. 14. The method of claim 11 , wherein the K MBS is used to derive session keys for encrypting the MBS session data.