5G Cell Site Analysis (Positioning)

I have to understand a 5G-5G roaming connection's crypto layer (key derivation and exchange process). Are you a cop and running 5G CSA?

Have to learn the paging in 5G for CSA as the TorPEDO attack has an influence on (unknown) Fake Cell Towers in CSA positioning.

#1 My question Can anybody explain to me the paging in general, its effect on CSA?
#2 Is it important to differentiate between direct and indirect paging in 5G?
#3 Is there a risk of sofrware definded radio paging multi (unaware) Fake Cell Towers?

There is a risk that unaware Fake Cell Towers mismatch a CSA (as its a non-physical/non-proofable approach). I still cannot dive through the crypto key exchange in such an approach.

Any Crypto forensic examiner in the wild?

For those that haven't caught up on the TorPEDO news here are some links…..

https://thehackernews.com/2019/02/location-tracking-imsi-catchers.html
https://www.helpnetsecurity.com/2019/02/25/privacy-attacks-4g-5g-cellular-networks/
https://www.securitynewspaper.com/2019/02/25/%EF%BB%BFnew-attack-variant-against-4g-and-5g-networks/
https://threatpost.com/torpedo-privacy-4g-5g/142174/
https://securityaffairs.co/wordpress/81648/hacking/torpedo-attacks-4g-5g.html

And here is the link to the research paper that originated the current web discussions..

https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_05B-5_Hussain_paper.pdf

Does a mobile recognize if a paging regquest is delayed from genuine source in comparison to a paging request from a fake cell tower?

The paging runs on PCH Paging CHannel of the physical layer (L1). It seems that a UE cannot detect if after being out of range of a tracking area that it gets paged by a FBS.

Is paging in 5G different from LTE related to crypto?

Can anybody explain how the PCCH and the PCH interwork in 5G?