1 © Nokia Solutions and Networks 2019 Public
5G Security
Future of Networking, March 19, 2019
Peter Schneider, Nokia Bell Labs
2 © Nokia Solutions and Networks 2019
• Mobile network security today – example LTE
• 5G security: drivers, requirements, vision
• 5G networking paradigms: Network Function Virtualization (NFV), Software Defined Networking (SDN), Network Slicing
• Elements of a 5G security architecture
• NFV Security
• Network slicing security
• 3GPP 5G security specification
• Summary and conclusion
Agenda
Public
3 © Nokia Solutions and Networks 2019
Layers of Mobile Network Security as of Today (Example LTE)
Public
PCRF
eNB
PDN-GW Internet
IMS,Application
Servers
MME
Backhaul
link
security
Core interface
security
HSSAuC
K
UEUSIM
K
User Identity Privacy
Secure Environment
VoLTE/IMS security
ServingGateway
PDNGateway
Non access stratum
signaling security
Authentication and Key Agreement
KASME
KASME
Access
stratum
security
KeNB
KeNB
SEG
Network security not
specified by 3GPP
3GPP-specified security architecture
Network element security measures
4 © Nokia Solutions and Networks 2019
5G Security Drivers
Public
Growing need for dependability
Growing need for flexibility
New use cases
New threats
Changing ecosystem
New networking paradigmsNew use cases
5GSecurity
?
5 © Nokia Solutions and Networks 2019
5G Security Drivers
For internal use
Growing need for flexibility
New use cases
New threats
Changing ecosystem
New networking paradigmsNew use cases
Supremebuilt-in security
Automation
Flexible securitymechanisms
5G Security
Growing need for dependability
6 © Nokia Solutions and Networks 2019 Public
From LTE to 5G: Adopting New Networking Paradigms
LTE
5G
7 © Nokia Solutions and Networks 2019 Public
Edge Cloud
Internet
Central Cloud
Cell
Cell
Cell
Slice A
Slice B
Common parts
SDN switches
Virtual network functions
A 5G Mobile Network Implemented on Distributed Telco Cloudsand Supporting Multiple Network Slices
8 © Nokia Solutions and Networks 2019
Elements of a 5G Security Architecture
Public
Cell
Subscriber/device identifiers/credentials
Secure hardware
Security negotiation, key hierarchyEnhanced control plane robustness
Enhanced subscriber privacy
Crypto algorithmsPhysical layer
securityJamming protection
Authentication/authorization, key agreement
NFV/SDN security
Network slicingsecurity
Security assurance for NFV environments
Security management and orchestration
Self-adaptive, intelligent security controls
9 © Nokia Solutions and Networks 2019
Network Function Virtualization Security
Public
10 © Nokia Solutions and Networks 2019
Network elementsreplaced by VNFsrunning on a cloudplatform
➢Secure the platform
➢Secure the VNFs
➢Security assurance for VNFs that can be deployed on different platforms
Public
“Network Element Security” for Virtualized Networks
11 © Nokia Solutions and Networks 2019
Isolation and Traffic Separation in the Telco Cloud
Public
• Separation of VMs relies on the hypervisor –software flaws may compromise it completely (e.g. allow VM1 to access the memory of VM2)
• Virtual networking allows logical traffic separation
• No physical separation of interfaces for different traffic types at a single VM
• No physical separation of traffic of different VMs running on the same HW platform
• Traffic separation relies on the hypervisor
12 © Nokia Solutions and Networks 2019 Public
Network Security Measures for Virtualized Networks
Network zoning can be implemented in a straightforward way:• The NFV environment facilitates separation, e.g. virtual machines are
separated by a hypervisor
• Dedicated VLANs to provide connectivity between the VMs forming a zone
• Traffic between zones may be filtered by virtual firewalls
• Even physical separation may be possible – on the cost of resource usage efficiency
Traffic separation by dedicated virtual switches, VLANs and wide area VPNs – physical separation is hardly applicable
The external perimeter may be secured by a virtual firewall; physically separated firewalls can protect the overall data center infrastructure
13 © Nokia Solutions and Networks 2019
Network Slicing Security
Public
14 © Nokia Solutions and Networks 2019 Public
Network Slice Isolation – The Crucial Slicing Security Aspect
Isolation in the cloud by NFV mechanisms in the (central/edge) cloud
Isolation in the transport by VPNs created via SDN
Isolation by equipment-specific mechanisms on (non virtualized) RAN equipment
Isolation means resource isolation + security isolation
➢ Slice isolation can be achieved assuming sound implementations (NFV environment, SDN transport, non-virtualized equipment)
15 © Nokia Solutions and Networks 2019
Slicing-specific attacks
Other Slicing Security Aspects
DoS attacks on “small” slices
Attacks on interfaces to common network
parts (vertical → mobile network operator)
Attacks on management interfaces
provided for verticals to manage their
slices
Attacks on slicing-specific procedures:
Slice selection, slicing-specific
authentication and authorization, slice
management
Malicious message routing between
different slices
➢ Mitigation by state-of-the-art means – with room for improvement
Slicing facilitates different security assurance levels per slice
Slicing facilitates individual security mechanisms per slice
For internal use
16 © Nokia Solutions and Networks 2019
3GPP 5G Security Specification
Public
17 © Nokia Solutions and Networks 2019
Overview 3GPP 5G Security Standardization
Public
3GPP Technical Specification 33.501, Release15“Security Architecture and Procedures for 5G System”
• New access-agnostic authentication framework
with improved home network control in roaming
scenarios
• Enhanced subscription privacy
• User plane integrity protection
• EAP-based “secondary authentication”
• Security for service-based interfaces
• Enhancements for interconnection security
➢ New 5G security features at a glance:
18 © Nokia Solutions and Networks 2019
New Security Features in 3GPP Release 15
Public
UE SEAF/AMF AUSF UDM/ARPF
Request to establisha signalling connection
Authentication Request
Authentication Request
Decision: Use 5G AKA
Authentication Response(AV with XRES*, KAUSF)Authentication Response
(AV with HXRES*,KSEAF)
5G AKA Response (RES*)
Compute HRES*,equal to HXRES* ?
Authentication Request (RES*)
RES* equal to XRES* ?
Auth Confirmation Req
UDM: Store UE authentication status
Auth Confirmation Resp
5G AKA Challenge
Authentication Response(Success)
• Two authentication methods, 5G AKA (enhancing
LTE’s EPS AKA) and EAP-AKA’
• Both provide assurance to the Home Network that
the UE is present in the Visited Network
• Besides EAP-AKA’, other EAP methods can be
implemented by operators (not for public use)
• “Access agnostic”: Both methods applicable for
3GPP as well as non-3GPP access
New access-agnostic authentication framework
with improved home network control in roaming
scenarios
UE SEAF/AMF AUSF UDM/ARPF
Request to establisha signalling connection
Authentication Request
Authentication Request
Decision: Use EAP-AKA’
Authentication Response(AV with CK',IK')Authent Response (EAP-
Request/AKA'-Challenge)
Auth Request (EAP-Response/AKA'-Challenge)
Auth Confirmation Req
UDM: Store UE authentication status
Auth Confirmation Resp
EAP-RequestAKA'-Challenge
Auth Response(EAP-Success, KSEAF)
EAP-Success
EAP-ResponseAKA'-Challenge
Scaled up pictures in the backup
19 © Nokia Solutions and Networks 2019
Enhanced Subscription Privacy, User Plane Integrity Protection
IMSI catching (and thus subscriber location tracking) is possible in LTE(a deliberate decision in LTE)
Public
➢ Fully covered in 5G by Subscription Concealed Identity (SUCI)➢ However, there is also a “null scheme” (without encryption)
➢ Will some legislations prefer their law enforcement agencies remain capable of IMSI catching ?
No user plane integrity protection(a deliberate decision in LTE)
➢ Fully covered in 5G: Mandatory to support by network and UE➢ Not mandatory to use – not all traffic will require it
20 © Nokia Solutions and Networks 2019
Summary: 5G Security
Public
21 © Nokia Solutions and Networks 2019
Summary: Layers of Mobile Network Security in a 3GPP 5G System
Public
Network security not specified by 3GPP
3GPP-specified security architecture
VNF security Telco cloud security
New access-agnostic authentication framework
Enhanced subscription privacy and user plane protection
EAP-based “secondary authentication”
Security for service-based interfaces
Enhancements for interconnection security
Sound, robust implementations of the virtualization layer
(e.g. hypervisor) and the overall cloud platform software
Sound, robust, security aware implementation of the VNFs
Integrity (trust) assurance for both platform and VNFs
Perimeter security and traffic filtering by virtual firewalls
Logically or even physically separated security zones
Traffic separation by VLANs and wide area VPNs
Holistic, automated security management and orchestration
Automated, self-adaptive, intelligent security controls