Page 1: Security aspects of NextGen System (5G)

Rajavelsamy R ([email protected])
10-9-2018

Page 2: Presentation Outline

5G Systems – Security Aspects (Snapshot of TS 33.501 : Phase-1)
– Architecture
– Security Areas
– Security Features
  • Authentication
  • Key Hierarchy
  • RAN and NAS Security
  • Mobility
  • NDS/IP
  • Service Based Architecture
  • Interworking
  • User Privacy
– Summary

Page 3: 5G Security Architecture

© Samsung Electronics. All Rights Reserved. Confidential and Proprietary.

Page 4: 5G Security Architecture

Page 5: Authentication Framework

Page 6: 5G Authentication Framework

Unified Authentication Framework
– To manage access security of multiple access technologies (3GPP and non-3GPP) in a unified manner
– The Unified Authentication Framework supports:
  • sharing the security context between different access technologies (the level of security is maintained)
  • reduced latency when adapting the security context to a different access technology
  • multiple types of security credentials (symmetric key (K), PKI (certificate), ...)
  • the Extensible Authentication Protocol (EAP) framework as one of the supported unified authentication methods

Page 7: 5G Authentication Framework

Authentication Methods
– EAP-AKA' and 5G-AKA are mandatory to support; EAP-TLS is optional to support/use (Phase-1)
– Primary authentication shall create a unified anchor key to protect the subsequent communication
– General EAP methods are supported for optional secondary authentication between a UE and an external data network

Security Functionalities
– Authentication Credential Repository and Processing Function (ARPF/UDM) (cf. AuC)
  • stores the long-term security credentials
  • resides in an operator's Home Network or a 3rd party system
– Authentication Server Function (AUSF) (cf. HSS, EAP Server)
  • interacts with the ARPF and terminates requests from the SEAF
  • resides in an operator's network or a 3rd party system
– Security Anchor Function (SEAF) (Authenticator)
  • receives the intermediate key from the AUSF
  • security anchor in the core network; SEAF and AMF are co-located
  • single anchor per PLMN for all access networks
– Security Context Management Function (SCMF)
  • derives further keys for securing the communication (AN specific)

Page 8: 5G AKA

Enhanced EPS AKA for more home control
– Useful in preventing certain types of fraud,
  • e.g. a fraudulent Update Location request for subscribers that are not actually present in the visited network
– 5G HE AV: RAND, AUTN, XRES*, and KAUSF
  • RES* = {CK, IK, RES, RAND, SN-ID}
– 5G AV: RAND, AUTN, HXRES*, and KSEAF
  • HRES* = {RES*, RAND}

(Figure: 5G AKA message flow between UE, SEAF (VPLMN), AUSF and UDM/ARPF (HPLMN))
  AUSF -> UDM/ARPF: Auth-info Req
  UDM/ARPF -> AUSF: Auth-info Resp (RAND, AUTN, XRES*, and KAUSF)
  AUSF -> SEAF: 5G-AIA (5G AV (RAND, AUTN, HXRES*, KSEAF))
  SEAF -> UE: Auth-Req (RAND, AUTN)
  UE -> SEAF: Auth-Resp (RES*)
  SEAF: HRES* = HXRES* ?
  SEAF -> AUSF: 5G-AC (RES*)
  AUSF: RES* = XRES* ?
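The two comparisons on the slide (HRES* = HXRES*? at the SEAF, RES* = XRES*? at the AUSF) are easy to misread as redundant. The point is that the visited network only ever receives a hash of the expected response, so it can reject a wrong UE locally but cannot itself produce a valid RES*, and the home network keeps the final say (the "home control" the slide refers to). The Python simulation below is an added example, not code from the presentation or from 3GPP: CK, IK, RES and RAND are constructed test values standing in for MILENAGE output, the serving network name format is assumed, and the FC value 0x6B and parameter order for RES* are taken from TS 33.501 Annex A.4/A.5 as the author of the example recalls them and should be checked against the spec.

```python
import hashlib
import hmac

# Constructed sample values standing in for the output of the USIM/ARPF
# authentication algorithm (MILENAGE is not implemented here). AUTN, KAUSF
# and KSEAF are left out because they play no part in the RES* checks.
CK = bytes.fromhex("0123456789abcdef0123456789abcdef")
IK = bytes.fromhex("fedcba9876543210fedcba9876543210")
RES = bytes.fromhex("00112233445566778899aabbccddeeff")
RAND = bytes.fromhex("a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5")
# Serving network name (the SN-ID on the slide); the string format is assumed.
SN_NAME = b"5G:mnc001.mcc001.3gppnetwork.org"


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256(key, FC||P0||L0||P1||L1||...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def res_star(ck: bytes, ik: bytes, sn_name: bytes, rand: bytes, res: bytes) -> bytes:
    """RES* / XRES* = 128 LSB of KDF(CK||IK, FC, SN name, RAND, RES).
    FC = 0x6B and the parameter order are taken from TS 33.501 Annex A.4 as the
    author of this example recalls them (assumption: verify against the spec)."""
    return kdf(ck + ik, 0x6B, sn_name, rand, res)[16:]


def hres_star(rand: bytes, res_s: bytes) -> bytes:
    """HRES* / HXRES* = 128 LSB of SHA-256(RAND || RES*) (TS 33.501 Annex A.5, same caveat)."""
    return hashlib.sha256(rand + res_s).digest()[16:]


def udm_arpf_he_av() -> dict:
    """HPLMN: the 5G HE AV carries XRES* (slide: RAND, AUTN, XRES*, KAUSF)."""
    return {"RAND": RAND, "XRES*": res_star(CK, IK, SN_NAME, RAND, RES)}


def ausf_5g_av(he_av: dict):
    """AUSF keeps XRES* at home and sends the SEAF only HXRES* in the 5G AV (5G-AIA)."""
    av = {"RAND": he_av["RAND"], "HXRES*": hres_star(he_av["RAND"], he_av["XRES*"])}
    return av, he_av["XRES*"]


def seaf_check(av: dict, res_s: bytes) -> bool:
    """VPLMN check: HRES* == HXRES*? Possible without ever seeing XRES*."""
    return hmac.compare_digest(hres_star(av["RAND"], res_s), av["HXRES*"])


def ausf_check(xres_s: bytes, res_s: bytes) -> bool:
    """HPLMN check on 5G-AC: RES* == XRES*? This is the home-control decision."""
    return hmac.compare_digest(xres_s, res_s)


def run_5g_aka(ue_res: bytes = RES):
    """Run the slide's exchange; ue_res lets the caller simulate a wrong UE response."""
    he_av = udm_arpf_he_av()                               # Auth-info Resp
    av, xres_s = ausf_5g_av(he_av)                         # 5G-AIA to the SEAF
    res_s = res_star(CK, IK, SN_NAME, av["RAND"], ue_res)  # UE: Auth-Resp (RES*)
    seaf_ok = seaf_check(av, res_s)                        # HRES* = HXRES* ?
    ausf_ok = seaf_ok and ausf_check(xres_s, res_s)        # 5G-AC, RES* = XRES* ?
    return seaf_ok, ausf_ok


def vplmn_view(av: dict) -> set:
    """Field names of the AV that the visited network ever receives."""
    return set(av)


if __name__ == "__main__":
    print("genuine UE :", run_5g_aka())
    print("wrong RES  :", run_5g_aka(bytes(16)))
```

Note the asymmetry in what each side holds: the SEAF's dictionary never contains XRES*, so a compromised or dishonest visited network cannot fabricate an authentication result that the AUSF would accept, which is exactly what stops the fraudulent Update Location case on the slide.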

Page 9: Key Hierarchy

– The ARPF stores the long-term key K
– During AKA, the ARPF generates key material from K
– The AUSF generates the anchor key KSEAF from the key material
– The AUSF may generate a further key KAUSF from the key material
– The SEAF receives KSEAF upon a successful primary authentication
– The SEAF generates KAMF from KSEAF immediately and hands it to the AMF
– The AMF generates the NAS keys KNASint and KNASenc and the access-specific keys:
  • the AMF shall generate KgNB and NH and transfer them to the gNB
  • the AMF shall generate KN3IWF and transfer it to the N3IWF
– The gNB generates further keys dedicated to protecting the 5G NR
– The N3IWF uses KN3IWF as the MSK for IKEv2 procedures

(Figure: 5G key hierarchy, UE side (USIM / ME) and network side (HPLMN / VPLMN))
  K (USIM / UDM-ARPF)
    5G AKA:   CK, IK   -> KAUSF (HPLMN)
    EAP-AKA': CK', IK' -> KAUSF (HPLMN)
  KAUSF -> KSEAF (SEAF, VPLMN) -> KAMF (AMF)
  KAMF -> KNASenc, KNASint (AMF)
  KAMF -> KgNB, NH (gNB) -> KRRCint, KRRCenc, KUPint, KUPenc
  KAMF -> KN3IWF (N3IWF)

Page 10: Security within NG-UE

Secure storage and processing of credentials and identities
– Agreed requirements for storage and processing of subscription credentials for Phase 1:
  • The subscription credential(s) shall be confidentiality and integrity protected within the NG-UE using a tamper resistant secure hardware component.
  • The authentication algorithm(s) that make use of the subscription credentials shall always be executed within the tamper resistant secure hardware component.
– The solutions for credential storage and processing shall be:
  • Removable UICC or Non-Removable UICC

Page 11: Cryptographic Algorithms

Cryptographic algorithms
– No new cryptographic algorithm or new input parameter for 5G in Phase-1
– EEA1, EEA2 and EEA3, with the same mandatory/optional rule as in LTE
– EIA1, EIA2 and EIA3, with the same mandatory/optional rule as in LTE
  • Note: the algorithms are given 5G specific names

Algorithm Identifier   Algorithm details
NEA0                   Null ciphering algorithm
128-NEA1               128-bit SNOW 3G based algorithm
128-NEA2               128-bit AES based algorithm
128-NEA3               128-bit ZUC based algorithm
NIA0                   Null integrity protection algorithm
128-NIA1               128-bit SNOW 3G based algorithm
128-NIA2               128-bit AES based algorithm
128-NIA3               128-bit ZUC based algorithm

Page 12: Control Plane and User Plane Security aspects

Page 13: Control Plane Security Aspects

(Figure: NAS Sec, UP Sec, AS Sec)

Control plane security between UE and network
– CP integrity is mandatory to support by 5G UEs and the 5G network,
  except for a well-defined list of exceptions in certain procedures.
– CP confidentiality is mandatory to support by 5G UEs and 5G networks.
  It should always be used where regulations permit.
– The AMF is the single security termination point for all NAS messages (MM and SM messages).

Page 14: User Plane Protection Mechanisms

User plane security between UE and network
– UP integrity is mandatory to support and optional to use by 5G UEs and 5G networks in 5G phase 1.
  • With the exception of a 5G UE which can only access EPC.
– It shall be possible to negotiate the use of UP protection between UEs and networks (Selective Protection).
  • Shall be determined by the network on a per-PDU-session basis.
– The UP security termination point is in the RAN, located in the PDCP layer.

(Figure: UE – NR – NG-Core – DN; six DRBs (DRB-1 to DRB-6) carried over NG3 connectivity and grouped into three PDU sessions: PDU Session 1 integrity protected and ciphered, PDU Session 2 no protection, PDU Session 3 ciphered)

Page 15: Security Aspects of Radio Access Network (Dual Connectivity - NSA)

Page 16: RAN Security Aspects

Security aspects of Dual Connectivity
– E-UTRA + NR dual connectivity
– Similar to LTE Dual Connectivity (E-UTRAN + E-UTRAN).

(Figure: E-UTRA + NR dual connectivity protocol stacks and bearer types. LTE eNB: PDCP, RLC, MAC; gNB: NR PDCP, NR RLC, NR MAC; MCG bearer, split bearer and SCG bearer; S1 towards the EPC, Xx between LTE eNB and gNB. Deployment views: EPC with LTE eNB (CP and UP) and gNB (UP); NGC with gNB (CP and UP))

Page 17: Mobility

Page 18: Key Handling during Mobility

– The source AMF derives a key K'AMF from KAMF for transfer to the target AMF set in inter-AMF mobility.
– If KgNB* is derived from the currently active KgNB, this is referred to as a horizontal key derivation.
– If KgNB* is derived from the NH parameter, the derivation is referred to as a vertical key derivation.
– NH parameters are only computable by the UE and the AMF.
– NH parameters are provided to gNBs from the AMF in such a way that forward security can be achieved.
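The key hierarchy slide (page 9) and the mobility slide above describe one derivation chain, so a single worked example serves both: it walks K material -> KAUSF -> KSEAF -> KAMF -> NAS keys / KgNB / KN3IWF, then shows why horizontal and vertical KgNB* derivations differ. Every NH step is keyed with KAMF, which a gNB never holds, so a gNB that knows the current KgNB (and the NH value it was given) cannot compute the next NH; a vertical derivation therefore gives the target cell a key the source gNB cannot reconstruct, which is the forward security the slide mentions. This is an added example by the editor, not code from the presentation or from 3GPP: CK, IK, SUPI and the serving network name are constructed values, and the FC values, parameter orders and type distinguishers are taken from TS 33.501 Annex A as recalled by the author of the example, so treat every constant as an assumption to verify against the spec.

```python
import hashlib
import hmac

# FC values, parameter orders and type distinguishers follow TS 33.501 Annex A as
# the author of this example recalls them; treat every constant below as an
# assumption to verify against the spec. The shape of the hierarchy is the point.
FC_KAUSF, FC_KSEAF, FC_KAMF = 0x6A, 0x6C, 0x6D
FC_ALG_KEY, FC_KGNB, FC_NH, FC_KGNB_STAR = 0x69, 0x6E, 0x6F, 0x70
ACCESS_3GPP, ACCESS_NON_3GPP = b"\x01", b"\x02"

# Constructed sample inputs (no MILENAGE: CK, IK are fixed test values).
CK = bytes.fromhex("0123456789abcdef0123456789abcdef")
IK = bytes.fromhex("fedcba9876543210fedcba9876543210")
SQN_XOR_AK = bytes.fromhex("000000000001")
SN_NAME = b"5G:mnc001.mcc001.3gppnetwork.org"   # serving network name (assumed format)
SUPI = b"imsi-001010123456789"                   # constructed subscriber identity
ABBA = b"\x00\x00"


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256 over FC||P0||L0||P1||L1||..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_hierarchy(ck: bytes, ik: bytes, sn_name: bytes, supi: bytes, ul_nas_count: int = 0) -> dict:
    """Walk the slide's chain: key material -> KAUSF -> KSEAF -> KAMF -> NAS keys, KgNB, KN3IWF."""
    k_ausf = kdf(ck + ik, FC_KAUSF, sn_name, SQN_XOR_AK)   # ARPF/AUSF, HPLMN
    k_seaf = kdf(k_ausf, FC_KSEAF, sn_name)                # AUSF -> SEAF, VPLMN
    k_amf = kdf(k_seaf, FC_KAMF, supi, ABBA)               # SEAF -> AMF
    keys = {"KAUSF": k_ausf, "KSEAF": k_seaf, "KAMF": k_amf}
    # NAS keys: 256-bit KDF output, the 128-bit keys are the 128 LSB; algorithm id 1 assumed.
    for alg_type, name in ((b"\x01", "KNASenc"), (b"\x02", "KNASint")):
        keys[name] = kdf(k_amf, FC_ALG_KEY, alg_type, b"\x01")[16:]
    count = ul_nas_count.to_bytes(4, "big")
    keys["KgNB"] = kdf(k_amf, FC_KGNB, count, ACCESS_3GPP)        # handed to the gNB
    keys["KN3IWF"] = kdf(k_amf, FC_KGNB, count, ACCESS_NON_3GPP)  # handed to the N3IWF
    return keys


def nh_chain(k_amf: bytes, k_gnb: bytes, hops: int) -> list:
    """NH_1 = KDF(KAMF, KgNB), NH_n = KDF(KAMF, NH_n-1). Every step needs KAMF,
    which is why only the UE and the AMF can compute NH values."""
    nh, chain = k_gnb, []
    for _ in range(hops):
        nh = kdf(k_amf, FC_NH, nh)
        chain.append(nh)
    return chain


def kgnb_star(parent: bytes, pci: int, arfcn_dl: int) -> bytes:
    """KgNB* for a target cell; parent is the active KgNB (horizontal) or an NH (vertical)."""
    return kdf(parent, FC_KGNB_STAR, pci.to_bytes(2, "big"), arfcn_dl.to_bytes(3, "big"))


def handover_keys(k_amf: bytes, k_gnb: bytes, pci: int, arfcn_dl: int) -> dict:
    """Both derivations for the same target cell, as the network and the UE would compute them."""
    nh1 = nh_chain(k_amf, k_gnb, 1)[0]
    return {"horizontal": kgnb_star(k_gnb, pci, arfcn_dl),
            "vertical": kgnb_star(nh1, pci, arfcn_dl)}


if __name__ == "__main__":
    ks = derive_hierarchy(CK, IK, SN_NAME, SUPI)
    for name, key in ks.items():
        print(f"{name:8s} {key.hex()}")
    hk = handover_keys(ks["KAMF"], ks["KgNB"], pci=123, arfcn_dl=640000)
    print("horizontal KgNB*", hk["horizontal"].hex())
    print("vertical   KgNB*", hk["vertical"].hex())
```

Two properties worth checking when reviewing such a derivation: the serving network name enters KAUSF and KSEAF, so the same subscriber authenticating towards a different network ends up with different anchor keys (no cross-network key reuse), and `kgnb_star` takes only the parent key and target cell identity, so the security of the result rests entirely on whether the parent is a key the source gNB knows (horizontal) or one it cannot derive (vertical).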

Page 19: User Privacy

Page 20: Privacy in 5G

From LTE to 5G – IMSI catcher attacks no longer possible

(Figure: TR 33.899, Figure 5.7.3.2.1-1: Various points where IMSI and MSISDN are exposed in a current LTE system)

Page 21: Subscriber Identifier Privacy

Concealing the permanent or long-term subscription identifier (SUPI)
– A privacy preserving solution is specified for a 5G core network (both 3GPP and non-3GPP access).
  • This implies that the gNB and eLTE eNB shall be prepared to transport a privacy-enabled identifier.
– Subscription identifier privacy shall be based upon an HN asymmetric key solution.
– The Subscription Concealed Identifier (SUCI) includes partially encrypted SUPI data.
– The Subscription Identifier De-concealing Function (SIDF) is defined for obtaining the SUPI out of the SUCI.

(Figure: SIDF maps SUCI to SUPI)
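"Partially encrypted SUPI data" and "HN asymmetric key solution" are the two design points on this slide, and they are easier to see in code than in prose: the UE keeps the home network routing part of the identifier in clear, encrypts only the subscriber-specific MSIN under a key agreed with the home network's public key using a fresh ephemeral key pair, and only the SIDF holding the private key can undo it. The example below, written by the editor and not taken from the presentation or from 3GPP, follows the shape of the ECIES scheme of TS 33.501 Annex C (Curve25519 key agreement, ANSI X9.63 KDF with SHA-256, 8-byte MAC tag) with two substitutions that are assumptions of the example: the X25519 scalar multiplication is a pure-Python RFC 7748 ladder kept here so the block runs without third-party packages (it is not constant time), and because the standard library has no AES, the AES-128-CTR step is replaced by a SHA-256 based counter-mode keystream of the same shape. The IMSI, routing indicator and the dictionary layout of the SUCI are constructed for the example.

```python
import hashlib
import hmac
import os

# --- X25519 (RFC 7748) in pure Python; illustration only, not constant time ---
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder scalar multiplication on Curve25519."""
    s = int.from_bytes(k, "little") & ~7          # clamp: clear the low 3 bits
    s = (s & ((1 << 255) - 1)) | (1 << 254)       # clear bit 255, set bit 254
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (s >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow((da + cb) % P, 2, P), x1 * pow((da - cb) % P, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def x963_kdf(z: bytes, shared_info: bytes, out_len: int) -> bytes:
    """ANSI X9.63 KDF with SHA-256, the KDF TS 33.501 Annex C names for ECIES."""
    out, counter = b"", 1
    while len(out) < out_len:
        out += hashlib.sha256(z + counter.to_bytes(4, "big") + shared_info).digest()
        counter += 1
    return out[:out_len]


def ctr_xor(key: bytes, icb: bytes, data: bytes) -> bytes:
    """Stand-in for AES-128-CTR (the standard library has no AES): a counter-mode
    keystream from SHA-256(key || ICB || block index). Same shape, not the real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + icb + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], ks))
    return bytes(out)


def conceal(imsi: str, mnc_len: int, routing_ind: str, hn_pub: bytes, hn_key_id: int,
            eph_priv: bytes = None) -> dict:
    """UE side: build a SUCI from an IMSI-based SUPI. Only the MSIN is encrypted; MCC, MNC,
    routing indicator, scheme id and key id stay in clear so the VPLMN can route it home."""
    mcc, mnc, msin = imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]
    eph_priv = eph_priv or os.urandom(32)         # fresh per SUCI: unlinkable across attaches
    eph_pub = x25519(eph_priv, BASEPOINT)
    km = x963_kdf(x25519(eph_priv, hn_pub), eph_pub, 64)
    enc_key, icb, mac_key = km[:16], km[16:32], km[32:]
    ct = ctr_xor(enc_key, icb, msin.encode())
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()[:8]
    return {"type": "imsi", "mcc": mcc, "mnc": mnc, "routing_indicator": routing_ind,
            "scheme_id": 1, "hn_key_id": hn_key_id, "scheme_output": eph_pub + ct + tag}


def sidf_deconceal(suci: dict, hn_priv: bytes, hn_key_id: int) -> str:
    """HPLMN side (SIDF): recover the SUPI. Only the holder of the HN private key can."""
    if suci["scheme_id"] != 1 or suci["hn_key_id"] != hn_key_id:
        raise ValueError("unknown protection scheme or home network key id")
    out = suci["scheme_output"]
    eph_pub, ct, tag = out[:32], out[32:-8], out[-8:]
    km = x963_kdf(x25519(hn_priv, eph_pub), eph_pub, 64)
    enc_key, icb, mac_key = km[:16], km[16:32], km[32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest()[:8], tag):
        raise ValueError("SUCI MAC check failed")
    return suci["mcc"] + suci["mnc"] + ctr_xor(enc_key, icb, ct).decode()


if __name__ == "__main__":
    hn_priv = os.urandom(32)                      # constructed home network key pair
    hn_pub = x25519(hn_priv, BASEPOINT)
    suci = conceal("001010123456789", 2, "0000", hn_pub, hn_key_id=1)
    print("SUCI over the air:", {k: (v.hex() if isinstance(v, bytes) else v) for k, v in suci.items()})
    print("SIDF recovers    :", sidf_deconceal(suci, hn_priv, 1))
```

Two observations follow from running it: the same SUPI produces a different `scheme_output` on every attach because the ephemeral key is fresh, which is what defeats the IMSI-catcher linkage of the previous slide, and the gNB or VPLMN only ever needs the clear-text MCC/MNC and routing indicator to forward the SUCI, so nothing in the visited network has to be trusted with the subscriber identity.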

Page 22: Steering of Roaming

Page 23: Steering of Roaming during Registration procedure

(Figure: message flow between UE, gNB and AMF in the VPLMN and AUSF and UDM in the HPLMN; the SoR list passes UDM -> AUSF -> UDM -> AMF -> UE, shown as {SoR List} once protected)

Flow:
1. Registration Request
2. Get Subscriber Data (after Authentication, KAUSF derivation)
3. UDM retrieves the SoR list
4. Request AUSF for SoR list protection
5. AUSF applies protection
6. AUSF provides Security info of the protected SoR list
7. Subscriber Data Response includes protected SoR list
8. Registration Accept includes protected SoR list
9. UE verifies the integrity and performs the PLMN selection procedure

– HPLMN – UE security association: Key KAUSF
– New AUSF service: SoR list protection
– USIM configuration indicates to the UE that it should expect an SoR list
– Mandatory IE, if CP SoR is configured by the HPLMN
– If the SoR list is removed/modified, the UE moves out under suspicion
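The last three bullets describe the UE-side checks that make control-plane steering of roaming useful against an uncooperative visited network: the list is integrity protected with a key only the HPLMN and the UE share (KAUSF), the USIM tells the UE whether a list must be present, and a missing or modified list is grounds for leaving the VPLMN. The block below is an added example by the editor, not code from the presentation or from 3GPP; it models the AUSF protection service and the UE verification as a small state machine with a replay counter. The FC value for the SoR MAC is taken from TS 33.501 Annex A as recalled by the author of the example and is an assumption to verify, and the IE layout, header byte and PLMN-list encoding are simplified constructions for the example.

```python
import hashlib
import hmac

# The FC value for the SoR MAC is taken from TS 33.501 Annex A as the author of
# this example recalls it and is an assumption to verify; the IE layout and
# the PLMN list encoding are simplified and constructed for the example.
FC_SOR_MAC = 0x77
K_AUSF = bytes.fromhex("11" * 32)   # constructed KAUSF, shared by HPLMN and UE after primary authentication
SOR_LIST = [("00102", "NR"), ("00103", "E-UTRA")]   # constructed home-operator preference list


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256 over FC||P0||L0||P1||L1||..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def encode_list(plmn_list) -> bytes:
    """Constructed byte encoding of (PLMN ID, access technology) pairs."""
    return b"".join(f"{plmn}/{tech};".encode() for plmn, tech in plmn_list)


def ausf_protect(k_ausf: bytes, counter: int, plmn_list, ack_requested: bool = False) -> dict:
    """The new AUSF service of the slide: bind the SoR list to KAUSF and a counter."""
    header = bytes([int(ack_requested)])
    mac = kdf(k_ausf, FC_SOR_MAC, header, counter.to_bytes(2, "big"), encode_list(plmn_list))[16:]
    return {"header": header, "counter": counter, "list": list(plmn_list), "mac": mac}


class UE:
    def __init__(self, k_ausf: bytes, expects_sor: bool):
        self.k_ausf = k_ausf
        self.expects_sor = expects_sor   # the USIM configuration of the slide
        self.last_counter = -1           # replay protection across registrations

    def on_registration_accept(self, sor_ie):
        """Returns (ok, reason). ok=False means the UE treats the VPLMN as suspicious."""
        if sor_ie is None:
            if self.expects_sor:
                return False, "expected SoR IE missing (removed by VPLMN?)"
            return True, "no SoR IE and none expected"
        if sor_ie["counter"] <= self.last_counter:
            return False, "replayed SoR IE"
        expected = kdf(self.k_ausf, FC_SOR_MAC, sor_ie["header"],
                       sor_ie["counter"].to_bytes(2, "big"), encode_list(sor_ie["list"]))[16:]
        if not hmac.compare_digest(expected, sor_ie["mac"]):
            return False, "SoR MAC check failed: list modified"
        self.last_counter = sor_ie["counter"]
        return True, "SoR list verified"


if __name__ == "__main__":
    ue = UE(K_AUSF, expects_sor=True)
    ie = ausf_protect(K_AUSF, counter=1, plmn_list=SOR_LIST)
    print("genuine :", ue.on_registration_accept(ie))
    forged = ausf_protect(K_AUSF, 2, SOR_LIST)
    forged["list"] = [("00199", "NR")]      # VPLMN rewrites the list, cannot fix the MAC
    print("modified:", ue.on_registration_accept(forged))
    print("removed :", ue.on_registration_accept(None))
```

The VPLMN relays the IE but holds neither KAUSF nor the counter state, so the three failure modes the slide cares about (list removed, list modified, old list replayed) all end in the UE refusing to treat the registration as clean; a UE whose USIM is not configured for CP SoR simply accepts the absence of the IE.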

Page 24: Network Domain Security

Page 25: Network Domain Security (NDS/IP)

– Security for the IP based control plane between network elements that reside in different security domains
– Supports both a PKI based security mechanism (TS 33.310) and a pre-shared key mechanism (TS 33.210)
– A Security Gateway (SEG) sits at the edge of the security domain
– Security protocols: IPsec and TLS based

Page 26: Backhaul Security

Security features for AN-CN interfaces
– Confidentiality and integrity are mandatory to support on N2 for CP.
  • The use of confidentiality and integrity is mandatory unless N2 is secured by physical means.
  • If confidentiality and integrity are used, the solution shall follow the principles of TS 33.210 (NDS/IP).
  • Support by the gNB for the certificate enrolment procedure as specified in TS 33.310 is mandatory.
– Confidentiality and integrity are mandatory to support on N3 for UP.
  • For deployments where UP security does not terminate in a secure location and the N3 interface is not secured by physical means, the use of confidentiality and integrity is mandatory on N3.

Page 27: Security for Service Based Architecture (SBA)

Page 28: Architecture for SBA

(Figure: Service Based Architecture with Security Edge Protection Proxy (SEPP) in roaming scenarios)

Page 29: Service Based Architecture

The Service Based Architecture (SBA) uses the following set of protocols:
– HTTP/2 (see IETF RFC 7540) as the application layer protocol for the service based interfaces;
– TCP (see IETF RFC 793) as the transport layer protocol;
– JSON (see IETF RFC 7159) as the serialization protocol to carry information elements (IEs).

Service-based interfaces are based on RESTful APIs.

Most interfaces between core network nodes in 5G will be service-based
– In 4G, the corresponding interfaces were based on DIAMETER or GTP
– In 5G, some interfaces will remain GTP-based
  • e.g. the N3 interface between RAN and UPF, and the N26 interface for interworking with the MME

This feature covers the following types of interfaces:
– Intra-domain service-based interfaces between NFs
– Inter-domain service-based interfaces between NFs which use IPX based networks between different PLMNs (i.e. the roaming interface between visited PLMN and home PLMN networks)

Page 30: Problem with IPX in 4G roaming interfaces

IPX is the interconnection network between operators

In 4G, intermediate DIAMETER Edge Agents (DEAs)/Routing Agents (DRAs) modify headers and AVPs
– Therefore no e2e security by IPsec or TLS is possible in general
– The NDS/IP model of 3GPP TS 33.210 is not applicable either
– Major security hole in 4G (and earlier generations), as user information is available in clear text across IPX networks

GSMA – DESS subgroup
– Working on application layer e2e security for selected DIAMETER AVPs to overcome this problem

In addition, DEAs are not present in 3GPP specs; 3GPP never worked on this problem
– 3GPP specs are not relevant for interconnection network security in 4G

Page 31: Architecture considerations for SBA

Inter-domain interconnect networks
– Confidentiality and integrity are provided at the edge of the operator's network (DESS recommendation)
– SEPP (Security Edge Protection Proxy) is used as the edge network element
– Application layer security is implemented at the edge, i.e. the HTTP body is protected at the Edge Proxy

(Figure: AMF and AUSF of SP1 – SP1 Edge Proxy – IPX – SP2 Edge Proxy – AMF and AUSF of SP2)

Intra-domain service based interfaces
– No need for an edge proxy
– NFs communicate directly with each other
– Transport layer security needed

Page 32: Key decisions taken for SBA security work in Phase 1

Application layer security is needed between two NFs residing in different PLMNs
– i.e. a mechanism is needed to protect JSON based information elements

Application layer security is implemented at the edge, in the SEPP

There is no support for IPX operators to modify/update/add HTTP headers or payload

Protection for SBI traffic will include the following:
– Integrity protection of ALL IEs
– Confidentiality protection (encryption) of authentication vectors
  • which contain the CK and IK keys used in AKA based primary authentication

Service access authorization is needed for the NF consumer to obtain service from the NF producer

Transport layer security may be used between two NFs within an operator domain

Need to support service discovery across PLMNs
– This means that if the SEPP is providing topology hiding, direct access to NFs in the other PLMN is not possible, and the SEPP in the other PLMN will act as proxy for all service accesses terminating in that PLMN

Page 33: Security for Interworking with 4G

Page 34: Overview

– The N26 interface is an inter-CN interface between the MME and AMF.
  • It is used to transfer context information between the source and target network.
– Networks that support interworking with EPC may support interworking procedures that use the N26 interface or interworking procedures that do not use the N26 interface.
– In the following slides we look at interworking with the N26 interface (for SR-mode UEs).

Page 35: Interworking with N26 interface

A UE that supports both 5GC NAS and EPC NAS can operate in:
– Single-registration mode: the UE either connects to 5GC or connects to EPC
– Dual-registration mode: the UE can independently register with 5GC and EPC.
  • The UE may be registered to 5GC only, EPC only, or to both EPC and 5GC

Support of SR mode is mandatory for UEs that support both 5GC NAS and EPC NAS.

Mobility using N26
– Idle-mode mobility between EPC and 5GC
– Connected-mode mobility (inter-system handover) between EPC and 5GC

Mobility without N26
– Only inter-system handover between EPC and 5GC is supported

It's mandatory in phase 1 to support interworking with a legacy MME
– The legacy MME sees N26 as an S10 interface; it does not know that it is talking to an AMF on the other side

Security for interworking will largely follow the security mechanism for MME <-> MME scenarios

Page 36: Security for interworking

Security impact during each of the four mobility scenarios with N26
– Idle mode mobility from 5GC to EPC
– Idle mode mobility from EPC to 5GC
– Inter-system handover from EPC to 5GC
– Inter-system handover from 5GC to EPC

No security impact for mobility scenarios without N26
– In principle, lack of N26 means that the UE has to register with the target network with full authentication and key establishment.

The idea is to avoid authentication when moving into a target network:
new keys are generated in the target network based on the source network key (obtained via N26).

Page 37: Security for interworking

Basic principle behind idle mode mobility (taking 4G to 5G as an example):
– The idle mode UE initiates a request (Registration Request) to the target network (5G) with a 4G TAU Request embedded in the message. The TAU Request is integrity protected with the existing 4G security context.
– The target network (AMF) requests context info from the source network (MME). The request includes the TAU Request message.
– The source network (MME) verifies the TAU Request and provides its master key K-ASME.
– The target network (AMF) creates a mapped 5G security context from K-ASME.
– The AMF triggers the NAS SMC procedure with the UE.
– The UE creates a mapped 5G security context from K-ASME.

Basic principle behind inter-system handover (taking 4G to 5G as an example):
– The source network (eNB) initiates the handover.
– The source network (MME) provides security context info to the target network (AMF).
– The target network (AMF) derives keys (AS and NAS) from the source network (MME) key and updates the gNB.
– The Handover Command to the UE (sent by the source network) triggers the UE to derive the required AS and NAS keys.
– The UE sends HO Complete. This activates AS security in the gNB; the gNB-to-AMF Handover Notify activates NAS security in the AMF.

Page 38: Snapshot on 5G security Agreements

Page 39: Snapshot on 5G security

(Figure: NAS Sec, UP Sec, AS Sec and NDS/IP Interface)

Page 40: 4G vs 5G Security Aspects

Security Feature | 4G | 5G
Access agnostic authentication | Not access agnostic | Unified authentication for all accesses
Authentication credentials | Only AKA credentials | AKA credentials, or certificate for IoT/private networks (optional, informative annex)
Authentication protocol | EPS-AKA over 4G NAS | 5G-AKA over 5G NAS, or EAP-AKA'/EAP-TLS over 5G NAS
Security platform for authentication credentials | UICC | UICC or non-removable UICC
Home control for authentication | Not supported | Supported (the HPLMN is involved in authentication and holds a key)
Integrity protection of UP traffic | Not supported | Supported (optional to use)
Security of UP traffic | Enabled/disabled for all DRBs | Per-PDU-session selective protection
Subscription identity protection | IMSI is not protected if there is no security context | SUPI is always protected using asymmetric cryptography
Network domain security | IPsec (point-to-point architecture) | TLS/application layer protection (SBA)
Steering of roaming | OTA based (optional to support) | New native solution using the control plane (mandatory to implement and optional to use) + OTA based (optional to support)
Protection of northbound APIs | Fragmented security mechanisms | CAPIF

Page 41: Thank You