- 5G Security Architecture Inherits 4G Security Architecture
Currently, 3GPP SA3 has developed 5G R16 security standards and is developing 5G R17 security standards. To ensure that 5G standards move ahead consistently at all technical levels, the 3GPP is developing security standards at the same pace as that of architecture and wireless standards. 5G R15 standards have defined security architectures and security standards for eMBB scenarios, covering Standalone (SA) and Non-Standalone (NSA) architectures. Based on the 5G R15 security architecture, 5G R16 and R17 standards will cover security optimization for mMTC and URLLC scenarios, and provide further enhancements to the security infrastructure.
The security architecture of mobile networks is hierarchical and classified by domain in design. The 5G security architecture contains the following security domains: network access security, network domain security, user domain security, application domain security, SBA security, and visibility and configurability of security, where SBA security is a new security domain in 5G. SBA security is the set of security features that enable network functions of the SBA architecture to securely communicate within the serving network domain and with other network domains. These features include network function registration, discovery, and authorization security aspects, as well as protection for service-based interfaces. An SBA forms the basis of the 5G core network. To ensure security between UEs in the SBA, security mechanisms such as Transport Layer Security (TLS) and Open Authorization (OAuth) are needed.
The 5G network inherits the 4G network security framework, but provides enhanced security features. The 5G access and core networks have clear boundaries. Even though some 5G core network functions (such as the User Plane Function [UPF]) are moving closer to applications, they are still part of the 5G core network and therefore comply with its traffic distribution policy. The access and core networks interconnect through standard protocols, support inter-vendor interoperability, and have standards-based security protection mechanisms.
- Security Hardening of 5G Standards over 4G Standards
The 5G SA network supports more security features to tackle potential security challenges in the future 5G lifecycle. 5G NSA and 4G networks share the same security mechanisms and work in standard and practice consistently to keep improving their security levels. R15 defined the following 5G security hardening features:
- Stronger air interface security: In addition to user data encryption on 2G, 3G, and 4G networks, the 5G SA architecture provides user data integrity protection to prevent user data from being tampered with.
- Enhanced user privacy protection: In 2G, 3G, and 4G networks, users’ permanent IDs (international mobile subscriber identities — IMSIs), are transmitted in plain text over the air interface. Attackers can exploit this vulnerability using IMSI catcher attacks to track users. In 5G networks, users’ permanent IDs (in this case, subscription permanent identifiers [SUPIs]) are transmitted in ciphertext to defend against such attacks.
- Better roaming security: Operators usually need to set up connections via third-party operators. Attackers can forge legitimate core network nodes to initiate Signaling System 7 and other attacks by manipulating third-party operators’ devices. 5G SBA defines Security Edge Protection Proxy (SEPP) to implement security protection for inter-operator signaling at the transport and application strata. This prevents third- party operators’ devices from tampering with sensitive data (e.g. key, user ID, and SMS) exchanged between core networks.
- Enhanced cryptographic algorithms: 5G R15 standards currently define security mechanisms such as 256-bit key transmission. Future 5G standards will support 256-bit cryptographic algorithms to ensure that such algorithms used on 5G networks are sufficiently resistant to attacks by quantum computers.
In R16 and R17, the existing security infrastructure was further optimized by enhancing SBA security, providing user-plane integrity protection for 5G NSA and 4G networks, and other means.
- Enhanced SBA security: The new SBA architecture of the 5G core network provides network functions as services. The relevant standard defines service security mechanisms for the architecture, including finer-grained authorization between network functions (NFs) and stronger protection for user-plane data transmission between operators, which ensures the security of data transmission on the signaling and user planes of the core network.
- User-plane integrity protection for 5G NSA and 4G networks: The user-plane integrity protection mechanism of 5G SA networks is introduced to 5G NSA and 4G networks to enhance air interface security.
Figure: 5G security hardening features
As standards evolve, 5G cyber security features continue to be expanded and enhanced to tackle potential security challenges and enhance security throughout the 5G lifecycle.
- Vertical Industries Empowered by 5G Standards Security
Based on R15’s basic security architecture, R16 and R17 provided diversified and customized security features for vertical industries, for example, security of small data transmission on IoT devices, security of redundant session transmission in URLLC, authentication and authorization for slices, and flexible authentication for multiple forms of private networks, to meet diversified security requirements of different industries and open up 3GPP security capabilities to third parties.
- Cellular Internet of Things (CIoT) data transmission security: Defined secure transmission and simplified mobility protection mechanisms for small data transmission to meet requirements for user data protection on IoT devices in unique small-scale data transmission scenarios. Redundant session transmission security: Defined equivalent user-plane security policies of the redundant session transmission mechanism to implement the same level of security protection for two user sessions during redundant transmission in high-reliability and low-latency scenarios.
- Slice access security: Defined the authentication and authorization process for slice access from UEs to meet vertical industries’ requirements for controllable user access and authorization when using 5G networks.
- Private network authentication security: Defined authentication modes in different enterprise private network forms to flexibly meet different industries’ authentication requirements. In the public network integrated non-public network (PNI-NPN), for example, in scenarios where a slice provided by the operator is used to access a private network, slice authentication can be used to authenticate and authorize access from vertical industry users. When the data network provided by the operator is used to access a private network, enterprises authenticate and authorize vertical industry users. For independent private networks, initial authentication modes (EAP framework) other than symmetric authentication are introduced for UEs.
- Security capability openness: Used the basic key provided on operators’ networks to protect the data transmission of third-party applications, and provided a security capability openness framework for third-party services to use operators’ networks. 5G networks provide mobile network services for more and more vertical industries. The security of 5G networks addresses potential security challenges to services.
- 5G Security Assessment Becoming Standardized
Cyber security assessment mechanisms shall follow globally accepted uniform standards to ensure that their operations are cost-effective and sustainable for the ecosystem. NESAS jointly defined by the GSMA and 3GPP has been used to assess the security of mobile network equipment.
It provides an industry-wide security assurance framework to improve security across the mobile industry. NESAS defines the security requirements and assessment framework for security product development and lifecycle processes, and uses security test cases in the Security Assurance Specifications (SCAS) defined by 3GPP to assess the security of network equipment. Currently, 3GPP has initiated security evaluation of multiple 5G network equipment, and major equipment vendors and operators are actively participating in the NESAS standard formulation. NESAS promotes security cooperation and mutual trust in the global mobile communications industry, and enables operators, equipment vendors, and other stakeholders to jointly promote 5G security construction. It provides customized, authoritative, efficient, unified, open, and constantly evolving cyber security assessment standards for the communications industry, and is a good reference for stakeholders such as operators, equipment vendors, and government regulators.
Huawei R&D focuses heavily on security throughout product development, adhering to the principle of security by design and security in process.
Cyber security activities built into the process are performed in strict compliance throughout the entire product lifecycle, so that security requirements can be implemented in each phase. Huawei R&D provides the Integrated Product Development (IPD) process to guide end to end (E2E) product development. Since 2010, Huawei has started to build cyber security activities into the IPD process according to industry security practices and standards such as OWASP’s Open Software Assurance Maturity Model (OpenSAMM), Building Security In Maturity Model (BSIMM), Microsoft Security Development Lifecycle (SDL), and NIST CSF as well as cyber security requirements of customers and governments. Such activities include security requirement analysis, security design, security development, security test, secure release, and vulnerability management. Check points are used in the process to ensure that security activities are effectively implemented in product and solution development.
This practice improves the robustness of products and solutions, enhances privacy protection, and ensures Huawei provides customers with secure products and solutions.
Report is from Huawei Uganda CSPO Mr. Kevin.
Do you have a story in your community or an opinion to share with us: Email us at editorial@watchdoguganda.com