5G standards and procedures have security deeply embedded by design. This is a complete departure from earlier generations of telecom networks.
In terms of security, the 5G core network is a complete transformation compared to legacy 4G networks.
In this note I explain the overall security architecture, which is globally agreed, standardized and being implemented.
Before we go deeper into 5G security, it is important to consider security at the perimeter of the cloud native infrastructure. If the perimeter itself is compromised, then irrespective of 2G, 3G, 4G or 5G, all other measures will be neutralized.
A popular analogy for this situation is a house whose front door (the perimeter) is left open while the other rooms are continuously monitored by cameras and sensors. The front door becomes a single point of failure.
5G takes the avoidance of single points of failure as a core requirement of its security design. Without it, the front-door problem would be amplified in 5G, especially when deploying IoT devices and MEC equipment, all of which sit in close proximity to third-party users.
For example, we will need to proliferate IoT devices at customer premises, where they are directly accessible and potentially vulnerable. This makes Non-IP Data Delivery (NIDD) a prerequisite for large-scale deployments in MMTC and IoT. NIDD is being built into the 5G standards under the MMTC banner.
This challenge was foreseen by the standards bodies when designing the specifications. An appliance- or tool-based approach to security is therefore not viable in 5G, as it would become a single point of failure in distributed deployments.
In the case of 5G, the concept of security extends far beyond network security or regular patching of operating systems. It is blended into the architecture, call flows and procedures in a highly distributed fashion with no single point of failure.
For 5G edge networks where uRLLC use cases are deployed, security has to be in the DNA of the network at every edge site, even at sites that may not be under the operator's direct control (e.g. private and enterprise 5G use cases).
External security appliances may not be feasible for uRLLC, as they may add latency to the 5G network right up to the gNodeB scheduler. uRLLC demands a resource TTI of 0.0125 milliseconds, and this latency budget has to be met.
1. NAS Security and the SUCI
Over the 5G NAS and radio interface, the permanent identity of the subscriber (which is burnt into the SIM) is carried only in encrypted form. This was not the case in 4G. Encrypting the Subscription Permanent Identifier (SUPI) yields the Subscription Concealed Identifier (SUCI); the concealment can be done either in the mobile device or in the SIM itself (which is under operator control).
This feature, absent from earlier standards, completely masks the customer's identity information in transit.
2. Public + Private Key Pairs, Authentication & Integrity Protection
The SUCI described above is decrypted by the home network using the public/private key pair held by the 5G UDM, depicted below:
Authentication requests from another network, including spurious or fraudulent ones, are checked by the 5G AUSF network function. The HPLMN thus controls the authentication of UEs by design.
The standards define multiple authentication mechanisms that follow one another during the call flows. Primary authentication has built-in home control, allowing the home operator to know whether the device is being authenticated in a given network and to take the final call on that authentication.
For roaming scenarios, the network assigns the 5G Globally Unique Temporary Identity (5G-GUTI), which identifies the mobile handset in lieu of the SUPI so that the latter never has to be sent over the air.
Full integrity protection is also supported in Standalone (SA) mode of the 5G network.
3. NAS Security
Non-Access Stratum (NAS) security procedures are defined as part of the NAS protocol itself and embedded by design in the call flows of 5G.
For example, considering the 5G CN nodes below, the security keys are managed in a distributed fashion and applied at different stages of the call flow, making the overall network extremely secure:
4. Security Anchor Function (SEAF) as part of the AMF
The 5G AMF can be co-located with the SEcurity Anchor Function (SEAF), which holds the root key (known as the anchor key) for the visited network.
The security architecture is defined in a future-proof fashion: it allows the security anchor to be separated from the mobility function in a future evolution of the system architecture.
5. The 5G Network Interconnect Protection (SEPP)
In the roaming and interconnect architecture, the home and the visited network are connected through the 5G Security Edge Protection Proxy (SEPP) for the control plane of the interconnect network.
This is known as the N32 PRINS (Protocol for Interconnect Security) architecture in 5G. The following algorithms are possible as part of this architecture:
a) A128CBC-HS256
b) A192CBC-HS384
c) A256CBC-HS512
d) A128GCM
e) A192GCM
f) A256GCM
6. Primary and Secondary Authentication
In 5G Phase 1, there are two mandatory authentication options: 5G Authentication and Key Agreement (5G-AKA) and EAP-AKA', i.e. the Extensible Authentication Protocol (EAP) variant of AKA'.
Optionally, other EAP-based authentication methods are also allowed in 5G for specific cases such as private networks.
Primary authentication is also independent of the radio access technology, so it can run over non-3GPP access such as IEEE 802.11 WLANs (Wi-Fi 6, for example).
Secondary authentication in 5G is meant for authentication with data networks outside the mobile operator domain. For this purpose, different EAP-based authentication methods and associated credentials can be used.
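To make the home-control property concrete (the AUSF taking the final call, as described in section 2, and the 5G-AKA option named here), the following is an added Python model of the 5G-AKA response check from TS 33.501 Annex A.4 and A.5; it is not code from the original article. RAND, RES, CK, IK and the PLMN in the serving network name are constructed sample values, and the MILENAGE/TUAK functions that would derive RES, CK and IK from the long-term key K are out of scope.

```python
import hashlib
import hmac

# Constructed sample values, not real credentials. In a real run, RES, CK and IK are the
# MILENAGE/TUAK f2/f3/f4 outputs that the USIM and the UDM/ARPF derive from K and RAND.
RAND = bytes.fromhex("00112233445566778899aabbccddeeff")
RES = bytes.fromhex("0123456789abcdef")
CK = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")
IK = bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f")
SNN = b"5G:mnc015.mcc234.3gppnetwork.org"  # serving network name (constructed PLMN)


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 Annex B KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 || ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # each Li is a 2-byte big-endian length
    return hmac.new(key, s, hashlib.sha256).digest()


def res_star(ck: bytes, ik: bytes, snn: bytes, rand: bytes, res: bytes) -> bytes:
    """TS 33.501 A.4: (X)RES* = 128 least significant bits of KDF(CK||IK, 0x6B, SNN, RAND, RES)."""
    return kdf(ck + ik, 0x6B, snn, rand, res)[16:]


def hres_star(rand: bytes, res_s: bytes) -> bytes:
    """TS 33.501 A.5: H(X)RES* = 128 least significant bits of SHA-256(RAND || (X)RES*)."""
    return hashlib.sha256(rand + res_s).digest()[16:]


def run_5g_aka(ue_ck: bytes, ue_ik: bytes, ue_res: bytes, ue_snn: bytes = SNN) -> tuple[bool, bool]:
    """Two-stage 5G-AKA check, returning (SEAF verdict, AUSF verdict). The SEAF only ever
    holds HXRES*, so it can check the UE's response but not forge it; the AUSF compares RES*
    to XRES* and takes the final call. The serving network name is bound into RES*."""
    # Home network (UDM/ARPF -> AUSF): XRES* never leaves home, only HXRES* goes to the SEAF.
    xres_star = res_star(CK, IK, SNN, RAND, RES)
    hxres_star = hres_star(RAND, xres_star)
    # UE/USIM: derives RES* from its own K-derived values and the network name it was given.
    ue_res_star = res_star(ue_ck, ue_ik, ue_snn, RAND, ue_res)
    # SEAF (visited network): first-stage check, HRES* against HXRES*.
    seaf_ok = hmac.compare_digest(hres_star(RAND, ue_res_star), hxres_star)
    # AUSF (home network): final decision, RES* against XRES*.
    ausf_ok = hmac.compare_digest(ue_res_star, xres_star)
    return seaf_ok, ausf_ok


if __name__ == "__main__":
    print("genuine UE      :", run_5g_aka(CK, IK, RES))
    print("wrong K (RES)   :", run_5g_aka(CK, IK, bytes(8)))
    print("wrong SNN at UE :", run_5g_aka(CK, IK, RES, b"5G:mnc001.mcc001.3gppnetwork.org"))
```

A UE with a wrong key or one that was handed a different serving network name fails at the SEAF already, while a genuine UE passes both stages.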
7. Network Topology Hiding — NRF
The 5G NRF hides the network topology of the service-based architecture during the network discovery procedures themselves, depending on the trust-domain configuration. This is a major enhancement compared to previous generations of networks.
8. Securing the CU-DU Split
For the gNodeB in CU-DU split architectures, both the E1 and F1 interfaces defined for the split are integrity and confidentiality (ciphering) protected in the standards.
This is important, as the CU and DU may be deployed in different physical locations, so the interface between them needs to be protected.
Apart from the 5G standards, the introduction of Segment Routing in the underlying IP network is a welcome addition.
Segment Routing simplifies the IP network design, especially for distributed deployments, and paves the way for programmatic control of the network through SDN, where an SDN controller can take the role of a Path Computation Entity (PCE).
This allows automated control over the paths provisioned in the network and reduces the risk of unwanted back-door entries into the network via an otherwise legitimate route, which can result from manual provisioning.