5G networks - a look into security controls

The sum of the whole is greater than the individual parts put together.

This is the mantra when it comes to mobile security. As one does not lose sight of the forest against the trees, the network is as strong when it's individually and collectively secured. In building the security standards, global organizations such as 3GPP, ETSI, IETF, and ISO have joined hands in getting the security standards done in the right way.

This brief article is going to investigate the key security enhancements into 5G.

In any system, the most important component is the authentication piece. The authentication framework in 5G will be flexible and robust, allowing different sets of credentials besides the SIM cards; enhancing subscriber privacy features by mitigating the IMSI catcher issue that’s been long plaguing the networks. Additional layer security for higher protocol is implemented on the new service interfaces as well as integrity protection of user data over the air interface to further strengthen confidentiality.

Inheritance from the former standards

While the earlier standards were never so focused on security, there were incremental improvements on the network requirements, starting from 3G. These functionalities were bought forward, in tandem with implementing new features specific to 5G. Hence, you will find features that are bought forward and implemented as part of 5G.

Sets of mechanism

The network access security mechanism is contained in the first set. The first set contains security features that provide users with secure access to services through the User Equipment (UE/phone) and is protected against threats facing the air interface, between the US and the radio node (known as eNodeB on LTE and gNB on 5G)

The second set of mechanisms contains the network domain-related security mechanisms. This contains features that enable nodes to securely exchange network signaling data and user data between the network elements (i.e. radio nodes and core network nodes).

A simplified version of the security architecture of LTE and 5G, showing the grouping of network components/entities that need to be secured in the Home/Local and Visited/Foreign Network and all the links that must be secured.

New Authentication Framework

In the review of 3GPP networks, the access authentication, which holds the key central security procedure in all network generations. This is known as primary authentication in the 5G security standards. This procedure is typically performed during the initial registration, known as initial attach in the previous network generations, happens when a UE/device is turned on for the first time.

Once successfully authenticated, the session keys are established. This session key is used to protect the communications between the UE and the network. The authentication procedure has been designed to support EAP, a protocol standardized by IETF. EAP is used extensively, even in implementations of IEEE802.11 (aka WiFi).

The benefit of using this protocol is that it allows the use of different credentials and supplicants, extending beyond the traditional SIM approach. This includes digital certificate (X.509), preshared keys, and even a username/password pair. This provides flexibility for use cases beyond the typical mobile-based approach into a seamless, beyond industry and better proliferation into the IoT networking.

EAP also allows secondary authentication, where this function is performed for authorization during the set-up of user-plane connections. Use cases include establishing phone calls, surfing the web, and even delegating to third-party authorization for OTT services such as streaming, or social media validations. Extension of authentication from the network provider allows seamless user experience as well as providing secure credentials for supporting services.

Enhanced privacy

The previous generation of networks had many issues surrounding the privacy of subscribers. This includes attacks originating from fake base stations, popularly known as IMSI catchers or Stingray devices.A simplified version of the security architecture of LTE and 5G, showing the grouping of network components/entities that need to be secured in the Home/Local and Visited/Foreign Network and all the links that must be secured.

New Authentication Framework

In the review of 3GPP networks, the access authentication, which holds the key central security procedure in all network generations. This is known as primary authentication in the 5G security standards. This procedure is typically performed during the initial registration, known as initial attach in the previous network generations, happens when a UE/device is turned on for the first time.

Once successfully authenticated, the session keys are established. This session key is used to protect the communications between the UE and the network. The authentication procedure has been designed to support EAP, a protocol standardized by IETF. EAP is used extensively, even in implementations of IEEE802.11 (aka WiFi).

The benefit of using this protocol is that it allows the use of different credentials and supplicants, extending beyond the traditional SIM approach. This includes digital certificate (X.509), preshared keys, and even a username/password pair. This provides flexibility for use cases beyond the typical mobile-based approach into a seamless, beyond industry and better proliferation into the IoT networking.

EAP also allows secondary authentication, where this function is performed for authorization during the set-up of user-plane connections. Use cases include establishing phone calls, surfing the web, and even delegating to third-party authorization for OTT services such as streaming, or social media validations. Extension of authentication from the network provider allows seamless user experience as well as providing secure credentials for supporting services.

Privacy considerations and implementation

The previous generation of networks had many issues surrounding the privacy of subscribers. This includes attacks originating from fake base stations, popularly known as IMSI catchers or Stingray devices.

File picture of Stingray device

The new measures have made it impractical for fake base stations to identify and trace subscribers by using conventional methods such as passive eavesdropping or active probing of permanent and temporary identifiers (SUPI and GUTI in 5G).

Together with these improvements, 5G makes it much more difficult for attackers to correlate protocol messages and identify a single subscriber. This is due to a limited set of information is sent in cleartext even during the initial attach protocol message. The rest, of course, is hidden. Another improvement is a general framework for detecting fake base stations, which is based on the radio state information reported by UE in the open, make it difficult for fake base stations to remain undetected.

Interconnect and Service based architecture security

A paradigm shift has been bought about by 5GT to the mobile networks, moving from the classical model of point-to-point interfaces between network functions into a Service-based Interface (SBI) model. In an SBA, different functionalities of a network entity are refactored into services exposed and offered on-demand to other network entities.

SBA has also pushed for greater protection at higher protocol layers (e.g. transport and application), in addition to the protection of the communications between core network elements at the IP layer (usually done through IPsec). Hence, the 5G core network function supports the latest and greatest security protocols such as TLS1.2 and TLS1.3 to protect communications at the transport layer and OAUTH 2.0 framework at the application layer to ensure that only authorized network functions are granted access to a service offered by another function. This sees the move away from traditional mobile-only protocols and methods, into a more standardized universal approach towards security.

3GPP SA3

The SGPP SA3 provides many improvements towards interconnect security(i.e. security between different operator networks) consist of 3 building blocks:

1. A new network function called the security edge protection proxy (SEPP) was introduced in the 5G architecture. All signaling traffic across operator networks are expected to transit through these proxies.
2. Authentication between SEPPs is required. This enables effective filtering of traffic coming from interconnect.
3. A new application layer security solution on the N32 interface between the SEPPs was designed to provide protection of sensitive data attributes while still allowing mediation services through the interconnect.

The main component of the SBA security is authentication and transport protection between different network functions using TLS, authorization frameworks utilizing OAUTH2.0 coupled with improved interconnect security designed by 3GPP.

5G roaming scenario using the service-based architecture (simplified)

User plane integrity protection

Integrity protection of the UP (user plane) between the UE and the gNB was introduced as a new feature. The support t of integrity protection, like the encryption feature, is mandatory on both the devices and the gNB while the use is optional and under the control of the operator.

It is well understood that integrity protection is resource-demanding and that not all devices will be able to support it at the full data rate. Therefore, the 5G network allows the negotiation of the rates which are suitable for the feature. For example, if the device indicates 64kbps as the maximum data rate for integrity-protected traffic, then the network only turns on the integrity protection for the UP connections where data rates are not expected to go over the 64 kbps limit.

Summary

5G has been a huge step up, with 3GPP and all other bodies working together hand in hand to improve the security posture of this new generation network. Adoption of existing security protocol across standards body shows that the networks have been built with security considerations in mind, a good and right step forward.  

Acronyms

• UE - User equipment aka the phone/tablet
• UP - User plane
• eNB - eNode B
• gNB - next generation node B
• kbps - kilo bits per second
• TLS - transport layer security
• ETSI - European Telecommunications Standards Institute
• IETF - Internet Engineering Task Force
• SIM - Subscriber Identity Module
• EAP - Extensible Authentication Protocols

Further reading

1. Marcin Dryjanski - Why is 5G complex - https://www.dhirubhai.net/pulse/nr-gnb-ng-ran-5gc-why-5g-complex-marcin-dryjanski/
2. Pictures courtesy of E//

This article was originally published at https://www.drsuresh.net/2021/05/5g-security-primer/