Security in 5G Networks

Presented by
 Communications
•
Security
Security means preventing unauthorized access to
messages
• communications infrastructure resources
while still providing the communications service between intended parties
Privacy means protecting a user’s
• identity
• location
• personal data
A threat is a method to breach security or privacy
• denial of service (DoS) to the user
• theft of service by an unauthorized user
• access/modification to information by an unauthorized user
• control of restricted resources by an unauthorized user
• physical damage to resources
Trust is the degree to which we believe that an entity will behave
according to policy and not exploit threats
Security history
In the beginning the model was trust everyone
In the 1990s the model changed to soft on the inside, hard on the outside
trust employees and colleagues but not outsiders
which led to development of access policies, firewalls, etc.
Today standard operation procedures dictate
• trust no-one
• constantly monitor everything
• pro-actively search for vulnerabilities
and utilizing multiple layers of protection
Trust through the
generations 2G/3G
In 2G trust is required (and attained using a SIM)
• of the UE by the network(s)
in order to avoid the threat of theft of service SN
However, it is assumed that
• the UE trusts the network
• the threat of eavesdropping on the air interface is acknowledged
but assumed that simplistic encryption is enough to handle this issue
Trust is assumed
• inside any mobile network
• between Serving Network and Home Network (or any other mobile network)

In 3G it is no longer assumed that the UE can trust the network

(due to the possibility of fake base stations)
and the encryption of the air interface was strengthened (but still botched)
Trust through the generations 4G
In 4G there are more actors
• UEs
• serving network
• home network
• transport networks (e.g., in the RAN) SN
• other networks (3GPP and non-3GPP)
and the assumptions are
• UEs and networks have mutual lack of trust
• user privacy must be respected must prevent not just
eavesdropping but tracking too between networks
there may be trust different mobile networks need to
authenticate each other
 5G trust issues
Since 5G is designed to enable critical applications, such as
• critical infrastructure (electric, water, transportation, traffic control)
• emergency response
• smart cities
• autonomous cars
the threats are more significant than theft of service and eavesdropping
Furthermore the trust model involves many entities
• UE
• new host types (laptops, IoT, vehicles)
• home network
• serving network
• new transport mechanisms
• cloud service providers
• third-party application function providers
SN HN
• private network operators
•direct peer-to-peer connections (e.g., for V2V)
and a priori no entity trusts any other entity
 Counter
measures
• Physical security – preventing access to communications devices and links
• Emission security – preventing interception and jamming
• Privacy enforcement – protecting user’s identity and blocking impersonation
• Authorization – preventing unauthorized access to resources
• Source authentication – confirming the source of a message
• Integrity – preventing tampering with messages
• Confidentiality – preventing eavesdropping
• DoS blocking – preventing Denial of Service
• Topology hiding – thwarting traffic analysis
• Anti-hacking – preventing injection of computer malware
Cellular security
mechanism history
2G GSM already contained some basic security functions
• encryption of the radio interface to prevent eavesdropping
different algorithms were allowed (A5/1, A5/2, A5/3), but all were broken
• tamper resistant SIM card for subscriber authentication
to prevent theft of service
• use of random temporary identifiers to thwart subscriber tracking

3G introduced several improvements

• mutual authentication to avoid fake base stations
• improved encryption algorithms (Kasumi)

4G was similar to 3G except

• Authentication and Key Agreement protocol
• IMEI is only sent over secure channels
• use of state-of-the-art AES encryption (but SNOW-3G and ZUC allowed)
• SEcurity Gateways create IPsec tunnels to protect backhaul
5G Network security
The goal of 5G network security is to protect user data and enable
network resilience and business continuity. To ensure this, 5G has
designed security measures that address many of the threats faced
in today’s 4G/3G/2G networks and meet network security demands.
Some of the demands on network security are as follows:
 Availability: The identification of illegal attacks and reduction of
their impact.
 Traceability: Recording of operations for security audit and
problem identification.
 Integrity and Confidentiality: Protection of user privacy
information, user communication data, and operator’s principal
data.
The security measures try to ensure the above by implementing
the following:
 Enhanced security.
 Stronger security on the air interface; the user plane has
integrity protection by anti-alter, unlike 4G that is prone to
user plane attack.
 User privacy protection such that the users’ IMSI is
encrypted, unlike 4G, transmits user IMSI in plaintext.
 Improved interconnection security by implementing end-to-
end protection between PLMNs, unlike 4G that is similar to
SS7 attacks.
 Improved cryptographic algorithm using a 256-bit
cryptographic algorithm vis-a-vis 4G that uses a 128-bit
cryptographic algorithm.
 5G security
architecture
5G defines 3 hierarchical strata and 5 security domains

application domain
USER APPLICATION security PROVIDER APPLICATION Application Stratum

access Network Stratum

network access security
• Home Network
HOME
SIM user
user
NETWORK
(high security)

domain SBA • Serving Network

(medium security)

UE network access
SERVING
NETWORK

access
ACCESS Transport Stratum
NETWORK network
domain
(low security)
 Stratatu
Transport stratum
•m includes PHY of air interface, transport network in RAN, UPF of core
• low security sensitivity (enables non-trusted vendors to provide RAN)
• only utilizes temporary identifiers and keys
Network stratum - Serving Network
• includes serving network’s AMF, NRF, NEF, SEPP
• relatively high security sensitivity
• utilizes mid-level derived keys (such as AMF keys)
Network stratum - Home Network
• includes UE’s SIM, home network’s AUSF and UDM
• high security sensitivity
• utilizes SUPIs, user root keys, and high-level keys
Application stratum
• includes MEC, AF, 3d party functionalities, mobile payment
• responsibility of application service providers
• separated from mobile networks
• utilizes end-to-end security
 Security domains
Network access security
• enables UE to authenticate and securely access services
– mutual authentication, integrity protection, encryption
• protects against attacks on the air interface and from RAN to serving core
Network domain security
• protects RAN to core (IPsec) and serving-core to home-core (TLS, PRINS)
• protects control and user planes
User domain security
• secures end-user access to UE (passwords, PIN codes, etc)
• SIM access
Application domain security
• enable user applications to exchange messages with provider applications
• mechanisms provided by application providers and transparent to mobile
SBA domain security
• enable NFs in the SBA to securely communicate (TLS)
• features include NF registration, discovery, and authorization (OAuth)
SIM
Since 2G, the anchor of user identity
has been the Universal Subscriber Identity Module
Being a physical device it presents some degree of trust
like a physical key (but both can be stolen)
which is 1 reason for resistance to the ideas of eSIM
and software-SIM
Today the SIM is part of the Universal Integrated Circuit Card smart card
which consists of ROM, RAM, and a CPU, and contains
• USIM application (used in AS and NAS)
• Integrated Circuit Card ID (19 digit E.118 identifier written on SIM)
• International Mobile Subscriber Identity
• 2 PIN codes for protection
• 128-bit long-term pre-shared authentication key (also in HSS)
• file storage (e.g., for phone book)
• IP-Multimedia Services Identity Module application (used for SIP,
VoLTE)
IMSI
International Mobile Subscriber Identity uniquely identifies every UE
It is defined by ITU E.212 as up-to-15 digit number composed of:
• Home Network Identity (or PLMN ID)
– Mobile Country Code (3 digits) e.g., Israel=425
– Mobile Network Code (2-3 digits) e.g., Partner=01 Cellcom=02
Golan=08
• Mobile Subscription Identification Number (up to 10 digits)
The IMSI (and not the phone number) is
• stored in the Subscriber Identity Module (along with the
authentication key)
• sent by the UE as its identifier to the network
• indexes subscriber information in the HLR/HSS
• is locally copied into the VLR
To prevent IMSI catching the IMSI is sent
only when a unregistered UE registers to a cell (called IMSI
attach)
From then on, including during paging and handoff
4G EPS-AKA
In LTE, the mutual authentication and initial key exchange
between the UE’s USIM and the MME uses
the Evolved Packet System Authentication and Key Agreement protocol
with the MME acting as Access Security Management Entity
• UE completes RRC procedure with eNB
and sends attach request to Serving Network MME with its IMSI
• MME sends IMSI and SN to HSS and requests Authentication Vector
• based on IMSI and SN
HSS generates AV={RAND, XRES, AUTNHSS, KASME} and sends to MME
• ME stores AV, and forwards {RAND,AUTNHSS} to UE
• UE computes {RES, AUTNUE, KASME}
• UE compares AUTNHSS to AUTNUE for network authentication
• UE sends RES to MME
• MME compares RES with XRES for UE authentication
• if all succeeds, the key KASME (never transferred between UE and MME)
is now shared between UE and MME
4G privacy
vulnerabilities
There are several privacy vulnerabilities 4G
• AKA requires the UE to sends its IMSI in the clear over the air interface
to the MME (see next slide)
• once registered the UE-MME messaging uses the GUTI
to hide the UE’s identity, but:
– GUTIs are not changed frequently enough
– GUTI allocation is often predictable
• the home network provides AVs to the serving network
but is not part of the authentication decision
5G remedies these vulnerabilities
by supporting 3 new authentication methods
• 5G-AKA
• EAP-AKA’ (with Perfect Forward Security)
• EAP-TLS
IMSI catching
IMSI catching is a man-in-the-middle attack to collect IMSIs
(there are even miniature wearable IMSI catchers used by police)
Since IMSIs are only rarely transmitted
the probability of passively catching one is very low
An IMSI catcher (AKA a StingRay) masquerades as a base station
and causes the UE to register and send its IMSI
The principle was patented in 2003 by Rhode and Schwartz for GSM
but the patent was invalidated in 2012 (no inventive step)
Simple IMSI catching enables tracking, and perhaps impersonating, users
In a full MitM attack, the attacker
• convinces the UE that it is the preferred BS (has strongest pilot signal)
• captures the UE’s IMSI
• negotiates null encryption
• intercepts all user traffic
• passes user traffic to and from a true base-station
 Hiding the IMSI
5G enhances user privacy as compared to previous generations
• user identity cloaking
• user location confidentiality
• user activity masking
by never sending an IMSI in plaintext
5G defines
• SUbscription Permanent Identifier
(IMSI or email address user@network for non-3GPP)
which is never sent over the air interface
• SUbscription Concealed Identifier (pronounced Suchi )
which is freshly cryptographically generated by the UE
before being sent once over the air interface
The technique is called the Elliptic Curve Integrated
Encryption Scheme
The UE (using elliptical curve crypto) generates the SUCI
by encrypting its SUPI and a sequence number (incremented
to prevent repetition)
using the public key of its home network
5G ECIES
To simplify we’ll assume the non-roaming case (UE in home network)
• UE encrypts SUPI (MSIN, not MCC/MNC) and SQN creating SUCI
• UE sends registration request with SUCI to AMF
• AMF sends authentication request with SUCI to AUSF
• AUSF+UDM decrypt SUCI to SUPI
• AUSF sends authentication response with SUPI to AMF
• AMF generates GUTI and remembers GUTI-SUPI mapping
• AMF sends registration accept to UE
• UE sends second registration request with GUTI to AMF
commencing 5G’s version of AKA (slightly more complicated than 4G’s)
Several other related mechanisms are provided by 5G as well
• in 4G IMSI-based paging (used when UE is idle) leaked IMSI information
5G uses only one-time temporary identifiers
• 5G introduces a SEcurity Anchor Function to facilitate re-authentication
when moving between different RANs w/o full AKA
thus reducing load on the home network AUSF+UDM
Additional 5G
authentication features
Long term identifiers are never transmitted in the clear
When roaming, it is the home network’s AUSF
that performs UE authentication
The SEcurity Anchor Function in a serving network can act as middleman
during the authentication process
and can reject the authentication from the UE
but never accept the authentication
In addition to 5G-AKA, Extensible Authentication
Protocol can be used, and
• there are 2 variants – EAP-AKA’ and EAP-TLS (for
private networks and IoT)
• the UE acts as an EAP supplicant
• the AUSF acts as an EAP server
• the SEAF acts as an EAP pass-through
authenticator
When authentication is over untrusted non-3GPP access networks
Compartmentalizatio
ne have mentioned the use of multiple layers of security
W
Another general principle of modern security is compartmentalization
that is, isolating different parts of a system
so that breaches in one area do not affect other areas
5G utilizes compartmentalization in many aspects
• the 3 strata (transport, network, application) are isolated
• the RAN and core are clearly demarcated
• different core networks are isolated (SEPP)
• different keys are used after handoff
• network slices have separate security functions
Security in the SBA
There are various threats to the SBA which must be handled, e.g.,
• eavesdropping on sensitive N-interface messages
• crashing NF by sending malformed messages
• overwhelming NF by flooding
• obtaining unauthorized access to services
• modifying N-interface messages on the fly
• malicious changes to NF configuration
We have seen that the SBA-based 5GC uses the following protocols:
• JavaScript Object Notation (for encoding information)
• http/2 (for interaction, RESTful CRUD operations)
• TCP (for reliability and load balancing) [rather than SCTP as in 4G]
and so 3GPP mandates use of
• TLS 1.3 (RFC 8446)
– to authenticate parties using public key crypto
– to provide integrity of all connections
– to encrypt messages
• OAuth2.0 (RFC 6749)
– to provide delegated authorization via tokens without divulging keys
TLS
Transport Layer Security is an updated version of Secure Sockets Layer
originally developed by Netscape for its browser
but now used for browsing (https), email, chat, VoIP, etc.
4G security was based on IPsec and DIAMETER
5G’s uses https based on TLS
Unlike IPsec, TLS provides a client-server model of security
and assumes reliable transport
and so is situated between TCP and an application
TLS has 2 sub-layers :
• TLS handshake
– set-up negotiation (algorithms, generating keys, etc.)
– (optional) authorization using public key cryptography and
certificates
• TLS record
– integrity using HMAC
– encryption using symmetric key cryptography
5G requires authorization and uses authenticated
encryption algorithms
 OAuth
OAuth is a mechanism for secure access delegation
i.e., a way for resource owners to grant 3rd parties
restricted access to resources (servers, accounts, information)
without sharing their credentials
If you have ever accessed a website using your Google/Facebook
account
you have used Oauth!
OAuth began in 2006 at Twitter, but the effort was joined by
Google, etc.
The inspiration behind Oauth is the valet key
Some luxury cars come with a special key to give to valets or garages
and only allows driving a short distance
but not opening the trunk or glove compartment, etc.
Similarly, Oauth allows limited access to specific resources
using tokens that the user can later revoke
SEPP
Security issues arose in previous generations when communications
bridged several mobile networks (e.g., when roaming)
To solve such problems 5G introduced a perimeter security function
called
Security Edge Protection Proxy and a new N32 interface
The SEPP sits at the perimeter of the 5GC and
• protects all outgoing messages before sending to a 2nd PLMN over
N32
• receives and verifies all incoming messages on N32 interface
before forwarding to the appropriate NF
AMF AMF
N32
PLMN 1 SEPP SEPP PLMN 2

AUSF AUSF
 SEPP
protocols
The SEPP provides end-to-end protection
for application layer control plane messages
between NFs belonging to different core networks
from being exposed or manipulated by other
parties
A consumer in one network can safely access a
producer in another
so that we have a cSEPP and a pSEPP
The SEPP hides internal topology information from 3rd parties
and performs rate limiting to prevent DoS
Since the 5GC is based on RESTful interfaces using http and
JSON
the SEPP protocols are based on
• https, which is http over Transport Layer Security (RFC
8446, ex-SSL)
• use of telescopic FQDNs
If there are interconnect providers between the SEPPs, then
we also need
Telescopic
FQDNs
The Fully Qualified Domain Name of a particular 5GC is
5gc.mncXXX.mccXXX.3gppnetwork.org
and for a NF in this core, for example the NRF:
nrf.5gc.mncXXX.mccXXX.3gppnetwork.org
For example, the NRF of Partner’s 5GC here in
Israel will be
nrf.5gc.mnc001.mcc425.3gppnetwork.org
but these URLs can be much more complex
REST API calls are between such URLs
SEPPs obfuscate the internals of their
cores by using telescopic FQDNs
consisting of a label as first element
and SEPP’s domain as trailer
For example, if access to some NF is requested from some core
nf.xxx.xxx.5gc.mnc001.mcc425.3gppnetwork.org
is replaced by the pSEPP with
label.5gc.mnc001.mcc425.3gppnetwork.org
where label is generated by the pSEPP which remembers the
NESAS
 Network Equipment Security Assurance
Scheme has been jointly defined by GSMA
and 3GPP
 for security evaluation of mobile network
equipment
Itoffers a single process approach to
security audits
 thus saving time and expense for both
vendors and operators
NESAS assesses the security of
 a vendor’s products (in ISO 17025
accredited security test labs)
 conformance to 3GPP security standards
 its R&D lifecycle (via GSMA selected
security auditors)
 security by design
 version control, source code review,
vulnerability remedy process
5G-Compliant waveform generation and testing
% Parameters
fc = 2e9; % Carrier frequency (2 GHz)
fs = 10*fc; % Sampling frequency (10 times the carrier frequency)
T = 1/fs; % Sampling period
t = -5e-6:T:5e-6; % Time vector (-5 microseconds to 5 microseconds)
pulse_width = 1e-6; % Width of the pulse (1 microsecond)
pulse_delay = 0; % Delay of the pulse (no delay)

% Generate Gaussian Pulse

gaussian_pulse = exp(-((t - pulse_delay)/pulse_width).^2);

% Plot Gaussian Pulse

figure;
plot(t, gaussian_pulse, 'b', 'LineWidth', 2);
xlabel('Time (s)');
ylabel('Amplitude');
title('5G-Compliant Gaussian Pulse');
grid on;
To create a Gaussian pulse waveform compliant with 5G
standards and perform basic testing

1. Generate a Gaussian pulse waveform.

2. Verify its properties such as the spectrum and
autocorrelation
% Parameters Y = fft(gaussian_pulse,NFFT)/length(gaussian_pulse);
fc = 2e9; % Carrier frequency (2 GHz) f = fs/2*linspace(0,1,NFFT/2+1);
fs = 10*fc; % Sampling frequency (10 times the carrier
frequency) % Plot Single-Sided Amplitude Spectrum
T = 1/fs; % Sampling period figure;
t = -5e-6:T:5e-6; % Time vector (-5 microseconds to 5 plot(f,2*abs(Y(1:NFFT/2+1)),'b','LineWidth',2);
microseconds) title('Single-Sided Amplitude Spectrum of Gaussian Pulse');
pulse_width = 1e-6; % Width of the pulse (1 microsecond) xlabel('Frequency (Hz)');
pulse_delay = 0; % Delay of the pulse (no delay) ylabel('|Y(f)|');
grid on;
% Generate Gaussian Pulse
gaussian_pulse = exp(-((t - pulse_delay)/pulse_width).^2); % Compute Autocorrelation
autocorr_pulse = xcorr(gaussian_pulse, 'coeff');
% Plot Gaussian Pulse lags = -length(gaussian_pulse)+1:length(gaussian_pulse)-1;
figure;
plot(t, gaussian_pulse, 'b', 'LineWidth', 2); % Plot Autocorrelation
xlabel('Time (s)'); figure;
ylabel('Amplitude'); plot(lags*T, autocorr_pulse, 'b', 'LineWidth', 2);
title('5G-Compliant Gaussian Pulse'); xlabel('Lag (s)');
grid on; ylabel('Autocorrelation');
title('Autocorrelation of Gaussian Pulse');
% Compute the Spectrum grid on;
NFFT = 2^nextpow2(length(gaussian_pulse)); % Next power
of 2 from length of y
THANK YOU