
Page 1: 5G Security

1 © Nokia Solutions and Networks 2019 Public

Future of Networking, March 19, 2019

Peter Schneider, Nokia Bell Labs

Page 2: Agenda

• Mobile network security today – example LTE
• 5G security: drivers, requirements, vision
• 5G networking paradigms: Network Function Virtualization (NFV), Software Defined Networking (SDN), Network Slicing
• Elements of a 5G security architecture
• NFV Security
• Network slicing security
• 3GPP 5G security specification
• Summary and conclusion

Page 3: Layers of Mobile Network Security as of Today (Example LTE)

[Figure: LTE security architecture. Network elements shown: UE/USIM, eNB, MME, Serving Gateway, PDN Gateway (PDN-GW towards the Internet), PCRF, HSS/AuC, SEG, IMS/Application Servers. Security layers annotated on the figure: Authentication and Key Agreement based on the long-term key K held in the USIM and the HSS/AuC, with KASME derived at UE and MME and KeNB derived at UE and eNB; Non access stratum signaling security; Access stratum security; Backhaul link security; Core interface security; User Identity Privacy; Secure Environment; VoLTE/IMS security. Legend: 3GPP-specified security architecture; network security not specified by 3GPP; network element security measures.]

Page 4: 5G Security Drivers

[Figure: drivers pointing at "5G Security ?": growing need for dependability, growing need for flexibility, new use cases, new threats, changing ecosystem, new networking paradigms.]

Page 5: 5G Security Drivers

[Figure: the same drivers (growing need for dependability, growing need for flexibility, new use cases, new threats, changing ecosystem, new networking paradigms) mapped onto the 5G security response: supreme built-in security, automation, flexible security mechanisms.]

Page 6: From LTE to 5G: Adopting New Networking Paradigms

[Figure: side-by-side comparison of an LTE network and a 5G network; only the labels "LTE" and "5G" survive extraction.]

Page 7: A 5G Mobile Network Implemented on Distributed Telco Clouds and Supporting Multiple Network Slices

[Figure: cells connected to an edge cloud and a central cloud, the central cloud connected to the Internet; virtual network functions run in both clouds and are interconnected by SDN switches; Slice A and Slice B are shown alongside common parts shared by the slices.]

Page 8: Elements of a 5G Security Architecture

• Subscriber/device identifiers/credentials
• Secure hardware
• Security negotiation, key hierarchy
• Enhanced control plane robustness
• Enhanced subscriber privacy
• Crypto algorithms
• Physical layer security
• Jamming protection
• Authentication/authorization, key agreement
• NFV/SDN security
• Network slicing security
• Security assurance for NFV environments
• Security management and orchestration
• Self-adaptive, intelligent security controls

Page 9: Network Function Virtualization Security

Page 10: “Network Element Security” for Virtualized Networks

Network elements replaced by VNFs running on a cloud platform:

➢ Secure the platform
➢ Secure the VNFs
➢ Security assurance for VNFs that can be deployed on different platforms

Page 11: Isolation and Traffic Separation in the Telco Cloud

• Separation of VMs relies on the hypervisor – software flaws may compromise it completely (e.g. allow VM1 to access the memory of VM2)
• Virtual networking allows logical traffic separation
• No physical separation of interfaces for different traffic types at a single VM
• No physical separation of traffic of different VMs running on the same HW platform
• Traffic separation relies on the hypervisor

Page 12: Network Security Measures for Virtualized Networks

Network zoning can be implemented in a straightforward way:

• The NFV environment facilitates separation, e.g. virtual machines are separated by a hypervisor
• Dedicated VLANs to provide connectivity between the VMs forming a zone
• Traffic between zones may be filtered by virtual firewalls
• Even physical separation may be possible – at the cost of resource usage efficiency

Traffic separation by dedicated virtual switches, VLANs and wide area VPNs – physical separation is hardly applicable.

The external perimeter may be secured by a virtual firewall; physically separated firewalls can protect the overall data center infrastructure.
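The zoning rules on this slide (one dedicated VLAN per zone, inter-zone traffic only through a virtual firewall) can be turned into an automated check over flow records exported from the virtual switches. The following is an added example written for this transcript, not code from the Nokia presentation; the zone names, VLAN ids, VM names and flow records are constructed sample data, and the flow record layout (source, destination, observed VLAN tag, whether the flow was seen on the firewall) is an assumption about what a flow export would carry.

```python
"""Zoning-policy audit for an NFV deployment (added example, constructed data)."""
from dataclasses import dataclass

# Constructed zone plan: every zone owns exactly one dedicated VLAN.
ZONE_VLAN = {"ran": 101, "core": 102, "management": 103}


@dataclass(frozen=True)
class VM:
    name: str
    zone: str
    vlan: int


@dataclass(frozen=True)
class Flow:
    src: str            # source VM name
    dst: str            # destination VM name
    vlan: int           # VLAN tag observed on the flow
    via_firewall: bool  # True if the flow was also seen on the virtual firewall


def build_inventory(vms):
    """Index VMs by name and reject any VM that is not on its zone's VLAN."""
    inv = {}
    for vm in vms:
        expected = ZONE_VLAN.get(vm.zone)
        if expected != vm.vlan:
            raise ValueError(f"{vm.name}: zone {vm.zone!r} expects VLAN {expected}, got {vm.vlan}")
        inv[vm.name] = vm
    return inv


def check_flows(inv, flows):
    """Return (flow, reason) pairs for every flow that breaks the zoning policy."""
    violations = []
    for f in flows:
        src, dst = inv.get(f.src), inv.get(f.dst)
        if src is None or dst is None:
            # A flow involving a VM that is not in the inventory is itself a finding.
            violations.append((f, "unknown VM"))
        elif src.zone == dst.zone:
            # Intra-zone traffic must stay on the zone's own VLAN.
            if f.vlan != ZONE_VLAN[src.zone]:
                violations.append((f, "intra-zone flow on foreign VLAN"))
        elif not f.via_firewall:
            # Inter-zone traffic that never touched the virtual firewall bypassed filtering.
            violations.append((f, "inter-zone flow bypassed virtual firewall"))
    return violations


# Constructed inventory and flow records.
SAMPLE_VMS = [
    VM("amf-1", "core", 102),
    VM("upf-1", "core", 102),
    VM("du-1", "ran", 101),
    VM("oss-1", "management", 103),
]
SAMPLE_FLOWS = [
    Flow("amf-1", "upf-1", 102, False),   # intra-zone on the core VLAN: fine
    Flow("du-1", "amf-1", 101, True),     # ran -> core through the firewall: fine
    Flow("oss-1", "amf-1", 103, True),    # management -> core through the firewall: fine
    Flow("du-1", "upf-1", 101, False),    # ran -> core, firewall bypassed
    Flow("amf-1", "upf-1", 103, False),   # core VMs talking on the management VLAN
    Flow("rogue-vm", "upf-1", 102, False),  # source not in inventory
]


def audit(vms=SAMPLE_VMS, flows=SAMPLE_FLOWS):
    """Run the audit and return just the violation reasons, in flow order."""
    return [reason for _, reason in check_flows(build_inventory(vms), flows)]


if __name__ == "__main__":
    for flow, reason in check_flows(build_inventory(SAMPLE_VMS), SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst} (vlan {flow.vlan}): {reason}")
```

The check deliberately treats an unknown VM as a finding rather than skipping it: in a cloud platform where VMs are created by an orchestrator, a VM that carries traffic but is absent from the zone inventory is exactly the case a zoning policy cannot reason about.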

Page 13: Network Slicing Security

Page 14: Network Slice Isolation – The Crucial Slicing Security Aspect

• Isolation in the cloud by NFV mechanisms in the (central/edge) cloud
• Isolation in the transport by VPNs created via SDN
• Isolation by equipment-specific mechanisms on (non-virtualized) RAN equipment
• Isolation means resource isolation + security isolation

➢ Slice isolation can be achieved assuming sound implementations (NFV environment, SDN transport, non-virtualized equipment)

Page 15: Other Slicing Security Aspects

Slicing-specific attacks:

• DoS attacks on “small” slices
• Attacks on interfaces to common network parts (vertical → mobile network operator)
• Attacks on management interfaces provided for verticals to manage their slices
• Attacks on slicing-specific procedures: slice selection, slicing-specific authentication and authorization, slice management
• Malicious message routing between different slices

➢ Mitigation by state-of-the-art means – with room for improvement

Slicing facilitates different security assurance levels per slice

Slicing facilitates individual security mechanisms per slice

Page 16: 3GPP 5G Security Specification

Page 17: Overview 3GPP 5G Security Standardization

3GPP Technical Specification 33.501, Release 15: “Security Architecture and Procedures for 5G System”

➢ New 5G security features at a glance:

• New access-agnostic authentication framework with improved home network control in roaming scenarios
• Enhanced subscription privacy
• User plane integrity protection
• EAP-based “secondary authentication”
• Security for service-based interfaces
• Enhancements for interconnection security

Page 18: New Security Features in 3GPP Release 15

New access-agnostic authentication framework with improved home network control in roaming scenarios

• Two authentication methods, 5G AKA (enhancing LTE’s EPS AKA) and EAP-AKA’
• Both provide assurance to the Home Network that the UE is present in the Visited Network
• Besides EAP-AKA’, other EAP methods can be implemented by operators (not for public use)
• “Access agnostic”: Both methods applicable for 3GPP as well as non-3GPP access

[Figure: 5G AKA message sequence between UE, SEAF/AMF, AUSF and UDM/ARPF]

1. UE → SEAF/AMF: Request to establish a signalling connection
2. SEAF/AMF → AUSF: Authentication Request
3. AUSF → UDM/ARPF: Authentication Request
4. UDM/ARPF: Decision: Use 5G AKA
5. UDM/ARPF → AUSF: Authentication Response (AV with XRES*, KAUSF)
6. AUSF → SEAF/AMF: Authentication Response (AV with HXRES*, KSEAF)
7. SEAF/AMF → UE: 5G AKA Challenge
8. UE → SEAF/AMF: 5G AKA Response (RES*)
9. SEAF/AMF: Compute HRES*, equal to HXRES*?
10. SEAF/AMF → AUSF: Authentication Request (RES*)
11. AUSF: RES* equal to XRES*?
12. AUSF → UDM/ARPF: Auth Confirmation Req
13. UDM: Store UE authentication status
14. UDM/ARPF → AUSF: Auth Confirmation Resp
15. AUSF → SEAF/AMF: Authentication Response (Success)

[Figure: EAP-AKA’ message sequence between UE, SEAF/AMF, AUSF and UDM/ARPF]

1. UE → SEAF/AMF: Request to establish a signalling connection
2. SEAF/AMF → AUSF: Authentication Request
3. AUSF → UDM/ARPF: Authentication Request
4. UDM/ARPF: Decision: Use EAP-AKA’
5. UDM/ARPF → AUSF: Authentication Response (AV with CK', IK')
6. AUSF → SEAF/AMF: Authentication Response (EAP-Request/AKA'-Challenge)
7. SEAF/AMF → UE: EAP-Request/AKA'-Challenge
8. UE → SEAF/AMF: EAP-Response/AKA'-Challenge
9. SEAF/AMF → AUSF: Auth Request (EAP-Response/AKA'-Challenge)
10. AUSF → UDM/ARPF: Auth Confirmation Req
11. UDM: Store UE authentication status
12. UDM/ARPF → AUSF: Auth Confirmation Resp
13. AUSF → SEAF/AMF: Auth Response (EAP-Success, KSEAF)
14. SEAF/AMF → UE: EAP-Success

Scaled up pictures in the backup

Page 19: Enhanced Subscription Privacy, User Plane Integrity Protection

IMSI catching (and thus subscriber location tracking) is possible in LTE (a deliberate decision in LTE)

➢ Fully covered in 5G by Subscription Concealed Identity (SUCI)
➢ However, there is also a “null scheme” (without encryption)
➢ Will some legislations prefer their law enforcement agencies remain capable of IMSI catching?

No user plane integrity protection (a deliberate decision in LTE)

➢ Fully covered in 5G: Mandatory to support by network and UE
➢ Not mandatory to use – not all traffic will require it
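Because the null scheme is a legitimate SUCI protection scheme, the subscriber-privacy gain of this slide depends on whether it is actually in use, which is something an operator can measure on its own registrations. The following is an added example written for this transcript, not code from the Nokia presentation or from 3GPP. It parses SUCIs in the textual form used for IMSI-based SUPIs (suci-<supi type>-<mcc>-<mnc>-<routing indicator>-<protection scheme id>-<home network public key id>-<scheme output>) and reports which protection scheme each one used; the scheme ids (0 null scheme, 1 ECIES Profile A, 2 ECIES Profile B) are the standard ones, all SUCI values below are constructed sample data, and the hex "scheme output" of the Profile A sample is filler rather than a real ECIES output.

```python
"""SUCI protection-scheme audit (added example; constructed SUCI values)."""
import re
from dataclasses import dataclass

SCHEMES = {0: "null scheme", 1: "ECIES Profile A", 2: "ECIES Profile B"}

# Textual SUCI form for IMSI-based SUPIs; field widths are assumptions for this parser.
SUCI_RE = re.compile(
    r"^suci-(?P<supi_type>\d)-(?P<mcc>\d{3})-(?P<mnc>\d{2,3})-(?P<rid>\d{1,4})"
    r"-(?P<scheme>\d{1,2})-(?P<hnkey>\d{1,3})-(?P<output>[0-9A-Fa-f]+)$"
)


@dataclass
class Suci:
    supi_type: int
    mcc: str
    mnc: str
    routing_indicator: str
    scheme_id: int
    hn_key_id: int
    scheme_output: str


def parse_suci(text: str) -> Suci:
    """Split a textual SUCI into its fields; raises ValueError if the form does not match."""
    m = SUCI_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SUCI in the expected textual form: {text!r}")
    return Suci(int(m["supi_type"]), m["mcc"], m["mnc"], m["rid"],
                int(m["scheme"]), int(m["hnkey"]), m["output"])


def audit_suci(text: str) -> dict:
    """Classify one SUCI: which scheme protected it and whether the MSIN is exposed."""
    try:
        s = parse_suci(text)
    except ValueError as e:
        return {"suci": text, "scheme": None, "msin_exposed": None, "finding": str(e)}
    if s.scheme_id == 0:
        # Null scheme: the scheme output is the MSIN itself, so the full IMSI is on the air.
        finding = "null scheme: MSIN sent in clear, IMSI catching possible"
        if s.hn_key_id != 0 or not s.scheme_output.isdigit():
            finding += " (malformed: null scheme expects key id 0 and a decimal MSIN)"
        return {"suci": text, "scheme": SCHEMES[0], "msin_exposed": True, "finding": finding}
    if s.scheme_id in SCHEMES:
        return {"suci": text, "scheme": SCHEMES[s.scheme_id], "msin_exposed": False, "finding": None}
    # Ids outside 0..2 are reserved or operator-proprietary: not wrong, but worth a look.
    return {"suci": text, "scheme": f"scheme id {s.scheme_id}", "msin_exposed": None,
            "finding": "non-standard protection scheme id, review"}


# Constructed sample registrations.
SAMPLE_SUCIS = [
    "suci-0-262-01-0000-1-7-" + "ab" * 40,   # Profile A (filler hex, not a real ciphertext)
    "suci-0-262-01-0000-0-0-1234567890",     # null scheme
    "suci-0-262-01-0000-0-5-1234567890",     # null scheme with an inconsistent key id
    "suci-0-262-01-0000-13-2-deadbeef",      # proprietary scheme id
    "imsi-262011234567890",                  # not a SUCI at all
]


def count_exposed(sucis=SAMPLE_SUCIS) -> int:
    """Number of registrations whose MSIN was sent unprotected."""
    return sum(1 for s in sucis if audit_suci(s)["msin_exposed"] is True)


if __name__ == "__main__":
    for s in SAMPLE_SUCIS:
        r = audit_suci(s)
        print(f"{r['scheme']!s:18} exposed={r['msin_exposed']!s:5} {r['finding'] or 'ok'}")
    print("null-scheme registrations:", count_exposed())
```

Run over a day of registration records, the count returned by count_exposed is the direct answer to the slide's question of whether the null scheme is being used in a network, and the "malformed" and "non-standard" findings separate UEs that are simply misconfigured from ones using a scheme the operator did not provision.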

Page 20: Summary: 5G Security

Page 21: Summary: Layers of Mobile Network Security in a 3GPP 5G System

[Figure: layered summary; the grouping below is reconstructed from the figure labels]

3GPP-specified security architecture:
• New access-agnostic authentication framework
• Enhanced subscription privacy and user plane protection
• EAP-based “secondary authentication”
• Security for service-based interfaces
• Enhancements for interconnection security

VNF security / Telco cloud security:
• Sound, robust implementations of the virtualization layer (e.g. hypervisor) and the overall cloud platform software
• Sound, robust, security aware implementation of the VNFs
• Integrity (trust) assurance for both platform and VNFs

Network security not specified by 3GPP:
• Perimeter security and traffic filtering by virtual firewalls
• Logically or even physically separated security zones
• Traffic separation by VLANs and wide area VPNs

• Holistic, automated security management and orchestration
• Automated, self-adaptive, intelligent security controls

Page 22