5G security challenges

3GPP 5G Service Based Architecture (SBA)

As mobile networks are critical infrastructures, or are deployed as core components of critical systems, security is of paramount importance. Since the 5G SBA adopts the principles of SOA, in which organizations collaborate across organizational boundaries on the basis of services, the data exchange likewise requires a correspondingly high level of security.

With the 3GPP 5G SBA, flexible and on-demand service composition, even across organizational boundaries, gives the mobile industry a new level of flexibility and new business opportunities. However, this kind of service orientation comes with security implications that were not present to their full extent in previous mobile network generations. Even though the principles of secure network design and communication that the 3GPP security working group (SA3) works on are the same as in earlier releases, the SBA concepts described before pose new challenges for the respective solutions. This is partly caused by the security challenges of service-based systems and virtualized environments: as with all service-oriented systems, service-based virtualized environments for network functions (NFs) may be subject to a variety of threat vectors.

Security context. Before an NF establishes connectivity with the Network Repository Function (NRF) for registration, it needs to obtain a cryptographic root of trust on the basis of which it can be authenticated. The 3GPP security specification does not define how a (virtual) NF is provisioned with such a root in a confidential, integrity-protected and replay-protected manner, but it is reasonable to assume that the authentication mechanisms will be derived from common patterns and protocols developed within the SOA domain (e.g., some form of public key cryptography). An ongoing 3GPP SA3 Rel-16 study on the security impacts of virtualization is expected to investigate this further.

Authentication. Mutual authentication between NF and NRF during registration and discovery within a single 5G core network is possible in two ways. It may be carried out explicitly at the transport layer via a TLS connection between the two communicating entities, as described above. This mechanism cryptographically ensures that only genuine NFs register in an operator's network, and the established TLS connection can also protect the integrity and confidentiality of the subsequent communication between NF and NRF. Alternatively, authentication may be performed implicitly if security is provided by other means (i.e., both NFs are located in physically secured locations and communicate over trusted networks, or Network Domain Security (NDS/IP) is used). The same options apply to NF-NF communication within the same core network.

Authorization. Authorization of NFs during registration relies on the authentication mechanism described above. For service discovery and access, 3GPP has specified a two-stage procedure based on token exchange: the NF consumer first obtains an access token from the NRF, then presents it to the NF producer with each service request, and the producer verifies the token before serving the request.
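The two-stage token procedure above, as an added example that is not part of the original page or of any 3GPP implementation: the NRF issues a JWT-style access token to an NF consumer, and the NF producer checks it before serving a request. The claims (iss, sub, aud, scope, exp) follow the layout used on the NRF token interface; an HS256 shared-secret signature is one of the JWS options the specification permits, chosen here so the example runs without a PKI. The NF identifiers, the secret, the service names and the timestamps are constructed for the example.

```python
# Added example: NRF-issued access token and producer-side check, modelled on
# the TS 33.501 clause 13.4 procedure. Shared secret, NF instance ids, NF types
# and service names are constructed values, not taken from any deployment.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def nrf_issue_token(secret: bytes, nrf_id: str, consumer_id: str,
                    producer_type: str, scope: str, ttl: int,
                    now: Optional[int] = None) -> str:
    """NRF side (stage 1): sign the consumer's claims with HS256.
    scope is a space-separated list of services the consumer may call."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": nrf_id, "sub": consumer_id, "aud": producer_type,
              "scope": scope, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def producer_verify(token: str, secret: bytes, my_nf_type: str,
                    requested_service: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """NF producer side (stage 2): accept the request only if the token is
    genuine, unexpired, addressed to this NF type and scoped to the service."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    head, body, sig = parts
    # Verify with the algorithm *we* expect, never the one the header names,
    # so an attacker-chosen "alg" cannot downgrade the check.
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False, "bad signature"
        header = json.loads(_b64url_decode(head))
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("aud") != my_nf_type:
        return False, "wrong audience"
    if requested_service not in claims.get("scope", "").split():
        return False, "scope does not cover service"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-nrf-producer-shared-secret"
    token = nrf_issue_token(secret, "nrf-1", "amf-1", "UDM",
                            "nudm-uecm nudm-sdm", ttl=600, now=1000)
    print(producer_verify(token, secret, "UDM", "nudm-uecm", now=1100))
    print(producer_verify(token, secret, "AUSF", "nudm-uecm", now=1100))
```

The producer checks the audience and scope, not just the signature: a token issued to an AMF for the UDM's nudm-uecm service must not be accepted by an AUSF, nor for a service outside its scope, which is the point of binding the token to producer type and service in the first stage.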
5G security architecture
  • Network access security (I): This security domain secures the user equipment (UE) and its connection to the network. It includes features that enable a UE to authenticate and access services securely via the network, for both 3GPP and non-3GPP access, and specifically protects against attacks on the radio interfaces. It also includes the secure delivery of the security context from the serving network (SN) to the access network (AN).
  • Network domain security (II): This security domain protects the exchange of data between network nodes. It includes features that enable network nodes to securely exchange signalling data and user plane data.
  • User domain security (III): This security domain secures the user's access to their mobile equipment.
  • SBA domain security (V): This is a new security feature for 5G networks that secures communication between network functions within the serving network domain and with other network domains. It includes security features for network function registration, discovery, and authorization, as well as protection for service-based interfaces.
  • Application domain security (IV): This security domain is not shown in the figure, but it refers to the set of security features that enable applications in the user domain and in the provider domain to exchange messages securely. This is considered outside the scope of the document that the figure is from.
In simpler terms, both SEPP and IPUPS act as security guards at the edge of the 5G Core network, but they guard different "doors":
  • SEPP (Security Edge Protection Proxy) secures the control-plane door (N32 interface), over which the home and visited operators exchange the signalling needed to manage roaming users' sessions.
  • IPUPS (Inter-PLMN User Plane Security) secures the user-plane door (N9 interface), through which the user's traffic flows between the two operators.
The 5G System architecture introduces the following security entities in the 5G Core network:
  • AUSF (Authentication Server Function).   Acts as the central manager for authentication processes in the 5G system. Verifies a subscriber's identity and generates authentication data (security keys) to be used for secure network access and communication. Works closely with the SEAF to ensure secure handling of authentication materials.
  • ARPF (Authentication credential Repository and Processing Function).  Serves as a secure storage for subscriber authentication credentials (think of it as a secure vault). Handles the retrieval and processing of those credentials during the authentication process, following instructions from the AUSF.
  • SIDF (Subscription Identifier De-concealing Function).  Responsible for protecting subscriber privacy. De-conceals the SUCI (Subscription Concealed Identifier) sent by the UE to recover the permanent identifier, the SUPI (for example, the IMSI). The SIDF resides in the home network and only authorized network elements of the home network may invoke it, which prevents unauthorized tracking of subscribers over the air.
  • SEAF (Security Anchor Function).  Plays the role of a 'trust anchor' for the 5G core network. It is the starting point for establishing trust relationships between the network entities involved in authentication: it receives the anchor key from the AUSF and derives and distributes the keys other network functions need for secure communication and data transfer.

How they work together: These security entities operate in concert to enforce strong security measures within the 5G Core:
  1. Subscriber connects: When a user's device registers with the 5G network, it sends its concealed identifier (SUCI) to the AMF; the SEAF, co-located with the AMF, requests authentication from the AUSF in the home network.
  2. Protecting privacy: The AUSF forwards the SUCI to the UDM, where the SIDF de-conceals it to obtain the SUPI, so the permanent identifier never travels in the clear over the air.
  3. Authentication: The ARPF retrieves the subscriber's credentials, generates an authentication vector and returns it to the AUSF, which runs the authentication exchange (5G AKA or EAP-AKA') with the device via the SEAF and verifies the response.
  4. Trust establishment: On success the AUSF derives the anchor key K_SEAF and hands it to the SEAF, which derives the further keys used to protect NAS signalling and radio traffic.
  5. Secure access: The subscriber's device is granted access to the 5G network and its services.
ARPF (Authentication Credentials Repository and Processing Function):
  • Integrated deployment with the UDM: The ARPF is not a standalone function; it's combined with the Unified Data Management (UDM). The UDM stores and processes user data and subscription information.
  • Deployed on the home network in roaming scenarios: When you're roaming (using your phone on a different network, typically abroad), the ARPF remains on your home network. So, even if you're in another country, your authentication credentials are managed by your home network.

AUSF (Authentication Server Function):
  • Independent NF: The AUSF is a separate network function. It's like a specialized security office that verifies your identity when you try to use the network.
  • Deployed on the home network in roaming scenarios (5G phase 1): Similar to the ARPF, the AUSF stays in your home network when you roam. It means that your home network is still the one that checks your credentials and approves your access, no matter where you are.

SEAF/SCMF (Security Anchor Function / Security Context Management Function):
  • Integrated deployment with the AMF: These functions are part of the Access and Mobility Management Function (AMF), which manages your connection to the network, especially when you're moving around.
  • Deployed on the visited network in roaming scenarios: Unlike the ARPF and AUSF, the SEAF/SCMF is located in the network you're visiting. So when you're roaming, the local network you're connecting to will have its own SEAF/SCMF working with the AMF to manage security aspects like encrypting your data.
4G key architecture:
  • USIM/AuC: The USIM (Universal Subscriber Identity Module) on the device and the Authentication Centre (AuC, part of the HSS, the Home Subscriber Server) share a long-term key 'K'. During EPS AKA both sides derive the cipher key CK and the integrity key IK from 'K'; in 4G these are not used directly for protection but serve as input to the next level of the hierarchy.
  • UE/MME (Mobility Management Entity): From CK and IK, bound to the serving network identity, the UE and the HSS derive 'K_ASME', the key of the Access Security Management Entity, which the HSS delivers to the MME. From 'K_ASME', the UE and the MME derive 'K_NASenc' for encrypting non-access stratum (NAS) messages and 'K_NASint' for protecting their integrity.
  • UE/eNB (Evolved Node B): The eNB is the LTE base station. The UE and the MME derive 'K_eNB' from 'K_ASME', and the MME passes it to the eNB. From 'K_eNB', the eNB and the UE derive the radio-level keys: 'K_RRCenc' and 'K_RRCint' for encryption and integrity protection of Radio Resource Control (RRC) signalling, and 'K_UPenc' for encrypting the user plane (UP).

5G key architecture:
  • ARPF & USIM: As in 4G, the hierarchy starts from the long-term key 'K' shared by the USIM and the ARPF (part of the UDM in the home network). Both sides derive CK and IK from 'K' and the authentication vector.
  • 5G AKA and EAP-AKA': 5G supports two authentication methods, both anchored in the home network. With 5G AKA, the ARPF derives 'K_AUSF' directly from CK and IK, bound to the serving network name. With EAP-AKA', CK and IK are first transformed into CK' and IK' and 'K_AUSF' is taken from the EAP key material. In both cases the result is the same key hierarchy below.
  • AUSF: The Authentication Server Function in the home network holds 'K_AUSF' and, after successful authentication, derives the anchor key 'K_SEAF' (again bound to the serving network name) and sends it to the SEAF of the serving network, which is the visited network when roaming. 'K_AUSF' itself never leaves the home network.
  • SEAF/AMF: The SEAF derives 'K_AMF' from 'K_SEAF'; the AMF then derives 'K_NASenc' and 'K_NASint' from 'K_AMF' for NAS message encryption and integrity protection.
  • AMF & gNB (Next Generation Node B): The AMF and the UE derive 'K_gNB' from 'K_AMF' (using the uplink NAS count) and the AMF passes it to the gNB. From 'K_gNB', the gNB and the UE derive 'K_RRCenc', 'K_RRCint', 'K_UPenc' and 'K_UPint' to protect RRC signalling and user-plane data at the radio layer.
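Both hierarchies above, and the authentication exchange described under "How they work together", carried through with the actual 3GPP key derivation function, as an added example that is not code from the original page: the KDF is HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ... (TS 33.220 Annex B.2), and the FC values and parameter orders are those of TS 33.401 Annex A (4G) and TS 33.501 Annex A (5G AKA). The CK/IK, SQN xor AK, PLMN id, serving network name, SUPI, RAND, RES and NAS counts are constructed inputs, so the derived keys are illustrative only; passing the SUPI as an ASCII digit string is an assumption about its encoding.

```python
# Added example: 4G and 5G (5G AKA) key hierarchies with the 3GPP KDF.
# All inputs are constructed; FC values from TS 33.401 Annex A and TS 33.501 Annex A.
import hashlib
import hmac
from typing import Dict


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP KDF (TS 33.220 B.2): HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...),
    each Li the 2-byte big-endian length of Pi. Output is 256 bits."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def alg_key(parent: bytes, fc: int, type_dist: int, alg_id: int) -> bytes:
    """Algorithm key: P0 = algorithm type distinguisher, P1 = algorithm identity;
    the 128 least significant bits (last 16 bytes) of the output are the key."""
    return kdf(parent, fc, bytes([type_dist]), bytes([alg_id]))[16:]


def res_star(ck: bytes, ik: bytes, sn_name: str, rand: bytes, res: bytes) -> bytes:
    """RES*/XRES* (33.501 A.4): binds the AKA response to the serving network."""
    return kdf(ck + ik, 0x6B, sn_name.encode(), rand, res)[16:]


def hres_star(rand: bytes, res_star_value: bytes) -> bytes:
    """HRES*/HXRES* (33.501 A.5): the SEAF in the serving network compares these
    without holding XRES*; the AUSF in the home network checks RES* itself."""
    return hashlib.sha256(rand + res_star_value).digest()[16:]


def derive_4g(ck: bytes, ik: bytes, sqn_xor_ak: bytes, plmn_id: bytes,
              ul_nas_count: int, enc_alg: int, int_alg: int) -> Dict[str, bytes]:
    """EPS hierarchy: CK||IK -> K_ASME -> NAS keys and K_eNB -> radio keys."""
    k_asme = kdf(ck + ik, 0x10, plmn_id, sqn_xor_ak)           # 33.401 A.2 (HSS and UE)
    k_enb = kdf(k_asme, 0x11, ul_nas_count.to_bytes(4, "big"))  # 33.401 A.3 (MME and UE)
    return {
        "K_ASME": k_asme,
        "K_NASenc": alg_key(k_asme, 0x15, 0x01, enc_alg),      # 33.401 A.7
        "K_NASint": alg_key(k_asme, 0x15, 0x02, int_alg),
        "K_eNB": k_enb,
        "K_RRCenc": alg_key(k_enb, 0x15, 0x03, enc_alg),
        "K_RRCint": alg_key(k_enb, 0x15, 0x04, int_alg),
        "K_UPenc": alg_key(k_enb, 0x15, 0x05, enc_alg),
    }


def derive_5g(ck: bytes, ik: bytes, sqn_xor_ak: bytes, sn_name: str, supi: str,
              abba: bytes, ul_nas_count: int, enc_alg: int, int_alg: int) -> Dict[str, bytes]:
    """5G AKA hierarchy: CK||IK -> K_AUSF (home) -> K_SEAF (to serving network)
    -> K_AMF -> NAS keys and K_gNB -> radio keys."""
    sn = sn_name.encode()                                     # "5G:mnc<MNC>.mcc<MCC>.3gppnetwork.org"
    k_ausf = kdf(ck + ik, 0x6A, sn, sqn_xor_ak)               # 33.501 A.2 (ARPF and USIM/ME)
    k_seaf = kdf(k_ausf, 0x6C, sn)                            # 33.501 A.6 (AUSF, sent to SEAF)
    k_amf = kdf(k_seaf, 0x6D, supi.encode(), abba)            # 33.501 A.7 (SEAF/AMF and UE)
    k_gnb = kdf(k_amf, 0x6E, ul_nas_count.to_bytes(4, "big"), b"\x01")  # 33.501 A.9, 3GPP access
    return {
        "K_AUSF": k_ausf,
        "K_SEAF": k_seaf,
        "K_AMF": k_amf,
        "K_NASenc": alg_key(k_amf, 0x69, 0x01, enc_alg),      # 33.501 A.8
        "K_NASint": alg_key(k_amf, 0x69, 0x02, int_alg),
        "K_gNB": k_gnb,
        "K_RRCenc": alg_key(k_gnb, 0x69, 0x03, enc_alg),
        "K_RRCint": alg_key(k_gnb, 0x69, 0x04, int_alg),
        "K_UPenc": alg_key(k_gnb, 0x69, 0x05, enc_alg),
        "K_UPint": alg_key(k_gnb, 0x69, 0x06, int_alg),
    }


if __name__ == "__main__":
    ck, ik = bytes(range(16)), bytes(range(16, 32))           # constructed CK, IK
    sqn_xor_ak = bytes.fromhex("000102030405")
    sn_name = "5G:mnc001.mcc001.3gppnetwork.org"
    rand, res = bytes(16), bytes.fromhex("0011223344556677")  # constructed RAND, RES
    # Serving network (SEAF) check vs. home network (AUSF) check of the response
    xres_star = res_star(ck, ik, sn_name, rand, res)
    print("HXRES* matches:", hres_star(rand, xres_star) == hres_star(rand, res_star(ck, ik, sn_name, rand, res)))
    for name, k in {**derive_4g(ck, ik, sqn_xor_ak, bytes.fromhex("00f110"), 0, 2, 2),
                    **derive_5g(ck, ik, sqn_xor_ak, sn_name, "001010123456789", b"\x00\x00", 0, 2, 2)}.items():
        print(f"{name:9s} {k.hex()}")
```

The serving network name appears in K_AUSF, K_SEAF and RES*, which is what stops a key or response obtained in one serving network from being replayed in another; the 4G hierarchy binds only the PLMN id into K_ASME and has no equivalent of the K_AUSF/K_SEAF layers.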