security considerations in 5g - etsi · huawei confidential page 1 ... backhaul, ipsec ......
TRANSCRIPT
Page 1Huawei Confidential www.huawei.comHUAWEI TECHNOLOGIES CO., LTD.
Security Considerations in 5G
ETSI Security Week
June 12 – 16, 2017
Marcus Wong
Page 2Huawei Confidential
Agenda
� 5G Motivation and Security Drivers
� Flexible Service Architecture
� Trust Model
� Slicing, On-demand, Flexible Policy
� User Plane Security
� Public Key for 5G
� Authentication
� Privacy
� 5G Security Standards Landscape
Page 3Huawei Confidential
5G Security Motivations and Drivers
Evolutionary rather than RevolutionaryEvolutionary rather than RevolutionaryEvolutionary rather than RevolutionaryEvolutionary rather than Revolutionary
Things that worked:
� UE Provisioning: USIM and UICC� Authentication: UE mutual authentication, home operator control (AKA)� Crypto Algorithms: AES, ZUC, public-key algorithms� Security Termination: UP terminating in access network� Domain Security: backhaul, IPsec� Service Security: one-size fits all
Things that need improving:
� UE Provisioning: eUICC� Authentication: protocol enhancements, efficiency, device authentication� Crypto Algorithms: quantum-ready, larger key sizes, expanding use of public-key algorithms� Security Termination: flexibility, application layer security� Domain Security: mid-haul security, end-to-end backhaul security� Forward Security: long term key protection, public-key assisted key derivation� Service Security: on-demand, network slicing, third-party� Privacy: IMSI protection
Page 4Huawei Confidential
SOR: Service Oriented RAN SOC: Service Oriented Core
Flexible Service Oriented Architecture
�1. IOT device
Identity Management
& access security
�2. Unified authentication
framework for different
access technologies�3. Physical
infrastructure security
�4. Virtualization
Security
�5. CP/UP separation
security
�7. On-demand slice security
mechanism for vertical services
�6. Opening for third-party
service security
�Legacy Security
�5G Specific Security
Page 5Huawei Confidential
Trust Model
New Trust Model:New Trust Model:New Trust Model:New Trust Model:
Traditional Trust Model:Traditional Trust Model:Traditional Trust Model:Traditional Trust Model:
UE SN HNauthenticationauthenticationauthenticationauthentication
control/delegatecontrol/delegatecontrol/delegatecontrol/delegate
UESN
HN
retain controlretain controlretain controlretain control
authenticationauthenticationauthenticationauthentication
o Operator to retain more home controlOperator to retain more home controlOperator to retain more home controlOperator to retain more home control
o Reduce reliance on SN trustReduce reliance on SN trustReduce reliance on SN trustReduce reliance on SN trust
o Reduce potential fraud due to unauthorized location updateReduce potential fraud due to unauthorized location updateReduce potential fraud due to unauthorized location updateReduce potential fraud due to unauthorized location update
Page 6Huawei Confidential
Network Slicing
Common Resources/Device not in any slice: globally accessible
????????Network
slice
Not A slice
Isolation Between SlicesProtection from unauthorized network slice access, between slices within and outside of operator network.
Isolation within Slices: Protection from unauthorized access of private data area among UEs within the slice.
Conditional
Access
Permanent
Isolation
Network
slice
Network
slice
Network
slice
Network
slice
Global
Access
Page 7Huawei Confidential
On-Demand Framework & Flexible Security Policy
AuthenticationAuthenticationAuthenticationAuthenticationConfidentiality Confidentiality Confidentiality Confidentiality ProtectionProtectionProtectionProtectionPrivacy Privacy Privacy Privacy ProtectionProtectionProtectionProtection
Extreme MBB
Slice
Massive Sensor
Slice
medium
Isolation Isolation Isolation Isolation Integrity Integrity Integrity Integrity ProtectionProtectionProtectionProtection
Vehicular & Healthcare
Slice
High
medium
medium
medium
On On off
SecurityFeatures
Security Policies Option
Isolation
Privacy
Integrity
Confidentiality
Authentication
between slices
inside slice
Aware of user data
Not aware of user activities
Not aware of user’s ID
Integrity Protection
No integrity Protection
256bit key 128bit keyDedicate cipher
algorithm
Multi-factor authentication
Biometric authentication
Flexible security features
Flexible security policy
medium
High
High
High medium
High
High
none
High Med Low
Page 8Huawei Confidential
User Plane security
� Ciphering (and integrity protection) use common crypto synchronization from LTE PDCP protocols.� Header compression capabilities(e.g. ROHC) support.� In-sequence delivery support.� Traffic-type aware and QoS support� Faster to market � Lawful Intercept support at CN consistent with solutions in LTE
U
P
C
P
UE
ANCN
Page 9Huawei Confidential
Use of Public Key
3G and 4G use of public key:3G and 4G use of public key:3G and 4G use of public key:3G and 4G use of public key:
o certificates and certificate enrolment certificates and certificate enrolment certificates and certificate enrolment certificates and certificate enrolment
o security between network entities (e.g. security between network entities (e.g. security between network entities (e.g. security between network entities (e.g.
establishment of establishment of establishment of establishment of IPsecIPsecIPsecIPsec))))
o ProSeProSeProSeProSe/V2X application security/V2X application security/V2X application security/V2X application security
o EAPEAPEAPEAP----TLS, Internet browser securityTLS, Internet browser securityTLS, Internet browser securityTLS, Internet browser security
New 5G potential Public Key use cases:New 5G potential Public Key use cases:New 5G potential Public Key use cases:New 5G potential Public Key use cases:
o certificates requiring PKI and publiccertificates requiring PKI and publiccertificates requiring PKI and publiccertificates requiring PKI and public----
private key pairs without PKI private key pairs without PKI private key pairs without PKI private key pairs without PKI
o device authenticationdevice authenticationdevice authenticationdevice authentication
o overoveroverover----thethethethe----air signaling protectionair signaling protectionair signaling protectionair signaling protection
o IMSI and privacy protectionIMSI and privacy protectionIMSI and privacy protectionIMSI and privacy protection
o remote provisioningremote provisioningremote provisioningremote provisioning
o long term key protectionlong term key protectionlong term key protectionlong term key protection
Page 10Huawei Confidential
Authenticationo Network Access AuthenticationNetwork Access AuthenticationNetwork Access AuthenticationNetwork Access Authentication
o Support backward compatibilitySupport backward compatibilitySupport backward compatibilitySupport backward compatibility
o EPSEPSEPSEPS----AKA*+AKA*+AKA*+AKA*+
o Support EAP authentication Support EAP authentication Support EAP authentication Support EAP authentication
FrameworkFrameworkFrameworkFramework
o EAPEAPEAPEAP----AKA’AKA’AKA’AKA’
o Device authenticationDevice authenticationDevice authenticationDevice authentication
o device publicdevice publicdevice publicdevice public----key/certificatekey/certificatekey/certificatekey/certificate
o Slice authenticationSlice authenticationSlice authenticationSlice authentication
o service authenticationservice authenticationservice authenticationservice authentication
o Authentication to external networksAuthentication to external networksAuthentication to external networksAuthentication to external networks
o secondary / thirdsecondary / thirdsecondary / thirdsecondary / third----party authenticationparty authenticationparty authenticationparty authentication
o alternative credential alternative credential alternative credential alternative credential
Page 11Huawei Confidential
Privacy
o IMSI Privacyo UE tracking
o IMSI Leakage
o initial authentication protection
o Use of privacy enhancing technology
o Pseudonym
o access token
o encrypted IMSI (using public key or shared key)
o temporary identities
o Need to support lawful interception in the serving network
o Serving Network can get target identity from Home network
o Serving Network can get target identity from UE
o Need to be done consistently (based on operator policy) for all UEs to avoid detectability
Page 12Huawei Confidential
“Option 3”
o Non-standalone 5G deploymento 5G UE + 4G AN + 5G AN + 4G CN
o Support faster deployment while migrating to full 5G CN gradually
o Security of “Option 3”
o modelled after dual-connectivity in LTE where UE connects to two eNBs simultaneously
o anchored via eNB (i.e. MeNB)
o gNB access by UE is considered as secondary (i.e. SgNB)
o RRC signalling support between UE and gNB reusing PDCP security
o
Page 13Huawei Confidential
�SA3#83
�07
�SA3 Release14
�Phase 1
�05 �11 �05�09 �2017.02 �08 �11
�SA3 Release15
�TR
�SA3#84
�SA3#85
�SA3#86
�45% done
�SA3#87
�SA3#88
�SA3#89
�2016. 03
5G Security Standards: Current Landscape
Key 3GPP Working Groups
SA1: 5G requirements RAN: 5G access network
SA2: 5G architecture CT: 5G core and terminal
SA3: 5G security
�Phase1 considerations key points•Security Architecture
• Unified Authentication Framework
• Key Hierarchy
• UE/Network Authorization
• Slicing Security
�Phase2 considerations key points• low latency
• IoT
• Small Data
• Slicing security enhancement
• etc.
Thank youwww.huawei.com
Copyright©2012 Huawei Technologies Co., Ltd. All Rights Reserved.
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial
and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and
developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for
reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.