5G security standards include requirements for user devices, mainly smartphones and tablets, and for the base stations in 5G networks.
Other standards cover various features within the 5G system. 5G security standards emphasize confidentiality, integrity, and replay protection. Replay protection guards against replay attacks, in which a malicious actor intercepts a message, extracts the credentials it contains, and later resends a similar but modified message to the same destination. The destination then answers as if the message were legitimate, sending its response to the original sender rather than to the attacker.

The "Security architecture and procedures for 5G systems" standard is an important example of a 5G security standard. It was developed through the collaboration of the standards bodies that together make up 3GPP and through cooperation with the Internet Engineering Task Force (IETF). The International Telecommunication Union (ITU) has published a large number of 5G standards in other areas, but there is no comparable document that sets out 5G security rules to the same extent as 3GPP's publications.

This article is not an exhaustive look at everything 3GPP publishes on 5G security architecture and procedures. Instead, it is a high-level overview of the requirements for user equipment and 5G base stations. These two categories were chosen because they are the most important and fundamental examples of 5G technology.

User equipment security features

Authentication: The user equipment must authenticate the network identifier through key authentication.

Confidentiality of user and signaling data: User equipment supports confidentiality of data through encryption algorithms. User equipment must support the NEA0, 128-NEA1, and 128-NEA2 cryptographic algorithms. For context, NEA0 provides no encryption, while 128-NEA2 is AES-128. 128-NEA3 is a stronger algorithm but is optional.

Integrity of user and signaling data: The NIA0, 128-NIA1, and 128-NIA2 cryptographic algorithms are used for integrity protection. User equipment must support integrity protection and replay protection of user data between itself and the network nodes. Integrity protection is part of tamper resistance: measures taken to ensure that a program keeps functioning as intended, especially when an entity is trying to corrupt, monitor, or change how it operates. Although support is mandatory, actually applying integrity protection to user data between the user equipment and the network nodes is optional, because user-plane integrity protection enlarges the data packets and increases the processing load on both the user equipment and the network nodes.

Secure storage and handling of subscription credentials: These credentials and their long-term keys must be integrity protected within the user's device by tamper-resistant hardware. Long-term keys must never exist unencrypted outside the tamper-resistant hardware, and any authentication algorithm that uses subscription credentials must run inside it. This part of the larger standard also requires that security assessments of the hardware components can be performed.

User privacy: To meet 3GPP 5G security standards, user devices must support what 3GPP calls a Globally Unique Temporary UE Identity (GUTI). The GUTI identifies the user device unambiguously without revealing the permanent identity of the UE or the user in the 5G network. The Subscription Permanent Identifier (SUPI) must not be transmitted unencrypted over the next-generation radio access network. The Generic User Identity Module stores the home network public key, the protection scheme identifier, the home network public key identifier, and the Subscription Concealed Identifier (SUCI); the SUCI in turn contains the SUPI in concealed form.
The 5G network provider is responsible for user privacy and for configuring and updating the home network public key and the identifier of that key. In the 3GPP 5G security standards, the home network is the network to which the user primarily subscribes.

Network security features

The 5G base station is called the gNB, short for new radio NodeB. It succeeds the evolved NodeB of 4G LTE and the NodeB of 3G.

Subscription authentication: The network must authenticate the SUPI when performing authentication and key agreement with the user equipment.

User equipment authorization: The serving network must authorize the user equipment using the subscription template obtained from the home network. The serving network is essentially a roaming network that lets users connect to their home network. User equipment authorization depends on the SUPI having been authenticated.

Serving network authorized by the home network: As part of this larger 5G security standard, the user device must ensure that it is connected to a serving network authorized by the home network.

Access network authorization: Just as the serving network must obtain authorization from the home network, the access network must obtain authorization from the serving network to provide services to the user equipment.

Confidentiality of user and signaling data: The gNB must support encryption of user data and of radio resource control (RRC) signaling in transit, and it activates user data encryption according to the security policy. The encryption algorithms are the same ones the user equipment uses for data confidentiality, as described above.

Integrity of user and signaling data: Like UEs, gNBs must support integrity protection and replay protection of user data between the UE and the gNB, using the same integrity algorithms as the UE. However, NIA0 is not recommended for integrity protection: it is the null algorithm and applies no protection, so it only adds unnecessary overhead. 5G network nodes must also support integrity protection and replay protection for RRC. For context, RRC lives in the control plane and controls the configuration between Layer 2 and Layer 3 of the radio interface.

Setup and configuration requirements: In this 5G security standard, when the operation and management (O&M) system sets up and configures the gNB, it must be authenticated and authorized by the registration authority and certification authority (RA/CA) so that attackers cannot modify the gNB's settings and software configuration. Communication between the O&M system and the gNB must be protected for confidentiality, integrity, and replay against unauthorized entities. In addition, software and data changes must be authorized before installation and use, the software and data themselves must be authorized, and the transfer of software to the gNB must be confidential and integrity protected. The boot process must be completed in a secure environment to protect its sensitive elements.

Key management requirements within the gNB: The different elements of the encryption keys that the 5G core provides to the gNB must be protected. These elements are subscription-specific session key material, which holds long-term keys used for security association setup and authentication. The first element of this requirement is that any part of the gNB deployment that stores or processes unencrypted keys must be protected from physical attacks; where that protection is not built in, the gNB must be placed in a physically secure location.

Requirements for handling user plane and control plane data: The requirements for handling the gNB's user plane and control plane data mirror those for key management.
Unencrypted data must be protected from physical attacks, kept in a physically secure location, and stored and processed in a secure environment.

Requirements for a secure environment: There are also requirements for the secure environment in which all this unencrypted data is handled. It must support secure storage of, for example, long-term cryptographic secrets and important configuration data. The environment must be able to execute sensitive functions and protocols that use long-term secrets; sensitive functions include encryption and decryption of user data, and an authentication protocol is an example of a protocol that uses long-term secrets. This part of the 3GPP 5G security standard requires that the secure environment has integrity. Finally, only people with authorized access can enter the secure environment.

F1 interface requirements: The F1 interface carries signaling traffic and user plane data between the distributed units and the central unit of the network. The F1 interfaces for the control plane and the user plane must support confidentiality, integrity, and replay protection, and the control plane and user plane F1 interfaces are protected independently. The same protection must apply to all management traffic transmitted over the central unit to distributed unit link.

E1 interface requirements: The E1 interface is the open interface between the central unit's control plane and the central unit's user plane. In both cases the E1 interface requires confidentiality, integrity, and replay protection.

5G security standards: key takeaways

1. Various 5G network security responsibilities fall on user devices and on network infrastructure.
2. 3GPP standards emphasize the confidentiality and integrity of data and mainly use encryption algorithms, also known as cryptographic algorithms, to protect data.
3. Both user devices and network infrastructure need to protect the algorithms' cryptographic keys through encryption, tamper-resistant hardware, or a physically secure location.
4. Authentication and authorization are also important for user devices and network infrastructure, so that user devices and other networks can be confirmed as authorized devices and networks.
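Replay protection is required throughout the sections above (user data, RRC, and the F1 and E1 interfaces) without the mechanism being spelled out. The Go program below is an added illustration, not code from the page or from 3GPP, of the receiver-side check that makes such protection work: a sliding window keyed on the per-PDU COUNT value that tolerates out-of-order delivery inside the window while rejecting any COUNT already accepted or older than the window. The window size and the arrival sequence are constructed values, the structure is a generic anti-replay window rather than the exact PDCP receive procedure, and it assumes the PDU's MAC-I was verified before its COUNT reaches this check.

```go
package main

import (
	"errors"
	"fmt"
)

// replayWindow is an anti-replay check keyed on a 32-bit PDCP-style COUNT.
// It keeps a bitmap over the `size` COUNT values at or below the highest one
// accepted, so out-of-order delivery within the window is tolerated while any
// COUNT already accepted, or older than the window, is rejected. COUNT is
// assumed not to wrap: the standards require a fresh key before that point.
type replayWindow struct {
	size    uint32
	highest uint32
	started bool
	bitmap  []bool // bitmap[i] set means COUNT (highest - i) has been accepted
}

func newReplayWindow(size uint32) *replayWindow {
	return &replayWindow{size: size, bitmap: make([]bool, size)}
}

var (
	errReplayed = errors.New("replay: COUNT already accepted")
	errStale    = errors.New("stale: COUNT older than the replay window")
)

// check must run only after the PDU's integrity check has passed; otherwise an
// unauthenticated PDU could advance the window and lock out genuine traffic.
func (w *replayWindow) check(count uint32) error {
	if !w.started || count > w.highest {
		shift := w.size // first PDU, or a jump past the whole window: every old mark expires
		if w.started && count-w.highest < w.size {
			shift = count - w.highest
		}
		copy(w.bitmap[shift:], w.bitmap[:w.size-shift]) // slide marks to their new offsets
		for i := range w.bitmap[:shift] {
			w.bitmap[i] = false
		}
		w.bitmap[0], w.highest, w.started = true, count, true
		return nil
	}
	offset := w.highest - count
	if offset >= w.size {
		return errStale
	}
	if w.bitmap[offset] {
		return errReplayed
	}
	w.bitmap[offset] = true
	return nil
}

func main() {
	w := newReplayWindow(64) // window of 64 COUNT values, a constructed choice
	for _, c := range []uint32{0, 1, 3, 2, 2, 200, 100, 150} { // constructed arrival order
		fmt.Printf("COUNT %3d -> %v\n", c, w.check(c))
	}
}
```

In the sample run COUNT 2 is accepted once although it arrives after 3, its second copy is rejected as a replay, and COUNT 100 is rejected as stale once 200 has moved the window past it.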