How vulnerable is 5G – security viewpoint

Executive Summary:

The blog starts with a question, are we introducing new threat surface in 5G, we have already made radio flattened and split into RU-DU-CU and attach virtualized capabilities – though it is an open question if introducing more software vendor can touch money-money deck/TCO in big difference, the answer is not yet known rather we are in the way of experimenting vendor dependencies and virtualization in terms of CXO TCO figure.

The blog includes

  1. 3gpp specification for phase 1 and a specification viewpoint ,it is the responsibilities of CSP to implement specifications.
  2. security architecture and its viewpoint from actor, domain and system.
  3. Introduction of trust model
  4. Virtualisation and share responsibilities between either CSP business with private cloud or public cloud with panic attack – just kidding.
  5. Key Managment

3GPP Specification and security phases

  • 3GPP security Architecture specification 1 covers eMBB
  • 3GPP security Architecture specification 2 covers URLLC and massive IOT
  • Below is the chart that illustrates the broad categories of use cases that 5G will cater to:

Fig 1 – 3GPP Specifications phase for security

3GPP uses the following use-cases to differentiates use of 5G

Enhanced Mobile broadband (eMBB): 5G Enhanced Mobile Broadband (eMBB) brings the promise of high speed and dense broadband to the subscriber. With gigabit speeds, 5G provides an alternative to traditional fixed line services. Fixed wireless access based on mmWave radio technologies enables the density to support high bandwidth services such as video over a 5G wireless connection. To support eMBB use cases, the mobile core must support the performance density, scalability and security required.

Ultra-reliable low latency Communications (Robotics, Factory Automation): Ultra-reliable low latency communications (URLLC) focuses on mission critical services such as augment and virtual reality, tele-surgery
and healthcare, intelligent transportation and industry automation. Traditionally over a wired connection, 5G offers
a wireless equivalent to these extremely sensitive use cases. URLLC often requires the mobile core User Plane Function (UPF) to be located geographically closer to then end user in a Control and User plane Separation (CUPS) architecture to achieve the latency requirements.

Massive IOT: Massive IOT in 5G addresses the need to support billions of connections with a range of different services. IOT services range from devices sensors requiring relatively low bandwidth to connected cars which require a similar service to a mobile handset. Network slicing provides a way for service providers to enable Network as a Service (NaaS) to enterprises; giving them the flexibility to manage their own devices and services on the 5G network.

Simplified view of User Equipment and 5G network communication

Figure 2: Overview of the security Architecture actor- viewpoint

Fig 3 : Overview security architecture domain and intersection viewpoint source:3GPP

Five security feature groups are defined. Each of these feature groups meets certain threats and accomplishes certain security objectives:

–   Network access security (I): the set of security features that provide users with secure access to services, and which protect against attacks on the (radio) access link.

–   Network domain security (II): the set of security features that enable nodes to securely exchange signalling data, user data (between AN and SN and within AN) and protect against attacks on the wireline network.

–   User domain security (III): the set of security features that secure access to mobile stations.

–   Application domain security (IV): the set of security features that enable applications in the user and in the provider domain to securely exchange messages.

–   Visibility and configurability of security (V): the set of features that enables the user to inform himself whether a security feature is in operation or not and whether the use and provision of services should depend on the security feature.

5G Service based Ref Architecture:Non Roaming

USE of TLS and Oauth2.0 while function communicate with each other

Fig 4 5gC architecture source 3gpp

5G Service based Ref Architecture:Roaming and introduction of Security Age Protection Proxy (SEPP)

USE of TLS and Oauth2.0 while function communicate with each other

Fig 4 5gC architecture source 3gpp

Attack surface:

Network Resource and communication medium

  • Radio Access Link
  • Node or domain communication security

User and application security

  • User authentication/authorization to services
  • Authorized Services accessibility for User and SBA domain communication
  • Configuration and visibility shared responsibility of user and CSP

Trust Model Non-Roaming and Roaming scenario

The Authentication Function (AUSF) keeps a key for reuse, derived after authentication, in case of simultaneous registration of a UE in different access network technologies, i.e. 3GPP access networks and non-3GPP access networks such as IEEE 802.11 Wireless Local Area Network (WLAN). Authentication credential Repository and Processing Function (ARPF) keeps the authentication credentials. This is mirrored by the USIM on the side of the client, i.e. the UE side. The subscriber information is stored in the Unified Data Repository (UDR). The Unified Data Management (UDM) uses the subscription data stored in UDR and implements the application logic to perform various functionalities such as authentication credential generation, user identification, service and session continuity etc. Over the air interface, both active and passive attacks are considered on both control plane and user plane. Privacy has become increasingly important leading to permanent identifiers being kept secret over the air interface.

Fig 5 Trust Model source 3gpp

Fig 6 Trust Model with roaming source 3gpp

In the roaming architecture, the home and the visited network are connected through SEcurity Protection Proxy (SEPP) for the control plane of the internetwork interconnect. This enhancement is done in 5G because of the number of attacks coming to light recently such as key theft and re-routing attacks in SS7  and network node impersonation and source address spoofing in signalling messages in DIAMETER  that exploited the trusted nature of the internetwork interconnect

5G Security Enhancement phase1

Fig 7 Authentication Mode(s) source 3gpp

Primary authentication: Network and device mutual authentication in 5G is based on primary authentication. This is similar to 4G but there are a few differences. The authentication mechanism has in-built home control allowing the home operator to know whether the device is authenticated in a given network and to take final call of authentication. In 5G Phase 1 there are two mandatory authentication options: 5G Authentication and Key Agreement (5G-AKA) and Extensible Authentication Protocol (EAP)-AKA’, i.e. EAP-AKA’. Optionally, other EAP based authentication mechanisms are also allowed in 5G – for specific cases such as private networks. Also, primary authentication is radio access technology independent, thus it can run over non-3GPP technology such as IEEE 802.11 WLANs.

Secondary authentication: Secondary authentication in 5G is meant for authentication with data networks outside the mobile operator domain. For this purpose, different EAP based authentication methods and associated credentials can be used. A similar service was possible in 4G as well, but now it is integrated in the 5G architecture.

Inter-operator security: Several security issues exist in the inter-operator interface arising from SS7 or Diameter [5,6] in the earlier generations of mobile communication systems. To counter these issues, 5G Phase 1 provides inter-operator security from the very beginning.

Privacy: Subscriber identity related issues have been know since 4G and earlier generations of mobile systems. In 5G a privacy solution is developed that protects the user’s subscription permanent identifier against active attacks. A home network public key is used to provide subscriber identity privacy.

Service based architecture (SBA): The 5G core network is based on a service based architecture, which did not exist in 4G and earlier generations. Thus 5G also provides adequate security for SBA.

Central Unit (CU) – Distributed Unit (DU): In 5G the base-station is logically split in CU and DU with a interface between them. Security is provided for the CU-DU interface. This split was also possible in 4G, but in 5G it is part of the architecture that can support a number of deployment options (e.g. co-locataed CU-DU deployment is also possible). The DUs, which are deployed at the very edge of the network, don’t have access to any user data when confidentiality protection is enabled. Even with the CU-DU split, the air interface security point in 5G remains the same as in 4G, namely in the radio access network.

Key hierarchy: The 5G hierarchy reflects the changes in the overall architecture and the trust model using the  security principle of key separation. One main difference in 5G compared to 4G is the possibility for integrity protection of the user plane.

Mobility: Although mobility in 5G is similar to 4G, the difference in 5G is the assumption that the mobility anchor in the core network can be separated from the security anchor. 

Key Management

The 5GC and NG-RAN shall allow for use of encryption and integrity protection algorithms for AS and NAS protection having keys of length 128 bits. The network interfaces shall support the transport of 256 bit keys.

The following describes the keys of the key hierarchy generation in a 5GS in detail.

Fig 8 5G key Management source 3gpp

The keys related to authentication (see Figure ) include the following keys: K, CK/IK. In case of EAP-AKA’, the keys CK’, IK’ are derived from CK, IK

The key hierarchy includes the following keys: KAUSF, KSEAF, KAMF, KNASint, KNASenc, KN3IWF, KgNB, KRRCint, KRRCenc, KUPint and KUPenc.

Keys for AUSF in home network:

–   KAUSF is a key derived

–    by ME and AUSF from CK’, IK’ in case of EAP-AKA’, CK’ and IK’ is received by AUSF as a part of transformed AV from ARPF; or,

–    by ME and ARPF from CK, IK in case of 5G AKA, KAUSF is received by AUSF as a part of the 5G HE AV from ARPF.

–   KSEAF is an anchor key derived by ME and AUSF from KAUSF.  KSEAF is provided by AUSF to the SEAF in the serving network.

Key for AMF in serving network:

–   KAMF is a key derived by ME and SEAF from KSEAF. KAMF is further derived by ME and source AMF when performing horizontal key derivation.

Keys for NAS signalling:

–   KNASint is a key derived by ME and AMF from KAMF, which shall only be used for the protection of NAS signalling with a particular integrity algorithm.

–   KNASenc is a key derived by ME and AMF from KAMF, which shall only be used for the protection of NAS signalling with a particular encryption algorithm.

Key for NG-RAN:

–   KgNB is a key derived by ME and AMF from KAMF. KgNB is further derived by ME and source gNB when performing horizontal or vertical key derivation. The KgNB is used as KeNB between ME and ng-eNB.

Keys for UP traffic:

–   KUPenc is a key derived by ME and gNB from KgNB, which shall only be used for the protection of UP traffic with a particular encryption algorithm.

–   KUPint is a key derived by ME and gNB from KgNB, which shall only be used for the protection of UP traffic between ME and gNB with a particular integrity algorithm.

Keys for RRC signalling:

–   KRRCint is a key derived by ME and gNB from KgNB, which shall only be used for the protection of RRC signalling with a particular integrity algorithm.

–   KRRCenc is a key derived by ME and gNB from KgNB, which shall only be used for the protection of RRC signalling with a particular encryption algorithm.

Application and Virtualization Security

Zero Trust security enablement – using centralized control management

Fig 8 SBA,Virtualization and control check point

Container Security

  • Securing container hosts
  • Securing container components
  • Orchestration Platform Security Best Practices: Build Phase
  • Orchestration Platform Security Best Practices: Deploy Phase
  • Orchestration Platform Security Best Practices: Runtime Phase


We have try to provide overview of 5g architecture in the context of security attack surface and risk mitigation plan by using 3GPP phase 1 specification, 5gc architecture, trust model (roaming and non-roming) ,control plane for SBA and container hardening best practice

in the next blog we will cover 5G security architecture phae2, 5GCore architecture in the security context

Happy learning!


Leave a Reply