5G Security

6/22/2024, 5 min read


5G security, as defined by 3GPP (3rd Generation Partnership Project), is a comprehensive framework designed to provide enhanced security for mobile networks. It addresses various new challenges introduced by the 5G ecosystem, including higher data rates, massive device connectivity (e.g., IoT), ultra-low latency requirements, and diverse deployment scenarios. The 5G security framework builds on 4G LTE security mechanisms but introduces several new features and improvements to ensure more robust protection.

Below is a detailed explanation of 5G security features, based on 3GPP's standards:

1. Enhanced Authentication and Identity Protection

5G introduces several improvements in how devices and users authenticate with the network and how their identities are protected:

a) Primary Authentication

The primary authentication in 5G involves mutual authentication between the user equipment (UE) and the network. This ensures that both the network and the device verify each other's identity before establishing a connection.

  • Authentication and Key Agreement (AKA): 5G uses 5G-AKA (an enhanced version of LTE-AKA) and EAP-AKA' (Extensible Authentication Protocol AKA') for user authentication. These protocols authenticate the subscriber and establish a secure key to encrypt communication between the UE and the network.

  • Mutual Authentication: Unlike previous generations, 5G guarantees mutual authentication, meaning that both the user device and the network authenticate each other, reducing the risk of a device connecting to an unauthorized network.

b) Subscription Concealed Identifier (SUCI)

5G enhances user privacy by protecting the Subscription Permanent Identifier (SUPI) using the Subscription Concealed Identifier (SUCI). The SUCI is derived by encrypting the SUPI, so it is never transmitted in cleartext over the air. This prevents unauthorized entities from intercepting the user's permanent identity.

  • SUPI = Permanent identifier (like IMSI in 4G).

  • SUCI = Encrypted identifier used to protect the SUPI during transmission.
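The concealment step described above, as an added Go example that is not code from the original post or from any 3GPP implementation: the UE generates an ephemeral X25519 key, derives an AES key, counter block and MAC key with the ANSI X9.63 KDF (SharedInfo1 = the ephemeral public key), encrypts the MSIN part of the SUPI with AES-128-CTR and appends a 64-bit HMAC-SHA-256 tag, which is ECIES Profile A of TS 33.501 Annex C; the home network runs the same transform in the other direction and accepts the MSIN only if the tag verifies. The profile parameters are quoted from the spec as recalled here, the caller supplies the ephemeral key (a fresh one per SUCI), and the clear-text parts of a SUCI (home network identifier, routing indicator, scheme and key identifiers) are outside this block.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

// x963KDF is the ANSI X9.63 KDF with SHA-256: SHA-256(Z || counter || info) for counter = 1, 2, ...
func x963KDF(z, info []byte, n int) []byte {
	var out []byte
	for i := uint32(1); len(out) < n; i++ {
		sum := sha256.Sum256(append(binary.BigEndian.AppendUint32(append([]byte{}, z...), i), info...))
		out = append(out, sum[:]...)
	}
	return out[:n]
}

// profileA runs ECIES Profile A in one direction: derive enc key (16) || ICB (16) || MAC key (32)
// with the UE ephemeral public key as SharedInfo1, apply AES-128-CTR (its own inverse) to in,
// and return the result together with the 64-bit HMAC-SHA-256 tag over the ciphertext.
func profileA(shared, ephPub, in []byte, encrypting bool) (out, tag []byte) {
	k := x963KDF(shared, ephPub, 64)
	block, _ := aes.NewCipher(k[:16]) // key is always 16 bytes, so NewCipher cannot fail
	out = make([]byte, len(in))
	cipher.NewCTR(block, k[16:32]).XORKeyStream(out, in)
	ct := in // when decrypting, the MAC covers the input ciphertext
	if encrypting {
		ct = out
	}
	m := hmac.New(sha256.New, k[32:])
	m.Write(ct)
	return out, m.Sum(nil)[:8] // Profile A truncates the MAC to 64 bits
}

// ConcealSUPI is the UE side: SUCI payload = ephemeral public key (32) || encrypted MSIN || tag (8).
// eph is the UE's fresh ephemeral key; hnPub is the home network's long-term X25519 public key.
func ConcealSUPI(hnPub *ecdh.PublicKey, eph *ecdh.PrivateKey, msin []byte) ([]byte, error) {
	shared, err := eph.ECDH(hnPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	ct, tag := profileA(shared, ephPub, msin, true)
	return append(append(ephPub, ct...), tag...), nil
}
```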

2. Improved Encryption and Integrity Protection

Encryption and integrity protection in 5G are stronger and more flexible than in previous generations. Key improvements include:

a) User Data and Signaling Protection

Both user plane (data traffic) and control plane (signaling) messages are protected by encryption and integrity mechanisms. 5G specifies stronger algorithms and applies both confidentiality and integrity protection to the control plane and the user plane, preserving confidentiality and preventing tampering.

  • Control Plane Security: Encryption and integrity protection for signaling messages (e.g., between the UE and the AMF, the Access and Mobility Management Function).

  • User Plane Security: Encryption for data transmitted between the UE and the network to ensure confidentiality.

b) More Secure Algorithms

5G uses state-of-the-art encryption algorithms, including 128-bit and 256-bit encryption options. The flexibility of encryption algorithms allows 5G to adapt to different security requirements and provide stronger protection compared to 4G.

c) Separation of Control and User Plane Security

The separation of control and user plane security allows different keys to be used for the control messages and the user data. This ensures that even if one plane is compromised, the other remains secure.

3. Network Slicing Security

5G introduces network slicing, where a single physical network is divided into multiple virtual networks (slices), each tailored to specific use cases (e.g., enhanced mobile broadband, critical IoT, etc.). Each network slice can have its own security policies.

  • Isolation Between Slices: Each slice has dedicated security mechanisms, ensuring that security breaches in one slice do not impact others. This enables different security levels for various use cases, such as ultra-reliable low-latency communication (URLLC) or massive machine-type communications (mMTC).

  • Authentication Per Slice: Each network slice can authenticate users separately and apply different encryption or access control mechanisms based on the requirements of the slice.

4. Key Management and Security Anchors

The 5G security architecture includes a robust key management system to handle the generation, distribution, and protection of cryptographic keys.

a) Key Hierarchy

5G uses a hierarchical key management structure, starting with the Anchor Key (K_AUSF), which is derived during authentication. From this anchor key, additional keys are derived for both the control and user planes.

  • K_AUSF (Anchor Key) is derived during authentication.

  • K_AMF (Access and Mobility Key) is derived from K_AUSF and used for control plane signaling.

  • K_gNB (gNB Key) is used for user plane encryption.
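The derivation chain in this section, as an added Go example that is not code from the original post or from any 3GPP implementation; it also illustrates the control/user-plane key separation of section 2c, since the NAS keys hang off K_AMF while the RRC and user-plane keys hang off K_gNB, so refreshing or exposing K_gNB says nothing about K_AMF. It follows TS 33.501 Annex A, which places K_SEAF between K_AUSF and K_AMF and builds every key with the TS 33.220 KDF (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1); the FC codes and algorithm type distinguishers are quoted from that annex as recalled here, and the anchor key, serving network name and SUPI used in the test are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

// kdf is the 3GPP generic KDF (TS 33.220 Annex B): HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...),
// each Li being the 16-bit big-endian length of Pi.
func kdf(key []byte, fc byte, params ...[]byte) []byte {
	s := []byte{fc}
	for _, p := range params {
		s = append(s, p...)
		s = binary.BigEndian.AppendUint16(s, uint16(len(p)))
	}
	m := hmac.New(sha256.New, key)
	m.Write(s)
	return m.Sum(nil)
}
// Algorithm type distinguishers for the 128-bit algorithm keys (TS 33.501 Table A.8-1).
const (
	nasEnc, nasInt byte = 0x01, 0x02
	rrcEnc, rrcInt byte = 0x03, 0x04
	upEnc, upInt   byte = 0x05, 0x06
)

// algKey is the low 128 bits of KDF(parent, 0x69, algorithm type, algorithm id).
func algKey(parent []byte, typ, algID byte) []byte {
	return kdf(parent, 0x69, []byte{typ}, []byte{algID})[16:]
}
// Keys holds the chain below the anchor plus the per-algorithm keys loaded into the ciphers.
type Keys struct {
	KSEAF, KAMF, KgNB                                  []byte
	KNASenc, KNASint, KRRCenc, KRRCint, KUPenc, KUPint []byte
}

// Derive walks K_AUSF -> K_SEAF -> K_AMF -> K_gNB -> algorithm keys. snn is the serving
// network name, abba the anti-bidding-down parameter, nasCount the uplink NAS COUNT at
// K_gNB derivation and algID the selected NEA/NIA number (2 = the AES-based NEA2/NIA2).
func Derive(kausf []byte, snn, supi string, abba []byte, nasCount uint32, algID byte) Keys {
	var k Keys
	k.KSEAF = kdf(kausf, 0x6C, []byte(snn))
	k.KAMF = kdf(k.KSEAF, 0x6D, []byte(supi), abba)
	k.KgNB = kdf(k.KAMF, 0x6E, binary.BigEndian.AppendUint32(nil, nasCount), []byte{0x01}) // 0x01: 3GPP access
	k.KNASenc, k.KNASint = algKey(k.KAMF, nasEnc, algID), algKey(k.KAMF, nasInt, algID)
	k.KRRCenc, k.KRRCint = algKey(k.KgNB, rrcEnc, algID), algKey(k.KgNB, rrcInt, algID)
	k.KUPenc, k.KUPint = algKey(k.KgNB, upEnc, algID), algKey(k.KgNB, upInt, algID)
	return k
}
```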

b) Inter-Access Technology and Handover Security

In 5G, key management is designed to support handover security between different radio access technologies (e.g., between 5G and 4G). Handover security ensures that keys are re-used or re-derived securely when transitioning between different access networks, maintaining the security of ongoing communication sessions.

5. Enhanced Privacy Protections

In addition to encrypting the user’s identity with SUCI, 5G also incorporates other privacy features:

  • Anonymization of Identifiers: 5G anonymizes temporary user identifiers, such as the GUTI (Globally Unique Temporary Identifier), which is dynamically assigned to the UE and frequently updated to prevent tracking.

  • Protection Against Location Tracking: The 5G system is designed to limit the exposure of user location data, making it harder for third parties to track users across the network.

6. Security for IoT (Massive Machine-Type Communication)

With the proliferation of IoT devices in 5G, security for low-power, low-data-rate devices becomes crucial. 5G addresses IoT security with:

  • Lightweight Authentication: 5G supports efficient and lightweight security mechanisms for IoT devices that have limited computational resources. These mechanisms ensure that IoT devices remain secure without imposing a heavy processing burden.

  • Network Slicing for IoT: Network slicing enables 5G to offer dedicated slices for IoT, with tailored security policies to protect IoT services, including device authentication and encryption.

7. Secure Edge Computing

5G's architecture integrates Multi-Access Edge Computing (MEC) to bring computing resources closer to the user. MEC introduces new security challenges, and 5G addresses them by:

  • Edge Security: 5G ensures that data processed at the edge is encrypted, and that secure communication channels are maintained between the edge nodes and the core network.

  • Data Integrity and Confidentiality: MEC nodes are integrated into the security framework, ensuring that data is both encrypted and protected for integrity during its transmission and processing.

8. Service-Based Architecture (SBA) Security

5G uses a Service-Based Architecture (SBA) in its core network, where network functions communicate with each other via standardized APIs. This requires strong security measures to protect inter-function communication.

  • API Security: All interactions between network functions (e.g., AMF, SMF, UPF) are secured using TLS (Transport Layer Security) to ensure confidentiality, integrity, and authentication.

  • Authorization Framework: Access control mechanisms ensure that only authorized network functions can communicate with each other. This is achieved through secure token-based authorization.

9. Lawful Interception (LI) Security

5G supports lawful interception in compliance with legal regulations. The 5G architecture ensures that lawful interception is carried out securely without compromising the security and privacy of non-targeted users.

  • Encrypted Lawful Interception: Interception interfaces are secured to prevent unauthorized access, and only authorized entities can perform lawful interceptions in a secure manner.

Summary

The 5G security architecture defined by 3GPP represents a significant improvement over previous generations, with a focus on:

  • Stronger authentication and encryption mechanisms.

  • Enhanced user privacy, such as the use of SUCI to protect identities.

  • Secure and flexible network slicing for different use cases.

  • Comprehensive key management for control and user plane security.

  • Tailored security for IoT and edge computing.

  • Advanced privacy and protection mechanisms against tracking, identity theft, and interception.

These advancements make 5G more resilient against modern threats, ensuring a secure foundation for the wide range of services and applications that 5G will support.