We are pleased to share an interesting article contributed by Anand R. Prasad, an information security leader experienced in developing successful businesses, with a proven professional track record of over 20 years.
Anand R. Prasad, Chairman of 3GPP security working group (SA3) and Chief Advanced Technologist at NEC
In this brief article I will touch on 3GPP's recent achievements regarding 5G, followed by a high-level discussion of migration-associated security aspects, and finally details of the 3GPP specifications on Non-Stand-Alone or 4G-5G Dual Connectivity.
3GPP Recent Achievements
5G architecture and radio specifications were approved in December 2017! See the 3GPP news for details. This is as planned; see my earlier article "5G Security - Tomorrow and day after?". Among others, one of the achievements of 3GPP was the completion of the 5G-4G dual connectivity specifications, where a device can connect to 5G and 4G base-stations simultaneously while the 5G base-station is connected to the 4G core network. Such a dual connectivity solution allows early availability of 5G to the market and serves as a migration path from 4G to 5G. Certainly, there are other options for migration to 5G; more details can be found in clause 7.2 of technical report 38.801, "Study on new radio access technology: Radio access architecture and interfaces".
General Aspect
Looking at the global mobile communications market, operators might migrate to 5G not only from 4G but also from 3G, and some even from 2G. Thus migration will happen from very different types of system. At a high level, some of the aspects requiring security consideration from a migration perspective are:
(1) Deploying a secure 5G network. This includes secure network design, security assurance of network functions, and provisioning of security monitoring as well as a security operations center (see figure on Network Guardian). Network design security should include interactions with legacy systems. This gives us a clean 5G-only environment.
(2) Several existing databases will require migration to the new system, and adequate security consideration should be given to these. Special attention should be paid to the databases associated with user authentication, charging, etc.
(3) Adequate security consideration will also be required for security associated with OSS/BSS and O&M.
(4) Migration towards 5G will also lead to increased deployment of virtualization. Depending on strategy and national regulations, shared or private virtualization infrastructure might be used, which calls for security considerations for cloud and virtualization.
(5) Security should also be provisioned for the new services that 5G will bring and for open APIs. This security must be provisioned with legacy networks in mind.
Now let us look at security for the 4G-5G dual connectivity (non-stand-alone) specification discussed earlier in the article. The mobile device first connects to the 4G network, so, from a security perspective, the mobile device's capability for 5G and the subscriber's authorization to access the 5G network should be verified. After that, keys should be derived for secure communication over 5G.
Let us look at this in further detail. The Master eNodeB (MeNB), i.e. the 4G base-station to which the mobile device is connected, verifies whether the device is authorized to access 5G services. Once that is done, the MeNB derives and sends the key to be used by the Secondary gNB (SgNB), i.e. the 5G base-station; the mobile device also derives the same key. Both user-data communication and signaling take place between the mobile device and the SgNB. Thus further keys are derived from the key sent to the SgNB; these are (a) a confidentiality key for user data and (b) both confidentiality and integrity keys for signaling. Note that an integrity key will be derived and integrity will be provisioned for user data in the complete 5G system, i.e., the non-dual-connectivity case.
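The key hierarchy described above can be sketched as follows. This is an added example, not code from the article or from 3GPP: it uses HMAC-SHA-256 in the generic 3GPP KDF input layout, and the FC codes, purpose distinguishers, freshness counter, algorithm identifier and 128-bit truncation are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed constants for this sketch; take normative values from the 3GPP specs.
FC_SECONDARY_KEY = 0x1C          # assumed code for "key for the secondary node"
FC_ALGORITHM_KEY = 0x15          # assumed code for "per-purpose key"
# Signaling gets confidentiality and integrity keys, user data only confidentiality.
PURPOSES = {"rrc_enc": 0x03, "rrc_int": 0x04, "up_enc": 0x05}


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ... (L = 2-byte length)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_secondary_key(k_enb: bytes, counter: int) -> bytes:
    """Run by both the MeNB and the device; the counter (assumed) gives freshness."""
    return kdf(k_enb, FC_SECONDARY_KEY, counter.to_bytes(2, "big"))


def derive_sgnb_keys(s_key: bytes, alg_id: int) -> dict:
    """Run by both the SgNB and the device on the key derived by the MeNB."""
    return {
        name: kdf(s_key, FC_ALGORITHM_KEY, bytes([dist]), bytes([alg_id]))[-16:]
        for name, dist in PURPOSES.items()
    }


def simulate(counter: int = 0) -> tuple:
    k_enb = bytes(range(32))     # constructed sample key, never a real one
    # Network side: the MeNB derives the secondary key and hands it to the SgNB.
    sgnb_keys = derive_sgnb_keys(derive_secondary_key(k_enb, counter), alg_id=2)
    # Device side: same inputs, computed locally; no key crosses the radio link.
    ue_keys = derive_sgnb_keys(derive_secondary_key(k_enb, counter), alg_id=2)
    return sgnb_keys, ue_keys


if __name__ == "__main__":
    net, ue = simulate()
    for name in net:
        ok = hmac.compare_digest(net[name], ue[name])
        print(name, net[name].hex(), "match" if ok else "MISMATCH")
```

Changing the counter yields an unrelated set of keys, and each purpose gets its own key, so exposure of one derived key does not reveal the others or the key held by the MeNB.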