A contributed article from Anand R. Prasad, Chairman of the 3GPP security working group (SA3) and Chief Advanced Technologist at NEC.
This is the second part of an article based on talks I have given on 5G security since last year. The first part, on my thoughts regarding 5G, is available here. In this part I present my views on security considerations for the 5G core network and the radio access technology/network; the remaining security topics will follow in the next part of the article. Once again, I deliberately do not discuss global activities on 5G IOT and security.
Note that the discussion is about security considerations for 5G, not about security solutions or attacks.
(Core) Network
The core network will see increased use of SDN, NFV and cloud. Also, the core network will cater for multiple radio access technologies. With that in mind, let us look at the security considerations.
Virtualization: A mobile network has to handle several kinds of security credentials: those related to subscribers that are active or have recently been active, and those used to secure communication between network functions. If we virtualize the network functions without appropriate consideration, these security credentials will potentially be accessible to attackers. Further, an attack on one virtual machine could spread to other virtual machines or tenants.
Based on this discussion it is clear that secure boot, secure storage of security credentials and isolation are some of the minimum requirements. Several other virtualization-related security aspects are covered elsewhere, so we will not discuss the topic further.
The network perimeter will not be the same as today: it will no longer be possible to stop attacks at the network border, or the definition of the border itself will have to be reconsidered. The border will move deeper into the network, which in turn means that attackers will be able to reach much deeper than before.
It goes without saying that baseline security will become paramount, where baseline security includes hardening, TCP/IP stack security, OS security, hypervisor security, password management, etc. Security orchestration, in addition to secure orchestration, and security monitoring will be required.
Cloud: To me, cloud is more than virtualization. In the case of cloud, virtual machines can migrate from one place to another. Now consider the security issues of migrating a mobile network function together with its associated security and networking credentials and its various configuration parameters; the network will become vulnerable. All credentials or configuration parameters associated with a network function that is being migrated must be removed from the source location, otherwise they could become targets of attack or, failing that, a source of misconfiguration. Similarly, credentials and configuration parameters must be protected during the migration itself.
Slicing: Slicing will be realized with the help of virtualization and cloud, although one could argue that slicing is achievable without these technologies as well. As slicing is meant to provision a network for a specific service, it is also possible that various radio technologies will be connected to a given slice. This leads to several security considerations:
Radio Access Technology (and Network)
Radio access technology will see several improvements, with data rates ranging from a few bits up to several gigabits and delays going down to micro- if not nanoseconds (compare this with the millisecond range in today's systems). The radio access network will also become partially virtualized and cloud based. Let us now look at the security considerations:
Virtualization and cloud related security issues will be the same as those for the (core) network discussed earlier. Additional implications due to the characteristics of the radio access technology and the radio access network will appear.
Interfaces: Additional security consideration will be required for the introduction of new interfaces to the core network and within the radio access network, including the interface between the cloud part and the non-cloud part.
Data rates and delays: For very low data rates, going down to a few bits per day, we will have to consider the extent of security (be it authentication, confidentiality, integrity or otherwise) that can be provisioned. Several Internet of Things (IOT) or Machine-to-Machine (M2M) services and devices fall under this category; examples are temperature sensors giving hourly updates, sensors on farm animals reporting vital signs a couple of times a day, etc. Such devices will also be resource constrained in terms of battery, computation and memory. This leads to several security requirements: a complete security-related message sequence, e.g. authentication, should not run for every communication, and even when it does run, it should complete in the minimum number of round trips. Another requirement is to reduce the security-related bits, e.g. for integrity protection, sent over the air interface. Security and cryptographic algorithms must be energy efficient and optimized to work on resource-constrained devices.
At the other end are high data-rate devices with more battery and computational resources; examples include smartphones or tablets, IOT devices such as cars, Industrial IOT (IIOT) devices such as factory machinery, and virtual or augmented reality (VR or AR) devices used for gaming or real-time services. Provisioning higher data rates also means that the complexity of security functions must be considered to avoid processing delay. At the same time, higher data rates are achieved by reducing the overhead bits on the radio interface, which in turn affects the number of bits that can be budgeted for security.
General aspects: The security considerations mentioned under slicing (authentication, key management, etc.) in the previous section on the (core) network are also valid for the radio access network and radio access technology. Enhancements such as beamforming and mass usage of software defined radio, and their security implications, should also be considered.