5G-ENSURE D2.1 Use Cases

Deliverable D2.1 Use Cases

Project name: 5G Enablers for Network and System Security and Resilience
Short name: 5G-ENSURE
Grant agreement: 671562
Call: H2020-ICT-2014-2
Delivery date: 2016-02-01
Dissemination Level: Public
Lead beneficiary: EAB, Göran Selander, [email protected]

Authors:
EAB: Mats Näslund, Göran Selander
ITINNOV: Stephen Phillips, Bassem Nasser
LMF: Vesa Torvinen, Vesa Lehtovirta
NEC: Felix Klaedtke
NIXU: Seppo Heikkinen, Tommi Pernilä, Alexander Zahariev
ORANGE: Ghada Arfaoui, José Sanchez, Jean-Philippe Wary
UOXF: Piers O'Hanlon
SICS: Martin Svensson, Rosario Giustolisi
TASE: Gorka Lendrino, Carla Salas
TIIT: Madalina Baltatu, Luciana Costa
VTT: Janne Vehkaperä, Olli Mämmelä, Jani Suomalainen
D2.1 Use Cases
671562 5G-ENSURE 2
Executive summary

This document describes a number of use cases illustrating security and privacy aspects of 5G networks. Based on similarities in technical, service and/or business-model related aspects, the use cases are grouped into use case clusters covering a wide variety of deployments including, for example, the Internet of Things, Software Defined Networks and virtualization, ultra-reliable and standalone operations. The use cases address security and privacy enhancements of current networks as well as security and privacy functionality needed by new 5G features. Each use case is described in a common format where actors, assumptions and a sequence of steps characterising the use case are presented together with a short analysis of the security challenges and the properties of a security solution. Each use case cluster description is concluded with a “5G Vision” outlining the associated enhancements in security and privacy anticipated in 5G networks and systems. A summary of the 5G visions and conclusions is provided at the end of the document.
Foreword

The overall objective of 5G-ENSURE (see Section 1.1) is to become the reference project for everything that concerns security and privacy in 5G while contributing to 5G resilience. To achieve this overall ambition a number of specific objectives are targeted, including:

• Collect, analyse and prioritize 5G security and privacy requirements
• Define a security architecture for 5G
• Specify, develop and test an initial set of security and privacy enablers for 5G

These three objectives are in part dependent on analysing 5G security relevant use cases, which is the content of this deliverable D2.1. Hence D2.1 provides input to the work on Trust Model (Task 2.2), Risk Assessment, Mitigation and Requirements (Task 2.3) and the Security Architecture (Task 2.4) within the project. The use cases presented herein also serve to provide initial “blue-prints” for the required functionality of the so-called security enablers developed by WP3 of 5G-ENSURE.

D2.1 is one instance of the 5G-ENSURE measurable results and one of the milestones (MS2) of the 5G-ENSURE project. D2.1 is the first technical deliverable of the project and hence is not dependent on any previous technical deliverable within the project. The external sources for this deliverable, however, include other parallel projects running within the overall 5G-PPP and, conversely, cross-PPP coordination activities are in place to disseminate the results to other 5G-PPP projects.

Disclaimer

The information in this document is provided ‘as is’, and no guarantee or warranty is given that the information is fit for any particular purpose.

The EC flag in this deliverable is owned by the European Commission and the 5G PPP logo is owned by the 5G PPP initiative. The use of the flag and the 5G PPP logotype reflects that 5G-ENSURE receives funding from the European Commission, integrated in its 5G PPP initiative. Apart from this, the European Commission or the 5G PPP initiative have no responsibility for the content.

All Use Cases investigated in this deliverable are in the research context of a future 5G network and do not entail any commitment to be implemented in existing 2/3/4G standards. All references to 4G/LTE or EPC platforms are used for illustration of Use Cases and are not committing the project in any way to a predefined 5G infrastructure (as an iteration only of existing 4G standards for instance).

Copyright notice

© 2015-2017 5G-ENSURE Consortium
Contents

1 Introduction ... 7
1.1 5G-ENSURE ... 8
1.2 Glossary ... 8
1.3 Abbreviations ... 9
2 Background ... 10
3 Cluster 1: Identity Management ... 12
3.1 Introduction ... 12
3.2 Actors ... 12
3.3 Use Cases ... 12
3.3.1 Use Case 1.1: Factory Device Identity Management for 5G Access ... 12
3.3.2 Use Case 1.2: Using Enterprise Identity Management for Bootstrapping 5G Access ... 14
3.3.3 Use Case 1.3: Satellite Identity Management for 5G Access ... 17
3.3.4 Use Case 1.4: MNO Identity Management Service ... 20
3.4 5G Vision ... 21
4 Cluster 2: Enhanced Identity Protection and Authentication ... 22
4.1 Introduction ... 22
4.2 Actors ... 22
4.3 Use Cases ... 22
4.3.1 Use Case 2.1: Device Identity Privacy ... 22
4.3.2 Use Case 2.2: Subscriber Identity Privacy ... 23
4.3.3 Use Case 2.3: Enhanced Communication Privacy ... 24
4.4 5G Vision ... 25
5 Cluster 3: IoT Device Authentication and Key Management ... 26
5.1 Introduction ... 26
5.2 Actors ... 26
5.3 Use Cases ... 26
5.3.1 Use Case 3.1: Authentication of IoT Devices in 5G ... 26
5.3.2 Use Case 3.2: Network-Based Key Management for End-to-End Security ... 29
5.4 5G Vision ... 31
6 Cluster 4: Authorization of Device-to-Device Interactions ... 32
6.1 Introduction ... 32
6.2 Actors ... 32
6.3 Use Cases ... 32
6.3.1 Use Case 4.1: Authorization in Resource-Constrained Devices Supported by 5G Network ... 32
6.3.2 Use Case 4.2: Authorization for End-to-End IP Connections ... 33
6.3.3 Use Case 4.3: Vehicle-to-Everything (V2X) ... 34
6.4 5G Vision ... 35
7 Cluster 5: Software-Defined Networks, Virtualization and Monitoring ... 36
7.1 Introduction ... 36
7.2 Actors ... 37
7.3 Use Cases ... 37
7.3.1 Use Case 5.1: Virtualized Core Networks, and Network Slicing ... 37
7.3.2 Use Case 5.2: Adding a 5G Node to a Virtualized Core Network ... 38
7.3.3 Use Case 5.3: Reactive Traffic Routing in a Virtualized Core Network ... 41
7.3.4 Use Case 5.4: Verification of the Virtualized Node and the Virtualization Platform ... 42
7.3.5 Use Case 5.5: Control and Monitoring of Slice by Service Provider ... 43
7.3.6 Use Case 5.6: Integrated Satellite and Terrestrial Systems Monitor ... 45
7.4 5G Vision ... 48
8 Cluster 6: Radio Interface Protection ... 49
8.1 Introduction ... 49
8.2 Actors ... 49
8.3 Use Cases ... 49
8.3.1 Use Case 6.1: Attach Request During Overload ... 49
8.3.2 Use Case 6.2: Unprotected User Plane on Radio Interface ... 50
8.4 5G Vision ... 51
9 Cluster 7: Mobility Management Protection ... 52
9.1 Introduction ... 52
9.2 Actors ... 52
9.3 Use Cases ... 52
9.3.1 Use Case 7.1: Unprotected Mobility Management Exposes Network for Denial of Service ... 52
9.4 5G Vision ... 54
10 Cluster 8: Ultra-Reliable and Standalone Operations ... 55
10.1 Introduction ... 55
10.2 Actors ... 55
10.3 Use Cases ... 55
10.3.1 Use Case 8.1: Satellite-Capable eNB ... 55
10.3.2 Use Case 8.2: Standalone EPC ... 56
10.4 5G Vision ... 57
11 Cluster 9: Trusted Core Network and Interconnect ... 58
11.1 Introduction ... 58
11.2 Actors ... 58
11.3 Use Cases ... 58
11.3.1 Use Case 9.1: Alternative Roaming in 5G ... 58
11.3.2 Use Case 9.2: Privacy in Context-Aware Services ... 60
11.3.3 Use Case 9.3: Authentication of New Network Elements ... 61
11.4 5G Vision ... 63
12 Cluster 10: 5G Enhanced Security Services ... 64
12.1 Introduction ... 64
12.2 Actors ... 64
12.3 Use Cases ... 64
12.3.1 Use Case 10.1: Botnet Mitigation ... 64
12.3.2 Use Case 10.2: Privacy Violation Mitigation ... 66
12.3.3 Use Case 10.3: SIM-based and/or Device-based Anonymization ... 67
12.4 5G Vision ... 68
13 Cluster 11: Lawful Interception ... 69
13.1 Introduction ... 69
13.2 Actors ... 69
13.3 Use Cases ... 70
13.3.1 Use Case 11.1: Lawful Interception in a Dynamic 5G Network ... 70
13.3.2 Use Case 11.2: End-to-end Encryption in LI-aware network ... 72
13.4 5G Vision ... 74
14 Summary: Use Case Clusters ... 75
15 Conclusions ... 77
1 Introduction

This document describes use cases illustrating security and privacy aspects of 5G networks. These use cases provide a basis for understanding 5G security and will be used in several ways within the 5G-ENSURE project (see Section 1.1):

• The project will analyse potential threats and vulnerabilities, and identify security and privacy requirements based on these use cases.
• The use cases will be used to define a trust model between the various actors in a 5G system addressing the multiplicity of actors and also taking into account the machine-to-machine interactions characterising next generation networks.
• The use cases provide input to the security enablers in scope of the project covering the areas AAA, Privacy, Trust, Security Monitoring, and Network Management & Virtualisation Isolation.
• The items above, as well as the use cases themselves, are the major building blocks used to define the 5G security architecture in the project. Cross-PPP coordination activities are in place to disseminate the results to other projects of the 5G-PPP.

The use cases illustrate specific 5G related security challenges. There are two categories of use cases and associated challenges:

1. For use cases illustrating security issues inherited from current generation networks, the challenge is to provide an improved level of security and privacy.¹
2. For use cases illustrating new features introduced in 5G, e.g. support for Machine Type Communications (MTC) and Software Defined Networks (SDN), the challenge is to provide an appropriate level of security and privacy, as well as potential new security functionality illustrated by the use case.

In the first category of use case, the focus is on the vulnerabilities and potential counter-measures addressing the identified security issues. In the second kind of use case the focus is on the additional security functionality needed to support the new features.

This process of generating use cases may hypothetically result in new desired 5G security features for which it is hard or even infeasible to provide solutions which are both cost-efficient and adequate. However, the purpose of this deliverable is neither to do risk analysis, nor to specify detailed solutions, for which there are other activities within 5G-ENSURE (see Foreword). Hence, the resulting use cases should not be interpreted as functionality that unconditionally will be supported in 5G, but as an exploration of interesting relevant scenarios, and a starting point for further analysis.

This document is organised as follows: The remainder of Section 1 contains a glossary and a list of abbreviations of terms used. Section 2 provides a background on the use case clusters and how they are compiled. Sections 3 to 13 contain the actual use case clusters and the constituent use cases. Section 14 summarises the use case clusters and Section 15 provides the main conclusions derived from this use case compilation activity. References are provided at the end.

¹ This should not be understood as a statement that current networks are not secure, but rather that changes in the threat landscape warrant consideration of additional counter-measures.
1.1 5G-ENSURE

5G-ENSURE belongs to the group of EU-funded projects which collaboratively develop 5G under the umbrella of the 5G Infrastructure Public Private Partnership (5G-PPP) in the Horizon 2020 Programme. The overall goal of 5G-ENSURE is to deliver strategic impact across technology and business enablement, standardisation and vision for a secure, resilient and viable 5G network. The project covers research & innovation - from technical solutions (5G security architecture and testbed with 5G security enablers) to market validation and stakeholders engagement - spanning various application domains.

1.2 Glossary

This section contains terminology for threat analysis used when discussing the vulnerabilities of the use cases. The terms are based on the Internet Security Glossary [RFC4949].

• Adversary
  o An entity that attacks a system.
• Attack
  o An intentional act by which an entity attempts to evade security services and violate the security policy of a system. That is, an actual assault on system security that derives from an intelligent threat.
• Counter-measure
  o An action, device, procedure, or technique that meets or opposes (i.e., counters) a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.
• Deception
  o A circumstance or event that may result in an authorized entity receiving false data and believing it to be true.
• Disruption
  o A circumstance or event that interrupts or prevents the correct operation of system services and functions.
• Threat
  o A potential for violation of security, which exists when there is an entity, circumstance, capability, action, or event that could cause harm.
  o Threats do not have to be linked to an attacker: a vulnerability combined with human error for instance can also lead to consequences such as exposure, corruption or incapacitation.
• Unauthorized disclosure
  o A circumstance or event whereby an entity gains access to information for which the entity is not authorized.
• Vulnerability
  o A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.
1.3 Abbreviations

AAA Authentication, Authorization and Accounting
AKA Authentication and Key Agreement
B/OSS Business and Operational Support Systems
CC Content of Communication
CN Core Network
EAP Enhanced Authentication Protocol
eNB Evolved Node B
EPC Evolved Packet Core
ESIM Embedded Subscriber Identity Module
GAN Generic Access Network
GUTI Globally Unique Temporary Identity
HN Home Network
HSS Home Subscriber Server
ID Identifier
IMEI International Mobile Equipment Identity
IMSI International Mobile Subscriber Identity
IRI Intercept Related Information
LEA Law Enforcement Agency
LI Lawful Interception
MME Mobility Management Entity
mMTC Massive Machine-Type Communication
MNO Mobile Network Operator
NMS Network Management System
PLMN Public Land Mobile Network
SA Security Association
SatAN Satellite Access Network
SatNO Satellite Network Operator
SDN Software Defined Networks
SIM Subscriber Identity Module
TA Tracking Area
TAU Tracking Area Update
UE User Equipment
uMTC Ultra-reliable and low-latency Machine-Type Communication
xMBB Enhanced Mobile Broadband
V2I Vehicle-to-Infrastructure
V2P Vehicle-to-Pedestrian
V2V Vehicle-to-Vehicle
V2X Vehicle-to-Everything
VMNO Virtual Mobile Network Operator
VN Visited Network
2 Background

The use cases described in this document were selected to illustrate security or privacy aspects relevant for 5G systems.

These use cases are based on input from external sources (e.g. other 5G-PPP projects, 3GPP New Services and Markets Technology Enablers (SMARTER) [TR22.891], publications of vulnerabilities and potential attacks on cellular networks, etc.) combined with the expertise and experience provided by the partners. The externally sourced dedicated 5G use cases turned out to be of limited direct applicability since most of these do not have sufficient security focus, see further discussion in Section 15.

The use cases are grouped into clusters according to topic, see Table 1. The cluster topics have been defined based on commonalities in the use cases in terms of provided security functionality or common technology. Each cluster contains the description of the actors involved in the described use cases, the actual use cases, and the “5G vision” – illustrating the security functionality which a 5G system is envisioned to encompass. The focus on the actors is motivated by their critical role in the upcoming trust modelling work in the project.

Each use case is structured as follows. First the pre-conditions are listed, illustrating the setting before the actual use case takes place. This is followed by a description containing the sequence of steps illustrating the use case. The step-by-step description is intended to pave the road for the upcoming threat and risk analysis in the project. Subsequently, there is optionally a short analysis of the use case in question, followed by an outline of security properties of a solution. Finally, the use case is classified in terms of relevant candidate security enablers in the project (see Section 1), and applicable next generation radio technology use cases: Enhanced Mobile Broadband (xMBB), Massive Machine-Type Communication (mMTC), Ultra-reliable and low-latency Machine-Type Communication (uMTC) [METIS2015]. These classifications are included to position the use case both within the 5G-ENSURE project and in the context of other 5G-PPP projects, and also to simplify the location of the use cases of relevance to the reader.
Table 1: Table of use cases and clusters

| Cluster no. | Cluster name/topic | Use case no. | Use case name |
|---|---|---|---|
| 1 | Identity Management | 1.1 | Factory Device Identity Management for 5G Access |
| | | 1.2 | Using Enterprise Identity Management for Bootstrapping 5G Access |
| | | 1.3 | Satellite Identity Management for 5G Access |
| | | 1.4 | MNO Identity Management Service |
| 2 | Enhanced Identity Protection and Authentication | 2.1 | Device Identity Privacy |
| | | 2.2 | Subscriber Identity Privacy |
| | | 2.3 | Enhanced Communication Privacy |
| 3 | IoT Device Authentication and Key Management | 3.1 | Authentication of IoT Devices in 5G |
| | | 3.2 | Network-based Key Management for End-to-End Security |
| 4 | Authorization of Device-to-Device Interactions | 4.1 | Authorization in Resource-Constrained Devices Supported by 5G Network |
| | | 4.2 | Authorization for End-to-End IP Connections |
| | | 4.3 | Vehicle-to-Everything (V2X) |
| 5 | Software-Defined Networks, Virtualization and Monitoring | 5.1 | Virtualized Core Networks, and Network Slicing |
| | | 5.2 | Adding a 5G Node to a Virtualized Core Network |
| | | 5.3 | Reactive Traffic Routing in a Virtualized Core Network |
| | | 5.4 | Verification of the Virtualized Node and the Virtualization Platform |
| | | 5.5 | Control and Monitoring of Slice by a Service Provider |
| | | 5.6 | Integrated Satellite and Terrestrial Systems Security Monitor |
| 6 | Radio Interface Protection | 6.1 | Attach Request During Overload |
| | | 6.2 | Unprotected User Plane on Radio Interface |
| 7 | Mobility Management Protection | 7.1 | Unprotected Mobility Management Exposes Network for Denial-of-Service |
| 8 | Ultra-Reliable and Standalone Operations | 8.1 | Satellite-Capable eNB |
| | | 8.2 | Standalone EPC |
| 9 | Trusted Core Network and Interconnect | 9.1 | Alternative Roaming in 5G |
| | | 9.2 | Privacy in Context-Aware Services |
| | | 9.3 | Authentication of New Network Elements |
| 10 | 5G Enhanced Security Services | 10.1 | Botnet Mitigation |
| | | 10.2 | Privacy Violation Mitigation |
| | | 10.3 | SIM-based and/or Device-based Anonymization |
| 11 | Lawful Interception | 11.1 | Lawful Interception in a Dynamic 5G Network |
| | | 11.2 | End-to-End Encryption for Device-to-Device Communications |
3 Cluster 1: Identity Management

3.1 Introduction

Cluster 1 contains four use cases describing various aspects of identity management in 5G networks.

In use case 1.1 we learn how to secure 5G connectivity and mobility of factory devices with pre-existing AAA credentials managed by the factory owner. Use case 1.2 demonstrates another way to gain 5G access, by establishment of SIM credentials to bootstrap enterprise employee credentials. Use case 1.3 elaborates on identities and authentication for roaming into a satellite network. Use case 1.4 describes an MNO providing an identity management service to a service provider on behalf of a user.

3.2 Actors

The actors in this cluster are:

• Mobile Network Operator (MNO)
• Mobile device users (Alice, Bob)
• Malicious party (Mallory)
• Factory Robot (Rob)
• Factory Owner (FO)
• Service Provider (SP)
• Satellite Network Operator (SatNO)

3.3 Use Cases

3.3.1 Use Case 1.1: Factory Device Identity Management for 5G Access

3.3.1.1 Introduction

Industry automation today uses proprietary radio access technologies, or non-3GPP technologies such as WLAN. New 5G radio accesses are foreseen to be designed to offer competitive advantages in terms of cost, quality of service, mobility, etc., that make them attractive for industry automation. Thus, in this use case, we consider factory robots accessing a factory network over 5G connectivity but using credentials and AAA managed by a Factory Owner, assuming that the MNO can agree to such a configuration. This setting is also discussed in [TR22.891]. The factory owner installs 5G base stations in the factory but will rely on the MNO to perform services such as IP connectivity and mobility.

The agreement between FO and MNO covers aspects such as charging policies, security policies and configuration data (e.g. certificates), liabilities of the parties, etc. It should be noted that such an agreement would require a major change in the trust model compared to current roaming agreements, which today only exist between MNOs.

3.3.1.2 Preconditions

The preconditions are illustrated in Figure 1.

• The Factory has its own AAA server for robots.
• TheMNOhasadedicatedIndustrialAutomationControl(IAC)servertoconnecttothefactoryAAAserverforAAApurposes.TheIACmaycomprisepartsofMMEfunctionalityoraninterfacetotheoperator’sMME.Thefullfunctionalityanditsrealization,e.g.intermsofvirtualization,isoutofscopeoftheusecase.
• 5Gbasestationsownedanddeployedinfactory,butthefactoryhasnoother5Gnetworkcoreequipment.ThebasestationsusesomespectrumallocatedtotheMNO.
• FOandMNOhaveanagreementallowingfactorybasestationstoconnectsecurelytotheMNOcorenetworkoveraninterfacewedenote“S1”(seebelow)andallowingthefactory’sAAAservertoconnectsecurelytotheMNO’sIACoveraninterfacewedenote“S6”(seealsobelow)inordertoestablishnetworkaccesscredentials.
• “S1”denotesapresumed3GPPreferenceinterfacebetweentheRadioAccessNetworkandCoreNetwork(CN)handlinge.g.authenticationsignallingbetweentheIACandUEvia5Gbasestations.TheS1interfaceisassumedtobesecuredby,forinstance,IPsecSecurityAssociations(SA)establishedusingcredentialswhicharepartoftheagreementbetweentheFOandMNO.
• “S6”denotesapresumed3GPPreferenceinterfacebetweentheservingnetwork(MNOIAC)andasubscriberdata-base(aAAA-typeserver).TheS6interfaceisassumedtobesecuredby,forinstance,IPsecSAsestablishedusingcredentialswhicharepartoftheagreementbetweenFOandMNO.
3.3.1.3 Description
When power is switched on, Rob, a factory robot, connects to the Factory Network using factory credentials as illustrated in Figure 1.
Basic flow of events:
1. Rob is powered up
2. Rob requests access to the factory 5G base station presenting a FO identifier
3. Rob is not yet authenticated and the base station contacts the IAC in the MNO CN over S1
4. The IAC recognizes, e.g. using namespace analysis of the FO identifier, that Rob belongs to the factory and this IAC connects to the factory AAA over S6
5. The FO AAA provides, based on Rob's FO identifier, a temporary credential to the IAC which enables the IAC to authenticate Rob for this session
6. Mutual authentication, based on Rob's temporary credential, is performed between Rob and the MNO network. As a result, cryptographic keys are made available for the purpose of protecting the connection between the robot and the factory base station, and between the robot and the IAC
7. Rob is provided IP connectivity and mobility
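The following is an added worked example, not code from the deliverable or the 5G-ENSURE project: a Python model of steps 2 to 6 above. It assumes an NAI-style FO identifier ("rob-17@factory.example" is a made-up name), realm-based namespace analysis in the IAC, and HMAC-SHA256 for deriving the temporary credential and the two session keys; the 3GPP and EAP message formats are not modelled. The point it makes concrete is that the FO AAA hands the IAC only a per-session temporary credential, so the robot's long-term factory key never leaves the factory, while the robot and the IAC still end up with matching K_RAN and K_CN keys.

```python
"""Added example (not part of the 5G-ENSURE deliverable): toy model of the
Use Case 1.1 attach flow, steps 2 to 6. Assumed: NAI-style FO identifier
"<device>@<factory-realm>", realm-based routing in the IAC, HMAC-SHA256 KDF."""
import hashlib
import hmac
import secrets


def kdf(key: bytes, *parts: bytes) -> bytes:
    """One-step HMAC-SHA256 KDF: HMAC(key, part_1 || ... || part_n)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class FactoryAAA:
    """Factory owner's AAA server, reached by the IAC over 'S6'."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self._long_term: dict[str, bytes] = {}

    def enrol(self, identifier: str) -> bytes:
        key = secrets.token_bytes(32)
        self._long_term[identifier] = key
        return key  # provisioned into the robot by the factory, never given to the MNO

    def temporary_credential(self, identifier: str, session_nonce: bytes) -> bytes:
        """Step 5: per-session credential derived from the long-term key."""
        return kdf(self._long_term[identifier], b"TEMP-CRED", session_nonce)


class Robot:
    """Rob: holds the factory-provisioned long-term key."""

    def __init__(self, identifier: str, long_term_key: bytes) -> None:
        self.identifier = identifier
        self._key = long_term_key
        self.k_ran = self.k_cn = b""

    def respond(self, nonce: bytes, net_challenge: bytes) -> tuple[bytes, bytes]:
        self._temp = kdf(self._key, b"TEMP-CRED", nonce)  # same derivation as the FO AAA
        self._ctx = (nonce, net_challenge, secrets.token_bytes(16))
        return kdf(self._temp, b"RES-UE", net_challenge), self._ctx[2]

    def verify_network(self, net_response: bytes) -> None:
        nonce, net_challenge, ue_challenge = self._ctx
        if not hmac.compare_digest(net_response, kdf(self._temp, b"RES-NET", ue_challenge)):
            raise PermissionError("network failed authentication")
        self.k_ran = kdf(self._temp, b"K-RAN", nonce, net_challenge, ue_challenge)
        self.k_cn = kdf(self._temp, b"K-CN", nonce, net_challenge, ue_challenge)


class IAC:
    """MNO Industrial Automation Control server."""

    def __init__(self) -> None:
        self._factories: dict[str, FactoryAAA] = {}  # realm -> 'S6' peer

    def register_factory(self, aaa: FactoryAAA) -> None:
        self._factories[aaa.realm] = aaa

    def lookup_aaa(self, identifier: str) -> FactoryAAA:
        """Step 4: namespace analysis, here simply the realm after '@'."""
        _, sep, realm = identifier.rpartition("@")
        if not sep or realm not in self._factories:
            raise PermissionError(f"no contracted factory for {identifier!r}")
        return self._factories[realm]

    def authenticate(self, robot: Robot) -> tuple[bytes, bytes]:
        """Steps 4 to 6; returns (K_RAN, K_CN) for the base station and the IAC."""
        aaa = self.lookup_aaa(robot.identifier)
        nonce = secrets.token_bytes(16)
        temp = aaa.temporary_credential(robot.identifier, nonce)  # over 'S6'
        net_challenge = secrets.token_bytes(16)
        ue_response, ue_challenge = robot.respond(nonce, net_challenge)  # over 'S1'
        if not hmac.compare_digest(ue_response, kdf(temp, b"RES-UE", net_challenge)):
            raise PermissionError("robot failed authentication")
        robot.verify_network(kdf(temp, b"RES-NET", ue_challenge))
        k_ran = kdf(temp, b"K-RAN", nonce, net_challenge, ue_challenge)
        k_cn = kdf(temp, b"K-CN", nonce, net_challenge, ue_challenge)
        return k_ran, k_cn


def attach(identifier: str = "rob-17@factory.example", realm: str = "factory.example"):
    """Run one attach; returns (accepted, robot, network_side_keys)."""
    aaa, iac = FactoryAAA(realm), IAC()
    iac.register_factory(aaa)
    robot = Robot(identifier, aaa.enrol(identifier))
    try:
        return True, robot, iac.authenticate(robot)
    except PermissionError:
        return False, robot, None


if __name__ == "__main__":
    ok, rob, keys = attach()
    print("attached:", ok, "keys agree:", keys == (rob.k_ran, rob.k_cn))
```

The IAC receives only the temporary credential and the two challenge values; an identifier whose realm has no agreement is rejected at the namespace check before any S6 traffic is generated.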
Figure 1: Factory 5G deployment
3.3.1.4 Properties of a solution
• Secure connections between factory and MNO, for example IPsec on S1 and S6, where the agreement between MNO and Factory should contain the credentials for establishing IPsec.
• EAP-based authentication to the factory AAA. Which EAP methods are allowed could be specified in the agreement between MNO and Factory, but weak methods such as password-based ones will most likely not be allowed in any such agreement.
• The 5G authentication procedure can be designed to be compatible with whatever factory credentials are used.
• The MNO never distributes the customer's credentials (whether MNO related or FO related) to any third party.
• A candidate solution is using an MNO implementation of GBA [TS33.220].
3.3.1.5 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: mMTC, uMTC
3.3.2 Use Case 1.2: Using Enterprise Identity Management for Bootstrapping 5G Access
3.3.2.1 Introduction
The enterprise wants to provide its employees' devices with 5G connectivity to use in the office or when being mobile. Since the enterprise in any case needs to manage the employees' credentials it is convenient to use these credentials to bootstrap 5G credentials used for connectivity. However, the enterprise does not want to manage an HSS. The enterprise and MNO sign an agreement that the employee devices can become provisioned with 5G credentials, assuming that the MNO can agree to such a configuration. The enterprise may extend coverage and capacity of the 5G network by installing additional (e.g. indoor) 5G base stations, but this is not necessary if the existing 5G access suffices.
It should be noted that this kind of agreement would require a change in the trust model compared to current subscription provisioning models.
3.3.2.2 Preconditions
• MNO has its own IAC to cover industry needs
• The enterprise has its own AAA for the employees.
• Bob, an enterprise employee, has a UE (e.g. mobile phone, laptop, etc.) which is provisioned with enterprise keys.
• The enterprise and MNO have made an agreement allowing subscription parameters associated with new employees to be stored in the MNO IAC. The MNO IAC generates these credentials by request from the enterprise AAA. The credentials could for example be (U)SIM-compatible parameters to be used with the Authentication and Key Agreement (AKA) protocol. The agreement covers aspects such as how to secure the credential provisioning, charging policies, liabilities of the parties, etc. To this end, the MNO and enterprise are assumed to have made a risk assessment that the enterprise AAA is sufficiently secure, and has an acceptable risk level, when entering into the agreement.
• After being authenticated and authorized by the AAA, Bob's UE is provisioned from the MNO IAC with credentials for establishing a 5G session. The credentials are protected in transport between the MNO IAC and Bob's UE based on the enterprise AAA.
3.3.2.3 Description
Bob, an enterprise employee, switches on his UE which attaches to the MNO base station and authenticates to the network. This authentication procedure may be different depending on how/what credential was provisioned. The flow is depicted in Figure 2.
Basic flow of events:
1. Bob requests 5G credentials from the Enterprise AAA. The request is authenticated using Bob's enterprise keys.
2. The Enterprise AAA requests from the MNO IAC provisioning of 5G session credentials
3. Bob's UE is securely provisioned with (U)SIM-type credentials from the MNO IAC based on the employee AAA credential
4. Bob's UE authenticates to the 5G network
5. Bob's UE is ready to use
Figure 2: Enterprise 5G deployment
Alternative flow of events:
In this flow, instead of (U)SIM-type credentials, some non-SIM credential of sufficient strength is assumed, under the condition that the secure storage and use of those credentials in Bob's device has been qualified by the MNO as sufficient, in terms of secure storage, assurance, etc., relative to an existing USIM card, and could be controlled by the MNO. In particular, the security level of this storage should prevent credential cloning. A protocol such as EAP may be used to carry the authentication signalling.
1. Bob's UE has been provisioned with non-SIM type credentials via the MNO IAC
2. Bob's UE authenticates to the 5G network using the credentials, e.g. by means of EAP
3. Bob's UE is ready to use
3.3.2.4 Properties of a solution
• eSIM provisioning initiated by the enterprise network
• EAP-based authentication to the enterprise AAA
• In the first flow, no new credentials need to be supported by the 5G authentication protocol
3.3.2.5 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: xMBB
3.3.3 Use Case 1.3: Satellite Identity Management for 5G Access
3.3.3.1 Introduction
This use case explores two identity-management situations involving satellite networks and a dual satellite and terrestrial 5G access: one in which the 5G device attaches to the satellite network; the other one in which the 5G device identifies in either the satellite network or the terrestrial network, and then due to coverage issues the 5G device performs a roaming to the other network.
3.3.3.2 Preconditions
• SatNO has its own AAA for its subscribers.
• SatNO and MNO have a roaming agreement allowing each other's users to roam in the other's network.
3.3.3.3 Description
Bob switches on his dual satellite and terrestrial 5G UE with a set of credentials that allows access to both networks, and is initially connected to the satellite network (see Figure 3). Due to coverage issues he may need to roam between the networks (see Figure 4).
Please note that the AAA Servers depicted in Figure 3 and Figure 4 are depicted separately for logical reasons, but their physical location might be the same; they can physically even be one single AAA Server.
Basic flow of events:
1. Bob's UE, located for instance in a moving truck in an isolated area, can only offer Bob connectivity through satellite when he turns on the UE.
2. Bob chooses to connect the UE through satellite, and the authentication and authorization process is performed between the UE and the satellite AAA Server and between the satellite AAA Server and the 5G AAA Server.
The fine-grained access policies at the 5G AAA Server process the authentication request from Bob's UE and establish that, for the credentials provided, access can be granted to the UE into the satellite network, with an authorization level A (which may consist for example of a certain peak data rate, a certain sustained data rate, certain services enabled, etc.).
Figure 3: Integration of AAA system mechanisms in 5G device with satellite coverage
Alternative flow of events:
The events can be seen as an extension of the basic flow in which the roaming aspect is incorporated.
1. Bob's UE, located for instance in a moving truck in an isolated area, can only offer Bob connectivity through satellite when he turns on the UE.
2. Bob chooses to connect the UE through satellite, and the authentication and authorization process is performed between the UE and the satellite AAA Server and between the satellite AAA Server and the 5G AAA Server.
3. Bob parks and takes his UE inside a building under terrestrial coverage compatible with the UE's terrestrial connectivity.
4. The UE detaches from the satellite network and automatically tries to attach to the terrestrial network using the relevant credentials.
5. The credentials are roamed from the 5G AAA Server to the Terrestrial AAA Server and the terrestrial network authorizes Bob's UE. At this point the 5G device has regained connectivity after a roaming process that has been virtually seamless to Bob.
As explained in the basic flow of events, the fine-grained access policies at the 5G AAA Server process the authentication request from Bob's UE and establish that, for the credentials provided, access can be granted to the UE into the satellite network, with an authorization level A (which may consist for example of a certain peak data rate, a certain sustained data rate, certain services enabled, etc.).
Now, during the roaming process, a roaming request from the Terrestrial AAA Server arrives at the 5G AAA Server, which processes the authentication credentials from Bob's UE (given by the Satellite AAA Server) and establishes that, for the credentials provided, access can be granted to the UE into the terrestrial network, with an authorization level B (which may consist for example of a certain peak data rate, a certain sustained data rate, certain services enabled, etc.).
Figure 4: Integration of AAA system mechanisms with 5G roaming from satellite to terrestrial networks
3.3.3.4 Properties of a solution
• (U)SIM-type credentials for satellite access may be one approach to allowing roaming from the terrestrial network into the satellite network, e.g. using EAP-AKA authentication [EAP-AKA].
3.3.3.5 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
3.3.4 Use Case 1.4: MNO Identity Management Service
3.3.4.1 Introduction
This use case describes an MNO providing an identity management service to a 3rd party service provider on behalf of a user.
3.3.4.2 Preconditions
• User Bob is a subscriber of an MNO
• The MNO associates to Bob a "Network ID" (e.g., a mobile phone number for Bob's UE)
• Bob uses a service, S, provided by a 3rd party service provider SP (e.g. a bank)
• Bob subscribes to a customised service, S, provided by a 3rd party service provider SP (e.g., a bank) based on some information that can be provided by the MNO. The service agreements (between the user Bob and MNO and SP, respectively) detail what information can be collected by the MNO, what information can be shared with the SP, the deactivation of this option, etc.
• The service provider assigns to Bob a local identity (i.e. an identity associated to this service such as a bank account number)
• The service local identity of Bob encompasses some attributes related to his "Network ID"
3.3.4.3 Description
For the sake of concreteness, we consider a banking service example, see Figure 5.
Bob would like to access some resources associated to his bank account, e.g., perform a transfer of money, change his secret code, etc. The bank requests from the operator information with respect to Bob such as Bob's access network type, Bob's equipment, used authentication scheme, location, and so forth. Depending on the provided information, the bank adjusts its security policy. The bank may for example ask Bob for further (second factor) authentication or modify the way to deliver the service.
As a consequence, the bank will manage to have the same security level when delivering a service, e.g. if the user is connected via a public hotspot then perhaps additional authentication and protected communication is needed. This is owing to dynamic security policies that are based on information provided by the MNO.
Basic flow of events:
1. Bob's UE is authenticated to the MNO
2. Bob's UE requests access to a service at a service provider (Step (a) in Figure 5)
3. Upon request, the operator collects information about Bob (and/or his UE) and shares it with the service provider according to the terms of the service S (Steps (b), (c) and (d) in Figure 5)
4. The service provider authorizes or personalizes a service to Bob based on the received information (Steps (e) and (f))
Figure 5: 5G Network Operator as Trust Provider
3.3.4.4 Properties of a solution
• Use of a suitable (secure) attribute sharing mechanism.
3.3.4.5 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: xMBB
3.4 5G Vision
5G provides a variety of identity management services which expand the capabilities of devices and networks beyond the legacy UE-to-RAN service. A device provisioned with appropriate credentials can get 5G access in a flexible way, driving down cost in large scale deployments. New subscribers or machines can be enrolled in 5G networks, using their pre-existing identity management schemes, while respecting their privacy. This attracts new categories of users to the 5G ecosystem.
5G identity management provides for better integration between cellular and satellite networks, including roaming. 5G AAA Servers include specific intelligence to confer an authorization level suited to the authentication credentials for a particular access network; in particular they assign the authorization level seamlessly to the end user during roaming between two access networks. Moreover, the 5G AAA Servers in satellite networks offer ultra-fast logins with optimized data exchange in order to lower the latency and maximize the spectral efficiency. Finally, 5G AAA Servers are capable of supporting hundreds of thousands of simultaneous logins, in compliance with the requirements imposed by 5G.
An MNO can offer identity management services such as trusted assertions and secure identifiers of subscribers, while respecting the agreed upon privacy policy.
[Figure 5 labels: 5G Network; 5G Network Operator; Bank server; Bob; (a) Request; (b) Bob?; (c) Data Collect; (d) Network context associated to Bob; (e) Update Security Policies; (f) Customized Reply]
4 Cluster 2: Enhanced Identity Protection and Authentication
4.1 Introduction
These use cases address the area of enhancements to identity protection and authentication in 5G compared to existing 3G and 4G networks. Specifically they focus on three use cases, the first of which tackles privacy for device identifiers which need to be appropriately protected and/or anonymised. The second use case addresses the area of subscriber identity privacy which also needs to be suitably protected and/or anonymised, particularly when traversing access networks. The final use case tackles the provision of perfect forward secrecy to combat the threat of passive attacks, particularly in the case of subscriber key compromise.
4.2 Actors
The actors in this cluster are:
• User (Alice)
• Alice's UE (UE)
• Malicious user (Mallory)
• Mobile Network Operator (MNO)
4.3 Use Cases
4.3.1 Use Case 2.1: Device Identity Privacy
4.3.1.1 Preconditions
• Alice's UE is switched on
4.3.1.2 Description
Alice's UE connects to the mobile network and wants the identity of her UE to be private.
Basic flow of events:
1. Alice's UE connects to the 5G network over the Air Interface or via Generic Access Network (GAN)
2. Alice's UE authenticates to the 5G network using (U)SIM credentials
3. Alice's UE responds to the MME's request for the International Mobile Equipment Identity (IMEI) of her UE, and requests validation
4. Alice's UE is ready to use
Alternative flow of events:
1. Alice's UE connects to the 5G network over the Air Interface or via Generic Access Network (GAN) with an Attach Type "Emergency"
2. Alice's UE includes the IMEI in plaintext in the Attach request during an emergency call situation, where it does not have a valid Globally Unique Temporary Identity (GUTI) or International Mobile Subscriber Identity (IMSI)
3. If the network is configured to support emergency services, Alice's UE gets an emergency bearer allocated
4.3.1.3 Vulnerabilities and consequences
• Users do not want to be tracked via their UE identifiers
• Certain user groups do not want their subscriber identity and their device's identity linked
4.3.1.4 Properties of a solution
The solution space includes exploration of protocol enhancements and investigation into state-of-the-art end-to-end anonymization techniques, offering protection against device identity disclosure and unauthorized device tracking. As with LTE, 5G should ensure that the IMEI is sent only in a confidentiality-protected message, as opposed to GSM and UMTS, where the network, and hence an attacker, may request delivery of the IMEI in the clear. In addition the enhancement aims to also address the emergency call case where the IMEI is sent over the network unprotected, since a security context cannot be created and used to provide for confidentiality.
4.3.1.5 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
4.3.2 Use Case 2.2: Subscriber Identity Privacy
4.3.2.1 Preconditions
• Alice's UE is switched on.
• Mallory sets up a fake Base Station (for active attacks) or monitoring (for passive listening to transmissions of a legitimate base station).
4.3.2.2 Description
Alice's UE connects to the mobile network and wants her subscriber identity and location to remain private.
Basic flow of events:
1. Alice's UE connects to the 5G network, identified by her GUTI/IMSI
2. Mallory observes the GUTI/IMSI, or elicits Alice's IMSI, and can track Alice's UE
3. Alice's UE authenticates to the 5G network using the SIM credentials
4. Alice's UE is ready to use
5. Mallory tracks Alice's current location by triggering the mobile network into initiating the generation of paging messages to Alice's UE (e.g. by using a social media application to initiate unobtrusive communications)
6. Mallory observes the paging messages sent and can potentially correlate the contained GUTI with Alice's social network identity
Alternative flow of events:
1. Alice's UE connects to the 5G network, identified by her GUTI/IMSI
2. Mallory observes the GUTI/IMSI, or elicits her IMSI, and can track her
3. Alice's UE authenticates to the 5G network using the SIM credentials
4. Alice's UE is ready to use
5. Mallory forces Alice's UE to connect to Mallory's rogue eNB by exploiting the feature "absolute priority based cell reselection"
6. Mallory initiates an "RRC Connection Reconfiguration" message
7. Alice's UE responds with a "Measurement report" and the GPS coordinates of her UE, if her UE supports the "locationInfo-r10" feature
8. Mallory is able to determine Alice's location by trilateration, or from the supplied GPS coordinates
4.3.2.3 Vulnerabilities and consequences
• The subscriber's identifier or temporary identifiers allow for tracking of a user
• Temporary identifiers (pseudonyms like GUTI or TMSI) are broadcast in cleartext so that Alice's UE can identify targeted communications. If such identifiers are not changed (re-pseudonymized) before Mallory is able to determine which belongs to Alice, Alice's location can be tracked
• Broadcasting a GUTI which is known or suspected to belong to Alice is an indication that Alice is close to the broadcasting base station. By analysing signal directions, Mallory may be able to determine the UE's location more accurately. However, location tracking based upon tracking identifiers alone does not always provide a precise location for Alice. Alice may be in a different location to her UE, or her UE's communication may be relayed, at the physical layer, to another location
• Users do not want their subscriber identity and their device's identity linked
• The current standards allow measurement reports to be sent without security, which enables Mallory to retrieve the reports to determine the location of Alice's UE [Shaik2015]
4.3.2.4 Properties of a solution
Potential solutions to provide for subscriber privacy include encryption of the IMSI and/or use of improved pseudo-identifiers. Anonymisation systems may be investigated to provide for unlinkability of subscriber and device identities.
4.3.2.5 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
4.3.3 Use Case 2.3: Enhanced Communication Privacy
4.3.3.1 Preconditions
• Alice's UE is switched on
• Mallory has a 5G access network monitor and is in possession of Alice's user-specific key, K
4.3.3.2 Description
Alice's UE connects to the mobile network and wants her communications to be private against passive monitoring, despite compromise of her user-specific key. The assumption that Mallory has obtained K is normally an extremely unlikely event. Nevertheless claims of such situations arising have occurred [SchahillBegley2015].
Basic flow of events:
1. Alice's UE connects to the 5G network
2. Alice's UE authenticates to the 5G network using the (U)SIM credentials
3. Mallory observes the authentication and derives the session keys (CK, IK), using Alice's key, K
4. Alice's UE is ready to use
4.3.3.3 Vulnerabilities and consequences
• Users' communications may be decrypted through passive monitoring of access network traffic
• Users may be impersonated
4.3.3.4 Properties of a solution
A potential solution would be to introduce mechanisms to provide for perfect forward secrecy of the communications. Thus only an active attacker could ascertain the session keys in the event of a user-specific key compromise.
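An added example, not from the deliverable, showing the basic flow and the forward-secrecy variant side by side in Python. HMAC-SHA256 stands in for the MILENAGE f3/f4 functions and for the key derivation (the actual 3GPP algorithms are not modelled), the Diffie-Hellman group is the 2048-bit MODP group 14 from RFC 3526, and the names basic_flow, pfs_flow and passive_mallory are this example's own. Mallory is given K and the full over-the-air transcript: in the basic flow that is enough to recompute the session key, whereas in the DH variant she can verify the IK-authenticated shares but, lacking either private exponent, cannot derive the session key, which matches the statement above that only an active attacker remains a threat.

```python
"""Added example (not part of the deliverable): passive attacker with K
against plain AKA-style key derivation vs. AKA plus authenticated DH.
Assumed: HMAC-SHA256 stands in for f3/f4 and the KDF; DH group is RFC 3526 group 14."""
import hashlib
import hmac
import secrets

# RFC 3526, 2048-bit MODP group 14 (generator 2).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def aka_keys(k: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Toy f3/f4: CK and IK are a function of K and the RAND sent in the clear."""
    return prf(k, b"CK", rand), prf(k, b"IK", rand)


def be(n: int) -> bytes:
    return n.to_bytes(256, "big")


def basic_flow(k: bytes) -> tuple[bytes, dict]:
    """Basic flow: the session key depends on K and RAND alone."""
    rand = secrets.token_bytes(16)
    ck, ik = aka_keys(k, rand)            # network side (HSS/MME) ...
    assert (ck, ik) == aka_keys(k, rand)  # ... and USIM side agree
    return prf(ck + ik, b"SESSION"), {"RAND": rand}


def pfs_flow(k: bytes) -> tuple[bytes, dict]:
    """AKA plus an ephemeral DH exchange whose shares are authenticated with IK."""
    rand = secrets.token_bytes(16)
    ck, ik = aka_keys(k, rand)
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1  # UE, network
    gx, gy = pow(G, x, P), pow(G, y, P)
    mac_ue, mac_net = prf(ik, b"UE", be(gx)), prf(ik, b"NET", be(gy))
    shared_ue, shared_net = pow(gy, x, P), pow(gx, y, P)
    assert shared_ue == shared_net
    session = prf(ck + ik, b"SESSION", be(shared_ue))
    return session, {"RAND": rand, "gx": gx, "gy": gy, "mac_ue": mac_ue, "mac_net": mac_net}


def passive_mallory(k: bytes, transcript: dict) -> dict:
    """Mallory knows K and everything sent over the air, but no private exponent.
    Returns what she can compute: CK, IK and a session-key guess from K alone."""
    ck, ik = aka_keys(k, transcript["RAND"])
    out = {"CK": ck, "IK": ik, "guess": prf(ck + ik, b"SESSION")}
    if "gx" in transcript:  # she can check the DH shares were genuine, but not use them
        out["macs_verified"] = hmac.compare_digest(
            transcript["mac_ue"], prf(ik, b"UE", be(transcript["gx"]))
        ) and hmac.compare_digest(transcript["mac_net"], prf(ik, b"NET", be(transcript["gy"])))
    return out


if __name__ == "__main__":
    K = secrets.token_bytes(16)
    s1, t1 = basic_flow(K)
    s2, t2 = pfs_flow(K)
    print("basic flow broken by K:", passive_mallory(K, t1)["guess"] == s1)
    print("PFS flow broken by K:", passive_mallory(K, t2)["guess"] == s2)
```

Authenticating the DH shares with IK is what keeps the variant at the same active-attack resistance as plain AKA: an attacker without K cannot substitute shares, and one with K must be on path to do so, which is the active attacker the text refers to.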
4.3.3.5 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
4.4 5G Vision
It is essential that users have control over the privacy of their subscriber and device identifiers in 5G and have even higher assurance that the privacy of their communications is upheld. The pervasive nature of 5G means there will be many more deployment options for devices. Thus users want to have wider scope and control over their subscriber and device identities, and to ensure that communications are secured against wider threats. 5G networks should guarantee user privacy by providing security properties including confidentiality of subscriber and device identities, untrackability of the user location, perfect forward secrecy for encrypted communications and unlinkability between the user subscription information and the device identity.
5 Cluster 3: IoT Device Authentication and Key Management
5.1 Introduction
This use case cluster focuses on IoT device authentication and key management and it includes two use cases: "Authentication of IoT devices in 5G" and "Network-based key management for end-to-end security".
The first use case focuses on authentication of constrained IoT devices [RFC7228] which might not have direct access to the 5G network or might benefit from group-based authentication, where massive groups of IoT devices are authenticated simultaneously. The group is defined by one or more attributes, such as the device location, type of device or type of application, etc. Thus, group-based authentication consists of a set of protocols that allows members of the group to be authenticated.
The second use case focuses on network-based key management where the network provides a service for key exchange to be used for secured end-to-end communication.
5.2 Actors
The actors in this cluster are:
• 5G Network Operator (MNO)
• Mobile device user (Bob)
• AAA Server in 5G network
• Key management service in 5G network
• IoT device 1 (Sensor 1)
• IoT device N (Sensor N)
• IoT gateway
• IoT backend service (operated by Alice)
5.3 Use Cases
5.3.1 Use Case 3.1: Authentication of IoT Devices in 5G
5.3.1.1 Preconditions
• Mobile device user and IoT gateway have 5G credentials
• A large number of IoT devices (Sensor 1, ..., Sensor N) require access to services/Internet
• IoT devices (Sensor 1 and Sensor N) may not be able to access services/Internet by themselves
5.3.1.2 Description
The group of IoT devices (Sensor 1, ..., Sensor N) are constrained devices with different network access and security technologies and may need access to services/Internet, which are reachable by means of a 5G network. The IoT devices can be grouped into two categories: IoT devices with an onboard radio interface, hence capable of radio signalling with the 5G network; and IoT devices without 5G radio access, but with other communication technologies, e.g. WiFi or Bluetooth, therefore requiring an IoT Gateway that provides the 5G connectivity. The presence of the IoT gateway may potentially obstruct the possibility to robustly identify individual devices at the application layer. While a group identity may of course be used (e.g. related to the IMSI), this use case seeks to enable more robust identification also of individual devices by leveraging the strong security of the SIM credentials.
Existing authentication protocols, e.g. LTE AKA, might not be suitable to efficiently support the expected number of authentication requests generated by the boom of connected IoT devices. This might result in unwanted latencies when numerous devices in the same group initiate simultaneous authentication requests. This is especially important for highly mobile devices due to the many requests for authentication vectors to the home network. A solution to this can be group-based authentication, in which overhead may be reduced as each device of a given group does not have to execute the complete authentication protocol [Chengzhe2013].
Additionally, a third scenario is that the network broadcasts a session request to a group of devices, on behalf of a user or service. One of the group members will authenticate with the 5G network, presenting its unique identity and its group identity [TS22.368].
Basic flow of events:
1. The IoT gateway authenticates to the AAA server, or the mobile device (Bob) authenticates to the AAA server, using USIM AKA. Thus, the 5G subscriber's identity, i.e. IMSI, is ensured and can be collected by the network.
2. The IoT Sensor (Sensor 1, ..., Sensor N) authenticates to the IoT gateway or to the mobile device using radio access specific technology. The IoT sensors and the connected IoT gateway or mobile device are owned by the same subscriber.
3. The IoT sensors have access to services/Internet and are able to send and receive data, either via Bob's device or via the IoT gateway. In their requests to services they might reuse the 5G subscriber's identity.
Alternative flow of events:
1. The IoT gateway authenticates to the AAA server, or the mobile device (Bob) authenticates to the AAA server, using USIM AKA. Thus, the 5G subscriber's identity, i.e. IMSI, is ensured and can be collected by the network.
2. The IoT Sensor (Sensor 1, ..., Sensor N) authenticates to the AAA server, with the assistance of the IoT gateway or the mobile device (Bob), to establish itself as a point of presence in the 5G network to enable service differentiation on a network level, e.g. different QoS classes. The IoT sensors will be uniquely identified in the network in addition to the IoT gateway or mobile device (Bob). All involved equipment is owned by the same subscriber.
3. The IoT sensors have access to services/Internet and are able to send and receive data directly, either via Bob's device or via the IoT gateway.
Alternative flow of events:
1. The IoT devices dynamically form groups according to their similarity (type of device, location, application). The IoT devices have the necessary credentials to authenticate with the AAA server.
2. Group-based authentication is performed for a group of IoT devices with the AAA server authenticating a group of devices simultaneously.
Figure 6: Authentication of IoT/M2M devices in 5G
5.3.1.3 Vulnerabilities and consequences
The security threats could be related to a man-in-the-middle taking part in the bootstrapping procedure. A specific security threat related to the alternative flow could be a malicious IoT device which is grouped with other IoT devices and is authenticated together with them. In addition, the constrained nature of IoT devices might make it easier to subvert the security of these devices (e.g., they don't have enough processing power to use stronger algorithms).
5.3.1.4 Properties of a solution
5G User Equipment (Bob's mobile device or IoT gateway) may act as a 5G bootstrapping device for a number of constrained devices, sensors, and actuators that are not able to access the 5G network themselves.
Group based authentication, where IoT devices can form a group based on physical location, type of sensor/actuator, type of application, or other similarity factor, and an IoT gateway or mobile device acting as a relay could perform simultaneous authentication for the group of devices. In a group based authentication scenario, the AAA overhead will be greatly reduced as each device does not have to execute the complete protocol.
[Figure 6 labels: 5G Network; AAA server; IoT Sensor 1; IoT Sensor N; Group of IoT sensors; IoT Gateway; Bob's device (relay); Authentication via IoT Gateway; Authentication via relay; Group authentication]
5.3.1.5 Use case categories
Ensure Enablers: AAA
Next Generation Radio Technology Use cases: mMTC, uMTC
5.3.2 Use Case 3.2: Network-Based Key Management for End-to-End Security
5.3.2.1 Preconditions
• IoT devices (endpoints) have 5G credentials
• IoT backend service (endpoint) operated by Alice has 5G credentials
• 5G network provides a network-enabled key management service
• The key management service can authenticate actors with 5G credentials using the AAA server in the 5G network
• Alice is able to provide policies for the key management service to control which endpoints can share keys
5.3.2.2 Description
An IoT device is connected to the 5G network and authenticated to use the network. The IoT device needs to communicate with the backend service (operated by Alice). The communication should be end-to-end secured (encrypted and authenticated) but the endpoints have no means to connect to each other securely (e.g., they do not share secret keys). The connected IoT device utilizes a network-enabled key management service provided by the 5G network to achieve secure end-to-end communication between the device and the IoT backend service located, e.g., in the cloud.
Basic flow of events:
1. The IoT service is connected to the key management service and authenticated
2. Alice (operating the IoT service) provides policies controlling which IoT devices may share a key with the IoT service
3. The IoT device is connected to the 5G network and authenticated
4. The IoT device negotiates security keys for data encryption using the key management service provided by the 5G network
5. The IoT device encrypts and authenticates data to be transmitted using keys provided by the network and starts sending the data to the IoT server
6. The IoT server decrypts and verifies received data using the key negotiated with the key management service
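An added example, not the deliverable's own design, of steps 1 to 6 in Python. It assumes that after 5G authentication the AAA server gives the key management service a key shared with each endpoint (modelled by a register() call), that Alice's policy is a set of device names per service, and that keys and data are protected with an HMAC-SHA256 keystream plus tag standing in for a real AEAD such as AES-GCM; sensor-1 and iot-backend.example are made-up names. It also covers the unicast and multicast (group) keys the use case allows for, and it shows that the service retains every key it issues, which is the trust assumption and lawful-interception hook the following subsections discuss.

```python
"""Added example (not part of the deliverable): toy network-based key
management service for Use Case 3.2. Assumed: per-endpoint keys come from
the AAA server after 5G authentication; PRF keystream + HMAC tag stands in
for a real AEAD."""
import hashlib
import hmac
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(prf(key, b"ENC", nonce, i.to_bytes(4, "big"))
                    for i in range(length // 32 + 1))[:length]


def protect(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: PRF keystream XOR, then HMAC over nonce and ciphertext."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + prf(key, b"MAC", nonce, ct)


def unprotect(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(key, b"MAC", nonce, ct)):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KeyManagementService:
    def __init__(self) -> None:
        self._endpoint_keys: dict[str, bytes] = {}  # handed over by AAA after 5G auth
        self._policy: dict[str, set[str]] = {}      # service -> devices Alice allows
        self.issued: dict[tuple, bytes] = {}        # retained by the operator (LI hook)

    def register(self, endpoint: str, key: bytes) -> None:
        self._endpoint_keys[endpoint] = key         # steps 1 and 3

    def set_policy(self, service: str, devices: set[str]) -> None:
        self._policy[service] = set(devices)        # step 2

    def _deliver(self, endpoint: str, key: bytes) -> bytes:
        return protect(self._endpoint_keys[endpoint], secrets.token_bytes(16), key)

    def pair_key(self, device: str, service: str) -> tuple[bytes, bytes]:
        """Step 4: unicast key, wrapped once for the device and once for the service."""
        if device not in self._policy.get(service, set()):
            raise PermissionError(f"{device} not authorised for {service}")
        key = self.issued.setdefault((device, service), secrets.token_bytes(32))
        return self._deliver(device, key), self._deliver(service, key)

    def group_key(self, service: str, devices: set[str]) -> dict[str, bytes]:
        """One multicast key, wrapped separately for each authorised member."""
        if not devices <= self._policy.get(service, set()):
            raise PermissionError("group contains unauthorised devices")
        key = self.issued.setdefault((frozenset(devices), service), secrets.token_bytes(32))
        return {m: self._deliver(m, key) for m in devices | {service}}


def demo(device: str = "sensor-1", service: str = "iot-backend.example") -> dict:
    kms = KeyManagementService()
    dev_key, svc_key = secrets.token_bytes(32), secrets.token_bytes(32)
    kms.register(device, dev_key)
    kms.register(service, svc_key)
    kms.set_policy(service, {device})
    for_dev, for_svc = kms.pair_key(device, service)
    k_dev, k_svc = unprotect(dev_key, for_dev), unprotect(svc_key, for_svc)
    msg = protect(k_dev, secrets.token_bytes(16), b"temp=21.5C")  # step 5
    tampered = msg[:-1] + bytes([msg[-1] ^ 1])
    try:
        unprotect(k_svc, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    grp = kms.group_key(service, {device})
    return {"keys_match": k_dev == k_svc,
            "plaintext": unprotect(k_svc, msg),  # step 6
            "tamper_detected": tamper_detected,
            "group_keys_match": unprotect(dev_key, grp[device]) == unprotect(svc_key, grp[service]),
            "operator_knows_key": kms.issued[(device, service)] == k_dev}


def unauthorised_rejected() -> bool:
    kms = KeyManagementService()
    kms.register("sensor-9", b"k" * 32)
    kms.register("svc", b"s" * 32)
    kms.set_policy("svc", {"sensor-1"})
    try:
        kms.pair_key("sensor-9", "svc")
        return False
    except PermissionError:
        return True
```

The `issued` table is the crux of the trade-off described next: it is what lets the operator satisfy interception requests, and it is also why an endpoint that does not trust the operator would swap in its own key management.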
Figure 7: Network-based key management for end-to-end security
5.3.2.3 Vulnerabilities and consequences
Missing end-to-end security leaves communication vulnerable to compromised or malicious network components. End-to-end security where keys are managed by the services/devices themselves prevents lawful interception and may waste resources, as operators may still secure core network communication with their own mechanisms.
The key management solution provided by 5G operators is suitable for cases where the endpoints trust the operator and the operator's capabilities (e.g. to provide truly random keys which do not leak to adversaries). In highly critical applications such trust assumptions may not always be justified. Availability of end-to-end connections may in these cases be achieved by replacing the key management that is provided by a 5G operator with a more trusted alternative.
5.3.2.4 Properties of a solution
Network-enabled key management available in 5G enables communication to be encrypted and authenticated from end to end. The connected device can utilize network-enabled key management provided by the 5G network to achieve secure end-to-end communication between the device and the service located e.g. in the cloud. By providing network-enabled key management, the 5G network can provide secure communication and at the same time enable lawful interception.
[Figure 7 labels: 5G Network; Key Management Service; IoT Sensor; IoT Service; Key management; Encrypted data]
The key management service may provide both device specific keys for unicast communication as well as group specific keys for multicast communication.
The solution may be linked to service/device discovery. An IoT device is not required to provide any configuration interfaces that would enable its owner to input configuration data such as the address of the remote IoT service. A device that has been bought directly from a shop may e.g. have only an interface to insert 5G credentials (like a USIM card). Alice may provide this configuration through the 5G mobile operator (key management service) who forwards the configuration information alongside the keys for the authenticated and authorized devices. Authentication (or an SLA) between the key management service (provided by an operator or third party) and the devices/services utilising the key management service is needed before the actual key exchange.
In terms of LI, the solution proposed should be transparent, which means that 5G Network operators should be able to support interception without the need for the Key Management Server (in case it is operated by a third party) to be involved. This point is related to country sovereignty.
5.3.2.5 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: mMTC, uMTC
5.4 5G Vision
5G should support group-based authentication, where IoT devices can form a group based on similarity (location, type of sensor/actuator, application, ...) to reduce AAA overhead, where each device does not have to execute the complete AAA protocol. 5G should also be able to serve IoT devices behind a relay/gateway securely even when the IoT devices do not have direct access to the 5G network.
5G networks should also provide a security enabler for key management which enables communication to be encrypted and authenticated from end to end. The connected device can utilize network-enabled key management provided by the 5G network to achieve secure end-to-end communication between the device and the service located, e.g., in the cloud. By providing network-enabled key management, the 5G network can provide secure communication and at the same time comply with the lawful interception requirements.
6 Cluster 4: Authorization of Device-to-Device Interactions
6.1 Introduction
This cluster contains three use cases about authorization of device-to-device interactions: the first use case considers authorization in resource-constrained devices [RFC7744] by means of tokens based on 5G credentials; the second use case considers the authorization by a 5G operator of direct IP connections; the last use case considers authorization in vehicle-to-everything communications.
6.2 Actors
The actors in this cluster are:
• User (Alice)
• Sensors' Owner
• Sensors' Owner's AAA Server
• Sensor 1
• Sensor 2
• 5G operator
• Vehicle 1 (Ann)
• Vehicle 2 (Bob)
• Pedestrian (Charlie)
• Vehicle Manufacturer
6.3 Use Cases
6.3.1 Use Case 4.1: Authorization in Resource-Constrained Devices Supported by 5G Network
6.3.1.1 Preconditions
• Every actor holds 5G credentials
• The AAA Server can authenticate users with 5G credentials
• The AAA Server maintains a database that stores access rights to the sensors.
6.3.1.2 Description
Sensor 1 and Sensor 2 are resource-constrained devices [RFC7228] that want to outsource authorization services to an AAA Server. Thus, the AAA Server should support an interface that allows the sensors' owner to issue security policies via the 5G network. Also, the AAA Server should support an interface to issue authorization tokens based on the 5G credentials (see Figure 8).
Basic flow of events:
1. The sensors' owner issues security policies to the AAA Server concerning access to its sensors.
2. Alice authenticates to the AAA Server and requests access to the sensors.
3. The AAA Server issues an authorization token based on Alice's 5G credentials, according to the security policies.
4. Alice accesses the sensor(s) using her token and 5G credentials.
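The four steps above, worked through in code. This is an added example written for this edition, not code from the 5G-ENSURE project or from [RFC7744]. It assumes that a 5G credential can be modelled as a per-user secret that the AAA server also holds, that the AAA server and each sensor share a symmetric key provisioned over the 5G network, and that a token is a simple HMAC-protected claims set; the names AAAServer, Sensor, set_policy, issue_token and authorize are illustrative. The demo exercises both threats a malicious user would try: rewriting a token fails the tag check at the sensor, and a user who is not the owner cannot change the security policy.

```python
"""Use Case 4.1: an AAA server mints HMAC-protected authorization tokens for a
constrained sensor. Added example, standard library only."""
import base64
import hashlib
import hmac
import json
import secrets

# ASSUMPTION: a 5G credential is modelled as a per-user key (derived from the
# USIM) that the AAA server also holds; the real 5G AKA exchange is out of scope.
def respond(key: bytes, challenge: bytes) -> bytes:
    """Client side of the challenge-response standing in for 5G authentication."""
    return hmac.new(key, b"AAA-auth" + challenge, hashlib.sha256).digest()

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class AAAServer:
    def __init__(self, user_keys, sensors):
        self.user_keys = user_keys      # user -> 5G-derived key
        self.sensors = sensors          # sensor -> (owner, key shared with the sensor)
        self.policies = {}              # sensor -> {user: set of scopes}

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def _authenticated(self, user, challenge, response) -> bool:
        key = self.user_keys.get(user)
        return key is not None and hmac.compare_digest(respond(key, challenge), response)

    def set_policy(self, owner, challenge, response, sensor, user, scopes) -> bool:
        """Step 1: only the authenticated owner of a sensor may change its policy."""
        if not self._authenticated(owner, challenge, response):
            return False
        if sensor not in self.sensors or self.sensors[sensor][0] != owner:
            return False
        self.policies.setdefault(sensor, {})[user] = set(scopes)
        return True

    def issue_token(self, user, challenge, response, sensor, scope, now, ttl=300):
        """Steps 2-3: authenticate the user, consult the policy, mint a bound token."""
        if not self._authenticated(user, challenge, response):
            return None
        if scope not in self.policies.get(sensor, {}).get(user, set()):
            return None
        claims = {"sub": user, "aud": sensor, "scope": scope, "iat": now, "exp": now + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(self.sensors[sensor][1], body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(tag)

class Sensor:
    """Constrained device: one HMAC and a few comparisons, no policy database."""
    def __init__(self, name, key):
        self.name, self.key = name, key

    def authorize(self, token, scope, now) -> bool:
        """Step 4: accept only an untampered, unexpired token for this sensor and scope."""
        try:
            body, tag = token.split(".")
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(tag)):
                return False
            claims = json.loads(_unb64(body))
            return (claims["aud"] == self.name and claims["scope"] == scope
                    and claims["exp"] > now)
        except (ValueError, KeyError, TypeError):
            return False

def demo():
    now = 1_700_000_000
    k_owner, k_alice, k_mallory, k_sensor = (secrets.token_bytes(32) for _ in range(4))
    aaa = AAAServer({"owner": k_owner, "alice": k_alice, "mallory": k_mallory},
                    {"sensor1": ("owner", k_sensor)})
    sensor1 = Sensor("sensor1", k_sensor)
    r = {}
    c = aaa.challenge()
    r["owner_sets_policy"] = aaa.set_policy("owner", c, respond(k_owner, c), "sensor1", "alice", ["read"])
    c = aaa.challenge()  # Mallory authenticates fine but does not own sensor1
    r["mallory_sets_policy"] = aaa.set_policy("mallory", c, respond(k_mallory, c), "sensor1", "mallory", ["read"])
    c = aaa.challenge()
    token = aaa.issue_token("alice", c, respond(k_alice, c), "sensor1", "read", now)
    r["alice_gets_token"] = token is not None
    r["alice_read"] = sensor1.authorize(token, "read", now + 10)
    r["alice_write"] = sensor1.authorize(token, "write", now + 10)   # scope not granted
    r["alice_expired"] = sensor1.authorize(token, "read", now + 400)  # past exp
    # Fake token: Mallory rewrites Alice's claims but cannot recompute the tag
    body, tag = token.split(".")
    claims = json.loads(_unb64(body))
    claims.update(sub="mallory", scope="write")
    forged = _b64(json.dumps(claims, sort_keys=True).encode()) + "." + tag
    r["forged_token"] = sensor1.authorize(forged, "write", now + 10)
    c = aaa.challenge()  # no policy entry for Mallory, so no token
    r["mallory_gets_token"] = aaa.issue_token("mallory", c, respond(k_mallory, c), "sensor1", "read", now) is not None
    return r
```

Calling demo() returns a dictionary of outcomes; the only entries that should be True are the owner setting the policy, Alice obtaining a token and Alice reading within the token's lifetime. The sensor never consults the policy database: that is what keeps it constrained-device friendly, and it is why the token must carry the audience, scope and expiry under the tag.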
6.3.1.3 Vulnerabilities and Consequences
The main threats are due to a malicious user who may want to access the sensors' data without authorization. Such a malicious user may either try to generate a fake token or try to modify the security policy to get access to the sensors. Moreover, the AAA server may introduce several vulnerabilities into the 5G network infrastructure, which have to be carefully investigated. In any case, an investigation of liabilities between the parties (AAA owner, sensor owner and 5G operator) will have to be performed.
Figure 8: Setting for Authorization in Resource-Constrained Devices (actors shown: User, AAA, Sensor Owner, Sensors; artefacts: Token, Security Policy)
6.3.1.4 Properties of a solution
The generation of the authorization token should be based both on the security policy, as defined by the sensor owner, and on the 5G credentials, which provide the overall trust. The AAA server's activities should not affect the security of the 5G network to which it is connected (for example, they should not contribute to other attacks such as cloning, eavesdropping of communication, network element compromise, etc.).
6.3.1.5 Use case categories
Ensure Enablers: AAA
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
6.3.2 Use Case 4.2: Authorization for End-to-End IP Connections
6.3.2.1 Preconditions
• Alice and Sensor 1 hold 5G credentials
• 5G operator can authenticate both Alice and Sensor 1
• Sensor 1 is able to perform access control
6.3.2.2 Description
Alice wants to access the data provided by Sensor 1, hence she wants to build end-to-end IP connections through the 5G network. The 5G operator should be able to authorize such connections.
Basic flow of events:
1. Alice and Sensor 1 are authenticated by the 5G network and configured to the same 5G slice
2. Alice bootstraps a direct IP connection with Sensor 1 via the 5G network
3. The 5G operator authorizes the direct IP connection
4. Sensor 1 sends its data through the established secure direct IP connection
6.3.2.3 Vulnerabilities and Consequences
One potential vulnerability appears if the solution would allow a direct IP connection without authorization. In other words, a malicious user might then establish such a connection even though the 5G operator should have blocked it.
6.3.2.4 Properties of a solution
To prohibit unauthorized access and illicit traffic over the direct IP connection, the 5G network may require that direct connections must first be authorized by the network, or use an IP whitelist combined with a services whitelist. The 5G operator might also perform a layer-7 inspection of the IP traffic sent to the sensors, to detect known exploit attempts.
6.3.2.5 Use case categories
Ensure Enablers: AAA, Network Management & Virtualisation Isolation
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
6.3.3 Use Case 4.3: Vehicle-to-Everything (V2X)
6.3.3.1 Preconditions
• Every actor holds 5G credentials
• 5G operator can authenticate vehicles
• Mutual authentication between vehicle and vehicle manufacturer
6.3.3.2 Description
Ann and Bob may want to exchange data (Vehicle-to-Vehicle (V2V) communication) via the 5G network to share knowledge in order to provide more intelligent services, such as traffic jam information. Ann may also want to exchange data with Charlie (Vehicle-to-Pedestrian (V2P) communication) via the 5G network to support cooperative collision warning. Finally, Ann may want to connect with her vehicle manufacturer's infrastructure (Vehicle-to-Infrastructure (V2I) communication) to download a software update, or to send analytics reports from the vehicle to the repair shop.
V2V, V2P, and V2I have different security needs, and the 5G operator should grant authorization to the 5G network accordingly.
Basic flow of events:
1. Ann establishes a connection with Bob
2. Bob sends to Ann information about his location and speed
3. Ann processes Bob's information to generate the traffic status
Alternative flow of events:
1. Ann establishes a connection with Charlie
2. Charlie sends his position to Ann, and Ann hers to Charlie
3. Ann and Charlie process the information according to a collaborative collision warning system.
Alternative flow of events:
1. Ann establishes an IP connection with a vehicle manufacturer
2. Ann sends her software version information to the vehicle manufacturer
3. The vehicle manufacturer sends a software update to Ann
6.3.3.3 Vulnerabilities and Consequences
Indications about traffic jams might use a group security association, where identifying and authenticating an individual sender may not be required. However, if a group security association is used for sending analytics from a vehicle to the repair shop, a malicious group member (e.g. Eve) could be able to send unauthorized analytics data to the repair shop on behalf of the victim (Ann).
6.3.3.4 Properties of a solution
• Enrolment in the national traffic management infrastructure, as soon as a border is passed.
• Symmetric keys for encryption
• Asymmetric keys for signature, providing non-repudiation
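The group-key weakness described in 6.3.3.3 and the signature property listed above, shown side by side. This is an added example, not code from the deliverable. It uses the standard library only, so the asymmetric signature is a Lamport one-time signature over SHA-256 standing in for the elliptic-curve scheme a real V2X deployment would use; the argument is the same, since only the holder of the private key can produce a signature that the repair shop's copy of the public key accepts. The V2V group key, the RepairShop registry of vehicle public keys (populated during the mutual authentication with the manufacturer assumed in 6.3.3.1) and the message formats are constructed.

```python
"""Use Case 4.3: a group security association is fine for traffic-jam broadcasts
but lets any member impersonate another towards the repair shop; a per-vehicle
signature does not. Added example, standard library only."""
import hashlib
import hmac
import secrets

# --- Group security association: one symmetric key shared by all vehicles ---
def group_tag(group_key: bytes, sender: str, payload: bytes) -> bytes:
    return hmac.new(group_key, sender.encode() + b"\x00" + payload, hashlib.sha256).digest()

def group_verify(group_key: bytes, sender: str, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(group_tag(group_key, sender, payload), tag)

# --- Per-vehicle signature: Lamport one-time signature over SHA-256 ---
# ASSUMPTION: stands in for the asymmetric scheme the deliverable calls for. The
# construction is standard, but each key pair must sign exactly one message.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(h >> (255 - i)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    """Reveal, for each hash bit, the preimage matching that bit."""
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(s).digest() == pk[i][bit]
               for i, (bit, s) in enumerate(zip(_bits(msg), sig)))

class RepairShop:
    """Manufacturer-side receiver; knows each vehicle's public key from enrolment."""
    def __init__(self, group_key: bytes, registry: dict):
        self.group_key, self.registry = group_key, registry

    def accept_with_group_key(self, sender: str, report: bytes, tag: bytes) -> bool:
        return group_verify(self.group_key, sender, report, tag)

    def accept_with_signature(self, sender: str, report: bytes, sig) -> bool:
        pk = self.registry.get(sender)
        # The claimed sender is bound into the signed message, so a signature made
        # for one name cannot be replayed under another.
        return pk is not None and lamport_verify(pk, sender.encode() + b"\x00" + report, sig)

def demo():
    group_key = secrets.token_bytes(32)            # constructed V2V group key
    ann_sk, ann_pk = lamport_keygen()
    eve_sk, eve_pk = lamport_keygen()
    shop = RepairShop(group_key, {"Ann": ann_pk, "Eve": eve_pk})
    r = {}
    # V2V traffic-jam indication: sender identity is irrelevant, the group tag suffices.
    jam = b"A7 southbound km 42: stationary traffic"
    r["bob_jam_to_ann"] = group_verify(group_key, "Bob", jam, group_tag(group_key, "Bob", jam))
    # V2I analytics over the group SA: Eve forges a report in Ann's name with the same key.
    fake = b"vehicle=Ann brake_wear=CRITICAL"
    r["eve_impersonates_ann_group"] = shop.accept_with_group_key("Ann", fake, group_tag(group_key, "Ann", fake))
    # V2I analytics with per-vehicle signatures.
    report = b"vehicle=Ann brake_wear=12%"
    r["ann_signed_report"] = shop.accept_with_signature("Ann", report, lamport_sign(ann_sk, b"Ann\x00" + report))
    r["eve_impersonates_ann_signed"] = shop.accept_with_signature("Ann", fake, lamport_sign(eve_sk, b"Ann\x00" + fake))
    r["tampered_signed_report"] = shop.accept_with_signature("Ann", fake, lamport_sign(ann_sk, b"Ann\x00" + report))
    return r
```

In the group-key case the repair shop accepts Eve's forgery because every group member holds the key that produces the tag, exactly the failure 6.3.3.3 describes; with signatures, only Ann's report verifies, and Ann cannot later deny having sent it, which is the non-repudiation property the solution asks for.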
6.3.3.5 Use case categories
Ensure Enablers: AAA, Trust, Network Management & Virtualisation Isolation
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
6.4 5G Vision
5G should support authorization of device-to-device operations at different levels. At the application level, the 5G infrastructure provides the credentials to support the generation of security policies and authorization tokens. At the network level, the 5G operator should be able to authorize direct and secure end-to-end connections between devices. Moreover, the use of 5G licensed spectrum should be authorized in a secure way. 5G should cope with different levels of trust, for instance according to the V2X scenario, and also take the relevant legislation and regulation into account in the design of the 5G solution.
7 Cluster 5: Software-Defined Networks, Virtualization and Monitoring
7.1 Introduction
To lower the cost and allow more flexibility, e.g. rapid deployment of new network functionality, 5G will rely on virtualization. In addition, network virtualization in the form of network slices can be a means to isolate different types of traffic and to provide better security and network attack resistance.
By "network slice" we mean a portion of the underlying network used to provide network services with particular properties. For example, a slice could be used to provide:
• High QoS for real-time streaming/video
• Delay tolerant networking
• Special enterprise or M2M traffic
• Strong security properties (e.g. "isolating" traffic from potential eavesdropping, DoS etc.)
The use cases in this cluster are divided into three categories:
1. The user plane of an SDN network: This category comprises use cases that deal with the virtualization of the network, i.e., the 5G Core Network in the form of a Network Slice. The first use case belongs to this category.
2. The control plane of an SDN network: This category comprises use cases that deal with mechanisms for virtualizing the network, and how the virtualized network is operated. This includes the tools for creating, maintaining, and removing Network Slices, and Network Nodes in these Slices. It also includes the router infrastructure, SDN programming interfaces, clouds, and the VNFs (Virtualized Network Functions). The second and third use cases belong to this category.
3. Monitoring and control of the virtualized 5G network and of the virtualization infrastructure: This category comprises use cases that describe monitoring, verifying, and controlling the virtualized 5G Core Network and the virtualization infrastructure. The fourth, fifth and sixth use cases belong to this category.
Figure 9: User plane, control plane in SDN and monitoring and control of virtualized 5G network
[Figure 9 shows three layers connected through APIs: the user plane of SDN (5G Network Slice & micro-segments), i.e. a Virtual Core Network / Network Slice and a Sub-slice made up of 5G User Plane Processing instances, serving Bob; the control plane of SDN, i.e. the virtualization infrastructure (NFVs, routers, Cloud HW) and the management of the forwarding plane, reached via an API by Alice @ VIP; and verification and assurance of the virtualized network and the virtualization infrastructure, reached via an API by Carol @ VMNO. Monitoring and control of the sub-slice is done via an API by Dave @ SP.]
7.2 Actors
The actors in this cluster are:
• Virtual Mobile Network Operator (VMNO)
• Virtualized Infrastructure Provider (VIP)
• Infrastructure components, these are the network components (physical or virtualized)
• 5G Node Provider (5GNP), this is the software vendor of a 5G node that is running on top of the Virtualized Infrastructure
• Service Provider (SP) running a service on top of the VMNO's network
• Employee (Alice) using the API on the Infrastructure side, could be an employee of SatNO, VMNO or VIP
• Consumer (Bob) and his 5G devices (e.g. xMBB or mMTC devices)
• Employee (Carol) using the monitoring/assurance API, could be an employee of VMNO, VIP, 5GNP
• Employee (Dave) of the SP using an API to the VMNO.
7.3 Use Cases
7.3.1 Use Case 5.1: Virtualized Core Networks, and Network Slicing
This use case belongs to category 1: the user plane of an SDN network.
7.3.1.1 Preconditions
• The Virtualized Infrastructure Provider (VIP) and the Virtual Mobile Network Operator (VMNO) have a business agreement, and they have installed and configured a Virtual Core Network (VCN) consisting of two Network Slices. One slice is serving xMBB subscribers, and the other mMTC subscribers.
• The VCN is connected to an infrastructure of 5G base stations that in this use case are shared between multiple VMNOs. The RAN consists of components owned by different VMNOs.
• The Network Slices are configured in such a way that one slice does not accept commands from another slice.
• Micro-segmentation splits network slices into smaller parts with more restricted and controlled security policies dedicated to specific application services or users. By combining micro-segments, similar guaranteed security levels can be provided even over multiple network domains and multiple network operators.
• Bob has a 5G xMBB device, and a subscription of the VMNO for that device.
• Bob also has a sensor that is a 5G mMTC device, and includes a subscription of the VMNO.
• The VMNO is providing an Internet-accessible API for 5G mMTC device subscribers to control the behaviour of the mMTC devices.
7.3.1.2 Description
Bob turns on the power in his 5G xMBB device and 5G mMTC sensor, and the attach requests are routed via the 5G radio network to the corresponding network slices. The devices and the network negotiate security mechanisms and algorithms in a secure way, and after the security is turned on, the devices have access to the services in the different network slices.
This use case assumes that the devices are authenticated after they have access to the slice; however, there are other options, like authentication of the device at a special slice selection function.
Basic flow of events:
1. The 5G xMBB device and the 5G mMTC device are powered up.
2. The devices attach to the 5G base station.
3. The devices are authenticated after the attachment.
4. The base station contacts the MMEs in the VMNO network slices for xMBB and mMTC.
5. The VMNO decides to create a micro-segment for Bob's mMTC communications. This micro-segment is extended to include this 5G base station if not already included.
6. Before creating the micro-segments, the devices and the slices mutually authenticate. Authentication could also happen in an earlier phase, between the device and a special slice selection function.
7. The micro-segments are allocated for the devices that are authorized for them. The micro-segment has a security mechanism of its own.
8. Bob uses his 5G xMBB device to configure the behaviour of the sensor via the API.
7.3.1.3 Vulnerabilities and consequences
Having large segmented security zones can create significant attack surfaces and enable threats to move throughout large portions of the 5G software network unrestricted.
7.3.1.4 Properties of a solution
By dividing the network into smaller parts, i.e., network slices, sub-slices and micro-segments, it would be easier to monitor and respond to anomalous behaviour. In this way, the surface for attacks and threats can be reduced significantly. Network slicing (and further sub-slicing) could be used to create portions of the underlying network which can be further used to provide network services with particular properties. Micro-segmentation could provide a more fine-grained approach than traditional network slicing, and with micro-segmentation it may be possible to create secure segments where more granular access controls and stricter security policies can be enforced.
7.3.1.5 Use case categories
Ensure Enablers: Network Management & Virtualisation Isolation, Trust
Next Generation Radio Technology Use cases: uMTC, mMTC, xMBB
7.3.2 Use Case 5.2: Adding a 5G Node to a Virtualized Core Network
This use case belongs to category 2: the control plane of SDN.
The general SDN approach that could be used to implement this use case would typically use the following concepts. The control plane of SDN intermediates between the application plane and the data plane, whereas the user plane of SDN is composed of network applications that send instructions to the control plane (the SDN controller) via the northbound application interface. Those instructions are translated by the SDN controller into suitable actions sent via the southbound protocol interface to the data plane. For instance, to install an end-to-end path between two nodes, the SDN controller will take this instruction sent by a network application and generate a series of flows to be installed on the appropriate switches, e.g. via OpenFlow, to ensure that path.
7.3.2.1 Preconditions
• There are two Virtual Mobile Network Operators, VMNO1 and VMNO2.
• Each VMNO has its own virtual core network, VCN1 and VCN2.
• VCN1 and VCN2 share the same physical network.
• A multi-slice system, where the slices consist of virtual topologies simultaneously deployed over the same core network (physical infrastructure). This physical infrastructure is operated by a Virtualized Infrastructure Provider (VIP).
• Both core networks VCN1 and VCN2 are isolated by using an isolation mechanism.
• VMNO1 has requested the VIP to construct a new Network Slice. This request has been made in a secure way.
7.3.2.2 Description
Network Applications in each Virtualized Core Network modify the forwarding logic of the shared physical network.
The Network Applications (such as an MME) are not able to read or modify physical network resources belonging to the other Virtualized Core Network. Furthermore, modifications to the physical network, which might originate from a reconfiguration of one of the virtual core networks, should not conflict with the current configuration of the other virtual core network. In the flow below, the MME is assumed to be associated with a slice. Thus, this only supports the model in which UE devices are assigned to slices before they have been authenticated, even if, as mentioned, other options are possible.
Basic flow of events:
1. Alice, an employee of a VIP, starts configuring a new Network Slice on VCN1 by creating a new virtual MME. The MME software comes from a 5G Node Provider (5GNP).
2. Alice creates the virtual space for the MME, and installs the MME software on top of that.
3. Alice configures the forwarding logic related to the new MME.
7.3.2.3 Vulnerabilities and consequences
The MME software in VCN1 should not be able to see or modify the forwarding logic related to VCN2. There may be policy conflicts when different network applications in each virtualized core network try to modify the forwarding logic of the shared physical network elements, because they can inject contradictory policies, or a non-authenticated network application can even try to inject malicious policies into the SDN controller.
On the other hand, the high dynamicity in SDN- and NFV-based environments comes from the fact that the SDN controller ensures the connectivity among the virtual nodes comprising the slices by choosing a physical path at run-time. Apart from this, when SDN is combined with NFV the network becomes even more dynamic, since virtual nodes host VNFs which may be migrated, leading to a subsequent recalculation of the path allocated by the SDN controller. This dynamicity leads to a lack of control over the established dependencies between the slice topologies and the physical infrastructure, since they depend on the SDN controller, which may change those dependencies dynamically. As a consequence, fault isolation on multi-slice systems needs to be ensured. Fault isolation ensures the resilience of the VNFs and virtual links composing the slices, and consists of ensuring that those virtual resources are disjointly allocated (i.e. ensuring the slices do not share resources) in the network infrastructure, or at least ensuring there is enough redundancy to migrate them to avoid service outages. Otherwise, a failure of the shared physical resources could propagate to both slices.
7.3.2.4 Properties of a solution
Security policies:
The authenticity and integrity of the received data and commands in each slice must be ensured. To control the access between slices, security mechanisms must be able to check whether the received data/commands originated from within the slice or not (from a legitimate entity). In other words, it must be possible to check their trustworthiness, to prevent access from other slices.
The security system must ensure that the different SLA objectives for the different slices are met. The SLA objectives will differ depending on the use case (e.g. autonomous driving, health, massive IoT, etc.).
The policies sent by network applications should first be injected into a policy checker block [Paladi2015] to analyse the policies from network applications towards the VCNs, to avoid incoherencies between policies and/or security issues. This policy checker block verifies and enforces policies and controls the access of network applications to the SDN controller. The block has two components: a real-time policy checker that verifies the incoming policies and tags them with the issuing entity, and an offline policy checker that ensures isolation, network reachability and liveness. In this use case, the network applications should not be able to read or modify network resources of other VCNs, so the rules sent from network applications should be injected into a policy checker block able to understand their origin, identify whether or not they are allowed to access that VCN, and reject them if necessary. The SDN controller should only install those policies accepted by the policy checker block, once the block has checked that those policies come from authenticated and authorised network applications.
• In a 5G network, the isolation of slices (isolation assurance within 5G nodes) must be ensured. This assurance must be provided at two levels: at the security level (threats propagating through the slices) and at the resiliency level (faults in the physical infrastructure propagating through the slices).
• A compromised slice may compromise the security of other slices sharing the same physical 5G nodes.
• Unavailability of a physical network resource (physical 5G node) serving N slices, due to intentional or accidental causes, may propagate to the N slices (a.k.a. cascade effect).
• Integrity and authenticity of the data/commands uploaded/downloaded by a 5G controller/a 5G object must be ensured to avoid any security issues.
Resiliency policies:
A resilient system must prevent cascade effects between different slices, by checking in real time which part of the physical infrastructure is ensuring the integrity of a given slice topology and proposing migrations when detecting vulnerable, attacked, compromised or affected physical resources. For that, it is necessary to support the on-the-fly retrieval of the dynamic dependencies between the slices and the physical infrastructure, in order to calculate the propagation of faults and attacks in a given slice.
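A minimal policy checker of the kind described under "Security policies" above, as an added example; it is neither the [Paladi2015] implementation nor project code. It assumes a resource model in which each VCN owns a set of VLANs on each physical switch, and that a network application presents a token issued to it when it authenticated; FlowRule, PolicyChecker, check and isolation_report are illustrative names. The real-time part tags each rule with its issuing slice, rejects rules from unauthenticated applications, rules that reach outside the slice's resources and rules that contradict an already installed rule for the same match; the offline part re-checks isolation over everything the controller currently holds (the reachability and liveness checks the text also mentions are not modelled).

```python
"""Use Case 5.2: policy checker in front of the SDN controller. Added example;
the switch-plus-VLAN resource model and the token scheme are assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowRule:
    switch: str
    match: tuple          # canonical (field, value) pairs, see match() below
    action: str
    priority: int = 100

def match(**fields):
    """Canonical match: sorted (field, value) pairs so equal matches compare equal."""
    return tuple(sorted(fields.items()))

class PolicyChecker:
    def __init__(self, slice_resources, app_tokens):
        # slice_resources: vcn -> {switch: set(vlans)} owned by that slice (assumed model)
        # app_tokens: token -> (app, vcn), issued when the network application authenticated
        self.slice_resources = slice_resources
        self.app_tokens = app_tokens
        self.installed = {}   # (switch, match) -> (vcn, FlowRule): what the controller holds

    def check(self, token, rule):
        """Real-time check: returns (accepted, reason) and records accepted rules."""
        ident = self.app_tokens.get(token)
        if ident is None:
            return False, "rejected: unauthenticated network application"
        app, vcn = ident                       # the rule is now tagged with its issuer
        owned = self.slice_resources.get(vcn, {})
        if rule.switch not in owned:
            return False, f"rejected: {vcn}/{app} has no resources on {rule.switch}"
        vlan = dict(rule.match).get("vlan")
        if vlan not in owned[rule.switch]:
            return False, f"rejected: {vcn}/{app} rule is not confined to its VLANs on {rule.switch}"
        prior = self.installed.get((rule.switch, rule.match))
        if prior is not None:
            prior_vcn, prior_rule = prior
            if prior_vcn != vcn:               # defence in depth if resource sets ever overlap
                return False, f"rejected: would override a rule owned by {prior_vcn}"
            if prior_rule.action != rule.action and prior_rule.priority == rule.priority:
                return False, f"rejected: contradicts installed action {prior_rule.action} for the same match"
        self.installed[(rule.switch, rule.match)] = (vcn, rule)
        return True, f"installed for {vcn}/{app} on {rule.switch}"

    def isolation_report(self):
        """Offline check: no VLAN on any switch may carry installed rules of two slices."""
        owner_of = {}
        violations = []
        for (switch, rule_match), (vcn, _rule) in self.installed.items():
            key = (switch, dict(rule_match).get("vlan"))
            if key in owner_of and owner_of[key] != vcn:
                violations.append((switch, key[1], owner_of[key], vcn))
            owner_of.setdefault(key, vcn)
        return violations

def demo():
    checker = PolicyChecker(
        slice_resources={"VCN1": {"sw1": {100}, "sw2": {100}}, "VCN2": {"sw1": {200}}},
        app_tokens={"tok-mme1": ("MME1", "VCN1"), "tok-mme2": ("MME2", "VCN2")},
    )
    cases = [
        ("tok-mme1", FlowRule("sw1", match(vlan=100, dst="10.1.0.5"), "output:3")),
        ("tok-mme2", FlowRule("sw1", match(vlan=100, dst="10.1.0.5"), "drop")),   # VCN1's VLAN
        ("tok-mme2", FlowRule("sw2", match(vlan=200), "output:1")),                # switch not in slice
        ("tok-rogue", FlowRule("sw1", match(vlan=200), "output:1")),               # unauthenticated app
        ("tok-mme1", FlowRule("sw1", match(vlan=100, dst="10.1.0.5"), "drop")),   # contradicts case 1
        ("tok-mme2", FlowRule("sw1", match(vlan=200, dst="10.2.0.9"), "output:4")),
    ]
    decisions = [checker.check(token, rule) for token, rule in cases]
    return decisions, checker.isolation_report()
```

Of the six submissions in demo(), only the first and last are installed; the second is the case the text singles out, an MME of VCN2 trying to reach VCN1's forwarding state. Because the checker sits between the applications and the controller, the controller itself never sees a rejected rule.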
7.3.2.5 Use case categories
Ensure Enablers: Network Management & Virtualisation Isolation, Trust
Next Generation Radio Technology Use cases: mMTC, uMTC, xMBB
7.3.3 Use Case 5.3: Reactive Traffic Routing in a Virtualized Core Network
This use case belongs to category 2: the control plane of an SDN network.
7.3.3.1 Preconditions
• There is one Virtual Mobile Network Operator, VMNO1.
• VMNO1 has its own virtual core network, VCN1.
• Network traffic in VCN1 is routed (reactively) by a network application. The function of this network application is to receive packet-in messages and reconfigure the flow tables of the switches accordingly.
• This use case assumes that the virtual 5G core is aware of the virtualization. (It could also be possible that the dynamic behaviour is done transparently to the virtual 5G core.)
• A consumer of VMNO2, Bob, accesses with his mobile device a service in the internet. Bob is a roaming subscriber in VCN1.
7.3.3.2 Description
When Bob accesses the physical core network and no matching flow rules are installed, VCN1's network application is triggered. The reconfiguration of VCN1 is compiled down to a reconfiguration of the physical network. The reconfiguration handles Bob's network flow to access the remote internet service.
Basic flow of events:
1. Bob's device starts sending network packets to the core network.
2. Since the network packets do not match any flow rule, the core network generates a corresponding packet-in message for VCN1.
3. VCN1 triggers its network routing application for the received packet-in message.
4. The network application establishes a network flow in VCN1.
5. The reconfiguration of VCN1 is compiled down so that a corresponding network flow in the physical network is established.
6. Bob starts communicating over his mobile device with the internet service.
7.3.3.3 Vulnerabilities and consequences
The time taken to reconfigure the physical network can be measured by an attacker. In this way, an attacker can learn which network packets trigger a reconfiguration of network components, and when. This can be exploited to mount powerful denial-of-service attacks, where an attacker overloads the controller of VCN1 by sending packets that, with high probability, trigger a reconfiguration of the network. Furthermore, note that installing flow rules in state-of-the-art hardware switches is a costly operation. This means that even the performance of the physical network might be decreased.
7.3.3.4 Properties of a solution
A solution should not decrease network performance significantly. This means, for example, that delaying every network packet that does not trigger an interaction with the control plane at a switch before forwarding it is not a workable solution. Although an adversary would not gain any knowledge from measuring the timings of sending and receiving packets, the whole network traffic would be significantly slowed down. However, one can delay a few packets of a network flow to obfuscate the timing measurements of an adversary. The few delayed packets fake an interaction between the network's data plane and control plane. These delays can be applied directly at the switches or by a dedicated, new data-plane component. There is no need for any interaction with the control plane. The selection of the packets and the delay are specific to a network, and need to be configured.
7.3.3.5 Use case categories
Ensure Enablers: Network Management & Virtualisation Isolation, Trust
Next Generation Radio Technology Use cases: mMTC, uMTC, xMBB
7.3.4 Use Case 5.4: Verification of the Virtualized Node and the Virtualization Platform
This use case belongs to category 3: the monitoring of the virtualized 5G network and of the virtualization infrastructure.
7.3.4.1 Preconditions
• A new MME has been virtualized, and it is running on top of a Virtualization Platform.
• The MME is deployed as part of a VCN, and a Network Slice.
• There is a certification system for Virtualization Platforms that issues "level 1 certification" to third-party products.
7.3.4.2 Description
Carol is running various tests on the Virtualized Node and the Virtualization Platform. Carol needs to check that the new node meets the requirements of the Virtual Mobile Network Operator. This slice is used for eHealth services, and it needs to fulfil certain safety, security and privacy standards: in this example we assume that all parts of the VCN are physically within France.
Basic flow of events:
1. Carol starts by checking that the physical computer of the Virtualization Platform is located in France. The physical computer is the one where the Virtualized Node is to be installed.
2. Carol adds a monitoring policy that allows her to receive a notification if the location is changed, and an alarm message if the location moves outside of France.
3. Carol runs a test on the virtual machine of the Virtualization Platform, and verifies that it is able to fulfil the security and privacy requirements. Carol is able to verify that the Virtualization Platform has been certified by an external party, and that it has "level 1" certification.
4. Carol then checks the integrity of the MME software that is running on top of the virtual machine.
5. Carol verifies that the security towards the other nodes in the Virtual Core Network is configured correctly, and that only authenticated and protected data/commands are able to reach the MME.
6. Carol checks that the slice topology corresponds to a physical infrastructure whose physical nodes comply with the geographical constraints for this use case.
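Carol's checklist (steps 1 to 4 and 6) as code, added here as an example; it is not a VMNO tool or project code. The inventory the VIP exposes, the "level 1" certification record, the MME image and its reference digest are all constructed, and the names INVENTORY, verify_slice, image_integrity_ok and LocationMonitor are illustrative. A production check would take node attributes from an authenticated inventory API and obtain the MME digest from a measured boot or remote attestation rather than by hashing a byte string; the decision logic is the same.

```python
"""Use Case 5.4: Carol's checks on the virtualized MME and its platform, as code.
Added example; inventory, certification records, MME image and reference digest
are constructed for illustration."""
import hashlib

ALLOWED_COUNTRIES = {"FR"}     # the e-health slice must stay within France
REQUIRED_CERT_LEVEL = 1        # "level 1 certification" of the Virtualization Platform

# Constructed inventory: physical node -> attributes exposed by the VIP (assumed model)
INVENTORY = {
    "host-par-01": {"country": "FR", "site": "Paris-1", "cert_level": 1},
    "host-par-02": {"country": "FR", "site": "Paris-2", "cert_level": 1},
    "host-lyo-03": {"country": "FR", "site": "Lyon-1", "cert_level": 0},       # platform not certified
    "host-fra-04": {"country": "DE", "site": "Frankfurt-1", "cert_level": 1},  # outside France
}
# Constructed MME image and the digest the 5G Node Provider would publish for it
MME_IMAGE_OK = b"mme-5gnp-1.0\x00" + bytes(range(64))
MME_REFERENCE_DIGEST = hashlib.sha256(MME_IMAGE_OK).hexdigest()

def image_integrity_ok(image: bytes, reference_hex: str) -> bool:
    """Step 4: the running MME image must hash to the vendor's reference digest."""
    return hashlib.sha256(image).hexdigest() == reference_hex

def verify_slice(slice_nodes, inventory, image, reference_hex):
    """Steps 1, 3, 4 and 6: returns findings; an empty list means the slice passes."""
    findings = []
    for node in slice_nodes:
        attrs = inventory.get(node)
        if attrs is None:
            findings.append(f"{node}: not in inventory, location unknown")
            continue
        if attrs["country"] not in ALLOWED_COUNTRIES:
            findings.append(f"{node}: located in {attrs['country']}, outside the allowed area")
        if attrs["cert_level"] < REQUIRED_CERT_LEVEL:
            findings.append(f"{node}: platform certification level {attrs['cert_level']} "
                            f"below required level {REQUIRED_CERT_LEVEL}")
    if not image_integrity_ok(image, reference_hex):
        findings.append("MME image digest does not match the 5GNP reference")
    return findings

class LocationMonitor:
    """Step 2: notification on any location change, alarm when a node leaves France."""
    def __init__(self, inventory):
        self.last = {n: (a["country"], a["site"]) for n, a in inventory.items()}

    def observe(self, node, country, site):
        previous = self.last.get(node)
        self.last[node] = (country, site)
        if country not in ALLOWED_COUNTRIES:
            return "alarm"
        if previous is not None and previous != (country, site):
            return "notification"
        return None

def demo():
    r = {"good_slice": verify_slice(["host-par-01", "host-par-02"], INVENTORY,
                                    MME_IMAGE_OK, MME_REFERENCE_DIGEST)}
    # One uncertified platform, one node in Germany, one unknown node, one tampered image
    r["bad_slice"] = verify_slice(["host-par-01", "host-lyo-03", "host-fra-04", "host-xyz-99"],
                                  INVENTORY, MME_IMAGE_OK + b"\x01", MME_REFERENCE_DIGEST)
    monitor = LocationMonitor(INVENTORY)
    r["events"] = [monitor.observe("host-par-01", "FR", "Paris-1"),      # unchanged
                   monitor.observe("host-par-01", "FR", "Lyon-1"),       # moved within France
                   monitor.observe("host-par-01", "DE", "Frankfurt-1")]  # left France
    return r
```

verify_slice reports every failing condition rather than stopping at the first, which is what an assurance tool should do so that Carol sees the uncertified platform and the misplaced node in one run; the monitor keeps the last known location per node so that a later move inside France raises only a notification while leaving the country raises an alarm.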
7.3.4.3 Vulnerabilities and consequences
In this e-health service, the slice should depend only on 5G nodes located in France or operated by a given MNO; that is why Carol is checking that the underlying nodes of the provided slice comply with such a geographical constraint.
Privacy and security requirements should be respected, especially in highly sensitive services like e-health. For instance, if the e-health flow of a given country goes through any non-French 5G nodes, it may not respect the service's security or privacy policy.
A 5G operator must be able to ensure at all times that a given slice's (service's) resources are located in a given geographical area. A service provider must be able to check that the data flow of the service transits within a given area. This is possible if we are able to retrieve the identifiers of the underlying physical nodes belonging to every slice at run-time and verify their geographical location, in order to ensure that their location does not violate the geographical constraints imposed by the e-health case.
VNFs can be provided by third parties, so another threat is when VNFs become compromised. A network operator must be able to check, in real time, the integrity of the code running in a VNF and that the VNF is compliant with what was previously defined; that is why one of Carol's roles is to check the integrity of the MME software running on the VM.
Another threat arises when SDN is the underlying infrastructure of NFV-based services, where SDN ensures the connectivity among VNFs. In this scenario the SDN controller can become compromised, and SDN controllers are also vulnerable to DDoS (Distributed Denial of Service) attacks.
7.3.4.4 Properties of a solution
One basic approach is to verify and thoroughly test the deployed software that controls the network. There should be dedicated tools that support these verification and testing tasks. Another, complementary approach is to monitor the interactions between the network's planes. These interactions are checked against given security policies. Non-compliant, malicious, and suspicious interactions (or sequences of interactions) are reported. The checking can be done either online or offline. In the latter case, the interactions are logged and then collected and audited later.
7.3.4.5 Use case categories
Ensure Enablers: Network Management & Virtualisation Isolation, Security Monitoring, Trust
Next Generation Radio Technology Use cases: mMTC, uMTC, xMBB
7.3.5 Use case 5.5: Control and Monitoring of Slice by Service Provider
This use case belongs to category 3: monitoring and control of the virtualized 5G network.
7.3.5.1 Preconditions
• There is a Virtualised Infrastructure Provider (VIP).
• There is a Virtual Mobile Network Operator (VMNO).
• The VIP has deployed a Virtual Core Network (VCN) for the VMNO.
• There is a Service Provider (SP).
• The VMNO has deployed a sub-slice for the SP with certain SLA constraints.
7.3.5.2 Description
A Service Provider, for instance a massively multiplayer online game (MMOG) host, requires a secure network with some QoS guarantees to be used by their customers (game players). The Service Provider has a contract with the VMNO for the VMNO to supply a suitable sub-slice of the VCN for the Service Provider's customers to use. The Service Provider needs to be able to monitor the sub-slice to ensure that the VMNO is providing what is required by the contract, and also needs to be able to vary the parameters of the sub-slice within some predefined bounds as the service's popularity changes.
The term "sub-slice" is here being used to mean a portion of a network slice. This use case maintains most of its features if the Service Provider is a direct customer of an MNO and the MNO provisions a "slice" of the core network for the SP. By having the SP interact with a VMNO we demonstrate a further potential level of complexity.
Basic flow of events:
1. Dave, an employee of the SP, using the tools provided by the VMNO, monitors the QoS being provided to the game players in the sub-slice.
2. Dave, using the Service Provider's game monitoring system, predicts that the number of players this evening will increase beyond the capacity that the sub-slice was provisioned for, and that the performance of the game for the players will degrade to an unacceptable level.
3. Dave requests that the capacity of the sub-slice is increased to deal with the additional demand.
4. The VMNO determines (automatically or manually) that the VCN can support the increased capacity of the sub-slice without degrading the QoS of other customers, and so increases the sub-slice capacity.
5. The VMNO charges the SP for the extra capacity.
7.3.5.3 Vulnerabilities and consequences
The use case demonstrates that a customer of a VMNO can request, use, monitor and control a sub-slice of the network. This requires re-selling of capacity by a VMNO along with QoS terms contained in an SLA. The use case also demonstrates the dynamic nature of allocations by allowing the Service Provider to have some degree of control over their sub-slice. To ensure an acceptable level of service for their customers, the Service Provider would need to be able to assess the trustworthiness of the VMNO before entering into a contract with them. The dependence of the VMNO's systems on (at least) the VIP makes the chain of trust quite complex.
7.3.5.4 Properties of a solution
• Control of the sub-slice may be addressed with delegation
• Hierarchical asserted identities of actors
• An SLA where parts of the agreement relate to establishing new SLAs
• A tool to assess the trustworthiness of a system (including network components and actors) based on known threats and prior experience
7.3.5.5 Usecasecategories
EnsureEnablers NetworkManagement&VirtualisationIsolation,SecurityMonitoring,Trust
NextGenerationRadioTechnologyUsecases mMTC,uMTC,xMBB
7.3.6 UseCase5.6:IntegratedSatelliteandTerrestrialSystemsMonitor
7.3.6.1 IntroductionThisusecasebelongstocategory3andisrelatedtobroadbandtelecommunicationsystemsortelecommunicationgroundusersegments.TheinfrastructureforbuildingtheSatAN(SatelliteAccessNetwork)comprisethefollowingnetworkcomponents(seeFigure10):
• SatelliteHub:satelliteearthstationconnectedtothe5Gnetwork.• Satellite-capableeNB:traditionaleNBimprovedwithasatellitelink.• DifferentUEs:
o SatelliteTerminals(Kaband):satelliteterminalwithaKabandantenna.o SatelliteModems:end-usersatelliteterminalconnectedtoasatelliteantennausinga
communicationssatelliteasarelay.o 5Gdevices.
Thesenetworkcomponentsaredistributedinawide-areaandduetothesatellitesupportensurehighnetworkavailabilityandservicereliabilitywitha100%geographiccoverage.
Thesenetworkcomponentsperiodicallycollectinformationfromthemselves(hardwarestatus,alarms…)andcountersfromthespecificbusinesslogic(transferrate,numberofrequests…).Thisinformation,calledindicators,isusedtomonitorthenetwork.
These indicators can be classified in three categories:
• Health status:
  o Intrusion detection.
  o Alarms scanned by satellite network devices.
  o Excessive load.
• Configuration state:
  o Network status.
  o Credential status.
• Counters:
  o Volume counters.
  o Efficiency counters.
These network components are supervised and controlled using a network management system. This network management system is composed of:
• Security monitor: receives such indicators and is in charge of carrying out an active security analysis to detect attacks and malicious behaviour. Furthermore, the security monitor uses data analytics and intelligence-driven security to respond to the identified threats (e.g. notify the operator, balance the load, ...). Some of the threats identified are:
  o Attack on network components: RF interference, power or communications lines, ...
  o Attack on the network management system: intruding into the system by hijacking, blackmailing, placing or impersonating the operator, to obtain credentials and/or gain control of the system, ...
  o Denial of service: flooding the network with dummy indicators to make the network unusable, preventing any useful communications with the network management system.
• B/OSS (Business and Operational Support Systems) monitor: receives such indicators and is in charge of service provisioning, network configuration and billing.
7.3.6.2 Preconditions
• The network components periodically collect indicators.
7.3.6.3 Description
Once registered, network components deliver the collected indicators to the security monitor. Later, the security monitor uses active security analysis with these indicators in order to detect threats.
The SatNO connects to the security monitor to check the system status (e.g. fault management, performance monitoring) and, if needed, responds to the identified threats.
A Service Provider (i.e. a telecommunications company) has a contract with the SatNO to supply a suitable system capacity with some QoS guarantees to be used by its customers. The Service Provider implements pre-paid/post-paid services and connects to the B/OSS monitor to ensure that the SatNO is providing what is required by the contract, and performs some control tasks (management of system bandwidth and power to optimize global capacity, configuration of network components, ...).
Basic flow of events:
1. Upon activation, each network component identifies itself with the network and registers with the network management system
2. The security credentials of these network components need to be periodically updated
3. Once registered, network components periodically deliver the collected indicators to the network management system
4. The network management system receives a large amount of indicators from the network components
5. The security monitor uses active security analysis with these indicators
Alternative flow of events:
1. Alice, a SatNO, connects to the security monitor to check the system status and the security analysis provided by the security monitor
2. Security alarms (e.g. attacks, malicious behaviour detected, ...) may require a response from Alice (e.g. allow/deny access to one network component)
Alternative flow of events:
1. Carol, an employee of the SP, connects to the BSS/OSS monitor to check the QoS
2. Carol may request increased capacity to deal with additional demand
Figure 10: Satellite and 5G Monitor.
7.3.6.4 Vulnerabilities and Consequences
The use case demonstrates the dynamic nature of allocations by allowing the Service Provider to have some degree of control over their micro-slice. The security credentials of these micro-slice components may have been compromised, and it is then necessary to force an update of these credentials to maintain the security of the network.
The origin of most fraudulent accesses or security breaches can be summarized as either technical identity alteration (after an illegal or illegitimate privilege augmentation) or signalling messages received outside of the normal sequences.
7.3.6.5 Properties of a solution
The use case requires re-selling of capacity by a SatNO along with QoS terms contained in an SLA.
• Secure mechanism to store and update the security credentials for the network components
• Generic secure interface to provide indicators from a heterogeneous network and to update the security credentials
• Real-time data analytics and intelligence-driven security to detect threats based on security metrics
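The following is an added example, not code from the deliverable or the 5G-ENSURE project, sketching the security monitor side of these properties: component registration with credentials that expire and are rotated, an authenticated indicator interface, and rate-based detection of the indicator flood listed among the threats. HMAC-SHA256, the component names, the credential lifetime and the flood threshold are assumptions made for the example.

```python
# Added example for Use Case 5.6 (not code from the 5G-ENSURE deliverable): a
# minimal security monitor for the SatAN indicator feed. Components register and
# hold a credential that is rotated periodically, indicators are accepted only
# over an authenticated interface, and a flood of dummy indicators from one
# component is detected from its rate. Names, lifetimes and thresholds are assumed.
import hashlib
import hmac
import json
import secrets
from collections import defaultdict, deque

CREDENTIAL_LIFETIME = 3600.0  # seconds a component credential stays valid (assumed)
FLOOD_WINDOW = 10.0           # seconds over which the indicator rate is measured (assumed)
FLOOD_THRESHOLD = 50          # indicators per window above which a flood is alarmed (assumed)


class SecurityMonitor:
    def __init__(self):
        self.credentials = {}             # component id -> (secret, issued_at)
        self.recent = defaultdict(deque)  # component id -> arrival times inside the window
        self.alarms = []                  # (time, component id, alarm text)

    def register(self, component_id, now):
        """Step 1 of the basic flow: a fresh credential is issued at registration."""
        secret = secrets.token_bytes(32)
        self.credentials[component_id] = (secret, now)
        return secret

    def rotate(self, component_id, now):
        """Step 2: periodic credential update; the previous secret stops working."""
        return self.register(component_id, now)

    @staticmethod
    def tag(secret, payload):
        """Authentication tag the component attaches to each indicator."""
        return hmac.new(secret, payload, hashlib.sha256).hexdigest()

    def ingest(self, component_id, payload, tag, now):
        """Steps 3-5: accept an indicator only from a registered component with a
        valid, unexpired credential, then run the rate-based analysis on it."""
        entry = self.credentials.get(component_id)
        if entry is None:
            return self._alarm(now, component_id, "indicator from unregistered component")
        secret, issued_at = entry
        if now - issued_at > CREDENTIAL_LIFETIME:
            return self._alarm(now, component_id, "credential expired, update required")
        if not hmac.compare_digest(self.tag(secret, payload), tag):
            return self._alarm(now, component_id, "indicator failed authentication")
        self._check_flood(component_id, now)
        return True

    def _check_flood(self, component_id, now):
        """Denial of service threat from 7.3.6.1: too many indicators in the window."""
        window = self.recent[component_id]
        window.append(now)
        while window and now - window[0] > FLOOD_WINDOW:
            window.popleft()
        if len(window) > FLOOD_THRESHOLD:
            self._alarm(now, component_id, "indicator flood (possible denial of service)")

    def _alarm(self, now, component_id, text):
        self.alarms.append((now, component_id, text))
        return False


def encode(indicator):
    """Canonical JSON so the component and the monitor tag identical bytes."""
    return json.dumps(indicator, sort_keys=True).encode()


def demo():
    """Constructed scenario: a genuine hub, an unregistered sender, an eNB with a
    stale credential that then rotates it, and a flood from a hijacked hub.
    Returns (first genuine indicator accepted?, list of alarms raised)."""
    mon = SecurityMonitor()
    hub_key = mon.register("sat-hub-1", now=0.0)
    health = encode({"health": "ok", "load": 0.3})
    accepted = mon.ingest("sat-hub-1", health, mon.tag(hub_key, health), now=1.0)
    # Unregistered sender: rejected before any analysis is spent on it.
    mon.ingest("rogue-modem", encode({"health": "ok"}), "00" * 32, now=2.0)
    # Credential older than its lifetime: rejected until the eNB rotates it.
    old_key = mon.register("sat-enb-7", now=0.0)
    alarm = encode({"alarm": "rf-interference"})
    mon.ingest("sat-enb-7", alarm, mon.tag(old_key, alarm), now=CREDENTIAL_LIFETIME + 1)
    new_key = mon.rotate("sat-enb-7", now=CREDENTIAL_LIFETIME + 2)
    mon.ingest("sat-enb-7", alarm, mon.tag(new_key, alarm), now=CREDENTIAL_LIFETIME + 3)
    # Authenticated but dummy indicators arriving far above the normal rate.
    dummy = encode({"counter": 0})
    for i in range(FLOOD_THRESHOLD + 1):
        mon.ingest("sat-hub-1", dummy, mon.tag(hub_key, dummy), now=100.0 + i * 0.1)
    return accepted, mon.alarms


if __name__ == "__main__":
    for raised in demo()[1]:
        print(raised)
```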
7.3.6.6 Use case categories
Ensure Enablers: Security Monitoring, Network Management & Virtualisation Isolation
Next Generation Radio Technology Use cases: mMTC, uMTC
7.4 5G Vision
It is envisioned that the virtualization of the core network is an essential feature of 5G. A virtualized core is described here as a "network slice". Mobile operators are able to provide different core network slices for different types of subscribers. This includes different UE types, such as mMTC or xMBB, but also customer-specific slices such as eHealth or satellite communications. Network slices may provide different services, and share a common radio network. The virtualization may also include more fine-grained features, such as micro-segmentation within the slice. Isolation of network slices is essential.
Techniques that are available for implementation of the virtualization are many, e.g. Software-Defined Networking, Virtualized Network Functions and Cloud techniques. Virtualization is most likely to be transparent to many 5G nodes; however, there might also be some 5G node components that actively modify the structure and behaviour of the core network, adapting to e.g. subscriber/device context. Virtualization is most likely, and desirably, transparent to the User Equipment (UE) and the subscriber. The UE does not need to be aware of the internal structure or implementation of the core.
Virtualization brings new types of actors and roles into the picture. It is envisioned that it is possible to separate the roles of the 5G Node Provider, the Virtualization Infrastructure Provider, and the Virtual Mobile Network Operator. This also means that new types of secure monitoring and assurance interfaces are needed if all the new roles are taken by separate actors. Actors that are operating on top of a virtualized platform need to monitor, verify and control what is happening in the virtualized network as well as in the virtualization infrastructure.
8 Cluster 6: Radio Interface Protection
8.1 Introduction
This cluster describes two use cases addressing availability and integrity of the radio interface. Use case 6.1 considers overload and denial of service attacks on the radio interface and how devices with priority should be prioritized in order to be able to attach even during a high load situation. Use case 6.2 considers user plane data integrity protection.
8.2 Actors
The actors in this cluster are:
• Mobile Network Operator (MNO)
• Communication device (D)
• User (Bob)
8.3 Use Cases
8.3.1 Use Case 6.1: Attach Request During Overload
8.3.1.1 Preconditions
• The RAN is serving multiple recent attach requests
• Available radio resources are depleted
8.3.1.2 Description
A critical communication device D, e.g. serving critical infrastructure or used by user Bob in an emergency situation, is trying to attach to the MNO's network. The network is busy serving many other attach requests, so D does not get immediate access to the network. Even devices which are attached but lose radio synchronization are required to perform the random access procedure and may become locked out of the network in these situations.
Basic flow of events:
1. D makes an attachment request to the base station
2. The base station is busy serving other recent attachment requests or has no radio resources available
3. D gets no access or becomes delayed
Alternative flow of events:
1. D is attached to the network
2. D loses radio synchronization
3. D is re-attaching
4. Available radio resources are depleted and the network can't offer D access
5. D does not regain connectivity
8.3.1.3 Vulnerabilities and consequences
• Current networks perform preliminary radio resource allocation and signalling procedures which consume processing and other resources in the RAN and on the backhaul, before the authentication procedure
• Illegitimate requests cannot be rejected at an early stage, and there are no means to give priority to important requests
• An adversary can saturate the radio network (or the uplink resources), e.g. using software defined radios (SDR), or using multiple legitimate devices, e.g. as in a botnet setting
• When attached devices lose radio synchronization, they are required to perform the random access procedure and may be unable to reconnect, despite being allocated radio resources
Potential consequences include:
• Disrupted availability of the critical communications network. Deceptive illegitimate requests may cause disruption in network access
• Emergency and critical communication requests cannot get higher priority than non-urgent attachment requests
8.3.1.4 Properties of a solution
• A secure method for priority of access requests
• Save resources by rejecting illegitimate or non-prioritized requests at an early stage, i.e. enable integrity protection at a low layer in the radio network stack
• Give priority for re-attachment to devices losing radio synchronization
• Threats of cyber-attacks directly targeting 5G networks need to be dealt with in the 5G design
8.3.1.5 Use case categories
Ensure Enablers: AAA, Network Management & Virtualisation Isolation
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
8.3.2 Use Case 6.2: Unprotected User Plane on Radio Interface
8.3.2.1 Preconditions
• The UE is in Connected Mode
• Signalling is integrity protected
• User plane data is not integrity protected
• Encryption may not be allowed on the radio interface due to regulatory constraints
8.3.2.2 Description
Signalling between the UE and the network is integrity protected, but in some scenarios the amount of signalling needed before sending user data is minimized to save battery; sometimes the signalling before sending user data is completely removed. The data connection is left open to the network when the UE goes to sleep mode.
User plane data is not encrypted due to regulatory constraints. Since user plane data is not integrity protected either [TS33.401], this leaves the user plane data totally without protection.
Basic flow of events:
1. D attaches to the network and establishes integrity protection for signalling. Encryption is used neither for signalling nor for user plane data
2. The network receives unprotected user plane data from D
3. D goes to sleep. The data connection is left open.
4. D wakes up and sends data on the data connection
Alternative flow of events:
1. D attaches to the network and establishes integrity protection for signalling. Encryption is used neither for signalling nor for user plane data
2. The network receives unprotected user plane data from D
3. D goes to sleep. The data connection is left open
4. The adversary sends data on the open data connection
8.3.2.3 Vulnerabilities and consequences
• The network cannot verify the authenticity of the received user plane data
• An adversary may use the open user data connection
As a consequence, the user plane data is completely unprotected and the MNO cannot provide any service relying on the content.
8.3.2.4 Properties of a solution
• Introduce integrity protection of the user plane in addition to integrity protection of the control plane
• Replace specific integrity protection of the control plane with common integrity protection on user and control plane lower in the radio network stack
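As an added example (not part of the deliverable), the two flows above run against an unprotected receiver and against one that verifies a counter and MAC on each user plane PDU while encryption stays off; the MAC construction, counter size and constructed key are assumptions for the example, not the deliverable's design.

```python
# Added example for Use Case 6.2 (not code from the deliverable): the same two
# flows run against an unprotected receiver and against one that verifies a
# per-PDU counter and MAC, with encryption left off as the preconditions require.
# The MAC construction (HMAC-SHA256 truncated to 32 bits), the 4-byte counter and
# the constructed key are assumptions; a real stack would use the PDCP
# integrity algorithms for this.
import hashlib
import hmac

MAC_LEN = 4  # 32-bit MAC, the size LTE PDCP uses for control plane integrity (assumed here)


def compute_mac(key, count, payload):
    """MAC over counter || payload; the counter gives replay protection."""
    return hmac.new(key, count.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:MAC_LEN]


class UnprotectedReceiver:
    """The 'before' case: whatever arrives on the open connection is delivered."""
    def __init__(self):
        self.delivered = []

    def receive(self, pdu):
        self.delivered.append(pdu)
        return True


class IntegrityProtectedReceiver:
    """The 'after' case: PDU = 4-byte counter || payload || MAC_LEN-byte MAC."""
    def __init__(self, key):
        self.key = key
        self.next_count = 0
        self.delivered = []
        self.rejected = 0

    def receive(self, pdu):
        if len(pdu) < 4 + MAC_LEN:
            return self._reject()
        count = int.from_bytes(pdu[:4], "big")
        payload, mac = pdu[4:-MAC_LEN], pdu[-MAC_LEN:]
        # Forged MAC or reused counter: the data is not from D, or is a replay.
        if not hmac.compare_digest(mac, compute_mac(self.key, count, payload)):
            return self._reject()
        if count < self.next_count:
            return self._reject()
        self.next_count = count + 1
        self.delivered.append(payload)
        return True

    def _reject(self):
        self.rejected += 1
        return False


class Device:
    """Device D: keeps key and counter across sleep so it can resume the open connection."""
    def __init__(self, key):
        self.key = key
        self.count = 0

    def send(self, payload):
        pdu = self.count.to_bytes(4, "big") + payload + compute_mac(self.key, self.count, payload)
        self.count += 1
        return pdu


def run_flows():
    """Constructed run of both flows from 8.3.2.2: D sends, sleeps, an adversary
    injects on the open connection (and replays D's earlier PDU), D wakes and
    sends again. Returns (unprotected deliveries, protected deliveries, rejections)."""
    key = bytes(range(16))  # constructed; in practice derived at attach with the signalling keys
    device = Device(key)
    plain = UnprotectedReceiver()
    hardened = IntegrityProtectedReceiver(key)
    first = device.send(b"temperature=21")
    plain.receive(first)
    hardened.receive(first)
    # D goes to sleep; the data connection stays open and the adversary uses it.
    injected = (1).to_bytes(4, "big") + b"temperature=99" + bytes(MAC_LEN)
    plain.receive(injected)     # accepted: nothing distinguishes it from D's data
    hardened.receive(injected)  # rejected: the MAC does not verify
    plain.receive(first)        # accepted again: a replay is indistinguishable too
    hardened.receive(first)     # rejected: counter 0 has already been used
    # D wakes up and resumes on the same connection.
    second = device.send(b"temperature=22")
    plain.receive(second)
    hardened.receive(second)
    return plain.delivered, hardened.delivered, hardened.rejected
```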
8.3.2.5 Use case categories
Ensure Enablers: AAA, Network Management & Virtualisation Isolation
Next Generation Radio Technology Use cases: mMTC, uMTC
8.4 5G Vision
The 5G network should be robust against overload and denial of service attacks on the radio interface. Prioritized devices should be given priority and be able to attach even during high load situations. Also, already attached devices losing synchronization should regain access during high load situations. User plane data should be integrity protected, enabling trustworthy services to be built on top, and illegitimate and low priority requests should be rejected at an early stage.
9 Cluster 7: Mobility Management Protection
9.1 Introduction
This cluster describes different techniques to cause a persistent denial of service attack on the UE, illustrated by three different flows of events. The denial of service attacks are possible since none of the exploited messages require confidentiality or integrity protection in the current 3GPP standard, thus enabling the attacker to intercept, decode and alter the messages.
9.2 Actors
The actors in this cluster are:
• Mobile phone subscriber (Bob)
• Malicious attacker (Mallory)
• Mobile Network Operator (MNO)
• Sensor 1
9.3 Use Cases
9.3.1 Use Case 7.1: Unprotected Mobility Management Exposes Network for Denial of Service
9.3.1.1 Preconditions
• Bob has a valid subscription with the MNO
• Mallory's rogue equipment is physically located in the same area (TA or Cell) as Bob or Sensor 1
• Mallory has access to her own rogue eNB
9.3.1.2 Description
Bob powers on his phone; as part of the LTE specification [TS33.401] the phone will initiate an "Attach request" to the base station (eNB). Once connected to the MNO, the user equipment (UE) will send periodic tracking area update (TAU) request messages intended for the MNO's Mobility Management Entity (MME).
This use case is valid for all types of connected devices, i.e. Bob can be substituted with Sensor 1.
Basic flow of events:
1. Bob is at work, has his phone turned on and is connected to his MNO
2. Bob's phone sends a TAU request message to the MME of his connected MNO
3. Mallory intercepts the TAU request and responds with a TAU Reject with EMM cause number 7 "LTE Services not allowed" or cause number 8 "LTE and non-LTE services not allowed". See Figure 11 and Figure 12.
4. Bob's phone accepts the TAU Reject message and acts accordingly
  a. If EMM cause number 7, Bob's phone will consider itself invalid for LTE services. If supported, the phone will connect to available 3G or 2G networks
  b. If EMM cause number 8, Bob's phone will consider itself invalid for all services and enter the state EMM-DEREGISTERED.
Alternative flow of events:
1. Bob powers on his phone.
2. Bob's phone sends an "Attach request" to the MNO.
3. Mallory intercepts the "Attach request".
4. Mallory alters the message, replaces the "Voice domain preference and UE's usage setting" with "Additional update type – SMS only" and forwards the message to the MNO.
5. The MNO accepts the message and proceeds with the AKA protocol; furthermore, the MNO configures the profile of the UE in the MME with the capabilities sent by Mallory, thereby rejecting all voice capabilities.
Alternative flow of events:
1. Bob's phone continuously sends registration requests to the networks with the best coverage.
2. Mallory responds with the reject message "Forbidden PLMN".
3. Bob's phone accepts the unprotected reject message and reconfigures the USIM accordingly, hence denying all services to the indicated public land mobile network (PLMN) until the phone has been turned off/on or the USIM has been re-inserted.
Figure 11: (from [Shaik2015]) DoS attack - denying LTE network services
Figure 12: (from [Shaik2015]) DoS attack - denying all mobile network services
9.3.1.3 Vulnerabilities and consequences
• The TAU Request is sent without confidentiality protection, hence the attacker can decode it.
• The TAU Reject message is accepted by the UE without integrity protection and without an established security context between the UE and the network.
• The "Attach request" is sent unprotected, hence the list of the network capabilities can be altered by the attacker.
• The "Forbidden PLMN" reject is accepted by the UE without integrity protection and without an established security context between the UE and the network.
These vulnerabilities can be used to perform denial of service or downgrade attacks, which persist until the user reinserts the USIM, reboots the UE, or in one case, physically moves the UE to a new tracking area.
9.3.1.4 Properties of a solution
Security monitoring could be one solution to capture those attacks where the UE is forced to use weaker services. A UE that previously has been able to use full services typically does not downgrade its own capabilities.
If the TAU Reject messages were digitally signed, with the signatures verified by the UE, an adversary's messages would be rejected by the UE. This would require the introduction of MNO-specific public keys.
A mitigation that makes it more difficult to implement a persistent denial of service attack would be to introduce a mechanism based on a timer or counter value, to allow the UE to re-attach itself to the network after a certain time.
To mitigate the man-in-the-middle attack on the Attach request, the 5G network could require an identical integrity-protected reconfirmation of the network capabilities, as is already required for the security capabilities in LTE.
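An added example, not the deliverable's own code, of two of these mitigations on the UE side: a back-off timer after an unprotected TAU Reject, and an integrity-protected reconfirmation of the network capabilities that exposes Mallory's rewrite of the Attach Request. HMAC-SHA256 stands in for the NAS integrity algorithm; the timer value, state names and message layout are assumptions.

```python
# Added example for Use Case 7.1 (not code from the deliverable): two of the
# UE-side mitigations from 9.3.1.4. (1) An unprotected TAU Reject with EMM cause
# 7 or 8 is still honoured, but a back-off timer re-attaches the UE instead of
# leaving it deregistered until a reboot. (2) Once the security context exists,
# the network echoes the network capabilities from the Attach Request inside an
# integrity-protected message and the UE compares the echo with what it sent,
# as LTE already does for the security capabilities, so Mallory's rewrite to
# "SMS only" is detected. HMAC-SHA256 stands in for the NAS integrity algorithm;
# the timer value, state names and message layout are assumptions.
import hashlib
import hmac

EMM_CAUSE_LTE_NOT_ALLOWED = 7   # "LTE services not allowed"
EMM_CAUSE_ALL_NOT_ALLOWED = 8   # "LTE and non-LTE services not allowed"
REATTACH_BACKOFF = 720.0        # seconds before a re-attach is attempted (assumed)


def nas_mac(k_nas_int, count, message):
    """Integrity tag over the NAS COUNT and the message (stand-in for EIA)."""
    return hmac.new(k_nas_int, count.to_bytes(4, "big") + message, hashlib.sha256).digest()[:4]


class UE:
    def __init__(self, capabilities):
        self.capabilities = capabilities  # network capabilities sent in the Attach Request
        self.state = "EMM-REGISTERED"
        self.reattach_at = None
        self.detected = []

    def attach_request(self):
        """Sent unprotected: an on-path attacker can rewrite the capabilities."""
        self.state = "EMM-REGISTERED-INITIATED"
        return {"type": "Attach Request", "capabilities": self.capabilities}

    def on_tau_reject(self, cause, integrity_protected, now):
        """Legacy behaviour keeps the reject; the mitigation arms a timer when the
        reject arrived without integrity protection."""
        if cause == EMM_CAUSE_LTE_NOT_ALLOWED:
            self.state = "LTE-NOT-ALLOWED"     # the phone falls back to 2G/3G if supported
        elif cause == EMM_CAUSE_ALL_NOT_ALLOWED:
            self.state = "EMM-DEREGISTERED"
        else:
            return self.state
        if not integrity_protected:
            self.reattach_at = now + REATTACH_BACKOFF
        return self.state

    def tick(self, now):
        """Periodic timer check; returns a new Attach Request once the back-off expires."""
        if self.reattach_at is not None and now >= self.reattach_at:
            self.reattach_at = None
            return self.attach_request()
        return None

    def on_capability_reconfirmation(self, k_nas_int, count, echoed, mac):
        """Integrity-protected echo of the capabilities the MME stored for the UE."""
        if not hmac.compare_digest(nas_mac(k_nas_int, count, echoed), mac):
            self.detected.append("reconfirmation failed integrity check")
            return False
        if echoed != self.capabilities:
            self.detected.append("network capabilities altered in transit")
            return False
        self.state = "EMM-REGISTERED"
        return True


def scenario_reject_then_recover():
    """Constructed run of the basic flow with the timer mitigation in place."""
    ue = UE(b"voice+data")
    ue.on_tau_reject(EMM_CAUSE_ALL_NOT_ALLOWED, integrity_protected=False, now=0.0)
    before = ue.tick(REATTACH_BACKOFF - 1.0)   # timer not expired: still deregistered
    after = ue.tick(REATTACH_BACKOFF)          # timer expired: Attach Request sent again
    return ue.state, before, after


def scenario_altered_attach(mallory_in_the_middle):
    """Constructed run of the first alternative flow: with Mallory on the path the
    MME stores "sms-only" and its protected echo no longer matches the UE's copy."""
    k_nas_int = bytes(range(16))   # constructed; in practice derived from AKA
    ue = UE(b"voice+data")
    request = ue.attach_request()
    stored = b"sms-only" if mallory_in_the_middle else request["capabilities"]
    mac = nas_mac(k_nas_int, 1, stored)   # the MME protects the echo with the NAS integrity key
    ok = ue.on_capability_reconfirmation(k_nas_int, 1, stored, mac)
    return ok, ue.detected
```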
9.3.1.5 Use case categories
Ensure Enablers: AAA, Network Management & Virtualisation Isolation, Security Monitoring, Privacy
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
9.4 5G Vision
5G provides robust network services with considerable availability guarantees. The signalling messages exchanged between the user equipment and the 5G network should have the appropriate protection to combat known weaknesses in LTE. Such protection can be built from existing mechanisms, which in LTE provide a matching history of the user equipment's security capabilities. In 5G these mechanisms can be expanded to include a similar check of the network capabilities. Additionally, the introduction of an operator public key can bring the necessary protection of capability lists that are broadcast by the network.
10 Cluster 8: Ultra-Reliable and Standalone Operations
10.1 Introduction
This cluster includes two use cases for ultra-reliable and standalone operations. The first one is the satellite-capable eNB that provides connectivity to the core network if the normal backhaul is lost. The second case describes standalone core network services that are similar to isolated public-safety services but are in this case commercial.
The use cases talk about the Macro EPC, which is the 5G core network that is used in the normal mode of operation. The Macro EPC provides services to the subscribers that are in the home network, or which are roaming in some visited networks. In the first use case the Macro EPC is reached via the satellite when the normal route is not possible because of a natural disaster.
The standalone EPC is an entity which provides the functionality that eNBs in standalone mode of operation use, instead of the Macro EPC, in order to support local services. This is assumed to be a commercial service, and connection to the Macro EPC is still possible.
10.2 Actors
The actors in this cluster are:
• Ad-hoc roaming user (Alice)
• SatNO (Bob)
• Visited Network (VN)
• Home Network (HN)
10.3 Use Cases
10.3.1 Use Case 8.1: Satellite-Capable eNB
10.3.1.1 Introduction
This use case focuses on evolving the Transport Network Architecture (TNA) by combining both satellite and terrestrial transport architectures. The infrastructure comprises the following components:
• Satellite Hub: satellite earth station connected to the 5G network.
• Satellite-capable eNB: traditional eNB improved with a satellite link.
• Network manager: performs topology calculations and distributes the updated network configuration.
The main goal is the ability to offer resilience in cases of link failure. The satellite connectivity adds flexibility to backhauling networks. Also, this use case provides offloading capability via satellite to the backhaul network in case of congestion. This is a key enhancement in 5G, as this use case can only be served by satellites, or is one for which satellites provide a more efficient solution.
The topology management objective is that no nodes in the mesh network are left unconnected, while covering all the needed area. The topology algorithm shall be based on user priority and bandwidth.
10.3.1.2 Preconditions
• Macro EPC: the EPC which serves an eNB in normal mode of operation.
• There is a satellite-capable eNB that has the capability of connecting to the Macro EPC via satellite, and provides IP connectivity to the UEs when the eNB has lost the wired route to the Macro EPC.
• In the event that the satellite-capable eNB does not belong to the HN and that there is no static roaming agreement between the VN and the HN, the roaming agreement is dynamic, and valid only when special conditions like a natural disaster occur.
10.3.1.3 Description
Alice is on holiday in an area which is abruptly turned into a natural disaster area. Alice is able to communicate even when there is no static roaming agreement between the HN and the VN.
Basic flow of events:
1. The natural disaster occurs. The eNB loses the connection to the Macro EPC.
2. The network manager detects the failure event and performs topology calculations to guarantee ultra-reliable services
3. The new topology is forwarded to the network components
4. The satellite-capable eNB activates the alternative route to the Macro EPC via the satellite.
5. The satellite-capable eNB starts to broadcast that it supports the ad-hoc roaming mode. It offers SMS services to everyone in the area. The voice services are now reserved for public safety users only.
6. Alice's phone loses the connection to the network.
7. Alice's phone attaches to the satellite-capable eNB of the VN.
8. Alice's HN authorizes the ad-hoc roaming in the VN.
9. Alice receives an SMS from the embassy asking if she and her family are safe.
10. Alice informs the embassy that everyone in her family is safe.
10.3.1.4 Properties of a solution
• Dynamic roaming
• Non-satellite 5G device using a satellite-capable eNB
• Satellite-based 5G topology reconfiguration
10.3.1.5 Use case categories
Ensure Enablers: AAA, Trust, Network Management & Virtualisation Isolation
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
10.3.2 Use Case 8.2: Standalone EPC
10.3.2.1 Preconditions
• There is a standalone-capable eNB that has the capability of standalone mode of operation, which provides commercial local IP connectivity to the UEs via a Standalone EPC.
• There is a standalone EPC which provides the functionality that eNBs in standalone mode of operation use, instead of the Macro EPC. The Standalone EPS provides IP address assignment and local routing within the standalone EPC.
10.3.2.2 Description
Alice is at a mega event with 100,000 other people. She uses the services that are available in the standalone EPC.
Basic flow of events:
1. When the mega event starts, the standalone-capable eNB starts to broadcast support of the ad-hoc roaming mode to the local EPC. It offers local IP connectivity within the standalone EPC.
2. Alice's phone attaches to the standalone-capable eNB of the standalone EPC. Alice's phone does not lose the connection to the HN.
3. Alice's HN authorizes the ad-hoc roaming to the standalone EPC.
4. Alice uses the services in the standalone EPC.
5. Alice also uses the services in the HN.
10.3.2.3 Properties of a solution
• Dynamic roaming
• Commercial standalone EPC
10.3.2.4 Use case categories
Ensure Enablers: AAA, Trust, Network Management & Virtualisation Isolation
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
10.4 5G Vision
The 5G network is more reliable in terms of having dynamic, alternative routes from the radio network into the core network (such as a satellite connection) and more flexible in terms of dynamic roaming. eNBs having satellite capabilities are especially interesting because they can provide satellite capabilities to non-satellite 5G devices. New commercial possibilities on stand-alone radio networks and stand-alone core networks are also envisioned.
11 Cluster 9: Trusted Core Network and Interconnect
11.1 Introduction
These use cases deal with a trusted core network and interconnection between different entities. The 5G network should be such that it is able to ensure that the interacting entities are authentic and that spoofing of messages cannot take place. This should not be based on implicit security assumptions, but rather use explicit security solutions.
11.2 Actors
The actors in this cluster are:
• Mobile phone subscriber (Bob)
• Adversary (Eve)
• Home Network (HN)
• Visited Network (VN)
11.3 Use Cases
11.3.1 Use Case 9.1: Alternative Roaming in 5G
11.3.1.1 Introduction
When entities are roaming in a visited network, it still needs to be ensured that the related messages are authentic, instead of implicitly relying on the assumption that the traffic is originating from a certain network. Thus, messages need to be bound to the correct entities, so that spoofing cannot take place. The entities also should have a clear understanding of which entities they are communicating with. This is especially important when there are real-world consequences, such as charging.
11.3.1.2 Preconditions
• The HN and the VN have a roaming agreement
11.3.1.3 Description
Bob needs the assistance of the home AAA infrastructure in order to authenticate himself to the VN. The home AAA issues an authentication challenge. This process also identifies both the VN and the HN, so that the involved parties are identified. In the course of this process, Bob also authorises the VN to provide services to him.
At the same time, accounting mechanisms are set up. The HN can therefore have assurance that any billing-related information is tied to Bob. Thus, the VN cannot make false claims. Similarly, Bob's false claims can be denied based on assured accounting information. Bob's device is involved in the process, so that there is transparency of the incurred costs to Bob as well.
Basic flow of events (see Figure 13):
1. The VN is advertised to Bob
2. Bob identifies his HN and authorises the VN to offer services to his identity
3. The HN detects that the risk status of the VN is such that the interaction can proceed
4. The HN sends an authentication challenge to Bob and also identifies the VN to be used
5. Bob checks that he is using the correct network and responds to the challenge
6. The HN verifies the challenge response and informs the VN that Bob is authentic
7. The authentication result is transmitted to Bob
8. Bob negotiates the use of services for his identity
9. The VN binds its own identity to the service negotiation
10. Non-repudiable service records are created
Figure 13: Bob attaches to the VN while roaming abroad
11.3.1.4 Vulnerabilities and consequences
This use case depicts the following vulnerabilities and their consequences.
• Unauthorised disclosure of sensitive information
  o If core network elements, interconnect networks, or other operators are expected to be trusted entities with no additional verification, sensitive information will be disclosed to unauthorised entities [Nohl2014]
• Spoofing of signalling messages
  o If unauthentic signalling messages can be sent and accepted, the behaviour of the network can be changed in an unauthorised way, i.e., the integrity of the network is compromised
  o If traffic that has an impact on charging is neither authenticated nor clearly bound to the entity which is responsible for the traffic, fraud can be performed. This is likely to decrease the user's trust in the system.
11.3.1.5 Properties of a solution
If network entities have cryptographic identities, then messages can be bound to them strongly. This provides more flexibility when referring to other entities outside the two-way interaction.
Service usage can be negotiated in such a way that both parties have an understanding of the incurred costs. This involves using the said identities, guaranteeing that assured accounting records can be created.
11.3.1.6 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: xMBB
11.3.2 Use Case 9.2: Privacy in Context-Aware Services
11.3.2.1 Introduction
The context of the user is beneficial for providing better services. However, privacy issues arise as there might be unintentional disclosure of user-related information [Vallina-Rodriguez2015]. The other side of the coin is that if purely encrypted traffic is used, then it is harder to take advantage of flow semantics to optimise the user experience [Smith2015].
11.3.2.2 Preconditions
• The HN and the VN have a roaming agreement
11.3.2.3 Description
The VN and the HN may exchange information regarding Bob's context. This information can be used to customise the network in order to satisfy Bob's service requirements without revealing any unnecessary information.
Basic flow of events (see Figure 14):
1. On demand, the VN sends information about Bob's context to the HN
2. The HN shares some of the context information with content providers as allowed by (privacy) policies
Figure 14: Disclosure of user context information controlled by the Home Network
Alternative flow of events:
1. Bob authorises the visited network to disclose some of the context information as per his defined privacy policies
2. The VN shares some of the context information with content providers
11.3.2.4 Vulnerabilities and consequences
User traffic can be enriched in various ways, such as proxies including additional headers in the user traffic. However, this information can leak and be abused by parties for which the information was not intended. This violates user privacy.
It is worth noting that in the above alternative flow the control of disclosure lies within the visited network. Even though the user can state his privacy policies, he cannot verify how well these are honoured, as the user's contractual relationship is with his home network. On the other hand, nothing (save regulatory sanctions) prevents the visited network from disclosing this information anyway.
11.3.2.5 Properties of a solution
Context information is disclosed in a controlled fashion and it is made available in a standardised way, so that it is not necessary to devise non-interoperable or potentially vulnerable schemes. In addition, the context information can be used in the case of encrypted flows.
11.3.2.6 Use case categories
Ensure Enablers: Privacy, Trust
Next Generation Radio Technology Use cases: xMBB, uMTC
11.3.3 Use Case 9.3: Authentication of New Network Elements
11.3.3.1 Introduction
5G networks allow more dynamism through virtualisation, and new functions can be introduced to the network on the fly. As these environments are more virtualised, there is always a danger that someone manages to introduce a malicious function into the network. Similarly, unauthorized physical elements could be attached to the network, if their authenticity is only based on their location in the network.
11.3.3.2 Preconditions
• The HN and the VN have a roaming agreement
• The VN does not have up-to-date patch management
• There is an exploitable vulnerability in the VN infrastructure
• Poor physical security of the VN has resulted in the installation of an unauthorised device
11.3.3.3 Description
Unbeknown to Bob, Eve has managed to infiltrate the VN and installed a device into the local network (Figure 15). The device is not recognised as an authorised node, so it cannot inject network traffic; however, it detects an unpatched vulnerable server and installs a malicious network function to subvert user traffic. However, as all the signalling related to Bob is strongly bound to his (temporary) identity, Eve's attempts to inject messages masquerading as Bob, so that Bob would suffer the incurred costs, are detected as spoofing attempts. Based on this finding, the HN reports the possible misuse to the VN. Based on its policies, the VN will consider some measures to address the problem.
Basic flow of events:
1. Eve installs a malicious network device
2. Eve attempts to inject signalling messages, but they are rejected because of an unauthorised sender
3. The local network has an unpatched server and Eve is able to take advantage of the existing vulnerability
4. A malicious virtual function is installed on the server
5. The malicious function attempts to send a spoofed message claiming to come from Bob
6. The HN detects Bob's spoofed identity coming from the VN
7. The VN is informed of the misuse
Figure 15: Eve has infiltrated the VN and tries to subvert Bob's traffic
11.3.3.4 Alternative Description
Unbeknown to Bob, Eve has managed to infiltrate the VN and installed a device into the local network. The device is recognised as an authorised node, so it can inject data into Bob's user traffic. Eve's injection is detected as a spoofing attempt because of behavioural analysis on Bob's traffic profile in the HN. Based on this finding, the HN reports the possible misuse to the VN. Based on its policies, the VN will consider some measures to address the problem.
Alternative flow of events:
1. Eve installs a malicious network device
2. The network has a vulnerable AAA server and Eve is able to take advantage of the vulnerability
3. The device is recognised as an authorised node
4. The malicious device injects spoofed messages
5. The HN detects abnormal traffic behaviour for Bob coming from the VN
6. The VN is informed of the misuse
11.3.3.5 Vulnerabilities and consequences
The following vulnerabilities can be introduced when more dynamism is introduced.
• Unauthorised network elements are deployed into the core network
  o If an adversary is able to deploy devices or functions into the network, various man-in-the-middle attacks can become possible. The adversary has the potential to eavesdrop, modify, delete or inject new traffic. In the case of signalling traffic, the whole network could be compromised. Depending on the level of trust relationships, the propagation of the attack to other networks might be additionally facilitated.
• As more elements rely on software and virtualisation, proper patch management needs to exist
  o If elements are not kept up to date, lack of patching may lead to the existence of exploitable vulnerabilities in the software.
o Composition of networks or network elements is not authentic (or authorised)
  o If the new 5G architecture allows dynamic composition of networks or network elements, lack of authentication and authorization can lead to a compromised network, similarly to the previous case. The composition needs to define the constraints on the level of integration, i.e., what resources are available and what sort of security levels are expected. Liability aspects need to be taken into account as well.
11.3.3.6 Properties of a solution
When new elements are introduced into a dynamic network, it has to be ensured that they are authentic components. Monitoring and testing of the environment can help in detecting possible violations of system integrity. Monitoring of traffic patterns can also help in detecting subverted elements.
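The two detection paths of this use case, the identity binding that rejects Eve's spoofed signalling (basic flow) and the traffic-profile check that catches injection from an authorised node (alternative flow), as an added toy model of the HN side. This is illustration code written for this page, not 5G-ENSURE design: the class and function names, the HMAC-based binding tag, the sequence-number replay check and the burst threshold are all assumptions.

```python
import hmac
import hashlib
from collections import defaultdict, deque

# Added toy model of the HN-side checks described in Use Case 9.x. All names
# (HomeNetwork, attach, receive, ...), the key-derivation scheme and the
# traffic-profile rule are assumptions for illustration, not 5G-ENSURE design.


def derive_binding_key(master_key: bytes, tmp_id: str) -> bytes:
    """Per-temporary-identity key, derived by the HN at attach time."""
    return hmac.new(master_key, tmp_id.encode(), hashlib.sha256).digest()


def sign_signalling(key: bytes, tmp_id: str, seq: int, body: str) -> str:
    """Tag binding one signalling message to a temporary identity and a sequence number."""
    msg = f"{tmp_id}|{seq}|{body}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class HomeNetwork:
    def __init__(self, master_key: bytes, burst_limit: int = 5):
        self.master_key = master_key
        self.keys = {}                      # tmp_id -> binding key
        self.last_seq = {}                  # tmp_id -> highest accepted sequence number
        self.recent = defaultdict(deque)    # tmp_id -> timestamps of accepted messages
        self.burst_limit = burst_limit      # constructed traffic-profile threshold (per 60 s)
        self.reports = []                   # misuse reports destined for the VN

    def attach(self, tmp_id: str) -> bytes:
        """Allocate a temporary identity; the UE receives the binding key over the secured attach."""
        key = derive_binding_key(self.master_key, tmp_id)
        self.keys[tmp_id] = key
        self.last_seq[tmp_id] = 0
        return key

    def receive(self, vn_id: str, tmp_id: str, seq: int, body: str, tag: str, ts: float) -> bool:
        """Accept a signalling message relayed by the VN only if it is bound to tmp_id."""
        key = self.keys.get(tmp_id)
        if key is None:
            self._report(vn_id, tmp_id, "unknown identity")
            return False
        if not hmac.compare_digest(sign_signalling(key, tmp_id, seq, body), tag):
            self._report(vn_id, tmp_id, "spoofing: bad binding tag")      # basic flow, step 6
            return False
        if seq <= self.last_seq[tmp_id]:
            self._report(vn_id, tmp_id, "replay: stale sequence number")
            return False
        self.last_seq[tmp_id] = seq
        # alternative flow: behavioural check over the accepted traffic of this identity
        window = self.recent[tmp_id]
        window.append(ts)
        while window and ts - window[0] > 60:
            window.popleft()
        if len(window) > self.burst_limit:
            self._report(vn_id, tmp_id, "anomaly: signalling burst exceeds profile")
        return True

    def _report(self, vn_id: str, tmp_id: str, reason: str) -> None:
        self.reports.append({"vn": vn_id, "tmp_id": tmp_id, "reason": reason})


def demo():
    """Bob's own message is accepted; Eve's message claiming Bob's identity is reported."""
    hn = HomeNetwork(master_key=b"constructed-hn-master-key")
    bob_id = "TMP-BOB-7f3a"                                   # constructed temporary identity
    bob_key = hn.attach(bob_id)
    ok_bob = hn.receive("VN-1", bob_id, 1, "bearer-setup",
                        sign_signalling(bob_key, bob_id, 1, "bearer-setup"), 0.0)
    # Eve's malicious function has no binding key, so it can only guess a tag
    eve_tag = sign_signalling(b"guess", bob_id, 2, "charge-premium")
    ok_eve = hn.receive("VN-1", bob_id, 2, "charge-premium", eve_tag, 1.0)
    return ok_bob, ok_eve, hn.reports
```

The report list is what the HN would forward to the VN; the VN's reaction is left to its policies, as the text says.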
11.3.3.7 Use case categories
Ensure Enablers: AAA, Trust, Network Management & Virtualisation Isolation, Security Monitoring
Next Generation Radio Technology Use cases: xMBB, uMTC
11.4 5G Vision
5G networks are envisioned to dynamically adapt to the user needs. This dynamism sets more requirements on the authenticity of the entities as new entities emerge in the network and old ones are removed. Operators should not be forced to resort to implicit security assumptions about the security of the core network of the interacting partner, i.e., there should be more assurance that the traffic is indeed originating from a legitimate entity and is bound to a legitimate entity. This is especially important when any signalling has an effect on charging; thus it should be ensured that the users do not face unfounded service charges. This applies to the identity of the users as well, i.e., it should not be possible to spoof the identity of the user. On the other hand, the service charges ought to be attributable to the user so that the user is not able to deny the use of the service.
In order to enrich and optimise the user experience, context information ought to be available for use. However, one should also ensure that when doing so the user privacy is honoured. Thus, there ought to be a controlled and standardised way of providing context-aware services.
As the network could be constantly evolving due to virtualisation and dynamic interaction, one should ensure that the security of the network is monitored as well. While monitoring of the network is a commonplace activity even nowadays, it is mainly done by add-on devices that may not have a holistic view of the network. In some cases it might even be envisioned that dynamic composition of elements would warrant security testing of those components before they are allowed to interact. This could simply be straightforward vulnerability scanning, but more complex scenarios could involve, e.g., sandbox testing. Correlation of information from several sources should in any case be used to make more educated guesses regarding the possible existence of ongoing attacks.
12 Cluster 10: 5G Enhanced Security Services
12.1 Introduction
Cluster 10 contains three use cases describing various enhanced security services that can be offered in 5G networks.
In use case 10.1 we learn a possible way to counteract mobile botnets by offering a service to aid the users to identify anomalous activity from their mobile devices and to report this activity. Use case 10.2 proposes a service that can help protect the user's privacy at the application layer, by means of app and device privacy checks. Use case 10.3 offers an anonymization capability to all 5G subscribers having an anonymization SIM. In addition to this capability more services may be envisioned that are able to anonymize user/device identifying data and, therefore, can help to protect the user's privacy.
12.2 Actors
The actors in this cluster are:
• Mobile phone subscribers (Bob, Alice)
• Home Mobile Network Operator (HMNO)
• Malicious attacker (Mallory)
12.3 Use Cases
12.3.1 Use Case 10.1: Botnet Mitigation
12.3.1.1 Introduction
A botnet is a network of hijacked agents/clients which are remotely controlled, often associated with introducing malicious software. Botnet infrastructure is increasingly being used for performing criminal activity that involves the use of computers or networks such as the Internet. Although the network operators are not highly impacted as yet, the situation will most likely change in the future, because of the rapidly growing trend of data traffic in mobile networks and the increased capability of mobile devices. In this use case an attacker remotely instructs an end user mobile device to send a premium SMS to a number controlled by the attacker.
12.3.1.2 Preconditions
• Bob has a valid subscription with the MNO
• Mallory's infected application is uploaded to Bob's preferred applications store/market
12.3.1.3 Description
Bob is staying at home and browses his preferred applications store/market. He finds a free version of a popular and trendy game (or any other application) uploaded by an unknown publisher (i.e. Mallory) and decides to give it a try. Bob downloads it and installs it after accepting everything the game (application) requires to run. How Bob's device gets infected is irrelevant here; it could also be by attaching his phone to an infected PC/laptop, or by opening a link received in a phishing mail. The salient aspect is that the infection propagates through mobile traffic. Here we observe the case where Bob's device gets infected via the operator's network.
The free version of the popular and trendy game application is modified in a way that in addition to the main functionality it also adds SMS sending functionality, and transforms the phone into a bot remotely controlled by a Command and Control Centre (C&C) piloted by Mallory. After Bob's device has been infected, Mallory can remotely perform various malicious activities on the device, such as SMS sending in the background. For this particular attack, Mallory had registered a premium number with an operator, which could even be located in another country, and once (or twice) per month Mallory could configure the C&C to instruct all of his "puppets" (i.e. remotely controlled mobile devices) to send an SMS to that premium number. Bob and thousands of other users will very unlikely be able to detect the increased monthly bill, especially if the increase amounts to only a couple of euros.
Basic flow of events:
1. Mallory registers a premium number with an operator.
2. Mallory configures the Command and Control Centre (C&C) robot to instruct all puppets to send SMS to that premium number.
3. Bob is connected to the MNO and browses the application market on his mobile device.
4. Bob installs an infected application and unknowingly becomes one of the C&C's puppets.
5. Without Bob's knowledge, his mobile device is used for botnet activity such as SMS sending and Bob's monthly bill is increased.
Figure 16: Malware-infected UE sending premium SMS
12.3.1.4 Vulnerabilities and consequences
Vulnerabilities in mobile devices as well as the ingenuity of their users can lead to subverting the integrity of the device and installation of malware. As a result:
• The mobile device could be controlled remotely
• Mobile devices could be used for malicious activities
Unwanted communication could lead to monetary loss for the end users through their monthly bills, regardless of how insignificant the amount is for each individual.
12.3.1.5 Properties of a solution
One way to approach this problem from the MNO point of view is to employ the services of an anomaly-based network intrusion detection or prevention system within the core network, so that the system detects atypical individual behaviour. Another solution could be providing the end user with visually represented historical data of their activity within the MNO, which, in addition to the targeted number and the party who owns it, also contains a representation of which country and MNO that number is registered in. This would aid the users to identify anomalous activity from their mobile devices and to report this activity. Furthermore, the MNO could offer services to the end users to define their own atypical behaviour in the MNO, so that users could for instance restrict any outgoing SMS to specific foreign countries, or display a message prior to sending any outgoing SMS.
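The three MNO-side measures just listed (anomaly detection against the user's own history, a per-destination history view with the country the number is registered in, and user-defined restrictions on outgoing SMS), as an added example run over a constructed set of outgoing-SMS records. This is illustration code written for this page, not the deliverable's or any operator's implementation: the record layout, the premium-rate prefix table, the home country code and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Added example, not part of the deliverable: MNO-side checks sketched in
# 12.3.1.5 run over a constructed outgoing-SMS record set. The record layout,
# the premium-rate prefix table, the country codes and the thresholds are all
# assumptions made for illustration.


@dataclass(frozen=True)
class SmsRecord:
    month: str   # billing month, "YYYY-MM"
    user: str
    dest: str    # destination number in E.164 form


# Constructed table: premium-rate number prefix -> country where it is registered
PREMIUM_PREFIXES = {"+358700": "FI", "+44909": "UK"}
HOME_CC = "+358"   # constructed: the MNO's home country code

# Constructed records: Bob's bot sends two premium SMS to a UK number in 2016-01
SMS_LOG = [
    SmsRecord("2015-11", "bob", "+358401111111"),
    SmsRecord("2015-12", "bob", "+358401111111"),
    SmsRecord("2016-01", "bob", "+358401111111"),
    SmsRecord("2016-01", "bob", "+44909123456"),
    SmsRecord("2016-01", "bob", "+44909123456"),
    SmsRecord("2015-11", "alice", "+358402222222"),
    SmsRecord("2015-12", "alice", "+358402222222"),
    SmsRecord("2016-01", "alice", "+358402222222"),
]


def classify(dest: str):
    """Return (country label, 'premium-rate' | 'normal') for a destination number."""
    for prefix, country in PREMIUM_PREFIXES.items():
        if dest.startswith(prefix):
            return country, "premium-rate"
    return ("home" if dest.startswith(HOME_CC) else "foreign"), "normal"


def detect_anomalies(log, month: str, factor: float = 2.0):
    """Anomaly-based detection: flag users whose SMS volume in `month` jumps
    above `factor` times their own monthly average, and any SMS to a
    premium-rate destination in that month."""
    per_user = defaultdict(Counter)
    for r in log:
        per_user[r.user][r.month] += 1
    alerts = []
    for user, months in per_user.items():
        history = [c for m, c in months.items() if m < month]   # ISO months sort as strings
        current = months.get(month, 0)
        if history:
            baseline = sum(history) / len(history)
            if current > factor * baseline:
                alerts.append((user, f"{current} SMS in {month} vs baseline {baseline:.1f}/month"))
        premium = [r.dest for r in log
                   if r.user == user and r.month == month and classify(r.dest)[1] == "premium-rate"]
        if premium:
            country = classify(premium[0])[0]
            alerts.append((user, f"{len(premium)} SMS to premium-rate numbers registered in {country}"))
    return alerts


def user_history(log, user: str, month: str):
    """Data behind the user-facing view: per destination, its country, kind and count."""
    counts = Counter(r.dest for r in log if r.user == user and r.month == month)
    return [(dest, *classify(dest), n) for dest, n in sorted(counts.items())]


def policy_violations(log, user: str, month: str, blocked_countries):
    """User-defined rule such as 'no outgoing SMS to UK': records it would have blocked."""
    return [r for r in log
            if r.user == user and r.month == month and classify(r.dest)[0] in blocked_countries]
```

The baseline is per user, which is what makes a couple of extra euros visible: two premium SMS are a small absolute number but a threefold jump against Bob's own history.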
12.3.1.6 Use case categories
Ensure Enablers: Network Management & Virtualisation Isolation, Security Monitoring, Trust
Next Generation Radio Technology Use cases: mMTC, uMTC, xMBB
12.3.2 Use Case 10.2: Privacy Violation Mitigation
12.3.2.1 Introduction
Mobile devices and the installed applications disclose a large amount of private information, both personal and device-related. There are many misbehaving apps, PUAs (Potentially Unwanted Applications), adware and ransomware in the wild, and spyware is not so uncommon even in official app stores! Currently the mobile network has no means to protect the user's privacy at the application layer.
Some mobile subscribers have privacy concerns and would like to know if their device and the applications installed therein are involved in activities that violate their privacy.
12.3.2.2 Preconditions
• Alice has a valid subscription with the MNO
• Alice also subscribes to the privacy service provided by her mobile network operator (and possibly installs a privacy app).
12.3.2.3 Description
Alice has just installed a new game app on her mobile device (UE) from a link received inside an SMS from a WhatsApp contact. She is concerned that the app may violate her privacy in some way and so uses a service (and possibly a local app) to check.
Basic flow of events:
1. Alice activates the privacy service.
2. Alice launches her new game app.
3. The privacy service on the 5G network detects some anomalous event from the UE (e.g., botnet-related communications) and sends a notification to Alice to ask her to activate a privacy-related analysis.
4. Alice agrees to the request, and data (e.g. a list of installed applications) is sent from her phone to the privacy service for analysis.
5. The privacy service responds with a notification containing the name of the non-compliant app if any, a summary of its privacy violation activity, and the suggestion to uninstall it.
Alternative flow of events:
1. Alice starts the privacy app and configures her privacy preferences.
2. Alice installs the new game app and starts it, and the game attempts to access the corresponding server, which has also configured its privacy policy.
3. The privacy app checks Alice's and the server's privacy policies.
4. A privacy-related warning containing the name of the violating app and server is shown to Alice if the policies do not match.
5. Alice can decide whether to proceed with the app/server or not.
12.3.2.4 Properties of a solution
• The 5G network deploys some anomaly detection or malware activity detection mechanisms or privacy violation mechanism [Razaghpanah2015], [Ren2015].
• The 5G network adopts a privacy policy containing various privacy parameters (related to device and app activity on user data) that can be controlled on the user's demand or upon some anomalous event detection.
• The 5G network offers to subscribers a service that checks the privacy risk of devices and their installed apps.
• A useful tool for this service is to require the mobile applications and servers to declare a human-readable privacy policy and to offer a tool to the user's device to verify it.
12.3.2.5 Use case categories
Ensure Enablers: Privacy, Security Monitoring, Trust
Next Generation Radio Technology Use cases: mMTC, uMTC, xMBB
12.3.3 Use Case 10.3: SIM-based and/or Device-based Anonymization
12.3.3.1 Introduction
Mobile devices and/or the installed applications (malware/spyware, misbehaving applications and also common applications) disclose a large amount of personal and device-identifying information (e.g., IMSI, phone number, location data, IMEI, etc.). If such private information is accessed by applications, the users would like to be able to protect it with appropriate (e.g., format-preserving) anonymization algorithms residing preferably on the SIM. This service can be offered by the MNO at the application layer, e.g., through an application running on the device and/or on the SIM itself. A device implementation should preferably be integrated into the OS to provide protection against misbehaving applications. On the other hand, a SIM-based implementation may have even stronger security advantages and also provides "plastic roaming", e.g., the service can be enjoyed even if the user changes device. We stress a difference to Use Cases 1.4 and 2.2. In the first case, the identity protection is provided through a network-based function. In the second case, the identity protection is, as in this use case, provided in the device, but the protection is targeting the lower (radio) layers of the protocol stack, rather than the service/application layer.
12.3.3.2 Preconditions
• Alice has a valid subscription with the MNO and a SIM that has anonymization capabilities
• Alice has a means to configure and activate her anonymization preferences (profile).
12.3.3.3 Description
Alice configures her anonymization profile such that, for example, the IMSI is never disclosed to the applications requesting it, but returned in an anonymized way (e.g., with format-preserving anonymization).
Basic flow of events:
1. Alice browses the application market on her mobile device
2. Alice installs an entertainment application that can read the IMSI and send it to a remote server together with other app-related data.
3. Alice activates the anonymization profile and starts the app.
4. When the application asks for the IMSI, it gets it anonymized and sends the anonymized IMSI to the remote server together with other app-related data.
12.3.3.4 Properties of a solution
• The network provides an anonymization service that can be subscribed to by users needing it (users that have privacy concerns regarding their data)
• The network offers to subscribers a SIM (or a device) that implements anonymization algorithms, like for example lightweight format-preserving algorithms that can be implemented with little computational resources.
• The network offers to subscribers a means to configure their anonymization preferences.
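What "format-preserving anonymization of the IMSI" in the description and the lightweight algorithm in the second bullet can look like, as an added example written for this page rather than the deliverable's or any SIM vendor's algorithm. It keeps the MCC and MNC (so the app can still tell which operator it is talking to) and replaces the MSIN with a keyed pseudonym of the same length and character set. The construction (digits drawn from HMAC-SHA256 with rejection sampling), the choice to use the app identifier as context so that different apps cannot link the same subscriber, the key, and the IMSI values are all assumptions; this is one-way pseudonymisation, not a standardised FPE mode such as FF1.

```python
import hmac
import hashlib

# Added example, not from the deliverable: a keyed, format-preserving
# pseudonymisation of the IMSI as the SIM/OS service of Use Case 10.3 could
# return it to an app. Simplified construction (digits derived from
# HMAC-SHA256), not a standardised FPE mode such as FF1, and one-way: the
# MNO, not the app, would keep any mapping it needs. The key, the IMSI values
# and the app identifiers are constructed.


def split_imsi(imsi: str, mnc_len: int = 2):
    """Split an IMSI into MCC (3 digits), MNC (2 or 3 digits, per country) and MSIN."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6-15 decimal digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def pseudonymise_digits(key: bytes, digits: str, context: str) -> str:
    """Map a digit string to a key-dependent digit string of the same length.
    Bytes >= 250 are discarded so that `byte % 10` is uniform over 0..9."""
    out = []
    counter = 0
    while len(out) < len(digits):
        block = hmac.new(key, f"{context}|{digits}|{counter}".encode(), hashlib.sha256).digest()
        for b in block:
            if b < 250:
                out.append(str(b % 10))
                if len(out) == len(digits):
                    break
        counter += 1   # next block if 32 bytes did not yield enough digits
    return "".join(out)


def anonymised_imsi(key: bytes, imsi: str, app_id: str, mnc_len: int = 2) -> str:
    """Keep MCC and MNC and replace the MSIN with an app-specific pseudonym of the
    same length. Using app_id as context means two apps see different pseudonyms
    for the same subscriber and cannot link them."""
    mcc, mnc, msin = split_imsi(imsi, mnc_len)
    return mcc + mnc + pseudonymise_digits(key, msin, app_id)
```

Because the result is deterministic per (key, app), an app still gets a stable identifier for its own purposes, which is what most legitimate uses of the IMSI need, while the real MSIN never leaves the SIM or OS.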
12.3.3.5 Use case categories
Ensure Enablers: Privacy, Trust
Next Generation Radio Technology Use cases: mMTC, uMTC
12.4 5G Vision
In 5G, MNOs should build and drive internationally coordinated Anti-BotNet activities or programs. All detection and prevention methods should be embedded in the MNO infrastructure, since the MNOs do not have controls on the end user devices and how users use the connected devices.
The 5G networks can offer additional (optional) enhanced security services to users that subscribe to them, especially users concerned with security and privacy issues arising from mobile malware and misbehaving or unwanted applications. Such services may detect and notify to the user botnet-related activity and privacy violation activity. SIM-based (or possibly even device-based) anonymization services can as well be provided to users who want to be able to control and protect the privacy of their own data.
13 Cluster 11: Lawful Interception
13.1 Introduction
In this cluster, we introduce the use cases that are relevant to lawful interception in a 5G context. As described in Figure 17, lawful interception involves several actors that we detail in what follows. For every use case, we give one or multiple flows of events, the potential vulnerabilities that may arise and their associated consequences, the security properties that a solution should satisfy, and the use case category. At the end of this section, we give an indication of the potential enhancements in 5G.
Figure 17: Lawful Interception Ecosystem
13.2 Actors
A lawful interception ecosystem, as described in Figure 1, involves four actors.
• Law Enforcement Agency (LEA): this is the authority that intends to carry out a lawful interception on a user, a list of users, a service or a list of services.
• A mobile phone subscriber (e.g., Alice, Bob)
• A 5G Operator
• Court of justice: this is the authority that delivers the authorization to perform a lawful interception.
[Figure 17 diagram labels: Court of Justice (Authorization); Law Enforcement Agency (Intercept request; Intercept request & Authorization); 5G Operator (Activate & Instantiate); LI Network Function within the 5G Network (Intercept Related Information; Content of Communication); Users' equipment (Alice, Bob)]
13.3 Use Cases
13.3.1 Use Case 11.1: Lawful Interception in a Dynamic 5G Network
13.3.1.1 Introduction
5G involves the emergence of new technologies such as SDN and NFV, and new concepts like slicing. The network is evolving from a static one to a programmable, hence dynamic, one. An MNO will, therefore, have new responsibilities. In addition to managing hardware-based network equipment, the MNO will have to ensure the management and security of virtualized resources. Virtualization, in 5G, brings out new opportunities, mainly a dynamic network topology. This dynamicity would enhance the network resource management, so as to have the ability to support different services with different requirements, e.g. ultra-reliable use cases, massive IoT use cases.
In these circumstances, we attempt to show the necessary arrangements in order to ensure the LI functions. In what follows, for the sake of simplicity, we consider that the LEA would like to intercept Bob's activities in a given telecommunication service.
13.3.1.2 Preconditions
• The LEA identifies the suspected criminal (i.e., Bob) to be surveilled.
• The LEA requires an authorization from the court of justice in order to perform a lawful interception on Bob.
13.3.1.3 Description
On demand, a 5G operator should be able to answer any interception request regardless of the target entity/user or target service [TS33.106].
Basic flow of events:
1. The LEA transmits the LI request and the granted authorization to the designated service of the 5G operator to conduct the interception with regard to Bob.
2. The designated service of the 5G operator checks the validity of the request.
3. Depending [2] on the intercept type (i.e., only Intercept Related Information (IRI-only), or IRI and Content of Communication (CC)) and the service to be intercepted, the 5G operator instantiates/activates/initiates a network function (we call it, in what follows, the LI function) that will deliver to the authorities the required information.
4. At the end of the authorized period, the 5G operator deactivates the LI function.
[2] Step 3 may be interpreted differently depending on the 5G architecture. For instance,
- In a virtualization-based architecture for the 5G network, the LI function should be a virtualised network function (VNF).
- In a slice-based architecture for the 5G network, the LI function should be able to detect the involved slice. If the user is subscribed to various services (i.e., slices), the LI function should be a common VNF to all slices.
13.3.1.4 Vulnerabilities & consequences
The main issues that may arise result from a compromised/malicious LI function. We give further details about these issues in what follows.
- Unauthorized disclosure:
  o A compromised LI function may be activated/initiated without being triggered by the 5G operator.
  o A compromised LI function may provide to the LEA information about users that do not belong to the declared list in the authorization.
  o A compromised LI function may deliver information to an external attacker.
  o A compromised LI function may continue delivering information even after the end of the designated period in the authorization.
- Disruption:
  o A compromised LI function may impact the quality of a given service.
- Deception:
  o A compromised LI function may deliver to the LEA fake information (e.g., services to which the user is subscribed (slices)) about the suspected user.
13.3.1.5 Properties of a solution
In this section, we describe the properties that an LI implementation should satisfy and some possible ways to do so. Those choices may vary based on the adopted 5G network architecture.
• Transparency
  o The LI function, when activated, should not be detectable. Any third party (e.g., through observation) or user (e.g., through quality of service) should not notice any change when this function is activated.
• Confidentiality
  o Only concerned entities (i.e., the 5G operator LI service and the LEA) have access to the list of the wiretapped.
  → The 5G operator must be able to answer the LI request without requiring any third party, even when the user is subscribed to services that are not offered by the network operator but are delivered by the 5G network.
  → This property impacts two aspects: the LI function "location" within the network and its behaviour. Regarding the LI function location, two candidate solutions arise: an LI function per service (hence, within a slice) or a common LI function. The first candidate solution may violate the first and second properties (i.e., transparency and confidentiality) if the 5G operator has to ask the service provider (i.e., slice owner) to activate the LI function. Now, if we consider that the 5G operator will not make any request to the slice owner, this may question the integrity of the service/slice. This is why we promote the second candidate solution (i.e., a common LI function for all the slices). Of course, a common LI function must be implemented in a way that still ensures it does not allow unauthorized information leakage between slices.
Regarding the LI function behaviour, the main two points are to authenticate the incoming requests from the 5G operator, and the target authority (i.e., the LEA), before delivering any information.
• Dependability & reliability
  In a highly dynamic network including multiple slices and a floating topology, contrary to 3/4G, assuring the trustworthiness of the delivered information requires that:
  o The 5G operator should be able to provide high assurance that the wiretapped user/entity is indeed the required one.
  o The 5G operator should be able to provide high assurance on the validity of the collected information.
  o The 5G operator must ensure that only those under surveillance are wiretapped, e.g., authorities cannot use the LI function to wiretap users/entities not on the list.
  o In case of an end-to-end encryption managed by the network, the 5G operator should be able to deliver plain data or the encrypted data along with the decryption key.
  → Contrary to 3/4G, this property implies the protection of transmitted information in terms of integrity, confidentiality and assurance about the source of information. Cryptographic mechanisms may be used in such cases, e.g., ciphering, signature.
• Security
  o Only the 5G operator should be able to activate the LI function. This would prevent fraudulent interceptions.
  → This property will also impact the choice of the LI function location within the network.
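The behavioural properties above (only the operator can activate; requests and the target authority are authenticated before delivery; only listed targets are wiretapped; nothing is delivered outside the authorized period, closing the "continues delivering after the period" weakness of 13.3.1.4), as an added example of the gating logic of a common LI function. It is written for this page and is not the deliverable's or any vendor's design: authorizations and requests are modelled as HMAC-signed JSON documents with keys shared with the court, the operator and each LEA (a deployment would use PKI signatures), and every key, identifier, warrant id and timestamp is constructed.

```python
import hmac
import hashlib
import json

# Added example, not the deliverable's design: request handling of a common LI
# function enforcing the properties of 13.3.1.5. Authorizations and requests
# are HMAC-signed JSON documents (stand-in for PKI signatures); all keys,
# identifiers, warrant ids and timestamps are constructed.


def sign(key: bytes, doc: dict) -> str:
    return hmac.new(key, json.dumps(doc, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def verify(key: bytes, doc: dict, mac: str) -> bool:
    return hmac.compare_digest(sign(key, doc), mac)


class LIFunction:
    def __init__(self, operator_key: bytes, court_key: bytes, lea_keys: dict):
        self.operator_key = operator_key   # only the 5G operator may activate (Security)
        self.court_key = court_key         # authorizations are issued by the court of justice
        self.lea_keys = lea_keys           # lea_id -> key used to authenticate deliveries
        self.active = {}                   # warrant_id -> authorization document
        self.audit = []                    # in a deployment: a tamper-evident log

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"event": event, **fields})

    def activate(self, request: dict, request_mac: str,
                 authorization: dict, auth_mac: str, now: int) -> bool:
        """Step 2 of the flow: validate the operator's request and the court authorization."""
        if not verify(self.operator_key, request, request_mac):
            self._log("reject", reason="request not from 5G operator")
            return False
        if not verify(self.court_key, authorization, auth_mac):
            self._log("reject", reason="authorization not issued by court")
            return False
        if request["warrant_id"] != authorization["warrant_id"]:
            self._log("reject", reason="request/authorization mismatch")
            return False
        if not authorization["valid_from"] <= now < authorization["valid_to"]:
            self._log("reject", reason="outside authorized period")
            return False
        self.active[authorization["warrant_id"]] = authorization
        self._log("activate", warrant_id=authorization["warrant_id"])
        return True

    def deliver(self, warrant_id: str, lea_id: str, lea_mac: str, target: str, now: int):
        """Hand over IRI/CC only to the authenticated LEA named in the authorization,
        only for listed targets and only inside the authorized period."""
        auth = self.active.get(warrant_id)
        if auth is None:
            self._log("reject", reason="no active warrant", warrant_id=warrant_id)
            return None
        key = self.lea_keys.get(lea_id)
        if (key is None or lea_id != auth["lea"]
                or not verify(key, {"warrant_id": warrant_id, "lea": lea_id}, lea_mac)):
            self._log("reject", reason="LEA not authenticated or not the named authority")
            return None
        if now >= auth["valid_to"]:
            del self.active[warrant_id]          # step 4: deactivate at end of period
            self._log("deactivate", warrant_id=warrant_id)
            return None
        if target not in auth["targets"]:
            self._log("reject", reason="target not in authorization", target=target)
            return None
        self._log("deliver", warrant_id=warrant_id, target=target)
        return {"warrant_id": warrant_id, "target": target, "type": auth["intercept_type"]}


def demo():
    """Warrant on Bob: Bob's data is delivered, Alice's is refused, late requests deactivate."""
    op_key, court_key, lea_key = b"op-key", b"court-key", b"lea-key"   # constructed
    li = LIFunction(op_key, court_key, {"LEA-1": lea_key})
    auth = {"warrant_id": "W-42", "lea": "LEA-1", "targets": ["bob"],
            "intercept_type": "IRI+CC", "valid_from": 100, "valid_to": 200}
    req = {"warrant_id": "W-42"}
    lea_mac = sign(lea_key, {"warrant_id": "W-42", "lea": "LEA-1"})
    ok = li.activate(req, sign(op_key, req), auth, sign(court_key, auth), now=150)
    bob = li.deliver("W-42", "LEA-1", lea_mac, "bob", now=160)
    alice = li.deliver("W-42", "LEA-1", lea_mac, "alice", now=160)
    late = li.deliver("W-42", "LEA-1", lea_mac, "bob", now=250)
    return ok, bob, alice, late, li
```

The audit trail is the hook for the dependability properties: every refusal records why, so an operator can show after the fact that only listed targets were delivered and only within the period.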
13.3.1.6 Use case categories
The LI requirements should be part of all the 5G enablers and use cases. Indeed, any 5G use case may be considered as a service to which the target user or entity is subscribed.
Ensure Enablers: Privacy, Network Management & Virtualization Isolation, Security Monitoring, AAA, Trust
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
13.3.2 Use Case 11.2: End-to-end Encryption in an LI-aware network
13.3.2.1 Introduction
5G should push forward strict privacy for users. End-to-end (device-to-device) encryption is the only solution to ensure this requirement, especially when the communications are to or from different networks, areas or countries with an unknown or unacceptable security level. The main goal is to offer stronger protection of user data and user-related information while being able to securely answer any LI request.
This use case describes how a 5G operator can prevent eavesdropping attacks on all possible paths the user data traffic follows through the mobile network. This is done by augmenting identity management with additional cryptographic keys.
13.3.2.2 Preconditions
• Alice and Bob subscribe to an add-on end-to-end protection service supported by the 5G operator.
• There is a key management and key escrow server in the 5G network.
13.3.2.3 Description
Alice needs to communicate in an encrypted manner with Bob. She wants her call or SMS/MMS to be encrypted, but she neither shares a secret key with Bob nor has an application to encrypt the communication. Alice uses the encryption service provided by the 5G Operator, as shown in Figure 18.
Basic flow of events:
1. Alice is connected to the 5G network and has been authenticated.
2. Alice wants to call Bob. Alice's device uses the key management service and negotiates a session key with Bob's device to be used for call encryption.
3. Alice calls Bob with encryption turned on.
4. The LEA wants to intercept Alice's calls. The LEA asks the 5G operator to provide access to the intercepted communications.
5. The 5G operator, as provider of the encryption service, acts as an escrow agent. The session key is retrieved or reconstructed and used by the LEA to decrypt the session key and consequently Alice's communication.
13.3.2.4 Vulnerabilities & consequences
The main potential flaws of an end-to-end encryption service are to provide the LEA (or any other key escrow agents, e.g., the 5G operator) full control of the decryption keys, or to somehow enable a backdoor which might be used for undetectable mass surveillance [Murdoch2016]. In such a case, the LEA or any entity in control of the backdoor may get information exchanged outside the designated period in the authorization and/or about users not in the list (unauthorized disclosure).
13.3.2.5 Properties of a solution & candidate solutions
In this section, we describe the properties that an end-to-end encryption service should satisfy and some possible ways to do so. The main idea is to encrypt session keys using a master key. To this end, we can use a threshold (k, n) secret sharing scheme. In such a case, fewer than k agents (e.g., LEA, 5G operator, etc.) cannot get any information about the master key, and any k (possibly smaller than n) or more agents can recover the master key. In what follows, we give further details.
• On-demand service
  o The service should be turned on and off by the subscribers.
• Backward secrecy
  o The LEA must not have access to exchanged information before the designated period in the authorization.
• Forward secrecy
  o The LEA must not have access to exchanged information after the designated period in the authorization.
• Security
  o The end-to-end encryption service may be applicable at the IP or a higher layer, independently of the type of UE, using an application which is installed as part of the service.
  o The encryption key may be part of an escrow system provided by the 5G operator to enable secure communication and at the same time enable lawful interception.
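The candidate solution of 13.3.2.5 (session keys encrypted under a master key that is held as (k, n) threshold shares, so that no single escrow agent can decrypt alone) carried through in code, as an added example written for this page rather than the deliverable's design. It implements Shamir secret sharing over a prime field and wraps an escrowed session key under the master key; the field prime, the key sizes, the HMAC-based wrapping and the sample values are assumptions, and the distribution of shares to the agents (LEA, operator, court) is left to the reader.

```python
import hashlib
import hmac
import secrets

# Added example, not from the deliverable: the (k, n) threshold scheme of
# 13.3.2.5 as Shamir secret sharing over a prime field, plus HMAC-based
# wrapping of an escrowed session key under the master key. Field prime,
# key sizes and the wrapping construction are assumptions for illustration.

P = 2 ** 127 - 1   # prime field modulus; master keys are integers in [0, P)


def _poly_eval(coeffs, x: int) -> int:
    """Horner evaluation of the sharing polynomial modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_master_key(master: int, k: int, n: int):
    """Return n shares (x, f(x)) of a random degree-(k-1) polynomial with f(0) = master.
    Any k shares determine f; k-1 shares are consistent with every value of f(0)."""
    if not 0 <= master < P or not 1 <= k <= n:
        raise ValueError("need 0 <= master < P and 1 <= k <= n")
    coeffs = [master] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _poly_eval(coeffs, x)) for x in range(1, n + 1)]


def recover_master_key(shares) -> int:
    """Lagrange interpolation at x = 0; needs at least k distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P   # den^-1 via Fermat
    return secret


def wrap_session_key(master: int, nonce: bytes, session_key: bytes) -> bytes:
    """Escrow wrapping: XOR the session key with an HMAC keystream derived from the
    master key and a per-session nonce. The same call unwraps."""
    if len(session_key) > 32:
        raise ValueError("session key longer than one keystream block")
    stream = hmac.new(master.to_bytes(16, "big"), nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(session_key, stream))
```

With k = 3 and n = 5, for instance, the operator, the LEA and the court can each hold one share and two further shares can sit with auditors; any three cooperate to unwrap a session key for an authorized interception, while any two learn nothing about the master key, which is the "fewer than k agents cannot get any information" property the text asks for.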
Figure 18: The operator as a trusted provider of an end-to-end encryption service
13.3.2.6 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: mMTC, uMTC
13.4 5G Vision
5G should be able to answer any LI request in a secure way (i.e., without compromising the privacy of any of the network users). Moreover, information delivered, in case of an LI, must be provably trustworthy.
5G should be able to support end-to-end encryption for confidential device-to-device communications (e.g., calls and SMS/MMS communications), in conjunction with key escrow for reasons of lawful intercept.
14 Summary: Use Case Clusters
This document presents 31 use cases grouped into 11 clusters illustrating the enhanced scope of security and privacy in 5G networks and systems.
Clusters 1-4 focus on Identities, Authentication, Authorization and Privacy:
5G should provide a variety of identity management services which expand the capabilities of devices and networks beyond the legacy Device to Radio Access Network service. For example, new subscribers or machines should be able to enrol in 5G networks using pre-existing identity management schemes; or be able to support identity schemes enabling devices to roam between terrestrial and satellite networks.
An MNO should be able to offer additional identity management services such as trusted assertions used by third party providers, and key management enabling communication to be authenticated and encrypted end-to-end. 5G should also be able to serve Internet-of-Things devices behind a gateway and support authorization of device-to-device operations at application layer or at network layer.
Due to the pervasive nature of 5G it is essential that users have control over the privacy of their device identifiers, by providing properties like confidentiality of subscriber and device identities, untrackability of the user location, perfect forward secrecy for encrypted communications and unlinkability between the user subscription information and the device identity.
Cluster 5 focuses on Software Defined Networks, Virtualization and Monitoring:
5G networks should provide different virtualized Core Networks (slices) for different types of subscribers, including different device types, such as mMTC or xMBB, but also customer-specific slices such as eHealth. Network slices may be able to provide different services and share a common radio network. Isolation of network slices is essential. Virtualization is most likely to be transparent to many 5G nodes and also to devices and subscribers, but some 5G node components should be able to actively modify the structure and behaviour of the core network.
Virtualization brings new types of roles and actors into the picture, such as the 5G Node Provider, the Virtualization Infrastructure Provider, and the Virtual Mobile Network Operator, which require adequate trust relations to be established and enforced. This also means that new types of monitoring and assurance interfaces are needed if all the new roles are taken by separate actors. Actors that are operating on top of a virtualized platform should be able to monitor, verify and control what is happening in the virtualized network as well as in the virtualization infrastructure.
Clusters 6-10 focus on Availability, Reliability and Integrity:
5G should provide robust network services with considerable availability guarantees, in particular robustness against overload and denial of service attacks on the radio interface. Also in high load situations prioritized devices should get priority to attach, and already attached devices losing synchronization should be able to regain access. User plane data should be integrity protected, enabling trustworthy services to be built on top, such that illegitimate and low priority requests can be rejected at an early stage. Threats of cyber-attacks directly targeting 5G access networks need to be dealt with in the 5G design.
In 5G networks there should be increased assurance that the traffic is indeed originating from a legitimate entity and is bound to a legitimate entity. MNOs should not be forced to resort to implicit security assumptions about the security of the core network of interacting partners.
5G networks should be more reliable in terms of having dynamic, alternative routes from the radio network into the core network (such as a satellite connection). New commercial possibilities for stand-alone radio networks and stand-alone core networks are also envisioned.
5G should provide means for coordinated botnet mitigation schemes with prevention and detection embedded in the network infrastructure, leveraging established and adding new techniques for restricting traffic.
5G networks should offer subscribers additional (optional) enhanced security services for anonymization capabilities as well as for addressing security and privacy issues arising from mobile malware and misbehaving applications.
Cluster 11 focuses on Lawful Interception:
A 5G system should be able to answer any Lawful Intercept (LI) request in a secure way without compromising the privacy of network users, and the information provided by the LI function must be provably trustworthy and securely delivered. For this reason there is a need for a common LI function for services delivered via the 5G network which authenticates and authorizes the incoming requests and the target law enforcement authority. The operators can provide trusted key escrow services within this framework.
15 Conclusions
The use cases presented in this document illustrate the need for enhanced security and privacy in fifth generation mobile networks.
The use cases exhibit a wide range of security concerns including user privacy, identity management, authentication, authorization, key establishment for IoT, air interface protection, botnet mitigation, isolation of core network functionality, secure virtualization and verification of virtualized node and platform, security monitoring and control, and lawful interception.
The use cases address security enhancements of current networks as well as security functionality of new 5G features in a balanced mix. Just to highlight a few take-aways:
• 5G encompasses a variety of radio access systems expanding the capabilities of mobile devices and networks. To allow extended offerings in terms of access or other services there is a need to support alternative authentication schemes and associated identity management, while not compromising the high security of legacy authentication and identity management.
• The increased emphasis on user privacy, including unlinkability between subscriber information and device identifiers and untrackability of the user's location, needs to be met by new protection schemes.
• 5G networks should provide various kinds of virtualized Core Network functions (slices) for different types of subscribers or corporations which need totally different isolation properties. Virtualization brings new types of roles and actors and new types of monitoring and assurance interfaces, as well as the need to verify and control the actions and entities corresponding to the various actors.
• The increasing trend of connecting important functions in society and corporations through mobile network technology leads to an increased demand for robustness and reliability in overload and denial of service situations. The balance between law enforcement and privacy revealed by the developments in society during the last years calls for enhanced schemes for separating the concerns of the involved parties.
Most of these security and privacy enhancements require being built into the radio access and core networks and cannot be added as an afterthought. The continued analysis of security enablers and security architecture within 5G-ENSURE will assess in more detail the relevance of these use cases and their impact on the 5G system. However, it is already clear that security and privacy considerations such as those made in this document need to enter the development of 5G standards at an early stage to have the required impact on the security and privacy characteristics of next generation mobile networks.