5G-ENSURE_D2.1 Use Cases
Deliverable D2.1 Use Cases
Project name: 5G Enablers for Network and System Security and Resilience
Short name: 5G-ENSURE
Grant agreement: 671562
Call: H2020-ICT-2014-2
Delivery date: 2016-02-01
Dissemination Level: Public
Lead beneficiary: EAB, Göran Selander, [email protected]
EAB: Mats Näslund, Göran Selander
ITINNOV: Stephen Phillips, Bassem Nasser
LMF: Vesa Torvinen, Vesa Lehtovirta
NEC: Felix Klaedtke
NIXU: Seppo Heikkinen, Tommi Pernilä, Alexander Zahariev
ORANGE: Ghada Arfaoui, José Sanchez, Jean-Philippe Wary
UOXF: Piers O'Hanlon
SICS: Martin Svensson, Rosario Giustolisi
TASE: Gorka Lendrino, Carla Salas
TIIT: Madalina Baltatu, Luciana Costa
VTT: Janne Vehkaperä, Olli Mämmelä, Jani Suomalainen
D2.1 Use Cases
671562 5G-ENSURE 2
Executive summary
This document describes a number of use cases illustrating security and privacy aspects of 5G networks. Based on similarities in technical, service and/or business-model related aspects, the use cases are grouped into use case clusters covering a wide variety of deployments including, for example, the Internet of Things, Software Defined Networks and virtualization, ultra-reliable and standalone operations. The use cases address security and privacy enhancements of current networks as well as security and privacy functionality needed by new 5G features. Each use case is described in a common format where actors, assumptions and a sequence of steps characterising the use case are presented together with a short analysis of the security challenges and the properties of a security solution. Each use case cluster description is concluded with a “5G Vision” outlining the associated enhancements in security and privacy anticipated in 5G networks and systems. A summary of the 5G visions and conclusions are provided at the end of the document.
Foreword
The overall objective of 5G-ENSURE (see Section 1.1) is to become the reference project for everything that concerns security and privacy in 5G while contributing to 5G resilience. To achieve this overall ambition a number of specific objectives are targeted, including:
• Collect, analyse and prioritize 5G security and privacy requirements
• Define a security architecture for 5G
• Specify, develop and test an initial set of security and privacy enablers for 5G
These three objectives are in part dependent on analysing 5G security relevant use cases, which is the content of this deliverable D2.1. Hence D2.1 provides input to the work on Trust Model (Task 2.2), Risk Assessment, Mitigation and Requirements (Task 2.3) and the Security Architecture (Task 2.4) within the project. The use cases presented herein also serve to provide initial “blue-prints” for the required functionality of the so-called security enablers developed by WP3 of 5G-ENSURE.
D2.1 is one instance of the 5G-ENSURE measurable results and one of the milestones (MS2) of the 5G-ENSURE project. D2.1 is the first technical deliverable of the project and hence is not dependent on any previous technical deliverable within the project. The external sources for this deliverable, however, include other parallel projects running within the overall 5G-PPP and, conversely, cross-PPP coordination activities are in place to disseminate the results to other 5G-PPP projects.
Disclaimer
The information in this document is provided ‘as is’, and no guarantee or warranty is given that the information is fit for any particular purpose.
The EC flag in this deliverable is owned by the European Commission and the 5G PPP logo is owned by the 5G PPP initiative. The use of the flag and the 5G PPP logotype reflects that 5G-ENSURE receives funding from the European Commission, integrated in its 5G PPP initiative. Apart from this, the European Commission or the 5G PPP initiative have no responsibility for the content.
All Use Cases investigated in this deliverable are in the research context of a future 5G network and do not entail any commitment to be implemented in existing 2/3/4G standards. All references to 4G/LTE or EPC platforms are used for illustration of Use Cases and are not committing the project in any way to a predefined 5G infrastructure (as an iteration only of existing 4G standards for instance).
Copyright notice
© 2015-2017 5G-ENSURE Consortium
Contents
1 Introduction
1.1 5G-ENSURE
1.2 Glossary
1.3 Abbreviations
2 Background
3 Cluster 1: Identity Management
3.1 Introduction
3.2 Actors
3.3 Use Cases
3.3.1 Use Case 1.1: Factory Device Identity Management for 5G Access
3.3.2 Use Case 1.2: Using Enterprise Identity Management for Bootstrapping 5G Access
3.3.3 Use Case 1.3: Satellite Identity Management for 5G Access
3.3.4 Use Case 1.4: MNO Identity Management Service
3.4 5G Vision
4 Cluster 2: Enhanced Identity Protection and Authentication
4.1 Introduction
4.2 Actors
4.3 Use Cases
4.3.1 Use Case 2.1: Device Identity Privacy
4.3.2 Use Case 2.2: Subscriber Identity Privacy
4.3.3 Use Case 2.3: Enhanced Communication Privacy
4.4 5G Vision
5 Cluster 3: IoT Device Authentication and Key Management
5.1 Introduction
5.2 Actors
5.3 Use Cases
5.3.1 Use Case 3.1: Authentication of IoT Devices in 5G
5.3.2 Use Case 3.2: Network-Based Key Management for End-to-End Security
5.4 5G Vision
6 Cluster 4: Authorization of Device-to-Device Interactions
6.1 Introduction
6.2 Actors
6.3 Use Cases
6.3.1 Use Case 4.1: Authorization in Resource-Constrained Devices Supported by 5G Network
6.3.2 Use Case 4.2: Authorization for End-to-End IP Connections
6.3.3 Use Case 4.3: Vehicle-to-Everything (V2X)
6.4 5G Vision
7 Cluster 5: Software-Defined Networks, Virtualization and Monitoring
7.1 Introduction
7.2 Actors
7.3 Use Cases
7.3.1 Use Case 5.1: Virtualized Core Networks, and Network Slicing
7.3.2 Use Case 5.2: Adding a 5G Node to a Virtualized Core Network
7.3.3 Use Case 5.3: Reactive Traffic Routing in a Virtualized Core Network
7.3.4 Use Case 5.4: Verification of the Virtualized Node and the Virtualization Platform
7.3.5 Use Case 5.5: Control and Monitoring of Slice by Service Provider
7.3.6 Use Case 5.6: Integrated Satellite and Terrestrial Systems Monitor
7.4 5G Vision
8 Cluster 6: Radio Interface Protection
8.1 Introduction
8.2 Actors
8.3 Use Cases
8.3.1 Use Case 6.1: Attach Request During Overload
8.3.2 Use Case 6.2: Unprotected User Plane on Radio Interface
8.4 5G Vision
9 Cluster 7: Mobility Management Protection
9.1 Introduction
9.2 Actors
9.3 Use Cases
9.3.1 Use Case 7.1: Unprotected Mobility Management Exposes Network for Denial of Service
9.4 5G Vision
10 Cluster 8: Ultra-Reliable and Standalone Operations
10.1 Introduction
10.2 Actors
10.3 Use Cases
10.3.1 Use Case 8.1: Satellite-Capable eNB
10.3.2 Use Case 8.2: Standalone EPC
10.4 5G Vision
11 Cluster 9: Trusted Core Network and Interconnect
11.1 Introduction
11.2 Actors
11.3 Use Cases
11.3.1 Use Case 9.1: Alternative Roaming in 5G
11.3.2 Use Case 9.2: Privacy in Context-Aware Services
11.3.3 Use Case 9.3: Authentication of New Network Elements
11.4 5G Vision
12 Cluster 10: 5G Enhanced Security Services
12.1 Introduction
12.2 Actors
12.3 Use Cases
12.3.1 Use Case 10.1: Botnet Mitigation
12.3.2 Use Case 10.2: Privacy Violation Mitigation
12.3.3 Use Case 10.3: SIM-based and/or Device-based Anonymization
12.4 5G Vision
13 Cluster 11: Lawful Interception
13.1 Introduction
13.2 Actors
13.3 Use Cases
13.3.1 Use Case 11.1: Lawful Interception in a Dynamic 5G Network
13.3.2 Use Case 11.2: End-to-end Encryption in LI-aware network
13.4 5G Vision
14 Summary: Use Case Clusters
15 Conclusions
1 Introduction
This document describes use cases illustrating security and privacy aspects of 5G networks. These use cases provide a basis for understanding 5G security and will be used in several ways within the 5G-ENSURE project (see Section 1.1):
• The project will analyse potential threats and vulnerabilities, and identify security and privacy requirements based on these use cases.
• The use cases will be used to define a trust model between the various actors in a 5G system addressing the multiplicity of actors and also taking into account the machine-to-machine interactions characterising next generation networks.
• The use cases provide input to the security enablers in scope of the project covering the areas AAA, Privacy, Trust, Security Monitoring, and Network Management & Virtualisation Isolation.
• The items above, as well as the use cases themselves, are the major building blocks used to define the 5G security architecture in the project. Cross-PPP coordination activities are in place to disseminate the results to other projects of the 5G-PPP.
The use cases illustrate specific 5G related security challenges. There are two categories of use cases and associated challenges:
1. For use cases illustrating security issues inherited from current generation networks, the challenge is to provide an improved level of security and privacy.¹
2. For use cases illustrating new features introduced in 5G, e.g. support for Machine Type Communications (MTC) and Software Defined Networks (SDN), the challenge is to provide an appropriate level of security and privacy, as well as potential new security functionality illustrated by the use case.
In the first category of use case, the focus is on the vulnerabilities and potential countermeasures addressing the identified security issues. In the second kind of use case the focus is on the additional security functionality needed to support the new features.
This process of generating use cases may hypothetically result in new desired 5G security features for which it is hard or even infeasible to provide solutions which are both cost-efficient and adequate. However, the purpose of this deliverable is neither to do risk analysis, nor to specify detailed solutions for which there are other activities within 5G-ENSURE (see Foreword). Hence, the resulting use cases should not be interpreted as functionality that unconditionally will be supported in 5G, but as an exploration of interesting relevant scenarios, and a starting point for further analysis.
This document is organised as follows: The remainder of Section 1 contains a glossary and a list of abbreviations of terms used. Section 2 provides a background on the use case clusters and how they are compiled. Sections 3 to 13 contain the actual use case clusters and the constituent use cases. Section 14 summarises the use case clusters and Section 15 provides the main conclusions derived from this use case compilation activity. References are provided at the end.
¹ This should not be understood as a statement that current networks are not secure, but rather that changes in the threat landscape warrant consideration of additional counter-measures.
1.1 5G-ENSURE
5G-ENSURE belongs to the group of EU-funded projects which collaboratively develop 5G under the umbrella of the 5G Infrastructure Public Private Partnership (5G-PPP) in the Horizon 2020 Programme. The overall goal of 5G-ENSURE is to deliver strategic impact across technology and business enablement, standardisation and vision for a secure, resilient and viable 5G network. The project covers research & innovation - from technical solutions (5G security architecture and testbed with 5G security enablers) to market validation and stakeholders engagement - spanning various application domains.
1.2 Glossary
This section contains terminology for threat analysis used when discussing the vulnerabilities of the use cases. The terms are based on the Internet Security Glossary [RFC4949].
• Adversary
  o An entity that attacks a system.
• Attack
  o An intentional act by which an entity attempts to evade security services and violate the security policy of a system. That is, an actual assault on system security that derives from an intelligent threat.
• Counter-measure
  o An action, device, procedure, or technique that meets or opposes (i.e., counters) a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.
• Deception
  o A circumstance or event that may result in an authorized entity receiving false data and believing it to be true.
• Disruption
  o A circumstance or event that interrupts or prevents the correct operation of system services and functions.
• Threat
  o A potential for violation of security, which exists when there is an entity, circumstance, capability, action, or event that could cause harm.
  o Threats do not have to be linked to an attacker: a vulnerability combined with human error for instance can also lead to consequences such as exposure, corruption or incapacitation.
• Unauthorized disclosure
  o A circumstance or event whereby an entity gains access to information for which the entity is not authorized.
• Vulnerability
  o A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.
1.3 Abbreviations
AAA     Authentication, Authorization and Accounting
AKA     Authentication and Key Agreement
B/OSS   Business and Operational Support Systems
CC      Content of Communication
CN      Core Network
EAP     Enhanced Authentication Protocol
eNB     Evolved Node B
EPC     Evolved Packet Core
ESIM    Embedded Subscriber Identity Module
GAN     Generic Access Network
GUTI    Globally Unique Temporary Identity
HN      Home Network
HSS     Home Subscriber Server
ID      Identifier
IMEI    International Mobile Equipment Identity
IMSI    International Mobile Subscriber Identity
IRI     Intercept Related Information
LEA     Law Enforcement Agency
LI      Lawful Interception
MME     Mobility Management Entity
mMTC    Massive Machine-Type Communication
MNO     Mobile Network Operator
NMS     Network Management System
PLMN    Public Land Mobile Network
SA      Security Association
SatAN   Satellite Access Network
SatNO   Satellite Network Operator
SDN     Software Defined Networks
SIM     Subscriber Identity Module
TA      Tracking Area
TAU     Tracking Area Update
UE      User Equipment
uMTC    Ultra-reliable and low-latency Machine-Type Communication
xMBB    Enhanced Mobile Broadband
V2I     Vehicle-to-Infrastructure
V2P     Vehicle-to-Pedestrian
V2V     Vehicle-to-Vehicle
V2X     Vehicle-to-Everything
VMNO    Virtual Mobile Network Operator
VN      Visited Network
2 Background
The use cases described in this document were selected to illustrate security or privacy aspects relevant for 5G systems.
These use cases are based on input from external sources (e.g. other 5G-PPP projects, 3GPP New Services and Markets Technology Enablers (SMARTER) [TR22.891], publications of vulnerabilities and potential attacks on cellular networks, etc.) combined with the expertise and experience provided by the partners. The externally sourced dedicated 5G use cases turned out to be of limited direct applicability since most of these do not have sufficient security focus, see further discussion in Section 15.
The use cases are grouped into clusters according to topic, see Table 1. The cluster topics have been defined based on commonalities in the use cases in terms of provided security functionality or common technology. Each cluster contains the description of the actors involved in the described use cases, the actual use cases, and the “5G vision” – illustrating the security functionality which a 5G system is envisioned to encompass. The focus on the actors is motivated by their critical role in the upcoming trust modelling work in the project.
Each use case is structured as follows. First the pre-conditions are listed, illustrating the setting before the actual use case takes place. This is followed by a description containing the sequence of steps illustrating the use case. The step-by-step description is intended to pave the road for the upcoming threat and risk analysis in the project. Subsequently, there is optionally a short analysis of the use case in question, followed by an outline of security properties of a solution. Finally, the use case is classified in terms of relevant candidate security enablers in the project (see Section 1), and applicable next generation radio technology use cases: Enhanced Mobile Broadband (xMBB), Massive Machine-Type Communication (mMTC), Ultra-reliable and low-latency Machine-Type Communication (uMTC) [METIS2015]. These classifications are included to position the use case both within the 5G-ENSURE project and in the context of other 5G-PPP projects, and also to simplify the location of the use cases of relevance to the reader.
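Table 1: Table of use cases and clusters
Cluster no. | Cluster name/topic | Use case no. | Use case name
1 | Identity Management | 1.1 | Factory Device Identity Management for 5G Access
1 | Identity Management | 1.2 | Using Enterprise Identity Management for Bootstrapping 5G Access
1 | Identity Management | 1.3 | Satellite Identity Management for 5G Access
1 | Identity Management | 1.4 | MNO Identity Management Service
2 | Enhanced Identity Protection and Authentication | 2.1 | Device Identity Privacy
2 | Enhanced Identity Protection and Authentication | 2.2 | Subscriber Identity Privacy
2 | Enhanced Identity Protection and Authentication | 2.3 | Enhanced Communication Privacy
3 | IoT Device Authentication and Key Management | 3.1 | Authentication of IoT Devices in 5G
3 | IoT Device Authentication and Key Management | 3.2 | Network-based Key Management for End-to-End Security
4 | Authorization of Device-to-Device Interactions | 4.1 | Authorization in Resource-Constrained Devices Supported by 5G Network
4 | Authorization of Device-to-Device Interactions | 4.2 | Authorization for End-to-End IP Connections
4 | Authorization of Device-to-Device Interactions | 4.3 | Vehicle-to-Everything (V2X)
5 | Software-Defined Networks, Virtualization and Monitoring | 5.1 | Virtualized Core Networks, and Network Slicing
5 | Software-Defined Networks, Virtualization and Monitoring | 5.2 | Adding a 5G Node to a Virtualized Core Network
5 | Software-Defined Networks, Virtualization and Monitoring | 5.3 | Reactive Traffic Routing in a Virtualized Core Network
5 | Software-Defined Networks, Virtualization and Monitoring | 5.4 | Verification of the Virtualized Node and the Virtualization Platform
5 | Software-Defined Networks, Virtualization and Monitoring | 5.5 | Control and Monitoring of Slice by a Service Provider
5 | Software-Defined Networks, Virtualization and Monitoring | 5.6 | Integrated Satellite and Terrestrial Systems Security Monitor
6 | Radio Interface Protection | 6.1 | Attach Request During Overload
6 | Radio Interface Protection | 6.2 | Unprotected User Plane on Radio Interface
7 | Mobility Management Protection | 7.1 | Unprotected Mobility Management Exposes Network for Denial-of-Service
8 | Ultra-Reliable and Standalone Operations | 8.1 | Satellite-Capable eNB
8 | Ultra-Reliable and Standalone Operations | 8.2 | Standalone EPC
9 | Trusted Core Network and Interconnect | 9.1 | Alternative Roaming in 5G
9 | Trusted Core Network and Interconnect | 9.2 | Privacy in Context-Aware Services
9 | Trusted Core Network and Interconnect | 9.3 | Authentication of New Network Elements
10 | 5G Enhanced Security Services | 10.1 | Botnet Mitigation
10 | 5G Enhanced Security Services | 10.2 | Privacy Violation Mitigation
10 | 5G Enhanced Security Services | 10.3 | SIM-based and/or Device-based Anonymization
11 | Lawful Interception | 11.1 | Lawful Interception in a Dynamic 5G Network
11 | Lawful Interception | 11.2 | End-to-End Encryption for Device-to-Device Communications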
3 Cluster 1: Identity Management
3.1 Introduction
Cluster 1 contains four use cases describing various aspects of identity management in 5G networks.
In use case 1.1 we learn how to secure 5G connectivity and mobility of factory devices with pre-existing AAA credentials managed by the factory owner. Use case 1.2 demonstrates another way to gain 5G access, by establishment of SIM credentials to bootstrap enterprise employee credentials. Use case 1.3 elaborates on identities and authentication for roaming into a satellite network. Use case 1.4 describes an MNO providing an identity management service to a service provider on behalf of a user.
3.2 Actors
The actors in this cluster are:
• Mobile Network Operator (MNO)
• Mobile device users (Alice, Bob)
• Malicious party (Mallory)
• Factory Robot (Rob)
• Factory Owner (FO)
• Service Provider (SP)
• Satellite Network Operator (SatNO)
3.3 Use Cases
3.3.1 Use Case 1.1: Factory Device Identity Management for 5G Access
3.3.1.1 Introduction
Industry automation today uses proprietary radio access technologies, or non-3GPP technologies such as WLAN. New 5G radio accesses are foreseen to be designed to offer competitive advantages in terms of cost, quality of service, mobility, etc., that make them attractive for industry automation. Thus, in this use case, we consider factory robots accessing a factory network over 5G connectivity but using credentials and AAA managed by a Factory Owner, assuming that the MNO can agree to such a configuration. This setting is also discussed in [TR22.891]. The factory owner installs 5G base stations in the factory but will rely on the MNO to perform services such as IP connectivity and mobility.
The agreement between FO and MNO covers aspects such as charging policies, security policies and configuration data (e.g. certificates), liabilities of the parties, etc. It should be noted that such an agreement would require a major change in the trust model compared to current roaming agreements, which today only exist between MNOs.
3.3.1.2 Preconditions
The preconditions are illustrated in Figure 1.
• The Factory has its own AAA server for robots.
• The MNO has a dedicated Industrial Automation Control (IAC) server to connect to the factory AAA server for AAA purposes. The IAC may comprise parts of MME functionality or an interface to the operator’s MME. The full functionality and its realization, e.g. in terms of virtualization, is out of scope of the use case.
• 5G base stations are owned and deployed in the factory, but the factory has no other 5G network core equipment. The base stations use some spectrum allocated to the MNO.
• FO and MNO have an agreement allowing factory base stations to connect securely to the MNO core network over an interface we denote “S1” (see below) and allowing the factory’s AAA server to connect securely to the MNO’s IAC over an interface we denote “S6” (see also below) in order to establish network access credentials.
• “S1” denotes a presumed 3GPP reference interface between the Radio Access Network and Core Network (CN) handling e.g. authentication signalling between the IAC and UE via 5G base stations. The S1 interface is assumed to be secured by, for instance, IPsec Security Associations (SA) established using credentials which are part of the agreement between the FO and MNO.
• “S6” denotes a presumed 3GPP reference interface between the serving network (MNO IAC) and a subscriber database (an AAA-type server). The S6 interface is assumed to be secured by, for instance, IPsec SAs established using credentials which are part of the agreement between FO and MNO.
3.3.1.3 Description
When power is switched on, Rob, a factory robot, connects to the Factory Network using factory credentials as illustrated in Figure 1.
Basic flow of events:
1. Rob is powered up
2. Rob requests access to the factory 5G base station presenting a FO identifier
3. Rob is not yet authenticated and the base station contacts the IAC in the MNO CN over S1
4. The IAC recognizes, e.g. using namespace analysis of the FO identifier, that Rob belongs to the factory and this IAC connects to the factory AAA over S6
5. The FO AAA provides, based on Rob’s FO identifier, a temporary credential to the IAC which enables the IAC to authenticate Rob to this session
6. Mutual authentication, based on Rob’s temporary credential, is performed between Rob and the MNO network. As a result, cryptographic keys are made available for the purpose of protecting the connection between the robot and the factory base station, and between the robot and the IAC
7. Rob is provided IP connectivity and mobility
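Steps 4 to 6 of the flow above can be traced in code. The following Python sketch is an added example, not part of the deliverable or of any 5G-ENSURE enabler. The use case does not specify a mechanism, so the HMAC-based temporary credential, the challenge-response exchange, the realm-style FO identifier (rob-17@factory.example) and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed mechanism (not specified by the use case): the temporary credential
# is an HMAC of the robot's long-term factory key over a per-session id, so
# the long-term key never leaves the factory AAA.


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (no ambiguous concatenation)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(2, "big") + p)
    return mac.digest()


def session_keys(temp: bytes, net_nonce: bytes, rob_nonce: bytes) -> dict:
    # Step 6 result: separate keys for robot<->base station and robot<->IAC.
    return {"radio": prf(temp, b"key-radio", net_nonce, rob_nonce),
            "iac": prf(temp, b"key-iac", net_nonce, rob_nonce)}


class FactoryAAA:
    """Factory Owner AAA: the only place long-term robot keys are stored."""

    def __init__(self, robot_keys: dict):
        self._keys = robot_keys

    def temp_credential(self, fo_id: str, session_id: bytes) -> bytes:
        # Step 5: credential bound to this session, handed to the IAC over S6.
        if fo_id not in self._keys:
            raise PermissionError("unknown FO identifier")
        return prf(self._keys[fo_id], b"temp-cred", session_id)


class Robot:
    def __init__(self, fo_id: str, long_term_key: bytes):
        self.fo_id, self._key = fo_id, long_term_key

    def respond(self, session_id: bytes, net_nonce: bytes):
        # The robot derives the same temporary credential locally.
        self._temp = prf(self._key, b"temp-cred", session_id)
        self._nonces = (net_nonce, secrets.token_bytes(16))
        return self._nonces[1], prf(self._temp, b"robot", *self._nonces)

    def finish(self, net_mac: bytes) -> dict:
        # Mutual authentication: the robot checks the network before using keys.
        expected = prf(self._temp, b"network", *self._nonces)
        if not hmac.compare_digest(net_mac, expected):
            raise PermissionError("network failed authentication")
        return session_keys(self._temp, *self._nonces)


class IAC:
    """MNO Industrial Automation Control server."""

    def __init__(self, agreements: dict):
        self._agreements = agreements  # realm -> factory AAA reachable over S6

    def attach(self, robot: Robot) -> tuple:
        # Step 4: namespace analysis of the FO identifier selects the factory.
        realm = robot.fo_id.rpartition("@")[2]
        aaa = self._agreements.get(realm)
        if aaa is None:
            raise PermissionError("no FO/MNO agreement covers this realm")
        session_id, net_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
        temp = aaa.temp_credential(robot.fo_id, session_id)        # step 5
        rob_nonce, rob_mac = robot.respond(session_id, net_nonce)  # step 6
        expected = prf(temp, b"robot", net_nonce, rob_nonce)
        if not hmac.compare_digest(rob_mac, expected):
            raise PermissionError("robot failed authentication")
        net_mac = prf(temp, b"network", net_nonce, rob_nonce)
        # Returns (keys held by the network, keys held by the robot).
        return session_keys(temp, net_nonce, rob_nonce), robot.finish(net_mac)


def demo() -> bool:
    key = bytes.fromhex("00" * 31 + "01")  # constructed sample key
    aaa = FactoryAAA({"rob-17@factory.example": key})
    iac = IAC({"factory.example": aaa})
    net_keys, rob_keys = iac.attach(Robot("rob-17@factory.example", key))
    return net_keys == rob_keys
```

In this sketch a compromise of the IAC exposes only per-session credentials, which is one way to read the requirement that the temporary credential authenticates Rob "to this session".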
Figure 1: Factory 5G deployment
3.3.1.4 Properties of a solution
• Secure connections between factory and MNO, for example IPsec on S1 and S6, where the agreement between MNO and Factory should contain the credentials for establishing IPsec.
• EAP-based authentication to factory AAA. Which EAP methods to be allowed could be specified in the agreement between MNO and Factory, but weak methods such as passwords will most likely not be allowed in any such agreement.
• The 5G authentication procedure can be designed to be compatible with whatever factory credentials that are used.
• The MNO never distributes the customer’s credentials (whether MNO related or FO related) to any third party.
• A candidate solution is using an MNO implementation of GBA [TS33.220].
3.3.1.5 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: mMTC, uMTC
3.3.2 UseCase1.2:UsingEnterpriseIdentityManagementforBootstrapping5GAccess
3.3.2.1 IntroductionTheenterprisewantstoprovideitsemployees’deviceswith5Gconnectivitytouseintheofficeorwhenbeingmobile.Sincetheenterpriseinanycaseneedstomanagetheemployees’credentialsitisconvenient
D2.1UseCases
6715625G-ENSURE 15
tousethesecredentialstobootstrap5Gcredentialsusedforconnectivity.However,theenterprisedoesnotwanttomanageanHSS.TheenterpriseandMNOsignanagreementthattheemployeedevicescanbecomeprovisionedwith5Gcredentials,assumingthattheMNOcanagreetosuchaconfiguration.Theenterprisemayextendcoverageandcapacityofthe5Gnetworkbyinstallingadditional(e.g.indoor)5Gbasestations,butthisisnotnecessaryiftheexisting5Gaccesssuffices.
Itshouldbenotedthatthiskindofagreementwouldrequireachangeinthetrustmodelcomparedtocurrentsubscriptionprovisioningmodels.
3.3.2.2 Preconditions
• MNO has its own IAC to cover industry needs
• The enterprise has its own AAA for the employees.
• Bob, an enterprise employee, has a UE (e.g. mobile phone, laptop, etc.) which is provisioned with enterprise keys.
• The enterprise and MNO have made an agreement allowing subscription parameters associated with new employees to be stored in the MNO IAC. The MNO IAC generates these credentials by request from the enterprise AAA. The credentials could for example be (U)SIM-compatible parameters to be used with the Authentication and Key Agreement (AKA) protocol. The agreement covers aspects such as how to secure the credential provisioning, charging policies, liabilities of the parties, etc. To this end, the MNO and enterprise are assumed to have made a risk assessment that the enterprise AAA is sufficiently secure, and has an acceptable risk level, when entering into the agreement.
• After being authenticated and authorized by the AAA, Bob’s UE is being provisioned from MNO IAC with credentials for establishing a 5G session. The credentials are protected in transport between MNO IAC and Bob’s UE based on the enterprise AAA.
3.3.2.3 Description
Bob, an enterprise employee, switches on his UE which attaches to the MNO base station and authenticates to the network. This authentication procedure may differ depending on how and what credential was provisioned. The flow is depicted in Figure 2.
Basic flow of events:
1. Bob requests 5G credentials from the Enterprise AAA. The request is authenticated using Bob’s enterprise keys.
2. The Enterprise AAA requests provisioning of 5G session credentials from the MNO IAC
3. Bob’s UE is securely provisioned with (U)SIM-type credentials from the MNO IAC based on the employee AAA credential
4. Bob’s UE authenticates to the 5G network
5. Bob’s UE is ready to use
Figure 2: Enterprise 5G deployment
Alternative flow of events:
In this flow, instead of (U)SIM-type credentials, some non-SIM credential of sufficient strength is assumed, under the condition that the secure storage and use of those credentials in Bob’s device has been qualified by the MNO as sufficient in terms of secure storage, assurance etc. in relation to the existing USIM card, and could be controlled by the MNO. In particular the security level of this storage should prevent credential cloning. A protocol such as EAP may be used to carry the authentication signalling.
1. Bob’s UE has been provisioned with non-SIM type credentials via the MNO IAC
2. Bob’s UE authenticates to the 5G network using the credentials, e.g. by means of EAP
3. Bob’s UE is ready to use
3.3.2.4 Properties of a solution
• ESIM provisioning initiated by enterprise network
• EAP based authentication to enterprise AAA
• In the first flow, no new credentials need to be supported by the 5G authentication protocol
3.3.2.5 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: xMBB
3.3.3 Use Case 1.3: Satellite Identity Management for 5G Access
3.3.3.1 Introduction
This use case explores two identity-management situations involving satellite networks and a dual satellite and terrestrial 5G access: one in which the 5G device attaches to the satellite network; the other in which the 5G device identifies in either the satellite network or the terrestrial network, and then due to coverage issues roams to the other network.
3.3.3.2 Preconditions
• SatNO has its own AAA for its subscribers.
• SatNO and MNO have a roaming agreement allowing each other’s users to roam in the other’s network.
3.3.3.3 Description
Bob switches on his dual satellite and terrestrial 5G UE with a set of credentials that allows access to both networks, and is initially connected to the satellite network (see Figure 3). Due to coverage issues he may need to roam between the networks (see Figure 4).
Please note that AAA Servers depicted in Figure 3 and Figure 4 are depicted separately for logical reasons, but their physical location might be the same – they can physically even be one single AAA Server.
Basic flow of events:
1. Bob’s UE, located for instance in a moving truck in an isolated area, can only offer Bob connectivity through satellite when he turns on the UE.
2. Bob chooses to connect the UE through satellite, and the authentication and authorization process is performed between the UE and the satellite AAA Server and between the satellite AAA Server and the 5G AAA Server.
The fine-grained access policies at the 5G AAA Server process the authentication request from Bob’s UE and establish that, for the credentials provided, access can be granted to the UE into the satellite network, with an authorization level A (which may consist for example of certain peak data rate, certain sustained data rate, certain services enabled, etc.).
Figure 3: Integration of AAA system mechanisms in 5G device with satellite coverage
Alternative flow of events:
The events can be seen as an extension of the basic flow in which the roaming aspect is incorporated.
1. Bob’s UE, located for instance in a moving truck in an isolated area, can only offer Bob connectivity through satellite when he turns on the UE.
2. Bob chooses to connect the UE through satellite, and the authentication and authorization process is performed between the UE and the satellite AAA Server and between the satellite AAA Server and the 5G AAA Server
3. Bob parks and takes his UE inside a building under terrestrial coverage compliant with UE terrestrial connectivity
4. The UE detaches from the satellite network and automatically tries to attach to the terrestrial network using the relevant credentials.
5. The credentials are roamed from 5G AAA Server to Terrestrial AAA Server and Terrestrial network authorizes Bob’s UE. At this point the 5G device has regained connectivity after a roaming process that has been virtually seamless to Bob.
As explained in the basic flow of events, the fine-grained access policies at the 5G AAA Server process the authentication request from Bob’s UE and establish that, for the credentials provided, access can be granted to the UE into the satellite network, with an authorization level A (which may consist for example of certain peak data rate, certain sustained data rate, certain services enabled, etc.).
Now, during the roaming process, a roaming request from the Terrestrial AAA Server arrives at the 5G AAA Server, which processes the authentication credentials from Bob’s UE (given by the Satellite AAA Server) and establishes that, for the credentials provided, access can be granted to the UE into the terrestrial network, with an authorization level B (which may consist for example of certain peak data rate, certain sustained data rate, certain services enabled, etc.).
Figure 4: Integration of AAA system mechanisms with 5G roaming from satellite to terrestrial networks
3.3.3.4 Properties of a solution
• (U)SIM-type credentials for satellite access may be one approach to allowing roaming from terrestrial network into satellite network, e.g. using EAP-AKA authentication [EAP-AKA].
3.3.3.5 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
3.3.4 Use Case 1.4: MNO Identity Management Service
3.3.4.1 Introduction
This use case describes an MNO providing an identity management service to a 3rd party service provider on behalf of a user.
3.3.4.2 Preconditions
• User Bob is a subscriber of an MNO
• The MNO associates to Bob a “Network ID” (e.g., a mobile phone number to Bob’s UE)
• Bob uses a service, S, provided by a 3rd party service provider SP (e.g. a bank)
• Bob subscribes to a customised service, S, provided by a 3rd party service provider SP (e.g., a bank) based on some information that can be provided by the MNO. The service agreements (between the user Bob and MNO and SP, respectively) detail what information can be collected by the MNO, what information can be shared with the SP, the deactivation of this option, etc.
• The service provider assigns to Bob a local identity (i.e. an identity associated to this service such as a bank account number)
• The service local identity of Bob encompasses some attributes related to his “Network ID”
3.3.4.3 Description
For the sake of concreteness, we consider a banking service example, see Figure 5.
Bob would like to access some resources associated to his bank account, e.g., perform a transfer of money, change his secret code, etc. The bank requests from the operator information with respect to Bob, such as Bob’s access network type, Bob’s equipment, used authentication scheme, location, and so forth. Depending on the provided information, the bank adjusts its security policy. The bank may for example ask Bob for further (second factor) authentication or modify the way to deliver the service.
As a consequence, the bank will manage to have the same security level when delivering a service, e.g. if the user is connected via a public hotspot then perhaps additional authentication and protected communication is needed. This is owing to dynamic security policies that are based on information provided by the MNO.
Basic flow of events:
1. Bob’s UE is authenticated to the MNO
2. Bob’s UE requests access to a service at a service provider (Step (a) in Figure 5)
3. Upon request, the operator collects information about Bob (and/or his UE) and shares it with the service provider according to the terms of the service S (Steps (b), (c) and (d) in Figure 5)
4. The service provider authorizes or personalizes a service to Bob based on the received information (Steps (e) and (f))
Figure 5: 5G Network Operator as Trust Provider
3.3.4.4 Properties of a solution
• Use of suitable (secure) attribute sharing mechanism.
3.3.4.5 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: xMBB
3.4 5G Vision
5G provides a variety of identity management services which expand the capabilities of devices and networks beyond the legacy UE to RAN service. A device provisioned with appropriate credentials can get 5G access in a flexible way, driving down cost in large scale deployments. New subscribers or machines can be enrolled in 5G networks, using their pre-existing identity management schemes, while respecting their privacy. This attracts new categories of users to the 5G ecosystem.
5G identity management provides for better integration between cellular and satellite networks, including roaming. 5G AAA Servers include specific intelligence to confer an authorization level suited to the authentication credentials for a particular access network; in particular they assign the authorization level seamlessly to the end user during the roaming between two access networks. Moreover, the 5G AAA Servers in satellite networks offer ultra-fast logins with optimized data exchange in order to lower the latency and maximize the spectral efficiency. Finally, 5G AAA Servers are capable of supporting hundreds of thousands of simultaneous logins, in compliance with the requirements imposed by 5G.
An MNO can offer identity management services such as trusted assertions and secure identifiers of subscribers, while respecting the agreed upon privacy policy.
[Figure 5 diagram labels: Bob; 5G Network; 5G Network Operator; Bank server; (a) Request; (b) Bob?; (c) Data Collect; (d) Network context associated to Bob; (e) Update Security Policies; (f) Customized Reply]
4 Cluster 2: Enhanced Identity Protection and Authentication
4.1 Introduction
These use-cases address the area of enhancements to identity protection and authentication in 5G compared to existing 3G and 4G networks. Specifically they focus on three use-cases, the first of which tackles privacy for device identifiers which need to be appropriately protected and/or anonymised. The second use-case addresses the area of subscriber identity privacy which also needs to be suitably protected and/or anonymised, particularly when traversing access networks. The final use-case tackles the provision of perfect forward secrecy to combat the threat of passive attacks, particularly in the case of subscriber key compromise.
4.2 Actors
The actors in this cluster are:
• User (Alice)
• Alice’s UE (UE)
• Malicious user (Mallory)
• Mobile Network Operator (MNO)
4.3 Use Cases
4.3.1 Use Case 2.1: Device Identity Privacy
4.3.1.1 Preconditions
• Alice’s UE is switched on
4.3.1.2 Description
Alice’s UE connects to the mobile network and wants the identity of her UE to be private.
Basic flow of events:
1. Alice’s UE connects to the 5G network over the Air Interface or via Generic Access Network (GAN)
2. Alice’s UE authenticates to the 5G network using (U)SIM credentials
3. Alice’s UE responds to the MME’s request for the International Mobile Equipment Identity (IMEI) of her UE, and request validation
4. Alice’s UE is ready to use
Alternative flow of events:
1. Alice’s UE connects to the 5G network over the Air Interface or via Generic Access Network (GAN) with an Attach Type "Emergency"
2. Alice’s UE includes the IMEI in plaintext in the Attach request during an emergency call situation, where it does not have a valid Globally Unique Temporary Identity (GUTI) or International Mobile Subscriber Identity (IMSI)
3. If the network is configured to support emergency services, Alice’s UE gets emergency bearer allocated
4.3.1.3 Vulnerabilities and consequences
• Users do not want to be tracked via their UE identifiers
• Certain user groups do not want their subscriber identity and their device’s identity linked
4.3.1.4 Properties of a solution
The solution space includes exploration of protocol enhancements and investigation into state-of-the-art end-to-end anonymization techniques, offering protection against device identity disclosure and unauthorized device tracking. As with LTE, 5G should ensure that the IMEI is sent only in a confidentiality-protected message, as opposed to GSM and UMTS, where the network, and hence an attacker, may request delivery of the IMEI in the clear. In addition the enhancement aims to also address the emergency call case where the IMEI is sent over the network unprotected, since a security context cannot be created and used to provide for confidentiality.
4.3.1.5 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
4.3.2 Use Case 2.2: Subscriber Identity Privacy
4.3.2.1 Preconditions
• Alice’s UE is switched on.
• Mallory sets up a fake Base Station (for active attacks) or monitoring (for passive listening of transmissions of legitimate base station).
4.3.2.2 Description
Alice’s UE connects to the mobile network and wants her subscriber identity and location to remain private.
Basic flow of events:
1. Alice’s UE connects to the 5G network, identified by her GUTI/IMSI
2. Mallory observes GUTI/IMSI, or elicits Alice’s IMSI, and can track Alice’s UE
3. Alice’s UE authenticates to the 5G network using the SIM credentials
4. Alice’s UE is ready to use
5. Mallory tracks Alice’s current location by triggering the mobile network into initiating the generation of paging messages to Alice’s UE (e.g. by using social media application to initiate unobtrusive communications)
6. Mallory observes the paging messages sent and can potentially correlate the contained GUTI with Alice’s social network identity
Alternative flow of events:
1. Alice’s UE connects to the 5G network, identified by her GUTI/IMSI
2. Mallory observes GUTI/IMSI, or elicits her IMSI, and can track her
3. Alice’s UE authenticates to the 5G network using the SIM credentials
4. Alice’s UE is ready to use
5. Mallory forces Alice’s UE to connect to Mallory’s rogue eNB by exploiting the feature “absolute priority based cell reselection”
6. Mallory initiates a “RRC Connection Reconfiguration” message
7. Alice’s UE responds with a “Measurement report” and the GPS coordinates of her UE, if her UE supports the “locationInfo-r10” feature
8. Mallory is able to determine Alice’s location by trilateration, or the supplied GPS coordinates
4.3.2.3 Vulnerabilities and consequences
• The subscriber’s identifier or temporary identifiers allow for tracking of a user
• Temporary identifiers (pseudonyms like GUTI or TMSI) are broadcast in cleartext so that Alice’s UE can identify targeted communications. If such identifiers are not changed (re-pseudonymized) before Mallory is able to determine which belongs to Alice, Alice’s location can be tracked
• Broadcasting a GUTI, which is known or suspected to belong to Alice, is an indication that Alice is close to the broadcasting base station. By analysing signal directions, Mallory may be able to determine the UE’s location more accurately. However, location tracking based upon tracking identifiers alone does not always provide a precise location for Alice. Alice may be in a different location to her UE, or her UE’s communication may be relayed, at the physical layer, to another location
• Users do not want their subscriber identity and their device’s identity linked
• The current standards allow measurement reports to be sent without security, which enables Mallory to retrieve the reports to determine the location of Alice’s UE [Shaik2015]
4.3.2.4 Properties of a solution
Potential solutions to provide for subscriber privacy include encryption of the IMSI and/or use of improved pseudo-identifiers. Anonymisation systems may be investigated to provide for unlinkability of subscriber and device identities.
4.3.2.5 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
4.3.3 Use Case 2.3: Enhanced Communication Privacy
4.3.3.1 Preconditions
• Alice’s UE is switched on
• Mallory has a 5G access network monitor and is in possession of Alice’s user-specific key, K
4.3.3.2 Description
Alice’s UE connects to the mobile network and wants her communications to be private to passive monitoring, despite compromise of her user-specific key. The assumption that Mallory has obtained K is normally an extremely unlikely event. Nevertheless, claims of such situations arising have occurred [SchahillBegley2015].
Basic flow of events:
1. Alice’s UE connects to the 5G network
2. Alice’s UE authenticates to the 5G network using the (U)SIM credentials
3. Mallory observes the authentication and derives the session keys (CK, IK), using Alice’s key, K
4. Alice’s UE is ready to use
4.3.3.3 Vulnerabilities and consequences
• Users’ communications may be decrypted through passive monitoring of access network traffic
• Users may be impersonated
4.3.3.4 Properties of a solution
A potential solution would be to introduce mechanisms to provide for perfect forward secrecy of the communications. Thus only an active attacker could ascertain the session keys in the event of a user-specific key compromise.
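The difference between the basic flow and a forward-secret one can be checked in code. The sketch below is an added example, not part of the deliverable: HMAC-SHA256 stands in for the AKA key derivation, and an ephemeral X25519 exchange is assumed as the forward-secrecy mechanism (the deliverable names none); all function names are hypothetical.

```python
import hashlib
import hmac
import os

P = 2**255 - 19                          # Curve25519 field prime (RFC 7748)
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")  # standard X25519 base point


def x25519(scalar: bytes, u_coord: bytes) -> bytes:
    """X25519 from RFC 7748 (Montgomery ladder). Not constant time:
    suitable for a demonstration, not for production use."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    n = int.from_bytes(k, "little")
    x1 = int.from_bytes(u_coord, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def aka_session_key(k: bytes, rand: bytes) -> bytes:
    """Stand-in for deriving (CK, IK): a function of K and the RAND that is
    sent in clear. HMAC-SHA256 replaces the real AKA functions (assumption)."""
    return hmac.new(k, b"CK||IK" + rand, hashlib.sha256).digest()


def pfs_session_key(k: bytes, rand: bytes, dh_shared: bytes) -> bytes:
    """Mix an ephemeral Diffie-Hellman secret into the AKA-style key."""
    return hmac.new(aka_session_key(k, rand), b"PFS" + dh_shared,
                    hashlib.sha256).digest()


def run_attach(k: bytes, with_pfs: bool):
    """Simulate one attach. Returns (UE key, network key, transcript), where
    the transcript holds only what a passive monitor can record."""
    rand = os.urandom(16)
    transcript = {"rand": rand}
    if not with_pfs:
        key = aka_session_key(k, rand)
        return key, key, transcript
    ue_priv, net_priv = os.urandom(32), os.urandom(32)  # discarded after use
    ue_pub = x25519(ue_priv, BASE_POINT)
    net_pub = x25519(net_priv, BASE_POINT)
    transcript.update(ue_pub=ue_pub, net_pub=net_pub)
    ue_key = pfs_session_key(k, rand, x25519(ue_priv, net_pub))
    net_key = pfs_session_key(k, rand, x25519(net_priv, ue_pub))
    return ue_key, net_key, transcript


def observer_recovers_key(k: bytes, transcript: dict, session_key: bytes) -> bool:
    """What the passive observer holding K can compute from the recording.
    The ephemeral private values never appear in the transcript, so the DH
    secret is out of reach without an active role in the exchange."""
    return hmac.compare_digest(aka_session_key(k, transcript["rand"]), session_key)


if __name__ == "__main__":
    K = bytes(range(16))  # constructed long-term key
    for mode in (False, True):
        ue_key, net_key, seen = run_attach(K, with_pfs=mode)
        print("PFS" if mode else "AKA-only",
              "| endpoints agree:", ue_key == net_key,
              "| passive observer with K recovers key:",
              observer_recovers_key(K, seen, ue_key))
```

The public values in this sketch are not authenticated, so an attacker who holds K and actively takes part in the exchange remains in scope, which is the residual case the text names.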
4.3.3.5 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
4.4 5G Vision
It is essential that users have control over the privacy of their subscriber and device identifiers in 5G and have even higher assurance that privacy of their communications is upheld. The pervasive nature of 5G means there will be many more deployment options for devices. Thus users want to have wider scope and control over their subscriber and device identities, and to ensure that communications are secured against wider threats. 5G networks should guarantee user privacy by providing security properties including confidentiality to subscriber and device identities, untrackability of the user location, perfect forward secrecy for encrypted communications and unlinkability between the user subscription information and the device identity.
5 Cluster 3: IoT Device Authentication and Key Management
5.1 Introduction
This use case cluster focuses on IoT device authentication and key management and it includes two use cases: “Authentication of IoT devices in 5G” and “Network-based key management for end-to-end security”.
The first use case focuses on authentication of constrained IoT devices [RFC7228] which might not have direct access to the 5G network or might benefit from group-based authentication, where massive groups of IoT devices are authenticated simultaneously. The group is defined by one or more attributes, such as the device location, type of device or type of application, etc. Thus, group-based authentication consists of a set of protocols that allows members of the group to be authenticated.
The second use case focuses on network-based key management where the network provides a service for key exchange to be used for secured end-to-end communication.
5.2 Actors
The actors in this cluster are:
• 5G Network Operator (MNO)
• Mobile device user (Bob)
• AAA Server in 5G network
• Key management service in 5G network
• IoT device 1 (Sensor 1)
• IoT device N (Sensor N)
• IoT gateway
• IoT backend service (operated by Alice)
5.3 Use Cases
5.3.1 Use Case 3.1: Authentication of IoT Devices in 5G
5.3.1.1 Preconditions
• Mobile device user and IoT gateway have 5G credentials
• A large number of IoT devices (Sensor 1, Sensor N) require access to services/Internet
• IoT devices (Sensor 1 and Sensor N) may not be able to access services/Internet by themselves
5.3.1.2 Description
The group of IoT devices (Sensor 1, Sensor N) are constrained devices with different network access and security technologies and may need to access services/Internet, which are reachable by means of a 5G network. The IoT devices can be grouped into two categories: IoT devices with an onboard radio interface, which are hence capable of radio signalling with the 5G network; and IoT devices without 5G radio access, but with other communication technologies, e.g. WiFi or Bluetooth, therefore requiring an IoT Gateway that provides the 5G connectivity. The presence of the IoT gateway may potentially obstruct the possibility to robustly identify individual devices at the application layer. While a group identity may of course be used (e.g. related to IMSI), this use case seeks to enable more robust identification also of individual devices by leveraging the strong security of the SIM credentials.
Existing authentication protocols, e.g. LTE-AKA, might not be suitable to efficiently support the expected number of authentication requests generated by the boom of connected IoT devices. This might result in unwanted latencies when numerous devices in the same group initiate simultaneous authentication requests. This is especially important in highly mobile devices due to the many requests of authentication vectors to the home network. A solution to this can be group-based authentication, in which overhead may be reduced as each device of a given group does not have to execute the complete authentication protocol [Chengzhe2013].
Additionally, a third scenario is that the network broadcasts a session request to a group of devices, on behalf of a user or service. One of the group members will authenticate with the 5G network, presenting its unique identity, and its group identity [TS22.368]
Basic flow of events:
1. The IoT gateway authenticates to the AAA server, or the mobile device (Bob) authenticates to the AAA server, using USIM AKA. Thus, the 5G subscriber’s identity, i.e. IMSI, is ensured and can be collected by the network.
2. The IoT Sensor (Sensor 1, Sensor N) authenticates to the IoT gateway or to the mobile devices using radio access specific technology. The IoT sensors and the connected IoT gateway or mobile devices are owned by the same subscriber.
3. The IoT sensors have access to services/Internet and are able to send and receive data, either via Bob’s device or via the IoT gateway. In their request to services they might reuse the 5G subscriber’s identity.
Alternative flow of events:
1. The IoT gateway authenticates to the AAA server, or the mobile device (Bob) authenticates to the AAA server, using USIM AKA. Thus, the 5G subscriber’s identity, i.e. IMSI, is ensured and can be collected by the network.
2. The IoT Sensor (Sensor 1, Sensor N) authenticates to the AAA server, by assistance of the IoT gateway or the mobile device (Bob), to establish itself as a point of presence in the 5G network to enable a service differentiation on a network level, e.g. different QoS classes. The IoT sensors will be uniquely identified in the network in addition to the IoT gateway or mobile device (Bob). All involved equipment is owned by the same subscriber.
3. The IoT sensors have access to services/Internet and are able to send and receive data directly, either via Bob’s device or via the IoT gateway.
Alternative flow of events:
1. The IoT devices dynamically form groups according to their similarity (type of device, location, application). The IoT devices have the necessary credentials to authenticate with the AAA server.
2. Group-based authentication is performed for a group of IoT devices with the AAA server authenticating a group of devices simultaneously.
Figure 6: Authentication of IoT/M2M devices in 5G
5.3.1.3 Vulnerabilities and consequences
The security threats could be related to a man-in-the-middle taking part in the bootstrapping procedure. A specific security threat related to the alternative flow could be related to a malicious IoT device which is grouped with other IoT devices and is authenticated together with other IoT devices. In addition, the constrained nature of IoT devices might make it easier to subvert the security of these devices (e.g., they don’t have enough processing power to use stronger algorithms).
5.3.1.4 Properties of a solution
5G User Equipment (Bob’s mobile device or IoT gateway) may act as a 5G bootstrapping device for a number of constrained devices, sensors, and actuators that are not able to access the 5G network themselves.
With group based authentication, IoT devices can form a group based on physical location, type of sensor/actuator, type of application, or other similarity factor, and an IoT gateway or mobile device acting as a relay could perform simultaneous authentication for the group of devices. In a group based authentication scenario, the AAA overhead will be greatly reduced as each device does not have to execute the complete protocol.
[Figure 6 diagram labels: 5G Network; AAA server; IoT Gateway; Bob’s device (relay); IoT Sensor 1; IoT Sensor N; Group of IoT sensors; Authentication via IoT Gateway; Authentication via relay; Group authentication]
5.3.1.5 Use case categories
Ensure Enablers: AAA
Next Generation Radio Technology Use cases: mMTC, uMTC
5.3.2 Use Case 3.2: Network-Based Key Management for End-to-End Security
5.3.2.1 Preconditions
• IoT devices (endpoints) have 5G credentials
• IoT backend service (endpoint) operated by Alice has 5G credentials
• 5G network provides network-enabled key management service
• The key management service can authenticate actors with 5G credentials using the AAA server in 5G network
• Alice is able to provide policies for the key management service to control which endpoints can share keys
5.3.2.2 Description
An IoT device is connected to the 5G network and authenticated to use the network. The IoT device needs to communicate with the backend service (operated by Alice). The communication should be end-to-end secured (encrypted and authenticated) but the endpoints have no means to connect to each other securely (e.g., they do not share secret keys). The connected IoT device utilizes a network-enabled key management service provided by the 5G network to achieve secure end-to-end communication between the device and the IoT backend service located, e.g., in the cloud.
Basic flow of events:
1. The IoT service is connected to the key management service and authenticated
2. Alice (operating IoT service) provides policies controlling which IoT devices may share a key with the IoT service
3. IoT device is connected to 5G network and authenticated
4. IoT device negotiates security keys for data encryption using the key management service provided by 5G network
5. IoT device encrypts and authenticates data to be transmitted using keys provided by the network and starts sending the data to the IoT server
6. The IoT server decrypts and verifies received data using the key negotiated with the key management service
Figure 7: Network-based key management for end-to-end security
5.3.2.3 Vulnerabilities and consequences
Missing end-to-end security leaves communication vulnerable to compromised or malicious network components. End-to-end security, where keys are managed by the services/devices themselves, prevents lawful interception and may waste resources as operators may still secure core network communication with their own mechanisms.
The key management solution provided by 5G operators is suitable for cases where the end-points trust the operator and the operator’s capabilities (e.g. to provide truly random keys which do not leak to adversaries). In highly critical applications such trust assumptions may not always be justified. Availability of end-to-end connections may in these cases be achieved by replacing the key management that is provided by a 5G operator with a more trusted alternative.
5.3.2.4 Properties of a solution
Network-enabled key management available in 5G enables communication to be encrypted and authenticated from end to end. The connected device can utilize network-enabled key management provided by the 5G network to achieve secure end-to-end communication between the device and the service located e.g. in the cloud. By providing network-enabled key management, the 5G network can provide secure communication and at the same time enable lawful interception.
[Figure 7 diagram labels: 5G Network; Key Management Service; IoT Sensor; IoT Service; Key management; Encrypted data]
The key management service may provide both device specific keys for unicast communication as well as group specific keys for multicast communication.
The solution may be linked to service/device discovery. An IoT device is not required to provide any configuration interfaces that would enable its owner to input configuration data such as the address of the remote IoT service. A device that has been bought directly from a shop may e.g. have only an interface to insert 5G credentials (like a USIM card). Alice may provide this configuration through the 5G mobile operator (key management service) who forwards the configuration information alongside the keys for the authenticated and authorized devices. Authentication (or SLA) between the key management service (provided by an operator or third party) and devices/services utilising the key management service is needed before the actual key exchange.
In terms of LI, the solution proposed should be transparent, which means that 5G Network operators should be able to support interception without the need for the Key Management Server (in case it is operated by a third party) to be involved. This point is related to country sovereignty.
5.3.2.5 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: mMTC, uMTC
5.4 5G Vision
5G should support group-based authentication, where IoT devices can form a group based on the similarity (location, type of sensor/actuator, application, …) to reduce AAA overhead where each device does not have to execute the complete AAA protocol. 5G should also be able to serve IoT devices behind a relay/gateway securely even when IoT devices do not have direct access to 5G network.
5G networks should also provide a security enabler for the key management which enables communication to be encrypted and authenticated from end to end. The connected device can utilize network-enabled key management provided by 5G network to achieve secure end-to-end communication between the device and the service located, e.g., in the cloud. By providing network-enabled key management, 5G network can provide secure communication and at the same time comply with the lawful interception requirements.
6 Cluster 4: Authorization of Device-to-Device Interactions
6.1 Introduction
This cluster contains three use cases about authorization of device-to-device interactions: the first use case considers the authorization in resource-constrained devices [RFC7744] by means of token based on 5G credentials; the second use case considers the authorization by a 5G operator of direct IP connections; the last use case considers authorization in vehicle-to-everything communications.
6.2 Actors
The actors in this cluster are:
• User (Alice)
• Sensors’ Owner
• Sensors’ Owner’s AAA Server
• Sensor 1
• Sensor 2
• 5G operator
• Vehicle 1 (Ann)
• Vehicle 2 (Bob)
• Pedestrian (Charlie)
• Vehicle Manufacturer
6.3 Use Cases
6.3.1 Use Case 4.1: Authorization in Resource-Constrained Devices Supported by 5G Network
6.3.1.1 Preconditions
• Every actor holds 5G credentials
• The AAA Server can authenticate users with 5G credentials
• The AAA Server maintains a database that stores access rights to the sensors.
6.3.1.2 Description
Sensor 1 and Sensor 2 are resource-constrained devices [RFC7228] that want to outsource authorization services to an AAA Server. Thus, the AAA Server should support an interface that allows the sensors’ owner to issue security policies via the 5G network. Also, the AAA Server should support an interface to issue authorization tokens based on the 5G credentials (see Figure 8).
Basic flow of events:
1. The sensors' owner issues security policies to the AAA Server concerning access to its sensors.
2. Alice authenticates to the AAA Server and requires access to the sensors.
3. The AAA Server issues an authorization token based on 5G credentials of Alice according to the security policies.
4. Alice has access to the sensor(s) using her token and 5G credentials.
6.3.1.3 Vulnerabilities and Consequences
The main threats are due to a malicious user who may want to access the sensors’ data without authorization. Such a malicious user may either try to generate a fake token or try to modify the security policy to get access to the sensors. Moreover, the AAA server may introduce several vulnerabilities in the 5G network infrastructure, which have to be carefully investigated. In any case, an investigation of liabilities between parties will have to be performed (AAA owner, sensor owner and 5G operator).
Figure 8: Setting for Authorization in Resource-Constrained Devices
6.3.1.4 Properties of a solution
The generation of the authorization token should be based both on the security policy, as defined by the sensor owner, and on the 5G credentials which provide the overall trust. The AAA server activities should not affect the security of the 5G Network to which it is connected (for example not contribute to other attacks such as cloning, eavesdrop of communication, network element compromise, etc.).
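One way to bind a token to both the owner's policy and the authenticated subscriber, shown as an added sketch that is not part of the deliverable. It assumes a symmetric key shared between the AAA server and the sensor and an HMAC-SHA256 tag, chosen here because the sensors are constrained; the token layout, function names and identifiers are hypothetical.

```python
import hashlib
import hmac
import json
import time


def _mac(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def issue_token(key, policy, subscriber, sensor, now=None, ttl=300):
    """AAA side. `subscriber` is the identity established by 5G
    authentication; a token is issued only if the sensor owner's policy
    grants that subscriber rights on that sensor."""
    rights = policy.get(sensor, {}).get(subscriber)
    if not rights:
        return None
    issued = int(time.time() if now is None else now)
    claims = {"sub": subscriber, "aud": sensor,
              "rights": sorted(rights), "exp": issued + ttl}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    return body + "." + _mac(key, body)


def verify_token(key, token, sensor, authenticated_subscriber, action, now=None):
    """Sensor side. Accept only an authentic, unexpired token that was
    issued for this sensor, for the presenting subscriber, and that
    covers the requested action."""
    body, sep, tag = str(token).rpartition(".")
    if not sep:
        return False
    if not hmac.compare_digest(_mac(key, body).encode(), tag.encode()):
        return False  # forged or modified token
    claims = json.loads(body)
    current = int(time.time() if now is None else now)
    return (claims["aud"] == sensor
            and claims["sub"] == authenticated_subscriber
            and action in claims["rights"]
            and current < claims["exp"])


if __name__ == "__main__":
    # Constructed sample data: key, policy and identifiers are illustrative.
    aaa_sensor_key = b"constructed-demo-key-0123456789ab"
    owner_policy = {"sensor-1": {"alice-sub": {"read"}}}

    token = issue_token(aaa_sensor_key, owner_policy, "alice-sub", "sensor-1")
    print("Alice reads sensor-1:",
          verify_token(aaa_sensor_key, token, "sensor-1", "alice-sub", "read"))
    print("Same token on sensor-2:",
          verify_token(aaa_sensor_key, token, "sensor-2", "alice-sub", "read"))
    tampered = token.replace('"read"', '"actuate"')
    print("Tampered rights accepted:",
          verify_token(aaa_sensor_key, tampered, "sensor-1", "alice-sub", "actuate"))
    print("Token for unlisted subscriber:",
          issue_token(aaa_sensor_key, owner_policy, "mallory-sub", "sensor-1"))
```

The check on `sub` is what ties the token to the 5G credentials: a copied token fails when presented by a subscriber other than the one it was issued to.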
6.3.1.5 Use case categories
Ensure Enablers: AAA
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
[Figure 8 diagram labels: User; AAA; Sensor Owner; Sensors; Security Policy; Token]
6.3.2 Use Case 4.2: Authorization for End-to-End IP Connections
6.3.2.1 Preconditions
• Alice and Sensor 1 hold 5G credentials
• 5G operator can authenticate both Alice and Sensor 1
• Sensor 1 is able to perform access control
6.3.2.2 Description
Alice wants to access the data provided by Sensor 1, hence she wants to build end-to-end IP connections through the 5G network. The 5G operator should be able to authorize such connections.
Basic flow of events:
1. Alice and Sensor 1 are authenticated by the 5G network and configured to the same 5G slice
2. Alice bootstraps a direct IP connection with Sensor 1 via 5G network
3. The 5G operator authorizes the direct IP connection
4. Sensor 1 sends its data through the established secure direct IP connection
6.3.2.3 Vulnerabilities and Consequences
One potential vulnerability appears if the solution would allow a direct IP connection without authorization. In other words, a malicious user might then establish such a connection even though the 5G operator should have blocked it.
6.3.2.4 Properties of a solution
To prohibit unauthorized access and illicit traffic using the direct IP connection, the 5G network may require that direct connections must first be authorized by the network, or use an IP whitelist, combined with a services whitelist. The 5G operator might also do a layer 7 verification of the IP traffic sent to the sensors, to detect known exploit attempts.
6.3.2.5 Use case categories
Ensure Enablers: AAA, Network Management & Virtualisation Isolation
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
6.3.3 UseCase4.3:Vehicle-to-Everything(V2X)
6.3.3.1 Preconditions• Everyactorholds5Gcredentials• 5Goperatorcanauthenticatevehicles• Mutualauthenticationbetweenvehicleandvehiclemanufacturer
6.3.3.2 DescriptionAnnandBobmaywanttoexchangedata(Vehicle-to-Vehicle(V2V)communication)via5Gnetworktoshareknowledgeinordertoprovidemoreintelligentservices,suchastrafficjaminformation.AnnmayalsowanttoexchangedatawithCharlie(Vehicle-to-Pedestrian(V2P)communication)via5Gnetworktosupportcooperativecollisionwarning.Finally,Annmaywanttoconnectwithhervehiclemanufacturerinfrastructure(Vehicle-to-Infrastructure(V2I)communication)todownloadasoftwareupdate,ortosendanalyticsreportsfromthevehicletotherepairshop.
V2V, V2P, and V2I have different security needs, and the 5G operator should grant authorization to the 5G network accordingly.

Basic flow of events:
1. Ann establishes a connection with Bob
2. Bob sends to Ann information about his location and speed
3. Ann processes Bob’s information to generate the traffic status

Alternative flow of events:
1. Ann establishes a connection with Charlie
2. Charlie sends his position to Ann, and Ann hers to Charlie
3. Ann and Charlie process the information according to a collaborative collision warning system.

Alternative flow of events:
1. Ann establishes an IP connection with a vehicle manufacturer
2. Ann sends her software version information to the vehicle manufacturer
3. The vehicle manufacturer sends a software update to Ann

6.3.3.3 Vulnerabilities and Consequences
Indication about traffic jams might use a group security association where identifying and authenticating an individual sender may not be required. However, if a group security association is used for sending analytics to the repair shop from a vehicle, a malicious group member (e.g. Eve) could be able to send unauthorized analytics data to the repair shop on behalf of the victim (Ann).

6.3.3.4 Properties of a solution
• Enrolment in national traffic management infrastructure, as soon as border is passed.
• Symmetric keys for encryption
• Asymmetric keys for signature, providing non-repudiation

6.3.3.5 Use case categories
Ensure Enablers: AAA, Trust, Network Management & Virtualisation Isolation
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC

6.4 5G Vision
5G should support authorization of device-to-device operations at different levels. At the application level, the 5G infrastructure provides the credentials to support the generation of security policies and authorization tokens. At the network level, the 5G operator should be able to authorize direct and secure end-to-end connections between devices. Moreover, the use of licensed spectrum of 5G should be authorized in a secure way. 5G should cope with the different levels of trust, for instance, according to the V2X scenario, and also take the relevant legislation and regulation into account in the design of the 5G solution.
7 Cluster 5: Software-Defined Networks, Virtualization and Monitoring

7.1 Introduction
To lower the cost and allow more flexibility, e.g. rapid deployment of new network functionality, 5G will rely on virtualization. In addition, network virtualization in the form of network slices can be a means to isolate different types of traffic and to provide better security and network attack resistance.

By “network slice” we mean a portion of the underlying network used to provide network services with particular properties. For example a slice could be used to provide:
• High QoS for real-time streaming/video
• Delay tolerant networking
• Special enterprise or M2M traffic
• Strong security properties (e.g. "isolating" traffic from potential eavesdropping, DoS etc.)

The use cases in this cluster are divided into three categories:
1. The user plane of an SDN network: This category comprises use cases that deal with the virtualization of the network, i.e., the 5G Core Network in the form of a Network Slice. The first use case belongs to this category.
2. The control plane of an SDN network: This category comprises use cases that deal with mechanisms of virtualizing the network, and how the virtualized network is operated. This includes the tools for creating, maintaining, and removing Network Slices, and Network Nodes in these Slices. It also includes the router infrastructure, SDN programming interfaces, clouds, and the VNFs (Virtualized Network Functions). The second and third use cases belong to this category.
3. Monitoring and control of the virtualized 5G network and of the virtualization infrastructure: This category comprises use cases that describe monitoring, verifying, and controlling the virtualized 5G Core Network and the virtualization infrastructure. The fourth, fifth and sixth use cases belong to this category.
Figure 9: User plane, control plane in SDN and monitoring and control of virtualized 5G network
[Figure labels: virtualization infrastructure (NFVs, routers, Cloud HW) and the management of the forwarding plane; the control plane of SDN; the user plane of SDN (5G Network Slice & micro-segments) with 5G User Plane Processing nodes in a Virtual Core Network / Network Slice and a Sub-slice; verification and assurance of virtualized network and the virtualization infrastructure; monitoring and control of sub-slice; APIs; actors Bob, Alice @ VIP, Carol @ VMNO, Dave @ SP]
7.2 Actors
The actors in this cluster are:
• Virtual Mobile Network Operator (VMNO)
• Virtualized Infrastructure Provider (VIP)
• Infrastructure components, these are the network components (physical or virtualized)
• 5G Node Provider (5GNP), this is the software vendor of a 5G node that is running on top of the Virtualized Infrastructure
• Service Provider (SP) running a service on top of the VMNO’s network
• Employee (Alice) using the API in Infrastructure side, could be an employee of SatNO, VMNO or VIP
• Consumer (Bob) and his 5G devices (e.g. xMBB or mMTC devices)
• Employee (Carol) using the monitoring/assurance API, could be an employee of VMNO, VIP, 5GNP
• Employee (Dave) of the SP using an API to the VMNO.

7.3 Use Cases
7.3.1 Use Case 5.1: Virtualized Core Networks, and Network Slicing
This use case belongs to category 1: the user plane of an SDN network.

7.3.1.1 Preconditions
• The Virtualized Infrastructure Provider (VIP) and the Virtual Mobile Network Operator (VMNO) have a business agreement, and they have installed and configured a Virtual Core Network (VCN) consisting of two Network Slices. One slice is serving xMBB subscribers, and the other mMTC subscribers.
• The VCN is connected to an infrastructure of 5G base stations that in this use case are shared between multiple VMNOs. The RAN consists of components owned by different VMNOs.
• The Network Slices are configured in such a way that one slice does not accept commands from another slice.
• Micro-segmentation splits network slices into smaller parts with more restricted and controlled security policies dedicated for specific application services or users. By combining micro-segments, similar guaranteed security levels can be provided even over multiple network domains and multiple network operators.
• Bob has a 5G xMBB device, and a subscription of VMNO to that device.
• Bob has also a sensor that is a 5G mMTC device, and includes a subscription of VMNO.
• VMNO is providing an Internet accessible API for 5G mMTC device subscribers to control the behaviour of the mMTC devices.

7.3.1.2 Description
Bob turns on the power in his 5G xMBB device and 5G mMTC sensor, and the attach requests are routed via the 5G radio network to the corresponding network slices. Devices and the network negotiate security mechanisms and algorithms in a secure way, and after the security is turned on, the devices have access to the services in the different network slices.

This use case assumes that the devices are authenticated after they have access to the slice; however, there are other options like authentication of the device at a special slice selection function.
Basic flow of events:
1. The 5G xMBB device, and 5G mMTC device are powered up.
2. The devices attach to the 5G base station.
3. The devices are authenticated after the attachment.
4. The base station contacts the MMEs in the VMNO network slices for xMBB and mMTC.
5. The VMNO decides to create a micro-segment for Bob’s mMTC communications. This micro-segment is extended to include this 5G base station if not already included.
6. Before creating the micro-segments, the devices and the slices mutually authenticate. Authentication could happen also in an earlier phase between the device and a special slice selection function.
7. The micro-segments are allocated for the devices that are authorized for it. The micro-segment has a security mechanism of its own.
8. Bob uses his 5G xMBB device to configure the behaviour of the sensor via the API.
7.3.1.3 Vulnerabilities and consequences
Having large segmented security zones can create significant attack surfaces and enable threats to move throughout large portions of the 5G software network unrestricted.

7.3.1.4 Properties of a solution
By dividing the network into smaller parts, i.e., network slices, sub-slices and micro-segments it would be easier to monitor and respond to anomalous behaviour. In this way, the surface for attacks and threats can be reduced significantly. Network slicing (and further sub-slicing) could be used to create portions of the underlying network which can be further used to provide network services with particular properties. Micro-segmentation could provide a more fine-grained approach than traditional network slicing and with micro-segmentation it may be possible to create secure segments where more granular access controls and stricter security policies can be enforced.

7.3.1.5 Use case categories
Ensure Enablers: Network Management & Virtualisation Isolation, Trust
Next Generation Radio Technology Use cases: uMTC, mMTC, xMBB
7.3.2 Use Case 5.2: Adding a 5G Node to a Virtualized Core Network
This use case belongs to category 2: the control plane of SDN.

The general SDN approach that could be used to implement this use case would typically use the following concepts. The control plane of SDN intermediates between the application plane and the data plane, whereas the user plane of SDN is composed of network applications that send instructions to the control plane, the SDN controller, via the northbound application interface. Those instructions will be translated by the SDN controller into suitable actions sent via the southbound protocol interface to the data plane. For instance, to install an end-to-end path between two nodes, the SDN controller will take this instruction sent by a network application and it will generate a series of flows to be installed on the appropriate switches, e.g. via OpenFlow, to ensure that path.
7.3.2.1 Preconditions
• There are two Virtual Mobile Network Operators, VMNO1 and VMNO2.
• Each VMNO has its own virtual core network, VCN1 and VCN2.
• VCN1 and VCN2 share the same physical network.
• A multi-slice system, where the slices consist of virtual topologies simultaneously deployed over the same core network (physical infrastructure). This physical infrastructure is operated by a Virtualized Infrastructure Provider (VIP).
• Both core networks VCN1 and VCN2 are isolated by using an isolation mechanism.
• VMNO1 has requested the VIP to construct a new Network Slice. This request has been done in a secure way.
7.3.2.2 Description
Network Applications in each Virtualized Core Network modify the forwarding logic of the shared physical network.

The Network Applications (such as an MME) are not able to read or modify physical network resources belonging to the other Virtualized Core Network. Furthermore, modifications to the physical network, which might originate from a reconfiguration of one of the virtual core networks, should not conflict with the current configurations of the other virtual core network. In the flow below, the MME is assumed to be associated with a slice. Thus, this only supports the model in which UE devices are assigned to slices before they have been authenticated, even if, as mentioned, other options are possible.

Basic flow of events:
1. Alice, an employee of a VIP, starts configuring a new Network Slice on VCN1 by creating a new virtual MME. The MME software is coming from a 5G Node Provider (5GNP).
2. Alice creates the virtual space for MME, and installs the MME software on top of that.
3. Alice configures the forwarding logic related to the new MME.
7.3.2.3 Vulnerabilities and consequences
The MME software in the VCN1 should not be able to see or modify the forwarding logic related to VCN2. There may be policy conflicts when different network applications in each virtualized core network try to modify the forwarding logic of the shared physical network elements, because those can inject contradictory policies, or even a non-authenticated network application can try to inject malicious policies to the SDN controller.

On the other hand, the high dynamicity in SDN and NFV-based environments comes from the fact that the SDN controller ensures the connectivity among virtual nodes comprising the slices by choosing a physical path at run-time. Apart from this, when SDN is combined with NFV the network becomes even more dynamic, since virtual nodes host VNFs which may be migrated, leading to subsequent recalculation of the path allocated by the SDN controller. This dynamicity leads to a lack of control on the established dependencies between the slice topologies and the physical infrastructure, since it depends on the SDN controller which may change those dependencies dynamically. As a consequence, fault isolation on multi-slice systems needs to be ensured. Fault isolation ensures the resilience of VNFs and virtual links composing the slices, and it consists of ensuring that those virtual resources are disjointly allocated (i.e. ensuring those slices do not share resources) in the network infrastructure or at least ensuring there is enough redundancy to migrate them to avoid service outages. Otherwise, a failure on the shared physical resources could propagate to both slices.
7.3.2.4 Properties of a solution

Security policies:

The authenticity and integrity of the received data and commands in each slice must be ensured. To control the access between slices, security mechanisms must be able to check whether the received data/commands originated from within the slice or not (from a legitimate entity). In other words, they must be able to check its trustworthiness, to prevent access from other slices.

The security system must ensure the different SLA objectives for the different slices are met. The SLA objectives will be different depending on the use case (e.g. autonomous driving, health, massive IoT, etc.)

The policies sent by network applications should first be injected into a policy checker block [Paladi2015], which analyses the policies from network applications towards the VCNs to avoid incoherencies between policies and/or security issues. This policy checker block verifies and enforces policies and controls the access of network applications to the SDN controller. This block has two components: a real-time policy checker block that verifies the incoming policies and tags them with the issuing entity, and an offline policy checker block that ensures isolation, network reachability and liveness. In this use case, the network applications should not be able to read or modify network resources of other VCNs, so the rules sent from network applications should be injected into a policy checker block able to understand their origin, identify whether or not they are allowed to access that VCN and reject them if necessary. The SDN controller should only install those policies accepted by the policy checker block, once this block checks that those policies come from authenticated and authorised network applications.

• In a 5G network, the isolation of slices (isolation assurance within 5G nodes) must be ensured. This assurance must be provided at two levels, at security level (threats propagating through the slices) and at resiliency level (faults in the physical infrastructure propagating through the slices).
• A compromised slice may compromise the security of other slices sharing the same physical 5G nodes.
• Unavailability of a physical network resource (physical 5G node) serving N slices, whether intentional or accidental, may propagate to the N slices (a.k.a. cascade effect)
• Integrity and authenticity of the data/commands uploaded/downloaded by a 5G controller/a 5G object must be ensured to avoid any security issues.
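
The real-time half of the policy checker described above can be sketched as follows. This is an added example, not code from the deliverable or from [Paladi2015]; the application identifiers, per-application HMAC keys, port-ownership table and rule format are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data (assumptions, not from the deliverable):
# one key per network application, the VCN each application belongs to,
# and which VCN owns each (switch, port) of the shared physical network.
APP_KEYS = {"mme-vcn1": b"demo-key-vcn1", "mme-vcn2": b"demo-key-vcn2"}
APP_VCN = {"mme-vcn1": "VCN1", "mme-vcn2": "VCN2"}
PORT_OWNER = {
    ("s1", 1): "VCN1", ("s1", 2): "VCN1",
    ("s1", 3): "VCN2", ("s1", 4): "VCN2",
}


def canonical(rule):
    """Serialise a rule deterministically so both sides MAC the same bytes."""
    return json.dumps(rule, sort_keys=True, separators=(",", ":")).encode()


def sign_rule(app_id, rule):
    """What a network application does before sending a rule northbound."""
    return hmac.new(APP_KEYS[app_id], canonical(rule), hashlib.sha256).hexdigest()


class PolicyChecker:
    """Real-time checker placed in front of the SDN controller."""

    def __init__(self):
        self.accepted = []  # rules released to the controller, tagged with issuer

    def submit(self, app_id, rule, tag):
        # 1. Authenticate the issuing application and the rule's integrity.
        key = APP_KEYS.get(app_id)
        if key is None:
            return False, "unknown application"
        expected = hmac.new(key, canonical(rule), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(tag).encode()):
            return False, "authentication failed"

        # 2. Authorise: every port the rule touches must belong to the
        #    issuer's own VCN (unknown ports have no owner and are refused).
        vcn = APP_VCN[app_id]
        for port in (rule["in_port"], rule["out_port"]):
            if PORT_OWNER.get((rule["switch"], port)) != vcn:
                return False, f"port {port} on {rule['switch']} is not in {vcn}"

        # 3. Coherence: refuse a rule that contradicts an accepted one
        #    (same switch, ingress port and match, different output port).
        for old in self.accepted:
            same = all(old[k] == rule[k] for k in ("switch", "in_port", "match"))
            if same and old["out_port"] != rule["out_port"]:
                return False, f"conflicts with rule issued by {old['issuer']}"

        # 4. Tag with the issuing entity and release to the controller.
        self.accepted.append({**rule, "issuer": app_id})
        return True, "accepted"


if __name__ == "__main__":
    checker = PolicyChecker()
    ok = {"switch": "s1", "in_port": 1, "match": "10.1.0.0/16", "out_port": 2}
    cross = dict(ok, match="10.2.0.0/16", out_port=3)   # reaches into VCN2
    clash = dict(ok, out_port=1)                        # contradicts `ok`
    for rule in (ok, cross, clash):
        print(checker.submit("mme-vcn1", rule, sign_rule("mme-vcn1", rule)))
```

The offline checks the text mentions (isolation, reachability, liveness over the whole rule set) are not covered by this block.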

Resiliency policies:

A resilient system must prevent cascade effects between different slices, by checking in real time which part of the physical infrastructure is ensuring the integrity of a given slice topology and proposing migrations when detecting vulnerable, attacked, compromised or affected physical resources. For that, it is necessary to support the on-the-fly retrieval of the dynamic dependencies between the slices and the physical infrastructure in order to calculate the propagation of faults and attacks in a given slice.
7.3.2.5 Use case categories
Ensure Enablers: Network Management & Virtualisation Isolation, Trust
Next Generation Radio Technology Use cases: mMTC, uMTC, xMBB
7.3.3 Use Case 5.3: Reactive Traffic Routing in a Virtualized Core Network
This use case belongs to category 2: the control plane of an SDN network.

7.3.3.1 Preconditions
• There is one Virtual Mobile Network Operator, VMNO1.
• VMNO1 has its own virtual core network, VCN1.
• Network traffic in VCN1 is routed (reactively) by a network application. The function of this network application is to receive packet-in messages and reconfigure the flow tables of the switches accordingly.
• This use case assumes that the virtual 5G core is aware of virtualization. (It could also be possible that the dynamic behaviour is done transparently to the virtual 5G core.)
• A consumer of VMNO2, Bob, accesses with his mobile device a service in the internet. Bob is a roaming subscriber in the VCN1.

7.3.3.2 Description
When Bob accesses the physical core network for which no matching flow rules are installed, the VCN1’s network application is triggered. The reconfiguration of VCN1 is compiled down to a reconfiguration of the physical network. The reconfiguration handles Bob’s network flow to access the remote internet service.

Basic flow of events:
1. Bob’s device starts sending network packets to the core network.
2. Since the network packets do not match any flow rule, the core network generates a corresponding packet-in message for VCN1.
3. VCN1 triggers its network routing application for the received packet-in message.
4. The network application establishes a network flow in VCN1.
5. The reconfiguration of VCN1 is compiled down so that a corresponding network flow in the physical network is established.
6. Bob starts communicating over his mobile device with the internet service.

7.3.3.3 Vulnerabilities and consequences
The time of reconfiguring the physical network can be measured by an attacker. In this way, an attacker can gain information about which network packets trigger a reconfiguration of network components, and when. This can be exploited to mount powerful denial-of-service attacks, where an attacker overloads the controller of VCN1 by sending packets that, with high probability, trigger a reconfiguration of the networks. Furthermore, note that installing flow rules in state-of-the-art hardware switches is a costly operation. This means that even the performance of the physical network might be decreased.

7.3.3.4 Properties of a solution
A solution should not decrease network performance significantly. This means, for example, that delaying every network packet that does not trigger an interaction with the control plane at a switch before forwarding it is not a workable solution. Although an adversary would not gain any knowledge when measuring the timings of sending and receiving packets, the whole network traffic would be slowed down significantly. However, one can delay a few packets of a network flow to obfuscate the timing measurements of an adversary. The few delayed packets fake an interaction between the network’s data plane and control plane. These delays can be done directly at the switches or at a dedicated, new data-plane component. There is no need for any interaction with the control plane. The selection of the packets and the delay is specific to a network, and needs to be configured.
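
A toy simulation of the timing side channel and of the delay-based countermeasure described above (added example, not part of the deliverable). The latency constants, the one-rule-per-destination switch model and the choice to delay the first two packets of each flow are assumptions.

```python
FAST_MS = 0.2   # constructed: forwarding latency when a flow rule matches
CTRL_MS = 6.0   # constructed: extra latency of a packet-in round trip


class Switch:
    """Toy reactive switch: one flow rule per destination, installed on demand."""

    def __init__(self, obfuscate=False, delayed_packets=2):
        self.obfuscate = obfuscate
        self.delayed_packets = delayed_packets  # network-specific tuning knob
        self.rules = set()       # destinations with an installed flow rule
        self.seen = {}           # (src, dst) -> packets already forwarded
        self.packet_ins = 0      # real interactions with the control plane

    def forward(self, src, dst):
        """Forward one packet and return its latency in milliseconds."""
        n = self.seen.get((src, dst), 0)
        self.seen[(src, dst)] = n + 1
        if dst not in self.rules:
            self.packet_ins += 1         # table miss: controller installs a rule
            self.rules.add(dst)
            return FAST_MS + CTRL_MS
        if self.obfuscate and n < self.delayed_packets:
            # A rule exists, but the first packets of this flow are held in the
            # data plane for as long as a packet-in would have taken. The
            # controller is not contacted.
            return FAST_MS + CTRL_MS
        return FAST_MS


def run_experiment(obfuscate):
    """Victim traffic installs rules; a measuring host then probes every service."""
    sw = Switch(obfuscate=obfuscate)
    services = ["10.0.0.%d" % i for i in range(1, 9)]
    in_use = set(services[::2])          # ground truth an observer wants to learn
    steady_ms = None
    for dst in sorted(in_use):
        for _ in range(50):
            steady_ms = sw.forward("victim", dst)   # last value = steady state
    # One probe per service; a fast reply is read as "rule was already there".
    latencies = {dst: sw.forward("probe-host", dst) for dst in services}
    inferred = {dst for dst, ms in latencies.items() if ms < CTRL_MS / 2}
    return {
        "truth": in_use,
        "inferred": inferred,
        "probe_latencies": sorted(set(latencies.values())),
        "steady_ms": steady_ms,
        "packet_ins": sw.packet_ins,
    }


if __name__ == "__main__":
    for mode in (False, True):
        r = run_experiment(mode)
        print("obfuscate=%s leaked=%d/%d distinct probe latencies=%s steady=%.1f ms"
              % (mode, len(r["inferred"] & r["truth"]), len(r["truth"]),
                 r["probe_latencies"], r["steady_ms"]))
```

With the delay enabled every first probe sees the same latency, steady-state forwarding is unchanged and the number of packet-in messages is the same as without it.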

7.3.3.5 Use case categories
Ensure Enablers: Network Management & Virtualisation Isolation, Trust
Next Generation Radio Technology Use cases: mMTC, uMTC, xMBB
7.3.4 Use Case 5.4: Verification of the Virtualized Node and the Virtualization Platform
This use case belongs to category 3: the monitoring of the virtualized 5G network and of the virtualization infrastructure.

7.3.4.1 Preconditions
• A new MME has been virtualized, and it is running on top of a Virtualization Platform.
• The MME is deployed as part of a VCN, and a Network Slice.
• There is a certification system for Virtualization Platforms that issues “level 1 certification” to third party products.

7.3.4.2 Description
Carol is running various tests on the Virtualized Node, and the Virtualization Platform. Carol needs to check that the new node meets the requirements of the Virtual Mobile Network Operator. This slice is used for eHealth services, and it needs to fulfil certain safety, security and privacy standards: in this example we assume that all parts of the VCN are physically within France.

Basic flow of events:
1. Carol starts by checking that the physical computer of the Virtualization Platform is located in France. The physical computer is the one where the Virtualized Node is to be installed.
2. Carol adds a monitoring policy that allows her to receive a notification if the location is changed, and an alarm message if the location moves outside of France.
3. Carol runs a test on the virtual machine of the Virtualization Platform, and verifies that it is able to fulfil the security and privacy requirements. Carol is able to verify that the Virtualization Platform has been certified by an external party, and it has “level 1” certification.
4. Carol then checks the integrity of the MME software that is running on top of the virtual machine.
5. Carol verifies that the security towards the other nodes in the Virtual Core Network is configured correctly, and only authenticated and protected data/commands are able to pass/access the MME.
6. Carol checks that the slice topology corresponds to a physical infrastructure whose physical nodes comply with the geographical constraints for this use case.

7.3.4.3 Vulnerabilities and consequences
In this e-health service, the slice should depend only on 5G nodes located in France or operated by a given MNO, which is why Carol is checking that the underlying nodes of the slice provided comply with such a geographical constraint.

Privacy and security issues should be respected, especially in highly sensitive services like e-health. For instance, if the e-health flow of a given country goes through any non-French 5G nodes, it may not respect the service security or privacy policy.

A 5G operator must be able to ensure at all times that a given slice (service) resource is located in a given geographical area. A service provider must be able to check that the data flow of the service transits within a given area. This is possible if we are able to retrieve the underlying physical node identifiers belonging to every slice at run-time and verify their geographical location in order to ensure that their location does not violate the geographical constraints imposed by the e-health case.
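
One way to express the run-time check described above, which also covers the slice-to-infrastructure dependency retrieval called for under the resiliency policies of Use Case 5.2. This is an added example, not code from the deliverable; node identifiers, country codes and the placement snapshot are constructed, and treating unknown nodes as violations is an assumption.

```python
# Constructed inventory: physical node id -> ISO 3166-1 country code.
INVENTORY = {"pn-par-1": "FR", "pn-lyo-1": "FR", "pn-fra-1": "DE"}

# Constructed run-time snapshot: VNF -> (slice, hosting physical node).
SNAPSHOT = {
    "mme-ehealth": ("ehealth", "pn-par-1"),
    "sgw-ehealth": ("ehealth", "pn-lyo-1"),
    "mme-mmtc": ("mmtc", "pn-lyo-1"),
    "sgw-mmtc": ("mmtc", "pn-fra-1"),
}


def dependencies(snapshot):
    """Slice -> set of physical nodes it currently depends on."""
    deps = {}
    for slice_id, node in snapshot.values():
        deps.setdefault(slice_id, set()).add(node)
    return deps


def geo_violations(snapshot, inventory, slice_id, allowed):
    """VNFs of a slice hosted outside `allowed`; unknown nodes fail closed."""
    bad = []
    for vnf, (s, node) in sorted(snapshot.items()):
        country = inventory.get(node)        # None when the node is not inventoried
        if s == slice_id and country != allowed:
            bad.append((vnf, node, country))
    return bad


def migration_events(before, after, inventory, slice_id, allowed):
    """Monitoring policy: notify on any move, raise an alarm if it leaves `allowed`."""
    events = []
    for vnf, (s, new_node) in sorted(after.items()):
        if s != slice_id:
            continue
        old_node = before.get(vnf, (s, None))[1]
        if old_node == new_node:
            continue
        level = "notification" if inventory.get(new_node) == allowed else "alarm"
        events.append((level, vnf, old_node, new_node))
    return events


def shared_nodes(snapshot):
    """Physical nodes serving more than one slice (cascade candidates)."""
    by_node = {}
    for slice_id, node in snapshot.values():
        by_node.setdefault(node, set()).add(slice_id)
    return {n: sorted(s) for n, s in by_node.items() if len(s) > 1}


def cascade(snapshot, failed_node):
    """Slices affected if `failed_node` becomes unavailable."""
    return sorted({s for s, node in snapshot.values() if node == failed_node})


if __name__ == "__main__":
    print(dependencies(SNAPSHOT))
    print(geo_violations(SNAPSHOT, INVENTORY, "ehealth", "FR"))
    moved = dict(SNAPSHOT, **{"sgw-ehealth": ("ehealth", "pn-fra-1")})
    print(migration_events(SNAPSHOT, moved, INVENTORY, "ehealth", "FR"))
    print(shared_nodes(SNAPSHOT), cascade(SNAPSHOT, "pn-lyo-1"))
```

Because the SDN controller and VNF migration can change the placement at any time, the snapshot has to be refreshed and re-checked on every change rather than verified once at deployment.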

VNFs can be provided by third parties, so another threat is when VNFs become compromised. A network operator must be able to check, in real time, the integrity of the running code in a NFV and that it (the NFV) is compliant with what he previously defined, which is why one of Carol’s roles is to check the integrity of the MME software running on the VM.

Another threat is when SDN is the underlying infrastructure of NFV-based services, where SDN is ensuring the connectivity among VNFs. In this scenario, the SDN controller can become compromised, because SDN controllers are vulnerable to DDoS attacks (Distributed Denial of Service).

7.3.4.4 Properties of a solution
One basic approach is to verify and thoroughly test the deployed software that controls the network. There should be dedicated tools that support these verification and testing tasks. Another, complementary approach is to monitor the interactions between the network’s planes. These interactions are checked against given security policies. Noncompliant, malicious, and suspicious interactions (or sequences of interactions) are reported. The checking can either be done online or offline. In the latter case, the interactions are logged and then collected and audited later.

7.3.4.5 Use case categories
Ensure Enablers: Network Management & Virtualisation Isolation, Security Monitoring, Trust
Next Generation Radio Technology Use cases: mMTC, uMTC, xMBB
7.3.5 Use Case 5.5: Control and Monitoring of Slice by Service Provider
This use case belongs to category 3: monitoring and control of the virtualized 5G network.

7.3.5.1 Preconditions
• There is a Virtualised Infrastructure Provider (VIP).
• There is a Virtual Mobile Network Operator (VMNO).
• The VIP has deployed a Virtual Core Network (VCN) for the VMNO.
• There is a Service Provider (SP).
• The VMNO has deployed a sub-slice for the SP with certain SLA constraints.

7.3.5.2 Description
A Service Provider, for instance a massively multiplayer online game (MMOG) host, requires a secure network with some QoS guarantees to be used by their customers (game players). The Service Provider has a contract with the VMNO for the VMNO to supply a suitable sub-slice of the VCN for the Service Provider’s customers to use. The Service Provider needs to be able to monitor the sub-slice to ensure that the VMNO is providing what is required by the contract, and also needs to be able to vary the parameters of the sub-slice within some predefined bounds as the service’s popularity changes.

The term “sub-slice” is here being used to mean a portion of a network slice. This use case maintains most of its features if the Service Provider is a direct customer of a MNO and the MNO provisions a “slice” of the core network for the SP. By having the SP interact with a VMNO we demonstrate a further potential level of complexity.

Basic flow of events:
1. Dave, an employee of the SP, using the tools provided by the VMNO, monitors the QoS being provided to the game players in the sub-slice.
2. Dave, using the Service Provider’s game monitoring system, predicts that the number of players this evening will increase beyond the capacity that the sub-slice was provisioned for and that the performance of the game for the players will degrade to an unacceptable level.
3. Dave requests that the capacity of the sub-slice is increased to deal with the additional demand.
4. The VMNO determines (automatically or manually) that the VCN can support the increased capacity of the sub-slice without degrading the QoS of other customers and so increases the sub-slice capacity.
5. The VMNO charges the SP for the extra capacity.

7.3.5.3 Vulnerabilities and consequences
The use case demonstrates that a customer of a VMNO can request, use, monitor and control a sub-slice of the network. This requires re-selling of capacity by a VMNO along with QoS terms contained in an SLA. The use case also demonstrates the dynamic nature of allocations by allowing the Service Provider to have some degree of control over their sub-slice. To ensure an acceptable level of service for their customers, the Service Provider would need to be able to assess the trustworthiness of the VMNO before entering into a contract with them. The dependence of the VMNO’s systems on (at least) the VIP makes the chain of trust quite complex.

7.3.5.4 Properties of a solution
• control of sub-slice may be addressed with delegation
• hierarchical asserted identities of actors
• SLA where parts of the agreement relate to establishing new SLAs
• a tool to assess the trustworthiness of a system (including network components and actors) based on known threats and prior experience

7.3.5.5 Use case categories
Ensure Enablers: Network Management & Virtualisation Isolation, Security Monitoring, Trust
Next Generation Radio Technology Use cases: mMTC, uMTC, xMBB
7.3.6 Use Case 5.6: Integrated Satellite and Terrestrial Systems Monitor

7.3.6.1 Introduction
This use case belongs to category 3 and is related to broadband telecommunication systems or telecommunication ground user segments. The infrastructure for building the SatAN (Satellite Access Network) comprises the following network components (see Figure 10):
• Satellite Hub: satellite earth station connected to the 5G network.
• Satellite-capable eNB: traditional eNB improved with a satellite link.
• Different UEs:
  o Satellite Terminals (Ka band): satellite terminal with a Ka band antenna.
  o Satellite Modems: end-user satellite terminal connected to a satellite antenna using a communications satellite as a relay.
  o 5G devices.

These network components are distributed over a wide area and, due to the satellite support, ensure high network availability and service reliability with a 100% geographic coverage.

These network components periodically collect information from themselves (hardware status, alarms…) and counters from the specific business logic (transfer rate, number of requests…). This information, called indicators, is used to monitor the network.

These indicators can be classified in three categories:
• Health status:
  o Intrusion detection.
  o Alarms scanned by satellite network devices.
  o Excessive load.
• Configuration state:
  o Network status.
  o Credential status.
• Counters:
  o Volume counters.
  o Efficiency counters.

These network components are supervised and controlled using a network management system. This network management system is composed of:
• Security monitor: receives such indicators and is in charge of carrying out an active security analysis to detect attacks and malicious behaviour. Furthermore, the security monitor uses data analytics and intelligence-driven security to respond to the identified threats (e.g. notify the operator, balance the load, …). Some of the threats identified are:
  o Attack on network components: RF interference, power or communications lines…
  o Attack on the network management system: intruding the system by hijacking, blackmailing, placing or impersonating the operator, to obtain credentials or/and gain control of the system, …
  o Denial of service: flood the network with dummy indicators to make the network unusable, preventing any useful communications with the network management system.
• B/OSS (Business and Operational Support Systems) monitor: receives such indicators and is in charge of service provisioning, network configuration and billing.

7.3.6.2 Preconditions
• The network components periodically collect indicators.

7.3.6.3 Description
Once registered, network components deliver the collected indicators to the security monitoring. Later, security monitoring uses active security analysis with these indicators in order to detect threats.

SatNO connects to the security monitor to check the system’s status (e.g. fault management, performance monitoring) and, if needed, responds to the identified threats.

A Service Provider (i.e. telecommunications company) has a contract with the SatNO to supply a suitable system capacity with some QoS guarantees to be used by its customers. The Service Provider implements pre-paid/post-paid services and connects to the B/OSS monitor to ensure that the SatNO is providing what is required by the contract and performs some control tasks (management of system bandwidth and power to optimize global capacity, configuration of network components, …).

Basic flow of events:
1. Upon activation, each network component identifies itself with the network and registers with the network management system
2. The security credentials of these network components need to be periodically updated
3. Once registered, network components periodically deliver the collected indicators to the network management system
4. Network management system receives from the network components a large number of indicators
5. Security monitor uses active security analysis with these indicators

Alternative flow of events:
1. Alice, a SatNO, connects to the security monitor to check the system status and the security analysis provided by the security monitor
2. Security alarms (e.g. attacks, malicious behaviour detected, …) may require a response from Alice (e.g. allow/deny access to one network component)

Alternative flow of events:
1. Carol, an employee of the SP, connects to the BSS/OSS monitor to check the QoS
2. Carol may request increased capacity to deal with additional demand

Figure 10: Satellite and 5G Monitor.

7.3.6.4 Vulnerabilities and Consequences
The use case demonstrates the dynamic nature of allocations by allowing the Service Provider to have some degree of control over their micro-slice. The security credentials of these micro-slice components may have been compromised, in which case an update of these credentials needs to be forced to maintain the security of the network.

The origin of most fraudulent accesses or security breaches can be summarized as either technical identity alteration (after an illegal or illegitimate privilege augmentation) or signalling messages received outside of the normal sequences.

7.3.6.5 Properties of a solution
The use case requires re-selling of capacity by a SatNO along with QoS terms contained in an SLA.
• Secure mechanism to store and update the security credentials for the network components
• Generic secure interface to provide indicators from a heterogeneous network and to update the security credentials
• Real time data analytics and intelligence-driven security to detect threats based on security metrics

7.3.6.6 Use case categories
Ensure Enablers: Security Monitoring, Network Management & Virtualisation Isolation
Next Generation Radio Technology Use cases: mMTC, uMTC

7.4 5G Vision
It is envisioned that the virtualization of the core network is an essential feature of 5G. A virtualized core is described here as a “network slice”. Mobile operators are able to provide different core network slices for different types of subscribers. This includes different UE types, such as mMTC or xMBB but also customer specific slices such as eHealth or satellite communications. Network slices may provide different services, and share a common radio network. The virtualization may also include more fine-grained features, such as micro-segmentation within the slice. Isolation of network slices is essential.

Techniques that are available for implementation of the virtualization are many, e.g. Software-Defined Networking, Virtualized Network Functions and Cloud techniques. Virtualization is most likely to be transparent to many 5G nodes, however, there might also be some 5G node components that are actively modifying the structure and behaviour of the core network, adapting to e.g. subscriber/device context. It is most likely, and desirable, that virtualization is transparent to the User Equipment (UE) and the subscriber. The UE does not need to be aware of the internal structure or implementation of the core.

Virtualization brings new types of actors and roles into the picture. It is envisioned that it is possible to separate the roles of the 5G Node Provider, the Virtualization Infrastructure Provider, and the Virtual Mobile Network Operator. This also means that new types of secure monitoring and assurance interfaces are needed if all the new roles are taken by separate actors. Actors that are operating on top of a virtualized platform need to monitor, verify and control what is happening in the virtualized network as well as in the virtualization infrastructure.

8 Cluster 6: Radio Interface Protection

8.1 Introduction
This cluster describes two use cases addressing availability and integrity of the radio interface. Use case 6.1 considers overload and denial of service attacks of the radio interface and how devices with priority should be prioritized in order to be able to attach even during a high load situation. Use case 6.2 considers user plane data integrity protection.

8.2 Actors
The actors in this cluster are:
• Mobile Network Operator (MNO)
• Communication device (D)
• User (Bob)

8.3 Use Cases

8.3.1 Use Case 6.1: Attach Request During Overload

8.3.1.1 Preconditions
• The RAN is serving multiple recent attach requests
• Available radio resources are depleted

8.3.1.2 Description
A critical communication device D, e.g. serving critical infrastructure or used by user Bob in an emergency situation, is trying to attach to the MNO’s network. The network is busy serving many other attach requests so D does not get immediate access to the network. Even devices which are attached but lose radio synchronization are required to perform the random access procedure and may become locked out of the network in these situations.

Basic flow of events:
1. D makes an attachment request to the base station
2. The base station is busy serving other recent attachment requests or has no radio resources available
3. D gets no access or becomes delayed

Alternative flow of events:
1. D is attached to the network
2. D loses radio synchronization
3. D is re-attaching
4. Available radio resources are depleted and the network can’t offer D access
5. D does not regain connectivity
8.3.1.3 Vulnerabilities and consequences
• Current networks perform preliminary radio resource allocation and signalling procedures, which consume processing and other resources in the RAN and on the backhaul, before the authentication procedure
• Illegitimate requests cannot be rejected at an early stage, and there are no means to give priority to important requests
• An adversary can saturate the radio network (or the uplink resources), e.g. using software defined radios (SDR), or using multiple legitimate devices, e.g. like in a botnet setting
• When attached devices lose radio synchronization, they are required to perform the random access procedure and may be unable to reconnect, despite being allocated radio resources
Potential consequences include:
• Disrupted availability of critical communications network. Deceptive illegitimate requests may cause disruption in network access
• Emergency and critical communication requests cannot get higher priority than non-urgent attachment requests
8.3.1.4 Properties of a solution
• A secure method for priority of access requests
• Save resources by rejecting illegitimate or non-prioritized requests at an early stage, i.e. enable integrity protection at a low layer in the radio network stack
• Give priority for re-attachment to devices losing radio synchronization
• Threats of cyber-attacks directly targeting 5G networks need to be dealt with in the 5G design
8.3.1.5 Use case categories
Ensure Enablers: AAA, Network Management & Virtualisation Isolation
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
8.3.2 Use Case 6.2: Unprotected User Plane on Radio Interface
8.3.2.1 Preconditions
• The UE is in Connected Mode
• Signalling is integrity protected
• User plane data is not integrity protected
• Encryption may not be allowed on the radio interface due to regulatory constraints
8.3.2.2 Description
Signalling between the UE and network is integrity protected, but in some scenarios the amount of signalling needed before sending user data is minimized to save battery; sometimes signalling before sending user data is completely removed. The data connection is left open to the network when the UE goes to sleep mode.
User plane data is not encrypted due to regulatory constraints. Since user plane data is not integrity protected either [TS33.401], this leaves the user plane data totally without protection.
Basic flow of events:
1. D attaches to the network and establishes integrity protection for signalling. Encryption is not used for signalling nor for user plane data
2. The network receives unprotected user plane data from D
3. D goes to sleep. The data connection is left open.
4. D wakes up and sends data on the data connection
Alternative flow of events:
1. D attaches to the network and establishes integrity protection for signalling. Encryption is not used for signalling nor for user plane data
2. The network receives unprotected user plane data from D
3. D goes to sleep. The data connection is left open
4. Adversary sends data on the open data connection
8.3.2.3 Vulnerabilities and consequences
• The network cannot verify authenticity of the received user plane data
• An adversary may use the open user data connection
As a consequence, the user plane data is completely unprotected and the MNO cannot provide any service relying on the content.
8.3.2.4 Properties of a solution
• Introduce integrity protection of user plane in addition to integrity protection of control plane
• Replace specific integrity protection of control plane with common integrity protection on user and control plane lower in the radio network stack
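The effect of the first property on the alternative flow above, as an added example that is not part of the deliverable: the network side of a connection left open during sleep accepts only frames carrying a valid, fresh integrity tag. HMAC-SHA256 truncated to 32 bits stands in for a radio-layer integrity algorithm; the frame layout, key, bearer number and direction value are assumptions.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4   # assumed tag length in bytes
UPLINK = 0    # assumed direction value for device -> network


def _tag(key: bytes, count: int, bearer: int, direction: int, payload: bytes) -> bytes:
    """Integrity tag over counter, bearer id, direction and payload."""
    header = struct.pack(">IBB", count, bearer, direction)
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]


def protect(key: bytes, count: int, bearer: int, payload: bytes) -> bytes:
    """Sender side: frame = 4-byte counter | payload | tag."""
    return struct.pack(">I", count) + payload + _tag(key, count, bearer, UPLINK, payload)


class UserPlaneReceiver:
    """Network side of one data connection that stays open while D sleeps."""

    def __init__(self, key: bytes, bearer: int):
        self.key = key
        self.bearer = bearer
        self.next_count = 0   # lowest counter value still acceptable

    def accept(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < 4 + MAC_LEN:
            return None
        (count,) = struct.unpack(">I", frame[:4])
        payload, tag = frame[4:-MAC_LEN], frame[-MAC_LEN:]
        expected = _tag(self.key, count, self.bearer, UPLINK, payload)
        if not hmac.compare_digest(tag, expected):
            return None   # forged or modified frame
        if count < self.next_count:
            return None   # replay of a frame that was already accepted
        self.next_count = count + 1
        return payload


def demo():
    """Run the alternative flow against a receiver that checks integrity."""
    key = bytes(range(32))   # constructed session key shared by D and the network
    rx = UserPlaneReceiver(key, bearer=5)
    results = {}
    before_sleep = protect(key, 0, 5, b"meter=21")
    results["before_sleep"] = rx.accept(before_sleep)
    # D sleeps and the connection stays open. The adversary has no key,
    # so it can only guess a tag or resend a frame it has observed.
    guessed = struct.pack(">I", 1) + b"meter=99" + b"\x00" * MAC_LEN
    results["injected"] = rx.accept(guessed)
    results["replayed"] = rx.accept(before_sleep)
    # D wakes up and continues with the next counter value.
    results["after_wake"] = rx.accept(protect(key, 1, 5, b"meter=22"))
    return results


if __name__ == "__main__":
    print(demo())
```

A 32-bit tag keeps the per-frame overhead small but bounds forgery resistance at one success in 2^32 guesses per frame, which is why the counter check is needed alongside it.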
8.3.2.5 Use case categories
Ensure Enablers: AAA, Network Management & Virtualisation Isolation
Next Generation Radio Technology Use cases: mMTC, uMTC
8.4 5G Vision
The 5G network should be robust against overload and denial of service attacks on the radio interface. Prioritized devices should get priority and be able to attach even during high load situations. Also, already attached devices losing synchronization should regain access during high load situations. User plane data should be integrity protected, enabling trustworthy services to be built on top, and illegitimate and low priority requests should be rejected at an early stage.
9 Cluster 7: Mobility Management Protection
9.1 Introduction
This cluster describes different techniques to cause a persistent denial of service attack on the UE, illustrated by three different flows of events. The denial of service attacks are possible since none of the exploited messages require confidentiality or integrity protection in the current 3GPP standard, thus enabling the attacker to intercept, decode and alter the messages.
9.2 Actors
The actors in this cluster are:
• Mobile phone subscriber (Bob)
• Malicious attacker (Mallory)
• Mobile Network Operator (MNO)
• Sensor1
9.3 Use Cases
9.3.1 Use Case 7.1: Unprotected Mobility Management Exposes Network for Denial of Service
9.3.1.1 Preconditions
• Bob has a valid subscription with the MNO
• Mallory’s rogue equipment is physically located in the same area (TA or Cell) as Bob or Sensor1
• Mallory has access to her own rogue eNB
9.3.1.2 Description
Bob powers on his phone. As part of the LTE specification [TS33.401], the phone will initiate an “Attach request” to the base station (eNB). Once connected to the MNO, the user equipment (UE) will send periodic tracking area update (TAU) request messages intended for the MNO’s Mobility Management Entity (MME).
This use case is valid for all types of connected devices, i.e. Bob can be substituted with Sensor1.
Basic flow of events:
1. Bob is at work and has his phone turned on and is connected to his MNO
2. Bob’s phone sends a TAU request message to the MME of his connected MNO
3. Mallory intercepts the TAU request and responds with a TAU Reject with EMM cause number 7 “LTE Services not allowed” or cause number 8 “LTE and non-LTE services not allowed”. See Figure 11 and Figure 12.
4. Bob’s phone accepts the TAU Reject message and acts accordingly
a. If EMM cause number 7, Bob’s phone will consider itself invalid for LTE services. If supported the phone will connect to available 3G or 2G networks
b. If EMM cause number 8, Bob’s phone will consider itself invalid for all services and enter the state EMM-DEREGISTERED.
Alternative flow of events:
1. Bob powers on his phone.
2. Bob’s phone sends an “Attach request” to the MNO.
3. Mallory intercepts the “Attach request”.
4. Mallory alters the message and replaces the “Voice domain preference and UE’s usage setting” with “Additional update type – SMS only” and forwards the message to the MNO.
5. The MNO accepts the message and proceeds with the AKA protocol; furthermore the MNO configures the profile of the UE in the MME with the capabilities sent by Mallory, thereby rejecting all voice capabilities.
Alternative flow of events:
1. Bob’s phone continuously sends registration requests to the networks with the best coverage.
2. Mallory responds with the reject message “Forbidden PLMN”.
3. Bob’s phone accepts the unprotected reject message and reconfigures the USIM accordingly, hence denying all services to the indicated public land mobile network (PLMN) until the phone has been turned off/on or the USIM has been re-inserted.
Figure 11: (from [Shaik2015]) DoS attack - denying LTE network services
Figure 12: (from [Shaik2015]) DoS attack - denying all mobile network services
9.3.1.3 Vulnerabilities and consequences
• The TAU Request is sent without confidentiality protection, hence the attacker can decode it.
• The TAU Reject message is accepted by the UE without integrity protection and without an established security context between the UE and network.
• The “Attach request” is sent unprotected, hence the list of the network capabilities can be altered by the attacker.
• “Forbidden PLMN” reject messages are accepted by the UE without integrity protection and without an established security context between the UE and network.
These vulnerabilities can be used to perform denial of service or downgrade attacks, which persist until the user reinserts the USIM, reboots the UE, or in one case, physically moves the UE to a new tracking area.
9.3.1.4 Properties of a solution
Security monitoring could be one solution to capture those attacks where the UE is forced to use weaker services. A UE that previously has been able to use full services typically does not downgrade its own capabilities.
If the TAU Reject messages were digitally signed and the signatures verified by the UE, an adversary’s messages would be rejected by the UE. This would require the introduction of MNO specific public keys.
A mitigation that makes it more difficult to implement a persistent denial of service attack would be to introduce a mechanism based on a timer or counter value, to allow the UE to re-attach itself to the network after a certain time.
To mitigate the man-in-the-middle attack on the Attach request, the 5G network could require an identical integrity protected reconfirmation of the network capabilities as is required for the security capabilities in LTE.
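Two of these properties as an added example that is not part of the deliverable: a UE model in which a reject received without integrity protection expires after a timer, and a network-side monitor that flags subscribers whose advertised capabilities shrink between Attach requests. The timer value, capability names, subscriber identifiers and log layout are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# EMM cause numbers and their wording as quoted in the use case.
CAUSE_LTE_NOT_ALLOWED = 7   # "LTE Services not allowed"
CAUSE_ALL_NOT_ALLOWED = 8   # "LTE and non-LTE services not allowed"
RETRY_AFTER_S = 600         # assumed timer value; the text does not give one


@dataclass
class UE:
    """How a UE reacts to a TAU Reject, with or without a recovery timer."""
    recovery_timer: bool                       # False models the behaviour in the use case
    lte_barred: bool = False
    all_barred: bool = False
    unprotected_since: Optional[float] = None  # time of an unprotected reject

    def on_tau_reject(self, cause: int, integrity_protected: bool, now: float) -> None:
        if cause not in (CAUSE_LTE_NOT_ALLOWED, CAUSE_ALL_NOT_ALLOWED):
            return
        self.lte_barred = True
        self.all_barred = self.all_barred or cause == CAUSE_ALL_NOT_ALLOWED
        # Only a reject that arrived without integrity protection is
        # eligible for timed recovery; a protected reject stays in force.
        self.unprotected_since = None if integrity_protected else now

    def may_attach_lte(self, now: float) -> bool:
        if not self.lte_barred:
            return True
        expired = (self.unprotected_since is not None
                   and now - self.unprotected_since >= RETRY_AFTER_S)
        if self.recovery_timer and expired:
            # Timer ran out: forget the unauthenticated reject and retry.
            self.lte_barred = self.all_barred = False
            self.unprotected_since = None
            return True
        return False


def capability_downgrades(attach_log):
    """Report (time, subscriber, lost capabilities) whenever an Attach
    request advertises less than the subscriber's previous one."""
    last_seen = {}
    alerts = []
    for ts, subscriber, capabilities in attach_log:
        caps = frozenset(capabilities)
        previous = last_seen.get(subscriber)
        if previous is not None and not (previous <= caps):
            alerts.append((ts, subscriber, sorted(previous - caps)))
        last_seen[subscriber] = caps
    return alerts


# Constructed Attach records: (timestamp, subscriber, advertised capabilities).
ATTACH_LOG = [
    (100, "sub-A", {"voice", "sms", "data"}),
    (200, "sub-B", {"sms", "data"}),   # sensor that never advertised voice
    (300, "sub-A", {"sms", "data"}),   # voice disappeared between attaches
    (400, "sub-B", {"sms", "data"}),
]


def demo():
    legacy, mitigated = UE(recovery_timer=False), UE(recovery_timer=True)
    for ue in (legacy, mitigated):
        ue.on_tau_reject(CAUSE_ALL_NOT_ALLOWED, integrity_protected=False, now=0.0)
    return {
        "legacy_after_1h": legacy.may_attach_lte(3600.0),
        "mitigated_after_1h": mitigated.may_attach_lte(3600.0),
        "alerts": capability_downgrades(ATTACH_LOG),
    }


if __name__ == "__main__":
    print(demo())
```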
9.3.1.5 Use case categories
Ensure Enablers: AAA, Network Management & Virtualisation Isolation, Security Monitoring, Privacy
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
9.4 5G Vision
5G provides robust network services with considerable availability guarantees. The signalling messages exchanged between the user equipment and the 5G network should have the appropriate protection to combat known weaknesses in LTE. Such protection can be built from existing mechanisms, which in LTE provide a matching history of the user equipment’s security capabilities. In 5G these mechanisms can be expanded to include a similar check of the network capabilities. Additionally, the introduction of an operator public key can bring the necessary protection of capability lists that are broadcast by the network.
10 Cluster 8: Ultra-Reliable and Standalone Operations
10.1 Introduction
This cluster includes two use cases for ultra-reliable and standalone operations. The first one is the satellite-capable eNB that provides connectivity to the core network if the normal backhaul is lost. The second case describes standalone core network services that are similar to isolated public-safety services but are in this case commercial.
The use cases talk about Macro EPC, which is the 5G core network that is used in normal mode of operation. Macro EPC provides services to the subscribers that are in the home network, or which are roaming in some visited networks. The Macro EPC is reached via the satellite in the first use case when the normal route is not possible because of a natural disaster.
The standalone EPC is an entity which provides functionality that eNBs in standalone mode of operation use, instead of the Macro EPC, in order to support local services. This is assumed to be a commercial service, and connection to the Macro EPC is still possible.
10.2 Actors
The actors in this cluster are:
• Ad-hoc roaming user (Alice)
• SatNO (Bob)
• Visited Network (VN)
• Home Network (HN)
10.3 Use Cases
10.3.1 Use Case 8.1: Satellite-Capable eNB
10.3.1.1 Introduction
This use case focuses on evolving the Transport Network Architecture (TNA) by combining both satellite and terrestrial transport architectures. The infrastructure comprises the following components:
• Satellite Hub: satellite earth station connected to the 5G network.
• Satellite-capable eNB: traditional eNB improved with a satellite link.
• Network manager: performs topology calculations and distributes the updated network configuration.
The main goal is the ability to offer resilience to cases of link failure. The satellite connectivity adds flexibility to backhauling networks. Also, this use case provides offloading capability via satellite to the backhaul network in case of congestion. This is a key enhancement in 5G, as this use case can only be served by satellites, or is one for which satellites provide a more efficient solution.
The topology management objective is that no nodes in the mesh network are left unconnected, while covering all the needed area. The topology algorithm shall be based on user priority and bandwidth.
10.3.1.2 Preconditions
• Macro EPC: the EPC which serves an eNB in normal mode of operation.
• There is a satellite-capable eNB that has the capability of connecting to the Macro EPC via satellite, and provides IP connectivity to the UEs when the eNB has lost the wired route to the Macro EPC.
• In the event that the satellite-capable eNB does not belong to the HN and that there is no static roaming agreement between the VN and the HN, the roaming agreement is dynamic, and valid only when special conditions like a natural disaster occur.
10.3.1.3 Description
Alice is on holiday in an area which is abruptly turned into a natural disaster area. Alice is able to communicate even when there is no static roaming agreement between the HN and the VN.
Basic flow of events:
1. The natural disaster occurs. The eNB loses the connection to Macro EPC.
2. The network manager detects the failure event and performs topology calculations to guarantee ultra-reliable services
3. The new topology is forwarded to the network components
4. The satellite-capable eNB activates the alternative route to Macro EPC via the satellite.
5. The satellite-capable eNB starts to broadcast that it supports the ad-hoc roaming mode. It offers SMS services to everyone in the area. The voice services are now reserved for public safety users only.
6. Alice’s phone loses the connection to the network.
7. Alice’s phone attaches to the satellite-capable eNB of the VN.
8. Alice’s HN authorizes the ad-hoc roaming in the VN.
9. Alice receives an SMS from the embassy asking if she and her family are safe.
10. Alice informs the embassy that everyone in her family is safe.
10.3.1.4 Properties of a solution
• Dynamic roaming
• Non-satellite 5G device using satellite-capable eNB
• Satellite-based 5G topology reconfiguration
10.3.1.5 Use case categories
Ensure Enablers: AAA, Trust, Network Management & Virtualisation Isolation
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
10.3.2 Use Case 8.2: Standalone EPC
10.3.2.1 Preconditions
• There is a standalone-capable eNB that has the capability of standalone mode of operation, which provides commercial local IP connectivity to the UEs via a Standalone EPC.
• There is a standalone EPC which provides functionality that eNBs in standalone mode of operation use, instead of the Macro EPC. Standalone EPS provides IP address assignment and local routing within the standalone EPC.
10.3.2.2 Description
Alice is at a mega event with 100.000 other people. She uses the services that are available in the standalone EPC.
Basic flow of events:
1. When the mega event starts, the standalone-capable eNB starts to broadcast support of the ad-hoc roaming mode to the local EPC. It offers local IP connectivity within the standalone EPC.
2. Alice’s phone attaches to the standalone-capable eNB of the standalone EPC. Alice’s phone does not lose the connection to the HN.
3. Alice’s HN authorizes the ad-hoc roaming to the standalone EPC.
4. Alice uses the services in the standalone EPC.
5. Alice also uses the services in the HN.
10.3.2.3 Properties of a solution
• Dynamic roaming
• Commercial standalone EPC
10.3.2.4 Use case categories
Ensure Enablers: AAA, Trust, Network Management & Virtualisation Isolation
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
10.4 5G Vision
The 5G network is more reliable in terms of having dynamic, alternative routes from the radio network into the core network (such as satellite connection) and more flexible in terms of dynamic roaming. eNBs having satellite capabilities are especially interesting because they can provide satellite capabilities to non-satellite 5G devices. New commercial possibilities on stand-alone radio networks and stand-alone core networks are also envisioned.
11 Cluster 9: Trusted Core Network and Interconnect
11.1 Introduction
These use cases deal with trusted core network and interconnection between different entities. The 5G network should be such that it is able to ensure that the interacting entities are authentic ones and spoofing of messages cannot take place. This should not be based on implicit security assumptions, but rather use explicit security solutions.
11.2 Actors
The actors in this cluster are:
• Mobile phone subscriber (Bob)
• Adversary (Eve)
• Home Network (HN)
• Visited Network (VN)
11.3 Use Cases
11.3.1 Use Case 9.1: Alternative Roaming in 5G
11.3.1.1 Introduction
When entities are roaming in a visited network, it still needs to be ensured that the related messages are authentic instead of implicitly relying on the assumption that the traffic is originating from a certain network. Thus, messages need to be bound to the correct entities, so that spoofing cannot take place. The entities also should have a clear understanding of which entities they are communicating with. This is especially important when there are real world consequences, such as charging.
11.3.1.2 Preconditions
• The HN and the VN have a roaming agreement
11.3.1.3 Description
Bob needs the assistance of the home AAA infrastructure in order to authenticate himself to the VN. Home AAA issues an authentication challenge. This process also identifies both the VN and the HN, so that the involved parties are identified. In the course of this process, Bob also authorises the VN to provide services to him.
At the same time, accounting mechanisms are set up. The HN network can therefore have assurance that any billing related information is tied to Bob. Thus, the VN cannot make false claims. Similarly, Bob’s false claims can be denied based on assured accounting information. Bob’s device is involved in the process, so that there is transparency of the incurred costs to Bob as well.
Basic flow of events (see Figure 13):
1. The VN is advertised to Bob
2. Bob identifies his HN and authorises the VN to offer services to his identity
3. The HN detects that the risk status of the VN is such that interaction can proceed
4. The HN sends an authentication challenge to Bob and also identifies the VN to be used
5. Bob checks that he is using the correct network and responds to the challenge
6. The HN verifies the challenge-response and informs the VN that Bob is authentic
7. Authentication result is transmitted to Bob
8. Bob negotiates the use of services for his identity
9. The VN binds its own identity to the service negotiation
10. Non-repudiable service records are created
Figure 13: Bob attaches to the VN while roaming abroad
11.3.1.4 Vulnerabilities and consequences
This use case depicts the following vulnerabilities and their consequences.
• Unauthorised disclosure of sensitive information
  o If core network elements, interconnect networks, or other operators are expected to be trusted entities with no additional verification, sensitive information will be disclosed to unauthorised entities [Nohl2014]
• Spoofing of signalling messages
  o If unauthentic signalling messages can be sent and accepted, the behaviour of the network can be changed in an unauthorised way, i.e., integrity of the network is compromised
  o If traffic that has impact on charging is neither authenticated nor clearly bound to the entity which is responsible for the traffic, fraud can be performed. This is likely to decrease the user trust in the system.
11.3.1.5 Properties of a solution
If network entities have cryptographic identities, then messages can be bound to them strongly. This provides more flexibility when referring to other entities outside the two-way interaction.
Service usage can be negotiated in such a way that both parties have an understanding of the incurred costs. This involves using the said identities, guaranteeing that assured accounting records can be created.
11.3.1.6 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: xMBB
11.3.2 Use Case 9.2: Privacy in Context-Aware Services
11.3.2.1 Introduction
The context of the user is beneficial for providing better services. However, privacy issues arise as there might be unintentional disclosure of user related information [Vallina-Rodriguez2015]. The other side of the coin is that if purely encrypted traffic is used, then it is harder to take advantage of flow semantics to optimise the user experience [Smith2015].
11.3.2.2 Preconditions
• The HN and the VN have a roaming agreement
11.3.2.3 Description
The VN and the HN may exchange information regarding Bob’s context. This information can be used to customise the network in order to satisfy Bob’s service requirements without revealing any unnecessary information.
Basic flow of events (see Figure 14):
1. On demand, the VN sends information about Bob's context to the HN
2. The HN shares some of the context information with content providers as allowed by (privacy) policies
Figure 14: Disclosure of user context information controlled by Home Network
Alternative flow of events:
1. Bob authorises the visited network to disclose some of the context information as per his defined privacy policies
2. The VN shares some of the context information with content providers
11.3.2.4 Vulnerabilities and consequences
User traffic can be enriched in various ways, such as proxies including additional headers in the user traffic. However, this information can leak and be abused by parties for which the information was not intended. This violates user privacy.
It is worth noting that in the above alternative flow the control of disclosure lies within the visited network. Even though the user can state his privacy policies, he cannot verify how well this is honoured as the user’s contractual relationship is with his home network. On the other hand, nothing (save regulatory sanctions) prevents the visited network from disclosing this information anyway.
11.3.2.5 Properties of a solution
Context information is disclosed in a controlled fashion and it is made available in a standardised way so that it is not necessary to devise non-interoperable or potentially vulnerable schemes. In addition, the context information can be used in case of encrypted flows.
11.3.2.6 Use case categories
Ensure Enablers: Privacy, Trust
Next Generation Radio Technology Use cases: xMBB, uMTC
11.3.3 Use Case 9.3: Authentication of New Network Elements
11.3.3.1 Introduction
5G networks allow more dynamism through virtualisation and new functions can be introduced to the network on the fly. As these environments are more virtualised, there is always a danger that someone manages to introduce a malicious function into the network. Similarly, unauthorized physical elements could be attached to the network, if their authenticity is only based on the location in the network.
11.3.3.2 Preconditions
• The HN and the VN have a roaming agreement
• The VN does not have up-to-date patch management
• There is an exploitable vulnerability in the VN infrastructure
• Poor physical security of the VN has resulted in the installation of an unauthorised device
11.3.3.3 Description
Unbeknown to Bob, Eve has managed to infiltrate the VN and installed a device into the local network (Figure 15). The device is not recognised as an authorised node, so it cannot inject network traffic; however, it detects an unpatched vulnerable server and installs a malicious network function to subvert user traffic. However, as all the signalling related to Bob is strongly bound to his (temporary) identity, Eve’s attempts to inject messages masquerading as Bob, so that Bob would suffer the incurred costs, are detected as spoofing attempts. Based on this finding, the HN network reports the possible misuse to the VN. Based on its policies, the VN will consider some measures to address the problem.
Basic flow of events:
1. Eve installs a malicious network device
2. Eve attempts to inject signalling messages, but they are rejected because of an unauthorised sender
3. Local network has an unpatched server and Eve is able to take advantage of the existing vulnerability
4. Malicious virtual function is installed on the server
5. Malicious function attempts to send a spoofed message claiming to come from Bob
6. The HN network detects Bob’s spoofed identity coming from the VN
7. The VN is informed of the misuse
Figure 15: Eve has infiltrated VN and tries to subvert Bob’s traffic
11.3.3.4 Alternative Description
Unbeknown to Bob, Eve has managed to infiltrate the VN and installed a device into the local network. The device is recognised as an authorised node, so it can inject data into Bob’s user traffic. Eve’s injection is detected as spoofing attempts because of behavioural analysis on Bob’s traffic profile in the HN network. Based on this finding, the HN network reports the possible misuse to the VN. Based on its policies, the VN will consider some measures to address the problem.
Alternative flow of events:
1. Eve installs a malicious network device
2. Network has a vulnerable AAA server and Eve is able to take advantage of the vulnerability
3. The device is recognised as an authorised node
4. Malicious device injects spoofed messages
5. The HN network detects abnormal traffic behaviour for Bob coming from the VN
6. The VN is informed of the misuse
11.3.3.5 Vulnerabilities and consequences
The following vulnerabilities can be introduced when more dynamism is introduced.
o Unauthorised network elements are deployed into the core network
  o If an adversary is able to deploy devices or functions into the network, various man in the middle attacks can become possible. The adversary has a potential to eavesdrop, modify, delete or inject new traffic. In the case of signalling traffic, the whole network could be compromised. Depending on the level of trust relationships, the propagation of the attack to other networks might be additionally facilitated.
o As more elements rely on software and virtualisation, proper patch management needs to exist
  o If elements are not kept up-to-date, lack of patching may lead to the existence of exploitable vulnerabilities in the software.
o Composition of networks or network elements is not authentic (or authorised)
  o If the new 5G architecture allows dynamic composition of networks or network elements, lack of authentication and authorization can lead to a compromised network similarly as in the previous case. The composition needs to define the constraints on the level of integration, i.e., what resources are available and what sort of security levels are expected. Liability aspects need to be taken into account as well.
11.3.3.6 Properties of a solution
When new elements are introduced into a dynamic network, it has to be ensured that they are authentic components. Monitoring and testing of the environment can help in detecting possible violations of system integrity. Monitoring of traffic patterns can also help in detecting subverted elements.
11.3.3.7 Use case categories
Ensure Enablers: AAA, Trust, Network Management & Virtualisation Isolation, Security Monitoring
Next Generation Radio Technology Use cases: xMBB, uMTC
11.4 5G Vision
5G networks are envisioned to dynamically adapt to the user needs. This dynamism sets more requirements on the authenticity of the entities as new entities emerge in the network and old ones are removed. Operators should not be forced to resort to implicit security assumptions about the security of the core network of the interacting partner, i.e., there should be more assurance that the traffic is indeed originating from a legitimate entity and is bound to a legitimate entity. This is especially important when any signalling has an effect on charging, thus it should be ensured that the users do not face unfounded service charges. This applies to the identity of the users as well, i.e., it should not be possible to spoof the identity of the user. On the other hand, the service charges ought to be attributable to the user so that the user is not able to deny the use of service.
In order to enrich and optimise the user experience, context information ought to be available for use. However, one also should ensure that when doing so the user privacy is honoured. Thus, there ought to be a controlled and standardised way of providing context-aware services.
As the network could be constantly evolving due to virtualisation and dynamic interaction, one should ensure that the security of the network is monitored as well. While monitoring of the network is a commonplace activity even nowadays, it is mainly done by add-on devices that may not have a holistic view of the network. In some cases it might even be envisioned that dynamic composition of elements would warrant security testing of those components before they are allowed to interact. This could simply be straightforward vulnerability scanning, but more complex scenarios could involve, e.g., sandbox testing. Correlation of information from several sources should in any case be used to make more educated guesses regarding the possible existence of ongoing attacks.
12 Cluster 10: 5G Enhanced Security Services
12.1 Introduction
Cluster 10 contains three use cases describing various enhanced security services that can be offered in 5G networks.
In use case 10.1 we learn a possible way to counteract mobile botnets by offering a service to aid the users to identify anomalous activity from their mobile devices and to report this activity. Use case 10.2 proposes a service that can help protect the user’s privacy at the application layer, by means of apps and device privacy checks. Use case 10.3 offers an anonymization capability to all 5G subscribers having an anonymization SIM. In addition to this capability more services may be envisioned that are able to anonymize user/device identifying data and, therefore, can help to protect the user’s privacy.
12.2 Actors
The actors in this cluster are:
• Mobile phone subscribers (Bob, Alice)
• Home Mobile Network Operator (HMNO)
• Malicious attacker (Mallory)
12.3 Use Cases
12.3.1 Use Case 10.1: Botnet Mitigation
12.3.1.1 Introduction
A botnet is a network of hijacked agents/clients which are remotely controlled, often associated with introducing malicious software. Botnet infrastructure is increasingly being used for performing criminal activity that involves the use of computers or networks such as the Internet. Although the network operators are not highly impacted as yet, the situation will most likely change in the future, because of the rapidly growing trend of data traffic in mobile networks and increased capability of mobile devices. In this use case an attacker remotely instructs an end user mobile device to send a premium SMS to a number controlled by the attacker.
12.3.1.2 Preconditions
• Bob has a valid subscription with the MNO
• Mallory’s infected application is uploaded to Bob's preferred applications store/market
12.3.1.3 Description
Bob is staying at home and browses his preferred applications store/market. He finds a free version of a popular and trendy game (or any other application) uploaded by an unknown publisher (i.e. Mallory) and decides to give it a try. Bob downloads it and installs it after accepting everything the game (application) requires to run. How Bob’s device gets infected is irrelevant here; it could also be by attaching his phone to an infected PC/laptop, or by opening a link received in a phishing mail. The salient aspect is that the infection propagates through mobile traffic. Here we observe the case where Bob’s device gets infected via the operator’s network.
The free version of the popular and trendy game application is modified in a way that, in addition to the main functionality, it also adds the SMS sending functionality and transforms the phone into a bot remotely controlled by a Command and Control Centre (C&C) piloted by Mallory. After Bob’s device has been infected, Mallory can remotely perform various malicious activities on the device, such as SMS sending in the background. For this particular attack, Mallory had registered a premium number with an operator, which could even be located in another country, and once (or twice) per month Mallory could configure the C&C to instruct all of his “puppets” (i.e. remotely controlled mobile devices) to send SMS to that premium number. Bob and thousands of other users are very unlikely to detect the increased monthly bill, especially if the increase amounts to only a couple of euros.
Basic flow of events:
1. Mallory registers a premium number with an operator.
2. Mallory configures the Command and Control Centre (C&C) robot to instruct all puppets to send SMS to that premium number.
3. Bob is connected to the MNO and browses the application market on his mobile device.
4. Bob installs an infected application and becomes one of the C&C’s puppets unknowingly.
5. Without Bob’s knowledge, his mobile device is used for botnet activity such as SMS sending and Bob’s monthly bill is increased
Figure 16: Malware infected UE sending premium SMS
12.3.1.4 Vulnerabilities and consequences
Vulnerabilities in mobile devices as well as the ingenuity of their users can lead to subverting the integrity of the device and installation of malware. As a result
• Mobile device could be controlled remotely
• Mobile devices could be used for malicious activities
Unwanted communication could lead to monetary loss for the end users through their monthly bills, regardless of how insignificant the amount is for each individual.
12.3.1.5 Properties of a solution
One way to approach this problem from the MNO point of view is to employ the services of an anomaly-based network intrusion detection or prevention system within the core network, so that the system detects atypical individual behaviour. Another solution could be providing the end user with visually represented historical data of their activity within the MNO, which, in addition to the targeted number and the party who owns it, also contains a representation of the country and MNO in which that number is registered. This would aid the users to identify anomalous activity from their mobile devices and to report this activity. Furthermore, the MNO could offer services to the end users to define their own atypical behaviour in the MNO, so that users could for instance restrict any outgoing SMS to specific foreign countries, or display a message prior to sending any outgoing SMS.
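Two of the checks described above, as an added example that is not part of the deliverable: a per-subscriber rule on destination countries, and a correlation across subscribers that flags a premium number contacted by many different devices within a short time. The record fields, thresholds, subscriber names, numbers and country codes are constructed for illustration.

```python
from collections import defaultdict, namedtuple

# One outgoing SMS as seen in the operator's records (fields are assumptions).
Sms = namedtuple("Sms", "ts subscriber dest dest_country premium")


def policy_violations(records, allowed_countries):
    """Per-user rule: SMS sent to a country the subscriber has not allowed.

    Subscribers without an entry in allowed_countries are unrestricted.
    """
    hits = []
    for r in records:
        allowed = allowed_countries.get(r.subscriber)
        if allowed is not None and r.dest_country not in allowed:
            hits.append(r)
    return hits


def coordinated_premium_bursts(records, window_s=3600, min_subscribers=3):
    """Fleet-level rule: premium numbers that at least min_subscribers
    different subscribers texted within one window of window_s seconds.

    Returns {premium number: sorted list of the subscribers involved}.
    """
    by_dest = defaultdict(list)
    for r in records:
        if r.premium:
            by_dest[r.dest].append(r)

    flagged = {}
    for dest, msgs in by_dest.items():
        msgs.sort(key=lambda r: r.ts)
        start, largest = 0, set()
        for end, msg in enumerate(msgs):
            # Slide the window so it never spans more than window_s.
            while msg.ts - msgs[start].ts > window_s:
                start += 1
            senders = {m.subscriber for m in msgs[start:end + 1]}
            if len(senders) > len(largest):
                largest = senders
        if len(largest) >= min_subscribers:
            flagged[dest] = sorted(largest)
    return flagged


# Constructed records; timestamps are seconds, country codes are made up.
SAMPLE = [
    Sms(1000, "bob", "PREMIUM-1", "XB", True),
    Sms(1020, "carol", "PREMIUM-1", "XB", True),
    Sms(1100, "dave", "PREMIUM-1", "XB", True),
    Sms(1200, "alice", "FRIEND-1", "XA", False),
    Sms(90000, "erin", "PREMIUM-2", "XA", True),    # isolated premium SMS
    Sms(200000, "frank", "PREMIUM-2", "XA", True),  # same number, much later
]
# Bob and Alice chose to allow outgoing SMS to country XA only.
POLICIES = {"bob": {"XA"}, "alice": {"XA"}}


def demo():
    return {
        "policy": policy_violations(SAMPLE, POLICIES),
        "bursts": coordinated_premium_bursts(SAMPLE),
    }


if __name__ == "__main__":
    print(demo())
```

The fleet-level rule catches the pattern that no single subscriber can see on a bill: each device sends only one message, but all of them go to the same premium number within the hour.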
12.3.1.6 Use case categories
Ensure Enablers: Network Management & Virtualisation Isolation, Security Monitoring, Trust
Next Generation Radio Technology Use cases: mMTC, uMTC, xMBB
12.3.2 Use Case 10.2: Privacy Violation Mitigation
12.3.2.1 Introduction
Mobile devices and the installed applications disclose a large amount of private information, both personal and device-related. There are many misbehaving apps, PUAs (Potentially Unwanted Applications), adware and ransomware in the wild, and spyware is not so uncommon even in official app stores! Currently the mobile network has no means to protect the user’s privacy at the application layer.
Some mobile subscribers have privacy concerns and would like to know if their device and the applications installed therein are involved in activities that violate their privacy.
12.3.2.2 Preconditions
• Alice has a valid subscription with the MNO
• Alice also subscribes to the privacy service provided by her mobile network operator (and possibly installs a privacy app).
12.3.2.3 Description
Alice has just installed a new game app on her mobile device (UE) from a link received inside an SMS from a Whatsapp contact. She is concerned that the app may violate her privacy in some way and so uses a service (and possibly a local app) to check.
Basic flow of events:
1. Alice activates the privacy service.
2. Alice launches her new game app.
3. The privacy service on the 5G network detects some anomalous event from the UE (e.g., botnet related communications) and sends a notification to Alice to ask her to activate a privacy related analysis.
4. Alice agrees to the request, and data (e.g. a list of installed applications) is sent from her phone to the privacy service for analysis.
5. The privacy service responds with a notification containing the name of the non-compliant app if any, a summary of its privacy violation activity, and the suggestion to uninstall it.
Alternative flow of events:
1. Alice starts the privacy app and configures her privacy preferences.
2. Alice installs the new game app, starts it and the game attempts to access the corresponding server which has also configured its privacy policy.
3. The privacy app checks Alice’s and the server’s privacy policies.
4. A privacy-related warning containing the name of the violating app and server is shown to Alice if the policies do not match.
5. Alice can decide whether to proceed with the app/server or not.
12.3.2.4 Properties of a solution
• The 5G network deploys some anomaly detection or malware activity detection mechanisms or privacy violation mechanism [Razaghpanah2015], [Ren2015].
• The 5G network adopts a privacy policy containing various privacy parameters (related to device and apps activity on user data) that can be controlled on user’s demand or upon some anomalous event detection.
• The 5G network offers to subscribers a service that checks the privacy risk of devices and their installed apps.
• A useful tool for this service is to require the mobile applications and servers to declare a human readable privacy policy and to offer a tool to the user’s device to verify it.
12.3.2.5 Use case categories
Ensure Enablers: Privacy, Security Monitoring, Trust
Next Generation Radio Technology Use cases: mMTC, uMTC, xMBB
12.3.3 Use Case 10.3: SIM-based and/or Device-based Anonymization
12.3.3.1 Introduction
Mobile devices and/or the installed applications (malware/spyware, misbehaving applications and also common applications) disclose a large amount of personal and device identifying information (e.g., IMSI, phone number, location data, IMEI etc.). If such private information is accessed by applications, the users would like to be able to protect it with appropriate (e.g., format preserving) anonymization algorithms residing preferably on the SIM. This service can be offered by the MNO at the application layer, e.g., through an application running on the device and/or on the SIM itself. A device implementation should preferably be integrated into the OS to provide protection against misbehaving applications. On the other hand, a SIM-based implementation may have even stronger security advantages and also provides “plastic roaming”, e.g., the service can be enjoyed even if the user changes device. We stress a difference to Use Cases 1.4 and 2.2. In the first case, the identity protection is provided through a network-based function. In the second case, the identity protection is, as in this use case, provided in the device, but the protection is targeting the lower (radio) layers of the protocol stack, rather than the service/application layer.
12.3.3.2 Preconditions
• Alice has a valid subscription with the MNO and a SIM that has anonymization capabilities.
• Alice has a means to configure and activate her anonymization preferences (profile).
12.3.3.3 Description
Alice configures her anonymization profile so that, for example, the IMSI is never disclosed to the applications requesting it, but returned in an anonymized way (e.g., with format preserving anonymization).
Basic flow of events:
1. Alice browses the application market on her mobile device.
2. Alice installs an entertainment application that can read the IMSI and send it to a remote server together with other app related data.
3. Alice activates the anonymization profile and starts the app.
4. When the application asks for the IMSI, it gets it anonymized and sends the anonymized IMSI to the remote server together with other app related data.
12.3.3.4 Properties of a solution
• Network provides an anonymization service that can be subscribed by users needing it (users that have privacy concerns regarding their data).
• Network offers to subscribers a SIM (or a device) that implements anonymization algorithms like for example lightweight format preserving algorithms that can be implemented with little computational resources.
• Network offers to subscribers a means to configure their anonymization preferences.
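The format preserving anonymization of the IMSI described in this use case can be sketched as follows. This is an added example, not code from the deliverable: it is a generic alternating Feistel network over decimal digits with HMAC-SHA256 as round function (not NIST FF1/FF3-1), and the per-application tweak, the function names and the sample key and IMSI are assumptions.

```python
import hashlib
import hmac

ROUNDS = 10  # illustrative round count for this sketch


def _prf(key, tweak, rnd, half, total_len):
    """Keyed round function: HMAC-SHA256 over (tweak, round, length, other half)."""
    msg = len(tweak).to_bytes(2, "big") + tweak + bytes([rnd, total_len]) + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _feistel(key, tweak, digits, decrypt):
    # Very short inputs have too small a domain to protect; 32 digits keeps
    # each half at 16 digits or fewer, far below the 256-bit PRF output.
    if not (digits.isascii() and digits.isdigit() and 6 <= len(digits) <= 32):
        raise ValueError("expected 6 to 32 decimal digits")
    n = len(digits)
    u, v = n // 2, n - n // 2          # halves may differ by one digit (odd n)
    a, b = digits[:u], digits[u:]
    rounds = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    for i in rounds:
        m = u if i % 2 == 0 else v     # width of the half being rewritten
        if decrypt:
            c = (int(b) - _prf(key, tweak, i, a, n)) % 10**m
            a, b = str(c).zfill(m), a
        else:
            c = (int(a) + _prf(key, tweak, i, b, n)) % 10**m
            a, b = b, str(c).zfill(m)
    return a + b


def anonymize(key, app_id, digits):
    """Return a pseudonym with the same length and alphabet as the input.

    The application identifier is used as tweak (an assumption of this
    sketch), so two applications cannot link their pseudonyms to each other.
    """
    return _feistel(key, app_id.encode(), digits, decrypt=False)


def deanonymize(key, app_id, digits):
    """Invert anonymize(); only the holder of the key can do this."""
    return _feistel(key, app_id.encode(), digits, decrypt=True)


if __name__ == "__main__":
    sim_key = bytes(range(32))     # constructed key; a real one would stay on the SIM
    imsi = "001010123456789"       # constructed IMSI (test PLMN 001/01)
    for app in ("game.example", "maps.example"):
        print(app, anonymize(sim_key, app, imsi))
```

The whole 15-digit string is transformed here, so the MCC/MNC prefix is not preserved; a profile that must keep the prefix readable would apply the same function to the MSIN digits only.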
12.3.3.5 Use case categories
Ensure Enablers: Privacy, Trust
Next Generation Radio Technology Use cases: mMTC, uMTC
12.4 5G Vision
In 5G, MNOs should build and drive internationally coordinated Anti-BotNet activities or programs. All detection and prevention methods should be embedded in the MNO infrastructure, since the MNOs do not have control over the end user devices and how users use the connected devices.
The 5G networks can offer additional (optional) enhanced security services to users that subscribe to them, especially users concerned with security and privacy issues arising from mobile malware and misbehaving or unwanted applications. Such services may detect botnet-related activity and privacy violation activity and notify the user. SIM-based (or possibly even device-based) anonymization services can also be provided to users who want to be able to control and protect the privacy of their own data.
13 Cluster 11: Lawful Interception
13.1 Introduction
In this cluster, we introduce the use cases that are relevant to lawful interception in a 5G context. As described in Figure 17, lawful interception involves several actors that we detail in what follows. For every use case, we give one or multiple flows of events, the potential vulnerabilities that may arise and their associated consequences, the security properties that a solution should satisfy, and the use case category. At the end of this section, we give an indication of the potential enhancements in 5G.
Figure 17: Lawful Interception Ecosystem
13.2 Actors
A lawful interception ecosystem, as described in Figure 1, involves four actors.
• Law Enforcement Agency (LEA): this is the authority that intends to carry out a lawful interception on a user, a list of users, a service or a list of services.
• A mobile phone subscriber (e.g., Alice, Bob)
• A 5G Operator
• Court of justice: this is the authority that delivers the authorization to perform a lawful interception.
[Figure 17 diagram labels: Court of Justice; Law Enforcement Agency; 5G Operator; 5G Network; LI Network Function; Users’ equipment (Alice, Bob). Arrows: Intercept request; Authorization; Intercept request & Authorization; Activate & Instantiate; Intercept Related Information; Content of Communication.]
13.3 Use Cases
13.3.1 Use Case 11.1: Lawful Interception in a Dynamic 5G Network
13.3.1.1 Introduction
5G involves the emergence of new technologies such as SDN and NFV, and new concepts like slicing. The network is evolving from a static one to a programmable, hence dynamic, one. An MNO will, therefore, have new responsibilities. In addition to managing hardware-based network equipment, the MNO will have to ensure the management and security of virtualized resources. Virtualization, in 5G, brings out new opportunities, mainly a dynamic network topology. This dynamicity would enhance the network resource management, so as to have the ability to support different services with different requirements, e.g. ultra-reliable use cases, massive IoT use cases.
In these circumstances, we attempt to show the necessary arrangements in order to ensure the LI functions. In what follows, for the sake of simplicity, we consider that LEA would like to intercept Bob’s activities in a given telecommunication service.
13.3.1.2 Preconditions
• LEA identifies the suspected criminal (i.e., Bob) to be surveilled.
• LEA requires an authorization from the court of justice in order to perform a lawful interception on Bob.
13.3.1.3 Description
On demand, a 5G operator should be able to answer any interception request regardless of the target entity/user or target service [TS33.106].
Basic flow of events:
1. LEA transmits the LI request and the granted authorization to the designated service of the 5G operator to conduct the interception with regards to Bob.
2. The designated service of the 5G operator checks the validity of the request.
3. Depending² on the intercept type (i.e., only Intercept Related Information (IRI-only), IRI and Content of Communication (CC)) and the service to be intercepted, the 5G operator instantiates/activates/initiates a Network function (we call it, in what follows, LI function) that will deliver to the authorities the required information.
4. At the end of the authorized period, the 5G operator deactivates the LI function.
² Step 3 may be interpreted differently depending on the 5G architecture. For instance,
- In a virtualization-based architecture for 5G network, the LI function should be a virtualised network function (VNF).
- In a slice-based architecture for 5G network, the LI function should be able to detect the involved slice. If the user is subscribed to various services (i.e., slices), the LI function should be a common VNF to all slices.
13.3.1.4 Vulnerabilities & consequences
The main issues that may arise result from a compromised/malicious LI function. We give further details about these issues in what follows.
- Unauthorized disclosure:
    o A compromised LI function may be activated/initiated without being triggered by the 5G operator.
    o A compromised LI function may provide to LEA information about users that do not belong to the declared list in the authorization.
    o A compromised LI function may deliver information to an external attacker.
    o A compromised LI function may continue delivering information even after the end of the designated period in the authorization.
- Disruption:
    o A compromised LI function may impact the quality of a given service.
- Deception:
    o A compromised LI function may deliver to LEA fake information (e.g., services to which the user is subscribed (slices)) about the suspected user.
13.3.1.5 Properties of a solution
In this section, we describe the properties that an LI implementation should satisfy and some possible ways to do so. Those choices may vary based on the adopted 5G network architecture.
• Transparency
    o The LI function, when activated, should not be detectable. Any third party (e.g., through observation) or user (e.g., through quality of service) should not notice any change when this function is activated.
• Confidentiality
    o Only concerned entities (i.e., the 5G operator LI service and LEA) have access to the list of the wiretapped.
    → The 5G operator must be able to answer the LI request without requiring any third party even when the user is subscribed to services that are not offered by the Network operator, but are delivered by the 5G network.
    → This property impacts two aspects: the LI function “location” within the network and its behaviour.
    Regarding the LI function location, two candidate solutions arise: an LI function per service (hence, within a slice) or a common LI function. The first candidate solution may violate the first and second properties (i.e., transparency and confidentiality) if the 5G operator will have to ask the service provider (i.e., slice owner) to activate the LI function. Now, if we consider that the 5G operator will not make any request to the slice owner, this may question the integrity of the service/slice. This is why we promote the second candidate solution (i.e., a common LI function for all the slices). Of course, a common LI must be implemented in a way to still ensure it does not provide unauthorized information leakage between slices.
    Regarding the LI function behaviour, the main two points are to authenticate the incoming requests from the 5G operator, and the target authority (i.e., LEA) before delivering any information.
• Dependability & reliability
    In a highly dynamic network including multiple slices and a floating topology, contrary to 3/4G, assuring trustworthiness of the delivered information.
    o The 5G operator should be able to provide high assurance that the wiretapped user/entity is indeed the required one.
    o The 5G operator should be able to provide high assurance on the validity of the collected information.
    o The 5G operator must ensure that only those under surveillance are wiretapped, e.g., Authorities cannot use the LI function to wiretap users/entities not on the list.
    o In case of an end-to-end encryption managed by the network, the 5G operator should be able to deliver plain data or the encrypted data along with the decryption key.
    → Contrary to 3/4G, this property implies the protection of transmitted information in terms of integrity, confidentiality and assurance about the source of information. Cryptographic mechanisms may be used in such cases, e.g., ciphering, signature.
• Security
    o Only the 5G operator should be able to activate the LI function. This would prevent fraudulent interceptions.
    → This property will also impact the choice of the LI function location within the network.
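The checks that these properties place on the LI function (activation only by the operator, delivery only for listed targets, only within the authorized period, and only the authorized intercept type) can be written as a small reference monitor. This is an added sketch, not code from the deliverable: the field names, the use of HMAC in place of an operator signature, and the sample events in the usage are assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

INTERCEPT_TYPES = ("IRI-only", "IRI+CC")


@dataclass(frozen=True)
class Authorization:
    """Court authorization as forwarded by the operator (field names are assumptions)."""
    warrant_id: str
    targets: tuple        # subscriber identifiers named in the authorization
    intercept_type: str   # "IRI-only" or "IRI+CC"
    not_before: int       # start of the authorized period, Unix time
    not_after: int        # end of the authorized period, Unix time

    def canonical(self):
        # Stable byte encoding so that any change to a field changes the tag.
        fields = dict(self.__dict__, targets=sorted(self.targets))
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def operator_sign(operator_key, auth):
    """Activation tag; HMAC stands in for the operator's signature in this sketch."""
    return hmac.new(operator_key, auth.canonical(), hashlib.sha256).digest()


class LIFunction:
    def __init__(self, operator_key):
        self._key = operator_key
        self._auth = None             # inactive until the operator activates it

    def activate(self, auth, tag):
        """Accept an activation only if it carries a valid operator tag."""
        valid = (auth.intercept_type in INTERCEPT_TYPES
                 and auth.not_before <= auth.not_after
                 and hmac.compare_digest(operator_sign(self._key, auth), tag))
        if valid:
            self._auth = auth
        return valid

    def deliver(self, event, now):
        """Return the record to hand to the LEA, or None if nothing may be delivered."""
        auth = self._auth
        if auth is None:
            return None
        if now > auth.not_after:
            self._auth = None         # deactivate at the end of the authorized period
            return None
        if now < auth.not_before or event["subscriber"] not in auth.targets:
            return None
        record = {"warrant_id": auth.warrant_id,
                  "subscriber": event["subscriber"],
                  "iri": event["iri"]}
        if auth.intercept_type == "IRI+CC":
            record["cc"] = event["cc"]   # content only when the authorization covers it
        return record


if __name__ == "__main__":
    key = b"k" * 32                                    # constructed operator key
    auth = Authorization("W-1", ("bob",), "IRI-only", 1000, 2000)
    li = LIFunction(key)
    li.activate(auth, operator_sign(key, auth))
    # Constructed events: one for the target, one for an unlisted subscriber.
    print(li.deliver({"subscriber": "bob", "iri": {"called": "x"}, "cc": b"voice"}, 1500))
    print(li.deliver({"subscriber": "alice", "iri": {"called": "y"}, "cc": b"voice"}, 1500))
```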
13.3.1.6 Use case categories
The LI requirements should be part of all the 5G enablers and use cases. Indeed, any 5G use case may be considered as a service where the target user or entity is subscribed.
Ensure Enablers: Privacy, Network Management & Virtualization Isolation, Security Monitoring, AAA, Trust
Next Generation Radio Technology Use cases: xMBB, mMTC, uMTC
13.3.2 Use Case 11.2: End-to-end Encryption in LI-aware network
13.3.2.1 Introduction
5G should push forward strict privacy for users. An end-to-end (device-to-device) encryption is the only solution to ensure this requirement, especially when the communications are to or from different networks, areas or countries with an unknown or unacceptable security level. The main goal is to offer stronger protection of user data and user related information while being able to securely answer any LI request.
This use case describes how a 5G operator can prevent eavesdropping attacks on all possible paths the user data traffic follows through the mobile network. This is done by augmenting identity management with additional cryptographic keys.
13.3.2.2 Preconditions
• Alice and Bob subscribe to an add-on end-to-end protection service supported by the 5G operator.
• There is a key management and key escrow server in the 5G network.
13.3.2.3 Description
Alice needs to communicate in an encrypted manner with Bob. She wants her call or SMS/MMS to be encrypted but she shares neither a secret key with Bob nor an application to encrypt the communication. Alice uses the encryption service provided by the 5G Operator, as shown in Figure 18.
Basic flow of events:
1. Alice is connected to the 5G network and has been authenticated.
2. Alice wants to call Bob. Alice’s device uses the key management service and negotiates a session key with Bob’s device to be used for call encryption.
3. Alice calls Bob with encryption turned on.
4. LEA wants to intercept Alice’s calls. LEA asks the 5G operator to provide access to the intercepted communications.
5. The 5G operator, as provider of the encryption service, acts as an escrow agent. The session key is retrieved or reconstructed and used by LEA to decrypt the session key and consequently Alice’s communication.
13.3.2.4 Vulnerabilities & consequences
The main potential flaw of an end-to-end encryption service is to provide LEA (or any other key escrow agents, e.g., 5G operator) full control of the decryption keys or to somehow enable a backdoor which might be used for undetectable mass surveillance [Murdoch2016]. In such a case, LEA or any entity in control of the backdoor may get information exchanged out of the designated period in the authorization and/or about users not in the list (Unauthorized disclosure).
13.3.2.5 Properties of a solution & candidate solutions
In this section, we describe the properties that an end-to-end encryption service should satisfy and some possible ways to do so. The main idea is to encrypt session keys using a master key. To this end, we can use a threshold (k, n) secret sharing scheme. In such a case, fewer than k agents (e.g., LEA, 5G operator, etc.) cannot get any information about the master key and any k (possibly smaller than n) or more agents can recover the master key. In what follows, we give further details.
• On-demand service
    o The service should be turned on and off by the subscribers.
• Backward secrecy
    o LEA must not have access to exchanged information before the designated period in the authorization.
• Forward secrecy
    o LEA must not have access to exchanged information after the designated period in the authorization.
• Security
    o The end-to-end encryption service may be applicable on IP or higher layer independently of the type of UE, using an application which is installed as part of the service.
    o The encryption key may be part of an escrow system provided by the 5G operator to enable secure communication and at the same time enable lawful interception.
Figure 18: The operator as a trusted provider of an end-to-end encryption service
13.3.2.6 Use case categories
Ensure Enablers: AAA, Privacy, Trust
Next Generation Radio Technology Use cases: mMTC, uMTC
13.4 5G Vision
5G should be able to answer any LI request in a secure way (i.e., without compromising the privacy of any of the network users). Moreover, information delivered, in case of a LI, must be provably trustworthy.
5G should be able to support end-to-end encryption for confidential device-to-device communications (e.g., calls and SMS/MMS communications), in conjunction with key escrow for reasons of lawful intercept.
14 Summary: Use Case Clusters
This document presents 31 use cases grouped into 11 clusters illustrating the enhanced scope of security and privacy in 5G networks and systems.
Clusters 1-4 focus on Identities, Authentication, Authorization and Privacy:
5G should provide a variety of identity management services which expand the capabilities of devices and networks beyond the legacy Device to Radio Access Network service. For example, new subscribers or machines should be able to enrol in 5G networks, using pre-existing identity management schemes; or be able to support identity schemes enabling devices to roam between terrestrial and satellite networks.
An MNO should be able to offer additional identity management services such as trusted assertions used by third party providers, and key management enabling communication to be authenticated and encrypted end-to-end. 5G should also be able to serve Internet-of-Things devices behind a gateway and support authorization of device-to-device operations at application layer or at network layer.
Due to the pervasive nature of 5G it is essential that users have control over the privacy of their device identifiers by providing properties like confidentiality to subscriber and device identities, untrackability of the user location, perfect forward secrecy for encrypted communications and unlinkability between the user subscription information and the device identity.
Cluster 5 focuses on Software Defined Networks, Virtualization and Monitoring:
5G networks should provide different virtualized Core Network (slices) for different types of subscribers including different Device types, such as mMTC or xMBB, but also customer specific slices such as eHealth. Network slices may be able to provide different services, and share a common radio network. Isolation of network slices is essential. Virtualization is most likely to be transparent to many 5G nodes and also to devices and subscribers, but some 5G node components should be able to actively modify the structure and behaviour of the core network.
Virtualization brings new types of roles and actors into the picture such as the 5G Node Provider, the Virtualization Infrastructure Provider, and the Virtual Mobile Network Operator, which require adequate trust relations to be established and enforced. This also means that new types of monitoring and assurance interfaces are needed if all the new roles are taken by separate actors. Actors that are operating on top of a virtualized platform should be able to monitor, verify and control what is happening in the virtualized network as well as in the virtualization infrastructure.
Clusters 6-10 focus on Availability, Reliability and Integrity:
5G should provide robust network services with considerable availability guarantees, in particular robustness against overload and denial of service attacks on the radio interface. Also, in high load situations, prioritized devices should get priority to attach and already attached devices losing synchronization should be able to regain access. User plane data should be integrity protected enabling trustworthy services to be built on top, such that illegitimate and low priority requests should be rejected at an early stage. Threats of cyber-attacks directly targeting 5G access networks need to be dealt with in the 5G design.
In 5G networks there should be increased assurance that the traffic is indeed originating from a legitimate entity and is bound to a legitimate entity. MNOs should not be forced to resort to implicit security assumptions about the security of the core network of interacting partners.
5G network should be more reliable in terms of having dynamic, alternative routes from the radio network into the core network (such as satellite connection). New commercial possibilities on stand-alone radio networks, and stand-alone core networks are also envisioned.
5G should provide means for coordinated botnet mitigation schemes with prevention and detection embedded in the network infrastructure, leveraging established and adding new techniques for restricting traffic.
5G networks should offer subscribers additional (optional) enhanced security services for anonymization capabilities as well as addressing security and privacy issues arising from mobile malware and misbehaving applications.
Cluster 11 focuses on Lawful Interception:
A 5G system should be able to answer any Lawful Intercept (LI) request in a secure way without compromising the privacy of network users, and the information provided by the LI function must be provably trustworthy and securely delivered. For this reason there is a need for a common LI function for services delivered via the 5G network which authenticates and authorizes the incoming requests and target law enforcement authority. The operators can provide trusted key escrow services within this framework.
15 Conclusions
The use cases presented in this document illustrate the need for enhanced security and privacy in fifth generation mobile networks.
The use cases exhibit a wide range of security concerns including user privacy, identity management, authentication, authorization, key establishment for IoT, air interface protection, botnet mitigation, isolation of core network functionality, secure virtualization and verification of virtualized node and platform, security monitoring and control, and lawful interception.
The use cases address security enhancements of current networks as well as security functionality of new 5G features in a balanced mix. Just to highlight a few take-aways:
• 5G encompasses a variety of radio access systems expanding the capabilities of mobile devices and networks. To allow extended offerings in terms of access or other services there is a need to support alternative authentication schemes and associated identity management, while not compromising the high security of legacy authentication and identity management.
• The increased emphasis on user privacy, including unlinkability between subscriber information and device identifiers and untrackability of user’s location, needs to be met by new protection schemes.
• 5G networks should provide various kinds of virtualized Core Network functions (slices) for different types of subscribers or corporations which need totally different isolation properties. Virtualization brings new types of roles and actors and new types of monitoring and assurance interfaces as well as the need to verify and control the actions and entities corresponding to the various actors.
• The increasing trend of connecting important functions in society and corporations through mobile network technology leads to an increased demand for robustness and reliability in overload and denial of service situations. The balance between law enforcement and privacy revealed by the developments in society during the last years calls for enhanced schemes for separating the concerns of the involved parties.
Most of these security and privacy enhancements need to be built into the radio access and core networks and cannot be added as an afterthought. The continued analysis on security enablers and security architecture within 5G-ENSURE will assess in more detail the relevance of these use cases and their impact on the 5G system. However, it is already clear that security and privacy considerations such as those made in this document need to enter the development of 5G standards at an early stage to have the required impact on the security and privacy characteristics of next generation mobile networks.
References
[Chengzhe2013] L. Chengzhe, L. Hui, L. Rongxing, and S. Xuemin, “SE-AKA: A secure and efficient group authentication and key agreement protocol for LTE networks”, Computer Networks, vol. 57, pp. 3492-3510, 2013.
[EAP-AKA] J. Arkko and H. Haverinen, “Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)”, IETF RFC 4187, 2006.
[FooKune2012] N. H. Foo Kune, John Koelndorfer and Y. Kim, “Location leaks on the GSM air interface”, in 19th Network and Distributed System Security Symposium, 2012.
[METIS2015] “Deliverable D6.6, Final report on the METIS 5G system concept and technology roadmap”, ICT-317669-METIS/D6.6, 2015.
[Murdoch2016] S. Murdoch, “Insecure by design: protocols for encrypted phone calls”, Bentham’s Gaze, 2016. https://www.benthamsgaze.org/2016/01/19/insecure-by-design-protocols-for-encrypted-phone-calls/
[Nohl2014] K. Nohl, “Mobile Self-Defense”, Chaos Communication Congress, 2014.
[Paladi2015] N. Paladi, “Towards secure SDN policy management”, in: 1st International Workshop on Cloud Security and Data Privacy by Design, 7-10 December 2015, Limassol, Cyprus.
[Razaghpanah2015] A. Razaghpanah, N. Vallina-Rodriguez, S. Sundaresan, C. Kreibich, P. Gill, M. Allman, V. Paxson, “Haystack: In Situ Mobile Traffic Analysis in User Space”, 2015. http://arxiv.org/abs/1510.01419
[Ren2015] J. Ren, A. Rao, M. Lindorfer, A. Legout, D. Choffnes, “ReCon: Revealing and Controlling Privacy Leaks in Mobile Network Traffic”, 2015. http://recon.meddle.mobi/papers/recon-sep.pdf
[RFC4949] R. Shirey, “Internet Security Glossary, Version 2”, IETF RFC 4949, 2007. https://tools.ietf.org/html/rfc4949
[RFC7228] C. Bormann, M. Ersue, A. Keränen, “Terminology for Constrained-Node Networks”, IETF RFC 7228, 2014. https://tools.ietf.org/html/rfc7228
[RFC7744] L. Seitz, S. Gerdes, G. Selander, M. Mani, S. Kumar, “Use Cases for Authentication and Authorization in Constrained Environments”, IETF RFC 7744, 2016. https://tools.ietf.org/html/rfc7744
[SchahillBegley2015] J. Schahill, J. Begley, “The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle”, The Intercept, Feb 2015. https://theintercept.com/2015/02/19/great-sim-heist/
[Shaik2015] A. Shaik, R. Borgaonkar, N. Asokan, V. Niemi, and J-P. Seifert, “Practical attacks against privacy and availability in 4G/LTE mobile communication systems”, October 2015. http://arxiv.org/pdf/1510.07563v1.pdf
[Smith2015] K. Smith, “Network management of encrypted traffic”, IETF Internet Draft draft-smith-encrypted-traffic-management-04, Nov 2015.
[TR22.891] 3GPP TR 22.891 “Feasibility Study on New Services and Markets Technology Enablers; Stage 1”, Sections 5.20, 5.22, 5.72
[TS22.368] 3GPP TS 22.368 “Service requirements for Machine-Type Communications (MTC); Stage 1”
[TS33.106] 3GPP TS 33.106 “3G security; Lawful interception requirements”
[TS33.220] 3GPP TS 33.220 “Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA)”
[TS33.401] 3GPP TS 33.401 “3GPP System Architecture Evolution (SAE); Security architecture”
[Vallina-Rodriguez2015] N. Vallina-Rodriguez, S. Sundaresan, C. Kreibich, V. Paxson, “Header Enrichment or ISP Enrichment? Emerging Privacy Threats in Mobile Networks”, HotMiddlebox’15, 2015.