Major changes in 5G security architecture and procedures | Sander de K

Uploaded On 2020-11-23



Presentation Transcript

3GPP SA3 - 5G SECURITY
Major changes in 5G security architecture and procedures | Sander de Kievit

THIS TALK
- Short introduction about me and some words on 3GPP SA3.
- Major changes since 4G, what do we really get?
  - Unified authentication framework for both 3GPP and non-3GPP access
  - Increased home control
  - Extended key hierarchy for later security services
    - E.g. steering of roaming under discussion and protection of UE to home traffic
  - Improved subscriber identity confidentiality
    - Encryption at initial registration
  - Security of the interconnect network between operators
    - Work in progress…

ABOUT ME
- Sander de Kievit
- Security researcher at TNO
- Representing KPN in 3GPP SA3
- My interests include:
  - Security as enabler of 5G Mobile Networks
  - Security consultancy and assessments for IT systems.
  - In the past: Monitoring and Detection of Advanced Persistent Threats

3GPP SA3 SECURITY WORKING GROUP
- SA3 is the working group tasked with security and privacy within the scope of 3GPP.
- Study started at #83 with TR 33.899
  - Overall topics identified
  - Priorities set
- Specification work started at #86-BIS
  - New spec: TS 33.501
  - First approved version (15.0.0) available soon

[Chart: number of documents per year, 2014 to 2017, with the start of TR and TS work marked]

MAJOR CHANGES IN 5G – AUTHENTICATION
- Design Goals:
  - Unified authentication framework for both 3GPP and non-3GPP access
  - Improved control by home network
- Design Questions:
  - How to deal with potentially different transport of NAS and EAP?
  - How to add home control to EPS AKA?
  - Authentication algorithm under control of 3GPP SA3?
- Final design decisions:
  - Both EAP AKA’ and newly developed 5G AKA supported
  - Continued compatibility with Rel-8 USIM

MAJOR CHANGES IN 5G – AUTHENTICATION
HOME CONTROL IN 5G AKA

[Diagram: message flow between UE, SEAF, AUSF and ARPF (the labels HSS and MME also appear). Labels: 5G HE AV; Calculate HXRES*; 5G AV; RAND, AUTN; RES*; Calculate HRES*; AC (RES*)]

- Based on EPS AKA
- New authentication confirmation
- New RES* and H(X)RES*
- Calculation of RES*:
  - KDF(CK, IK, SN name, RAND, RES)
  - Calculated in ARPF and UE
- Calculation of HRES*:
  - HASH(RAND, RES*)
  - Calculated in SEAF and AUSF
  - Used for authentication by the SEAF

MAJOR CHANGES IN 5G – SUBSCRIBER PRIVACY
- Design Goal:
  - Defeating the IMSI catcher
- Design Challenges:
  - Scalable solution under control of operator
  - Comply with regulations

MAJOR CHANGES IN 5G – SUBSCRIBER PRIVACY
- Solution:
  - SUPI encrypted with home network public key on initial attach (SUCI)
  - Complete authentication
  - Then, send SUPI from HPLMN to VPLMN
  - Finally, confirm SUPI by binding into a key
- Further details:
  - Encryption can be done on UE or USIM
  - Two algorithms standardized on UE side
  - Algorithms on the USIM can be controlled by operators

[Diagram: UE, VPLMN and HPLMN. Labels: SUPI, AUTHENTICATION, SUCI, SUPI CONFIRMATION]

MAJOR CHANGES IN 5G – KEY HIERARCHY
- Key hierarchy extended to also include:
  - KAUSF at home network
  - KSEAF at visited network
- Reasons for KAUSF:
  - Quick reauthentication
  - Protecting home to UE traffic, e.g. steering of roaming under discussion
- Reasons for KSEAF:
  - Separate security anchor from mobility anchor
  - Pre-empts AMF at insecure locations

[Diagram: key hierarchy, network side and UE side. Keys: K; CK’, IK’; KAUSF; KSEAF; KAMF; KNASint, KNASenc; KN3IWF; KgNB, NH; KRRCint, KRRCenc, KUPint, KUPenc. Entities: AUSF, SEAF, AMF, N3IWF and gNB, each paired with ME. Other labels: 5G AKA, EAP AKA’, HN, SN]

MAJOR CHANGES IN 5G – INTERCONNECT SEC.
- Design Goal:
  - Protecting messages exchanged between operators via the IPX network
- Design Challenge:
  - Deal with the complex services of IPX providers:
    - Rerouting of messages
    - Mediation of messages
    - Roaming hubs
  - Providing PLMN to PLMN security
  - Being compliant with JSON and HTTP2 standards

[Diagram: PLMN1, PLMN2, PLMN3, ?]

THANK YOU FOR YOUR ATTENTION
Take a look: TIME.TN
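
The RES* and HRES* calculations from the "Home control in 5G AKA" slide, as an added Python example that is not part of the talk or of any 3GPP code. The slides give only KDF(CK, IK, SN name, RAND, RES) and HASH(RAND, RES*); the HMAC-SHA-256 KDF with FC 0x6B, SHA-256, the 128-bit truncation and every sample value are assumptions based on TS 33.501 Annex A and TS 33.220 Annex B.

```python
import hashlib
import hmac

FC_RES_STAR = b"\x6b"  # assumed from TS 33.501 Annex A.4; not on the slides


def _param(p: bytes) -> bytes:
    """Encode one KDF input as Pi || Li (Li = 2-octet big-endian length)."""
    return p + len(p).to_bytes(2, "big")


def derive_res_star(ck, ik, sn_name, rand, res):
    """RES* = KDF(CK, IK, SN name, RAND, RES); computed by UE and ARPF."""
    s = FC_RES_STAR + _param(sn_name.encode()) + _param(rand) + _param(res)
    return hmac.new(ck + ik, s, hashlib.sha256).digest()[-16:]  # 128 LSBs


def derive_hres_star(rand, res_star):
    """H(X)RES* = HASH(RAND, RES*); computed by SEAF and AUSF."""
    return hashlib.sha256(rand + res_star).digest()[-16:]


def seaf_check(rand, hxres_star, res_star_from_ue):
    """Serving network check: the SEAF holds only HXRES*, never XRES*."""
    hres_star = derive_hres_star(rand, res_star_from_ue)
    return hmac.compare_digest(hres_star, hxres_star)


def ausf_confirm(xres_star, res_star_from_seaf):
    """Home network check: the authentication confirmation carries RES*."""
    return hmac.compare_digest(xres_star, res_star_from_seaf)


def run_demo():
    # Constructed sample values, not real subscriber data.
    ck, ik = bytes(range(16)), bytes(range(16, 32))
    rand, res = bytes.fromhex("a0" * 16), bytes.fromhex("0102030405060708")
    sn = "5G:mnc001.mcc001.3gppnetwork.org"
    xres_star = derive_res_star(ck, ik, sn, rand, res)   # ARPF, home network
    hxres_star = derive_hres_star(rand, xres_star)       # AUSF sends to SEAF
    res_star = derive_res_star(ck, ik, sn, rand, res)    # UE response
    honest = seaf_check(rand, hxres_star, res_star) and ausf_confirm(xres_star, res_star)
    # RES* is bound to the SN name: a response for another network is rejected.
    other = derive_res_star(ck, ik, "5G:mnc002.mcc001.3gppnetwork.org", rand, res)
    wrong_sn = seaf_check(rand, hxres_star, other)
    # The SEAF's HXRES* alone does not satisfy the home network's RES* check.
    without_ue = ausf_confirm(xres_star, hxres_star)
    return honest, wrong_sn, without_ue
```

`run_demo()` returns `(True, False, False)`: the honest run passes both checks, while a response bound to a different SN name, or a confirmation built from HXRES* alone, is rejected.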