Patrik Rokyta I CTO I Aug 13, 2024
The Crucial Role of 3GPP Standards in 5G Network Security
As mobile networks evolve, the importance of robust security measures becomes ever more critical. With the global number of mobile users reaching approximately 8 billion, securing these networks is vital to protecting both personal data and national infrastructure. In this blog, we explore the essential role of 3GPP standards in shaping the security landscape of 5G core networks. These standards not only ensure the interoperability and reliability of mobile communications but also introduce advanced security protocols to counter emerging threats. Join us as we explore the 3GPP TS 33.501 specification, the bedrock of 5G security, to understand how these methodically developed standards are securing our connected future and in addition maintain seamless interoperability between products and solutions of different suppliers.
The 3GPP TS 33.501 specification is establishing comprehensive guidelines and protocols to ensure robust network protection. Developed through the collaborative efforts of the 3rd Generation Partnership Project (3GPP) under the stewardship of the Security Working Group (SA3), the TS 33.501 specification is a product of extensive input from numerous organizations and experts globally. Starting with release 15, it outlines the security architecture and procedures essential for safeguarding the integrity, confidentiality, and availability of 5G networks by addressing critical aspects such as flexible authentication, user identity protection, and inter-operator security.
At its heart, the 3GPP TS 33.501 specification defines security architecture consisting of various security domains. The fundamental security principles include:
- Authentication: Ensuring that only legitimate devices and users can access the network.
- Confidentiality: Protecting user data and signaling information from unauthorized access and interception.
- Integrity: Safeguarding the data and signaling messages from being tampered with or altered.
- Availability: Ensuring that network services are available to legitimate users even in the face of attacks.
- Privacy: Protecting the privacy of user identities and sensitive information from exposure.
- Accountability: Enabling the tracking and logging of security-related actions to ensure that activities can be traced back to their source.
- Inter-operator Security: Ensuring secure interactions and data exchange between different network operators.
This blog discusses the security principles with the particular focus on the signaling control security inside the 5G core network and at the perimeter of the 5G core network.
Authentication
The security principles associated with authentication in 5G networks, as detailed in the 3GPP TS 33.501 specification, ensure that only legitimate devices and users can access the network. Primary authentication leverages the Authentication and Key Agreement (AKA) security protocol in the verification of the device's identity during its initial registration over any access type, forming the basis for mutual authentication between the device and the network. This procedure includes mechanisms for home control, allowing the home operator to oversee and finalize the authentication process. Additionally, 5G networks support the Extensible Authentication Protocol (EAP), accommodating a wide range of credentials beyond traditional SIM-based ones. Secondary authentication allows third-party service providers to authenticate users independently, ensuring secure access to specific services requiring higher trust levels. These robust authentication procedures not only protect user identities but also establish secure communication channels, vital for maintaining the integrity and confidentiality of the data transmitted over the 5G network.
Confidentiality
Confidentiality in 5G networks is fundamental to safeguarding user data and signaling information from unauthorized access. Advanced encryption techniques, such as the use of the Advanced Encryption Standard (AES) standardized by bodies like the US National Institute of Standards and Technology (NIST), ensure that data remains encrypted during transmission over the air interface and in the 5G core network. Within the 5G core network, the exchange of information between the 5G core services utilizes the HTTP/2 protocol secured by the Transport Layer Security (TLS) protocol. This prevents malicious actors from intercepting and deciphering sensitive information, maintaining the privacy of user, device and service communications. Additionally, 5G's security architecture mandates robust key management practices to securely distribute and update encryption keys, further fortifying the confidentiality of data exchanges across the network. These measures not only uphold user privacy but also support reliable and secure operation of critical applications and services dependent on 5G connectivity.
Integrity
Integrity principles in 5G networks ensure the reliability and trustworthiness of data transmitted across the network. Data and signaling messages maintain their integrity through sophisticated protection mechanisms that prevent unauthorized modification or tampering. These measures are implemented at both the user plane and control plane levels. For example, cryptographic techniques such as digital signatures and hash functions verify the integrity of data packets and signaling messages exchanged between user devices and the network. Within the 5G core network, service access tokens and client credentials assertions secure the access to the registered 5G core services. By preserving the integrity of these credentials through digital signatures, 5G networks uphold the accuracy and reliability of communications. This is crucial not only for supporting mission-critical services and applications but also for fostering the confidence and trust of users, enterprises, and verticals relying on 5G services. It's noteworthy that robust key management, essential for secure authentication in 5G networks, is equally critical for ensuring integrity.
Availability
Availability principles in 5G networks ensure that network services remain accessible and operational, even in the face of potential disruptions or attacks aimed at compromising service availability, including complete service outage. This is achieved through robust redundancy measures and zero-trust approaches. In cloud-native environments, local redundancy is achieved by deploying replicas of the entities delivering the service. The number of replicas can be dynamically adjusted to accommodate fluctuating traffic. Combined with overload protection, the auto-scalability of the service provides robust defences against signaling surge and Denial of Service (DoS) attacks. Additional measures include securing services with signaling firewalls specialized in defending against telco-specific attacks, including cross-domain threats. Zero-trust approaches, particularly relevant in modern cybersecurity, are increasingly applied within container orchestration frameworks like Kubernetes. By adopting zero-trust principles, Kubernetes environments can mitigate the risk of lateral movement and unauthorized access, ensuring that each component—whether node, pod, or service—operates within a secure and validated context, thereby enhancing overall system security and resilience. At the application layer, zero-trust principles are natively built into the 5G Security Edge Protection Proxy (SEPP), adhering to the bilateral trust model defined by GSMA. This implementation ensures that all interactions between network components and external entities are continuously validated and authorized, regardless of their originating source or destination.
Privacy
Privacy principles in 5G networks prioritize safeguarding user identities, notably through mechanisms such as the Subscription Concealed Identifier (SUCI) employed during primary authentication. By integrating robust encryption methods like Elliptic Curve Cryptography (ECC), 5G networks ensure the confidentiality of user identities during authentication, thereby protecting them from unauthorized access. Furthermore, the implementation of telescopic Fully Qualified Domain Name (FQDN) mapping on the Security Edge Protection Proxy (SEPP) enhances privacy by concealing network topology, making it challenging for attackers to discern user locations or network structure. These measures not only enhance user privacy by preventing unauthorized tracking and profiling but also align with regulatory requirements, reassuring users that their personal data is securely managed and safeguarded throughout their digital interactions.
Accountability
Accountability mandates the ability to trace and log security-related actions, attributing them to their source with accuracy, reliability and operational integrity. In practical terms, accountability facilitates the tracking of security breaches or suspicious activities within the network. In conjunction with the evolving role of the Network Data Analytics Function (NWDAF), accountability gains enhanced capabilities in modern mobile networks. By processing vast amounts of network data, NWDAF by utilizing rules-based and/or AI/ML-based algorithms can identify anomalies or suspicious activities promptly, providing valuable insights for forensic analysis and regulatory compliance. This collaborative approach between accountability principles and NWDAF empowers network operators to enforce security policies effectively and respond promptly to security incidents.
Inter-Operator Security
Inter-operator security addresses the complexities inherent in the global nature of mobile networks, where operators must trust each other's infrastructures while safeguarding their own. Both 3GPP and GSMA standards emphasize authentication and validation mechanisms to verify the identities of communicating parties, ensuring that only legitimate entities can access sensitive network resources as stipulated by roaming agreements and within the contracted scope. In 5G networks, inter-operator security is centered around the Security Edge Protection Proxy (SEPP), a critical network function that securely filters and protects all signaling traffic between operators. This mechanism not only enhances availability by safeguarding network services from disruptions caused by malicious traffic or attacks but also strengthens privacy through advanced security features. As previously discussed, the SEPP integrates zero-trust principles in line with GSMA's bilateral trust model and implements telescopic Fully Qualified Domain Name (FQDN) mapping to obscure network topology details. By adhering to these rigorous security measures and others, the SEPP not only facilitates secure inter-operator communications but also enhances the resilience and integrity of global mobile networks against both known and emerging cyber threats.
About Titan.ium Platform
Titan.ium Platform is a leader in signaling, routing, subscriber data management, and security software and services, with deployments in more than 80 countries by over 180 companies, including eight of the world’s top 10 communications service providers and all of the top five. Having successfully transitioned technology and workforce to cloud-native environments, Titan.ium has developed strong capabilities in delivering, deploying, and operating a cloud-native product portfolio. This portfolio includes 5G core network functions such as the Security Edge Protection Proxy (SEPP), Service Communication Proxy (SCP), Network Repository Function (NRF), Binding Support Function (BSF), and Network Slice Selection Function (NSSF), alongside selected legacy products. All offerings comply with the stringent security standards of 3GPP TS 33.501 and GSMA FS.34, ensuring robust security across 5G core networks and PLMN interconnects. Additionally, Titan.ium provides a Data Analytics solution that enables proactive monitoring and response capabilities, detecting anomalies within signaling messages, message content, traffic mix, and traffic shape. Titan.ium 's dedication to innovation and excellence in 5G network security and analytics positions them as the preferred partner for future-ready telecommunications solutions.
