Month: November 2020

5G AKA authentication process – (3GPP 33501)

5G AKA authentication process – (3GPP 33501)

Hello my readers today we will talk about two ways to authenticate a UE in 5G :-

5G AKA (Authentication Key Agreement)

EAP AKA

The below components in the 5G network architecture are instrumental in the authentication process

Step 1 – UE searches for the SN

UE – User equipment

SEAF – Security anchor function

AUSF – Authentication server function

UDM – Unified data management

You can consider AUSF as the MME/MSC and UDM as HSS / HLR of the older generation of 3GPP

Here is the step vise authentication process for the UE to the network and vice versa :-

  1. On the N1 interface UE send {N1 message with SUCI (if attach for 1st time) else 5G GUTI}
Step 2 – UE first time attach request to SEAF

Quick recap on the permanent and temporary identifier used during the attach request and subsequent network usage

2G,3G4G,5GType of subscriber identifierWhen is this used
IMSI Internation mobile subscriber identitySUPI Subscriber permanent identityPermanentIn order to avoid MITM, only during exceptional scenarios of first time attach Or When the network is unable to resolve SUPI from SUCI/GUTI
TMSI Temparory mobile subscriber identityGUTI Global unique temparory identifierTemporaryEach time location is updated or attach attempt is made or call is attempted or as set in the PLMN parameters
Step 3 – at SEAF

Step 4 – at AUSF

Step 5 – at UDM first time HEAV is derived

HEAV – Home environment authentication vector

Step 6 – at AUSF AV

AV – Authentication vector

 Step 7 – at SEAF
Step 8 – at UE [ the UE authentication is complete here]
Step 9 – at SEAF [ the serving network authentication is complete here]
Step 10 – at AUSF [ the home network authentication is complete here]
Step 11 – at SEAF [ all the keys for that transactions are ready for use]

As you can see now the required keys for session to continue are derived for a session

Kseaf becomes the anchor key to derive Kamf, Knas, Kgnb,Knsiwf

Here the subscriber is successfully authenticated, serving network has been authenticated and the home network has been authenticated. This is the change from earlier generation and added layers of authentication have been added to safeguard the consumer

Do share you comments and let me know, was the article information and definitely i do welcome your comments to further improve the blog…… happy reading

5G & Service based Security Architecture

In the era of 5G communication, the way 5G services are deployed has fundamentally changed and securing the 5G infra and services is of paramount importance.

5G is no longer a user and operator communication only, its about VR,AR,MR, EMBB(enhanced mobile broadband), MMTC(massive machine type communication)and URLLC( ultra-reliable and low latency communication) much more.

Also one more hurdle to the task it shifts of telecom world into the IT space, where we are no longer talking about physical or traditional VM based core application running on proprietary telecom protocols. Now the fundamental shift is to VNF, container based application, even the protocols RESTful API based on service based architecture. This is where 5G deployment wherein we use the existing upgraded 4G radio and the core. This mainly caters to high speed and just puts the telecom provider in the 5G map. However, for the URLLC and MMTC use cases telecom operator has to move to the SA version of 5G.

Before we begin into the real security issues, lets have a look at basics of 5G.

The spectrum

Deployment models

  • NSA – Non stand alone
  • SA – Standalone

The architecture

From traditional tin based hardware to truly cloud native application, from boxes its now functions, from proprietary telecom protocols to standard REST API. A solution that truly is cloudification, if utilized to the true potential.

From dedicated interface cards to micro services, where each micro service serves a specific business purpose and built by a specific team. Even the applications are containerized and in the real sense support business.

Basic building blocs of 5G from radio to the core

  1. UE talks to RAN , in 5g this is called AN (access network) This can include 3GPP and no 3GPP components – GnodeB[RS2] , wifi
  2. UE then connect to AMF (access mobility function)
  3. Other core elements the UE connect to are session management function
  4. Policy control function
  5. Application function
  6. Authentication server function
  7. User plane function
  8. User data management
  9. Network slice selection function

AS the function names have totally changed, lets drive an analogy between the LTE and 5G nodes

4G/3G/2G NodeCorresponding 5G Node
HSS, HLRUnified data management(UDM)
HSS, HLRAuthentication server function(AUSF)
HSS, HLRUnstructured data user function (UDSF)
This component does not exist in earlier generation as defined by 3gppNetwork repository function(NRF)
HSS, HLRUnified data repository(UDR)
This component does not exist in earlier generation as defined by 3gppNetwork exposure function (NEF)
This component does not exist in earlier generation as defined by 3gppNetwork slice selection function(NSSF)
EIREIR
DRA/DEAService communication proxy(SCP)
DRA/DEAService edge protection proxy(SEPP)

Different types of API’s in 5G – SBA, make use of different URI, HTTP, data description languages,

  1. Northbound API’s
  2. Orchestration API’s
  3. Internal API’s

Example RESTful SBA Procedures

Example 1: User wants to surf internet

UE calls the AMF

AMF call the NRF

NRF calls the SMF

UE contacts the SMF

In the above its clearly observed that the request above are HTTP POST request and response. The security issues that are faced by HTTP post are now inherited with this SBA in 5G.

Example 2 : Service registration

SMF send request to NRF

SMF send HTTP PUT request to NRF.

This is how the API’s from operator side shall be exposed to the 3rd parties for their application consumptionS

Security issues in API / HTTP 2.0 usage in 5G

The HTTP methods on which 5G SBA has extreme reliance are the following

HTTP POST – used to create new resource which can be addressed by the URI

The HTTP post method is mostly used now a days to impact availability of the system in form of denial of service. Potentially exploiting the confidentiality as the HTTP POST request is clear text and not encrypted

HTTP GET – request for list/ retrieves the resources addressed by URI

HTTP PUT – request replaces the resourced addressed in URI

HTTP DELETE – request deleted the resource addressed in the URI

HTTP PUT and DELETE are used by an attacker this method which was originally used for file management operations is used to change or delete files from the server’s file system, arbitrarily. For sure, if these are enabled, it opens you to some dangerous attacks and you increase your attack surface.

Some critical interfaces and their security concerns

NG1,NG2,NG3 – all are potential candidates of REST API communication. Hence this leads the way for service based architecture …

  • N6 –
  • N8-
  • N12-
  • Nnef –

Security Issues

The security issues really are ranging from identity theft, to availability disruption to life saving services, non repudiation, API security issues, container security issues during the runtime, docker/kubernetics related security issues, privacy, SSL certificate related issues. The attack surface for 5G is really huge. Job of a security team is key over here. To understand about all issues and to put any type of security control over here will really needs in depth understanding of the 5G (NSA or SA) landscape.

In this article we just discuss about only one issues specific to API’s, as its something new to the Telco work from a core services point of view.

Articles about other security issues will soon follow.