
Examine how 5G security challenges arise from massive device connectivity, wider bandwidth, and SDN- and NFV-enabled flexibility for use cases such as autonomous vehicles, health care, and smart homes.
Explore basic 5G security terminologies, including authentication with mutual verification via a shared secret key, authorization, ciphering, integrity protection, and privacy protection for subscriber data, including permanent user IDs.
Explore the preliminaries essential to understanding 5G security, including 5G architecture and security concepts, with a step-by-step explanation for beginners.
Explore the 5G core network architecture and the access and mobility management function, including registration, authentication, mobility management in idle and in-call states, and tracking area updates.
Coordinate the authentication process among AUSF, AMF, usf, and UDM to generate an authentication vector, challenge the user equipment with a random number, and verify the authentication response.
Unified data management (UDM) serves as the centralized database for all 5G subscribers, storing security keys, subscriber profiles, and roaming and service access information across AMF areas.
The NRF maintains a directory of all network functions within the 5G core, enabling other functions to discover their locations by returning IP addresses or domain name servers for the SMF.
Explore the 5G service-based architecture, where network functions produce and consume services via service-based interfaces, replacing traditional topologies, with cloud scalability enabling flexible resource allocation.
Explore 5G UE identifiers, from permanent equipment identity (IMEI) to the subscription concealed identifier (SUCI). See how 5G-S-TMSI and 5G-GUTI enable secure communication after registration with the AMF, including non-3GPP access.
In symmetric key cryptography, Alice and Bob share the same secret key to encrypt and decrypt messages, producing cipher text that both parties can read after using the secret key.
Understand public key cryptography, where Alice encrypts with Bob's public key and Bob uses his private key to decrypt the cipher text.
Digital signatures secure message integrity by signing with a private key and verifying with a public key, ensuring the decrypted message matches the original and remains unaltered.
Learn how hash functions compress long messages into fixed-length digests to enable efficient digital signatures by encrypting the digest with a private key and verifying authenticity with a public key.
Examine how 5G roaming enables cross-network authentication among AMF, AUSF, and UDM. Track data flow from the gNB to the visiting UPF and home network, guided by V-PCF and H-PCF.
Please find below the 5G security document of 3GPP.
Learn how 5G network access security ensures secure access with mutual authentication, privacy by encrypting permanent identities, and non-access stratum signaling protection across the core, serving, and home networks.
Protect the traffic and signaling between 5G network functions by securing the reference point interfaces within the network domain security, including inter-network security during roaming.
Ensure secure access to terminals through the user domain interface, such as entering a PIN that authenticates the user with the terminal.
Secure the data exchange within the application domain, between the user and the server or peer on the data network.
Explore how 5G's service-based architecture secures communications between network functions by registering with the network repository function and authorizing service use across serving and home networks.
5G network access security relies on logical security entities co-located in network functions such as the UDM, including the ARPF and concealing function, with SRF and USIM handling access security.
Explore the ARPF inside the UDM, featuring the master key K for mutual authentication and ciphering, plus the SUPI identity and an undefined UDM-ARPF interface in 5G.
Understand how the subscription identifier de-concealing function (SIDF) derives the SUPI from the SUCI during registration, enabling secure network authentication by AUSF and UDM.
Explore the authentication server function (AUSF) as a standalone 5G core network element. It authenticates user equipment using data from the device and the home network's UDM, including roaming.
The security anchor function (SEAF) is co-located inside the AMF and handles authentication for user equipment, whether in the home network or when roaming; user equipment must communicate through the SEAF.
Describe how 5G access security uses mutual authentication with the home or visited core network, via 5G AKA or EAP for non-3GPP, and derives ciphering and integrity keys for signaling and data.
Explain the initiation of 5G authentication, tracing the N1 message through the AMF, SEAF, AUSF, and UDM, handling SUPI or SUCI and the serving network name.
Explain concealment and de-concealment of SUPI in 5G authentication, where the UE encrypts SUPI as SUCI with the home network public key, and the UDM decrypts with a private key.
Explain the 5G authentication and key agreement (AKA) procedure, detailing home environment authentication vectors, random numbers, authentication tokens, and the derivation of ciphering and integrity keys for mutual authentication.
Explore the 5G AKA security key hierarchy, tracing how the master key derives low-level encryption and integrity keys on both network and user equipment, including gNB and C signaling keys.
Learn how 5G EAP-AKA authenticates non-3GPP devices via N3IWF, using transformed authentication vectors from UDM through AUSF and emf to AMF.
Trace the 5G EAP-AKA security key hierarchy across non-3GPP access from the master key in the UDM to derived CK and IK keys, KAUSF, KSEAF, KAMF, and KN3IWF for IPsec.
Explore 5G network domain security, covering cloud RAN with gNB distributed and centralized units, backhaul protections using IKEv2 and IPsec, and optional transport layer security for core interfaces.
IPsec secures traffic at the network layer for IPv4 and IPv6. It delivers header protection, access control, data origin authentication, integrity, replay protection, and encryption.
Explore the IPsec framework, including Diffie-Hellman key exchange for shared keys, authentication options (PSK or RSA), integrity protection with MD5 or SHA, and encryption with ESP, with AH possible.
Security associations provide unidirectional logical connections for IPsec traffic; bidirectional flows require two SAs with security parameter indices, addresses, and encryption and integrity keys.
Establish bidirectional security associations and an IPsec tunnel using IKEv2, including NAT traversal and keepalive, across two routers in 5G networks through phase one and phase two.
In IPsec IKE phase 1, negotiate security association parameters, perform a Diffie-Hellman exchange to establish a secret, authenticate peers, and create a management tunnel that enables the IKE phase 2 tunnel.
IKE phase 2 negotiates the second IPsec tunnel parameters with phase one, selecting ESP, transport or tunnel mode, encryption, integrity, and lifetime, after which data is transmitted securely.
Explains the IPsec authentication header and encapsulating security payload, showing how AH provides integrity via hash-based message authentication and signatures, while ESP adds encapsulation and encryption with DES or Triple DES.
Explain how IPsec operates in transport mode versus tunnel mode, showing how transport preserves the original IP header while tunnel mode adds a new header and encrypts the entire packet.
Explain how the authentication header protocol provides integrity without encryption in edge modes by hashing the packet and storing a signature, excluding TTL and IP header checksum from hash.
Explain how the encapsulating security payload protocol provides integrity and encryption for IP traffic. Compare transport and tunnel modes, including header and payload encryption and authentication.
Secure the exchange between service consumer and provider in the 5G core via SBI security, enforcing authentication and authorization, while operators may turn SBI security on or off.
Implement an OAuth 2.0 based authorization framework for service-based interfaces where the AMF requests a token from the NRF authorization server, and the UDM validates it using public or shared keys.
Explore the transport layer security protocol for service-based architectures, enabling authentication with digital signatures, encryption, integrity protection, and replay-attack defense, and note the alternative Network Domain Security Protocol for IP.
Describes the two main phases of the TLS protocol: the handshake, where the client and server authenticate and negotiate cryptographic parameters, and the record protocol, which secures application data.
Examine how the consumer SEPP and provider SEPP secure inter-core network function calls, using TLS for direct links or application-layer security with TLS or the NDS/IP protocol when IPX is present.
Explains network based security for IP-based communication in the 5G network using security domains. Describes subdomains, security gateways at borders, and IKEv2 authentication with IPsec tunnel-mode protection for inter-domain traffic.
Examine securing the N2 and N3 interfaces between the gNB and the core network with IPsec ESP for ciphering and integrity, and IKEv2 for authentication, with TLS/DTLS options.
This is a concise and comprehensive course about security in 5G mobile networks that will let you understand:
- 5G Security Challenges
- Preliminary Terminologies used in 5G
- 5G Security Architecture According To 3GPP Specifications
- Network Access Security in 5G Mobile Networks
- SUPI Concealment/De-concealment in 5G
- 5G Authentication And Key Agreement (AKA) Procedure
- 5G AKA Security Key Hierarchy
- 5G Network Domain Security
- IPSec Framework And Its Applications To 5G Technology
- ESP With Tunneling in 5G Networks
- Network Domain Security for Service Based Interfaces in 5G
- OAuth 2.0 Authorization Framework in 5G Networks
- Transport Layer Security (TLS) for SBI in 5G
- Network Domain Security for IP-based communication (NDS/IP)
This 5G training is short and concise, so that you can get started with security in 5G cellular technology as soon as possible. The course is designed to give you the necessary functional knowledge in the shortest possible time.
Prerequisites
This course assumes a basic understanding of 5G Architecture.
This course is targeted at:
- Telecom professionals
- Telecom students
- Networking students
- Interview candidates