5G Core Security: Trust Boundaries, SBA, Network Slicing Security

As 5G technology continues to roll out across the globe, the security of these networks has become a top priority for both service providers and end users.

With the increased capabilities and features of 5G, such as support for the Internet of Things (IoT) and the industrial internet, there is a greater need for robust security measures to protect against threats and ensure the integrity of the 5G network.

In this blog post, we’ll take a deep dive into 5G core security implementation, exploring the various components of the 5G core network and the key measures that have been put in place to protect against threats.

From encryption and authentication to access control and network slicing, we’ll cover the key elements of 5G core security and how they work together to keep the network safe.

This blog post will provide a comprehensive overview of the 5G core security measures that have been put in place to protect 5G networks.

Below are the main security measures to consider for 5G core security in your network:

1. Trust Boundaries

The 5G network architecture includes several trust boundaries to ensure the security and integrity of data transmitted within and between different parts of the network.

These trust boundaries are used to divide the network into different trust zones, with each trust zone belonging to a specific mobile network operator.

Messages that are transmitted between trust zones must follow specific requirements to ensure their security and integrity, unless they are already protected by NDS/IP as specified in TS 33.210 standards.

These requirements help to prevent unauthorized access or tampering with data as it passes through the network.

2. 5G Service-Based Architecture Security

  • Confidentiality: NF Service Based discovery and registration shall support confidentiality, which means that the information exchanged between the NFs and NRF (Network Repository Function) shall be kept private and only accessible to the intended parties.
  • Integrity: NF Service Based discovery and registration shall also support integrity, which means that the information exchanged between the NFs and NRF shall be protected against unauthorized changes or modifications.
  • Replay Protection: NF Service Based discovery and registration shall support replay protection, which means that the information exchanged between the NFs and NRF shall be protected against replay attacks, where an attacker intercepts and retransmits the information to gain unauthorized access.
  • Authorization: NRF shall be able to ensure that NF Discovery and registration requests are authorized, which means that only authorized NFs can request and receive information from the NRF.
  • Topology Hiding: NF service based discovery and registration shall be able to hide the topology of the available/supported NFs in one administrative/trust domain from entities in different trust/administrative domains (e.g. between NFs in visited and the home networks). This helps to protect the network infrastructure from being discovered and potentially exploited by attackers.
  • Mutual Authentication: NF Service Request and Response procedure shall support mutual authentication between NF consumer and NF producer, which means that both parties shall authenticate each other before exchanging information.
  • Incoming Message Validation: Each NF shall validate all incoming messages. Messages that are not valid according to the protocol specification and network state shall be either rejected or discarded by the NF. This helps to ensure that only valid and authorized messages are processed, protecting against potential attacks.

3. NRF Security

The Network Repository Function (NRF) is responsible for managing the discovery and registration of Network Functions (NFs) in the 5G network.

It receives NF discovery requests from NF nodes and provides information about the discovered NF instances to the requesting instance. The NRF also maintains profiles of the registered NFs.

To ensure the security of the discovery and registration process, the NRF must implement certain security measures on its end.

These measures include mutual authentication between the NRF and the NFs requesting service, as well as the ability to provide authentication and authorization to NFs for establishing secure communication with each other.

These measures help to ensure that only authorized NFs can access the NRF’s services and that the communication between the NRF and the NFs is protected against unauthorized access or tampering.

4. NEF Security

The Network Exposure Function (NEF) is responsible for exposing the capabilities of Network Functions to Application Functions, which can then interact with the relevant Network Functions through the NEF.

To ensure secure communication, the following security requirements must be fulfilled for the interface between the NEF and the AF (Application Function):

  • Integrity protection, replay protection, and confidentiality protection must be supported for communication between the NEF and the AF (Application Function).
  • Mutual authentication between the NEF and the Application Function must be supported.
  • Internal 5G Core information, such as DNN and S-NSSAI, must not be sent outside the 3GPP operator domain by the NEF.
  • The SUPI must not be sent outside the 3GPP operator domain by the NEF.

Additionally, the NEF must be able to determine whether the Application Function is authorized to interact with the relevant Network Functions.

This ensures that only authorized entities can access and use the network functions through the NEF.
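The two "must not be sent outside the 3GPP operator domain" rules above can be enforced as an egress filter on everything the NEF hands to an AF. The following is an added example, not code from the original article or from any NEF product; the attribute names (`supi`, `dnn`, `snssai`), the SUPI string forms and the sample event are assumptions made for illustration.

```python
import re

# Assumed attribute names for the internal values that must stay inside the
# operator domain (SUPI, DNN, S-NSSAI); adapt them to the real API schema.
INTERNAL_KEYS = {"supi", "dnn", "snssai"}
# Assumed SUPI string forms, used to catch a SUPI copied into another field.
SUPI_VALUE = re.compile(r"\b(imsi-\d{5,15}|nai-\S+)")
_DROP = object()  # sentinel: the value itself must not leave the domain


def scrub_for_af(payload, path="$"):
    """Return (clean_copy, removed_paths) for a payload leaving via the NEF."""
    removed = []
    if isinstance(payload, dict):
        clean = {}
        for key, value in payload.items():
            here = f"{path}.{key}"
            if key.lower() in INTERNAL_KEYS:      # drop the whole attribute
                removed.append(here)
                continue
            sub, sub_removed = scrub_for_af(value, here)
            removed.extend(sub_removed)
            if sub is not _DROP:
                clean[key] = sub
        return clean, removed
    if isinstance(payload, list):
        clean = []
        for i, item in enumerate(payload):
            sub, sub_removed = scrub_for_af(item, f"{path}[{i}]")
            removed.extend(sub_removed)
            if sub is not _DROP:
                clean.append(sub)
        return clean, removed
    if isinstance(payload, str) and SUPI_VALUE.search(payload):
        return _DROP, [path]                      # SUPI hidden in free text
    return payload, removed


# Constructed sample event, as an internal NF might report it to the NEF.
EVENT = {
    "externalId": "device-17@example.com",
    "supi": "imsi-001010000000001",
    "pduSession": {"dnn": "internal.iot",
                   "snssai": {"sst": 1, "sd": "000001"}, "status": "ACTIVE"},
    "notes": ["reachable", "subscriber imsi-001010000000001 attached"],
}
```

The list of removed paths is meant for logging: a non-empty list shows that an internal NF is passing operator-internal data towards the exposure interface.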

Security for 5G End-to-End (e2e) Core Network Interconnection

  1. General Security: Support for application layer mechanisms for adding, deleting, and modifying message elements by intermediate nodes, with the exception of specific message elements defined in the specification. This is necessary to allow IPX providers to modify messages for routing purposes.
  2. End-to-end confidentiality and/or integrity protection for specific message elements between the source and destination networks. This requires the presence of SEPPs (Security Edge Protection Proxies) at the edges of the source and destination networks dedicated to handling e2e core network interconnection security. The confidentiality and/or integrity protection applies between two SEPPs in the source and destination PLMNs (Public Land Mobile Networks).
  3. The ability for the destination network to authenticate the source network that sent the protected message elements. This can be achieved by having a SEPP (Security Edge Protection Proxy) in the destination network dedicated to handling e2e core network interconnection security that can authenticate the source network.
  4. Minimal impact and additions to 3GPP-defined network elements.
  5. Use of standard security protocols.
  6. Coverage of interfaces used for roaming purposes.
  7. Consideration of performance and overhead.
  8. Prevention of replay attacks.
  9. Algorithm negotiation and prevention of bidding down attacks.
  10. Consideration of operational aspects of key management.

5G Security Edge Protection Proxy (SEPP)

The SEPP is a security entity that is used to protect the application layer control plane messages between two 5G network functions (NFs) that belong to different public land mobile networks (PLMNs) and use the N32 interface to communicate with each other.

It performs various security-related tasks, such as mutual authentication and cipher suite negotiation with the SEPP in the roaming network, handling key management aspects, topology hiding, and providing a single point of access and control to internal NFs.

The SEPP also verifies the authorization of the sending SEPP to use the PLMN ID in the received N32 message, and implements rate-limiting and anti-spoofing mechanisms to defend against excessive signaling and address spoofing.

It also discards malformed N32 signaling messages and implements a mechanism for differentiating between certificates used for authentication of peer SEPPs and certificates used for authentication of intermediates performing message modifications.
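The receiving-side checks described above (rate limiting, discarding malformed messages, and verifying that the sending SEPP may use the PLMN ID it claims) can be sketched as one ordered decision. This is an added example, not code from the original article or from a SEPP implementation; the peer names, the PLMN table and the message fields are hypothetical, and the peer identity is assumed to come from the mutually authenticated connection.

```python
# Constructed peer table: PLMN IDs (MCC+MNC) that each authenticated peer SEPP
# is authorized to use. Peer names and message fields are hypothetical.
PEER_PLMNS = {
    "sepp.operator-a.example": {"00101"},
    "sepp.operator-b.example": {"99970", "99971"},
}
REQUIRED = ("plmn_id", "method", "path")


class N32Guard:
    def __init__(self, rate=5.0, burst=5):
        self.rate, self.burst = rate, burst   # refill per second, bucket size
        self.buckets = {}                     # peer -> (tokens, last_seen)

    def _within_rate(self, peer, now):
        tokens, last = self.buckets.get(peer, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[peer] = (tokens - 1 if allowed else tokens, now)
        return allowed

    def check(self, peer, msg, now):
        """Verdict for a message from the mutually authenticated `peer`."""
        if peer not in PEER_PLMNS:
            return "unknown-peer"
        if not self._within_rate(peer, now):      # counts malformed traffic too
            return "rate-limited"
        if not isinstance(msg, dict) or any(
                not isinstance(msg.get(f), str) for f in REQUIRED):
            return "malformed"
        plmn = msg["plmn_id"]
        if not (plmn.isascii() and plmn.isdigit() and len(plmn) in (5, 6)):
            return "malformed"
        if plmn not in PEER_PLMNS[peer]:          # anti-spoofing check
            return "plmn-not-authorized"
        return "accept"


def demo():
    guard, a = N32Guard(rate=1.0, burst=2), "sepp.operator-a.example"
    ok = {"plmn_id": "00101", "method": "POST", "path": "/example/v1/resource"}
    return [
        guard.check(a, ok, now=0.0),
        guard.check(a, dict(ok, plmn_id="99970"), now=0.0),
        guard.check(a, ok, now=0.0),
        guard.check(a, {"plmn_id": "00101"}, now=1.0),
        guard.check("sepp.unknown.example", ok, now=1.0),
    ]
```

The PLMN ID is compared against the set bound to the authenticated peer, so a valid PLMN ID belonging to a different roaming partner is still rejected.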

Protection of Attributes

When transferring attributes over the N32 interface, integrity protection shall be applied to all attributes.

Additionally, confidentiality protection shall be applied to certain specified attributes, including authentication vectors, cryptographic material, location data, and the Subscription Permanent Identifier (SUPI).

This is to ensure the security and confidentiality of these sensitive attributes as they are transmitted over the N32 interface.

In addition to the required attributes, it is recommended to also apply confidentiality protection to other specified attributes.

Security Entities in the 5G Core Network

The 5G System architecture introduces the following security entities in the 5G Core network, which need proper data protection mechanisms:

  • AUSF: AUthentication Server Function
  • ARPF: Authentication credential Repository and Processing Function
  • SIDF: Subscription Identifier De-concealing Function
  • SEAF: SEcurity Anchor Function

The Authentication Server Function (AUSF) is responsible for authenticating the UE’s identity and issuing a security context for the UE.

It does this by verifying the UE’s subscription credentials, which are stored in the Authentication credential Repository and Processing Function (ARPF).

The Subscription Identifier De-concealing Function (SIDF) is responsible for de-concealing the UE’s Subscription Permanent Identifier (SUPI) when it is received in a disguised form. This is done to protect the privacy of the UE’s identity.

The SEcurity Anchor Function (SEAF) is responsible for managing the security anchor, which is a long-term secret shared between the UE and the 5G Core network.

The security anchor is used to establish security contexts between the UE and the network, and is also used to authenticate the UE and the network to each other.

Network Slicing Security

Network slicing allows for the creation of multiple virtual networks on top of a shared 5G physical infrastructure.

Each virtual network, or “slice,” can be aligned to the specific needs and requirements of a particular use case or application, such as high-bandwidth connectivity for residential customers or low-latency connectivity for industrial IoT applications.

To ensure the security of these virtual networks, 5G uses a combination of encryption, authentication, and access control measures.

Encryption is used to protect user data as it travels across the network, while authentication is used to verify the identity of users and devices accessing the network.

To protect against threats in virtualized environments, 5G uses various security measures such as virtual machine (VM) isolation, firewalls, and intrusion detection and prevention systems.

Overall, 5G network slice security relies on a combination of encryption, authentication, access control, and NFV to protect against threats and ensure the integrity of the network.

We hope this article has given you detailed insight into 5G core security and its attributes. You can also read the 5G Security Consideration on gNB, UE and General Security requirements here.

Som D

Som is a Network and Cloud Security expert with 12+ years of experience in the field and years of experience in 5G Security. She has researched, tested and written hundreds of articles on a variety of topics such as Network Security, Cloud Security, Wireless Security, Networking Basics, Mobile Operators services guides and 5G Security. In addition to her professional pursuits, Som is also passionate about researching and publishing content on other education platforms covering network security, cloud security and 5G security. She also creates guides, walkthroughs, solutions and more to help others with their progression in the same field.