5G End-to-End Security, General Security, gNB Security, UE Security

5G has the potential to transform industries and change the way we interact with the world. However, with these new capabilities comes a greater need for security.

In this blog post, we’ll take a look at the end-to-end security measures that have been put in place to ensure the safety and integrity of 5G networks and data.

We will explore the various components of a 5G system and the security measures that have been put in place to protect against threats such as unauthorized access, man-in-the-middle attacks, and interception of user data.

Whether you are a business looking to adopt 5G technology or an individual interested in learning more about 5G security, this blog post will provide a comprehensive overview of the end-to-end 5G security measures those needs to consider in place to protect 5G networks and data.

In this blog post, 5G security has been segregated into general security requirements, security on gNB node and UE (User equipment) end for better clarification.

In another blog post, 5G Core Security also has been discussed in more details.

1. 5G General Security Implementation

Mitigation of Bidding Down Attacks

A bidding down attack is an attempt by an attacker to make the user equipment (UE) and the network devices to believe that the other side does not support a certain security feature, even when both sides actually support that feature.

This could potentially compromise the security of the system. To prevent this type of attack, measures must be taken to ensure that the UE and network entities cannot be fooled into believing that the other side does not support a certain security feature.

Authentication and Authorization

The 5G system must satisfy certain requirements for authentication and authorization to ensure the security of the system.

Also Read:  GSMA 5G Cybersecurity Knowledge Base

5G Security Authentication and Authorization requirements include the following:

  • Subscription Authentication: The serving network must authenticate the Subscription Permanent Identifier (SUPI) of the UE node at the time of the authentication and key agreement process between the UE and network.
  • Serving Network Authentication: The UE must authenticate the serving network identifier through the use of keys resulting from the authentication and key agreement process in subsequent procedures.
  • UE Authorization: The serving network must authorize the UE based on the authenticated SUPI and the subscription profile obtained from the home network.
  • Serving Network Authorization by Home Network: The UE node must be able to sure that it is connected to a serving network that is authorized by the home network to provide services to the UE. This authorization is implied by a successful authentication and key agreement process.
  • Access Network Authorization: The UE must be assured that it is connected to an access network that is authorized by the serving network to provide services to the UE. This authorization is implied by the successful establishment of access network security.
  • Unauthenticated Emergency Services: In certain regions or countries, the 5G system must support unauthenticated access for emergency services to meet regulatory requirements. This requirement only applies to serving networks in regions where unauthenticated emergency services are allowed by regulation. Serving networks in regions or countries where unauthenticated emergency services are not allowed must not support this feature.

2. 5G Security on the gNB (gNodeB)

Below are the key points to consider the full security implementation on 5G gNB (gNodeB):

  • The gNB shall support ciphering of user data and RRC-signalling between the UE and the gNB. Ciphering algorithms NEA0, 128-NEA1, 128-NEA2 and 128-NEA3 may be implemented. Confidentiality protection is optional to use on gNB.
  • The gNB shall support integrity protection and replay protection of user data and RRC-signalling between the UE and the gNB. Integrity protection algorithms NIA0, 128-NIA1, 128-NIA2 and 128-NIA3 may be implemented. Integrity protection of user data is optional to use and NIA0 shall not be used. Integrity protection of RRC signalling is mandatory, except for unauthenticated emergency calls.
  • The gNB shall authenticate and authorize setup and configuration by O&M systems, and support confidentiality, integrity and replay protection of communication between the O&M systems and the gNB.
  • The gNB shall ensure that software/data change attempts and software transfer towards the gNB are authorized and the integrity of software transfer is protected.
  • The gNB shall protect keys stored or processed in cleartext, and support key-wrapping and key-transport mechanisms for keys that need to be transferred between entities.
  • The gNB shall support secure boot and secure firmware updates, and ensure that the integrity and authenticity of the boot process and firmware are protected.
Also Read:  5G RAN Architecture: Nodes and Components

3. 5G UE (User Equipment) Security

Below are the key points to consider for full-edge security implementation on 5G UE(User Equipment) nodes:

  • The support and use of ciphering and integrity protection between the UE and the ng-eNB must be the same as the support and use of ciphering and integrity protection between the UE and the eNB (eNodeB).
  • The PEI must be securely stored in the UE to ensure its integrity.
  • The UE must support ciphering of user data and signalling data between itself and the gNB.
  • The UE must activate ciphering of user data based on the indication sent by the gNB
  • The UE must implement certain ciphering algorithms, including NEA0, 128-NEA1, 128-NEA2 and optionally 128-NEA3.
  • Confidentiality protection of user data between the UE and the gNB is optional, while confidentiality protection of signalling data is optional except in certain cases.
  • The UE must support integrity protection and replay protection of user data and signalling data.
  • The UE must implement certain integrity protection algorithms, including NIA0, 128-NIA1, 128-NIA2 and optionally 128-NIA3.
  • Integrity protection of user data is optional, while integrity protection of signalling data is mandatory except in certain cases.
  • The subscription credentials used to access the 5G network must be stored and processed securely within the UE using a tamper resistant secure hardware component
  • The UE must support 5G-GUTI and ensure the privacy of the SUPI and any other subscription information.
  • The UE must implement certain security features to protect against threats such as cloning and unauthorized access.
  • The UE must support the secure boot process and secure update mechanism to ensure the integrity and authenticity of software and configuration data.
Photo of author

Som D

Som is Network and Cloud Security expert with 12+ years of experience in the field and years of experience into 5G Security. She has researched, tested and written hundreds of articles on a variety of topics such as Network Security, Cloud Security, Wireless Security, Networking Basics, Mobile Operators services guides and 5G Security. In addition to her professional pursuits, Som is also a passionate into researching and publishing the content on other education platforms surrounding network security, cloud security and 5G security. She also creates guides, walkthroughs, solutions and more to help others with their progression in the same field.