5G Security Research
at Nokia Bell Labs
• Peter Schneider
• ICT SICS Security Day, 11-05-2016
1 © Nokia Solutions and Networks 2016 Public
Agenda
• NGMN as a source of 5G security requirements
• 5G Security Vision
• TrustCom15: Further steps “Towards 5G Security”
• 5G-PPP projects - 5G NORMA
• 3GPP next generation security
• Elements of a 5G security architecture / 5G security research topics
• Examples: network slicing, network based anomaly detection, security orchestration
NGMN Alliance – An important source of views and recommendations
“5G Whitepaper”, Version 1.0, 17-February-2015:
• “enhanced performance is expected to be provided along ... with the capability to, among others, ensure security and trust, identity, and privacy”
• Mentions various requirements for improved security compared to 4G (next slide)
NGMN: Next Generation Mobile Network
Quotations from the NGMN “5G Whitepaper”
• “5G should be designed to provide more options beyond node-to-node and end-to-end security available in today’s mobile systems”
• “design of security solutions (e.g. key exchange/derivation protocols upon handover or when interworking with other RATs) should provide better secrecy than 4G”
• “Specific security design for use cases which require extremely low latency (including the latency of initiating communications)”
• “Improve resilience and availability of the network against signalling based threats, including overload”
• “Improve system robustness against smart jamming attacks of the radio signals and channels”
• “Improve security of 5G small cell nodes”
Substantial security requirements!
NGMN Alliance – An important source of views and recommendations
NGMN 5G Security Group:
• “does not make requirements, just recommendations”
• Recommendations concerning improvements of the access network, DoS protection (has been sent to 3GPP)
• Document on network slicing security, approval pending
• To come: Mobile edge computing, low latency, consistent user experience
5G Security Vision
[Figure: drivers and goals of the 5G security vision. Drivers: changing ecosystem, new use cases, new threats, new networking paradigms, automation, growing need for flexibility, growing need for dependability. Goals: supreme built-in security, flexible security mechanisms.]
Sound security concepts must be built into the 5G architecture right from the start!
5G Security Vision – a slightly deeper look
Higher level of security:
• Increased robustness against cyber attacks
• Enhanced privacy
• Security assurance
Higher flexibility in the selection of security mechanisms:
• Alternative identification and authentication procedures
• User plane encryption and integrity protection optional to use
• Adjust security mechanisms per network slice
Higher degree of security automation:
• Holistic security orchestration and management
• Self-adaptive, intelligent security controls
Foundation: proven network security concepts
• Standardized, e.g. 3GPP LTE security
• Non-standardized, e.g. traffic separation, security zones, secure OAM
• Secure software and platforms
IEEE-TrustCom-15: Further steps “Towards 5G Security”
From https://research.comnet.aalto.fi/Trustcom2015/index.html
• The “1st IEEE International Workshop on 5G Security”, organized by people from Nokia T&I Research, now Nokia Bell Labs
• Overall 5G security views of vendors: on this level not controversial
• Further presentations on security topics relevant for future networks
Nokia Contribution “Towards 5G Security”
Example: Security between mobile and network and on network interfaces
[Figure: LTE today versus 5G. LTE: non access stratum signaling security between UE and MME; access stratum security between UE and eNB; backhaul link security between eNB and Serv.-GW; core interface security between MME, Serv.-GW and PDN-GW on one side and HSS, PCRF and IMS / operator services on the other, with the PDN-GW connecting to the Internet. 5G: the corresponding security associations between the UE, the 5G-NB / 5G remote radio head, the local NFV platform, the aggregation cloud and the central cloud (with the Internet behind it) are all marked with question marks, i.e. still to be defined.]
5G PPP
• “The 5G PPP will deliver solutions, architectures, technologies and standards for the ubiquitous next generation communication infrastructures of the coming decade.” From https://5g-ppp.eu/
• 5G PPP Security Working Group: Various projects have shown interest
- 5G-ENSURE (initiator), 5G NORMA, 5G-SPEED, 5GEX, CHARISMA, COGNET, SELFNET, SESAME, VIRTUWIND
• 5G NORMA: A NOvel Radio Multiservice adaptive network Architecture for the 5G era, combining architecture and security work
[Figures: two slides with 5G NORMA architecture overview diagrams. Source: 5G NORMA Consortium]
5G NORMA Security
5G NORMA feature and the related security topic:
• NFV environments for core and RAN functions: NFV security (for central and distributed NFV environments)
• Software Defined Mobile Network Control (SDMC): SDN security, specialized for SDMC
• Mobile network multi-tenancy: Tenant isolation, network slicing security
• Multi-service awareness: Flexible security approach, e.g. choice of crypto-algorithms
• Adaptive allocation of functions, joint optimization of RAN and core: Flexible security approach, e.g. support for flexible allocation of security functions
5G NORMA: Radio Interface Security Termination Functions
[Figure: two placement options for the radio interface security termination function. Option 1: it runs in the bare metal RAN equipment next to the low layer functions; other RAN functions and core functions run in the cloud and are reached over secure communication. Option 2: only the low layer functions stay in the physically exposed bare metal RAN equipment; the radio interface security termination function moves into the secure environment of the cloud, and a backhaul link security termination function on each end protects the link between the bare metal equipment and the cloud. In both options the UE terminates radio interface security on its side.]
3GPP (3rd Generation Partnership Project)
• SA1 – Services (requirements):
- “SMARTER” Technical Report TR 22.891
- Four dedicated TRs on Massive Internet of Things (mIoT), Critical Communications (CriC), Enhanced Mobile Broadband (eMBB), Network Operation (NEO)
- An overview of security requirements in these reports is given by a current SA3 contribution (S3-160458)
• SA2 – Architecture: Study ongoing (TR 23.799), which includes an authentication framework as a topic to be investigated
• SA3 – Security: see next slide
• Security appears also in the work of RAN groups
SA: Service and System Aspects
3GPP SA 3
• SA3 – Security: Study agreed, skeleton of TR 33.899 exists, security “key issues” as well as solutions to be investigated
- ~60 contributions to SA3 Meeting #83 (this week), proposing various security areas, among them: network architectural aspects; network slices security; subscriber privacy; network virtualization; user awareness and control of security; security within NG UE; minimum security level assured by the UE; authentication methods, identifiers and credentials; authentication and authorisation; AAA; resilience; key hierarchy; key negotiation; user plane security; control plane security features; signaling plane security over relays; core network security; access network security; connectivity
- and a lot of key issues, partly already with solutions
LTE Security Aspects – A more detailed view
[Figure: LTE security features and key hierarchy. Features: Authentication and Key Agreement; non access stratum signaling security (UE to MME); user identity privacy; access stratum security (UE to eNB); UICC security; backhaul link security (eNB to Serv.-GW); core interface security (MME, Serv.-GW, PDN-GW towards HSS/AuC, PCRF, IMS / operator services, Internet); VoLTE/IMS security; secure environment in the eNB. Key hierarchy: K in UICC and AuC, KASME in UE and MME, KeNB in UE and eNB. In the UE protocol stack (PHY, MAC, RLC, PDCP, RRC) the crypto algorithms are applied in PDCP.]
More security aspects: Mobility (key separation in handovers), Home eNB, Relay Node, non-3GPP access, dual connectivity (LTE, LTE/WiFi), proximity services (incl. device-to-device communication), security assurance methods, …
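The key hierarchy K, KASME, KeNB and the "key separation in handovers" on this slide can be made concrete with the LTE key derivation functions of 3GPP TS 33.401 Annex A. The following is an added example written for this page by the editor, not code from the slides or from Nokia. It implements the generic KDF (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...), the KeNB, NH, KeNB* and AS algorithm key derivations with the FC values and parameter layouts of TS 33.401 (release-8 layout with a 2-byte EARFCN-DL), and a simplified handover step that contrasts horizontal derivation (chained from the source eNB's KeNB, so the source eNB can compute the target key) with vertical derivation (a fresh NH from the MME, which needs KASME and therefore gives forward security). The NCC bookkeeping is reduced to a single counter, and all key material is constructed sample data.

```python
"""LTE key hierarchy and handover key separation after 3GPP TS 33.401 Annex A.

Added example by the editor, not code from the slides or from Nokia. The KDF is
HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ..., using the FC values and
parameter layouts of TS 33.401 Annex A (release-8 layout, 2-byte EARFCN-DL).
The handover model is simplified to one NCC counter. Keys are constructed data.
"""
import hashlib
import hmac

# Algorithm type distinguishers for the AS keys (TS 33.401 Table A.7-1).
RRC_ENC, RRC_INT, UP_ENC = 0x03, 0x04, 0x05


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # Li = 2-octet length of Pi
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kenb(kasme: bytes, ul_nas_count: int) -> bytes:
    """KeNB from KASME and the 4-byte uplink NAS COUNT (A.3, FC = 0x11)."""
    return kdf(kasme, 0x11, ul_nas_count.to_bytes(4, "big"))


def derive_nh(kasme: bytes, sync_input: bytes) -> bytes:
    """Next Hop parameter (A.4, FC = 0x12). SYNC-input is KeNB for the first NH
    and the previous NH afterwards. Requires KASME: only UE and MME can do this."""
    return kdf(kasme, 0x12, sync_input)


def derive_kenb_star(key: bytes, pci: int, earfcn_dl: int) -> bytes:
    """KeNB* for a target cell (A.5, FC = 0x13). `key` is the current KeNB
    (horizontal derivation) or a fresh NH (vertical derivation)."""
    return kdf(key, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))


def derive_as_key(kenb: bytes, alg_type: int, alg_id: int) -> bytes:
    """RRC/UP algorithm key (A.7, FC = 0x15): the 128 least significant bits."""
    return kdf(kenb, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]


def initial_as_context(kasme: bytes, ul_nas_count: int):
    """Initial AS security context: (KeNB, NH, NCC) with NH = KeNB at NCC 0."""
    kenb = derive_kenb(kasme, ul_nas_count)
    return kenb, kenb, 0


def handover(kasme: bytes, kenb: bytes, nh: bytes, ncc: int,
             pci: int, earfcn_dl: int, fresh_nh: bool):
    """One handover step; returns (KeNB of the target cell, NH, NCC).

    Horizontal (fresh_nh=False): target key chained from the source KeNB, so
    the source eNB knows it and there is no forward security.
    Vertical (fresh_nh=True): the MME advances the NH chain with KASME; the
    source eNB cannot derive NH, so the target key is separated from it.
    """
    if fresh_nh:
        nh = derive_nh(kasme, nh)
        ncc += 1
        key = nh
    else:
        key = kenb
    return derive_kenb_star(key, pci, earfcn_dl), nh, ncc


if __name__ == "__main__":
    kasme = bytes(range(32))  # constructed sample KASME, not a real key
    kenb, nh, ncc = initial_as_context(kasme, ul_nas_count=7)
    k_h, _, _ = handover(kasme, kenb, nh, ncc, pci=1, earfcn_dl=1800, fresh_nh=False)
    k_v, nh, ncc = handover(kasme, kenb, nh, ncc, pci=1, earfcn_dl=1800, fresh_nh=True)
    print("KeNB          ", kenb.hex())
    print("KeNB* horiz.  ", k_h.hex())
    print("KeNB* vertical", k_v.hex(), "NCC", ncc)
    print("KRRCenc       ", derive_as_key(k_v, RRC_ENC, 1).hex())
```

Two things the block makes visible: the same source KeNB yields a different KeNB* for every target cell (PCI, EARFCN-DL), and the horizontally derived key is computable by the source eNB while the vertically derived one is not, because the NH step is keyed with KASME, which never leaves UE and MME.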
Elements of a 5G Security Architecture / Research Topics
• Authentication/authorization, key agreement: EPS-AKA, EAP-AKA’, EAP-xyz, others?
• Security negotiation, key hierarchy
• Enhanced C-plane robustness
• Enhanced subscriber privacy
• C/U-plane security: crypto algorithms, protocol layer for security, physical layer security, jamming protection
• NFV security, network slicing security, security assurance for NFV environments
• Subscriber Id, Device Id, credentials: (e/i)UICC, other security modules
• Security management and orchestration
• Security awareness and control
• Self-adaptive, intelligent security controls
[Figure: the topics are placed along the 5G remote radio head, local NFV platform, aggregation cloud and central cloud.]
Network Slicing Security
NGMN:
• (Sub-)network slice blueprint/instance
• Sharing subnetwork slice instances
• Security considerations
Source: NGMN 5G Whitepaper
Network slicing discussed in Research Projects, in 3GPP (SA1, SA2, SA3)
The obvious basic security requirement: Isolation!
Should be provided in the cloud by cloud security mechanisms.
Are we OK? Maybe not. Don’t know how to hack a hypervisor? Take a tutorial!
(https://www.troopers.de/events/troopers15/293_exploiting_hypervisors/ )
“Participants will learn about the […] security pitfalls of these platforms and will analyze and exploit three recent vulnerabilities in these hypervisors”
Holistic Security Management and Orchestration
[Figure: a Security Orchestrator (Trust Management, Hardening, Network Protection, Data Protection) with a Design layer (policies and topology) and an Automation layer (policies, compliance validation), mapped onto the ETSI NFV Reference Architecture: NFVO (network service lifecycle), VNF Manager (VNF lifecycle) and Virtual Infrastructure Manager (OpenStack, VMware vCenter/vCloud); VNFs including VSF; hypervisor security functions (KVM, VMware ESXi); PSF and the data center hardware security features for compute, storage and network (SDN).]
Example: Network based Anomaly Detection for IoT
[Figure: sense / analyze / decide / act loop over radio and core network. Sense: detailed real-time information about infected devices. Analyze: malware intelligence DB, correlation of traffic patterns. Decide: Security Insight dashboard for IoT and end user devices. Act: Action Engine with automated actions.]
Managed corporate IoT networks: known network architecture, known device types.
Uses device profiles and Telco data for detection and automated mitigation.
5G Security Vision
• Supreme built-in security
• Flexible security mechanisms
• Automation
Securing 5G networks is a multi-faceted, interesting and challenging task!
Questions?