This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to [email protected]
Hardening a (mission critical) service using 5G
Peter Haigh
Tech Director for Telecoms
UK National Cyber Security Centre
Hardening a (mission critical) service using 5G
• Intro to the Mission Critical System:
+ the security challenges of building an over-the-top service
• The Mission Critical System, 4G & 5G:
+ thoughts for security improvements in 5G phase 2.
(Presentation is standards-specific, not UK-specific).
Hardening a (mission critical) service using 5G, June 2018 2
Security of the Mission Critical System
Intro to the Mission Critical System
MC system uses:
• HTTP bearer:
  • Provisioning data
  • Configuration data
  • File upload/download
• Signalling bearer (SIP):
  • Majority of signalling content within embedded XML
  • Routed over IP bearer or operator’s IMS core
• Media bearer:
  • Unicast or multicast
  • Routed without modification by MC Domain
• ProSe & IOPS
[Diagram: control centres, user devices and Mission Critical IoT connect through the mobile network (APN), IMS core and SIP core to the MC Domain. The MC Domain contains the MCPTT, MCVideo and MCData servers, the Key Management, Configuration Management, Identity Management and Group Management servers, and is fronted by an HTTP Gateway, an SBC / MC Gateway and a Media Gateway.]
Security comparison: Mission Critical and TETRA
Isolation
  TETRA Security: Network ‘owned’ by customer. Isolated from commercial network.
  Mission Critical Security: Shared network resource. Can run on top of commercial network.
Network security
  TETRA Security: Bespoke to service (but similar to GSM).
  Mission Critical Security: Reuses LTE and IMS security.
Authentication
  TETRA Security: Handset-based authentication. Authentication provided by network.
  Mission Critical Security: Handset and user-based authentication. User authentication provided OTT.
Metadata security
  TETRA Security: Metadata within ‘own’ network hence is not protected.
  Mission Critical Security: Network security does not reach MC Domain so metadata may be protected OTT.
Media security
  TETRA Security: End-to-end media security is an optional feature that can be used. By default it is not protected.
  Mission Critical Security: End-to-end media security mandated as part of comprehensive OTT security model.
Mission Critical Security
• Three security layers:
  • LTE security
  • Signalling security (TLS for HTTP, IPsec to SIP core)
  • Application security (authentication, end-to-end media security)
• Each security layer acts independently of the others.
[Diagram: path from MC client through access edge and mobile core to HTTP GW / SIP core and on to the MC Domain, with the three layers shown as overlapping spans: air interface UP security, IMS security, MC application security.]
Mission Critical Authentication
[Diagram: the MC user application authenticates to the Identity Management Server; authorisation towards MC Network Entities is carried over HTTP and over SIP.]
• Client authenticates to the network,
• …then the SIP Core, providing subscription authentication to the MC domain,
• …then the user authenticates to the MC Domain.
• OpenID Connect 1.0 used for user authentication and authorisation.
• No restriction on the authentication methods used by the IdM.
• Tokens delivered over SIP and HTTP.
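As an added example (not code from the presentation, the NCSC or 3GPP), the checks an MC server should apply to an OpenID Connect access token delivered to it over SIP or HTTP before it authorises the user: pinned algorithm, signature, issuer, audience, validity window and presence of an MC service identity. The IdM issuer URL, the audience name, the claim name mc_service_id and the HS256 shared key are assumptions made so the example runs with the Python standard library; a real IdM would sign tokens with an asymmetric key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example (assumptions, not from the presentation):
# a shared HS256 key between the IdM server and the MC server, the IdM issuer
# URL, the audience name of this MC server and the claim carrying the MC
# service identity. A real IdM would sign tokens with an asymmetric key.
IDM_KEY = b"constructed-example-key-not-for-production"
IDM_ISSUER = "https://idm.example.mc/"
MC_SERVER_AUDIENCE = "mcptt-server.example.mc"
MC_ID_CLAIM = "mc_service_id"


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key=IDM_KEY):
    """Build an HS256 JWT as a toy IdM would; used here only to produce test input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, (header + "." + payload).encode(), hashlib.sha256).digest()
    return header + "." + payload + "." + _b64url_encode(signature)


def validate_token(token, key=IDM_KEY, now=None):
    """Checks an MC server should apply to a presented token, in order:
    structure, pinned algorithm, signature, issuer, audience, validity window,
    presence of the MC service identity. Raises ValueError naming the failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how to verify, not the token's header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signed_part = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(key, signed_part, hashlib.sha256).digest()
    # Verify the signature before trusting any claim in the payload.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != IDM_ISSUER:
        raise ValueError("wrong issuer")
    audience = claims.get("aud")
    audience = audience if isinstance(audience, list) else [audience]
    if MC_SERVER_AUDIENCE not in audience:
        raise ValueError("token not intended for this server")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if not claims.get(MC_ID_CLAIM):
        raise ValueError("no MC service identity in token")
    return claims


def token_status(token, now=None):
    """'ok' if the token passes every check, otherwise the reason it failed."""
    try:
        validate_token(token, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    sample = mint_token({"iss": IDM_ISSUER, "aud": MC_SERVER_AUDIENCE,
                         "nbf": 1000, "exp": 2000, MC_ID_CLAIM: "alice@example.mc"})
    print(token_status(sample, now=1500))   # constructed sample: ok
    print(token_status(sample, now=2500))   # constructed sample: token expired
```

The order of checks matters: the signature is verified before any claim is read, so a forged or altered payload can never influence which issuer or audience the server compares against, and the audience check stops a token minted for one MC server (for example MCPTT) being replayed against another.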
Mission Critical media protection
[Diagram, group comms: the Group Management Server provides group keying and the Key Management Server provides identity keying to the MC clients / MCPTT user applications; media is sent via the MCX server when online, control signalling when offline.]
[Diagram, private (one-to-one) comms: the Key Management Server provides identity keying to each MC client; media and control signalling shown offline between the two clients.]
• Media security is client-to-client – can be routed via network or directly (ProSe).
• Requires key provision by KMS (IDPKC), and key provision by GMS for group comms.
Protection of Mission Critical metadata
• LTE/IMS network security does not protect MC metadata up to the MC Domain.
• MC System defines optional application signalling security mechanism to protect this data.
[Diagram: initial client-server keying between MC client and MC Domain; the Key Management Server provides key download for key update and multicast keying; application plane signalling (XML, RTCP, MCData signalling) is protected between MC client and MC Domain.]
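An added illustration (not the presentation's or 3GPP's mechanism) of what application signalling security has to provide for the XML signalling that LTE/IMS security leaves unprotected up to the MC Domain: integrity protection under a key shared only by the client and the MC Domain, plus replay detection. The key CSK, the element name and the seq/mac attribute scheme are constructed for this example; the standardised mechanism also covers RTCP and MCData signalling and is not reproduced here.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed client-server key shared by one MC client and the MC Domain.
# Assumption for this example: in the MC system the client-server keying
# is established with the Key Management Server, not hard-coded.
CSK = b"constructed-client-server-key-example-only"


def _canonical_bytes(root):
    # Serialise the element as the MAC input. Real XML integrity protection
    # needs proper canonicalisation (C14N); ElementTree's serialiser is stable
    # between protect() and verify() here because both use the same parser.
    return ET.tostring(root, encoding="utf-8")


def protect(xml_body, seq, key=CSK):
    """Client side: bind a sequence number to the signalling body, then attach an
    HMAC-SHA256 over the whole element computed under the client-server key."""
    root = ET.fromstring(xml_body)
    root.set("seq", str(seq))
    root.set("mac", hmac.new(key, _canonical_bytes(root), hashlib.sha256).hexdigest())
    return ET.tostring(root, encoding="unicode")


class SignallingVerifier:
    """MC Domain side: verify the MAC, then reject replayed or reordered messages."""

    def __init__(self, key=CSK):
        self.key = key
        self.last_seq = -1

    def verify(self, xml_text):
        root = ET.fromstring(xml_text)
        mac = root.attrib.pop("mac", None)
        if mac is None:
            return False, "no mac"
        expected = hmac.new(self.key, _canonical_bytes(root), hashlib.sha256).hexdigest()
        # Constant-time comparison; integrity is checked before any content is used.
        if not hmac.compare_digest(expected, mac):
            return False, "bad mac"
        seq_text = root.get("seq")
        if seq_text is None:
            return False, "no seq"
        seq = int(seq_text)
        # A sequence number at or below the last accepted one is a replay.
        if seq <= self.last_seq:
            return False, "replay"
        self.last_seq = seq
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample signalling body; the element name is hypothetical.
    body = "<mc-signalling><group>group-1</group></mc-signalling>"
    verifier = SignallingVerifier()
    protected = protect(body, seq=1)
    print(verifier.verify(protected))                                  # (True, 'ok')
    print(verifier.verify(protected))                                  # (False, 'replay')
    print(SignallingVerifier().verify(protected.replace("group-1", "group-2")))  # (False, 'bad mac')
```

The point the slide makes is that this protection is applied end to end between the client and the MC Domain, so an intermediate SIP core or IMS that can read the XML cannot alter it or re-inject an old message without the verifier noticing; the MAC covers the sequence number, so a replayed message cannot simply be renumbered.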
The Mission Critical System, 4G and 5G
Mission Critical and 4G
• LTE/IMS provides the following to the MC System:
  • Unicast/Multicast/IOPS/ProSe bearer
  • IMS: subscription authentication & SIP transport
  • Prioritisation
• Integration between the LTE/IMS network and the MC domain is pretty limited.
Mission Critical and 5G Phase 1(?)
• Use of IMS/multicast/ProSe/IOPS?
• Use of NEF/CAPIF?
• Which subscriber’s data is reaching me? Use of secondary authentication?
Looking to 5G Phase 2
Considering the (mission critical) service as a 5G network slice:
As a customer, the slice should feel like a natural extension to my service
Security questions:
• Does using a slice make my life easier?
• Can I trust your network with the data in my slice?
• Is my device & slice effectively isolated from attack?
• Can I access data about my devices accessing my service?
• Is the data securely delivered to my slice?
5G Phase 2: Slice virtualisation security requirements?
5G Phase 2: Isolating slices from external attack?
[Diagram, labelled elements: MC client, Access Network, Core, MC Network Slice, MC Domain, External networks.]
5G Phase 2: Consistent user plane access security?
[Diagram, labelled elements: two MC clients on two Access Networks, User plane security gateway, Trusted Core, SBA, MC Network Slice, MC Domain, Protected perimeter.]
Conclusion
Successful 5G slicing will do the following:
• Make it easy to launch a (secure) service.
• Run in a trusted network and on trusted hosts.
• Slice security/isolation will be configurable dynamically.
• Provide a ‘private line’:
  • Deliver my user’s data securely into my slice.
  • Automatically associate delivered data with my device/user.
  • Be the edge firewall for both my service and my device.
Questions?