This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk

Hardening a (mission critical) service using 5G

Peter Haigh

Tech Director for Telecoms

UK National Cyber Security Centre

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk

Hardening a (mission critical) service using 5G

• Intro to the Mission Critical System:

+ the security challenges of building an over-the-top service

• The Mission Critical System, 4G & 5G:

+ thoughts for security improvements in 5G phase 2.

(Presentation is standards-specific, not UK-specific).

Hardening a (mission critical) service using 5G, June 2018 2

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk

Security of the Mission Critical System

Hardening a (mission critical) service using 5G, June 2018 3

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk

Intro to the Mission Critical System

MC system uses:

• HTTP bearer:• Provisioning data• configuration data• file upload/download

• Signalling bearer (SIP)• Majority of signalling content within

embedded XML• Routed over IP bearer or operator’s IMS

core.

• Media bearer • Unicast or multicast• Routed without modification by MC

Domain

• ProSe & IOPS

Hardening a (mission critical) service using 5G, June 2018 4

SIPCore

Mobile NetworkAPN

IMS Core

Control centres, User Devices, Mission Critical IoT

MC Domain

MCPTT Servers

Key Management

Server

Configuration Management

Server

Identity Management

Server

MCVideo Servers

MCData Servers

Group Management

Server

APN

HTTP Gateway SBC / MC GatewayMedia Gateway

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk

Security comparison: Mission Critical and TETRA

Hardening a (mission critical) service using 5G, June 2018 5

TETRA Security Mission Critical Security

Isolation Network ‘owned’ by customer. Isolated from commercial network.

Shared network resource. Can run on top of commercial network

Network security

Bespoke to service (but similar to GSM) Reuses LTE and IMS security.

Authentication Handset-based authentication. Authentication provided by network.

Handset and user-based authentication. User authentication provided OTT.

Metadata security

Metadata within ‘own’ network hence is not protected

Network security does not reach MC Domain so metadata may be protected OTT.

Media security End-to-end media security is an optional feature that can be used. By default it is not protected.

End-to-end media security mandated as part of comprehensive OTT security model.

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk

Mission Critical Security

• Three security layers:• LTE security• Signalling security (TLS for HTTP , IPSec to SIP core)• Application security (authentication, end-to-end media security)

• Each security layer acts independently of the others.

Hardening a (mission critical) service using 5G, June 2018 6

MC client Access edge Mobile core HTTP GW / SIP core

MC Domain

Air interface UP security

IMS security

MC application security

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk

Mission Critical Authentication

Hardening a (mission critical) service using 5G, June 2018 7

MC user application

Identity Management

Server

MC Network Entities

Authorisation over HTTP

Authentication

MC Network Entities

Authorisationover SIP

• Client authenticates to the network,

• …then the SIP Core, providing subscription authentication to the MC domain,

• …then the user authenticates to the MC Domain.

• OpenID connect 1.0 used for user authentication and authorisation.

• No restriction on the authentication methods used by the IdM.

• Tokens delivered over SIP and HTTP.

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk

Mission Critical media protection

v

Hardening a (mission critical) service using 5G, June 2018 8

Group Management

Server

Group Keying

Key Management

ServerIdentity Keying

MC clientMCPTT user applications

MCPTT user applicationsMC clients

Identity Keying

Group Keying

Media (sent via MCX server when online)

Control Signalling(when offline)

MCX Server

Key Management

ServerIdentity Keying

MC client MC client

Identity Keying

Media (offline)

Control Signalling(offline)

Group comms: Private (one-to-one) comms:

• Media security is client-to-client – can be routed via network or directly (ProSe).• Requires key provision by KMS (IDPKC), and key provision by GMS for group comms.

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk

Protection of Mission Critical metadata

• LTE/IMS network security does not protect MC metadata up to the MC Domain.• MC System defines optional application signalling security mechanism to protect this data.

Hardening a (mission critical) service using 5G, June 2018 9

MC client

MC Domain

Initial Client-Server

keying

MC client

MC Domain

Key Management

Server

Application plane

Signalling(XML, RTCP,

MCData signalling)

Key download for key update

and multicast keying

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk

The Mission Critical System, 4G and 5G

Hardening a (mission critical) service using 5G, June 2018 10

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk

Mission Critical and 4G

• LTE/IMS provides the following to the MC System:

• Unicast/Multicast/IOPS/ProSe bearer

• IMS: Subscription authentication & SIP transport

• Prioritisation

• Integration between the LTE/IMS network and the MC domain is pretty limited.

Hardening a (mission critical) service using 5G, June 2018 11

Mission Critical and 5G Phase 1(?)

• Use of IMS/multicast/ProSe/IOPS?• Use of NEF/CAPIF?• Which subscriber’s data is reaching me? Use of secondary authentication?

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk

Looking to 5G Phase 2

Considering the (mission critical) service as a 5G network slice:

As a customer, the slice should feel like a natural extension to my service

Security questions:

• Does using a slice make my life easier?

• Can I trust your network with the data in my slice?

• Is my device & slice effectively isolated from attack?

• Can I access data about my devices accessing my service?

• Is the data securely delivered to my slice?

Hardening a (mission critical) service using 5G, June 2018 12

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk

5G Phase 2: Slice virtualisation security requirements?

Hardening a (mission critical) service using 5G, June 2018 13

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk

5G Phase 2: Isolating slices from external attack?

Hardening a (mission critical) service using 5G, June 2018 14

AccessNetwork Core

MC client

MC Network Slice MC Domain

External networks

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk

5G Phase 2: Consistent user plane access security?

Hardening a (mission critical) service using 5G, June 2018 15

AccessNetwork

Trusted Core

MC Network Slice MC Domain

AccessNetwork

User plane security gateway

MC client

MC client

SBA

Protected perimeter

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk

Conclusion

Successful 5G slicing will do the following:

• Make it easy to launch a (secure) service.

• Run on a trusted in a network and on trusted hosts.

• Slice security/isolation will be configurable dynamically.

• Provide a ‘private line’:

• Deliver my user’s data securely into my slice.

• Automatically associate delivered data with my device/user.

• Be the edge firewall for both my service and my device.

Hardening a (mission critical) service using 5G, June 2018 16

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk

Questions?

Hardening a (mission critical) service using 5G, June 2018 17