Read the book NG-RAN and 5G-NR - Frédéric Launay - Page 28

1.5. Security architecture


The security architecture implemented on the 5G mobile is based on:

1 – mutual authentication between the 5GC core network and mobile (UICC);

2 – ciphering and integrity of NAS signaling messages exchanged between the mobile and the AMF;

3 – AS security through the 5G-NR radio interface between the mobile and the NG-RAN node. Security concerns the integrity control and encryption of RRC messages and IP packets. Integrity on IP packets is optional.

Data integrity:

1 – ensures that the data have not been altered by a third party between transmission and reception;

2 – verifies the transmitting source;

3 – ensures that a message already received is not reused.

Encryption ensures the confidentiality of data exchanged between two entities.

The security of the NAS and AS messages consists of deriving different keys at the level of the mobile and at the level of the following entities (Figure 1.11):

1 – The AMF:

   – KAMF key;

   – KNASint key from the KAMF key for the integrity check of the NAS signaling;

   – KNASenc key from the KAMF key for the encryption of the NAS signaling.

2 – The radio node:

   – KgNB key from the KAMF key;

   – KRRCenc key derived from the KgNB key for the encryption of RRC signaling on the 5G-NR interface;

   – KRRCint key derived from the KgNB key for the integrity check of RRC signaling on the 5G-NR interface;

   – KUPenc key derived from the KgNB key for encrypting IP traffic on the 5G-NR interface;

   – optionally, a KUPint key derived from the KgNB key for the integrity check of IP traffic on the 5G-NR interface.


Figure 1.11. Security architecture

The mobile must support the NAS security based on information transmitted by the 5G core network and AS security, according to the indications sent by the NG-RAN access node.

5G security is based on the use of:

1 – NEA encryption algorithms (Encryption Algorithm for 5G);

2 – NIA (Integrity Algorithm for 5G) integrity control algorithms;

3 – KUPenc, KRRCenc and KNASenc encryption keys of 128 bits.

The encryption and integrity control algorithms are similar to those used on the LTE interface:

1 – NEA0/NIA0: null algorithms (no ciphering, no integrity protection);

2 – 128-NEA1/128-NIA1: SNOW 3G algorithm (stream cipher);

3 – 128-NEA2/128-NIA2: AES algorithm (block cipher);

4 – 128-NEA3/128-NIA3: ZUC algorithm (stream cipher).
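The key hierarchy described above can be reproduced with the 3GPP key derivation function. The following is an added example, not code from the book: the HMAC-SHA-256 construction, the FC values and the algorithm type distinguishers are taken from 3GPP TS 33.501 Annex A rather than from this page, the KAMF value is constructed, and the same NEA/NIA pair is assumed for NAS and AS for brevity.

```python
import hashlib
import hmac

# Constants below follow 3GPP TS 33.501 Annex A (they are not stated on this page).
FC_ALG_KEY = 0x69   # algorithm key derivation (Annex A.8)
FC_KGNB = 0x6E      # KgNB derivation from KAMF (Annex A.9)
ALG_TYPE = {"NAS-enc": 0x01, "NAS-int": 0x02, "RRC-enc": 0x03,
            "RRC-int": 0x04, "UP-enc": 0x05, "UP-int": 0x06}
ALG_ID = {"NEA0": 0, "128-NEA1": 1, "128-NEA2": 2, "128-NEA3": 3,
          "NIA0": 0, "128-NIA1": 1, "128-NIA2": 2, "128-NIA3": 3}


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # each parameter is followed by its length
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kgnb(kamf: bytes, uplink_nas_count: int, access_type: int = 0x01) -> bytes:
    """KgNB (256 bits) from KAMF; access_type 0x01 means 3GPP access."""
    return kdf(kamf, FC_KGNB, uplink_nas_count.to_bytes(4, "big"), bytes([access_type]))


def derive_alg_key(parent: bytes, usage: str, algorithm: str) -> bytes:
    """128-bit algorithm key: the 128 least significant bits of the KDF output."""
    out = kdf(parent, FC_ALG_KEY, bytes([ALG_TYPE[usage]]), bytes([ALG_ID[algorithm]]))
    return out[16:]


def derive_hierarchy(kamf: bytes, uplink_nas_count: int, nea: str, nia: str) -> dict:
    """NAS keys come from KAMF (AMF side), AS keys from KgNB (radio node side)."""
    kgnb = derive_kgnb(kamf, uplink_nas_count)
    return {
        "KNASenc": derive_alg_key(kamf, "NAS-enc", nea),
        "KNASint": derive_alg_key(kamf, "NAS-int", nia),
        "KRRCenc": derive_alg_key(kgnb, "RRC-enc", nea),
        "KRRCint": derive_alg_key(kgnb, "RRC-int", nia),
        "KUPenc": derive_alg_key(kgnb, "UP-enc", nea),
        "KUPint": derive_alg_key(kgnb, "UP-int", nia),
    }


if __name__ == "__main__":
    kamf = bytes(range(32))  # constructed 256-bit KAMF, not a real key
    for name, key in derive_hierarchy(kamf, 0, "128-NEA2", "128-NIA2").items():
        print(f"{name}: {key.hex()}")
```

Because the algorithm type distinguisher and the algorithm identity are both inputs to the derivation, every key in the hierarchy is different, and disclosure of one of them does not reveal the others or the parent key.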

Encryption and integrity are based on the following parameters:

1 – a 32-bit counter;

2 – the bearer identity, coded on 5 bits;

3 – the direction of the connection, coded on one bit;

4 – the length of the message.


Figure 1.12. Ciphering and integrity
