5G-ENSURE_D2.1 Use Cases

DeliverableD2.1UseCases

Projectname 5GEnablersforNetworkandSystemSecurityandResilienceShortname 5G-ENSUREGrantagreement 671562Call H2020-ICT-2014-2Deliverydate 2016-02-01DisseminationLevel: PublicLeadbeneficiary EAB GöranSelander,[email protected] EAB:MatsNäslund,GöranSelander

ITINNOV:StephenPhillips,BassemNasserLMF:VesaTorvinen,VesaLehtovirtaNEC:FelixKlaedtkeNIXU:SeppoHeikkinen,TommiPernilä,AlexanderZaharievORANGE:GhadaArfaoui,JoséSanchez,Jean-PhilippeWaryUOXF:PiersO'HanlonSICS:MartinSvensson,RosarioGiustolisiTASE:GorkaLendrino,CarlaSalasTIIT:MadalinaBaltatu,LucianaCostaVTT:JanneVehkaperä,OlliMämmelä,JaniSuomalainen

D2.1UseCases

6715625G-ENSURE 2

Executivesummary

Thisdocumentdescribesanumberofusecasesillustratingsecurityandprivacyaspectsof5Gnetworks.Basedonsimilaritiesintechnical,serviceand/orbusiness-modelrelatedaspects,theusecasesaregroupedintousecaseclusterscoveringawidevarietyofdeploymentsincluding,forexample,theInternetofThings,SoftwareDefinedNetworksandvirtualization,ultra-reliableandstandaloneoperations.Theusecasesaddresssecurityandprivacyenhancementsofcurrentnetworksaswellassecurityandprivacyfunctionalityneededbynew5Gfeatures.Eachusecaseisdescribedinacommonformatwhereactors,assumptionsandasequenceofstepscharacterisingtheusecasearepresentedtogetherwithashortanalysisofthesecuritychallengesandthepropertiesofasecuritysolution.Eachusecaseclusterdescriptionisconcludedwitha“5GVision”outliningtheassociatedenhancementsinsecurityandprivacyanticipatedin5Gnetworksandsystems.Asummaryofthe5Gvisionsandconclusionsareprovidedattheendofthedocument.

D2.1UseCases

6715625G-ENSURE 3

Foreword

Theoverallobjectiveof5G-ENSURE(seeSection1.1)istobecomethereferenceprojectforeverythingthatconcernssecurityandprivacyin5Gwhilecontributingto5Gresilience.Toachievethisoverallambitionanumberofspecificobjectivesaretargeted,including:

• Collect,analyseandprioritize5Gsecurityandprivacyrequirements• Defineasecurityarchitecturefor5G• Specify,developandtestaninitialsetofsecurityandprivacyenablersfor5G

Thesethreeobjectivesareinpartdependentonanalysing5Gsecurityrelevantusecases,whichisthecontentofthisdeliverableD2.1.HenceD2.1providesinputtotheworkonTrustModel(Task2.2),RiskAssessment,MitigationandRequirements(Task2.3)andtheSecurityArchitecture(Task2.4)withintheproject.Theusecasespresentedhereinalsoservetoprovideinitial“blue-prints”fortherequiredfunctionalityoftheso-calledsecurityenablersdevelopedbyWP3of5G-ENSURE.

D2.1isoneinstanceofthe5G-ENSUREmeasurableresultsandoneofthemilestones(MS2)ofthe5G-ENSUREproject.D2.1isthefirsttechnicaldeliverableoftheprojectandhenceisnotdependentonanyprevioustechnicaldeliverablewithintheproject.Theexternalsourcesforthisdeliverable,however,includeotherparallelprojectsrunningwithintheoverall5G-PPPand,conversely,cross-PPPcoordinationactivitiesareinplacetodisseminatetheresultstoother5G-PPPprojects.

Disclaimer

Theinformationinthisdocumentisprovided‘asis’,andnoguaranteeorwarrantyisgiventhattheinformationisfitforanyparticularpurpose.

TheECflaginthisdeliverableisownedbytheEuropeanCommissionandthe5GPPPlogoisownedbythe5GPPPinitiative.Theuseoftheflagandthe5GPPPlogotypereflectsthat5G-ENSUREreceivesfundingfromtheEuropeanCommission,integratedinits5GPPPinitiative.Apartfromthis,theEuropeanCommissionorthe5GPPPinitiativehavenoresponsibilityforthecontent.

AllUseCasesinvestigatedinthisdeliverableareintheresearchcontextofafuture5Gnetworkanddonotentailanycommitmenttobeimplementedinexisting2/3/4Gstandards.Allreferencesto4G/LTEorEPCplatformsareusedforillustrationofUseCasesandarenotcommittingtheprojectinanywaytoapredefined5Ginfrastructure(asaniterationonlyofexisting4Gstandardsforinstance).

Copyrightnotice

©2015-20175G-ENSUREConsortium

D2.1UseCases

6715625G-ENSURE 4

Contents1 Introduction................................................................................................................................................7

1.1 5G-ENSURE..........................................................................................................................................8

1.2 Glossary...............................................................................................................................................8

1.3 Abbreviations.......................................................................................................................................9

2 Background...............................................................................................................................................10

3 Cluster1:IdentityManagement...............................................................................................................12

3.1 Introduction.......................................................................................................................................12

3.2 Actors.................................................................................................................................................12

3.3 UseCases...........................................................................................................................................12

3.3.1 UseCase1.1:FactoryDeviceIdentityManagementfor5GAccess............................................12

3.3.2 UseCase1.2:UsingEnterpriseIdentityManagementforBootstrapping5GAccess.................14

3.3.3 UseCase1.3:SatelliteIdentityManagementfor5GAccess......................................................17

3.3.4 UseCase1.4:MNOIdentityManagementService.....................................................................20

3.4 5GVision............................................................................................................................................21

4 Cluster2:EnhancedIdentityProtectionandAuthentication...................................................................22

4.1 Introduction.......................................................................................................................................22

4.2 Actors.................................................................................................................................................22

4.3 UseCases...........................................................................................................................................22

4.3.1 UseCase2.1:DeviceIdentityPrivacy.........................................................................................22

4.3.2 UseCase2.2:SubscriberIdentityPrivacy...................................................................................23

4.3.3 UseCase2.3:EnhancedCommunicationPrivacy.......................................................................24

4.4 5GVision............................................................................................................................................25

5 Cluster3:IoTDeviceAuthenticationandKeyManagement....................................................................26

5.1 Introduction.......................................................................................................................................26

5.2 Actors.................................................................................................................................................26

5.3 UseCases...........................................................................................................................................26

5.3.1 UseCase3.1:AuthenticationofIoTDevicesin5G.....................................................................26

5.3.2 UseCase3.2:Network-BasedKeyManagementforEnd-to-EndSecurity.................................29

5.4 5GVision............................................................................................................................................31

6 Cluster4:AuthorizationofDevice-to-DeviceInteractions.......................................................................32

6.1 Introduction.......................................................................................................................................32

6.2 Actors.................................................................................................................................................32

6.3 UseCases...........................................................................................................................................32

D2.1UseCases

6715625G-ENSURE 5

6.3.1 UseCase4.1:AuthorizationinResource-ConstrainedDevicesSupportedby5GNetwork.......32

6.3.2 UseCase4.2:AuthorizationforEnd-to-EndIPConnections......................................................33

6.3.3 UseCase4.3:Vehicle-to-Everything(V2X).................................................................................34

6.4 5GVision............................................................................................................................................35

7 Cluster5:Software-DefinedNetworks,VirtualizationandMonitoring....................................................36

7.1 Introduction.......................................................................................................................................36

7.2 Actors.................................................................................................................................................37

7.3 UseCases...........................................................................................................................................37

7.3.1 UseCase5.1:VirtualizedCoreNetworks,andNetworkSlicing..................................................37

7.3.2 UseCase5.2:Addinga5GNodetoaVirtualizedCoreNetwork................................................38

7.3.3 UseCase5.3:ReactiveTrafficRoutinginaVirtualizedCoreNetwork.......................................41

7.3.4 UseCase5.4:VerificationoftheVirtualizedNodeandtheVirtualizationPlatform..................42

7.3.5 Usecase5.5:ControlandMonitoringofSlicebyServiceProvider............................................43

7.3.6 UseCase5.6:IntegratedSatelliteandTerrestrialSystemsMonitor..........................................45

7.4 5GVision............................................................................................................................................48

8 Cluster6:RadioInterfaceProtection........................................................................................................49

8.1 Introduction.......................................................................................................................................49

8.2 Actors.................................................................................................................................................49

8.3 UseCases...........................................................................................................................................49

8.3.1 UseCase6.1:AttachRequestDuringOverload..........................................................................49

8.3.2 UseCase6.2:UnprotectedUserPlaneonRadioInterface.........................................................50

8.4 5GVision............................................................................................................................................51

9 Cluster7:MobilityManagementProtection............................................................................................52

9.1 Introduction.......................................................................................................................................52

9.2 Actors.................................................................................................................................................52

9.3 UseCases...........................................................................................................................................52

9.3.1 UseCase7.1:UnprotectedMobilityManagementExposesNetworkforDenialofService......52

9.4 5GVision............................................................................................................................................54

10 Cluster8:Ultra-ReliableandStandaloneOperations..............................................................................55

10.1 Introduction.....................................................................................................................................55

10.2 Actors...............................................................................................................................................55

10.3 UseCases.........................................................................................................................................55

10.3.1 UseCase8.1:Satellite-CapableeNB.........................................................................................55

10.3.2 UseCase8.2:StandaloneEPC..................................................................................................56

D2.1UseCases

6715625G-ENSURE 6

10.4 5GVision..........................................................................................................................................57

11 Cluster9:TrustedCoreNetworkandInterconnect................................................................................58

11.1 Introduction.....................................................................................................................................58

11.2 Actors...............................................................................................................................................58

11.3 UseCases.........................................................................................................................................58

11.3.1 UseCase9.1:AlternativeRoamingin5G.................................................................................58

11.3.2 UseCase9.2:PrivacyinContext-AwareServices.....................................................................60

11.3.3 UseCase9.3:AuthenticationofNewNetworkElements........................................................61

11.4 5GVision..........................................................................................................................................63

12 Cluster10:5GEnhancedSecurityServices.............................................................................................64

12.1 Introduction.....................................................................................................................................64

12.2 Actors...............................................................................................................................................64

12.3 UseCases.........................................................................................................................................64

12.3.1 UseCase10.1:BotnetMitigation............................................................................................64

12.3.2 UseCase10.2:PrivacyViolationMitigation.............................................................................66

12.3.3 UseCase10.3:SIM-basedand/orDevice-basedAnonymization.............................................67

12.4 5GVision..........................................................................................................................................68

13 Cluster11:LawfulInterception...............................................................................................................69

13.1 Introduction.....................................................................................................................................69

13.2 Actors...............................................................................................................................................69

13.3 UseCases.........................................................................................................................................70

13.3.1 UseCase11.1:LawfulInterceptioninaDynamic5GNetwork................................................70

13.3.2 UseCase11.2:End-to-endEncryptioninLI-awarenetwork...................................................72

13.4 5GVision..........................................................................................................................................74

14 Summary:UseCaseClusters...................................................................................................................75

15 Conclusions..............................................................................................................................................77

D2.1UseCases

6715625G-ENSURE 7

1 IntroductionThisdocumentdescribesusecasesillustratingsecurityandprivacyaspectsof5Gnetworks.Theseusecasesprovideabasisforunderstanding5Gsecurityandwillbeusedinseveralwayswithinthe5G-ENSUREproject(seeSection1.1):

• Theprojectwillanalysepotentialthreatsandvulnerabilities,andidentifysecurityandprivacyrequirementsbasedontheseusecases.

• Theusecaseswillbeusedtodefineatrustmodelbetweenthevariousactorsina5Gsystemaddressingthemultiplicityofactorsandalsotakingintoaccountthemachine-to-machineinteractionscharacterisingnextgenerationnetworks.

• TheusecasesprovideinputtothesecurityenablersinscopeoftheprojectcoveringtheareasAAA,Privacy,Trust,SecurityMonitoring,andNetworkManagement&VirtualisationIsolation.

• Theitemsabove,aswellastheusecasesthemselves,arethemajorbuildingblocksusedtodefinethe5Gsecurityarchitectureintheproject.Cross-PPPcoordinationactivitiesareinplacetodisseminatetheresultstootherprojectsofthe5G-PPP.

Theusecases illustratespecific5Grelatedsecuritychallenges.Therearetwocategoriesofusecasesandassociatedchallenges:

1. Forusecasesillustratingsecurityissuesinheritedfromcurrentgenerationnetworks,thechallengeistoprovideanimprovedlevelofsecurityandprivacy.1

2. Forusecasesillustratingnewfeaturesintroducedin5G,e.g.supportforMachineTypeCommunications(MTC)andSoftwareDefinedNetworks(SDN),thechallengeistoprovideanappropriatelevelofsecurityandprivacy,aswellaspotentialnewsecurityfunctionalityillustratedbytheusecase.

Inthefirstcategoryofusecase,thefocusisonthevulnerabilitiesandpotentialcountermeasuresaddressingtheidentifiedsecurityissues.Inthesecondkindofusecasethefocusisontheadditionalsecurityfunctionalityneededtosupportthenewfeatures.

Thisprocessofgeneratingusecasesmayhypotheticallyresultinnewdesired5Gsecurityfeaturesforwhichitishardoreveninfeasibletoprovidesolutionswhicharebothcost-efficientandadequate.However,thepurposeofthisdeliverableisneithertodoriskanalysis,nortospecifydetailedsolutionsforwhichthereareotheractivitieswithin5G-ENSURE(seeForeword).Hence,theresultingusecasesshouldnotbeinterpretedasfunctionalitythatunconditionallywillbesupportedin5G,butasanexplorationofinterestingrelevantscenarios,andastartingpointforfurtheranalysis.

Thisdocumentisorganisedasfollows:TheremainderofSection1containsaglossaryandalistofabbreviationsoftermsused.Section2providesabackgroundontheusecaseclustersandhowtheyarecompiled.Sections3to13containtheactualusecaseclustersandtheconstituentusecases.Section14summarisestheusecaseclustersandSection15providesthemainconclusionsderivedfromthisusecasecompilationactivity.Referencesareprovidedattheend.

1Thisshouldnotbeunderstoodasastatementthatcurrentnetworksarenotsecure,butratherthatchangesinthethreatlandscapewarrantsconsiderationsofadditionalcounter-measures.

D2.1UseCases

6715625G-ENSURE 8

1.1 5G-ENSURE

5G-ENSUREbelongstothegroupofEU-fundedprojectswhichcollaborativelydevelop5Gundertheumbrellaofthe5GInfrastructurePublicPrivatePartnership(5G-PPP)intheHorizon2020Programme.Theoverallgoalof5G-ENSUREistodeliverstrategicimpactacrosstechnologyandbusinessenablement,standardisationandvisionforasecure,resilientandviable5Gnetwork.Theprojectcoversresearch&innovation-fromtechnicalsolutions(5Gsecurityarchitectureandtestbedwith5Gsecurityenablers)tomarketvalidationandstakeholdersengagement-spanningvariousapplicationdomains.

1.2 GlossaryThissectioncontainsterminologyforthreatanalysisusedwhendiscussingthevulnerabilitiesoftheusecases.ThetermsarebasedontheInternetSecurityGlossary[RFC4949].

• Adversaryo Anentitythatattacksasystem.

• Attacko Anintentionalactbywhichanentityattemptstoevadesecurityservicesandviolatethe

securitypolicyofasystem.Thatis,anactualassaultonsystemsecuritythatderivesfromanintelligentthreat.

• Counter-measureo Anaction,device,procedure,ortechniquethatmeetsoropposes(i.e.,counters)athreat,a

vulnerability,oranattackbyeliminatingorpreventingit,byminimizingtheharmitcancause,orbydiscoveringandreportingitsothatcorrectiveactioncanbetaken.

• Deceptiono Acircumstanceoreventthatmayresultinanauthorizedentityreceivingfalsedataand

believingittobetrue.• Disruption

o Acircumstanceoreventthatinterruptsorpreventsthecorrectoperationofsystemservicesandfunctions.

• Threato Apotentialforviolationofsecurity,whichexistswhenthereisanentity,circumstance,

capability,action,oreventthatcouldcauseharm.o Threatsdonothavetobelinkedtoanattacker:avulnerabilitycombinedwithhumanerror

forinstancecanalsoleadtoconsequencessuchasexposure,corruptionorincapacitation.• Unauthorizeddisclosure

o Acircumstanceoreventwherebyanentitygainsaccesstoinformationforwhichtheentityisnotauthorized.

• Vulnerabilityo Aflaworweaknessinasystem'sdesign,implementation,oroperationandmanagement

thatcouldbeexploitedtoviolatethesystem'ssecuritypolicy.

D2.1UseCases

6715625G-ENSURE 9

1.3 Abbreviations

AAA Authentication,AuthorizationandAccountingAKA AuthenticationandKeyAgreementB/OSS BusinessandOperationalSupportSystemsCC ContentofCommunicationCN CoreNetworkEAP EnhancedAuthenticationProtocoleNB EvolvedNodeBEPC EvolvedPacketCoreESIM EmbeddedSubscriberIdentityModuleGAN GenericAccessNetworkGUTI GloballyUniqueTemporaryIdentityHN HomeNetworkHSS HomeSubscriberServerID IdentifierIMEI InternationalMobileEquipmentIdentityIMSI InternationalMobileSubscriberIdentityIRI InterceptRelatedInformationLEA LawEnforcementAgencyLI LawfulInterceptionMME MobilityManagementEntitymMTC MassiveMachine-TypeCommunicationMNO MobileNetworkOperatorNMS NetworkManagementSystemPLMN PublicLandMobileNetworkSA SecurityAssociationSatAN SatelliteAccessNetworkSatNO SatelliteNetworkOperatorSDN SoftwareDefinedNetworksSIM SubscriberIdentityModuleTA TrackingAreaTAU TrackingAreaUpdateUE UserEquipmentuMTC Ultra-reliableandlow-latencyMachine-TypeCommunicationxMBB EnhancedMobileBroadbandV2I Vehicle-to-InfrastructureV2P Vehicle-to-PedestrianV2V Vehicle-to-VehicleV2X Vehicle-to-EverythingVMNO VirtualMobileNetworkOperatorVN VisitedNetwork

D2.1UseCases

6715625G-ENSURE 10

2 BackgroundTheusecasesdescribedinthisdocumentwereselectedtoillustratesecurityorprivacyaspectsrelevantfor5Gsystems.

Theseusecasesarebasedoninputfromexternalsources(e.g.other5G-PPPprojects,3GPPNewServicesandMarketsTechnologyEnablers(SMARTER)[TR22.891],publicationsofvulnerabilitiesandpotentialattacksoncellularnetworks,etc.)combinedwiththeexpertiseandexperienceprovidedbythepartners.Theexternallysourceddedicated5Gusecasesturnedouttobeoflimiteddirectapplicabilitysincemostofthesedonothavesufficientsecurityfocus,seefurtherdiscussioninSection15.

Theusecasesaregroupedintoclustersaccordingtotopic,seeTable1.Theclustertopicshavebeendefinedbasedoncommonalitiesintheusecasesintermsofprovidedsecurityfunctionalityorcommontechnology.Eachclustercontainsthedescriptionoftheactorsinvolvedinthedescribedusecases,theactualusecases,andthe“5Gvision”–illustratingthesecurityfunctionalitywhicha5Gsystemisenvisionedtoencompass.Thefocusontheactorsismotivatedbytheircriticalroleintheupcomingtrustmodellingworkintheproject.

Eachusecaseisstructuredasfollows.Firstthepre-conditionsarelisted,illustratingthesettingbeforetheactualusecasetakesplace.Thisisfollowedbyadescriptioncontainingthesequenceofstepsillustratingtheusecase.Thestep-by-stepdescriptionisintendedtopavetheroadfortheupcomingthreatandriskanalysisintheproject.Subsequently,thereisoptionallyashortanalysisoftheusecaseinquestion,followedbyanoutlineofsecuritypropertiesofasolution.Finally,theusecaseisclassifiedintermsofrelevantcandidatesecurityenablersintheproject(seeSection1),andapplicablenextgenerationradiotechnologyusecases:EnhancedMobileBroadband(xMBB),MassiveMachine-TypeCommunication(mMTC),Ultra-reliableandlow-latencyMachine-TypeCommunication(uMTC)[METIS2015].Theseclassificationsareincludedtopositiontheusecasebothwithinthe5G-ENSUREprojectandinthecontextofother5G-PPPprojects,andalsotosimplifythelocationoftheusecasesofrelevancetothereader.

D2.1UseCases

6715625G-ENSURE 11

Table1:Tableofusecasesandclusters

Clusterno.

Clustername/topic Usecaseno.

Usecasename

1 IdentityManagement 1.1 FactoryDeviceIdentityManagementfor5GAccess1.2 UsingEnterpriseIdentityManagementfor

Bootstrapping5GAccess1.3 SatelliteIdentityManagementfor5GAccess1.4 MNOIdentityManagementService

2 EnhancedIdentityProtectionandAuthentication

2.1 DeviceIdentityPrivacy2.2 SubscriberIdentityPrivacy2.3 EnhancedCommunicationPrivacy

3 IoTDeviceAuthenticationandKeyManagement

3.1 AuthenticationofIoTDevicesin5G3.2 Network-basedKeyManagementforEnd-to-End

Security4 AuthorizationofDevice-to-

DeviceInteractions4.1 AuthorizationinResource-ConstrainedDevices

Supportedby5GNetwork4.2 AuthorizationforEnd-to-EndIPConnections4.3 Vehicle-to-Everything(V2X)

5 Software-DefinedNetworks,VirtualizationandMonitoring

5.1 VirtualizedCoreNetworks,andNetworkSlicing5.2 Addinga5GNodetoaVirtualizedCoreNetwork5.3 ReactiveTrafficRoutinginaVirtualizedCoreNetwork5.4 VerificationoftheVirtualizedNodeandthe

VirtualizationPlatform5.5 ControlandMonitoringofSlicebyaServiceProvider5.6 IntegratedSatelliteandTerrestrialSystemsSecurity

Monitor6 RadioInterfaceProtection 6.1 AttachRequestDuringOverload

6.2 UnprotectedUserPlaneonRadioInterface7 MobilityManagement

Protection7.1 UnprotectedMobilityManagementExposesNetwork

forDenial-of-Service8 Ultra-ReliableandStandalone

Operations8.1 Satellite-CapableeNB8.2 StandaloneEPC

9 TrustedCoreNetworkandInterconnect

9.1 AlternativeRoamingin5G9.2 PrivacyinContext-AwareServices9.3 AuthenticationofNewNetworkElements

10 5GEnhancedSecurityServices 10.1 BotnetMitigation10.2 PrivacyViolationMitigation10.3 SIM-basedand/orDevice-basedAnonymization

11 LawfulInterception 11.1 LawfulInterceptioninaDynamic5GNetwork11.2 End-to-EndEncryptionforDevice-to-Device

Communications

D2.1UseCases

6715625G-ENSURE 12

3 Cluster1:IdentityManagement

3.1 IntroductionCluster1containsfourusecasesdescribingvariousaspectsofidentitymanagementin5Gnetworks.

Inusecase1.1welearnhowtosecure5Gconnectivityandmobilityoffactorydeviceswithpre-existingAAAcredentialsmanagedbythefactoryowner.Usecase1.2demonstratesanotherwaytogain5Gaccess,byestablishmentofSIMcredentialstobootstrapenterpriseemployeecredentials.Usecase1.3elaboratesonidentitiesandauthenticationforroamingintoasatellitenetwork.Usecase1.4describesanMNOprovidinganidentitymanagementservicetoaserviceprovideronbehalfofauser.

3.2 ActorsTheactorsinthisclusterare:

• MobileNetworkOperator(MNO)• Mobiledeviceusers(Alice,Bob)• Maliciousparty(Mallory)• FactoryRobot(Rob)• FactoryOwner(FO)• ServiceProvider(SP)• SatelliteNetworkOperator(SatNO)

3.3 UseCases

3.3.1 UseCase1.1:FactoryDeviceIdentityManagementfor5GAccess

3.3.1.1 IntroductionIndustryautomationtodayusesproprietaryradioaccesstechnologies,ornon-3GPPtechnologiessuchasWLAN.New5Gradioaccessesareforeseentobedesignedtooffercompetitiveadvantagesintermsofcost,qualityofservice,mobility,etc.,thatmakesthemattractiveforindustryautomation.Thus,inthisusecase,weconsiderfactoryrobotsaccessingafactorynetworkover5GconnectivitybutusingcredentialsandAAAmanagedbyaFactoryOwner,assumingthattheMNOcanagreetosuchaconfiguration.Thissettingisalsodiscussedin[TR22.891].Thefactoryownerinstalls5GbasestationsinthefactorybutwillrelyonMNOtoperformservicessuchasIPconnectivityandmobility.

TheagreementbetweenFOandMNOcoversaspectssuchaschargingpolicies,securitypoliciesandconfigurationdata(e.g.certificates),liabilitiesoftheparties,etc.Itshouldbenotedthatsuchagreementwouldrequireamajorchangeinthetrustmodelcomparedtocurrentroamingagreements,whichtodayonlyexistsbetweenMNOs.

3.3.1.2 PreconditionsThepreconditionsareillustratedinFigure1.

• TheFactoryhasitsownAAAserverforrobots.

D2.1UseCases

6715625G-ENSURE 13

• TheMNOhasadedicatedIndustrialAutomationControl(IAC)servertoconnecttothefactoryAAAserverforAAApurposes.TheIACmaycomprisepartsofMMEfunctionalityoraninterfacetotheoperator’sMME.Thefullfunctionalityanditsrealization,e.g.intermsofvirtualization,isoutofscopeoftheusecase.

• 5Gbasestationsownedanddeployedinfactory,butthefactoryhasnoother5Gnetworkcoreequipment.ThebasestationsusesomespectrumallocatedtotheMNO.

• FOandMNOhaveanagreementallowingfactorybasestationstoconnectsecurelytotheMNOcorenetworkoveraninterfacewedenote“S1”(seebelow)andallowingthefactory’sAAAservertoconnectsecurelytotheMNO’sIACoveraninterfacewedenote“S6”(seealsobelow)inordertoestablishnetworkaccesscredentials.

• “S1”denotesapresumed3GPPreferenceinterfacebetweentheRadioAccessNetworkandCoreNetwork(CN)handlinge.g.authenticationsignallingbetweentheIACandUEvia5Gbasestations.TheS1interfaceisassumedtobesecuredby,forinstance,IPsecSecurityAssociations(SA)establishedusingcredentialswhicharepartoftheagreementbetweentheFOandMNO.

• “S6”denotesapresumed3GPPreferenceinterfacebetweentheservingnetwork(MNOIAC)andasubscriberdata-base(aAAA-typeserver).TheS6interfaceisassumedtobesecuredby,forinstance,IPsecSAsestablishedusingcredentialswhicharepartoftheagreementbetweenFOandMNO.

3.3.1.3 DescriptionWhenpowerisswitchedon,Rob,afactoryrobot,connectstotheFactoryNetworkusingfactorycredentialsasillustratedinFigure1.

Basicflowofevents:

1. Robispoweredup2. Robrequestsaccesstothefactory5GbasestationpresentingaFOidentifier3. RobisnotyetauthenticatedandthebasestationcontactstheIACintheMNOCNoverS14. TheIACrecognizes,e.g.usingnamespaceanalysisoftheFOidentifier,thatRobbelongstothe

factoryandthisIACconnectstothefactoryAAAoverS65. TheFOAAAprovides,basedonRob’sFOidentifier,atemporarycredentialtotheIACwhich

enablestheIACtoauthenticateRobtothissession6. Mutualauthentication,basedonRob’stemporarycredential,isperformedbetweenRobandthe

MNOnetwork.Asaresult,cryptographickeysaremadeavailableforthepurposeofprotectingtheconnectionbetweentherobotandthefactorybasestation,andbetweentherobotandtheIAC

7. RobisprovidedIPconnectivityandmobility

D2.1UseCases

6715625G-ENSURE 14

Figure1:Factory5Gdeployment

3.3.1.4 Propertiesofasolution

• SecureconnectionsbetweenfactoryandMNO,forexampleIPseconS1andS6,wheretheagreementbetweenMNOandFactoryshouldcontainthecredentialsforestablishingIPsec.

• EAP-basedauthenticationtofactoryAAA.WhichEAPmethodstobeallowedcouldbespecifiedintheagreementbetweenMNOandFactory,butweakmethodssuchaspasswordswillmostlikelynotbeallowedinanysuchagreement.

• The5Gauthenticationprocedurecanbedesignedtobecompatiblewithwhateverfactorycredentialsthatareused.

• TheMNOneverdistributesthecustomer’scredentials(whetherMNOrelatedorFOrelated)toanythirdparty

• AcandidatesolutionisusinganMNOimplementationofGBA[TS33.220]

3.3.1.5 Usecasecategories

EnsureEnablers AAA,Privacy,TrustNextGenerationRadioTechnologyUsecases mMTC,uMTC

3.3.2 UseCase1.2:UsingEnterpriseIdentityManagementforBootstrapping5GAccess

3.3.2.1 IntroductionTheenterprisewantstoprovideitsemployees’deviceswith5Gconnectivitytouseintheofficeorwhenbeingmobile.Sincetheenterpriseinanycaseneedstomanagetheemployees’credentialsitisconvenient

D2.1UseCases

6715625G-ENSURE 15

tousethesecredentialstobootstrap5Gcredentialsusedforconnectivity.However,theenterprisedoesnotwanttomanageanHSS.TheenterpriseandMNOsignanagreementthattheemployeedevicescanbecomeprovisionedwith5Gcredentials,assumingthattheMNOcanagreetosuchaconfiguration.Theenterprisemayextendcoverageandcapacityofthe5Gnetworkbyinstallingadditional(e.g.indoor)5Gbasestations,butthisisnotnecessaryiftheexisting5Gaccesssuffices.

Itshouldbenotedthatthiskindofagreementwouldrequireachangeinthetrustmodelcomparedtocurrentsubscriptionprovisioningmodels.

3.3.2.2 Preconditions• MNOhasitsownIACtocoverindustryneeds• TheenterprisehasitsownAAAfortheemployees.• Bob,anenterpriseemployee,hasaUE(e.g.mobilephone,laptop,etc.)whichisprovisionedwith

enterprisekeys.• TheenterpriseandMNOhavemadeanagreementallowingsubscriptionparametersassociatedwith

newemployeestobestoredintheMNOIAC.TheMNOIACgeneratesthesecredentialsbyrequestfromtheenterpriseAAA.Thecredentialscouldforexamplebe(U)SIM-compatibleparameterstobeusedwiththeAuthenticationandKeyAgreement(AKA)protocol.Theagreementcoversaspectssuchashowtosecurethecredentialprovisioning,chargingpolicies,liabilitiesoftheparties,etc.Tothisend,theMNOandenterpriseareassumedtohavemadeariskassessmentthattheenterpriseAAAissufficientlysecure,andhasanacceptablerisklevel,whenenteringintotheagreement.

• AfterbeingauthenticatedandauthorizedbytheAAA,Bob’sUEisbeingprovisionedfromMNOIACwithcredentialsforestablishinga5Gsession.ThecredentialsareprotectedintransportbetweenMNOIACandBob’sUEbasedontheenterpriseAAA.

3.3.2.3 DescriptionBob,anenterpriseemployee,switchesonhisUEwhichattachestotheMNObasestationandauthenticatestothenetwork.Thisauthenticationproceduremaybedifferentdependingonhow/whatcredentialthatwasprovisioned.TheflowisdepictedinFigure2.

Basicflowofevents:

1. Bobrequests5GcredentialsfromtheEnterpriseAAA.TherequestisauthenticatedusingBob’senterprisekeys.

2. TheEnterpriseAAArequeststotheMNOIACprovisioningof5Gsessioncredentials3. Bob’sUEissecurelyprovisionedwith(U)SIM-typecredentialsfromtheMNOIACbasedonthe

employeeAAAcredential4. Bob’sUEauthenticatestothe5Gnetwork5. Bob’sUEisreadytouse

D2.1UseCases

6715625G-ENSURE 16

Figure2:Enterprise5Gdeployment

Alternativeflowofevents:

Inthisflow,insteadof(U)SIM-typecredentials,somenon-SIMcredentialofsufficientstrengthisassumed,undertheconditionwherethesecurestorageanduseofthosecredentialsinBobDevicehasbeenqualifiedbytheMNOassufficientintermofsecurestorage,assuranceetc.inrelationtoexistingUSIMcard,andcouldbecontrolledbyMNO.Inparticularthesecuritylevelofthisstorageshouldpreventcredentialcloning.Aprotocolsuchase.g.EAPmaybeusedtocarrytheauthenticationsignalling.

1. Bob’sUEbeenprovisionedwithnon-SIMtypecredentialsviatheMNOIAC2. Bob’sUEauthenticatestothe5Gnetworkusingthecredentials,e.g.bymeansofEAP3. Bob’sUEisreadytouse


• ESIMprovisioninginitiatedbyenterprisenetwork• EAPbasedauthenticationtoenterpriseAAA• Inthefirstflow,nonewcredentialsneedtobesupportedbythe5Gauthenticationprotocol


EnsureEnablers AAA,Privacy,TrustNextGenerationRadioTechnologyUsecases xMBB

D2.1UseCases

6715625G-ENSURE 17

3.3.3 UseCase1.3:SatelliteIdentityManagementfor5GAccess

3.3.3.1 IntroductionThisusecaseexplorestwoidentity-managementsituationsinvolvingsatellitenetworksandadualsatelliteandterrestrial5Gaccess:oneinwhichthe5Gdeviceattachestothesatellitenetwork;theotheroneinwhichthe5Gdeviceidentifiesineitherthesatellitenetworkortheterrestrialnetwork,andthenduetocoverageissuesthe5Gdeviceperformsaroamingtotheothernetwork.

3.3.3.2 Preconditions• SatNOhasitsownAAAforitssubscribers.• SatNOandMNOhasaroamingagreementallowingeachother’suserstoroamintheother’snetwork.

3.3.3.3 DescriptionBobswitchesonhisdualsatelliteandterrestrial5GUEwithasetofcredentialsthatallowsaccesstobothnetworks,andisinitiallyconnectedtothesatellitenetwork(seeFigure3).Duetocoverageissueshemayneedtoroambetweenthenetworks(seeFigure4).

PleasenotethatAAAServersdepictedinFigure3andFigure4aredepictedseparatelyforlogicalreasons,buttheirphysicallocationmightbethesame–theycanphysicallyevenbeonesingleAAAServer.

Basicflowofevents:

1. Bob’sUE,locatedforinstanceinamovingtruckinanisolatedarea,canonlyofferBobconnectivitythroughsatellitewhenheturnsontheUE.

2. BobchoosestoconnecttheUEthroughsatellite,andtheauthenticationandauthorizationprocessisperformedbetweentheUEandthesatelliteAAAServerandbetweenthesatelliteAAAServerandthe5GAAAServer.

Thefine-grainedaccesspoliciesat5GAAAServerprocesstheauthenticationrequestfromBob’sUEandestablishesthat,forthecredentialsprovided,accesscanbegrantedtotheUEintothesatellitenetwork,withanauthorizationlevelA(whichmayconsistforexampleofcertainpeakdatarate,certainsustaineddatarate,certainservicesenabled,etc.).

D2.1UseCases

6715625G-ENSURE 18

Figure3:IntegrationofAAAsystemmechanismsin5Gdevicewithsatellitecoverage


Theeventscanbeseenasanextensionofthebasicflowinwhichtheroamingaspectisincorporated.

1. Bob’sUE,locatedforinstanceinamovingtruckinanisolatedarea,canonlyofferBobconnectivitythroughsatellitewhenheturnsontheUE.

2. BobchoosestoconnecttheUEthroughsatellite,andtheauthenticationandauthorizationprocessisperformedbetweentheUEandthesatelliteAAAServerandbetweenthesatelliteAAAServerandthe5GAAAServer

3. BobparksandtakeshisUEinsideabuildingunderterrestrialcoveragecompliantwithUEterrestrialconnectivity

4. TheUEdetachesfromthesatellitenetworkandautomaticallytriestoattachtotheterrestrialnetworkusingtherelevantcredentials.

5. Thecredentialsareroamedfrom5GAAAServertoTerrestrialAAAServerandTerrestrialnetworkauthorizesBob’sUE.Atthispointthe5GdevicehasregainedconnectivityafteraroamingprocessthathasbeenvirtuallyseamlesstoBob.

D2.1UseCases

6715625G-ENSURE 19

Asexplainedinthebasicflowofevents,thefine-grainedaccesspoliciesatthe5GAAAServerprocesstheauthenticationrequestfromBob’sUEandestablishesthat,forthecredentialsprovided,accesscanbegrantedtotheUEintothesatellitenetwork,withanauthorizationlevelA(whichmayconsistforexampleofcertainpeakdatarate,certainsustaineddatarate,certainservicesenabled,etc.).

Now,duringtheroamingprocess,aroamingrequestfromtheTerrestrialAAAServerarrivesatthe5GAAAServer,whichprocesstheauthenticationcredentialsfromBob’sUE(givenbytheSatelliteAAAServer)andestablishesthat,forthecredentialsprovided,accesscanbegrantedtotheUEintotheterrestrialnetwork,withanauthorizationlevelB(whichmayconsistforexampleofcertainpeakdatarate,certainsustaineddatarate,certainservicesenabled,etc.).

Figure4:IntegrationofAAAsystemmechanismswith5Groamingfromsatellitetoterrestrialnetworks


• (U)SIM-typecredentialsforsatelliteaccessmaybeoneapproachtoallowingroamingfromterrestrialnetworkintosatellitenetwork,e.g.usingEAP-AKAauthentication[EAP-AKA].


EnsureEnablers AAA,Privacy,TrustNextGenerationRadioTechnologyUsecases xMBB,mMTC,uMTC

D2.1UseCases

6715625G-ENSURE 20

3.3.4 UseCase1.4:MNOIdentityManagementService

3.3.4.1 IntroductionThisusecasedescribesanMNOprovidinganidentitymanagementservicetoa3rdpartyserviceprovideronbehalfofauser.

3.3.4.2 Preconditions• UserBobisasubscriberofanMNO• TheMNOassociatestoBoba“NetworkID”(e.g.,amobilephonenumbertoBob’sUE)• Bobusesaservice,S,providedbya3rdpartyserviceproviderSP(e.g.abank)• Bobsubscribestoacustomisedservice,S,providedbya3rdpartyserviceproviderSP(e.g.,a

bank)basedonsomeinformationthatcanbeprovidedbytheMNO.Theserviceagreements(betweentheuserBobandMNOandSP,respectively)detailwhatinformationcanbecollectedbytheMNO,whatinformationcanbesharedwiththeSP,thedeactivationofthisoption,etc.

• TheserviceproviderassignstoBobalocalidentity(i.e.anidentityassociatedtothisservicesuchasabankaccountnumber)

• TheservicelocalidentityofBobencompassessomeattributesrelatedtohis“NetworkID”

3.3.4.3 DescriptionForthesakeofconcreteness,weconsiderabankingserviceexample,seeFigure5.

Bobwouldliketoaccesssomeresourcesassociatedtohisbankaccount,e.g.,performatransferofmoney,changehissecretcode,etc.ThebankrequeststheoperatorinformationwithrespecttoBobsuchasBob’saccessnetworktype,Bob’sequipment,usedauthenticationscheme,location,andsoforth.Dependingontheprovidedinformation,thebankadjustsitssecuritypolicy.ThebankmayforexampleaskBobforfurther(secondfactor)authenticationormodifythewaytodelivertheservice.

Asaconsequence,thebankwillmanagetohavethesamesecuritylevelwhendeliveringaservice,e.g.iftheuserisconnectedviaapublichotspotthenperhapsadditionalauthenticationandprotectedcommunicationisneeded.ThisisowingtodynamicsecuritypoliciesthatarebasedoninformationprovidedbytheMNO.

Basicflowofevents:

1. Bob’sUEisauthenticatedtotheMNO2. Bob’sUErequestsaccesstoaserviceataserviceprovider(Step(a)inFigure5)3. Uponrequest,theoperatorcollectsinformationaboutBob(and/orhisUE)andsharesitwiththe

serviceprovideraccordingtothetermsoftheserviceS(Steps(b),(c)and(d)inFigure5)4. TheserviceproviderauthorizesorpersonalizesaservicetoBobbasedonthereceivedinformation

(Steps(e)and(f))

D2.1UseCases

6715625G-ENSURE 21

Figure5:5GNetworkOperatorasTrustProvider


• Useofsuitable(secure)attributesharingmechanism.


EnsureEnablers AAA,Privacy,TrustNextGenerationRadioTechnologyUsecases xMBB

3.4 5GVision

5GprovidesavarietyofidentitymanagementserviceswhichexpandsthecapabilitiesofdevicesandnetworksbeyondthelegacyUEtoRANservice.Adeviceprovisionedwithappropriatecredentialscanget5Gaccessinaflexiblewaydrivingdowncostinlargescaledeployments.Newsubscribersormachinescanbeenrolledin5Gnetworks,usingtheirpre-existingidentitymanagementschemes,whilerespectingtheirprivacy.Thisattractsnewcategoriesofuserstothe5Gecosystem.

5Gidentitymanagementprovidesforbetterintegrationbetweencellularandsatellitenetworks,includingroaming.5GAAAServersincludespecificintelligencetoconferanauthorizationlevelsuitedtotheauthenticationcredentialsforaparticularaccessnetwork,inparticulartheyassigntheauthorizationlevelseamlesslytotheenduserduringtheroamingbetweentwoaccessnetworks.Moreover,the5GAAAServersinsatellitenetworksofferultra-fastloginswithoptimizeddataexchangeinordertolowerthelatencyandmaximizethespectralefficiency.Finally,5GAAAServersarecapableofsupportinghundredsofthousandsofsimultaneouslogins,incompliancewiththerequirementsimposedby5G.

AnMNOcanofferidentitymanagementservicessuchastrustedassertionsandsecureidentifiersofsubscribers,whilerespectingtheagreeduponprivacypolicy.

5G Network

5GNetwork Operator

Bankserver (a)Request

(f)CustomizedReply

(c)Data Collect

(e)Update SecurityPolicies

(b)Bob?

(d)Networkcontext

associatedtoBob

Bob

D2.1UseCases

6715625G-ENSURE 22

4 Cluster2:EnhancedIdentityProtectionandAuthentication

4.1 IntroductionTheseuse-casesaddresstheareaofenhancementstoidentityprotectionandauthenticationin5Gcomparedtoexisting3Gand4Gnetworks.Specificallytheyfocusonthreeuse-cases,thefirstofwhichtacklesprivacyfordeviceidentifierswhichneedtobeappropriatelyprotectedand/oranonymised.Theseconduse-caseaddressestheareaofsubscriberidentityprivacywhichalsoneedstobesuitablyprotectedand/oranonymised,particularlywhentraversingaccessnetworks.Thefinaluse-casetacklestheprovisionofperfectforwardsecrecytocombatthethreatofpassiveattacks,particularlyinthecaseofsubscriberkeycompromise.


• User(Alice)• Alice’sUE(UE)• Malicioususer(Mallory)• MobileNetworkOperator(MNO)

4.3 UseCases

4.3.1 UseCase2.1:DeviceIdentityPrivacy

4.3.1.1 Preconditions• Alice’sUEisswitchedon

4.3.1.2 DescriptionAlice’sUEconnectstothemobilenetworkandwantstheidentityofherUEtobeprivate.

Basicflowofevents:

1. Alice’sUEconnectstothe5GnetworkovertheAirInterfaceorviaGenericAccessNetwork(GAN)2. Alice’sUEauthenticatestothe5Gnetworkusing(U)SIMcredentials3. Alice’sUErespondstotheMME’srequestfortheInternationalMobileEquipmentIdentity(IMEI)of

herUE,andrequestvalidation4. Alice’sUEisreadytouse


1. Alice’sUEconnectstothe5GnetworkovertheAirInterfaceorviaGenericAccessNetwork(GAN)withanAttachType"Emergency"

2. Alice’sUEincludestheIMEIinplaintextintheAttachrequestduringanemergencycallsituation,whereitdoesnothaveavalidGloballyUniqueTemporaryIdentity(GUTI)orInternationalMobileSubscriberIdentity(IMSI)

3. Ifthenetworkisconfiguredtosupportemergencyservices,Alice’sUEgetsemergencybearerallocated

D2.1UseCases

6715625G-ENSURE 23

4.3.1.3 Vulnerabilitiesandconsequences• UsersdonotwanttobetrackedviatheirUEidentifiers• Certainusergroupsdonotwanttheirsubscriberidentityandtheirdevice’sidentitylinked

4.3.1.4 PropertiesofasolutionThesolutionspaceincludesexplorationofprotocolenhancementsandinvestigationintostate-of-theartend-to-endanonymizationtechniques,offeringprotectionagainstdeviceidentitydisclosureandunauthorizeddevicetracking.AswithLTE,5GshouldensurethattheIMEIissentonlyinaconfidentiality-protectedmessage,asopposedtoGSMandUMTS,wherethenetwork,andhenceanattacker,mayrequestdeliveryoftheIMEIintheclear.InadditiontheenhancementaimstoalsoaddresstheemergencycallcasewheretheIMEIissentoverthenetworkunprotected,sinceasecuritycontextcannotbecreatedandusedtoprovideforconfidentiality.



4.3.2 UseCase2.2:SubscriberIdentityPrivacy

4.3.2.1 Preconditions• Alice’sUEisswitchedon.• MallorysetsupafakeBaseStation(foractiveattacks)ormonitoring(forpassivelisteningof

transmissionsoflegitimatebasestation).

4.3.2.2 DescriptionAlice’sUEconnectstothemobilenetworkandwantshersubscriberidentityandlocationtoremainprivate.

Basicflowofevents:

1. Alice’sUEconnectstothe5Gnetwork,identifiedbyherGUTI/IMSI2. MalloryobservesGUTI/IMSI,orelicitsAlice’sIMSI,andcantrackAlice’sUE3. Alice’sUEauthenticatestothe5GnetworkusingtheSIMcredentials4. Alice’sUEisreadytouse5. MallorytracksAlice’scurrentlocationbytriggeringthemobilenetworkintoinitiatingthe

generationofpagingmessagestoAlice’sUE(e.g.byusingsocialmediaapplicationtoinitiateunobtrusivecommunications)

6. MalloryobservesthepagingmessagessentandcanpotentiallycorrelatethecontainedGUTIwithAlice’ssocialnetworkidentity


1. Alice’sUEconnectstothe5Gnetwork,identifiedbyherGUTI/IMSI2. MalloryobservesGUTI/IMSI,orelicitsherIMSI,andcantrackher3. Alice’sUEauthenticatestothe5GnetworkusingtheSIMcredentials4. Alice’sUEisreadytouse

D2.1UseCases

6715625G-ENSURE 24

5. MalloryforcesAlice’sUEtoconnecttoMallory’srogueeNBbyexploitingthefeature“absoluteprioritybasedcellreselection”

6. Malloryinitiatesa“RRCConnectionReconfiguration”message7. Alice’sUErespondswitha“Measurementreport”andtheGPScoordinatesofherUE,ifherUE

supportsthe“locationInfo-r10”feature8. MalloryisabletodetermineAlice’slocationbytrilateration,orthesuppliedGPScoordinates

4.3.2.3 Vulnerabilitiesandconsequences• Thesubscriber’sidentifierortemporaryidentifiersallowsfortrackingofauser• Temporaryidentifiers(pseudonymslikeGUTIorTMSI)arebroadcastedincleartextsothatAlice’s

UEcanidentifytargetedcommunications.Ifsuchidentifiersarenotchanged(re-pseudonymized)beforeMalloryisabledeterminewhichbelongstoAlice,Alice’slocationcanbetracked

• BroadcastingaGUTI,whichisknownorsuspectedtobelongtoAlice,isanindicationthatAliceisclosetothebroadcastingbasestation.Byanalysingsignaldirections,MallorymaybeabletodetermineUE’slocationmoreaccurately.However,locationtrackingbasedupontrackingidentifiersalonedoesnotalwaysprovideapreciselocationforAlice.AlicemaybeindifferentlocationtoherUE,orherUE’scommunicationmayberelayed,atthephysicallayer,toanotherlocation

• Usersdonotwanttheirsubscriberidentityandtheirdevice’sidentitylinked• Thecurrentstandardsallowmeasurementreportstobesentwithoutsecurity,whichenables

MallorytoretrievethereportstodeterminethelocationofAlice’sUE[Shaik2015]

4.3.2.4 PropertiesofasolutionPotentialsolutionstoprovideforsubscriberprivacyincludeencryptionoftheIMSIand/oruseofimprovedpseudo-identifiers.Anonymisationsystemsmaybeinvestigatedtoprovideforunlinkabilityofsubscriberanddeviceidentities.



4.3.3 UseCase2.3:EnhancedCommunicationPrivacy

4.3.3.1 Preconditions• Alice’sUEisswitchedon• Malloryhasa5GaccessnetworkmonitorandisinpossessionofAlice’suser-specifickey,K

4.3.3.2 DescriptionAlice’sUEconnectstothemobilenetworkandwantshercommunicationstobeprivatetopassivemonitoring,despitecompromiseofheruser-specifickey.TheassumptionthatMalloryhasobtainedKisnormallyanextremelyunlikelyevent.Neverthelessclaimsofsuchsituationsarisinghaveoccurred[SchahillBegley2015].

Basicflowofevents:

1. Alice’sUEconnectstothe5Gnetwork

D2.1UseCases

6715625G-ENSURE 25

2. Alice’sUEauthenticatestothe5Gnetworkusingthe(U)SIMcredentials3. Malloryobservestheauthenticationandderivesthesessionkeys(CK,IK),usingAlice’skey,K4. Alice’sUEisreadytouse

4.3.3.3 Vulnerabilitiesandconsequences• Users’communicationsmaybedecryptedthroughpassivemonitoringofaccessnetworktraffic• Usersmaybeimpersonated

4.3.3.4 PropertiesofasolutionApotentialsolutionwouldbetointroducemechanismstoprovideforperfectforwardsecrecyofthecommunications.Thusonlyanactiveattackercouldascertainthesessionkeysintheeventofauser-specifickeycompromise.



4.4 5GVision

Itisessentialthatusershavecontrolovertheprivacyoftheirsubscriberanddeviceidentifiersin5Gandhaveevenhigherassurancethatprivacyoftheircommunicationsareupheld.Thepervasivenatureof5Gmeanstherewillbemanymoredeploymentoptionsfordevices.Thususerswanttohavewiderscopeandcontrolovertheirsubscriberanddeviceidentities,andtoensurethatcommunicationsaresecuredagainstwiderthreats.5Gnetworksshouldguaranteeuserprivacybyprovidingsecuritypropertiesincludingconfidentialitytosubscriberanddeviceidentities,untrackabilityoftheuserlocation,perfectforwardsecrecyforencryptedcommunicationsandunlinkabilitybetweentheusersubscriptioninformationandthedeviceidentity.

D2.1UseCases

6715625G-ENSURE 26

5 Cluster3:IoTDeviceAuthenticationandKeyManagement

5.1 IntroductionThisusecaseclusterfocusesonIoTdeviceauthenticationandkeymanagementanditincludestwousecases:“AuthenticationofIoTdevicesin5G”and“Network-basedkeymanagementforend-to-endsecurity”.

ThefirstusecasefocusesonauthenticationofconstrainedIoTdevices[RFC7228]whichmightnothavedirectaccesstothe5Gnetworkormightbenefitfromgroup-basedauthentication,wheremassivegroupsofIoTdevicesareauthenticatedsimultaneously.Thegroupisdefinedbyoneormoreattributes,suchasthedevicelocation,typeofdeviceortypeofapplication,etc.Thus,group-basedauthenticationconsistsofasetofprotocolsthatallowsmembersofthegrouptobeauthenticated.

Thesecondusecasefocusesonnetwork-basedkeymanagementwherethenetworkprovidesaserviceforkeyexchangetobeusedforsecuredend-to-endcommunication.


• 5GNetworkOperator(MNO)• Mobiledeviceuser(Bob)• AAAServerin5Gnetwork• Keymanagementservicein5Gnetwork• IoTdevice1(Sensor1)• IoTdeviceN(SensorN)• IoTgateway• IoTbackendservice(operatedbyAlice)

5.3 UseCases

5.3.1 UseCase3.1:AuthenticationofIoTDevicesin5G

5.3.1.1 Preconditions• MobiledeviceuserandIoTgatewayhave5Gcredentials• AlargenumberofIoTdevices(Sensor1,SensorN)requireaccesstoservices/Internet• IoTdevices(Sensor1andSensorN)maynotbeabletoaccessservices/Internetbythemselves

5.3.1.2 DescriptionThegroupofIoTdevices(Sensor1,SensorN)areconstraineddeviceswithdifferentnetworkaccessandsecuritytechnologiesandmayneedaccessservices/Internet,whicharereachablebymeansofa5Gnetwork.TheIoTdevicescanbegroupedintotwocategories:IoTdeviceswithanonboardradiointerface,hencearecapableofradiosignallingwiththe5Gnetwork;andIoTdeviceswithout5Gradioaccess,butwithothercommunicationtechnologies,e.g.WiFiorBluetooth,thereforerequiringanIoTGatewaythatprovidesthe5Gconnectivity.ThepresenceoftheIoTgatewaymaypotentiallyobstructthepossibilityto

D2.1UseCases

6715625G-ENSURE 27

robustlyidentifyindividualdevicesattheapplicationlayer.Whileagroupidentitymayofcoursebeused(e.g.relatedtoIMSI),thisusecaseseekstoenablemorerobustidentificationalsoofindividualdevicesbyleveragingthestrongsecurityoftheSIMcredentials.

Existingauthenticationprotocols,e.g.LTE-AKA,mightnotbesuitabletoefficientlysupporttheexpectednumberofauthenticationrequestsgeneratedbytheboomofconnectedIoTdevices.Thismightresultinunwantedlatencieswhennumerousdevicesinthesamegroupinitiatessimultaneousauthenticationrequests.Thisisespeciallyimportantinhighlymobiledevicesduetothemanyrequestsofauthenticationvectorstothehomenetwork.Asolutiontothiscanbegroup-basedauthentication,inwhichoverheadmaybereducedaseachdeviceofagivengroupdoesnothavetoexecutethecompleteauthenticationprotocol[Chengzhe2013].

Additionally,athirdscenarioisthatthenetworkbroadcastsasessionrequesttoagroupofdevices,onbehalfofauserorservice.Oneofthegroupmemberswillauthenticatewiththe5Gnetwork,presentingitsuniqueidentity,anditsgroupidentity[TS22.368]

Basicflowofevents:

1. TheIoTgatewayauthenticatestotheAAAserver,orthemobiledevice(Bob)authenticatestotheAAAserver,usingUSIMAKA.Thus,the5Gsubscriber’sidentity,i.e.IMSI,isensuredandcanbecollectedbythenetwork.

2. TheIoTSensor(Sensor1,SensorN)authenticatestotheIoTgatewayortothemobiledevicesusingradioaccessspecifictechnology.TheIoTsensorsandtheconnectedIoTgatewayormobiledevicesareownedbythesamesubscriber.

3. TheIoTsensorshaveaccesstoservices/Internetandareabletosendandreceivedata,eitherviaBob’sdeviceorviatheIoTgateway.Intheirrequesttoservicestheymightreusethe5Gsubscriber’sidentity.


1. TheIoTgatewayauthenticatestotheAAAserver,orthemobiledevice(Bob)authenticatestotheAAAserver,usingUSIMAKA.Thus,the5Gsubscriber’sidentity,i.e.IMSI,isensuredandcanbecollectedbythenetwork.

2. TheIoTSensor(Sensor1,SensorN)authenticatestotheAAAserver,byassistanceoftheIoTgatewayorthemobiledevice(Bob),toestablishitselfasapointofpresenceinthe5Gnetworktoenableaservicedifferentiationonanetworklevel,e.g.differentQoSclasses.TheIoTsensorswillbeuniquelyidentifiedinthenetworkinadditiontotheIoTgatewayormobiledevice(Bob).Allinvolvedequipmentareownedbythesamesubscriber.

3. TheIoTsensorshaveaccesstoservices/Internetandareabletosendandreceivedatadirectly,eitherviaBob’sdeviceorviatheIoTgateway.


1. TheIoTdevicesdynamicallyformgroupsaccordingtotheirsimilarity(typeofdevice,location,application).TheIoTdeviceshavethenecessarycredentialstoauthenticatewiththeAAAserver.

2. Group-basedauthenticationisperformedforagroupofIoTdeviceswiththeAAAserverauthenticatingagroupofdevicessimultaneously.

D2.1UseCases

6715625G-ENSURE 28

Figure6:AuthenticationofIoT/M2Mdevicesin5G

5.3.1.3 VulnerabilitiesandconsequencesThesecuritythreatscouldberelatedtoaman-in-the-middletakingpartintothebootstrappingprocedure.AspecificsecuritythreatrelatedtothealternativeflowcouldberelatedtoamaliciousIoTdevicewhichisgroupedwithotherIoTdevicesandisauthenticatedtogetherwithotherIoTdevices.Inaddition,theconstrainednatureofIoTdevicesmightmakeiteasiertosubvertthesecurityofthesedevices(e.g.,theydon’thaveenoughprocessingpowertousestrongeralgorithms).

5.3.1.4 Propertiesofasolution5GUserEquipment(Bob’smobiledeviceorIoTgateway)mayactasa5Gbootstrappingdeviceforanumberofconstraineddevices,sensors,andactuatorsthatarenotabletoaccessthe5Gnetworkthemselves.

Groupbasedauthentication,whereIoTdevicescanformagroupbasedonphysicallocation,typeofsensor/actuator,typeofapplication,orothersimilarityfactor,IoTgatewayormobiledeviceactingasarelaycouldperformsimultaneousauthenticationforgroupofdevices.Inagroupbasedauthenticationscenario,theAAAoverheadwillbegreatlyreducedaseachdevicedoesnothavetoexecutethecompleteprotocol.

5G Network

IoTSensor1

IoTSensorN GroupofIoT

sensors

IoTGateway

Bob’sdevice(relay)

Authen

tication

viaIoT

Gatew

ay Authenticationviarelay

Group authentication

AAAserver

D2.1UseCases

6715625G-ENSURE 29


EnsureEnablers AAANextGenerationRadioTechnologyUsecases mMTC,uMTC

5.3.2 UseCase3.2:Network-BasedKeyManagementforEnd-to-EndSecurity

5.3.2.1 Preconditions• IoTdevices(endpoints)have5Gcredentials• IoTbackendservice(endpoint)operatedbyAlicehas5Gcredentials• 5Gnetworkprovidesnetwork-enabledkeymanagementservice• Thekeymanagementservicecanauthenticateactorswith5GcredentialsusingtheAAAserverin5G

network• Aliceisabletoprovidepoliciesforthekeymanagementservicetocontrolwhichendpointscanshare

keys

5.3.2.2 DescriptionAnIoTdeviceisconnectedto5Gnetworkandauthenticatedtousethenetwork.TheIoTdeviceneedstocommunicatewiththebackendservice(operatedbyAlice).Thecommunicationshouldbeend-to-endsecured(encryptedandauthenticated)buttheendpointshavenomeanstoconnecteachothersecurely(e.g.,theydonotsharesecretkeys).TheconnectedIoTdeviceutilizesanetwork-enabledkeymanagementserviceprovidedby5Gnetworktoachievesecureend-to-endcommunicationbetweenthedeviceandtheIoTbackendservicelocated,e.g.,inthecloud.

Basicflowofevents:

1. TheIoTserviceisconnectedtothekeymanagementserviceandauthenticated2. Alice(operatingIoTservice)providespoliciescontrollingwhichIoTdevicesmayshareakeywith

theIoTservice3. IoTdeviceisconnectedto5Gnetworkandauthenticated4. IoTdevicenegotiatessecuritykeysfordataencryptionusingthekeymanagementserviceprovided

by5Gnetwork5. IoTdeviceencryptsandauthenticatesdatatobetransmittedusingkeysprovidedbythenetwork

andstartssendingthedatatotheIoTserver6. TheIoTserverdecryptsandverifiesreceiveddatausingthekeynegotiatedwiththekey

managementservice

D2.1UseCases

6715625G-ENSURE 30

Figure7:Network-basedkeymanagementforend-to-endsecurity

5.3.2.3 VulnerabilitiesandconsequencesMissingend-to-endsecurityleavescommunicationvulnerableforcompromisedormaliciousnetworkcomponents.End-to-endsecurity,wherekeysaremanagedbytheservices/devicesthemselves,preventslawfulinterceptionandmaywasteresourcesasoperators’maystillsecurecorenetworkcommunicationwiththeirownmechanisms.

Thekeymanagementsolutionprovidedby5Goperatorsissuitableforcaseswheretheend-pointstrusttheoperatorandoperator’scapabilities(e.g.toprovidetrulyrandomkeyswhichdonotleaktoadversaries).Inhighlycriticalapplicationssuchtrustassumptionsmaynotalwaysbejustified.Availabilityofend-to-endconnectionsmayinthesecasesachievedbyreplacingthekeymanagementthatisprovidedbya5Goperatorwithamoretrustedalternative.

5.3.2.4 PropertiesofasolutionNetwork-enabledkeymanagementavailablein5Genablescommunicationtobeencryptedandauthenticatedfromendtoend.Theconnecteddevicecanutilizenetwork-enabledkeymanagementprovidedby5Gnetworktoachievesecureend-to-endcommunicationbetweenthedeviceandtheservicelocatede.g.inthecloud.Byprovidingnetwork-enabledkeymanagement,5Gnetworkcanprovidesecurecommunicationandatthesametimeenablelawfulinterception.

5G Network

Keyman

agement

IoTSensor

IoTService

KeyManagement Service

Keymanagement Encrypteddata

D2.1UseCases

6715625G-ENSURE 31

Thekeymanagementservicemayprovidebothdevicespecifickeyforunicastcommunicationaswellasgroupspecifickeysformulticastcommunication.

Thesolutionmaybelinkedtoservice/devicediscovery.AnIoTdeviceisnotrequiredtoprovideanyconfigurationinterfacesthatwouldenableitsownertoinputconfigurationdatasuchastheaddressoftheremoteIoTservice.Adevicethathasbeenboughtdirectlyfromashopmaye.g.haveonlyaninterfacetoinsert5Gcredentials(likeUSIMcard).Alicemayprovidethisconfigurationthroughthe5Gmobileoperator(keymanagementservice)whoforwardstheconfigurationinformationalongsidewiththekeysfortheauthenticatedandauthorizeddevices.Authentication(orSLA)betweenkeymanagementservice(providedbyanoperatororthirdparty)anddevices/servicesutilisingthekeymanagementserviceisneededbeforetheactualkeyexchange.

IntermsofLI,thesolutionproposedshouldbetransparent,whichmeansthat5GNetworkoperatorsshouldbeabletosupportinterceptionwithouttheneedofKeyManagementServer(incaseitisoperatedbythirdpartytobeinvolved).Thispointisrelatedtocountrysovereignty.


EnsureEnablers AAA,Privacy,TrustNextGenerationRadioTechnologyUsecases mMTC,uMTC

5.4 5GVision

5Gshouldsupportgroup-basedauthentication,whereIoTdevicescanformagroupbasedonthesimilarity(location,typeofsensor/actuator,application,…)toreduceAAAoverheadwhereeachdevicedoesnothavetoexecutethecompleteAAAprotocol.5GshouldalsobeabletoserveIoTdevicesbehindarelay/gatewaysecurelyevenwhenIoTdevicesdonothavedirectaccessto5Gnetwork.

5Gnetworksshouldalsoprovideasecurityenablerforthekeymanagementwhichenablescommunicationtobeencryptedandauthenticatedfromendtoend.Theconnecteddevicecanutilizenetwork-enabledkeymanagementprovidedby5Gnetworktoachievesecureend-to-endcommunicationbetweenthedeviceandtheservicelocated,e.g.,inthecloud.Byprovidingnetwork-enabledkeymanagement,5Gnetworkcanprovidesecurecommunicationandatthesametimecomplywiththelawfulinterceptionrequirements.

D2.1UseCases

6715625G-ENSURE 32

6 Cluster4:AuthorizationofDevice-to-DeviceInteractions

6.1 IntroductionThisclustercontainsthreeusecasesaboutauthorizationofdevice-to-deviceinteractions:thefirstusecaseconsiderstheauthorizationinresource-constraineddevices[RFC7744]bymeansoftokenbasedon5Gcredentials;thesecondusecaseconsiderstheauthorizationbya5GoperatorofdirectIPconnections;thelastusecaseconsidersauthorizationinvehicle-to-everythingcommunications.


• User(Alice)• Sensors’Owner• Sensors’Owner’sAAAServer• Sensor1• Sensor2• 5Goperator• Vehicle1(Ann)• Vehicle2(Bob)• Pedestrian(Charlie)• VehicleManufacturer

6.3 UseCases

6.3.1 UseCase4.1:AuthorizationinResource-ConstrainedDevicesSupportedby5GNetwork

6.3.1.1 Preconditions• Everyactorholds5Gcredentials• TheAAAServercanauthenticateuserswith5Gcredentials• TheAAAServermaintainsadatabasethatstoresaccessrightstothesensors.

6.3.1.2 DescriptionSensor1andSensor2areresource-constraineddevices[RFC7228]thatwanttooutsourceauthorizationservicestoaAAAServer.Thus,theAAAServershouldsupportaninterfacethatallowsthesensors’ownertoissuesecuritypoliciesviathe5Gnetwork.Also,theAAAServershouldsupportaninterfacetoissueauthorizationtokensbasedonthe5Gcredentials(seeFigure8).

Basicflowofevents:

1. Thesensors'ownerissuessecuritypoliciestotheAAAServerconcerningaccesstoitssensors.2. AliceauthenticatestotheAAAServerandrequiresaccesstothesensors.3. TheAAAServerissuesanauthorizationtokenbasedon5GcredentialsofAliceaccordingtothe

securitypolicies.4. Alicehasaccesstothesensor(s)usinghertokenand5Gcredentials.

D2.1UseCases

6715625G-ENSURE 33

6.3.1.3 VulnerabilitiesandConsequencesThemainthreatsareduetoamalicioususerwhomaywanttoaccessthesensors’datawithoutauthorization.Suchamalicioususermayeithertrytogenerateafaketokenortrytomodifythesecuritypolicytogetaccesstothesensors.Moreover,theAAAservermayintroduceseveralvulnerabilitiesinthe5Gnetworkinfrastructure,whichhavetobecarefullyinvestigated.Inanycase,aninvestigationofliabilitiesbetweenpartieswillhavetobeperformed(AAAowner,sensorownerand5Goperator).

Figure8:SettingforAuthorizationinResource-ConstrainedDevices


Thegenerationoftheauthorizationtokenshouldbebasedbothonthesecuritypolicy,asdefinedbythesensorowner,andonthe5Gcredentialswhichprovidestheoveralltrust.TheAAAserveractivitiesshouldnotaffectthesecurityofthe5GNetworktowhichitisconnected(forexamplenotcontributetootherattackssuchascloning,eavesdropofcommunication,networkelementcompromise,etc.).


EnsureEnablers AAANextGenerationRadioTechnologyUsecases xMBB,mMTC,uMTC

6.3.2 UseCase4.2:AuthorizationforEnd-to-EndIPConnections

6.3.2.1 Preconditions• AliceandSensor1hold5Gcredentials

Token

SecurityPolicy

User AAA

Sensor Owner Sensors

D2.1UseCases

6715625G-ENSURE 34

• 5GoperatorcanauthenticatebothAliceandSensor1• Sensor1isabletoperformaccesscontrol

6.3.2.2 DescriptionAlicewantstoaccessthedataprovidedbySensor1,henceshewantstobuildend-to-endIPconnectionsthroughthe5Gnetwork.The5Goperatorshouldbeabletoauthorizesuchconnections.

Basicflowofevents:

1. AliceandSensor1areauthenticatedbythe5Gnetworkandconfiguredtothesame5Gslice2. AlicebootstrapsadirectIPconnectionwithSensor1via5Gnetwork3. The5GoperatorauthorizesthedirectIPconnection4. Sensor1sendsitsdatathroughtheestablishedsecuredirectIPconnection

6.3.2.3 VulnerabilitiesandConsequencesOnepotentialvulnerabilityappearsifthesolutionwouldallowadirectIPconnectionwithoutauthorization.Inotherwords,amalicioususermightthenestablishsuchaconnectioneventhoughthe5Goperatorshouldhaveblockedit.

6.3.2.4 PropertiesofasolutionToprohibitunauthorizedaccessandillicittraffic,usingthedirectIPconnect,the5Gnetworkmayrequirethatdirectconnectionsmustfirstbeauthorizedbythenetwork,oruseanIPwhitelist,combinedwithaserviceswhitelist.The5Goperatormightalsodoalayer7verificationoftheIPtrafficsenttothesensors,todetectknownexploitattempts.


EnsureEnablers AAA,NetworkManagement&VirtualisationIsolation

NextGenerationRadioTechnologyUsecases xMBB,mMTC,uMTC

6.3.3 UseCase4.3:Vehicle-to-Everything(V2X)

6.3.3.1 Preconditions• Everyactorholds5Gcredentials• 5Goperatorcanauthenticatevehicles• Mutualauthenticationbetweenvehicleandvehiclemanufacturer

6.3.3.2 DescriptionAnnandBobmaywanttoexchangedata(Vehicle-to-Vehicle(V2V)communication)via5Gnetworktoshareknowledgeinordertoprovidemoreintelligentservices,suchastrafficjaminformation.AnnmayalsowanttoexchangedatawithCharlie(Vehicle-to-Pedestrian(V2P)communication)via5Gnetworktosupportcooperativecollisionwarning.Finally,Annmaywanttoconnectwithhervehiclemanufacturerinfrastructure(Vehicle-to-Infrastructure(V2I)communication)todownloadasoftwareupdate,ortosendanalyticsreportsfromthevehicletotherepairshop.

D2.1UseCases

6715625G-ENSURE 35

V2V,V2P,andV2Ihavedifferentsecurityneeds,andthe5Goperatorshouldgrantauthorizationtothe5Gnetworkaccordingly.

Basicflowofevents:

1. AnnestablishesaconnectionwithBob2. BobsendstoAnninformationabouthislocationandspeed3. AnnprocessesBob’sinformationtogeneratethetrafficstatus


1. AnnestablishesaconnectionwithCharlie2. CharliesendshispositiontoAnn,andAnnherstoCharlie3. AnnandCharlieprocesstheinformationaccordingacollaborativecollisionwarningsystem.


1. AnnestablishesanIPconnectionwithavehiclemanufacturer2. Annsendshersoftwareversioninformationtothevehiclemanufacturer3. ThevehiclemanufacturersendsasoftwareupdatetoAnn

6.3.3.3 VulnerabilitiesandConsequencesIndicationabouttrafficjamsmightuseagroupsecurityassociationwhereidentifyingandauthenticatinganindividualsendermaynotberequired.However,ifgroupsecurityassociationisusedforsendinganalyticstotherepairshopfromavehicle,amaliciousgroupmember(e.g.Eve)couldbeabletosendunauthorizedanalyticsdatatotherepairshoponbehalfofthevictim(Ann).

6.3.3.4 Propertiesofasolution• Enrolmentinnationaltrafficmanagementinfrastructure,assoonasborderispassed.• Symmetrickeysforencryption• Asymmetrickeysforsignature,providingnon-repudiation


EnsureEnablers AAA,Trust,NetworkManagement&VirtualisationIsolation


6.4 5GVision

5Gshouldsupportauthorizationofdevice-to-deviceoperationsatdifferentlevels.Attheapplicationlevel,the5Ginfrastructureprovidesthecredentialstosupportthegenerationofsecuritypoliciesandauthorizationtokens.Atthenetworklevel,the5Goperatorshouldbeabletoauthorizedirectandsecureend-to-endconnectionsbetweendevices.Moreover,theuseoflicensedspectrumof5Gshouldbeauthorizedinasecureway.5Gshouldcopewiththedifferentlevelsoftrust,forinstance,accordingtotheV2Xscenario,andalsotaketherelevantlegislationandregulationintoaccountinthedesignofthe5Gsolution.

D2.1UseCases

6715625G-ENSURE 36

7 Cluster5:Software-DefinedNetworks,VirtualizationandMonitoring

7.1 IntroductionTolowerthecostandallowmoreflexibility,e.g.rapiddeploymentofnewnetworkfunctionality,5Gwillrelyonvirtualization.Inaddition,networkvirtualizationintheformofnetworkslicescanbeameanstoisolatedifferenttypesoftrafficandtoprovidebettersecurityandnetworkattackresistance.

By“networkslice”wemeanaportionoftheunderlyingnetworkusedtoprovidenetworkserviceswithparticularproperties.Forexampleaslicecouldbeusedtoprovide:

• HighQoSforreal-timestreaming/video• Delaytolerantnetworking• SpecialenterpriseorM2Mtraffic• Strongsecurityproperties(e.g."isolating"trafficfrompotentialeavesdropping,DoSetc.)

Theusecasesoninthisclusteraredividedintothreecategories:

1. TheuserplaneofanSDNnetwork:Thiscategorycomprisesusescasesthatdealwiththevirtualizationofthenetwork,i.e.,the5GCoreNetworkintheformofaNetworkSlice.Thefirstusecasebelongstothiscategory.

2. ThecontrolplaneofanSDNnetwork:Thiscategorycomprisesusecasesthatdealwithmechanismsofvirtualizingthenetwork,andhowthevirtualizednetworkisoperated.Thisincludesthetoolsforcreating,maintaining,andremovingNetworkSlices,andNetworkNodesintheseSlices.Italsoincludestherouterinfrastructure,SDNprogramminginterfaces,clouds,andtheVNFs(VirtualizedNetworkFunctions).Thesecondandthirdusecasesbelongtothiscategory.

3. Monitoringandcontrolofthevirtualized5Gnetworkandofthevirtualizationinfrastructure:Thiscategorycomprisesusescasesthatdescribemonitoring,verifying,andcontrollingthevirtualized5GCoreNetwork,andinthevirtualizationinfrastructure.Thefourth,fifthandsixthusecasesbelongtothiscategory.

Figure9:Userplane,controlplaneinSDNandmonitoringandcontrolofvirtualized5Gnetwork

Virtualizationinfrastructure(NFVs,routers,CloudHW),andthemanagementoftheforwardingplane

API

Verification,andassuranceofvirtualizednetw

ork,andthevirtualizationinfrastructure

API

API

5G User Plane

Processing

5G User Plane

Processing

5G User Plane

Processing

The user plane of SDN (5G Network Slice & micro-segments)

The control plane of SDN

Virtual Core NetworkNetwork Slice

Bob

Alice @ VIP Carol @ VMNO

5G User Plane

Processing

5G User Plane

Processing

5G User Plane

Processing

5G User Plane

Processing

5G User Plane

Processing

5G User Plane

Processing Monitoringandcontrolofsub-slice

API

Sub-slice

Dave @ SP

D2.1UseCases

6715625G-ENSURE 37


• VirtualMobileNetworkOperator(VMNO)• VirtualizedInfrastructureProvider(VIP)• Infrastructurecomponents,thesearethenetworkcomponents(physicalorvirtualized)• 5GNodeProvider(5GNP),thisisthesoftwarevendorofa5Gnodethatisrunningontopofthe

VirtualizedInfrastructure• ServiceProvider(SP)runningaserviceontopoftheVMNO’snetwork• Employee(Alice)usingtheAPIinInfrastructureside,couldbeanemployeeofSatNO,VMNOorVIP• Consumer(Bob)andhis5Gdevices(e.g.xMBBormMTCdevices)• Employee(Carol)usingthemonitoring/assuranceAPI,couldbeanemployeeofVMNO,VIP,5GNP• Employee(Dave)oftheSPusinganAPItotheVMNO.

7.3 UseCases

7.3.1 UseCase5.1:VirtualizedCoreNetworks,andNetworkSlicingThisusecasebelongstocategory1:theuserplaneofanSDNnetwork.

7.3.1.1 Preconditions• TheVirtualizedInfrastructureProvider(VIP)andtheVirtualMobileNetworkOperator(VMNO)havea

businessagreement,andtheyhaveinstalled,andconfiguredaVirtualCoreNetwork(VCN)consistingoftwoNetworkSlices.OnesliceisservingxMBBsubscribers,andtheothermMTCsubscribers.

• TheVCNisconnectedtoaninfrastructureof5GbasestationsthatinthisusecasearesharedbetweenmultipleVMNOs.TheRANconsistsofcomponentsownedbydifferentVMNOs.

• TheNetworkSlicesareconfiguredinsuchwaythatoneslicedoesnotacceptcommandsfromanotherslice.

• Micro-segmentationsplitsnetworkslicesintosmallerpartswithmorerestrictedandcontrolledsecuritypoliciesdedicatedforspecificapplicationservicesorusers.Bycombiningmicro-segmentssimilarguaranteedsecuritylevelscanbeprovidedevenovermultiplenetworkdomainsandmultiplenetworkoperators.

• Bobhasa5GxMBBdevice,andasubscriptionofVMNOtothatdevice.• Bobhasalsoasensorthatisa5GmMTCdevice,andincludesasubscriptionofVMNO.• VMNOisprovidinganInternetaccessibleAPIfor5GmMTCdevicesubscriberstocontrolthebehaviour

ofthemMTCdevices.

7.3.1.2 DescriptionBobturnsonthepowerinhis5GxMBBdeviceand5GmMTCsensor,andtheattachrequestsareroutedviathe5Gradionetworktothecorrespondingnetworkslices.Devicesandthenetworknegotiatesecuritymechanismandalgorithmsinasecureway,andafterthesecurityisturnedon,thedeviceshaveaccesstotheservicesinthedifferentnetworkslices.

Thisusecaseassumesthatthedevicesareauthenticatedaftertheyhaveaccesstotheslice,however,thereareotheroptionslikeauthenticationofthedeviceataspecialsliceselectionfunction.

D2.1UseCases

6715625G-ENSURE 38

Basicflowofevents:

1. The5GxMBBdevice,and5GmMTCdevicearepoweredup.2. Thedevicesattachtothe5Gbasestation.3. Thedevicesareauthenticatedaftertheattachment.4. ThebasestationcontactstheMMEsintheVMNOnetworkslicesforxMBBandmMTC.5. TheVMNOdecidestocreateamicro-segmentforBob’smMTCcommunications.Thismicro-

segmentisextendedtoincludethis5Gbasestationifnotalreadyincluded.6. Beforecreatingthemicrosegments,thedevicesandtheslicesmutuallyauthenticate.

Authenticationcouldhappenalsoinanearlierphasebetweenthedeviceandaspecialsliceselectionfunction.

7. Themicro-segmentsareallocatedforthedevicesthatareauthorizedforit.Themicro-segmenthasasecuritymechanismofitsown.

8. Bobuseshis5GxMBBdevicetoconfigurethebehaviourofthesensorviatheAPI.

7.3.1.3 VulnerabilitiesandconsequencesHavinglargesegmentedsecurityzonescancreatesignificantattacksurfacesandenablethreatstomovethroughoutlargeportionsofthe5Gsoftwarenetworkunrestricted.

7.3.1.4 PropertiesofasolutionBydividingthenetworkintosmallerparts,i.e.,networkslices,sub-slicesandmicro-segmentsitwouldbeeasiertomonitorandrespondtoanomalousbehaviour.Inthisway,thesurfaceforattacksandthreatscanbereducedsignificantly.Networkslicing(andfurthersub-slicing)couldbeusedtocreateportionsoftheunderlyingnetworkwhichcanbefurtherusedtoprovidenetworkserviceswithparticularproperties.Micro-segmentationcouldprovideamorefine-grainedapproachthantraditionalnetworkslicingandwithmicro-segmentationitmaybepossibletocreatesecuresegmentswheremoregranularaccesscontrolsandstrictersecuritypoliciescanbeenforced.


EnsureEnablers NetworkManagement&VirtualisationIsolation,Trust

NextGenerationRadioTechnologyUsecases uMTC,mMTC,xMBB

7.3.2 UseCase5.2:Addinga5GNodetoaVirtualizedCoreNetworkThisusecasebelongstocategory2:thecontrolplaneofSDN.

ThegeneralSDNapproachthatcouldbeusedtoimplementthisusecase,wouldtypicallyusethefollowingconcepts.ThecontrolplaneofSDNintermediatesbetweentheapplicationplaneandthedataplane,whereastheuserplaneofSDNiscomposedofnetworkapplicationsthatsendinstructionstothecontrolplane,theSDNcontroller,viathenorthboundapplicationinterface.ThoseinstructionswillbetranslatedbytheSDNcontrollerintosuitableactionssentviathesouthboundprotocolinterfacetothedataplane.Forinstance,toinstallanend-to-endpathbetweentwonodes,theSDNcontrollerwilltakethisinstructionsentbyanetworkapplicationanditwillgenerateaseriesofflowstobeinstalledontheappropriateswitchese.g.viaOpenFlow,toensurethatpath.

D2.1UseCases

6715625G-ENSURE 39

7.3.2.1 Preconditions• TherearetwoVirtualMobileNetworkOperators,VMNO1andVMNO2.• EachVMNOhasitsownvirtualcorenetwork,VCN1andVCN2.• VCN1andVCN2sharethesamephysicalnetwork.• Amulti-slicesystem,wheretheslicesconsistofvirtualtopologiessimultaneouslydeployedoverthe

samecorenetwork(physicalinfrastructure).ThisphysicalinfrastructureisoperatedbyaVirtualizedInfrastructureProvider(VIP).

• BothcorenetworksVCN1andVCN2areisolatedbyusinganisolationmechanism.• VMNO1hasrequestedtheVIPtoconstructanewNetworkSlice.Thisrequesthasbeendoneina

secureway.

7.3.2.2 DescriptionNetworkApplicationsineachVirtualizedCoreNetworkmodifytheforwardinglogicofthesharedphysicalnetwork.

TheNetworkApplications(suchasanMME)arenotabletoreadormodifyphysicalnetworkresourcesbelongingtotheotherVirtualizedCoreNetwork.Furthermore,modificationstothephysicalnetwork,whichmightoriginatefromareconfigurationofoneofthevirtualcorenetworks,shouldnotconflictwiththecurrentconfigurationsoftheothervirtualcorenetwork.Intheflowbelow,theMMEisassumedtobeassociatedwithaslice.Thus,thisonlysupportsthemodelinwhichUEdevicesareassignedtoslicesbeforetheyhavebeenauthenticated,evenif,asmentioned,otheroptionsarepossible.

Basicflowofevents:

1. Alice,anemployeeofaVIP,startsconfiguringanewNetworkSliceonVCN1bycreatinganewvirtualMME.TheMMEsoftwareiscomingfroma5GNodeProvider(5GNP).

2. AlicecreatesthevirtualspaceforMME,andinstallstheMMEsoftwareontopofthat.3. AliceconfigurestheforwardinglogicrelatedtothenewMME.

7.3.2.3 VulnerabilitiesandconsequencesTheMMEsoftwareintheVCN1shouldnotbeabletoseeormodifytheforwardinglogicrelatedtoVCN2.Theremaybepolicyconflictswhendifferentnetworkapplicationsineachvirtualizedcorenetworktrytomodifytheforwardinglogicofthesharedphysicalnetworkelements,becausethosecaninjectcontradictorypolicies,orevenonenon-authenticatednetworkapplicationscantrytoinjectmaliciouspoliciestotheSDNcontroller.

Ontheotherhand,thehighdynamicityinSDNandNFV-basedenvironmentscomesfromthefactthattheSDNcontrollerensurestheconnectivityamongvirtualnodescomprisingtheslicesbychoosingaphysicalpathatrun-time.Apartfromthis,whenSDNiscombinedwithNFVthenetworkbecomesevenmoredynamic,sincevirtualnodeshostVNFswhichmaybemigrated,leadingtosubsequentrecalculationofthepathallocatedbytheSDNcontroller.Thisdynamicityleadstoalackofcontrolontheestablisheddependenciesbetweentheslicetopologiesandthephysicalinfrastructure,sinceitdependsontheSDNcontrollerwhichmaychangethosedependenciesdynamically.Asaconsequence,faultisolationonmulti-slicesystemsneedstobeensured.FaultisolationensurestheresilienceofVNFsandvirtuallinkscomposingtheslices,anditconsistsofensuringthatthosevirtualresourcesaredisjointlyallocated(i.e.ensuringthoseslicesdonotshareresources)inthenetworkinfrastructureoratleastensuringthereisenoughredundancy

D2.1UseCases

6715625G-ENSURE 40

tomigratethemtoavoidserviceoutages.Otherwise,afailureonthesharedphysicalresourcescouldpropagatetobothslices.


Securitypolicies:

Theauthenticityandintegrityofthereceiveddataandcommandsineachslicemustbeensured.Tocontroltheaccessbetweenslices,securitymechanismsmustbeabletocheckifthereceiveddata/commands,originatedfromwithinthesliceornot(fromalegitimateentity).Inotherwords,itmustbeabletocheckitstrustworthiness,topreventaccessfromotherslices.

ThesecuritysystemmustensurethedifferentSLAobjectivesforthedifferentslicesaremet.TheSLAobjectiveswillbedifferentdependingontheusecase(e.g.autonomousdriving,health,massiveIoT,etc.)

Thepoliciessentbynetworkapplicationsshouldbefirstinjectedtoapolicycheckerblock[Paladi2015]toanalysethepoliciesfromnetworkapplicationstowardstheVCNstoavoidincoherenciesbetweenpoliciesand/orsecurityissues.ThispolicycheckerblockverifiesandenforcespoliciesandcontrolstheaccessofnetworkapplicationstotheSDNcontroller.Thisblockhastwocomponents:areal-timepolicycheckerblockthatverifiestheincomingpoliciesandtagsthemwhithissuingentity,andaofflinepolicycheckerblockthatensuresisolation,networkreachabilityandliveness.Inthisusecase,thenetworkapplicationsshouldnotbeabletoreadormodifynetworkresourcesofotherVCNs,sotherulessentfromnetworkapplicationsshouldbeinjectedintoapolicycheckerblockabletounderstandtheirorigin,identifywhetherornottheyarenotallowedtoaccesstothatVCNandrejectthemifnecessary.TheSDNcontrollershouldonlyinstallthosepoliciesacceptedbythepolicycheckerblock,oncethisblockchecksthatthosepoliciescomefromauthenticatedandauthorisednetworkapplications.

• Ina5Gnetwork,theisolationofslices(isolationassurancewithin5Gnodes)mustbeensured.Thisassurancemustbeprovidedattwolevels,atsecuritylevel(threatspropagatingthroughtheslices)andatresiliencylevel(faultsinthephysicalinfrastructurepropagatingthroughtheslices).

• Acompromisedslicemaycompromisethesecurityofotherslicessharingthesamephysical5Gnodes.

• Unavailabilityofaphysicalnetworkresource(physical5Gnode)servingNslices,duetointentionaloraccidentalintentions,maypropagatetotheNslices(a.k.acascadeeffect)

• Integrityandauthenticityofthedata/commandsuploaded/downloadedbya5Gcontroller/a5Gobjectmustbeensuredtoavoidanysecurityissues.

Resiliencypolicies:

Aresilientsystemmustpreventcascadeeffectsbetweendifferentslices,bycheckinginrealtimewhichpartofthephysicalinfrastructureisensuringtheintegrityofagivenslicetopologyandproposemigrationswhendetectingvulnerable,attacked,compromisedoraffectedphysicalresources.Forthat,itisnecessarytosupporttheretrievalon-the-flyofthedynamicdependenciesbetweentheslicesandthephysicalinfrastructureinordertocalculatethepropagationoffaultsandattacksinagivenslice.

D2.1UseCases

6715625G-ENSURE 41



NextGenerationRadioTechnologyUsecases mMTC,uMTC,xMBB

7.3.3 UseCase5.3:ReactiveTrafficRoutinginaVirtualizedCoreNetworkThisusecasebelongstocategory2:thecontrolplaneofanSDNnetwork.

7.3.3.1 Preconditions• ThereisoneVirtualMobileNetworkOperator,VMNO1.• VMNO1hasitsownvirtualcorenetwork,VCN1.• NetworktrafficinVCN1isrouted(reactively)byanetworkapplication.Thefunctionofthisnetwork

applicationistoreceivepacket-inmessagesandreconfiguretheflowtablesoftheswitchesaccordingly.

• Thisusecaseassumesthatthevirtual5Gcoreisawareofvirtualization.(Itcouldalsobepossiblethatthedynamicbehaviourisdonetransparentlytothevirtual5Gcore.)

• AconsumerofVMNO2,Bob,accesseswithhismobiledeviceaserviceintheinternet.BobisaroamingsubscriberintheVCN1.

7.3.3.2 DescriptionWhenBobaccessesthephysicalcorenetworkforwhichnomatchingflowrulesareinstalled,theVCN1’snetworkapplicationistriggered.ThereconfigurationofVCN1iscompileddowntoareconfigurationofthephysicalnetwork.ThereconfigurationhandlesBob’snetworkflowtoaccesstheremoteinternetservice.

Basicflowofevents:

1. Bob’sdevicestartssendingnetworkpacketstothecorenetwork.2. Sincethenetworkpacketsdonotmatchanyflowrule,thecorenetworkgeneratesacorresponding

packet-inmessageforVCN1.3. VCN1triggersitsnetworkroutingapplicationforthereceivedpacket-inmessage.4. ThenetworkapplicationestablishesanetworkflowinVCN1.5. ThereconfigurationofVCN1iscompileddownsothatacorrespondingnetworkflowinthephysical

networkisestablished.6. Bobstartscommunicatingoverhismobiledevicewiththeinternetservice.

7.3.3.3 VulnerabilitiesandconsequencesThetimeofreconfiguringthephysicalnetworkcanbemeasuredbyanattacker.Inthisway,anattackercangaininformationaboutwhichandwhenanetworkpackettriggersareconfigurationofnetworkcomponents.Thiscanbeexploitedtomountpowerfuldenial-of-serviceattacks,whereanattackeroverloadsthecontrollerofVCN1bysendingpacketsthat,withhighprobability,triggerareconfigurationofthenetworks.Furthermore,notethatinstallingflowrulesinstate-of-the-arthardwareswitchesisacostlyoperation.Thismeansthateventheperformanceofthephysicalnetworkmightbedecreased.

7.3.3.4 PropertiesofasolutionAsolutionshouldnotdecreasenetworkperformancesignificantly.Thismeans,forexample,thatdelayingeverynetworkpacketthatdoesnottriggeraninteractionwiththecontrolplaneataswitchbefore

D2.1UseCases

6715625G-ENSURE 42

forwardingitisnotaworkablesolution.Althoughanadversarywouldnotgainanyknowledgewhenmeasuringthetimingsofsendingandreceivingpackets,thewholenetworktrafficwouldsignificantlybesloweddown.However,onecandelayafewpacketsofanetworkflowtoobfuscatethetimingmeasurementsofanadversary.Thefewdelayedpacketsfakeaninteractionbetweenthenetwork’sdataplaneandcontrolplane.Thesedelayscanbedonedirectlyattheswitchesoradedicated,newdata-planecomponent.Thereisnoneedforanyinteractionwiththecontrolplane.Theselectionofthepacketsandthedelayisspecifictoanetwork,andneedstobeconfigured.




7.3.4 UseCase5.4:VerificationoftheVirtualizedNodeandtheVirtualizationPlatformThisusecasebelongstocategory3:themonitoringofthevirtualized5Gnetworkandofthevirtualizationinfrastructure.

7.3.4.1 Preconditions• AnewMMEhasbeenvirtualized,anditisrunningontopofaVirtualizationPlatform.• TheMMEisdeployedaspartofaVCN,andaNetworkSlice.• ThereisacertificationsystemforVirtualizationPlatformsthatissue“level1certification”tothirdparty

products.

7.3.4.2 DescriptionCarolisrunningvarioustestsontheVirtualizedNode,andtheVirtualizationPlatform.CarolneedstocheckthatthenewnodemeetstherequirementsoftheVirtualMobileNetworkOperator.ThissliceisusedforeHealthservices,anditneedstofulfilcertainsafety,securityandprivacystandards:inthisexampleweassumethatallpartsoftheVCNarephysicallywithinFrance.

Basicflowofevents:

1. CarolstartsbycheckingthatthephysicalcomputeroftheVirtualizationPlatformislocatedinFrance.ThephysicalcomputeristheonewheretheVirtualizedNodeistobeinstalled.

2. Caroladdsamonitoringpolicythatallowshertoreceiveanotificationifthelocationischanged,andanalarmmessageifthelocationmovesoutsideofFrance.

3. CarolrunsatestonthevirtualmachineoftheVirtualizationPlatform,andverifiesthatitisabletofulfilthesecurityandprivacyrequirements.CarolisabletoverifythattheVirtualizationPlatformhasbeencertifiedbyanexternalparty,andithas“level1”certification.

4. CarolthencheckstheintegrityoftheMMEsoftwarethatisrunningontopofthevirtualmachine.5. CarolverifiesthatthesecuritytowardstheothernodesintheVirtualCoreNetworkisconfigured

correctly,andonlyauthenticatedandprotecteddata/commandsareabletopass/accesstheMME.6. Carolchecksthattheslicetopologycorrespondstoaphysicalinfrastructurewhosephysicalnodes

complywiththegeographicalconstraintsforthisusecase.

D2.1UseCases

6715625G-ENSURE 43

7.3.4.3 VulnerabilitiesandconsequencesInthise-healthservice,thesliceshoulddependonlyon5GnodeslocatedinFranceoroperatedbyagivenMNO,thatiswhyCarolischeckingthattheunderlyingnodesofthesliceprovidedcomplywithsuchageographicalconstraint.

Privacyandsecurityissuesshouldberespected,especiallyinhighlysensitiveserviceslikee-health.Forinstance,ifthee-healthflowofagivencountrygoesthroughanynon-French5Gnodes,itmaynotrespecttheservicesecurityorprivacypolicy.

A5Goperatormustbeabletoensureatalltimesthatagivenslice(service)resourcearelocatedinagivengeographicalarea.Aserviceprovidermustbeabletocheckthatthedataflowoftheservicetransitswithinagivenarea.Thisispossibleifweareabletoretrievetheunderlyingphysicalnodeidentifiersbelongingtoeverysliceatrun-timeandverifytheirgeographicallocationinordertoensurethattheirlocationdoesnotviolatethegeographicalconstraintsimposedbythee-healthcase.

VNFscanbeprovidedbythirdparties,soanotherthreatiswhenVNFsbecomecompromised.Anetworkoperatormustbeabletocheck,inrealtime,theintegrityoftherunningcodeinaNFVandthatit(theNFV)iscomplianttowhathepreviouslydefined,thatiswhyoneofCarol’sroleistochecktheintegrityoftheMMEsoftwarerunningontheVM.

AnotherthreatiswhenSDNistheunderlyinginfrastructureofNFV-basedservices,whereSDNisensuringtheconnectivityamongVNFs.Inthisscenario,theSDNcontrollercanbecomecompromised,becauseSDNcontrollersarevulnerabletoDDoSattacks(DistributedDenialofService).

7.3.4.4 PropertiesofasolutionOnebasicapproachistoverifyandthoroughlytestthedeployedsoftwarethatcontrolsthenetwork.Thereshouldbededicatedtoolsthatsupporttheseverificationandtestingtasks.Another,complementaryapproachistomonitortheinteractionsbetweenthenetwork’splanes.Theseinteractionsarecheckedagainstgivensecuritypolicies.Noncompliant,malicious,andsuspiciousinteractions(orsequencesofinteractions)arereported.Thecheckingcaneitherbedoneonlineoroffline.Inthelattercase,theinteractionsareloggedandthencollectedandauditedlater.


EnsureEnablers NetworkManagement&VirtualisationIsolation,SecurityMonitoring,Trust


7.3.5 Usecase5.5:ControlandMonitoringofSlicebyServiceProviderThisusecasebelongstocategory3:monitoringandcontrolofthevirtualized5Gnetwork.

7.3.5.1 Preconditions• ThereisaVirtualisedInfrastructureProvider(VIP).• ThereisaVirtualMobileNetworkOperator(VMNO).• TheVIPhasdeployedaVirtualCoreNetwork(VCN)fortheVMNO.• ThereisaServiceProvider(SP).• TheVMNOhasdeployedasub-slicefortheSPwithcertainSLAconstraints.

D2.1UseCases

6715625G-ENSURE 44

7.3.5.2 DescriptionAServiceProvider,forinstanceamassivelymultiplayeronlinegame(MMOG)host,requiresasecurenetworkwithsomeQoSguaranteestobeusedbytheircustomers(gameplayers).TheServiceProviderhasacontractwiththeVMNOfortheVMNOtosupplyasuitablesub-sliceoftheVCNfortheServiceProvider’scustomerstouse.TheServiceProviderneedstobeabletomonitorthesub-slicetoensurethattheVMNOisprovidingwhatisrequiredbythecontract,andalsoneedstobeabletovarytheparametersofthesub-slicewithinsomepredefinedboundsastheservice’spopularitychanges.

Theterm“sub-slice”isherebeingusedtomeanaportionofanetworkslice.ThisusecasemaintainsmostofitsfeaturesiftheServiceProviderisadirectcustomerofaMNOandtheMNOprovisionsa“slice”ofthecorenetworkfortheSP.ByhavingtheSPinteractwithaVMNOwedemonstrateafurtherpotentiallevelofcomplexity.

Basicflowofevents:

1. Dave,anemployeeoftheSP,usingthetoolsprovidedbytheVMNO,monitorstheQoSbeingprovidedtothegameplayersinthesub-slice.

2. Dave,usingtheServiceProvider’sgamemonitoringsystem,predictsthatthenumberofplayersthiseveningwillincreasebeyondthecapacitythatthesub-slicewasprovisionedforandthattheperformanceofthegamefortheplayerswilldegradetoanunacceptablelevel.

3. Daverequeststhatthecapacityofthesub-sliceisincreasedtodealwiththeadditionaldemand.4. TheVMNOdetermines(automaticallyormanually)thattheVCNcansupporttheincreased

capacityofthesub-slicewithoutdegradingtheQoSofothercustomersandsoincreasesthesub-slicecapacity.

5. TheVMNOchargestheSPfortheextracapacity.

7.3.5.3 VulnerabilitiesandconsequencesTheusecasedemonstratesthatacustomerofaVMNOcanrequest,use,monitorandcontrolasub-sliceofthenetwork.Thisrequiresre-sellingofcapacitybyaVMNOalongwithQoStermscontainedinanSLA.TheusecasealsodemonstratesthedynamicnatureofallocationsbyallowingtheServiceProvidertohavesomedegreeofcontrolovertheirsub-slice.Toensureanacceptablelevelofservicefortheircustomers,theServiceProviderwouldneedtobeabletoassessthetrustworthinessoftheVMNObeforeenteringintoacontractwiththem.TheVMNO’ssystemsdependenceon(atleast)theVIPmakesthechainoftrustquitecomplex.


• controlofsub-slicemaybeaddressedwithdelegation• hierarchicalassertedidentitiesofactors• SLAwherepartsoftheagreementrelatestoestablishingnewSLAs• atooltoassessthetrustworthinessofasystem(includingnetworkcomponentsandactors)based

onknownthreatsandpriorexperience

D2.1UseCases

6715625G-ENSURE 45




7.3.6 UseCase5.6:IntegratedSatelliteandTerrestrialSystemsMonitor

7.3.6.1 IntroductionThisusecasebelongstocategory3andisrelatedtobroadbandtelecommunicationsystemsortelecommunicationgroundusersegments.TheinfrastructureforbuildingtheSatAN(SatelliteAccessNetwork)comprisethefollowingnetworkcomponents(seeFigure10):

• SatelliteHub:satelliteearthstationconnectedtothe5Gnetwork.• Satellite-capableeNB:traditionaleNBimprovedwithasatellitelink.• DifferentUEs:

o SatelliteTerminals(Kaband):satelliteterminalwithaKabandantenna.o SatelliteModems:end-usersatelliteterminalconnectedtoasatelliteantennausinga

communicationssatelliteasarelay.o 5Gdevices.

Thesenetworkcomponentsaredistributedinawide-areaandduetothesatellitesupportensurehighnetworkavailabilityandservicereliabilitywitha100%geographiccoverage.

Thesenetworkcomponentsperiodicallycollectinformationfromthemselves(hardwarestatus,alarms…)andcountersfromthespecificbusinesslogic(transferrate,numberofrequests…).Thisinformation,calledindicators,isusedtomonitorthenetwork.

Theseindicatorscanbeclassifiedinthreecategories:

• Healthstatus:o Intrusiondetection.o Alarmsscannedbysatellitenetworkdevices.o Excessiveload.

• Configurationstate:o Networkstatus.o Credentialstatus.

• Counters:o Volumecounters.o Efficiencycounters.

Thesenetworkcomponentsaresupervisedandcontrolledusinganetworkmanagementsystem.Thisnetworkmanagementsystemiscomposedof:

• Securitymonitor:receivessuchindicatorsandisinchargeofcarryingoutanactivesecurityanalysistodetectattacksandmaliciousbehaviour.Furthermore,thesecuritymonitorusesdataanalytics

D2.1UseCases

6715625G-ENSURE 46

andintelligence-drivensecuritytoresponsetotheidentifiedthreats(e.g.notifytheoperator,balancetheload,…).Someofthethreatsidentifiedare:

o Attackonnetworkcomponents:RFinterference,powerorcommunicationslines…o Attackonthenetworkmanagementsystem:intrudingthesystembyhijacking,

blackmailing,placingorimpersonatingtheoperator,toobtaincredentialsor/andgaincontrolofthesystem,…

o Denialofservice:floodthenetworkwithdummyindicatorstomakethenetworkunusable,preventinganyusefulcommunicationswiththenetworkmanagementsystem.

• B/OSS(BusinessandOperationalSupportSystems)monitor:receivessuchindicatorsandisinchargeofserviceprovisioning,networkconfigurationandbilling.

7.3.6.2 Preconditions• Thenetworkcomponentsperiodicallycollectindicators.

7.3.6.3 DescriptionOnceregistered,networkcomponentsdelivertothesecuritymonitoringtheindicatorscollected.Later,securitymonitoringusesactivesecurityanalysiswiththeseindicatorsinordertodetectthreats.

SatNOconnectstothesecuritymonitortocheckthesystemsstatus(e.g.faultmanagement,performancemonitoring)and,ifneeded,respondstotheidentifiedthreats.

AServiceProvider(i.e.telecommunicationscompany)hasacontractwiththeSatNOtosupplyasuitablesystemcapacitywithsomeQoSguaranteestobeusedbyitscustomers.TheServiceProviderimplementspre-paid/post-paidservicesandconnectstotheB/OSSmonitortoensurethattheSatNOisprovidingwhatisrequiredbythecontractandperformssomecontroltasks(managementofsystembandwidthandpowertooptimizeglobalcapacity,configurationofnetworkcomponents,…).

Basicflowofevents:

1. Uponactivation,eachnetworkcomponentidentifiesitselfwiththenetworkandregisterswiththenetworkmanagementsystem

2. Thesecuritycredentialsofthesenetworkcomponentsneedtobeperiodicallyupdated3. Onceregistered,networkcomponentsdeliverperiodicallythecollectedindicatorstothenetwork

managementsystem4. Networkmanagementsystemreceivesfromthenetworkcomponentsalargeamountofindicators5. Securitymonitorusesactivesecurityanalysiswiththeseindicators


1. Alice,aSatNO,connectstothesecuritymonitortocheckthesystemstatusandthesecurityanalysisprovidedbythesecuritymonitor

2. Securityalarms(e.g.attacks,maliciousbehaviourdetected,…)mayrequirearesponsefromAlice(e.g.allow/denyaccesstoonenetworkcomponent)


1. Carol,anemployeeoftheSP,connectstotheBSS/OSSmonitortochecktheQoS2. Carolmayrequestincreasecapacitytodealwithadditionaldemand

D2.1UseCases

6715625G-ENSURE 47

Figure10:Satelliteand5GMonitor.

7.3.6.4 VulnerabilitiesandConsequencesTheusecasedemonstratesthedynamicnatureofallocationsbyallowingtheServiceProvidertohavesomedegreeofcontrolovertheirmicro-slice.Thesecuritycredentialsofthesemicro-slicecomponentsmayhavebeencompromisedanditisneededtoforceanupdateofthesecredentialstomaintainthesecurityofthenetwork.

Theoriginofmostfraudulentaccessesorsecuritybreachescanbesummarizedaseithertechnicalidentityalteration(afteranillegalorillegitimateprivilegeaugmentation)orsignallingmessagesreceivedoutsideofthenormalsequences.

7.3.6.5 PropertiesofasolutionTheuse-caserequiresre-sellingofcapacitybyaSatNOalongwithQoStermscontainedinanSLA.

• Securemechanismtostoreandupdatethesecuritycredentialsforthenetworkcomponents• Genericsecureinterfacetoprovideindicatorsfromaheterogeneousnetworkandtoupdatethe

securitycredentials• Realtimedataanalyticsandintelligence-drivensecuritytodetectthreatsbasedonsecuritymetrics

D2.1UseCases

6715625G-ENSURE 48

7.3.6.6 UsecasecategoriesEnsureEnablers SecurityMonitoring,NetworkManagement&

VirtualisationIsolation

NextGenerationRadioTechnologyUsecases mMTC,uMTC

7.4 5GVisionItisenvisionedthatthevirtualizationofthecorenetworkisanessentialfeatureof5G.Avirtualizedcoreisdescribedhereasa“networkslice”.Mobileoperatorsareabletoprovidedifferentcorenetworkslicesfordifferenttypesofsubscribers.ThisincludesdifferentUEtypes,suchasmMTCorxMBBbutalsocustomerspecificslicessuchaseHealthorsatellitecommunications.Networkslicesmayprovidedifferentservices,andshareacommonradionetwork.Thevirtualizationmayalsoincludemorefine-grainedfeatures,suchasmicro-segmentationwithintheslice.Isolationofnetworkslicesisessential.

Techniquesthatareavailableforimplementationofthevirtualizationaremany,e.g.Software-DefinedNetworking,VirtualizedNetworkFunctionsandCloudtechniques.Virtualizationismostlikelytobetransparenttomany5Gnodes,however,theremightalsobesome5Gnodecomponentsthatareactivelymodifyingthestructureandbehaviourofthecorenetwork,adaptingtoe.g.subscriber/devicecontext.VirtualizationismostlikelyanddesirabletobetransparenttotheUserEquipment(UE),andthesubscriber.TheUEdoesnotneedtobeawareoftheinternalstructureorimplementationofthecore.

Virtualizationbringnewtypesofactors,androlesintothepicture.Itisenvisionedthatitispossibletoseparatetherolesofthe5GNodeProvider,theVirtualizationInfrastructureProvider,andtheVirtualMobileNetworkOperator.Thisalsomeansthatnewtypesofsecuremonitoringandassuranceinterfacesareneededifallthenewrolesaretakenbyseparateactors.Actorsthatareoperatingontopofvirtualizedplatformneedtomonitor,verifyandcontrolwhatishappeninginthevirtualizednetworkaswellasinthevirtualizationinfrastructure.

D2.1UseCases

6715625G-ENSURE 49

8 Cluster6:RadioInterfaceProtection

8.1 IntroductionThisclusterdescribestwousecasesaddressingavailabilityandintegrityoftheradiointerface.Usecase6.1considersoverloadanddenialofserviceattacksoftheradiointerfaceandhowdeviceswithpriorityshouldbeprioritizedinordertobeabletoattachevenduringahighloadsituation.Usecase6.2considersuserplanedataintegrityprotection.


• MobileNetworkOperator(MNO)• Communicationdevice(D)• User(Bob)

8.3 UseCases

8.3.1 UseCase6.1:AttachRequestDuringOverload

8.3.1.1 Preconditions• TheRANisservingmultiplerecentattachrequests• Availableradioresourcesaredepleted

8.3.1.2 DescriptionAcriticalcommunicationdeviceD,e.g.servingcriticalinfrastructureorusedbyuserBobinanemergencysituation,istryingtoattachtotheMNO’snetwork.ThenetworkisbusyservingmanyotherattachrequestssoDdoesnotgetimmediateaccesstothenetwork.Evendeviceswhichareattachedbutloseradiosynchronizationarerequiredtoperformtherandomaccessprocedureandmaybecomelockedoutofthenetworkinthesesituations.

Basicflowofevents:

1. Dmakesanattachmentrequesttothebasestation2. Thebasestationisbusyservingotherrecentattachmentrequestsorhasnoradioresources

available3. Dgetsnoaccessorbecomesdelayed


1. Disattachedtothenetwork2. Dlosesradiosynchronization3. Disre-attaching4. Availableradioresourcearedepletedandthenetworkcan’tofferDaccess5. Ddoesnotregainconnectivity

D2.1UseCases

6715625G-ENSURE 50

8.3.1.3 Vulnerabilitiesandconsequences• Currentnetworksperformpreliminaryradioresourceallocationandsignallingprocedureswhich

consumesprocessingandotherresourcesintheRANandonthebackhaul,beforetheauthenticationprocedure

• Illegitimaterequestscannotberejectedatanearlystage,andtherearenomeanstogiveprioritytoimportantrequests

• Anadversarycansaturatetheradionetwork(ortheuplinkresources),e.g.usingsoftwaredefinedradios(SDR),orusingmultiplelegitimatedevices,e.g.likeinabotnetsetting

• Whenattacheddeviceslosesradiosynchronization,theyarerequiredtoperformtherandomaccessprocedureandmaybeunabletoreconnect,despitebeingallocatedradioresources

Potentialconsequencesinclude:

• Disruptedavailabilityofcriticalcommunicationsnetwork.Deceptiveillegitimaterequestsmaycausedisruptioninnetworkaccess

• Emergencyandcriticalcommunicationrequestscannotgethigherprioritythannon-urgentattachmentrequests


• Asecuremethodforpriorityofaccessrequests• Saveresourcesbyrejectingillegitimateornon-prioritizedrequestatearlystage,i.e.enable

integrityprotectionatalowlayerintheradionetworkstack• Givepriorityforre-attachmenttodeviceslosingradiosynchronization• Threatsofcyber-attacksdirectlytargeting5Gnetworksneedstobedealtwithinthe5Gdesign




8.3.2 UseCase6.2:UnprotectedUserPlaneonRadioInterface

8.3.2.1 Preconditions• TheUEisinConnectedMode• Signallingisintegrityprotected• Userplanedataisnotintegrityprotected• Encryptionmaynotbeallowedontheradiointerfaceduetoregulatoryconstraints

8.3.2.2 DescriptionSignallingbetweentheUEandnetworkisintegrityprotected,butinsomescenarios,theamountofsignallingneededbeforesendinguserdataisminimizedtosavebattery,sometimessignallingbeforesendinguserdataiscompletelyremoved.ThedataconnectionisleftopentothenetworkwhentheUEgoestosleepmode.

D2.1UseCases

6715625G-ENSURE 51

Userplanedataisnotencryptedduetoregulatoryconstraints.Sinceuserplanedataisnotintegrityprotectedeither[TS33.401],thisleavestheuserplanedatatotallywithoutprotection.

Basicflowofevents:

1. Dattachestothenetworkandestablishesintegrityprotectionforsignalling.Encryptionisnotusedforsignallingnorforuserplanedata

2. ThenetworkreceivesunprotecteduserplanedatafromD3. Dgoestosleep.Thedataconnectionisleftopen.4. Dwakesupandsendsdataonthedataconnection


1. Dattachestothenetworkandestablishesintegrityprotectionforsignalling.Encryptionisnotusedforsignallingnorforuserplanedata

2. ThenetworkreceivesunprotecteduserplanedatafromD3. Dgoestosleep.Thedataconnectionisleftopen4. Adversarysendsdataontheopendataconnection

8.3.2.3 Vulnerabilitiesandconsequences

• Thenetworkcannotverifyauthenticityofthereceiveduserplanedata• Anadversarymayusetheopenuserdataconnection

Asaconsequence,theuserplanedataiscompletelyunprotectedandtheMNOcannotprovideanyservicerelyingonthecontent.


• Introduceintegrityprotectionofuserplaneinadditiontointegrityprotectionofcontrolplane• Replacespecificintegrityprotectionofcontrolplanewithcommonintegrityprotectiononuserand

controlplanelowerintheradionetworkstack




8.4 5GVisionThe5Gnetworkshouldberobustagainstoverloadanddenialofserviceattacksoftheradiointerface.Prioritizeddevicesshouldbegettingpriorityandbeabletoattachevenduringhighloadsituations.Also,alreadyattacheddeviceslosingsynchronizationshouldregainaccessduringhighloadsituations.Userplanedatashouldbeintegrityprotectedenablingtrustworthyservicestobebuiltontop,andillegitimateandlowpriorityrequestsshouldberejectedatanearlystage.

D2.1UseCases

6715625G-ENSURE 52

9 Cluster7:MobilityManagementProtection

9.1 IntroductionThisclusterdescribesdifferenttechniquestocauseapersistentdenialofserviceattackoftheUE,illustratedbythreedifferentflowofevents.Thedenialofserviceattacksarepossiblesincenoneoftheexploitedmessagesrequireconfidentialityorintegrityprotectioninthecurrent3GPPstandard,thusenablingtheattackertointercept,decodeandalterthemessages.


• Mobilephonesubscriber(Bob)• Maliciousattacker(Mallory)• MobileNetworkOperator(MNO)• Sensor1

9.3 UseCases

9.3.1 UseCase7.1:UnprotectedMobilityManagementExposesNetworkforDenialofService

9.3.1.1 Preconditions• BobhasavalidsubscriptionwiththeMNO• Mallory’srogueequipmentisphysicallylocatedinthesamearea(TAorCell)asBoborSensor1• MalloryhasaccesstoherownrogueeNB

9.3.1.2 DescriptionBobpowersonhisphone,aspartoftheLTEspecification[TS33.401]thephonewillinitiatean“Attachrequest”tothebasestation(eNB).OnceconnectedtotheMNO,theuserequipment(UE)willsendperiodictrackingareaupdate(TAU)requestmessagesintendedfortheMNO’sMobilityManagementEntity(MME).

Thisuse-caseisvalidforalltypesofconnecteddevices,i.e.BobcanbesubstitutedwithSensor1.

Basicflowofevents:

1. BobisatworkandhashisphoneturnedonandisconnectedtohisMNO2. Bob’sphonesendsaTAUrequestmessagetotheMMEofhisconnectedMNO3. MalloryinterceptstheTAUrequestandrespondswithaTAURejectwithEMMcausenumber7

“LTEServicesnotallowed”orcausenumber8“LTEandnon-LTEservicesnotallowed”.SeeFigure11andFigure12.

4. Bob’sphoneacceptstheTAURejectmessageandactsaccordinglya. IfEMMcausenumber7,Bob’sphonewillconsideritselfinvalidforLTEservices.If

supportedthephonewillconnecttoavailable3Gor2Gnetworksb. IfEMMcausenumber8,Bob’sphonewillconsideritselfinvalidforallservicesandenter

thestateEMM-DEREGISTERED.

D2.1UseCases

6715625G-ENSURE 53


1. Bobpowersonhisphone.2. Bob’sphonesendsan“Attachrequest”totheMNO.3. Malloryinterceptthe“Attachrequest”.4. Malloryaltersthemessageandreplacethe“VoicedomainpreferenceandUE’susagesetting”with

“Additionalupdatetype–SMSonly”andforwardsthemessagetotheMNO.5. TheMNOacceptsthemessageandproceedswiththeAKAprotocol,furthermoretheMNO

configurestheprofileoftheUEintheMMEwiththecapabilitiessentbyMallory,therebyrejectingallvoicecapabilities.


1. Bob’sphonecontinuouslysendsregistrationrequeststothenetworkswiththebestcoverage.2. Malloryrespondswiththerejectmessage“ForbiddenPLMN”.3. Bob’sphoneacceptstheunprotectedrejectmessageandreconfigurestheUSIMaccordingly,hence

denyingallservicestotheindicatedpubliclandmobilenetwork(PLMN)untilthephonehasbeenturnedoff/onortheUSIMhasbeenre-inserted.

Figure11:(from[Shaik2015])DoSattack-denyingLTEnetworkservices

Figure12:(from[Shaik2015])DoSattack-denyingallmobilenetworkservices

D2.1UseCases

6715625G-ENSURE 54

9.3.1.3 Vulnerabilitiesandconsequences• TheTAURequestissentwithoutconfidentialityprotection,hencetheattackercandecodeit.• TheTAURejectmessageisacceptedbytheUEwithoutintegrityprotectionandwithoutanestablished

securitycontextbetweentheUEandnetwork.• The“Attachrequest”issentunprotected,hencethelistofthenetworkcapabilitiescanbealteredby

theattacker.• The“ForbiddenPLMN”areacceptedbytheUEwithoutintegrityprotectionandwithoutanestablished

securitycontextbetweentheUEandnetwork.

Thesevulnerabilitiescanbeusedtoperformadenialofserviceordowngradeattacks,whichpersistsuntiltheuserreinsertstheUSIM,rebootstheUE,orinonecase,physicallymovestheUEtoanewtrackingarea.


SecuritymonitoringcouldbeonesolutiontocapturethoseattackswhereUEisforcedtouseweakerservices.UEthatpreviouslyhasbeenabletousefullservices,typicallydoesnotdowngradeitsowncapabilities.

IftheTAURejectmessagesweredigitallysigned,whichareverifiedbytheUE,anadversary’smessageswouldberejectedbytheUE.ThiswouldrequiretheintroductionofMNOspecificpublickeys.

Amitigationthatmakesitmoredifficulttoimplementapersistentdenialofserviceattackwouldbetointroduceamechanismbasedonatimerorcountervalue,toallowtheUEtore-attachitselftothenetworkafteracertaintime.

Tomitigatetheman-in-the-middleattackontheAttachrequest,the5GnetworkcouldrequireanidenticalintegrityprotectedreconfirmationofthenetworkcapabilitiesasisrequiredforthesecuritycapabilitiesinLTE.


EnsureEnablers AAA,NetworkManagement&VirtualisationIsolation,SecurityMonitoring,Privacy


9.4 5GVision5Gprovidesrobustnetworkserviceswithconsiderableavailabilityguarantees.Thesignallingmessagesexchangedbetweentheuserequipmentandthe5GnetworkshouldhavetheappropriateprotectiontocombatknownweaknessesinLTE.Suchprotectioncanbebuiltfromexistingmechanisms,whichinLTEprovideamatchinghistoryoftheuserequipment’ssecuritycapabilities.In5Gthesemechanismscanbeexpandedtoincludeasimilarcheckofthenetworkcapabilities.Additionally,theintroductionofanoperatorpublickeycanbringthenecessaryprotectionofcapabilityliststhatarebroadcastedbythenetwork.

D2.1UseCases

6715625G-ENSURE 55

10 Cluster8:Ultra-ReliableandStandaloneOperations

10.1 IntroductionThisclusterincludestwousecasesforultra-reliableandstandaloneoperations.Thefirstoneisthesatellite-capableeNBthatprovidesconnectivitytothecorenetworkifthenormalbackhaulislost.Thesecondcasedescribesstandalonecorenetworkservicesthataresimilartoisolatedpublic-safetyservicesbutareinthiscasecommercial.

TheusecasestalkaboutMacroEPCwhichisthe5Gcorenetworkthatisusedinnormalmodeofoperation.MacroEPCprovidesservicestothesubscribersthatareinthehomenetwork,orwhichareroaminginsomevisitednetworks.TheMacroEPCisreachedviathesatelliteinthefirstusecasewhenthenormalrouteisnotpossiblebecauseofanaturaldisaster.

ThestandaloneEPCisanentitywhichprovidesfunctionalitythateNBsinstandalonemodeofoperationuse,insteadoftheMacroEPC,inordertosupportlocalservices.Thisisassumedtobeacommercialservice,andconnectiontotheMacroEPCisstillpossible.


• Ad-hocroaminguser(Alice)• SatNO(Bob)• VisitedNetwork(VN)• HomeNetwork(HN)

10.3 UseCases

10.3.1 UseCase8.1:Satellite-CapableeNB

10.3.1.1 IntroductionThisusecasefocusesonevolvingtheTransportNetworkArchitecture(TNA)bycombiningbothsatelliteandterrestrialtransportarchitectures.Theinfrastructurecomprisesthefollowingcomponents:

• SatelliteHub:satelliteearthstationconnectedtothe5Gnetwork.• Satellite-capableeNB:traditionaleNBimprovedwithasatellitelink.• Networkmanager:performstopologycalculationsanddistributestheupdatednetwork

configuration.

Themaingoalistheabilitytoofferresiliencetocasesoflinkfailure.Thesatelliteconnectivityaddsflexibilitytobackhaulingnetworks.Also,thisusecaseprovidesoffloadingcapabilityviasatellitetothebackhaulnetworkincaseofcongestion.Thisisakeyenhancementin5G,asthisusecasecanonlybeservedbysatellites,orforwhichsatellitesprovideamoreefficientsolution.

Thetopologymanagementobjectiveisthatnonodesinthemeshnetworkareleftun-connected,whilecoveringalltheneededarea.Topologyalgorithmshallbebasedonuserpriorityandbandwidth.

D2.1UseCases

6715625G-ENSURE 56

10.3.1.2 Preconditions• MacroEPC:theEPCwhichservesaneNBinnormalmodeofoperation.• Thereisasatellite-capableeNBthathasthecapabilityofconnectingtotheMacroEPCviasatellite,and

providesIPconnectivitytotheUEswhentheeNBhaslostthewiredroutetotheMacroEPC.• Intheeventthatthesatellite-capableeNBdoesnotbelongtotheHNandthatthereisnostatic

roamingagreementbetweentheVNandtheHN,theroamingagreementisdynamic,andvalidonlywhenspecialconditionslikeanaturaldisasteroccur.

10.3.1.3 DescriptionAliceisinholidayinanareawhichisabruptlyturnedintoanaturaldisasterarea.AliceisabletocommunicateevenwhenthereisnostaticroamingagreementbetweentheHNandtheVN.

Basicflowofevents:

1. Thenaturaldisasteroccurs.TheeNBloosestheconnectiontoMacroEPC.2. Thenetworkmanagerdetectsthefailureeventandperformstopologycalculationstoguarantee

ultra-reliableservices3. Thenewtopologyisforwardedtothenetworkcomponents4. Thesatellite-capableeNBactivatesthealternativeroutetoMacroEPCviathesatellite.5. Thesatellite-capableeNBstartstobroadcastthatitsupportsthead-hocroamingmode.Itoffers

SMSservicestoeveryoneinthearea.Thevoiceservicesarenowreservedforpublicsafetyusersonly.

6. Alice’sphoneloosestheconnectiontothenetwork.7. Alice’sphoneattachestothesatellite-capableeNBoftheVN.8. Alice’sHNauthorizesthead-hocroamingintheVN.9. AlicereceivesanSMSfromtheembassyaskingifsheandherfamilyaresafe.10. Aliceinformstheembassythateveryoneinherfamilyissafe.

10.3.1.4 Propertiesofasolution• Dynamicroaming• Non-satellite5Gdeviceusingsatellite-capableeNB• Satellite-based5Gtopologyreconfiguration




10.3.2 UseCase8.2:StandaloneEPC

10.3.2.1 Preconditions• Thereisastandalone-capableeNBthathasthecapabilityofstandalonemodeofoperation,which

providescommerciallocalIPconnectivitytotheUEsviaaStandaloneEPC.

D2.1UseCases

6715625G-ENSURE 57

• ThereisastandaloneEPCwhichprovidesfunctionalitythateNBsinstandalonemodeofoperationuse,insteadoftheMacroEPC.StandaloneEPSprovidesIPaddressassignmentandlocalroutingwithinthestandaloneEPC.

10.3.2.2 DescriptionAliceisinamegaeventwith100.000otherpeople.SheusestheservicesthatareavailableinthestandaloneEPC.

Basicflowofevents:

1. Whenthemegaeventstarts,thestandalone-capableeNBstartstobroadcastsupportofthead-hocroamingmodetothelocalEPC.ItofferslocalIPconnectivitywithinthestandaloneEPC.

2. Alice’sphoneattachestothestandalone-capableeNBofthestandaloneEPC.Alice’sphonedoesnotloosetheconnectiontotheHN.

3. Alice’sHNauthorizesthead-hocroamingtothestandaloneEPC.4. AliceusestheservicesinthestandaloneEPC.5. AlicealsousestheservicesintheHN.

10.3.2.3 Propertiesofasolution• Dynamicroaming• CommercialstandaloneEPC




10.4 5GVision5Gnetworkismorereliableintermsofhavingdynamic,alternativeroutesfromtheradionetworkintothecorenetwork(suchassatelliteconnection)andmoreflexibleintermsofdynamicroaming.eNBshavingsatellitecapabilitiesareespeciallyinterestingbecausetheycanprovidesatellitecapabilitiestonon-satellite5Gdevices.Newcommercialpossibilitiesonstand-aloneradionetworks,andstand-alonecorenetworksarealsoenvisioned.

D2.1UseCases

6715625G-ENSURE 58

11 Cluster9:TrustedCoreNetworkandInterconnect

11.1 IntroductionTheseusecasesdealwithtrustedcorenetworkandinterconnectionbetweendifferententities.The5Gnetworkshouldbesuchthatitisabletoensurethattheinteractingentitiesareauthenticonesandspoofingofmessagescannottakeplace.Thisshouldnotbebasedonimplicitsecurityassumption,butratheruseexplicitsecuritysolutions.


• Mobilephonesubscriber(Bob)• Adversary(Eve)• HomeNetwork(HN)• VisitedNetwork(VN)

11.3 UseCases

11.3.1 UseCase9.1:AlternativeRoamingin5G

11.3.1.1 IntroductionWhenentitiesareroaminginavisitednetwork,itstillneedstobeensuredthattherelatedmessagesareauthenticinsteadofimplicitlyrelyingontheassumptionthatthetrafficisoriginatingfromacertainnetwork.Thus,messagesneedtobeboundtothecorrectentities,sothatspoofingcannottakeplace.Theentitiesalsoshouldhaveclearunderstandingwhichentitiestheyarecommunicatingwith.Thisisespeciallyimportantwhentherearerealworldconsequences,suchascharging.

11.3.1.2 Preconditions• TheHNandtheVNhavearoamingagreement

11.3.1.3 DescriptionBobneedstheassistanceofthehomeAAAinfrastructureinordertoauthenticatehimselftotheVN.HomeAAAissuesanauthenticationchallenge.ThisprocessalsoidentifiesboththeVNandtheHN,sothattheinvolvedpartiesareidentified.Inthecourseofthisprocess,BobalsoauthorisestheVNtoprovideservicestohim.

Atthesametime,accountingmechanismsaresetup.TheHNnetworkcanthereforehaveassurancethatanybillingrelatedinformationistiedtoBob.Thus,theVNcannotmakefalseclaims.Similarly,Bob’sfalseclaimscanbedeniedbasedonassuredaccountinginformation.Bob’sdeviceisinvolvedintheprocess,sothatthereistransparencyoftheincurredcoststoBobaswell.

Basicflowofevents(seeFigure13):

1. TheVNisadvertisedtoBob2. BobidentifieshisHNandauthorisestheVNtoofferservicestohisidentity3. TheHNdetectsthatriskstatusoftheVNissuchthatinteractioncanproceed4. TheHNsendsanauthenticationchallengetoBobandalsoidentifiestheVNtobeused

D2.1UseCases

6715625G-ENSURE 59

5. Bobchecksthatheisusingthecorrectnetworkandrespondstothechallenge6. TheHNverifiesthechallenge-responseandinformstheVNthatBobisauthentic7. AuthenticationresultistransmittedtoBob8. Bobnegotiatestheuseofservicesforhisidentity9. TheVNbindsitsownidentitytotheservicenegotiation10. Non-repudiableservicerecordsarecreated

Figure13:BobattachestotheVNwhileroamingabroad

11.3.1.4 VulnerabilitiesandconsequencesThisusecasedepictsthefollowingvulnerabilitiesandtheirconsequences.

• Unauthoriseddisclosureofsensitiveinformationo Ifcorenetworkelements,interconnectnetworks,orotheroperatorsareexpectedtobe

trustedentitieswithnoadditionalverification,sensitiveinformationwillbedisclosedtounauthorisedentities[Nohl2014]

• Spoofingofsignallingmessageso Ifunauthenticsignallingmessagescanbesentandaccepted,thebehaviourofthenetwork

canbechangedinanunauthorisedway,i.e.,integrityofthenetworkiscompromisedo Iftrafficthathasimpactonchargingisneitherauthenticatednorclearlyboundtothe

entitywhichisresponsibleforthetraffic,fraudcanbeperformed.Thisislikelytodecreasetheusertrusttothesystem.

11.3.1.5 PropertiesofasolutionIfnetworkentitieshavecryptographicidentities,thenmessagescanbeboundtothemstrongly.Thisprovidesmoreflexibility,whenreferringtootherentitiesoutsidethetwo-wayinteraction.

Serviceusagecanbenegotiatedinsuchawaythatbothpartieshaveanunderstandingoftheincurredcosts.Thisinvolvesusingthesaididentitiesguaranteeingthatassuredaccountingrecordscanbecreated.

D2.1UseCases

6715625G-ENSURE 60

11.3.1.6 UsecasecategoriesEnsureEnablers AAA,Privacy,Trust

NextGenerationRadioTechnologyUsecases xMBB

11.3.2 UseCase9.2:PrivacyinContext-AwareServices

11.3.2.1 IntroductionThecontextoftheuserisbeneficialforprovidingbetterservices.However,privacyissuesariseastheremightbeunintentionaldisclosureofuserrelatedinformation[Vallina-Rodriguez2015].Anothersideofthecoinisthatifpurelyencryptedtrafficisused,thenitishardertotakeadvantageofflowsemanticstooptimisetheuserexperience[Smith2015].

11.3.2.2 Preconditions• TheHNandtheVNhavearoamingagreement

11.3.2.3 DescriptionTheVNandtheHNmayexchangeinformationregardingtheBob’scontext.ThisinformationcanbeusedtocustomisethenetworkinordertosatisfyBob’sservicerequirementswithoutrevealinganyunnecessaryinformation.

Basicflowofevents(seeFigure14):

1. Ondemand,theVNsendsinformationaboutBob'scontexttotheHN2. TheHNsharessomeofthecontextinformationwithcontentprovidersasallowedby(privacy)

policies

Figure14:DisclosureofusercontextinformationcontrolledbyHomeNetwork


1. Bobauthorisesvisitednetworktodisclosesomeofthecontextinformationasperhisdefinedprivacypolicies

2. TheVNsharessomeofthecontextinformationwithcontentproviders

D2.1UseCases

6715625G-ENSURE 61

11.3.2.4 VulnerabilitiesandconsequencesUsertrafficcanbeenrichedinvariousways,suchasproxiesincludingadditionalheaderstotheusertraffic.However,thisinformationcanleakandbeabusedbypartiesforwhichtheinformationwasnotintended.Thisviolatesuserprivacy.

Itisworthnotingthatintheabovealternativeflowthecontrolofdisclosurelieswithinthevisitednetwork.Eventhoughtheusercanstatehisprivacypolicies,hecannotverifyhowwellthisishonouredastheuser’scontractualrelationshipiswithhishomenetwork.Ontheotherhand,nothing(saveregulatorysanctions)preventsvisitednetworkfromdisclosingthisinformationanyway.

11.3.2.5 PropertiesofasolutionContextinformationisdisclosedincontrolledfashionanditismadeavailableinastandardisedwaysothatitisnotnecessarytodevisenon-interoperableorpotentiallyvulnerableschemes.Inaddition,thecontextinformationcanbeusedincaseofencryptedflows.

11.3.2.6 UsecasecategoriesEnsureEnablers Privacy,Trust

NextGenerationRadioTechnologyUsecases xMBB,uMTC

11.3.3 UseCase9.3:AuthenticationofNewNetworkElements

11.3.3.1 Introduction5Gnetworksallowmoredynamismthroughvirtualisationandnewfunctionscanbeintroducedtothenetworkonthefly.Astheseenvironmentsaremorevirtualised,thereisalwaysadangerthatsomeonemanagestointroduceamaliciousfunctionintothenetwork.Similarly,unauthorizedphysicalelementscouldbeattachedtothenetwork,iftheirauthenticityisonlybasedonthelocationinthenetwork.

11.3.3.2 Preconditions• TheHNandtheVNhavearoamingagreement• TheVNdoesnothaveup-to-datepatchmanagement• ThereisanexploitablevulnerabilityintheVNinfrastructure• PoorphysicalsecurityoftheVNhasresultedintheinstallationofunauthoriseddevice

11.3.3.3 DescriptionUnbeknowntoBob,EvehasmanagedtoinfiltratetheVNandinstalledadeviceintothelocalnetwork(Figure15).Thedeviceisnotrecognisedasanauthorisednode,soitcannotinjectnetworktraffic,however,itdetectsanunpatchedvulnerableserverandinstallsmaliciousnetworkfunctiontosubvertusertraffic.However,asallthesignallingrelatedtoBobisstronglyboundtohis(temporary)identity,Eve’sattemptstoinjectmessagesmasqueradingasBob,sothatBobwouldsuffertheincurredcosts,aredetectedasspoofingattempts.Basedonthisfinding,theHNnetworkreportsthepossiblemisusetotheVN.Basedonitspolicies,theVNwillconsidersomemeasurestoaddresstheproblem.

Basicflowofevents:

1. Eveinstallsamaliciousnetworkdevice

D2.1UseCases

6715625G-ENSURE 62

2. Evenattemptstoinjectsignallingmessages,buttheyarerejectedbecauseofanunauthorisedsender

3. LocalnetworkhasanunpatchedserverandEveisabletotakeadvantageoftheexistingvulnerability

4. Maliciousvirtualfunctionisinstalledontheserver5. MaliciousfunctionattemptstosendspoofedmessageclaimingtocomefromBob6. TheHNnetworkdetectsBob’sspoofedidentitycomingfromtheVN7. TheVNisinformedofthemisuse

Figure15:EvehasinfiltratedVNandtriestosubvertBob’straffic

11.3.3.4 AlternativeDescriptionUnbeknowntoBob,EvehasmanagedtoinfiltratetheVNandinstalledadeviceintothelocalnetwork.Thedeviceisrecognisedasanauthorisednode,soitcaninjectdatatoBob’susertraffic.Eve’sinjectionisdetectedasspoofingattemptsbecauseofbehaviouralanalysisonBob’strafficprofileintheHNnetwork.Basedonthisfinding,theHNnetworkreportsthepossiblemisusetotheVN.Basedonitspolicies,theVNwillconsidersomemeasurestoaddresstheproblem.


1. Eveinstallsamaliciousnetworkdevice2. NetworkhasavulnerableAAAserverandEveisabletotakeadvantageofthevulnerability3. Thedeviceisrecognisedasanauthorisednode4. Maliciousdeviceinjectsspoofedmessages5. TheHNnetworkdetectsabnormaltrafficbehaviourforBobcomingfromtheVN6. TheVNisinformedofthemisuse

11.3.3.5 VulnerabilitiesandconsequencesThefollowingvulnerabilitiescanbeintroducedwhenmoredynamismisintroduced.

o Unauthorisednetworkelementsaredeployedintothecorenetworko Ifanadversaryisabletodeploydevicesorfunctionsintothenetwork,variousmaninthe

middleattackscanbecomepossible.Theadversaryhasapotentialtoeavesdrop,modify,deleteorinjectnewtraffic.Inthecaseofsignallingtraffic,thewholenetworkcouldbecompromised.Dependingontheleveloftrustrelationships,thepropagationoftheattacktoothernetworksmightbeadditionallyfacilitated.

o Asmoreelementsrelyonsoftwareandvirtualisation,properpatchmanagementneedstoexist

D2.1UseCases

6715625G-ENSURE 63

o Ifelementsarenotkeptup-to-date,lackofpatchingmayleadtoexistenceofexploitablevulnerabilitiesinthesoftware.

o Compositionofnetworksornetworkelementsisnotauthentic(orauthorised)o Ifnew5Garchitectureallowsdynamiccompositionofnetworksornetworkelements,lack

ofauthenticationandauthorizationcanleadtocompromisednetworksimilarlyasinthepreviouscase.Thecompositionneedstodefinetheconstraintsonthelevelofintegration,i.e.,whatresourcesareavailableandwhatsortofsecuritylevelsareexpected.Liabilityaspectsneedtobetakenintoaccountaswell.

11.3.3.6 PropertiesofasolutionWhennewelementsareintroducedintoadynamicnetwork,ithastobeensuredthattheyareauthenticcomponents.Monitoringandtestingoftheenvironmentcanhelpindetectingpossibleviolationsofsystemintegrity.Monitoringoftrafficpatternscanalsohelpindetectedsubvertedelements.


EnsureEnablers AAA,Trust,NetworkManagement&VirtualisationIsolation,SecurityMonitoring

NextGenerationRadioTechnologyUsecases xMBB,uMTC

11.4 5GVision5Gnetworksareenvisionedtodynamicallyadapttotheuserneeds.Thisdynamismsetsmorerequirementsontheauthenticityoftheentitiesasnewentitiesemergeinthenetworkandoldonesareremoved.Operatorsshouldnotbeforcedtoresortofimplicitsecurityassumptionsaboutthesecurityofthecorenetworkoftheinteractingpartner,i.e.,thereshouldbemoreassurancethatthetrafficisindeedoriginatingfromalegitimateentityandisboundtoalegitimateentity.Thisisespeciallyimportantwhenanysignallinghaseffectoncharging,thusitshouldbeensuredthattheusersdonotfaceunfoundedservicecharges.Thisappliestotheidentityoftheusersaswell,i.e.,itshouldnotbepossibletospooftheidentityoftheuser.Ontheotherhand,theservicechargesoughttobeattributabletotheusersothattheuserisnotabletodenytheuseofservice.

Inordertoenrichandoptimisetheuserexperience,contextinformationoughttobeavailableforuse.However,onealsoshouldensurethatwhendoingsotheuserprivacyishonoured.Thus,thereoughttobeacontrolledandstandardisedwayofprovidingcontext-awareservices.

Asthenetworkcouldbeconstantlyevolvingduetovirtualisationanddynamicinteraction,oneshouldensurethatthesecurityofthenetworkismonitoredaswell.Whilemonitoringofthenetworkiscommonplaceactivityevennowadays,itismainlydonebyadd-ondevicesthatmaynothaveaholisticviewofthenetwork.Insomecasesitmightbeevenenvisionedthatdynamiccompositionofelementswouldwarrantsecuritytestingofthosecomponentsbeforetheyareallowedtointeract.Thiscouldsimplybestraightforwardvulnerabilityscanning,butmorecomplexscenarioscouldinvolve,e.g.,sandboxtesting.Correlationofinformationfromseveralsourcesshouldinanycasebeusedtomakemoreeducatedguessesregardingthepossibleexistenceofongoingattacks.

D2.1UseCases

6715625G-ENSURE 64

12 Cluster10:5GEnhancedSecurityServices

12.1 IntroductionCluster10containsthreeusecasesdescribingvariousenhancedsecurityservicesthatcanbeofferedin5Gnetworks.

Inusecase10.1welearnapossiblewaytocounteractmobilebotnetsBotNetbyofferingaservicetoaidtheuserstoidentifyanomalousactivityfromtheirmobiledevicesandtoreportthisactivity.Usecase10.2proposesaservicethatcanhelpprotecttheuser’sprivacyattheapplicationlayer,bymeansofappsanddeviceprivacychecks.Usecase10.3offerananonymizationcapabilitytoall5GsubscribershavingananonymizationSIM.Inadditiontothiscapabilitymoreservicesmaybeenvisionedthatareabletoanonymizeuser/deviceidentifyingdataand,therefore,canhelptoprotecttheuser’sprivacy.


• Mobilephonesubscribers(Bob,Alice)• HomeMobileNetworkOperator(HMNO)• Maliciousattacker(Mallory)

12.3 UseCases

12.3.1 UseCase10.1:BotnetMitigation

12.3.1.1 IntroductionA botnet is a network of hijacked agents/clients which are remotely controlled, often associated withintroducing malicious software. Botnet infrastructure is increasingly being used for performing criminalactivity that involves the use of computers or networks such as the Internet. Although the networkoperatorsarenothighlyimpactedasyet,thesituationwillmostlikelychangeinthefuture,becauseoftherapidlygrowingtrendofdatatrafficinmobilenetworksandincreasedcapabilityofmobiledevices.Inthisusecaseanattackerremotely instructsandendusermobiledevicetosendapremiumSMStoanumbercontrolledbytheattacker.

12.3.1.2 Preconditions• BobhasavalidsubscriptionwiththeMNO• Mallory’sinfectedapplicationisuploadedtoBob'spreferredapplicationsstore/market

12.3.1.3 DescriptionBobisstayingathomeandbrowseshisBob'spreferredapplicationsstore/market.Hefindsafreeversionofapopularandtrendygame(oranyotherapplication)uploadedbyanunknownpublisher(i.e.Mallory)anddecidestogiveitatry.Bobdownloadsitandinstallsitafteracceptingeverythingthegame(application)requirestorun.HowBob’sdevicegetsinfectedisirrelevanthere,itcouldbealsobyattachinghisphonetoaninfectedPC/laptop,orbyopeningalinkreceivedinphishingmail.Thesalientaspectisthattheinfectionpropagatesthroughmobiletraffic.HereweobservethecasehowBob’sdevicegetsinfectedviaoperator’snetwork.

D2.1UseCases

6715625G-ENSURE 65

ThefreeversionofthepopularandtrendygameapplicationismodifiedinawaythatinadditiontothemainfunctionalityitalsoaddstheSMSsendingfunctionality,andtransformsthephoneintoabotremotelycontrolled,byaCommandandControlCentre(C&C)pilotedbyMallory.AfterBob’sdevicehasbeeninfected,Mallorycanremotelyperformvariousmaliciousactivitiesonthedevice,suchasSMSsendinginthebackground.Forthisparticularattack,Malloryhadregisteredapremiumnumberwithanoperator,whichcouldbeevenlocatedinanothercountry,andonce(ortwice)permonthMallorycouldconfiguretheC&Ctoinstructallofhis“puppets”(i.e.remotelycontrolledmobiledevices)tosendSMStothatpremiumnumber.Bobandthousandsofotheruserswillveryunlikelybeabletodetecttheincreasedmonthlybill,especiallyiftheincreaseamountstoonlyacoupleofeuros.

Basicflowofevents:

1. Malloryregistersapremiumnumberwithanoperator.2. MalloryconfigurestheCommandandControlCentre(C&C)robottoinstructallpuppetstosend

SMStothatpremiumnumber.3. BobisconnectedtotheMNOandbrowsestheapplicationmarketonhismobiledevice.4. BobinstallsaninfectedapplicationandbecomesoneoftheC&C’spuppetsunknowingly.5. WithoutBob’sknowledge,hismobiledeviceisusedforbotnetactivitysuchasSMSsendingand

Bob’smonthlybillisincreased

Figure16:MalwareinfectedUEsendingpremiumSMS

12.3.1.4 VulnerabilitiesandconsequencesVulnerabilitiesinmobiledevicesaswellastheingenuityoftheiruserscanleadtosubvertingtheintegrityofthedeviceandinstallationofmalware.Asaresult

• Mobiledevicecouldbecontrolledremotely• Mobiledevicescouldbeusedformaliciousactivities

D2.1UseCases

6715625G-ENSURE 66

Unwantedcommunicationcouldleadtomonetarylossfortheendusersthroughtheirmonthlybills,regardlesshowinsignificanttheamountisforeachindividual.

12.3.1.5 PropertiesofasolutionOnewaytoapproachthisproblemfromtheMNOpointofviewistoemploytheservicesofananomaly-basednetworkintrusiondetectionorpreventionsystemwithinthecorenetwork,sothatthesystemdetectsatypicalindividualbehaviour.AnothersolutioncouldbeprovidingtheenduserwithvisuallyrepresentedhistoricaldataoftheiractivitywithintheMNO,which,inadditiontothetargetednumberandthepartywhoownsit,andalsocontainsarepresentationofwhichcountryandMNOthatnumberisregisteredin.Thiswouldaidtheuserstoidentifyanomalousactivityfromtheirmobiledevicesandtoreportthisactivity.Furthermore,theMNOcouldofferservicestotheenduserstodefinetheirownatypicalbehaviourintheMNO,sothatuserscouldforinstancerestrictanyoutgoingSMStospecificforeigncountries,ordisplayamessagepriortosendinganyoutgoingSMS.




12.3.2 UseCase10.2:PrivacyViolationMitigation

12.3.2.1 IntroductionMobiledevicesandtheinstalledapplicationsdisclosealargeamountofprivateinformationbothpersonalanddevice-relatedinformation.Therearemanymisbehavingapps,PUAs(PotentiallyUnwantedApplications),adwareandransomwareinthewildandspywareisnotsouncommoneveninofficialappstores!Currentlythemobilenetworkhasnomeanstoprotecttheuser’sprivacyattheapplicationlayer.

Somemobilesubscribershaveprivacyconcernsandwouldliketoknowiftheirdeviceandtheapplicationsinstalledthereinareinvolvedinactivitiesthatviolatetheirprivacy.

12.3.2.2 Preconditions• AlicehasavalidsubscriptionwiththeMNO• Alicealsosubscribestotheprivacyserviceprovidedbyhermobilenetworkoperator(andpossibly

installsaprivacyapp).

12.3.2.3 DescriptionAlicehasjustinstalledanewgameapponhermobiledevice(UE)fromalinkreceivedinsideanSMSfromaWhatsappcontact.Sheisconcernedthatappmayviolateherprivacyinsomewayandsousesaservice(andpossiblyalocalapp)tocheck.

Basicflowofevents:

1. Aliceactivatestheprivacyservice.2. Alicelauncheshernewgameapp.

D2.1UseCases

6715625G-ENSURE 67

3. Theprivacyserviceonthe5GnetworkdetectssomeanomalouseventfromtheUE(e.g.,botnetrelatedcommunications)andsendsanotificationtoAlicetoaskhertoactivateaprivacyrelatedanalysis.

4. Aliceagreestotherequest,anddata(e.g.alistofinstalledapplications)issentfromherphonetotheprivacyserviceforanalysis.

5. Theprivacyservicerespondswithanotificationcontainingthenameofthenoncompliantappifany,asummaryofitsprivacyviolationactivity,andthesuggestiontouninstallit.


1. Alicestartstheprivacyappandconfiguresherprivacypreferences.2. Aliceinstallsthenewgameapp,startsitandthegameattemptstoaccessthecorrespondingserver

whichhasalsoconfigureditsprivacypolicy.3. TheprivacyappchecksAlice’sandtheserver’sprivacypolicies.4. Aprivacy-relatedwarningcontainingthenameoftheviolatingappandserverisshowntoAliceif

thepoliciesdonotmatch.5. Alicecandecideiftoproceedwiththeapp/serverornot.


• The5Gnetworkdeployssomeanomalydetectionormalwareactivitydetectionmechanismsorprivacyviolationmechanism[Razaghpanah2015],[Ren2015].

• The5Gnetworkadoptsaprivacypolicycontainingvariousprivacyparameters(relatedtodeviceandappsactivityonuserdata)thatcanbecontrolledonuser’sdemandoruponsomeanomalouseventdetection.

• The5Gnetworkofferstosubscribersaservicethatcheckstheprivacyriskofdevicesandtheirinstalledapps.

• Ausefultoolforthisserviceistorequirethemobileapplicationsandserverstodeclareahumanreadableprivacypolicyandtoofferatooltotheuser’sdevicetoverifyit.


EnsureEnablers Privacy,SecurityMonitoring,TrustNextGenerationRadioTechnologyUsecases mMTC,uMTC,xMBB

12.3.3 UseCase10.3:SIM-basedand/orDevice-basedAnonymization

12.3.3.1 IntroductionMobiledevicesand/ortheinstalledapplications(malware/spyware,misbehavingapplicationsandalsocommonapplications)disclosealargeamountofpersonalanddeviceidentifyinginformation(e.g.,IMSI,phonenumber,locationdata,IMEIetc.).Ifsuchprivateinformationisaccessedbyapplications,theuserswouldliketobeabletoprotectitwithappropriate(e.g.,formatpreserving)anonymizationalgorithmsresidingpreferablyontheSIM.ThisservicecanbeofferedbytheMNOattheapplicationlayere.g.,throughanapplicationrunningonthedeviceand/orontheSIMitself.AdeviceimplementationshouldpreferablybeintegratedintotheOStoprovideprotectionagainstmisbehavingapplications.Ontheotherhand,aSIM-basedimplementationmayhaveevenstrongersecurityadvantagesandalsoprovides“plasticroaming”,e.g.,theservicecanbeenjoyedeveniftheuserchangesdevice.WestressadifferencetoUse

D2.1UseCases

6715625G-ENSURE 68

Cases1.4and2.2.Inthefirstcase,theidentityprotectionisprovidedthroughanetwork-basedfunction.Inthesecondcase,theidentityprotectionis,asinhisusecase,providedinthedevice,buttheprotectionistargetingthelower(radio)layersoftheprotocolstack,ratherthantheservice/applicationlayer.

12.3.3.2 Preconditions• AlicehasavalidsubscriptionwiththeMNOandaSIMthathasanonymizationcapabilities• Alicehasameanstoconfigureandactivateheranonymizationpreferences(profile).

12.3.3.3 DescriptionAliceconfiguresheranonymizationprofilesuchas,forexampletheIMSIisneverdisclosedtotheapplicationsrequestingit,butreturnedinananonymizedway(e.g.,withformatpreservinganonymization).

Basicflowofevents:

1. Alicebrowsesapplicationmarketonhermobiledevice2. AliceinstallsanentertainmentapplicationthatcanreadtheIMSIandsendittoaremoteserver

togetherwithotherapprelateddata.3. Aliceactivatestheanonymizationprofileandstartstheapp.4. WhentheapplicationasksfortheIMSI,itgetsitanonymizedandsendstheanonymizedIMSItothe

remoteservertogetherwithotherapprelateddata.

12.3.3.4 Propertiesofasolution• Networkprovidesananonymizationservicethatcanbesubscribedbyusersneedingit(usersthat

haveprivacyconcernsregardingtheirdata)• NetworkofferstosubscribersaSIM(oradevice)thatimplementsanonymizationalgorithmslike

forexamplelightweightformatpreservingalgorithmsthatcanbeimplementedwithlittlecomputationalresources.

• Networkofferstosubscribersameanstoconfiguretheiranonymizationpreferences.

12.3.3.5 UsecasecategoriesEnsureEnablers Privacy,TrustNextGenerationRadioTechnologyUsecases mMTC,uMTC

12.4 5GVisionIn5G,MNOsshouldbuildanddriveinternationallycoordinatedAnti-BotNetactivitiesorprograms.AlldetectionandpreventionmethodsshouldbeembeddedintheMNOinfrastructure,sincetheMNOsdonothavecontrolsontheenduserdevicesandhowusersusetheconnecteddevices.

The5Gnetworkscanofferadditional(optional)enhancedsecurityservicestousersthatsubscribethem,especiallyusersconcernedwithsecurityandprivacyissuesarisingfrommobilemalwareandmisbehavingorunwantedapplications.Suchservicesmaydetectandnotifytotheuserbotnet-relatedactivityandprivacyviolationactivity.SIM-based(orpossiblyevendevice-based)anonymizationservicescanaswellbeprovidedtouserswhowanttobeabletocontrolandprotecttheprivacyoftheirowndata.

D2.1UseCases

6715625G-ENSURE 69

13 Cluster11:LawfulInterception

13.1 IntroductionIn this cluster, we introduce the use cases that are relevant to lawful interception in a 5G context. AsdescribedinFigure17,Lawfulinterceptioninvolvesseveralactorsthatwedetailinwhatfollows.Foreveryuse case, we give one or multiple flows of events, the potential vulnerabilities that may arise and itsassociatedconsequences,thesecuritypropertiesthatasolutionshouldsatisfy,andtheusecasecategory.Attheendofthissection,wegiveanindicationofthepotentialenhancementsin5G.

Figure17:LawfulInterceptionEcosystem

13.2 ActorsAlawfulInterceptionecosystem,asdescribedinFigure1,involvesfouractors.

• LawEnforcementAgency(LEA):thisistheauthoritythatintendstocarryoutalawfulinterceptiononauser,alistofusers,aserviceoralistofservices.

• Amobilephonesubscriber(e.g.,Alice,Bob)• A5GOperator• Courtofjustice:thisistheauthoritythatdeliverstheauthorizationtoperformalawfulinterception.

LINetworkFunction

LawEnforcementAgency

5G Operator

5G Network

Alice Bob

Users’equipment

Interceptrequest

Au

thoriza

tion

Interceptrequest &Authorization

Activate &Instanciate

InterceptRelatedInformation

ContentofCommunication

CourtofJustice

D2.1UseCases

6715625G-ENSURE 70

13.3 UseCases

13.3.1 UseCase11.1:LawfulInterceptioninaDynamic5GNetwork

13.3.1.1 Introduction5GinvolvestheemergenceofnewtechnologiessuchasSDNandNFV,andnewconceptslikeslicing.Thenetworkisevolvingfromastaticonetoaprogrammable,hencedynamic,one.AnMNOwill,therefore,havenewresponsibilities.Inadditiontomanaginghardware-basednetworkequipment’s,MNOwillhavetoensurethemanagementandsecurityofvirtualizedresources.Virtualization,in5G,bringsoutnewopportunitiesmainlyadynamicnetworktopology.Thisdynamicitywouldenhancethenetworkresourcemanagement,soastohavetheabilitytosupportdifferentserviceswithdifferentrequirements,e.g.ultra-reliableusecases,massiveIoTusecases.

Inthesecircumstances,weattempttoshowthenecessaryarrangementsinordertoensuretheLIfunctions.Inwhatfollows,forthesakeofsimplicity,weconsiderthatLEAwouldliketointerceptBob’sactivitiesinagiventelecommunicationservice.

13.3.1.2 Preconditions• LEAidentifiesthesuspectedcriminal(i.e.,Bob)tobesurveilled.• LEArequiresanauthorizationfromthecourtofjusticeinordertoperformalawfulinterceptionon

Bob.

13.3.1.3 DescriptionOndemand,a5Goperatorshouldbeabletoansweranyinterceptionrequestregardlessofthetargetentity/userortargetservice[TS33.106].

Basicflowofevents:

1. LEAtransmitstheLIrequestandthegrantedauthorizationtothedesignatedserviceofthe5GoperatortoconducttheinterceptionwithregardstoBob.

2. Thedesignatedserviceof5Goperatorchecksthevalidityoftherequest.3. Depending2ontheintercepttype(i.e.,onlyInterceptRelatedInformation(IRI-only),IRIand

ContentofCommunication(CC))andtheservicetobeintercepted,the5Goperatorinstantiates/activates/initiatesaNetworkfunction(wecallit,inwhatfollows,LIfunction)thatwilldelivertotheauthoritiestherequiredinformation.

4. Attheendoftheauthorizedperiod,the5GoperatordeactivatestheLIfunction.

2Thestep3maybeinterpreteddifferentlydependingonthe5Garchitecture.Forinstance,

- Inavirtualization-basedarchitecturefor5Gnetwork,theLIfunctionshouldbeavirtualisednetworkfunction(VNF).

- Inaslice-basedarchitecturefor5Gnetwork,theLIfunctionshouldbeabletodetecttheinvolvedslice.Iftheuserissubscribedtovariousservices(i.e.,slices),theLIfunctionshouldbeacommonVNFtoallslices.

D2.1UseCases

6715625G-ENSURE 71

13.3.1.4 Vulnerabilities&consequencesThemainissuesthatmayariseareresultingfromacompromised/maliciousLIfunction.Wegivefurtherdetailsabouttheseissuesinwhatfollows.

- Unauthorizeddisclosure:o AcompromisedLIfunctionmaybeactivated/initiatedwithoutbeingtriggeredbythe5G

operator.o AcompromisedLIfunctionmayprovidetoLEAinformationaboutusersthatdonotbelong

tothedeclaredlistintheauthorization.o AcompromisedLIfunctionmaydeliverinformationtoanexternalattacker.o AcompromisedLIfunctionmaycontinuedeliveringinformationevenaftertheendofthe

designatedperiodintheauthorization.

- Disruption:o AcompromisedLIfunctionmayimpactthequalityagivenservice.

- Deception:

o AcompromisedLIfunctionmaydelivertoLEAfakeinformation(e.g.,servicestowhichtheuserissubscribed(slices))aboutthesuspecteduser.

13.3.1.5 PropertiesofasolutionInthissection,wedescribethepropertiesthataLIimplementationshouldsatisfyandsomepossiblewaystodoso.Thosechoicesmayvarybasedontheadopted5Gnetworkarchitecture.

• Transparencyo The LI function,whenactivated, shouldnot bedetectable.Any thirdparty (e.g., through

observation)oruser (e.g., throughqualityofservice)shouldnotnoticeanychangewhenthisfunctionisactivated.

• Confidentialityo Onlyconcernedentities(i.e.,the5GoperatorLIserviceandLEA)haveaccesstothelistof

thewiretapped.àThe5GoperatormustbeabletoanswertheLIrequestwithoutrequiringanythirdpartyevenwhentheuserissubscribedtoservicesthatarenotofferedbytheNetworkoperator,butaredeliveredbythe5Gnetwork.àThispropertyimpactstwoaspects:theLIfunction“location”withinthenetworkanditsbehaviour.RegardingtheLIfunctionlocation,twocandidatesolutionsarise:aLIfunctionperservice(hence,withinaslice)oracommonLIfunction.Thefirstcandidatesolutionmayviolatethefirstandsecondproperties(i.e.,transparencyandconfidentiality)ifthe5Goperatorwillhavetoasktheserviceprovider(i.e.,sliceowner)toactivatetheLIfunction.Now,ifweconsiderthatthe5Goperatorwillnotmakeanyrequesttothesliceowner,thismayquestiontheintegrityoftheservice/slice.Thisiswhy,wepromotethesecondcandidatesolution(i.e.,acommonLIfunctionforalltheslices).Ofcourse,acommonLImustbeimplementedinawaytostillensureitdoesnotprovideunauthorizedinformationleakagebetweenslices.

D2.1UseCases

6715625G-ENSURE 72

RegardingtheLIfunctionbehaviour,themaintwopointsaretoauthenticatetheincomingrequestsfromthe5Goperator,andthetargetauthority(i.e.,LEA)beforedeliveringanyinformation.

• Dependability&reliability

Inahighlydynamicnetworkincludingmultipleslicesandafloatingtopology,contraryto3/4G,assuringtrustworthinessofthedeliveredinformation.

o The5Goperatorshouldbeabletoprovidehighassurancethatthewiretappeduser/entityisindeedtherequiredone.

o The5Goperatorshouldbeabletoprovidehighassuranceonthevalidityofthecollectedinformation.

o The5Goperatormustensurethatonlythoseundersurveillancearewiretapped,e.g.,AuthoritiescannotusetheLIfunctiontowiretapusers/entitiesnotonthelist.

o Incaseofanend-to-endencryptionmanagedbythenetwork,the5Goperatorshouldbeabledeliverplaindataortheencrypteddataalongwiththedecryptionkey.àContraryto3/4G,thispropertyimpliestheprotectionoftransmittedinformationintermsofintegrity,confidentialityandassuranceaboutthesourceofinformation.Cryptographicmechanismmaybeusedinsuchcases,e.g.,ciphering,signature.

• Securityo Onlythe5GoperatorshouldbeabletoactivatetheLIfunction.Thiswouldprevent

fraudulentinterceptions.àThispropertywillalsoimpactthechoiceoftheLIfunctionlocationwithinthenetwork.


TheLIrequirementsshouldbepartofallthe5Genablersandusecases.Indeed,any5Gusecasemaybeconsideredasaservicewherethetargetuserorentityissubscribed.

EnsureEnablers Privacy,NetworkManagement&VirtualizationIsolation,SecurityMonitoring,AAA,Trust


13.3.2 UseCase11.2:End-to-endEncryptioninLI-awarenetwork

13.3.2.1 Introduction5Gshouldpushforwardastrictprivacyforusers.Anend-to-end(device-to-device)encryptionistheonlysolutiontoensurethisrequirement,especiallywhenthecommunicationsaretoorfromdifferentnetworks,areasorcountrieswithunknownsecuritylevelorunacceptableone.ThemaingoalistoofferstrongerprotectionofuserdataanduserrelatedinformationwhilebeingabletosecurelyansweranyLIrequest.

D2.1UseCases

6715625G-ENSURE 73

Thisusecasedescribeshowa5Goperatorcanpreventeavesdroppingattacksonallpossiblepathstheuserdatatrafficfollowsthroughthemobilenetwork.Thisisbyaugmentingidentitymanagementwithadditionalcryptographickeys.

13.3.2.2 Preconditions• AliceandBobsubscribetoanadd-onend-to-endprotectionservicesupportedbythe5Goperator.• Thereisakeymanagementandkeyescrowserverinthe5Gnetwork.

13.3.2.3 DescriptionAliceneedstocommunicateinanencryptedmannerwithBob.ShewantshercallorSMS/MMStobeencryptedbutshedoesneithershareasecretkeywithBobnoranapplicationtoencryptthecommunication.Aliceusestheencryptionserviceprovidedbythe5GOperator,asshowninFigure18.

Basicflowofevents:

1. Aliceisconnectedtothe5Gnetworkandhasbeenauthenticated.2. AlicewantstocallBob.Alice’sdeviceusesthekeymanagementserviceandnegotiatesasession

keywithBob’sdevicetobeusedforcallencryption.3. AlicecallsBobwithencryptionturnedon.4. LEAwantstointerceptAlice’scalls.LEAasksthe5Goperatortoprovideaccesstotheintercepted

communications.5. 5Goperatorasprovideroftheencryptionserviceactsasanescrowagent.Thesessionkeyis

retrievedorreconstructedandusedbyLEAtodecryptthesessionkeyandconsequentlyAlicecommunication.

13.3.2.4 Vulnerabilities&consequencesThemainpotentialflawsofanend-to-endencryptionserviceistoprovideLEA(oranyotherkeyescrowagents,e.g.,5Goperator)fullcontrolofthedecryptionkeysortosomehowenableabackdoorwhichmightbeusedforundetectablemasssurveillance[Murdoch2016].Insuchacase,LEAoranyentityincontrolofthebackdoormaygetinformationexchangedoutofthedesignatedperiodintheauthorizationand/oraboutusersnotinthelist(Unauthorizeddisclosure).

13.3.2.5 Propertiesofasolution&candidatesolutionsInthissection,wedescribethepropertiesthatanend-to-endencryptionserviceshouldsatisfyandsomepossiblewaystodoso.Themainideaistoencryptsessionkeysusingamasterkey.Tothisend,wecanuseathreshold(k,n)secretsharingscheme.Insuchacase,lessthankagents(e.g.,LEA,5Goperator,etc.)cannotgetanyinformationaboutthemasterkeyandanyk(possiblysmallerthann)ormoreagentscanrecoverthemasterkey.Inwhatfollow,wegivefurtherdetails.

• On-demandserviceo Theserviceshouldbeturnedonandoffbythesubscribers.

• Backwardsecrecyo LEAmustnothaveaccesstoexchangedinformationbeforethedesignatedperiodinthe

authorization.• Forwardsecrecy

o LEAmustnothaveaccesstoexchangedinformationafterthedesignatedperiodintheauthorization.

D2.1UseCases

6715625G-ENSURE 74

• Securityo Theend-to-endencryptionservicemaybeapplicableonIPorhigherlayerindependently

bythetypeofUEusinganapplicationwhichisinstalledaspartoftheservice.o Theencryptionkeymaybepartofanescrowsystemprovidedbythe5Goperatorto

enablesecurecommunicationandatthesametimeenablelawfulinterception.

Figure18:Theoperatorasatrustedproviderofanend-to-endencryptionservice


EnsureEnablers AAA,Privacy,Trust


13.4 5GVision5GshouldbeabletoansweranyLIrequestinasecureway(i.e.,withoutcompromisingtheprivacyofanyofthenetworkusers).Moreover,informationdelivered,incaseofaLI,mustbeprovablytrustworthy.

5Gshouldbeabletosupportend-to-endencryptionforconfidentialdevice-to-devicecommunications(e.g.,callsandSMS/MMScommunications),inconjunctionwithkeyescrowforreasonsoflawfulintercept.

D2.1UseCases

6715625G-ENSURE 75

14 Summary:UseCaseClustersThisdocumentpresents31usecasesgroupedinto11clustersillustratingtheenhancedscopeofsecurityandprivacyin5Gnetworksandsystems.

Clusters1-4focusonIdentities,Authentication,AuthorizationandPrivacy:

5GshouldprovideavarietyofidentitymanagementserviceswhichexpandsthecapabilitiesofdevicesandnetworksbeyondthelegacyDevicetoRadioAccessNetworkservice.Forexample,newsubscribersormachinesshouldbeabletoenrolin5Gnetworks,usingpre-existingidentitymanagementschemes;orbeabletosupportidentityschemesenablingdevicestoroambetweenterrestrialandsatellitenetworks.

AnMNOshouldbeabletoofferadditionalidentitymanagementservicessuchastrustedassertionsusedbythirdpartyproviders,andkeymanagementenablingcommunicationtobeauthenticatedandencryptedend-to-end.5GshouldalsobeabletoserveInternet-of-Thingsdevicesbehindagatewayandsupportauthorizationofdevice-to-deviceoperationsatapplicationlayeroratnetworklayer.

Duetothepervasivenatureof5Gitisessentialthatusershavecontrolovertheprivacyoftheirdeviceidentifiersbyprovidingpropertieslikeconfidentialitytosubscriberanddeviceidentities,untrackabilityoftheuserlocation,perfectforwardsecrecyforencryptedcommunicationsandunlinkabilitybetweentheusersubscriptioninformationandthedeviceidentity.

Cluster5focusesonSoftwareDefinedNetworks,VirtualizationandMonitoring:

5GnetworksshouldprovidedifferentvirtualizedCoreNetwork(slices)fordifferenttypesofsubscribersincludingdifferentDevicetypes,suchasmMTCorxMBB,butalsocustomerspecificslicessuchaseHealth.Networkslicesmaybeabletoprovidedifferentservices,andshareacommonradionetwork.Isolationofnetworkslicesisessential.Virtualizationismostlikelytobetransparenttomany5Gnodesandalsotodevicesandsubscribers,butsome5Gnodecomponentsshouldbeabletoactivelymodifythestructureandbehaviourofthecorenetwork.

Virtualizationbringnewtypesofrolesandactorsintothepicturesuchasthe5GNodeProvider,theVirtualizationInfrastructureProvider,andtheVirtualMobileNetworkOperator,whichrequireadequatetrustrelationstobeestablishedandenforced.Thisalsomeansthatnewtypesofmonitoringandassuranceinterfacesareneededifallthenewrolesaretakenbyseparateactors.Actorsthatareoperatingontopofvirtualizedplatformshouldbeabletomonitor,verifyandcontrolwhatishappeninginthevirtualizednetworkaswellasinthevirtualizationinfrastructure.

Clusters6-10focusonAvailability,ReliabilityandIntegrity:

5Gshouldproviderobustnetworkserviceswithconsiderableavailabilityguarantees,inparticularrobustnessagainstoverloadanddenialofserviceattacksoftheradiointerface.Alsoinhighloadsituationsshouldprioritizeddevicesshouldgetprioritytoattachandalreadyattacheddeviceslosingsynchronizationshouldbeabletoregainaccess.Userplanedatashouldbeintegrityprotectedenablingtrustworthyservicestobebuiltontop,suchthatillegitimateandlowpriorityrequestsshouldberejectedatanearlystage.Threatsofcyber-attacksdirectlytargeting5Gaccessnetworksneedstobedealtwithinthe5Gdesign.

D2.1UseCases

6715625G-ENSURE 76

In5Gnetworksthereshouldbeincreasedassurancethatthetrafficisindeedoriginatingfromalegitimateentityandisboundtoalegitimateentity.MNOsshouldnotbeforcedtoresorttoimplicitsecurityassumptionsaboutthesecurityofthecorenetworkofinteractingpartners.

5Gnetworkshouldbemorereliableintermsofhavingdynamic,alternativeroutesfromtheradionetworkintothecorenetwork(suchassatelliteconnection).Newcommercialpossibilitiesonstand-aloneradionetworks,andstand-alonecorenetworksarealsoenvisioned.

5Gshouldprovidemeansforcoordinatedbotnetmitigationschemeswithpreventionanddetectionembeddedinthenetworkinfrastructure,leveragingestablishedandaddingnewtechniquesforrestrictingtraffic.

5Gnetworksshouldoffersubscribersadditional(optional)enhancedsecurityservicesforanonymizationcapabilitiesaswellasaddressingsecurityandprivacyissuesarisingfrommobilemalwareandmisbehavingapplications.

Cluster11focusesonLawfulInterception:

A5GsystemshouldbeabletoansweranyLawfulIntercept(LI)requestinasecurewaywithoutcompromisingtheprivacyofnetworkusers,andtheinformationprovidedbytheLIfunctionmustbeprovablytrustworthyandsecurelydelivered.ForthisreasonthereisaneedforacommonLIfunctionforservicesdeliveredviathe5Gnetworkwhichauthenticatesandauthorizestheincomingrequestsandtargetlawenforcementauthority.Theoperatorscanprovidetrustedkeyescrowserviceswithinthisframework.

D2.1UseCases

6715625G-ENSURE 77

15 ConclusionsTheusecasespresentedinthisdocumentillustratetheneedforenhancedsecurityandprivacyinfifthgenerationmobilenetworks.

Theusecasesexhibitawiderangeofsecurityconcernsincludinguserprivacy,identitymanagement,authentication,authorization,keyestablishmentforIoT,airinterfaceprotection,botnetmitigation,isolationofcorenetworkfunctionality,securevirtualizationandverificationofvirtualizednodeandplatform,securitymonitoringandcontrol,andlawfulinterception.

Theusecasesaddresssecurityenhancementsofcurrentnetworksaswellassecurityfunctionalityofnew5Gfeaturesinabalancedmix.Justtohighlightafewtake-aways:

• 5Gencompassesavarietyofradioaccesssystemsexpandingthecapabilitiesofmobiledevicesandnetworks.Toallowextendedofferingsintermsofaccessorotherservicesthereisaneedtosupportalternativeauthenticationschemesandassociatedidentitymanagement,whilenotcompromisingthehighsecurityoflegacyauthenticationandidentitymanagement.

• Theincreasedemphasisofuserprivacy,includingunlinkabilitybetweensubscriberinformationanddeviceidentifiersanduntrackabiltyofuser’slocation,needstobemetbynewprotectionschemes.

• 5GnetworksshouldprovidevariouskindsofvirtualizedCoreNetworkfunctions(slices)fordifferenttypesofsubscribersorcorporationswhichneedtotallydifferentisolationproperties.Virtualizationbringnewtypesofrolesandactorsandnewtypesofmonitoringandassuranceinterfacesaswellastheneedtoverifyandcontroltheactionsandentitiescorrespondingtothevariousactors.

• Theincreasingtrendofconnectingimportantfunctionsinsocietyandcorporationsthroughmobilenetworktechnologyleadstoanincreaseddemandforrobustnessandreliabilityinoverloadanddenialofservicesituations.Thebalancebetweenlawenforcementandprivacyrevealedbythedevelopmentsinthesocietyduringthelastyearscallsforenhancedschemesforseparatingtheconcernsoftheinvolvedparties.

Mostofthesesecurityandprivacyenhancementsrequiresbeingbuilt-inintotheradioaccessandcorenetworksandcannotbeaddedasanafterthought.Thecontinuedanalysisonsecurityenablersandsecurityarchitecturewithin5G-ENSUREwillassessmoreintodetailstherelevanceoftheseusecasesandtheirimpactonthe5Gsystem.However,itisalreadyclearthatsecurityandprivacyconsiderationssuchasthosemadeinthisdocumentneedtoenterthedevelopmentof5Gstandardsatanearlystagetohavetherequiredimpactonthesecurityandprivacycharacteristicsofnextgenerationmobilenetworks.

D2.1UseCases

6715625G-ENSURE 78

References

[Chengzhe2013]L.Chengzhe,L.Hui,L.Rongxing,andS.Xuemin,“SE-AKA:AsecureandefficientgroupauthenticationandkeyagreementprotocolforLTEnetworks,”ComputerNetworks,vol.57,pp.3492-3510,2013.

[EAP-AKA]J.ArkkoandH.Haverinen,ExtensibleAuthenticationProtocolMethodfor3rdGeneration,AuthenticationandKeyAgreement(EAP-AKA)”,IETFRFC4187,2006.

[FooKune2012]N.H.FooKune,JohnKoelndorferandY.Kim,“Locationleaksonthegsmairinterface,”in19thNetworkandDistributedSystemSecuritySymposium,2012.

[METIS2015]”DeliverableD6.6,FinalreportontheMETIS5Gsystemconceptandtechnologyroadmap”,ICT-317669-METIS/D6.6,2015.

[Murdoch2016]S.Murdoch,“Insecurebydesign:protocolsforencryptedphonecalls“,Bentham’sGaze,2016.https://www.benthamsgaze.org/2016/01/19/insecure-by-design-protocols-for-encrypted-phone-calls/

[Nohl2014]K.Nohl“MobileSelf-Defense”,ChaosCommunicationCongress,2014.

[Paladi2015]N.Paladi,“TowardssecureSDNpolicymanagement.In:1stInternationalWorkshoponCloudSecurityandDataPrivacybyDesign”,7-10December2015,Limassol,Cyprus.[Razaghpanah2015]A.Razaghpanah,N.Vallina-Rodriguez,S.Sundaresan,C.Kreibich,P.Gill,M.Allman,V.Paxson“Haystack:InSituMobileTrafficAnalysisinUserSpace”,2015.http://arxiv.org/abs/1510.01419

[Ren2015]J.Ren,A.Rao,M.Lindorfer,A.Legout,D.Choffnes“ReCon:RevealingandControllingPrivacyLeaksinMobileNetworkTraffic”,2015.http://recon.meddle.mobi/papers/recon-sep.pdf

[RFC4949]R.Shirey,“InternetSecurityGlossary,Version2”,IETFRFC4949,2007.https://tools.ietf.org/html/rfc4949

[RFC7228]C.Bormann,M.Ersue,A.Keränen,“TerminologyforConstrained-NodeNetworks”,IETFRFC7228,2014.https://tools.ietf.org/html/rfc7228

[RFC7744]L.Seitz,S.Gerdes,G.Selander,M.Mani,S.Kumar“UseCasesforAuthenticationandAuthorizationinConstrainedEnvironments”.IETFRFC7744,2016.https://tools.ietf.org/html/rfc7744

[SchahillBegley2015]J.Schahill,J.Begley,”TheGreatSIMHeist---HowSpiesStoletheKeystotheEncryptionCastle”,TheIntercept,Feb2015.https://theintercept.com/2015/02/19/great-sim-heist/

[Shaik2015]A.Shaik,R.Borgaonkar,N.Asokan,V.Niemi,andJ-P.Seifert,“Practicalattacksagainstprivacyandavailabilityin4G/LTEmobilecommunicationsystems”,October2015.http://arxiv.org/pdf/1510.07563v1.pdf

[Smith2015]K.Smith,“Networkmanagementofencryptedtraffic”,IETFInternetDraftdraft-smith-encrypted-traffic-management-04,Nov2015.

D2.1UseCases

6715625G-ENSURE 79

[TR22.891]3GPPTR22.891“FeasibilityStudyonNewServicesandMarketsTechnologyEnablers;Stage1”,Sections5.20,5.22,5.72

[TS22.368]3GPPTS22.368“ServicerequirementsforMachine-TypeCommunications(MTC);Stage1”

[TS33.106]3GPPTS33.106“3Gsecurity;Lawfulinterceptionrequirements”

[TS33.220]3GPPTS33.220“GenericAuthenticationArchitecture(GAA);GenericBootstrappingArchitecture(GBA)”

[TS33.401]3GPPTS33.401“3GPPSystemArchitectureEvolution(SAE);Securityarchitecture”

[Vallina-Rodriguez2015]N.Vallina-Rodriguez,S.Sundaresan,C.Kreibich,V.Paxson“HeaderEnrichmentorISPEnrichment?EmergingPrivacyThreatsinMobileNetworks”,HotMiddlebox’15,2015.

Documents

5G-ENSURE_D2.1 Use Cases