
TR 33.819
Study on Security enhancements of 5GS
for Vertical and Local Area Network (LAN) Services

V16.1.0  2020/06  46 p.
Rapporteur:
Miss Jerichow, Anja
Nokia Germany

Full Table of Contents for TR 33.819, Word version 16.1.0
0 Introduction  p. 7
1 Scope  p. 8
2 References  p. 8
3 Definitions of terms, symbols and abbreviations  p. 8
3.1 Terms  p. 8
3.2 Symbols  p. 9
3.3 Abbreviations  p. 9
4 Security aspects in the 5G System to enable enhanced support of Vertical and LAN Services  p. 9
5 Key issues  p. 10
5.1 Key Issues related to security for SNPNs  p. 10
5.1.1 Key Issue #1.1: Completing AKA based authentication and calculating KSEAF for SNPNs  p. 10
5.1.1.1 Key issue details  p. 10
5.1.1.2 Security threats  p. 10
5.1.1.3 Potential security requirements  p. 10
5.1.1.4 Potential architectural requirements  p. 10
5.2 Key Issues related to Security aspects on interworking between NPN and PLMN  p. 10
5.2.1 Key Issue #2.1: Authentication and Authorization for Interworking, Roaming between NPN and PLMN  p. 10
5.2.1.1 Key issue details  p. 10
5.2.1.2 Security threats  p. 11
5.2.1.3 Potential security requirements  p. 11
5.2.2 Key Issue #2.2: Security and privacy aspects of service continuity and session continuity  p. 11
5.2.2.1 Key issue details  p. 11
5.2.2.2 Security threats  p. 12
5.2.2.3 Potential security requirements  p. 12
5.2.3 Key Issue #2.3: Independent credentials for authentication and authorization with NPN and PLMN  p. 13
5.2.3.1 Key issue details  p. 13
5.2.3.2 Security threats  p. 13
5.2.3.3 Potential security requirements  p. 13
5.3 Key Issues related to Security for 5G LAN services  p. 13
5.3.1 Key Issue #3.1: Authentication and Authorization of UE in 5GLAN communication  p. 13
5.3.1.1 Key issue details  p. 13
5.3.1.2 Security threats  p. 13
5.3.1.3 Potential security requirements  p. 14
5.3.2 Key Issue #3.2: UP security policy for the 5GLAN Group  p. 14
5.3.2.1 Key issue details  p. 14
5.3.2.2 Security threats  p. 14
5.3.2.3 Potential security requirements  p. 14
5.4 Key Issues related to Security for TSC and 5GS interaction  p. 14
5.4.1 Key Issue #4.1: Protection of interfaces that 5GS interacts with a TSN network  p. 14
5.4.1.1 Key issue details  p. 14
5.4.1.2 Security threats  p. 15
5.4.1.3 Potential security requirements  p. 15
5.4.2 Key Issue #4.2: TSC time synchronisation  p. 15
5.4.2.1 Key issue details  p. 15
5.4.2.2 Security threats  p. 15
5.4.2.3 Potential security requirements  p. 15
5.5 Key Issues related to authentication on NPNs  p. 15
5.5.1 Key Issue #5.1: Key hierarchy for NPNs  p. 15
5.5.1.1 Key issue details  p. 15
5.5.1.2 Security threats  p. 16
5.5.1.3 Potential security requirements  p. 16
5.5.2 Key Issue #5.2: Authentication and authorization of NPN subscribers by an AAA  p. 16
5.5.2.1 Key issue details  p. 16
5.5.2.2 Security threats  p. 16
5.5.2.3 Potential security requirements  p. 16
5.6 Key Issues related to security for PNiNPNs  p. 17
5.6.1 Key Issue #6.1: (D)DoS attack by large number of registration requests to CAG Cell  p. 17
5.6.1.1 Key issue details  p. 17
5.6.1.2 Security threats  p. 17
5.6.1.3 Potential security requirements  p. 17
5.6.2 Key Issue #6.2: CAG ID Privacy  p. 17
5.6.2.1 Key issue details  p. 17
5.6.2.2 Security threats  p. 18
5.6.2.3 Potential security requirements  p. 18
5.6.3 Key Issue #6.3: DoS attack by unauthorized removal of entries from the UE's Allowed CAG ID list  p. 18
5.6.3.1 Key issue details  p. 18
5.6.3.2 Security threats  p. 18
5.6.3.3 Potential security requirements  p. 19
6 Solutions  p. 19
6.1 Solution #1: Solution for NPN network access via PLMN  p. 19
6.1.1 Introduction  p. 19
6.1.2 Solution details  p. 20
6.1.2.1 Registration to NPN via PLMN  p. 20
6.1.2.2 Registration to PLMN via NPN  p. 21
6.1.3 Evaluation  p. 21
6.2 Solution #2: Security solution for handling UP security policy for a 5GLAN Group  p. 21
6.2.1 Introduction  p. 21
6.2.2 Potential solution details  p. 21
6.2.3 Evaluation  p. 22
6.3 Solution #3: Security solution for mitigation of (D)DoS attack in PNiNPNs  p. 22
6.3.1 Introduction  p. 22
6.3.2 Potential solution details  p. 22
6.3.3 Evaluation  p. 24
6.4 Solution #4: Security solution for key derivation in SNPNs  p. 24
6.4.1 Introduction  p. 24
6.4.2 Solution details  p. 24
6.4.3 Evaluation  p. 24
6.5 Solution #5: Key hierarchy for authentication using non-AKA EAP methods in NPN  p. 25
6.5.1 Introduction  p. 25
6.5.2 Solution details  p. 25
6.5.3 Evaluation  p. 25
6.6 Solution #6: 5GLAN authentication  p. 25
6.6.1 Introduction  p. 25
6.6.2 Solution details  p. 26
6.6.3 Evaluation  p. 26
6.7 Solution #7: SMF handling the UP security policy for a 5GLAN Group based on information from DN AAA  p. 26
6.7.1 Introduction  p. 26
6.7.2 Potential solution details  p. 27
6.7.3 Evaluation  p. 27
6.8 Solution #8: TSC security  p. 27
6.8.1 Introduction  p. 27
6.8.2 Solution details  p. 27
6.9 Solution #9: (D)DoS attack mitigation in PNiNPNs  p. 27
6.9.1 Introduction  p. 27
6.9.2 Solution details  p. 27
6.9.3 Evaluation  p. 28
6.10 Solution #10: Using NAS security for messages that modify the CAG list  p. 28
6.10.1 Introduction  p. 28
6.10.2 Solution details  p. 28
6.10.3 Evaluation  p. 29
6.11 Solution #11: DH based solution for CAG ID privacy  p. 29
6.11.1 Introduction  p. 29
6.11.2 Solution details  p. 29
6.11.3 Evaluation  p. 31
6.12 Solution #12: Hash based solution for CAG ID privacy  p. 31
6.12.1 Introduction  p. 31
6.12.2 Solution details  p. 32
6.12.3 Evaluation  p. 34
6.13 Solution #13: CAG ID Privacy in PNiNPNs by embedding CAG ID in the SUCI  p. 34
6.13.1 Introduction  p. 34
6.13.2 Solution details  p. 35
6.13.3 Evaluation  p. 36
6.14 Solution #14: CAG ID privacy by re-use of SUPI protection mechanism  p. 36
6.14.1 Introduction  p. 36
6.14.2 Solution details  p. 36
6.14.3 Evaluation  p. 37
6.15 Solution #15: CAG ID privacy by indication in RRC layer and providing CAG ID only after NAS security establishment  p. 38
6.15.1 Introduction  p. 38
6.15.2 Solution details  p. 38
6.15.3 Evaluation  p. 39
6.16 Solution #16: CAG ID privacy by sending CAG ID only in protected NAS signalling  p. 39
6.16.1 Introduction  p. 39
6.16.2 Solution details  p. 39
6.16.3 Evaluation  p. 40
6.17 Solution #17: Protection on TSC time synchronisation within UP security policy  p. 40
6.17.1 Introduction  p. 40
6.17.2 Solution details  p. 40
6.17.3 Evaluation  p. 40
6.18 Solution #18: CAG ID privacy considering RAN optimization  p. 40
6.18.1 Introduction  p. 40
6.18.2 Potential solution details  p. 40
6.18.3 Evaluation  p. 41
6.19 Solution #19: Privacy protected CAG ID Privacy in PNiNPNs  p. 41
6.19.1 Introduction  p. 41
6.19.2 Solution details  p. 41
6.19.3 Evaluation  p. 42
7 Conclusions  p. 43
7.1 Security for 5G LAN services  p. 43
7.2 Security for TSC  p. 43
7.3 PLMN service access via SNPN and vice versa  p. 43
7.4 Key hierarchy for NPNs  p. 43
7.5 AKA based authentication and calculating KSEAF for SNPNs  p. 43
7.6 Modification of CAG ID list in the UE  p. 43
7.7 CAG ID Privacy  p. 43
A Deployment options for authentication in SNPNs considering different types of NPN credentials  p. 44
$ Change history  p. 46