Tech-invite 3GPPspace IETFspace

◀ ▶ 21 22 23 24 25 26 27 28 29 31 32 33 34 35 36 37 38 4‑5x

TR 33.861
Study on evolution of Cellular Internet of Things (CIoT) Security for the 5G System

3GPP‑Page ETSI‑search fToC_↓ Partial Content _→

V16.1.0 (Wzip) 2020/09 73 p.

Rapporteur:: Mr. Normann, Henrik Andreas
Ericsson LM

full Table of Contents for TR 33.861 Word version: 16.1.0

each clause number in 'red' refers to the equivalent title in the Partial Content

Introduction p. 9

Scope p. 10

References p. 10

Definitions of terms, symbols and abbreviations p. 11

3.1	Terms p. 11
3.2	Symbols p. 11
3.3	Abbreviations p. 11

Security aspects of the CIoT features in the 5G System p. 12

4.1	Background p. 12
4.2	High level potential security requirements p. 12

Key issues p. 12

Key Issue #1: Efficient frequent small data transmissions p. 12

5.1.1	Key issue details p. 12
5.1.2	Security threats p. 12
5.1.3	Potential security requirements p. 12

Key Issue #2: Integrity protection of small data p. 12

5.2.1	Key issue details p. 12
5.2.2	Security threats p. 13
5.2.3	Potential security requirements p. 13

Key Issue #3: Encryption of small data p. 13

5.3.1	Key issue details p. 13
5.3.2	Security threats p. 13
5.3.3	Potential security requirements p. 14

Key Issue #4: Signalling overload due to Malicious Applications on the UE p. 14

5.4.1	Introduction p. 14
5.4.2	Security Threats p. 14
5.4.3	Potential security requirements p. 14

Key Issue #5: gNB Protection from CIoT DoS attack p. 14

5.5.1	Key issue details p. 14
5.5.2	Security threats p. 15
5.5.3	Potential Security requirements p. 15

Key issue #6: Avoiding AS security for application security enabled UEs. p. 15

5.6.0	General p. 15
5.6.1	Potential security threat p. 15
5.6.2	Potential security requirements p. 15

Key Issue #7: Key refreshing for protection of small data p. 16

5.7.1	Key issue details p. 16
5.7.2	Security threats p. 16
5.7.3	Potential security requirements p. 16

Key Issue #8: Key and mac size for protection of small data p. 16

5.8.1	Key issue details p. 16
5.8.2	Security threats p. 16
5.8.3	Potential security requirements p. 16

Key Issue #9: Protection of NIDD interfaces p. 17

5.9.2	Security Threats p. 17
5.9.3	Potential security requirements p. 17

Key issue #10: User Plane data transmission with Connectionless signalling. p. 17

5.10.1	Description p. 17
5.10.2	Potential security threat p. 17
5.10.3	Potential security requirements p. 18

Key Issue #11: Bidding down attack for NAS based redirection between core networks p. 18

5.11.1	Key issue details p. 18
5.11.2	Security threats p. 18
5.11.3	Potential security requirements p. 18

Key Issue #12: Privacy protection of new parameters for CIoT included in NAS message p. 19

5.12.1	Key issue details p. 19
5.12.2	Security threats p. 19
5.12.3	Potential security requirements p. 19

Key Issue #13: Security Handling in RRC Connection Re-Establishment for the control plane for NB-IoT connected to 5GC p. 19

5.13.1	Key issue details p. 19
5.13.2	Security threats p. 20
5.13.3	Potential security requirements p. 20

Key issue #14: Preventing User Plane Botnet Attacks from Improper CIOT Device Usage p. 20

5.14.1	Description p. 20
5.14.2	Potential security threat p. 20
5.14.3	Potential security requirements p. 20

Key Issue #15: Protection of UE capability transfer for UEs without AS security p. 20

5.15.1	Key issue details p. 20
5.15.2	Security threats p. 21
5.15.3	Potential security requirements p. 21

Solutions p. 21

Solution #1: Security Solution for small data transmission via NAS signaling p. 21

6.1.1	Introduction p. 21
6.1.2	Solution details p. 22
6.1.3	Evaluation p. 22

Solution #2: Efficient integrity protection for frequent small data transmissions p. 22

6.2.1	Introduction p. 22
6.2.2	Solution details p. 22
6.2.3	Evaluation p. 23

Solution #3: Security solution for MO SMS at AMF re-allocation p. 24

Introduction p. 24

Solution details p. 24

MO SMS included in initial NAS message p. 24

Evaluation p. 26

Solution #4: Security solution for UL small data transfer in RRC Suspend and Resume with early data transmission (EDT) p. 26

Introduction p. 26

Solution details p. 26

6.4.2.1	UL data transmission from CM-IDLE (SUSPEND) with Early Data Transmission to old eNB p. 26
6.4.2.2	UL UP EDT from RRC SUSPEND to new eNB p. 28
6.4.2.3	Connection Suspend procedure using the Early Data Transmission (EDT) feature p. 28

Evaluation p. 28

Solution #5: Security solution for small data included in initial NAS signalling at mobility p. 28

6.5.1	Introduction p. 28
6.5.2	Solution details p. 29
6.5.3	Evaluation p. 31

Solution #6: Detecting and handling signalling overload due to Malicious Applications on the UE p. 31

Introduction p. 31

Solution details p. 31

6.6.2.1	Architecture p. 31
6.6.2.2	Procedures p. 33

Evaluation p. 34

Solution #7: Procedure for protecting gNB from RRC resume and RRC Re-establishment DoS attack p. 34

6.7.1	Introduction p. 34
6.7.2	Solution details p. 35
6.7.3	Evaluation p. 37

Solution #8: Security solution for protection of interface used by NIDD procedures p. 37

6.8.1	Introduction p. 37
6.8.2	Solution details p. 37
6.8.3	Evaluation p. 37

Solution #9: Security protection of small data at idle mobility p. 37

6.9.1	Introduction p. 37
6.9.2	Solution details p. 38
6.9.3	Evaluation p. 39

Solution #10: Security solution for small data at idle mobility using the Registration Complete message p. 39

6.10.1	Introduction p. 39
6.10.2	Solution details p. 39
6.10.3	Evaluation p. 40

Solution #11: Security-Property-Group-based Mitigation for DDoS Attack Triggered by Malicious Applications on the UE p. 41

Introduction p. 41

Solution details p. 41

Security-Property-Group assignment mechanism p. 41

6.11.2.1.1	Principle of assignment p. 41
6.11.2.1.2	Assignment Procedure p. 42

DDoS attack mitigation p. 42

6.11.2.2.1	DDoS attack on AMF/SMF p. 42
6.11.2.2.2	DDoS attack on UPF/NEF p. 42

Evaluation p. 43

Solution #12: Security Solution on DDoS attack mitigation p. 43

Introduction p. 43

Solution details p. 43

6.12.2.1	Architecture p. 43
6.12.2.2	Procedure p. 43

Evaluation p. 44

Solution #13: Security solution for small data using key refreshing p. 45

Introduction p. 45

Solution details p. 45

6.13.2.1	Support for infrequent small data transmission p. 45
6.13.2.2	Frequent small data communication p. 45

Evaluation p. 45

Solution #14: Privacy protection of new parameters for CIoT included in NAS messages p. 45

6.14.1	Introduction p. 45
6.14.2	Solution details p. 45
6.14.3	Evaluation p. 46

Solution #15: Efficient integrity protection for small data transmissions with immediate result p. 46

Introduction p. 46

Solution details p. 46

6.15.2.1	General p. 46
6.15.2.2	Receiver behaviour p. 47

Evaluation p. 47

Solution #16: Solution to Identify Misbehaving UEs p. 48

6.16.1	Introduction p. 48
6.16.2	Solution details p. 48
6.16.3	Evaluation p. 48

Solution #17: Solution to Mitigate DDoS Attack based on RAN caused by Massive Number of Misbehaving CIoT UEs p. 48

Introduction p. 48

Solution details p. 49

6.17.2.1	Architecture p. 49
6.17.2.2	Procedure p. 49

Evaluation p. 50

Solution #18: Security solution for UL small data transfer in RRC Suspend and Resume with early data transmission (EDT) p. 51

Introduction p. 51

Solution details p. 51

6.18.2.1	UL data transmission from CM-IDLE with Early Data Transmission p. 51
6.18.2.2	Connection Suspend procedure using the Early Data Transmission (EDT) feature p. 52

Evaluation p. 52

Solution #19: Solution to Mitigate DDoS Attack on AMF caused by Massive Number of Misbehaving CIoT UEs p. 52

Introduction p. 52

Solution details p. 52

6.19.2.1	Architecture p. 52
6.19.2.2	Procedure p. 53

Evaluation p. 54

Solution 20: RRC Connection Re-Establishment for the Control Plane for NB-IoT connected to 5GC p. 54

Introduction p. 54

Solution Details p. 55

6.20.2.1	RRC Connection Re-Establishment Procedure without KAMF Change p. 55
6.20.2.2	RRC Connection Re-Establishment Procedure with KAMF Change p. 55

Evaluation p. 56

Solution 21: Protection of NAS Redirection Message p. 56

Introduction p. 56

Solution Details p. 57

6.21.2.1	Procedure of Authorization for Public Key of the AMF p. 57
6.21.2.2	Procedure of Protection of NAS message p. 58
6.21.2.3	Abnormal Cases p. 58

Evaluation p. 59

Solution #22: Security solution for UP IP in PDCP to protect UL EDT data in Msg 3 p. 60

Introduction p. 60

Solution details p. 60

6.22.2.1	UL data transmission from CM-IDLE with Early Data Transmission p. 60
6.22.2.2	Connection Suspend procedure using the Early Data Transmission (EDT) feature p. 61

Evaluation p. 61

Solution #23: Mitigate DDoS Attack on RAN based on RANs coordination p. 62

6.23.1	Introduction p. 62
6.23.2	Solution details p. 62
6.23.3	Evaluation p. 62

Solution #24: Using NAS security for protection of NAS Redirection message p. 62

6.24.1	Introduction p. 62
6.24.2	Solution details p. 62
6.24.3	Evaluation p. 62

Solution #25: Security solution for preventing Botnet Attacks from Improper CIOT Device Use p. 63

6.25.1	Introduction p. 63
6.25.2	Solution A details p. 63
6.25.3	Solution B details p. 63
6.25.4	Solution C details p. 64
6.25.5	Evaluation p. 64

Solution #26: Hash based UE capability protection for CP optimization only CIoT UE p. 64

6.26.1	Introduction p. 64
6.26.2	Solution details p. 64
6.26.3	Evaluation p. 65

Solution #27: Network resilience for UEs without AS security p. 66

6.27.1	Introduction p. 66
6.27.2	Solution details p. 66
6.27.3	Evaluation p. 66

Solution #28: Protection of UE capability transfer for UEs without AS security p. 66

6.28.1	Introduction p. 66
6.28.2	Solution details p. 66
6.28.3	Evaluation p. 67

Solution #29: Security solution for UE Capability Transfer for UE with no AS security. p. 67

6.29.1	Introduction p. 67
6.29.2	Solution details p. 68
6.29.3	Evaluation p. 68

Solution #30: AMF verification of the UE radio capabilities for CP optimization only CIoT UE p. 69

6.30.1	Introduction p. 69
6.30.2	Solution details p. 69
6.30.3	Evaluation p. 70

Conclusions p. 70

7.1	Key Issue #1: Efficient frequent small data transmissions p. 70
7.2	Key Issue 2: Integrity protection of small data p. 70
7.3	Key Issue 3: Encryption of small data p. 70
7.4	Key Issue 4: Signalling overload due to Malicious Applications on the UE p. 70
7.5	Key Issue 5: gNB Protection from CIoT DoS attack p. 70
7.6	Key Issue 6: Avoiding AS security for application security enabled UEs. p. 70
7.7	Key Issue 7: Key refreshing for protection of small data p. 71
7.8	Key Issue 8: Key and mac size for protection of small data p. 71
7.9	Key Issue 9: Protection of NIDD interfaces p. 71
7.10	Key Issue 10: User Plane data transmission with Connectionless signalling. p. 71
7.11	Key Issue 11: Bidding down attack for NAS based redirection between core networks p. 71
7.12	Key Issue 12: Privacy protection of new parameters for CIoT included in NAS message p. 71
7.13	Key Issue 13: Security Handling in RRC Connection Re-Establishment for the control plane for NB-IoT connected to 5GC p. 71
7.14	Key Issue 14: Preventing User Plane Botnet Attacks from Improper CIOT Device Usage p. 71

Change history p. 72