
TR 33.876
Study on Automated Certificate Management in Service-Based Architecture (SBA)

V18.0.1 (Wzip)  2023/06  65 p.
Mr. Peinado, German
Nokia Germany

full Table of Contents for  TR 33.876  Word version:  18.0.1



0  Introduction  (p. 8)

According to TS 33.501, the use of mutual TLS for authentication of NFs requires compliance with clause 6.1.3c of TS 33.310 for the TLS client and TLS server certificate profiles, in addition to TLS profile compliance with clause 6.2a of TS 33.310.
The use of TLS certificates in 5G SBA is ubiquitous.
However, unlike the standardised model using CMPv2 in RAN, SBA does not have a standardised model and set of procedures for automated certificate management.
SBA also does not have a standardised protocol for managing the life cycle events of certificates, e.g. bootstrap, request, issue, enrolment, revocation, renewal, etc.
  • The lack of standardisation has resulted in a number of bespoke methodologies and varying choices of certificate management protocol, resulting in an inconsistent model.
  • Once service slicing and NPN are introduced in the service provider network, manual management, or the lack of standardised procedures for the life cycle management of TLS certificates belonging to separate legal entities, could further complicate the architecture.
All of the above have the potential to increase security risk and to impact the deployment and availability of operators' 5G SBA networks.
RAN has benefited from the standardisation of CMPv2 for eNodeB/gNodeB automated certificate management. The specification defined a bootstrap procedure based on the use of a vendor certificate to request an operator certificate for the set-up of IPsec IKEv2 towards the SeGW. 5G SBA lies within the operator core network domain and could benefit from a study that leads to the standardisation of an automated certificate management procedure using a standardised protocol that is fit for purpose for the 5G Core Network.

1  Scope  (p. 9)

The objectives of this study are to identify key issues, potential security and privacy requirements, and solutions with respect to the following:
  • Standardise the use of a single automated certificate management protocol and procedures for certificate life cycle events within intra-PLMN 5G SBA (i.e. to be used by all 5GC NFs, including NRF, SCP, SEPP, etc.).
  • Study the impact of service mesh on certificate management within 5G SBA.
  • Study which life cycle events of a certificate (e.g. enrolment, renewal, revocation (e.g. OCSP, CRLs), status monitoring) need to be covered.
  • Study the relation between the certificate management life cycle and the NF management life cycle.
  • Study, at a minimum, the following principles:
    • Principles that remain reusable when 5G SBA is deployed for NPN (standalone and PNI).
    • Principles standardised to support NFs performing mutual TLS in slicing.
    • Principles standardised to support both intra- and inter-PLMN scenarios, the latter referring to SEPP certificates on N32 interfaces and potential cross-certification considerations.
    • Principles involving the 'chain of trust' of Certificate Authority hierarchies.
    • Principles for the security of the CA's cryptographic private key.

2  References  (p. 9)

3  Definitions of terms, symbols and abbreviations  (p. 10)

3.1  Terms  (p. 10)

3.2  Symbols  (p. 11)

3.3  Abbreviations  (p. 11)

4  Architectural and security assumptions  (p. 11)

5  Key issues  (p. 12)

5.1  Key Issue #1: Single certificate management protocol and procedures  (p. 12)

5.2  Key Issue #2: Security protection of NF certificate enrolment  (p. 13)

5.3  Key Issue #3: NF Certificate Update  (p. 13)

5.4  Key Issue #4: Trust Chain of Certificate Authority Hierarchy  (p. 14)

5.5  Key Issue #5: Certificates revocation procedures  (p. 15)

5.6  Key Issue #6: Relation between certificate management lifecycle and NF management lifecycle  (p. 15)

5.7  Key Issue #7: Multiple certificates to be associated with a Network Function  (p. 16)

5.8  Key Issue #8: Trusted Network Function instances identifiers  (p. 17)

5.9  Key Issue #9: Automated Certificate Management for Network Slicing  (p. 17)

6  Solutions  (p. 19)

6.0  Mapping of solutions to key issues  (p. 19)

6.1  Solution #1: Certificate Enrolment and MAnagement Framework (CEMAF)  (p. 19)

6.2  Solution #2: Using CMP protocol for certificate enrolment and renewal  (p. 21)

6.3  Solution #3: Secure initial enrolment of NF certificates  (p. 26)

6.4  Solution #4: Cross-Certification Based Trust Chain in the SBA Architecture  (p. 29)

6.5  Solution #5: Interconnection CA Based Trust Chain in the SBA Architecture  (p. 32)

6.6  Solution #6: OCSP based revocation procedure  (p. 35)

6.7  Solution #7: A solution addressing the relation between certificate lifecycle management and NF lifecycle management  (p. 36)

6.8  Solution #8: Enhance the security protection for Certificate parameters  (p. 38)

6.9  Solution #9: Certificates revocation query procedure based on NRF  (p. 39)

6.10  Solution #10: Solution to indicate and validate the purpose of the certificate  (p. 42)

6.11  Solution #11: OCSP Stapling addressing Key Issues #5 and #6  (p. 44)

6.12  Solution #12: Automated Certificate Management for Network Slices  (p. 46)

6.13  Solution #13: Build initial trust for NF certificate enrolment  (p. 48)

6.14  Solution #14: Ensuring the management of bulk certificate updates  (p. 51)

6.15  Solution #15: Policy based certificate update/renewal  (p. 52)

6.16  Solution #16: Using ACME protocol for certificate enrolment and renewal  (p. 52)

6.17  Solution #17: Assurance of unique NF identifiers in certificates  (p. 57)

6.18  Solution #18: Slice specific initial enrolment procedure  (p. 59)

7  Conclusions  (p. 60)

Change history  (p. 65)
