TR 33.876
Study on Automated Certificate Management in Service-Based Architecture (SBA)
Version 18.0.1, 2023/06, 65 p.
Rapporteur: Mr. Peinado, German (Nokia Germany)

Full Table of Contents for TR 33.876 (Word version 18.0.1)
0  Introduction  p. 8
1  Scope  p. 9
2  References  p. 9
3  Definitions of terms, symbols and abbreviations  p. 10
  3.1  Terms  p. 10
  3.2  Symbols  p. 11
  3.3  Abbreviations  p. 11
4  Architectural and security assumptions  p. 11
  4.1  Security Assumption #1: Security requirements of intra NF communications  p. 11
    4.1.1  Background  p. 11
    4.1.2  Security threats  p. 12
    4.1.3  Detailed Assumptions  p. 12
  4.2  Security Assumption #2: Protection of private keys at rest  p. 12
    4.2.1  Background  p. 12
    4.2.2  Security threats  p. 12
    4.2.3  Detailed Assumptions  p. 12
5  Key issues  p. 12
  5.1  Key Issue #1: Single certificate management protocol and procedures  p. 12
    5.1.1  Key issue details  p. 12
    5.1.2  Security threats  p. 13
    5.1.3  Potential security requirements  p. 13
  5.2  Key Issue #2: Security protection of NF certificate enrolment  p. 13
    5.2.1  Key issue details  p. 13
    5.2.2  Security threats  p. 13
    5.2.3  Potential security requirements  p. 13
  5.3  Key Issue #3: NF Certificate Update  p. 13
    5.3.1  Key issue details  p. 13
    5.3.2  Security threats  p. 14
    5.3.3  Potential security requirements  p. 14
  5.4  Key Issue #4: Trust Chain of Certificate Authority Hierarchy  p. 14
    5.4.1  Key issue details  p. 14
    5.4.2  Security threats  p. 14
    5.4.3  Potential security requirements  p. 14
  5.5  Key Issue #5: Certificates revocation procedures  p. 15
    5.5.1  Key issue details  p. 15
    5.5.2  Security threats  p. 15
    5.5.3  Potential security requirements  p. 15
  5.6  Key Issue #6: Relation between certificate management lifecycle and NF management lifecycle  p. 15
    5.6.1  Key issue details  p. 15
    5.6.2  Security threats  p. 16
    5.6.3  Potential security requirements  p. 16
  5.7  Key Issue #7: Multiples certificates to be associated with a Network Function  p. 16
    5.7.1  Key issue details  p. 16
    5.7.2  Security threats  p. 16
    5.7.3  Potential security requirements  p. 16
  5.8  Key Issue #8: Trusted Network Function instances identifiers  p. 17
    5.8.1  Key issue details  p. 17
    5.8.2  Security threats  p. 17
    5.8.3  Potential security requirements  p. 17
  5.9  Key Issue #9: Automated Certificate Management for Network Slicing  p. 17
    5.9.1  Key issue details  p. 17
    5.9.2  Security threats  p. 18
    5.9.3  Potential security requirements  p. 18
6  Solutions  p. 19
  6.0  Mapping of solutions to key issues  p. 19
  6.1  Solution #1: Certificate Enrolment and MAnagement Framework (CEMAF)  p. 19
    6.1.1  Introduction  p. 19
    6.1.2  Solution details  p. 19
      6.1.2.1  General  p. 19
      6.1.2.2  Architecture  p. 20
      6.1.2.3  Procedures  p. 20
    6.1.3  Evaluation  p. 21
  6.2  Solution #2: Using CMP protocol for certificate enrolment and renewal  p. 21
    6.2.1  Introduction  p. 21
    6.2.2  Solution details  p. 21
      6.2.2.1  CMPv2 Profiling for SBA  p. 22
        6.2.2.1.1  General Requirements  p. 22
        6.2.2.1.2  Profile for PKIMessage  p. 23
        6.2.2.1.3  Profile for PKIHeader Field  p. 23
        6.2.2.1.4  Profile for the PKIBody Field  p. 23
      6.2.2.2  CMPv2 Transport  p. 25
    6.2.3  Evaluation  p. 26
  6.3  Solution #3: Secure initial enrolment of NF certificates  p. 26
    6.3.1  Introduction  p. 26
    6.3.2  Solution details  p. 27
    6.3.3  Evaluation  p. 28
  6.4  Solution #4: Cross-Certification Based Trust Chain in the SBA Architecture  p. 29
    6.4.1  Introduction  p. 29
    6.4.2  Solution details  p. 30
      6.4.2.1  General architecture  p. 30
      6.4.2.2  Verify certificate in SBA architecture  p. 31
    6.4.3  Evaluation  p. 32
  6.5  Solution #5: Interconnection CA Based Trust Chain in the SBA Architecture  p. 32
    6.5.1  Introduction  p. 32
    6.5.2  Solution details  p. 33
      6.5.2.1  General architecture  p. 33
      6.5.2.2  Verify certificate in SBA architecture  p. 34
    6.5.3  Evaluation  p. 35
  6.6  Solution #6: OCSP based revocation procedure  p. 35
    6.6.1  Introduction  p. 35
    6.6.2  Solution details  p. 35
      6.6.2.1  General  p. 35
      6.6.2.2  Procedure  p. 35
    6.6.3  Evaluation  p. 36
  6.7  Solution #7: A solution addressing the relation between certificate lifecycle management and NF lifecycle management  p. 36
    6.7.1  Introduction  p. 36
    6.7.2  Solution details  p. 36
    6.7.3  Evaluation  p. 37
  6.8  Solution #8: Enhance the security protection for Certificate parameters  p. 38
    6.8.1  Introduction  p. 38
    6.8.2  Solution details  p. 38
      6.8.2.1  General  p. 38
      6.8.2.2  Procedure  p. 38
    6.8.3  Evaluation  p. 39
  6.9  Solution #9: Certificates revocation query procedure based on NRF  p. 39
    6.9.1  Introduction  p. 39
    6.9.2  Solution details  p. 40
      6.9.2.1  General  p. 40
      6.9.2.2  NF service Registration procedure  p. 40
      6.9.2.3  NF/NF service discovery in the same PLMN  p. 40
    6.9.3  Evaluation  p. 41
  6.10  Solution #10: Solution to indicate and validate the purpose of the certificate  p. 42
    6.10.1  Introduction  p. 42
    6.10.2  Solution details  p. 42
    6.10.3  Evaluation  p. 43
  6.11  Solution #11: OCSP Stapling addressing Key Issues #5 and #6  p. 44
    6.11.1  Introduction  p. 44
    6.11.2  Solution details  p. 44
    6.11.3  Evaluation  p. 45
  6.12  Solution #12: Automated Certificate Management for Network Slices  p. 46
    6.12.1  Introduction  p. 46
    6.12.2  Solution details  p. 46
    6.12.3  Evaluation  p. 48
  6.13  Solution #13: Build initial trust for NF certificate enrolment  p. 48
    6.13.1  Introduction  p. 48
    6.13.2  Solution Details  p. 49
    6.13.3  Evaluation  p. 50
  6.14  Solution #14: Ensuring the management of bulk certificate updates  p. 51
    6.14.1  Introduction  p. 51
    6.14.2  Solution details  p. 51
    6.14.3  Evaluation  p. 52
  6.15  Solution #15: Policy based certificate update/renewal  p. 52
    6.15.1  Introduction  p. 52
    6.15.2  Solution details  p. 52
    6.15.3  Evaluation  p. 52
  6.16  Solution #16: Using ACME protocol for certificate enrolment and renewal  p. 52
    6.16.1  Introduction  p. 52
    6.16.2  Solution details  p. 53
      6.16.2.1  Solution overview  p. 53
      6.16.2.2  ACME Profiling for SBA  p. 54
        6.16.2.2.1  General Requirements  p. 55
        6.16.2.2.2  Profile for PKI Fields  p. 55
      6.16.2.3  ACME Transport  p. 56
    6.16.3  Evaluation  p. 57
  6.17  Solution #17: Assurance of unique NF identifiers in certificates  p. 57
    6.17.1  Introduction  p. 57
    6.17.2  Solution details  p. 57
    6.17.3  Evaluation  p. 58
  6.18  Solution #18: Slice specific initial enrolment procedure  p. 59
    6.18.1  Introduction  p. 59
    6.18.2  Solution details  p. 59
    6.18.3  Evaluation  p. 59
7  Conclusions  p. 60
  7.1  KI#1: Single certificate management protocol and procedures  p. 60
    7.1.1  Analysis  p. 60
    7.1.2  Conclusion  p. 60
  7.2  KI#2: Security protection of NF certificate enrolment  p. 60
    7.2.1  Analysis  p. 60
    7.2.2  Conclusion  p. 61
  7.3  KI#3: NF Certificate Update  p. 61
    7.3.1  Analysis  p. 61
    7.3.2  Conclusion  p. 61
  7.4  KI#4: Trust Chain of Certificate Authority Hierarchy  p. 61
    7.4.1  Analysis  p. 61
    7.4.2  Conclusion  p. 62
  7.5  KI#5: Certificates revocation procedures  p. 62
    7.5.1  Analysis  p. 62
    7.5.2  Conclusion  p. 62
  7.6  KI#6: Relation between certificate management lifecycle and NF management lifecycle  p. 62
    7.6.1  Analysis  p. 62
    7.6.2  Conclusion  p. 63
  7.7  KI#7: Multiples certificates to be associated with a Network Function  p. 63
    7.7.1  Analysis  p. 63
    7.7.2  Conclusion  p. 63
  7.8  KI#8: Trusted Network Function instances identifiers  p. 63
    7.8.1  Analysis  p. 63
    7.8.2  Conclusion  p. 64
  7.9  KI#9: Automated Certificate Management for Network Slicing  p. 64
    7.9.1  Analysis  p. 64
    7.9.2  Conclusion  p. 64
Change history  p. 65