Content for TR 33.926 Word version: 17.6.0
D Aspects specific to the network product class gNB
D.1 Network product class description for the gNB
D.2 Assets and threats specific to the gNB
D.2.1 Critical assets
D.2.2 Threats related to Control plane and User plane in the network
...
...
D Aspects specific to the network product class gNB |R16| p. 38
D.1 Network product class description for the gNB p. 38
D.1.1 Introduction p. 38
The present document captures the network product class descriptions, threats and critical assets that have been identified in the course of the work on 3GPP security assurance specifications. The main body of the present document contains generic aspects that are believed to apply to more than one network product class, while Annexes cover the aspects specific to one network product class.
D.1.2 Minimum set of functions defining the gNB network product class p. 39
As part of the gNB network product, it is expected that the gNB to contain gNB application, a set of running processes (typically more than one) executing the software package for the gNB functions and OAM functions that are specific to the gNB network product model. Functionalities specific to the gNB network product introduce additional threats and/or critical assets as described below. Related security requirements and test cases have been captured in TS 33.511.
D.2 Assets and threats specific to the gNB p. 39
D.2.1 Critical assets p. 39
In addition to the critical assets of a GNP described in clause 5.2 of the present document, the critical assets specific to the gNB to be protected are:
- gNB Application;
- Mobility Management data: e.g. subscriber's identities (e.g. SUCI, GUTI), subscriber keys (i.e. KUPenc, KUPint, KRRCenc, KRRCint, NH), authentication parameters, APN name, data related to mobility management like UE measurements, UE's IP address, etc., QoS and so on, etc.
- user plane data
-
The interfaces of gNB whose data needs to be protected and which are within SCAS scope:
- N2 interface
- Xn interface
- N3 interface
- Uu interface
- Console interface, for local access: local interface on gNB
- OAM interface, for remote access: interface between gNB and OAM system
- gNB Software: binary code or executable code
D.2.2 Threats related to Control plane and User plane in the network p. 39
D.2.2.1 Control plane data confidentiality protection p. 39
- Threat name: gNB control plane data confidentiality protection.
- Threat Category: Information Disclosure.
- Threat Description: If the gNB does not provide confidentiality protection for control plane packets on the N2/Xn/Uu reference points, then the control plane packets sent over the N2/Xn/Uu reference points can be intercepted by attackers without detection. This means the UE identifiers, security capabilities, the security algorithms and key materials exchanged can be accessed by the attackers leading to huge security breach. This threat scenario assumes that the N2 and Xn reference points are not within the security environment.
- Threatened Asset: Mobility Management data.
D.2.2.2 Control plane data integrity protection p. 40
- Threat name: Control plane data integrity protection.
- Threat Category: Tampering data, Denial of Service.
- Threat Description: If the gNB does not provide integrity protection for control plane packets on N2/Xn/Uu reference points, the control plane packets sent over these reference points can be modified. The intruder manipulations on control plane packets can lead to denial of service to legitimate users. This threat scenario assumes that the N2 and Xn reference points are not within the security environment.
- Threatened Asset: Sufficient Processing Capacity, Mobility Management data.
D.2.2.3 User plane data confidentiality protection at gNB p. 40
- Threat name: User plane data confidentiality protection at gNB.
- Threat Category: Information Disclosure.
- Threat Description: If the gNB does not cipher and decipher user plane packets on the Uu reference point and the N3/Xn reference points, then the attackers can compromise user packets on Uu, Xn-U, and N3 interface. The attackers can gain access to user identifiers, serving network identifiers, location information and can perform user tracking. This threat scenario assumes that the N3 and Xn reference points are not within the security environment.
- Threatened Asset: user plane data.
D.2.2.4 User plane data integrity protection p. 40
- Threat name: User plane data integrity protection.
- Threat Category: Tampering data, Denial of Service.
- Threat Description: If the gNB does not handle integrity protection for user plane packets for the Xn reference points then all the uplink/downlink user plane packets over Xn-U can be attacked and/or manipulated by intruders to launch Denial of Service attack. This threat scenario assumes that the Xn reference points are not within the security environment.
- Threatened Asset: Sufficient Processing Capacity, User plane data.
D.2.2.5 AS algorithm selection and use p. 40
- Threat name: AS algorithm selection and use
- Threat Category: Tampering data, Information Disclosure, Denial of Service
- Threat Description: If AS does not use the highest priority algorithm to protect AS layer, i.e. RRC and PDCP, data on the AS layer risks being exposed and/or modified, or denial of service.
- Threatened Asset: Sufficient Processing Capacity, Mobility Management data
D.2.2.6 Bidding down on Xn-Handover p. 41
- Threat name: Bidding down on Xn-Handover.
- Threat Category: Tampering Data, Information Disclosure, Denial of Service.
- Threat Description: If the gNB does not send the UE 5G security capabilities, the AMF cannot verify 5G security capabilities are the same as the UE security capabilities that the AMF has stored, the attacker (e.g gNB) may force the system to accept a weaker security algorithm than the system is allowed, forcing the system into a lowered security level making the system easily attacked and/or compromised.
- Threatened Asset: Sufficient processing capability, Mobility Management data.
D.2.2.7 Key Reuse p. 41
- Threat name: Key Reuse.
- Threat Category: Information Disclosure.
- Threat Description: If AS keys are not refreshed by the gNB when PDCP COUNTs is about to be re-used with the same Radio Bearer identity and with the same KgNB, key stream reuse is possible. This can result in information disclosure of AS signalling and user plane data. The threat of key stream reuse occurs under the following conditions when the PDCP COUNT is reset to 0 but the RB identity and key stay the same (e.g. the successive Radio Bearer establishment uses the same RB identity and keys, or the RB identity is increased after multiple calls and wraps around.
- Threatened Asset: User plane data, Mobility Management data.
D.2.2.8 Security Policy Enforcement p. 41
- Threat name: Security Policy Enforcement.
- Threat Category: Tampering data, Information Disclosure.
- Threat Description: If gNB does not follow the security based on security policy provided by SMF, this can lead to no security or reduced security provided to the UE user plane, (e.g. not applying integrity protection when it is required to do so), etc.
- Threatened Asset: Sufficient Processing Capability, User plane data.
D.2.2.9 State transition from inactive state to connected state |R17| p. 41
- Threat name: State transition from inactive state to connected state
- Threat Category: Denial of Service.
- Threat Description: When state transits from inactive state to the connected state, if the gNB does not reactivate/activate the UP security based on UP activation status included in the UE 5G AS security context, the UP activation status between the gNB and the UE may be different. This will cause the misalignment on UP activation status, and result in the UE has to reconnect to the Network again which wastes resource both at UE and gNB.
- Threatened Asset: Sufficient Processing Capability.
