3GPP TS 33.501 standard walkthrough (continuously updated)

Version: Security architecture and procedures for 5G system V18.4.0 (Release 18)

0. Key concepts

  • Home Network: the subscriber's home network
  • Serving Network: the network currently serving the UE

1. Security Architecture

1.1 Security domains


  • Network access security (I): protects the air interface so that the UE can be authenticated and securely access the 5G network, and through it reach higher-layer services;
  • Network domain security (II): protects signalling and user-plane data exchanged between network nodes;
  • User domain security (III): secures access between the USIM and the mobile equipment;
  • Application domain security (IV): secures data exchanged between user applications and the service provider; these are OTT applications outside the scope of telecom network security and are not covered by 3GPP TS 33.501;
  • SBA domain security (V): secure communication between network functions (NFs) of the serving network (SN) and of other network domains such as the home environment (HE);
  • Visibility and configurability of security (VI): lets the UE learn whether a given security feature is currently in use.

1.2 5G security entities

  • Security Edge Protection Proxy (SEPP): edge protection node for the 5G core control plane, used to protect inter-PLMN signalling (N32 interface);
  • Inter-PLMN UP Security (IPUPS): edge protection node for the 5G core user plane, used to protect inter-PLMN user data (GTP-U security on N9);
  • AUSF: AUthentication Server Function;
  • ARPF: Authentication credential Repository and Processing Function;
  • SIDF: Subscription Identifier De-concealing Function (identifier de-concealment, used to decrypt the SUCI);
  • SEAF: SEcurity Anchor Function.

2. Security requirements and features

2.1 General security requirements

2.1.1 Mitigation of bidding down attacks

Meaning: in a bidding-down attack the attacker makes the UE and the network entity each believe that the other side does not support a given security feature.

2.1.2 Authentication and Authorization

This is the mutual authentication capability of 5G: UE <—authentication—> Network.

  • Subscription authentication: the serving network authenticates the SUPI during the authentication and key agreement procedure between the UE and the network;
  • Serving network authentication: the UE authenticates the serving network.
  • UE authorization: the serving network authorizes the UE based on the subscription profile obtained from the home network. “UE authorization is based on the authenticated SUPI”.
  • Serving network authorization by the home network: the home network authorizes the serving network that provides services to the UE, so that the services delivered are secure and trustworthy; “This authorization is ‘implicit’ in the sense that it is implied by a successful authentication and key agreement run.”
  • Access network authorization: the serving network authorizes the access network that provides services to the UE; “This authorization is ‘implicit’ in the sense that it is implied by a successful establishment of access network security.”
  • Unauthenticated Emergency Services:

2.1.3 Requirements on 5GC and NG-RAN related to keys

  • The 5GC and NG-RAN shall allow for use of encryption and integrity protection algorithms for AS and NAS protection having keys of length 128 bits.
  • The network interfaces shall support the transport of 256 bit keys.
  • The keys used for UP, NAS and AS protection shall be dependent on the algorithm with which they are used.
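The requirement that keys depend on the algorithm is realised by the algorithm key derivation of TS 33.501 Annex A.8. The Python below is an added example, not code from the specification: it reproduces that derivation from memory with the generic HMAC-SHA-256 KDF of TS 33.220, and the K_AMF value it uses is constructed.

```python
import hashlib
import hmac

# Algorithm type distinguishers (P0) of TS 33.501 Annex A.8, from memory.
ALG_TYPE = {
    "N-NAS-enc-alg": 0x01, "N-NAS-int-alg": 0x02,
    "N-RRC-enc-alg": 0x03, "N-RRC-int-alg": 0x04,
    "N-UP-enc-alg": 0x05, "N-UP-int-alg": 0x06,
}
# Algorithm identities (P1): NEA0/NIA0 = 0, 128-NEA1/128-NIA1 = 1, and so on.
ALG_ID = {"NEA0": 0, "128-NEA1": 1, "128-NEA2": 2, "128-NEA3": 3,
          "NIA0": 0, "128-NIA1": 1, "128-NIA2": 2, "128-NIA3": 3}


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220): HMAC-SHA-256(Key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # every Pi is followed by its 2-byte length Li
    return hmac.new(key, s, hashlib.sha256).digest()


def algorithm_key(parent: bytes, alg_type: str, alg_name: str, bits: int = 128) -> bytes:
    """K_NASenc/K_NASint from K_AMF, or K_RRCenc/K_RRCint/K_UPenc/K_UPint from K_gNB.

    FC = 0x69; the KDF output is 256 bits and the n least significant bits form
    the n-bit algorithm key, so a 128-bit algorithm gets the trailing 16 bytes.
    """
    if bits % 8 or not 0 < bits <= 256:
        raise ValueError("key length must be a multiple of 8 bits, at most 256")
    out = kdf(parent, 0x69, bytes([ALG_TYPE[alg_type]]), bytes([ALG_ID[alg_name]]))
    return out[-(bits // 8):]


def demo() -> dict:
    k_amf = bytes(range(32))  # constructed 256-bit K_AMF; a real one comes from the AKA run
    return {
        "K_NASenc(128-NEA2)": algorithm_key(k_amf, "N-NAS-enc-alg", "128-NEA2"),
        "K_NASenc(128-NEA1)": algorithm_key(k_amf, "N-NAS-enc-alg", "128-NEA1"),
        "K_NASint(128-NIA2)": algorithm_key(k_amf, "N-NAS-int-alg", "128-NIA2"),
    }


if __name__ == "__main__":
    for name, key in demo().items():  # different algorithm id or type: different key
        print(f"{name}: {key.hex()} ({len(key) * 8} bits)")
```

Switching the algorithm identity or the algorithm type changes the derived key even though the parent key is the same, which is exactly the dependency the requirement asks for.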

2.2 Requirements on the UE

2.2.1 General Requirements

  • The UE may select NEA0, 128-NEA1, 128-NEA2 or 128-NEA3 for ciphering of RRC and NAS signalling messages;
  • The UE shall support integrity protection and replay protection of user data between the UE and the gNB. The UE shall support integrity protection of user data at any data rate, up to the highest data rate supported by the UE.
  • The UE may select NIA0, 128-NIA1, 128-NIA2 or 128-NIA3 for integrity protection of RRC and NAS signalling messages;
  • Integrity protection of RRC signalling and NAS signalling is mandatory to use, except for the NAS and RRC signalling messages that are explicitly exempted and for emergency services.
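The algorithm selection above and the bidding-down mitigation of 2.1.1 meet in the NAS Security Mode Command: the AMF echoes the UE security capabilities it received, under integrity protection, and the UE rejects the command if they differ from what it sent. The Python below is an added model of that check, not code from the specification; the AMF priority lists, the capability sets and the tampered case are constructed.

```python
from dataclasses import dataclass

# Constructed AMF preference lists (highest priority first).
ENC_PRIORITY = ("128-NEA2", "128-NEA1", "128-NEA3", "NEA0")
INT_PRIORITY = ("128-NIA2", "128-NIA1", "128-NIA3", "NIA0")


@dataclass(frozen=True)
class SecurityModeCommand:
    enc_alg: str
    int_alg: str
    replayed_ue_caps: frozenset  # UE security capabilities as received by the AMF, echoed back
    mac_valid: bool = True       # result of the NAS-MAC check on the SMC, modelled as a flag


def amf_select(received_caps, emergency=False) -> SecurityModeCommand:
    """AMF side: highest-priority algorithms that the (claimed) UE capabilities allow."""
    enc = next((a for a in ENC_PRIORITY if a in received_caps), None)
    integ = next((a for a in INT_PRIORITY
                  if a in received_caps and (a != "NIA0" or emergency)), None)
    if enc is None or integ is None:
        raise ValueError("no acceptable common algorithm")
    return SecurityModeCommand(enc, integ, frozenset(received_caps))


def ue_accept(true_caps, smc: SecurityModeCommand, emergency=False) -> bool:
    """UE side: accept the SMC only if the echoed capabilities equal what it really sent."""
    if not smc.mac_valid:
        return False
    if smc.replayed_ue_caps != frozenset(true_caps):
        return False  # capabilities were altered in transit: bidding down detected
    if smc.int_alg == "NIA0" and not emergency:
        return False  # NIA0 is reserved for the emergency-service exception
    return smc.enc_alg in true_caps and smc.int_alg in true_caps


def demo() -> dict:
    ue_caps = {"NEA0", "128-NEA1", "128-NEA2", "NIA0", "128-NIA1", "128-NIA2"}
    honest = amf_select(ue_caps)
    # Constructed bidding-down case: the unprotected capability IE reaches the AMF
    # with the strong algorithms stripped, so the AMF selects NEA0 / 128-NIA1.
    tampered = amf_select({"NEA0", "NIA0", "128-NIA1"})
    return {
        "honest": (honest.enc_alg, honest.int_alg, ue_accept(ue_caps, honest)),
        "tampered": (tampered.enc_alg, tampered.int_alg, ue_accept(ue_caps, tampered)),
    }


if __name__ == "__main__":
    print(demo())  # honest: ('128-NEA2', '128-NIA2', True); tampered: ('NEA0', '128-NIA1', False)
```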

2.2.2 Subscriber privacy

Requirements for concealing the subscriber identity.

  • 5G-GUTI
  • The SUPI should not be transferred in clear text over NG-RAN except routing information (the SUPI shall not be sent in clear text over the air interface)
  • The Home Network Public Key, the protection scheme identifier and the Home Network Public Key Identifier shall be stored in the USIM (they are used for SUPI concealment);
  • The SUCI calculation indication, either USIM or ME calculating the SUCI, shall be stored in USIM. (Whether the SUCI is calculated in the USIM or in the ME is indicated by the USIM);
  • If the home network has not provisioned the Home Network Public Key in USIM, the SUPI protection in initial registration procedure is not provided. (If the USIM carries no public key, the SUPI is not concealed in the initial registration procedure)
  • Provisioning, and updating the Home Network Public Key, Home Network Public Key Identifier, protection scheme identifier, Routing Indicator, and SUCI calculation indication in the USIM shall be in the control of the home network operator. (The home network operator must be able to control these parameters in the USIM.)

2.3 Requirements on the gNB

  • The security policy for ciphering and integrity protection of user data at the gNB is provided by the SMF;
  • User data between the gNB and the UE may be left without integrity protection; in that case NIA0 shall not be used (it adds protocol overhead without providing any security)
  • Certificate enrolment mechanism (prevents unauthenticated/unauthorized parties from modifying the base station configuration)
  • A security association is required between the gNB and the network elements in the 5GC (TS 33.210, TS 33.310)
  • F1-C:TS 38.470,TS 38.472,TS 38.474
  • E1:TS 38.460

2.4 Requirements on the UDM

  • Security mechanisms for protection of subscription credentials in ARPF are left to implementation.
  • Security mechanisms for storage of subscription credentials in the UDR and for the transfer of authentication subscription data (as specified in 3GPP TS 29.505 [70]) between UDR and ARPF are left to implementation.

2.9 Core network security

9. Security procedures for non-service based interfaces

  • The protection of IP based interfaces for 5GC and 5G-AN according to NDS/IP is specified in TS 33.210
  • IPsec ESP implementation shall be done according to RFC 4303 (IP Encapsulating Security Payload (ESP)) as profiled by TS 33.210. For IPsec implementation, tunnel mode is mandatory to support while transport mode is optional.

TS 33.210: Network Domain Security (NDS); IP network layer security

  • IKEv2 certificate-based authentication implementation shall be done according to TS 33.310. The certificates shall be supported according to the profile described by TS 33.310. IKEv2 shall be supported conforming to the IKEv2 profile described in TS 33.310.

3GPP TS 33.310: Network Domain Security (NDS); Authentication Framework (AF)

  • Architecture and use cases of the NDS/AF
  • Detailed description of architecture and mechanisms
  • clause 6.2: IKE negotiation and profiling
  • Certificate enrolment for base stations
  • Certificate Management for 5GC NFs
  • Manual handling of TLS certificates
  • If the sender of IPsec traffic uses DiffServ Code Points (DSCPs) to distinguish different QoS classes, either by copying DSCP from the inner IP header or directly setting the encapsulating IP header’s DSCP, the resulting traffic may be reordered to the point where the receiving node’s anti-replay check discards the packet. If different DSCPs are used on the encapsulating IP header, then to avoid packet discard under one IKE SA and with the same set of traffic selectors, distinct Child-SAs should be established for each of the traffic classes (using the DSCPs as classifiers) as specified in RFC 4301 (Security Architecture for the Internet Protocol)
  • IPsec ESP and IKEv2 certificate-based authentication can be used on N2/N3/Xn/F1/E1/N4/N9.
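The DSCP and anti-replay interaction noted above is easy to reproduce with a small model. The Python below is an added example, not code from the specification: it implements a 64-packet anti-replay window in the style of RFC 4303 Appendix A and runs a constructed, DSCP-reordered trace through one shared window and through one window per traffic class.

```python
class AntiReplayWindow:
    """Sliding window in the style of RFC 4303 Appendix A (64 sequence numbers)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set: sequence number (highest - i) already seen

    def accept(self, seq: int) -> bool:
        """True if seq is fresh and inside the window, False if it must be discarded."""
        if seq == 0:
            return False                       # ESP sequence numbers start at 1
        if seq > self.highest:                 # advance the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False                       # older than the window: discarded
        if self.bitmap & (1 << diff):
            return False                       # duplicate: replay
        self.bitmap |= 1 << diff
        return True


def reordered_trace(n: int = 200):
    """Constructed trace: the sender alternates EF and BE packets under one SA,
    and a DSCP-aware network delivers every EF packet before any BE packet."""
    sent = [("EF" if i % 2 else "BE", i) for i in range(1, n + 1)]
    return [p for p in sent if p[0] == "EF"] + [p for p in sent if p[0] == "BE"]


def count_discards(packets, per_class_sa: bool) -> int:
    """Run the trace through one shared window or one window per DSCP class
    (modelling distinct Child-SAs; a real Child-SA also has its own counter)."""
    windows, dropped = {}, 0
    for dscp, seq in packets:
        win = windows.setdefault(dscp if per_class_sa else "shared", AntiReplayWindow())
        if not win.accept(seq):
            dropped += 1
    return dropped


if __name__ == "__main__":
    trace = reordered_trace()
    print("one Child-SA for both classes:", count_discards(trace, False), "discarded")
    print("one Child-SA per DSCP class:  ", count_discards(trace, True), "discarded")
```

With a single Child-SA the delayed BE packets fall outside the window once the EF packets have advanced it, and are discarded although they are legitimate; per-class Child-SAs keep every packet.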

9.2 Security mechanisms for the N2/N3 interface

  • In order to protect the N2/N3 reference point, it is required to implement IPsec ESP and IKEv2 certificates-based authentication
  • IPsec is mandatory to implement on the gNB and the ng-eNB. On the core network side, a SEG may be used to terminate the IPsec tunnel.
  • In addition to IPsec, DTLS shall be supported as specified in RFC 6083 (Datagram Transport Layer Security (DTLS) for Stream Control Transmission Protocol (SCTP)) to provide mutual authentication, integrity protection, replay protection and confidentiality protection. Security profiles for DTLS implementation and usage shall follow the TLS profile given in clause 6.2 of TS 33.210 [3] and the certificate profile given in clause 6.1.3a of TS 33.310 [5]. The identities in the end entity certificates shall be used for authentication and policy checks.

Clause 6.2 of 3GPP TS 33.210

  • TLS protocol profiles
  • Profiling for TLS 1.3
  • Profiling for TLS 1.2

Clause 6.1.3a of 3GPP TS 33.310

  • TLS entity certificate profile

11. Security procedures between UE and external data networks via the 5G Network

  • Secondary authentication (二次鉴权, secondary authentication of the UE by the external data network) as described in clause 11

12. Security aspects of Network Exposure Function (NEF)

  • NEF - AF: secures access by AFs
  • The NEF also enables secure provision of information in the 3GPP network by authenticated and authorized AFs.
  • The subscription procedure must carry the token used for AF authorization
  • Requirements on security aspects of NEF are captured in clause 5.9.2.3
  • For authentication between NEF and an AF that resides outside the 3GPP operator domain, mutual authentication based on client and server certificates shall be performed between the NEF and AF using TLS.
  • Certificate based authentication shall follow the profiles given in 3GPP TS 33.310 [5], clause 6.1.3a. The identities in the end entity certificates shall be used for authentication and policy checks.
  • TLS shall be used to provide integrity protection, replay protection and confidentiality protection for the interface between the NEF and the AF. The support of TLS is mandatory.
  • Security profiles for TLS implementation and usage shall follow the provisions given in clause 6.2 of TS 33.210
  • The NEF shall authorize the requests from AF using an OAuth-based authorization mechanism; the specific authorization mechanism shall follow the provisions given in RFC 6749 (The OAuth 2.0 Authorization Framework)

13. Service Based Interfaces (SBI)

  • All network functions shall support mutually authenticated TLS and HTTPS as specified in RFC 9113 and RFC 2818 (HTTP Over TLS)
  • TLS client and server certificates shall be compliant with the SBA certificate profile specified in clause 6.1.3c of TS 33.310

Annex B. Using additional EAP methods for primary authentication

Annex C. Protection schemes for concealing the subscription permanent identifier

  • i.e. the SUCI concealment and de-concealment methods, based on elliptic curves
  • Elliptic Curve Integrated Encryption Scheme (ECIES)
  • Null-scheme
  • Profile A
  • Profile B

Annex E. UE-assisted network-based detection of false base station

  • i.e. the network analyses measurement reports sent by UEs to detect false base stations or SUPI/5G-GUTI catchers.
  • Received signal strength and location information in the measurement reports can reveal a false base station (a false base station captures UEs by transmitting at high power); a false base station that replays captured, unmodified MIB/SIB information of a genuine cell can also be detected;
  • Adjusting neighbour cell lists, cell reselection criteria, registration timers and similar parameters can prevent the UE from ping-ponging between the false and the genuine base station;
  • Collecting measurement reports from multiple UEs can be used to filter out incorrect reports sent by potentially malicious UEs.

Annex I. Non-public networks

  • NPN: non-public network, i.e. a private 5G network
  • In internal authentication server mode, the AUSF is the authentication server and 5G-AKA, EAP-AKA’ or EAP-TLS can be used as the authentication method;
  • In external authentication server mode with an AAA server as the authentication server, the primary authentication procedure is given in Annex I.2.2.2.2;
  • In external authentication server mode with an AUSF as the authentication server, the primary authentication procedure is given in Annex I.2.4;
  • The UDM may decide between an internal and an external authentication server.

I.2 Authentication in standalone non-public networks

I.2.2 EAP framework, selection of authentication method, and EAP method credentials

  • The UE and the SNPN may support 5G AKA, EAP-AKA’, or any other key-generating EAP authentication method.

I.2.2.2 Credentials holder using AAA server for primary authentication

  • The architecture for SNPN access using credentials from a Credentials Holder using AAA Server is described in clause 5.30.2.9.2 of TS 23.501
  • That is, the NSSAAF provides secure access to the AAA Server, in a role similar to an AF.
  • NSSAAF: Network Slice-specific and SNPN Authentication and Authorization Function
  • This authentication method differs from 5G-AKA and EAP-AKA’ in how the Kausf value is computed.

I.2.3 Credentials Holder using AUSF and UDM for primary authentication

  • The 5G System architecture for SNPN with Credentials Holder using AUSF and UDM for primary authentication and authorization is described in clause 5.30.2.9.3 of TS 23.501

I.6 Authentication in Public Network Integrated Non-Public Networks (PNI-NPN)

  • For public network integrated NPN (PNI-NPN), the primary authentication shall be performed with the public network as described in clause 6.1. Secondary authentication as described in clause 11 and slice-specific authentication as described in the main body can take place after a successful primary authentication.

I.7 Authorization aspects in SNPNs

  • For SNPNs with Credentials Holder using AUSF and UDM for primary authentication, service authorization as specified in clause 13.4.1.2 applies.

I.8 SEPP and interconnect related security procedures

I.9 Security of UE onboarding in SNPNs

  • Onboarding of UEs for SNPNs is specified in clause 5.30.2.10 of TS 23.501

Annex U. Primary authentication using EAP-TTLS in SNPNs

  • In SNPN, when a credential holder is located outside of the 5GC of the SNPN, EAP-TTLS can be used to authenticate the UE. EAP-TTLS consists of two phases of authentication. In the first phase, a TLS tunnel is established between the UE and the EAP-TTLS server on AUSF. In the second phase, a legacy authentication protocol can be run between the UE and the credential holder (namely AAA) through the established TLS tunnel.