TR 33.875
Study on enhanced Security aspects of the
5G Service Based Architecture (SBA)
V18.1.0 (Wzip)
2023/09 84 p.
- Rapporteur:
- Miss Jerichow, Anja
Nokia Germany
full Table of Contents for TR 33.875 Word version: 18.1.0
0 Introduction
1 Scope
2 References
3 Definitions of terms, symbols and abbreviations
4 Trust model
5 Key issues
6 Solutions
7 Conclusions
$ Change history
0 Introduction p. 9
The 5G core network introduced a Service-Based Architecture (the so-called SBA). This brought fundamental impacts on the way new services are created and how the individual Network Functions (NF) communicate. A more open and adaptable system design necessitated to study different approaches to enforce the security requirements of 3GPP systems, whilst not impeding flexible service creation and future innovations. Along with these architectural challenges, SBA further introduced changes to the protocol stack and serialization format of the 5G core network.
The SBA security was set on providing solutions for authentication and authorization in direct communication scenarios as well as the N32 roaming security. Later on enhancements were introduced for indirect communication scenarios as well as the concept of Client Credential Assertion to allow NRF/NF Service Producer to directly authenticate a NF Service Consumer.
While the SBA provides a good level of security, several additional aspects have been identified that may bring new potential threats. This will be documented by the present document.
1 Scope p. 10
The present document studies enhanced security aspects of the 5G Service Based Architecture. It will analyse potential threats, study necessary security enhancements, and document decisions of solutions to be adopted or not adopted after evaluating the risks versus the complexity.
In particular, the following topics are addressed:
- Need and mechanism of enabling end to end authentication in roaming case if no cross-certification between operators is enabled;
- Need and mechanism of enabling NF Service Consumer authentication of NRF and the NF Service Producer;
- Need for addressing potential security impact of different deployment scenarios including the several SCPs;
- Verification of URI in subscription/notification;
- Dynamic authorization between SCPs or NF and SCP;
- End-to-End Critical HTTP headers/body parts integrity protection;
- Access token usage in NF Sets;
- Authorization mechanism determination;
- Security of NRF service management;
- Inter-Slice access authorization;
- N32 roaming security considerations for deployment scenarios including roaming hub and hosted SEPP.
2 References p. 10
3 Definitions of terms, symbols and abbreviations p. 11
4 Trust model p. 11
4.0 General p. 11
4.1 Actors p. 12
4.2 Deployment options p. 12
4.3 Description of the trust assumptions p. 13
5 Key issues p. 15
5.1 Key issue #1: Authentication of NRF and NF Service Producer by the NF Service Consumer in indirect communication p. 15
5.1.1 Key issue details p. 15
5.1.2 Security threats p. 15
5.1.3 Potential security requirements p. 15
5.2 Key issue #2: Need for additional security at operational level among SCP domains p. 15
5.2.1 Key issue details p. 15
5.2.2 Security threats p. 16
5.2.3 Potential security requirements p. 16
5.3 Key Issue #3: Service access authorization in the "Subscribe-Notify" scenarios p. 17
5.3.1 Key issue details p. 17
5.3.2 Security threats p. 18
5.3.3 Potential security requirements p. 18
5.4 Key issue #4: Authorization of SCP to act on behalf of an NF or another SCP p. 18
5.4.1 Key issue details p. 18
5.4.2 Security threats p. 19
5.4.3 Potential security requirements p. 19
5.5 Key issue #5: End-to-end integrity protection of HTTP messages p. 19
5.5.1 Key issue details p. 19
5.5.2 Security threats p. 19
5.5.3 Potential security requirements p. 19
5.6 Key issue #6: Access token usage by all consumer NFs of an NF Set p. 19
5.6.1 Key issue details p. 19
5.6.2 Security threats p. 20
5.6.3 Potential security requirements p. 21
5.7 Key issue #7: Authorization mechanism determination p. 21
5.7.1 Key issue details p. 21
5.7.2 Security threats p. 21
5.7.3 Potential security requirements p. 21
5.8 Key issue #8: Service access authorization requirements in intra-PLMN scenarios for PLMN deploying multiple NRFs (in OAuth2.0 AS role) p. 21
5.8.1 Key issue details p. 21
5.8.1.1 Introduction p. 21
5.8.1.2 Hierarchical NRFs / Deployment model with local NRFs p. 22
5.8.1.3 Deployment model with NF Service Consumer directly accessing the NRF where the NF Service Producer is registered p. 22
5.8.2 Security threats p. 23
5.8.3 Potential security requirements p. 23
5.9 Key issue #9: Authorization for Inter-Slice Access p. 24
5.9.1 Key issue details p. 24
5.9.2 Security threats p. 24
5.9.3 Potential security requirements p. 24
5.10 Key issue #10: N32 security in mediated roaming scenarios p. 24
5.11 Key issue #11: NRF validation of NFc for access token requests p. 26
5.11.1 Key issue details p. 26
5.11.1.0 General p. 26
5.11.1.1 NFc registration at NRF not mandatory (Problem 1a) p. 26
5.11.1.2 IEs mandated in SBA TLS certificate not sufficient for NFc validation (Problem 1b) p. 26
5.11.1.3 Questions from Problems 1a and 1b p. 26
5.11.1.4 TLS certificate or NF profile - precedence in NFc validation (Problem 2) p. 26
5.11.1.5 Questions from Problem 2 p. 26
5.11.2 Security threats p. 26
5.11.3 Potential security requirements p. 27
5.12 Key issue #12: Security in Hosted SEPP scenarios p. 27
5.12.1 Key issue details p. 27
5.12.1.1 Background p. 27
5.12.1.2 Issues to be studied p. 28
5.12.2 Threats p. 28
5.12.3 Security requirements p. 28
6 Solutions p. 30
6.0 Mapping of solutions to key issues p. 30
6.1 Solution #1: Verification of the entity sending the service response in indirect communication without delegated discovery p. 31
6.2 Solution #2: Authorization between NFs and SCP p. 33
6.3 Solution #3: Using existing procedures for authorization of SCP to act on behalf of an NF Service Consumer p. 34
6.3.1 Introduction p. 34
6.3.2 Solution details p. 35
6.3.2.1 Request of access token on behalf of the consumer p. 35
6.3.2.2 Service request on behalf of the consumer p. 35
6.3.2.4 Protection of the NF Service Consumer's CCA p. 36
6.3.3 Evaluation p. 37
6.4 Solution #4: Service request authenticity verification in indirect communication p. 37
6.5 Solution #5: End-to-end integrity protection of HTTP body and method p. 38
6.6 Solution #6: Verification of Service Response from a NF Service Producer at the expected NF Set p. 41
6.6.1 Introduction p. 41
6.6.2 Solution details p. 41
6.6.2.1 For indirect communication without delegated discovery procedure p. 41
6.6.2.2 For indirect communication with delegated discovery p. 42
6.6.2.3 Client credentials assertion of NF Service Producer p. 43
6.6.3 Evaluation p. 44
6.7 Solution #7: Access token request for NF Set p. 44
6.8 Solution #8: Integrity protection of HTTP message in consideration of update by SCP p. 47
6.9 Solution #9: Authorization mechanism negotiation p. 48
6.10 Solution #10: NRF deployment clarifications p. 49
6.11 Solution #11: Registered NF Profile changes for Inter-Slice Access p. 50
6.12 Solution #12: Authorization of notification endpoint in "Subscribe-Notify" scenarios p. 51
6.13 Solution #13: Authentication of NF Service Producer in Indirect Communication p. 53
6.14 Solution #14: SCP trust domain or technical domain grouping p. 54
6.15 Solution #15: Authorization mechanism for the involved NFs in the delegated "Subscribe-Notify" scenario. p. 56
6.16 Solution #16: Selective End of End Protection of HTTP Request and Response in Indirect Communication p. 58
6.17 Solution #17: Authorization mechanism negotiation using existing methods p. 59
6.18 Solution #18: Avoiding slice isolation violation p. 61
6.19 Solution #19: Hosted SEPP requirements p. 62
6.20 Solution #20: PRINS for Roaming Hubs p. 63
6.20.1 Introduction p. 63
6.20.2 Solution details p. 64
6.20.3 RH Proxy Resolves pSEPP Well-Known FQDN p. 67
6.20.4 Evaluation p. 67
6.21 Solution #21: Certificate solution for NRF validation of NFc for access token requests p. 68
6.21.1 Introduction p. 68
6.21.2 Solution details p. 68
6.21.2.1 NF Service Consumer information to validate at Service Request Authorization p. 68
6.21.2.2 Certificates p. 68
6.21.2.3 NRF validation solution p. 68
6.21.3 Evaluation p. 69
6.22 Solution #22: Combined certificate and profile solution for NRF validation of NFc for access token requests p. 69
6.22.1 Introduction p. 69
6.22.2 Solution details p. 69
6.22.2.1 NF Service Consumer information to validate at Service Request Authorization p. 69
6.22.2.2 O&M Provisioning solution p. 69
6.22.2.3 Certificates p. 69
6.22.2.4 NRF validation solution p. 70
6.22.3 Evaluation p. 70
6.23 Solution #23: SCP authorization check by NRF p. 70
6.23.1 Introduction p. 70
6.23.2 Solution details p. 70
6.23.2.1 Enabling NRF to check on SCP information p. 70
6.23.2.2 Including service request information into the CCA p. 71
6.23.3 Evaluation p. 72
6.24 Solution #24: Authorization negotiation with bootstrapping mechanism p. 72
6.25 Solution #25: Solution on N32 security profiles p. 73
6.26 Solution #26: Authorization of NF Service Consumer accessing Nnrf_AccessToken service p. 75
7 Conclusions p. 77
7.1 KI#1: Authentication of NRF and NF Service Producer in indirect communication p. 77
7.1.1 Analysis p. 77
7.1.2 Conclusion p. 77
7.2 KI#2: Need for additional security at operational level among SCP domains p. 78
7.2.1 Analysis p. 78
7.2.2 Conclusion p. 78
7.3 KI#3: Service access authorization in the "Subscribe-Notify" scenarios p. 78
7.3.1 Analysis p. 78
7.3.2 Conclusion p. 78
7.4 KI#4: Authorization of SCP to act on behalf of an NF or another SCP p. 78
7.4.1 Analysis p. 78
7.4.2 Conclusion p. 79
7.5 KI #5: End-to-end integrity protection of HTTP messages p. 79
7.5.1 Analysis p. 79
7.5.2 Conclusion p. 80
7.6 KI#6: Access token usage by all NFs of an NF set p. 80
7.6.1 Analysis p. 80
7.6.2 Conclusion p. 80
7.7 KI#7: Authorization mechanism determination p. 80
7.7.1 Analysis p. 80
7.7.2 Conclusion p. 81
7.8 KI#8: Service access authorization requirements in intra-PLMN scenarios for PLMN deploying multiple NRFs (in OAuth2.0 AS role) p. 81
7.8.1 Analysis p. 81
7.8.2 Conclusion p. 81
7.9 KI #9: Authorization for Inter-Slice Access p. 81
7.9.1 Analysis p. 81
7.9.2 Conclusion p. 82
7.10 KI #10: N32 security in mediated roaming scenarios p. 82
7.10.1 Analysis p. 82
7.10.2 Conclusion p. 82
7.11 KI #11: NRF validation of NFc for access token p. 82
7.11.1 Analysis p. 82
7.11.2 Conclusion p. 83
7.12 KI #12: Security in Hosted SEPP scenarios p. 83
7.12.1 Analysis p. 83
7.12.2 Conclusion p. 83
$ Change history p. 84
