The present document captures the network product class descriptions, threats and critical assets that have been identified in the course of the work on 3GPP security assurance specifications. The main body of the present document contains generic aspects that are believed to apply to more than one network product class, while Annexes cover the aspects specific to one network product class.
As part of the gNB network product, it is expected that the gNB to contain gNB application, a set of running processes (typically more than one) executing the software package for the gNB functions and OAM functions that are specific to the gNB network product model. Functionalities specific to the gNB network product introduce additional threats and/or critical assets as described below. Related security requirements and test cases have been captured in TS 33.511.
In addition to the critical assets of a GNP described in clause 5.2 of the present document, the critical assets specific to the gNB to be protected are:
gNB Application;
Mobility Management data: e.g. subscriber's identities (e.g. SUCI, GUTI), subscriber keys (i.e. KUPenc, KUPint, KRRCenc, KRRCint, NH), authentication parameters, APN name, data related to mobility management like UE measurements, UE's IP address, etc., QoS and so on, etc.
user plane data
The interfaces of gNB whose data needs to be protected and which are within SCAS scope:
N2 interface
Xn interface
N3 interface
Uu interface
Console interface, for local access: local interface on gNB
OAM interface, for remote access: interface between gNB and OAM system
Threat name: gNB control plane data confidentiality protection.
Threat Category: Information Disclosure.
Threat Description: If the gNB does not provide confidentiality protection for control plane packets on the N2/Xn/Uu reference points, then the control plane packets sent over the N2/Xn/Uu reference points can be intercepted by attackers without detection. This means the UE identifiers, security capabilities, the security algorithms and key materials exchanged can be accessed by the attackers leading to huge security breach. This threat scenario assumes that the N2 and Xn reference points are not within the security environment.
Threat name: Control plane data integrity protection.
Threat Category: Tampering data, Denial of Service.
Threat Description: If the gNB does not provide integrity protection for control plane packets on N2/Xn/Uu reference points, the control plane packets sent over these reference points can be modified. The intruder manipulations on control plane packets can lead to denial of service to legitimate users. This threat scenario assumes that the N2 and Xn reference points are not within the security environment.
Threat name: User plane data confidentiality protection at gNB.
Threat Category: Information Disclosure.
Threat Description: If the gNB does not cipher and decipher user plane packets on the Uu reference point and the N3/Xn reference points, then the attackers can compromise user packets on Uu, Xn-U, and N3 interface. The attackers can gain access to user identifiers, serving network identifiers, location information and can perform user tracking. This threat scenario assumes that the N3 and Xn reference points are not within the security environment.
Threat name: User plane data integrity protection.
Threat Category: Tampering data, Denial of Service.
Threat Description: If the gNB does not handle integrity protection for user plane packets for the Xn reference points then all the uplink/downlink user plane packets over Xn-U can be attacked and/or manipulated by intruders to launch Denial of Service attack. This threat scenario assumes that the Xn reference points are not within the security environment.
Threatened Asset: Sufficient Processing Capacity, User plane data.
Threat Category: Tampering data, Information Disclosure, Denial of Service
Threat Description: If AS does not use the highest priority algorithm to protect AS layer, i.e. RRC and PDCP, data on the AS layer risks being exposed and/or modified, or denial of service.
Threatened Asset: Sufficient Processing Capacity, Mobility Management data
Threat Category: Tampering Data, Information Disclosure, Denial of Service.
Threat Description: If the gNB does not send the UE 5G security capabilities, the AMF cannot verify 5G security capabilities are the same as the UE security capabilities that the AMF has stored, the attacker (e.g gNB) may force the system to accept a weaker security algorithm than the system is allowed, forcing the system into a lowered security level making the system easily attacked and/or compromised.
Threat Description: If AS keys are not refreshed by the gNB when PDCP COUNTs is about to be re-used with the same Radio Bearer identity and with the same KgNB, key stream reuse is possible. This can result in information disclosure of AS signalling and user plane data. The threat of key stream reuse occurs under the following conditions when the PDCP COUNT is reset to 0 but the RB identity and key stay the same (e.g. the successive Radio Bearer establishment uses the same RB identity and keys, or the RB identity is increased after multiple calls and wraps around.
Threatened Asset: User plane data, Mobility Management data.
Threat Category: Tampering data, Information Disclosure.
Threat Description: If gNB does not follow the security based on security policy provided by SMF, this can lead to no security or reduced security provided to the UE user plane, (e.g. not applying integrity protection when it is required to do so), etc.
Threatened Asset: Sufficient Processing Capability, User plane data.
Threat name: State transition from inactive state to connected state
Threat Category: Denial of Service.
Threat Description: When state transits from inactive state to the connected state, if the gNB does not reactivate/activate the UP security based on UP activation status included in the UE 5G AS security context, the UP activation status between the gNB and the UE may be different. This will cause the misalignment on UP activation status, and result in the UE has to reconnect to the Network again which wastes resource both at UE and gNB.