The present document captures the network product class descriptions, threats and critical assets that have been identified in the course of the work on 3GPP security assurance specifications. The main body of the present document contains generic aspects that are believed to apply to more than one network product class, while Annexes cover the aspects specific to one network product class.
As part of the gNB-CU-CP network product, it is expected that the gNB-CU-CP contains gNB-CU-CP application, a set of running processes (typically more than one) executing the software package for the gNB-CU-CP functions and OAM functions that are specific to the gNB-CU-CP network product model. Functionalities specific to the gNB-CU-CP network product introduce additional threats and/or critical assets as described below. Related security requirements and test cases have been captured in TS 33.523.
In addition to the critical assets of a GNP described in clause 5.2 of the present document, the critical assets specific to the gNB-CU-CP to be protected are:
gNB-CU-CP Application;
Mobility Management data: e.g. subscriber's identities (e.g. SUCI, GUTI), subscriber keys (i.e. KUPenc, KUPint, KRRCenc, KRRCint, NH), authentication parameters, APN name, data related to mobility management like UE measurements, UE's IP address, etc., QoS and so on, etc;
The interfaces of gNB-CU-CP to be protected and which are within SCAS scope;
N2 interface;
Xn interface;
E1 interface;
Uu interface;
F1 interface;
Console interface, for local access: local interface on gNB-CU-CP; and
OAM interface, for remote access: interface between gNB-CU-CP and OAM system; and
gNB-CU-CP Software: binary code or executable code.
Threat name: gNB-CU control plane data confidentiality protection.
Threat Category: Information Disclosure.
Threat Description: If the gNB-CU-CP does not provide confidentiality protection for control plane packets on the N2/Xn/F1-C/Uu/E1 reference points, then the control plane packets sent over Xn (e.g. inter-gNB handover), N2 (e.g. handover on AMF change), Uu, E1 and F1-C referemnce points can be compromised by attackers. This means the UE identifiers, security capabilities, the security algorithms and key materials exchanged can be accessed by the attackers leading to huge security breach. This threat scenario assumes that the N2, Xn, E1 and F1-C reference points are not within the security environment.
Threat name: Control plane data integrity protection.
Threat Category: Tampering data, Denial of Service.
Threat Description: If the gNB-CU-CP does not provide integrity protection for control plane packets on N2/Xn/F1-C/Uu/E1 reference points, the control plane packets sent over these reference points can be modified without detection. The intruder manipulations on control plane packets can lead to denial of service to legitimate users. This threat scenario assumes that the N2, Xn, E1 and F1-C reference points are not within the security environment.
Threat Category: Tampering data, Information Disclosure, Denial of Service
Threat Description: If AS does not use the highest priority algorithm to protect AS layer, i.e. RRC and PDCP, data on the AS layer risks being exposed and/or modified, or denial of service.
Threatened Asset: Sufficient Processing Capacity, Mobility Management data
Threat Category: Tampering Data, Information Disclosure, Denial of Service.
Threat Description: If the gNB-CU-CP does not send the UE 5G security capabilities, the AMF cannot verify 5G security capabilities are the same as the UE security capabilities that the AMF has stored, the attacker may force the system to accept a weaker security algorithm than the system is allowed, forcing the system into a lowered security level making the system easily attacked and/or compromised.
Threat Description: If AS keys are not refreshed by the gNB-CU-CP when PDCP COUNTs is about to be re-used with the same Radio Bearer identity and with the same KgNB, key stream reuse is possible. This can result in information disclosure of AS signalling and user plane data. The threat of key stream reuse occurs under the following conditions when the PDCP COUNT is reset to 0 but the RB identity and key stay the same (e.g. the successive Radio Bearer establishment uses the same RB identity and keys, or the RB identity is increased after multiple calls and wraps around.
Threatened Asset: User plane data, Mobility Management data.
Threat Category: Tampering data, Information Disclosure.
Threat Description: If gNB-CU-CP does not follow the security based on security policy provided by SMF, this can lead to no security or reduced security provided to the UE user plane, (e.g. not applying integrity protection when it is required to do so), etc.
Threatened Asset: Sufficient Processing Capability, User plane data.
Threat name: State transition from inactive state to connected state
Threat Category: Denial of Service.
Threat Description: When state transits from inactive state to the connected state, if the gNB-CU-CP does not reactivate/activate the UP security based on UP activation status included in the UE 5G AS security context, the UP activation status between the network and the UE may be different. This will cause the misalignment on UP activation status, and result in the UE has to reconnect to the Network again which wastes resource both at UE and network