摘自3GPP 5G Security的
5G最重要的增强是:
The most important 5G security enhancements are:
- access agnostic primary authentication with home control(这一个没看懂什么意思)归属控制对不可知接入的主身份验证
- security key establishment and management安全秘钥的建立与管理
- security for mobility 移动安全
- service based architecture security SBA
- inter-network security
- privacy and security for services provided over 5G with secondary authentication
1、信任模型的演化:
信任模型
非漫游场景
漫游场景
秘钥层次结构:
- The long term secret key (K) provisioned in the USIM and the 5G core network acts as the primary source of security context in the same way as in of an 4G system. Different to LTE, in 5G there are 2 types of authentication, primary authentication that all devices have to perform for accesing the mobile network services, and secondary authentication to an external data network (DN), if so desired by the external data network
- 在usim和5g核心网络中提供的长期密钥(k)与在4g系统中一样,充当安全上下文的主要来源。与lLTE不同,5g中有两种类型的认证,即所有设备访问移动网络服务时必须执行的主认证和外部数据网络(dn)的辅助认证(如果外部数据网络需要的话)。
| 秘钥 | 意思 |
|---|---|
| K | |
| CK | cipher key |
| IK | integrity key |
| KAUSF | |
| KSEAF | |
| KAMF | |
| K’AMF | 发生移动时的KAMF |
| int | integrity |
| enc | confidentiality |
| KNASint | |
| KNASenc | |
| KN3IWF | |
| KgNB | |
| KRRCint | |
| KRRCenc | |
| KUPint | |
| KUPenc | |
| NH | |
| K~~ | |
| K~~ | |
| K~~ | |
| K~~ | |
| K~~ |
KAUSF:
- The KAUSF is derived by ME and ARPF from CK and IK during 5G Authentication and Key Agreement (AKA).
- If the 3GPP credential K is used for authentic ation over a radio access technology supporting the extensible authentication protocol EAP, KAUSFis derived by ME and AUSF according to the EAP AKA’ specification.
KSEAF:
- From KAUSF, the AUSF and ME derive the anchor key KSEAFthat is then used to derive the KAMF by ME and SEAF.
KAMF and K’AMF:
- KAMF is derived by ME and SEAF from KSEAF
- The K’AMF is a key that can be derived by ME and AMF from previous KAMF when the UE moves from one AMF to another during inter-AMF mobility
KNASint and KNASenc:
- The integrity and confidentiality keys, KNASint and KNASenc respectively, are derived by ME and AMF from KAMF for the NAS signalling protection.
KgNB:
- The KgNBis derived by ME and AMF from KAMF.
- The KgNBis also derived by ME and source gNB using a intermediary key, K*gNB, during mobility that can lead to, what is known as, horizontal or vertical key derivation.
KUPint、 KUPenc、 KRRCint and KRRCenc:
- The integrity and confidentiality keys for AS, i.e. UP (KUPint and KUPenc) and RRC (KRRCint and KRRCenc), are derived by ME and gNB from KgNB.
- UP integrity protection is another enhancement in 5G that is valuable for the expected Internet of Things (IoT) services.
NH:
- The intermediate key NH is derived by ME and AMF to provide forward secrecy during handover.
2、接入和身份认证:
- Up to 4G, the home network had to trust the visited network through which the authentication took place.
SUCI
The UE constructs the SUCI from
- the protection scheme identifier,
- the home network public key identifier,
- the home network identifier and
- the protection scheme-output that represents the output of a public key protection scheme.
3、多次注册
4、移动性 Mobility
DU-CU安全接口
服务安全-辅助身份认证
运营商之间的网络安全
互通安全
4G与5G的互通安全
来源:https://blog.csdn.net/qq_37160773/article/details/102678897