8 Security
22.2613GPPRelease 18Service requirements for the 5G systemTS
8.1 Description
IoT introduces new UEs with different life cycles, including IoT devices with no user interface (e.g. embedded sensors), long life spans during which an IoT device can change ownership several times (e.g. consumer goods), and which cannot be pre-provisioned (e.g. consumer goods). These drive a need for secure mechanisms to dynamically establish or refresh credentials and subscriptions. New access technologies, including licensed and unlicensed, 3GPP and non-3GPP, drive a need for access-independent security that is seamlessly available while the IoT device is active. High-end smartphones, UAVs, and factory automation drive a need for protection against theft and fraud. A high level of 5G security is essential for critical communication, e.g. in industrial automation, industrial IoT, and the Smart Grid. Expansion into enterprise, vehicular, medical, and public safety markets drive a need for increased end user privacy protection. 5G security addresses all of these new needs while continuing to provide security consistent with prior 3GPP systems.
8.2 General
The 5G system shall support a secure mechanism to store cached data.
The 5G system shall support a secure mechanism to access a content caching application.
The 5G system shall support a secure mechanism to access a service or an application in an operator’s Service Hosting Environment.
The 5G system shall enable support of an access-independent security framework.
The 5G system shall support a mechanism for the operator to authorize subscribers of other PLMNs to receive temporary service (e.g. mission critical services).
The 5G system shall be able to provide temporary service for authorized users without access to their home network (e.g. IOPS, mission critical services).
The 5G system shall allow the operator to authorize a third-party to create, modify and delete network slices, subject to an agreement between the third-party and the network operator.
Based on operator policy, a 5G network shall provide suitable means to allow a trusted and authorized third-party to create and modify network slices used for the third-party with appropriate security policies (e.g. user data privacy handling, slices isolation, enhanced logging).
The 5G system shall support a secure mechanism to protect relayed data from being intercepted by a relay UE.
Subject to HPLMN policy as well as its service and operational needs, any USIM able to access EPS instead of a 5G USIM may be used to authenticate a user in a 5G system to access supported services according to the user subscription.
The 5G system shall provide integrity protection and confidentiality for communications between authorized UEs using a 5G LAN-type service.
The 5G LAN-VN shall be able to verify the identity of a UE requesting to join a specific private communication.
The 5G system shall provide suitable means to allow the use of a trusted third-party provided encryption between any UE served by a private slice and a core network entity in that private slice.
The 5G system shall provide suitable means to allow use of a trusted and authorized third-party provided integrity protection mechanism for data exchanged between an authorized UE served by a private slice and a core network entity in that private slice.
The 5G system shall provide suitable means to allow use of a trusted and authorized third-party provided integrity protection mechanism for data exchanged between an authorized UE served by a non-public network and a core network entity in that non-public network.
8.3 Authentication
The 5G system shall support an efficient means to authenticate a user to an IoT device (e.g. biometrics).
The 5G system shall be able to support authentication over a non-3GPP access technology using 3GPP credentials.
The 5G system shall support operator-controlled alternative authentication methods (i.e. alternative to AKA) with different types of credentials for network access for IoT devices in isolated deployment scenarios (e.g. for industrial automation).
The 5G system shall support a suitable framework (e.g. EAP) allowing alternative (e.g. to AKA) authentication methods with non-3GPP identities and credentials to be used for UE network access authentication in non-public networks.
NOTE: Non-public networks can use 3GPP authentication methods, identities, and credentials for a UE to access network. Non-public networks are also allowed to utilize non-AKA based authentication methods such as provided by the EAP framework, for which the credentials can be stored in the ME.
Subject to an agreement between an MNO and a 3rd party, the 5G system shall support a mechanism for the PLMN to authenticate and authorize UEs for access to both a hosted non-public network and private slice(s) of the PLMN associated with the hosted non-public network.
The 5G network shall support a 3GPP supported mechanism to authenticate legacy non-3GPP devices for 5G LAN-VN access.
The 5G system shall support a mechanism for the non-public network to authenticate and authorize UEs for access to network slices of that non-public network.
The 5G system shall enable an NPN to be able to request a third-party service provider to perform NPN access network authentication of a UE based on non-3GPP identities and credentials supplied by the third-party service provider.
The 5G system shall enable an NPN to be able to request a PLMN to perform NPN access network authentication of a UE based on 3GPP identities and credentials supplied by the PLMN.
8.4 Authorization
The 5G system shall allow the operator to authorize an IoT device to use one or more 5G system features that are restricted to IoT devices.
The 5G system shall allow the operator to authorize /de-authorize UEs for using 5G LAN-type service.
NOTE: When a UE is de-authorized from using 5G LAN-type service, it is removed from all 5G LAN-VNs.
Based on operator policy, before establishing a direct device connection using a non-3GPP access technology, IoT devices may use 3GPP credentials to determine if they are authorized to engage in direct device connection.
Based on operator policy, the 5G system shall provide a means to verify whether a UE is authorized to use prioritized network access for a specific service.
8.5 Identity management
The 5G system shall provide a mechanism for an operator to allow access from a UE using a temporary identifier that hides its subscriber identity.
The 5G system shall provide a mechanism for an operator to allow access from a UE connected in an indirect network connection using a temporary identifier that hides its subscriber identity.
The HPLMN shall be able to associate a temporary identifier to a UE’s subscriber identity.
The 5G system shall be able to protect subscriber identity and other user identifying information from passive attacks.
Subject to regional or national regulatory requirements, the 5G system shall be able to protect subscriber identity and other user identifying information from active attacks.
The 5G system shall be able to allow the equipment identifier to be collected by legitimate entity regardless of UE’s user interface, when required.
The 5G system shall be able to support identification of subscriptions independently of identification of equipment.
The 5G system shall support a secure mechanism to collect system information while ensuring end-user and application privacy (e.g. application level information is not to be related to an individual user identity or subscriber identity and UE information is not to be related to an individual subscriber identity).
Subject to regional or national regulatory requirements, the 5G system shall be able to provide the 5G positioning services while ensuring the protection of the privacy of the UE’s user or owner, including the respect of his consent to the positioning services.
NOTE 1: this includes the ability for the 5G system to provide the positioning services on demand without having to track continuously the position of the involved UE.
NOTE 2: the respect of the user’s consent to some positioning services could abide by different rules in case of emergency (for example, rules that would also receive consent from the user, but well before the emergency occurs).
For a private network using 5G technology, the 5G system shall support network access using identities, credentials, and authentication methods provided and managed by a third-party and supported by 3GPP.
8.6 Regulatory
The 5G system shall support regional or national regulatory requirements for all supported access networks.
The 5G system shall support Lawful Interception, subject to regional or national regulatory requirements.
A 5G satellite access network connected to 5G core networks in multiple countries shall be able to meet the corresponding regulatory requirements from these countries (e.g. Lawful Interception).
A 5G system shall support regulatory requirements for 5G LAN-type services.
8.7 Fraud protection
Subject to regional or national regulatory requirements, the 5G system shall support a secure mechanism for allowing an authorized entity to disable from normal operation of a UE reported as stolen.
Subject to regional or national regulatory requirements, the 5G system shall support a secure mechanism for allowing an authorized entity to re-enable a recovered stolen UE to normal operation.
The 5G system shall be able to protect user location information from passive attacks.
Subject to regional or national regulatory requirements, the 5G system shall be able to protect user location information from active attacks.
Subject to regional or national regulatory requirements, the 5G system shall support mechanisms to protect the production of the user location information and user positioning-related data against tampering and spoofing.
Subject to regional or national regulatory requirements, the 5G system shall support mechanisms to detect tampering and spoofing attempts on the production of the user location information and the user position-related data.
8.8 Resource efficiency
The 5G system shall minimize security signalling overhead without compromising the security level of the 3GPP system.
The 5G system shall support an efficient secure mechanism to transmit the same data (e.g. service provisioning multiple sensors) to multiple UEs.
8.9 Data security and privacy
The 5G system shall support data integrity protection and confidentiality methods that serve URLLC, high data rates and energy constrained devices.
The 5G system shall support a mechanism to verify the integrity of a message as well as the authenticity of the sender of the message.
The 5G system shall support encryption for URLLC services within the requested end-to-end latency.
Subject to regulatory requirements, the 5G system shall enable an MNO to provide end-to-end integrity protection, confidentiality, and protection against replay attacks between a UE and third-party application server, such that the 3GPP network is not able to intercept or modify the data transferred between a UE and third-party application server.
Subject to regulatory requirements and based on operator policy, the 5G system shall provide a mechanism to support data integrity verification service to assure the integrity of the data exchanged between the 5G network and a third-party service provider.
NOTE: This requirement could apply to mechanisms supported over the interface between 5G core network and an external application, with no impact on RAN and UE.
Subject to regulatory requirements and based on operator policy, the 5G system shall provide a mechanism to support confidentiality to prevent exposure of data exchanged between the 5G network and a third party service provider.
NOTE: This requirement could apply to mechanisms supported over the interface between 5G core network and an external application, with no impact on RAN and UE.
8.10 5G Timing Resiliency
The 5G system shall support a mechanism to verify authorization of a 3rd party application to use 5G timing resiliency.
The 5G system shall support a mechanism to monitor and verify authenticity of the timing source, where supported by the time source.