HUAWEI TECHNOLOGIES CO., LTD. Page 1 HUAWEI Confidential
IoT Security Considerations in 5G
ETSI Security Week, June 11 – June 15, 2018
Marcus Wong, Huawei Technologies
Background
5G Major Use Cases as Defined by ITU
[Figure: the three ITU use-case families, Enhanced Mobile Broadband, Ultra-Reliable and Low-Latency Communications, and Massive Machine Type Communications, with example applications placed between them: 3D video and UHD screens, work and play in the cloud, augmented reality, gigabytes in a second, voice, industry automation, mission-critical applications, self-driving cars, smart city, smart home/building.]
Source: ITU-R M.[IMT.VISION]
IoT in 5G
Network Slicing / 5G Requirements
5G requirements compared with LTE (values as given on the slide):
Connections:  1M per square kilometer (LTE: 10,000), about 100x
Mobility:     500 km/h for express trains (LTE: 350 km/h), about 1.5x
Throughput:   10 Gbit/s per connection (LTE: 100 Mbit/s), about 100x
Latency:      1 ms end-to-end (LTE: 30–50 ms), about 30–50x
Slicing:      flexible and on demand, network as a service (NaaS) (LTE: inflexible)
Threats & Challenges
Attacks on IoT Devices
• Physical constraints, low power, low cost
• Unsecure credentials (hardcoded, defaults, etc.)
• Unsecured interfaces (web interface, open ports)
• Unprotected data paths
• SW implementation errors
• Protocol weakness
• DoS / DDoS
• Theft and tampering
• Difficult to update firmware, OS, or security patches
IoT Attacking the Network
[Figure: normal IoT devices and malicious IoT devices both attach through a gNB to an IoT server; the malicious devices mount a DDoS attack on the IoT server from inside the IoT population. Question posed on the slide: how to filter out a DDoS attack from IoT devices?]
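The slide asks how the network can separate a DDoS flood coming from compromised IoT devices from the traffic of normal devices of the same type. One defender-side answer is to compare each device against the traffic envelope its device class is expected to stay inside, so only the outliers are rate-limited or quarantined. The Go program below is an added example, not code from the deck or from Huawei; the flow records, the device classes and the per-class limits are constructed sample values, and in a real deployment the limits would come from subscription or slice policy or from a learned baseline.

```go
package main

import (
	"fmt"
	"sort"
)

// Flow is one per-device traffic sample collected on the network side (at the
// gNB or the IoT server), aggregated over a fixed one-minute window.
type Flow struct {
	DeviceID string
	Class    string // device type the subscription declares, e.g. "meter"
	Packets  int    // packets sent by the device in the window
	Dests    int    // distinct destination addresses contacted in the window
}

// Profile is the traffic envelope a device class is expected to stay within.
// The values used below are assumed for the example.
type Profile struct {
	MaxPackets int
	MaxDests   int
}

// FlagDevices returns, for every device that leaves its class envelope, the
// reason it was flagged. Devices of the same class that behave normally are
// absent from the result, which is what lets the network rate-limit or
// quarantine the attackers without cutting off the legitimate population.
func FlagDevices(flows []Flow, profiles map[string]Profile) map[string]string {
	flagged := make(map[string]string)
	for _, f := range flows {
		p, known := profiles[f.Class]
		switch {
		case !known:
			flagged[f.DeviceID] = "unknown device class " + f.Class
		case f.Packets > p.MaxPackets:
			flagged[f.DeviceID] = fmt.Sprintf("packet rate %d exceeds %d", f.Packets, p.MaxPackets)
		case f.Dests > p.MaxDests:
			flagged[f.DeviceID] = fmt.Sprintf("fan-out %d exceeds %d", f.Dests, p.MaxDests)
		}
	}
	return flagged
}

// FlaggedIDs returns the flagged device IDs in a stable order, ready to be
// logged or handed to a filtering element.
func FlaggedIDs(flagged map[string]string) []string {
	ids := make([]string, 0, len(flagged))
	for id := range flagged {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

// SampleFlows is constructed sample data: four meters and one sensor, two of
// which behave like DDoS bots (one floods one target, one sprays many).
var SampleFlows = []Flow{
	{"meter-001", "meter", 12, 1},
	{"meter-002", "meter", 15, 1},
	{"meter-003", "meter", 9000, 1}, // volumetric flood toward one target
	{"meter-004", "meter", 14, 1},
	{"sensor-017", "sensor", 40, 57}, // fan-out to many destinations
}

// SampleProfiles are assumed per-class envelopes for the sample data.
var SampleProfiles = map[string]Profile{
	"meter":  {MaxPackets: 60, MaxDests: 2},
	"sensor": {MaxPackets: 120, MaxDests: 3},
}

func main() {
	flagged := FlagDevices(SampleFlows, SampleProfiles)
	for _, id := range FlaggedIDs(flagged) {
		fmt.Printf("%s: %s\n", id, flagged[id])
	}
}
```

Two checks are deliberately kept separate: a volumetric flood shows up as packet rate, while a device scanning or spraying many targets can stay under the rate limit and only shows up as fan-out. A device whose class is not in the profile table is flagged rather than ignored, so a forged or unknown device type cannot slip past the filter.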
Challenges
• User User User User Plane/Control Plane delays due to crypto operations Plane/Control Plane delays due to crypto operations Plane/Control Plane delays due to crypto operations Plane/Control Plane delays due to crypto operations
(authentication, key updates, ciphering, etc.)(authentication, key updates, ciphering, etc.)(authentication, key updates, ciphering, etc.)(authentication, key updates, ciphering, etc.)
• Aggregating point at the RAN for multi Aggregating point at the RAN for multi Aggregating point at the RAN for multi Aggregating point at the RAN for multi IoTIoTIoTIoT DevicesDevicesDevicesDevices
• Quicker authentication Quicker authentication Quicker authentication Quicker authentication protocol protocol protocol protocol
• Lighter Lighter Lighter Lighter cryptographic algorithms or/and cryptographic algorithms or/and cryptographic algorithms or/and cryptographic algorithms or/and protocols protocols protocols protocols
• Network AccessNetwork AccessNetwork AccessNetwork Access
• Efficient data protectionEfficient data protectionEfficient data protectionEfficient data protection and privacy protectionand privacy protectionand privacy protectionand privacy protection
• EndEndEndEnd----totototo----end securityend securityend securityend security
Latency Challenges Efficiency Challenges Security Challenges
Meeting The Challenges
5G Security Architecture
[Figure: 5G security architecture overview. User Application and Provider Application sit in the Application Stratum; SN (serving network) and HE (home environment) in the Home Stratum/Serving Stratum; ME, USIM, 3GPP AN and Non-3GPP AN in the Transport Stratum. The numbered security domains (I) to (V) are drawn between these elements; in the 3GPP TS 33.501 numbering they are (I) network access security, (II) network domain security, (III) user domain security, (IV) application domain security and (V) SBA domain security.]
Security features 4G → 5G
Mutual authentication:
• 5G AKA & EAP-AKA', the 5G authentication protocols, inherit all features of EPS AKA
• Unified authentication
Air interface protection:
• Same as in 4G
• NAS/RRC: ciphering and integrity protection
• UP: ciphering
• User Plane security is terminated in the CU
Identity privacy and enhancements:
• Temporary ID, SUPI/SUCI
Network Domain Security:
• IPsec/TLS can be used to protect network domain interfaces
Key separation between base stations:
• The target base station doesn't know the key used in the source base station, and vice versa.
Other Considerations due to 5G
• Devices and applications proliferation
• Public key algorithms
• Larger key size considerations
• Lighter weight security
• URLLC
• Public safety
• Security policy due to differing capabilities and requirements
• Privacy of userless devices
Security enablers: On-demand security
Motivation
• IoT devices/applications have different security requirements and constraints
Security service negotiation
• RAN gets the security policy from the SMF via the AMF.
• RAN determines security based on the security policy, the RAN's capability and the IoT device's capability.
• The selected algorithms are sent to the UE.
• Activate security
[Figure: security policy input from the UE, PCF and UDM, and configuration input from O&M and third parties, feed the security policy held at the SMF; the SMF passes the policy to the RAN, which activates a different protection level per device: (1) IoT (128-bit cipher + integrity), (2) IoT (integrity only), (3) IoT (lighter weight cipher).]
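The negotiation described above has three inputs (the SMF's policy, the RAN's capability, the device's capability) and one output (the algorithms signalled to the UE). The Go program below is an added example of that selection logic, not code from the deck or from any Huawei product. It assumes a policy that lists acceptable ciphering algorithms in order (an empty list meaning "integrity only") and a boolean for user-plane integrity; NEA0/NIA0 are the 5G null algorithms, the other NEA/NIA names are the standard 5G algorithm identifiers, and "LW-NEA" is a placeholder for the lighter weight cipher on the slide, not a real identifier. The capability lists are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Policy is the per-device (or per-slice) security policy the SMF hands to
// the RAN via the AMF. Ciphers lists acceptable ciphering algorithms in
// policy order; an empty list means no user-plane ciphering is required.
type Policy struct {
	Name      string
	Ciphers   []string
	Integrity bool // user-plane integrity protection required
}

// Capabilities lists the algorithms a node supports, most preferred first.
type Capabilities struct {
	Ciphers     []string
	Integrities []string
}

// Selection is what the RAN signals to the UE. NEA0 and NIA0 are the null
// algorithms, i.e. "no ciphering" / "no integrity protection".
type Selection struct {
	Cipher    string
	Integrity string
}

func supports(list []string, a string) bool {
	for _, x := range list {
		if x == a {
			return true
		}
	}
	return false
}

// first returns the first algorithm in pref that every capability set supports.
func first(pref []string, sets ...[]string) (string, bool) {
	for _, a := range pref {
		ok := true
		for _, s := range sets {
			if !supports(s, a) {
				ok = false
				break
			}
		}
		if ok {
			return a, true
		}
	}
	return "", false
}

// Negotiate applies the SMF policy against RAN and UE capability. It fails
// closed: when the policy demands protection that no common algorithm can
// provide, the session is rejected rather than silently downgraded to null.
func Negotiate(pol Policy, ran, ue Capabilities) (Selection, error) {
	sel := Selection{Cipher: "NEA0", Integrity: "NIA0"}
	if len(pol.Ciphers) > 0 {
		c, ok := first(pol.Ciphers, ran.Ciphers, ue.Ciphers)
		if !ok {
			return Selection{}, errors.New(pol.Name + ": no common ciphering algorithm")
		}
		sel.Cipher = c
	}
	if pol.Integrity {
		i, ok := first(ran.Integrities, ue.Integrities)
		if !ok {
			return Selection{}, errors.New(pol.Name + ": no common integrity algorithm")
		}
		sel.Integrity = i
	}
	return sel, nil
}

// Constructed capabilities: the RAN supports several algorithms, the
// constrained IoT UE supports one standard cipher, the lightweight cipher
// and one integrity algorithm.
var RANCaps = Capabilities{
	Ciphers:     []string{"NEA2", "NEA1", "LW-NEA"},
	Integrities: []string{"NIA2", "NIA1"},
}

var IoTCaps = Capabilities{
	Ciphers:     []string{"NEA2", "LW-NEA"},
	Integrities: []string{"NIA1"},
}

// SlidePolicies mirrors the three device cases drawn on the slide.
var SlidePolicies = []Policy{
	{"IoT 1: 128-bit cipher + integrity", []string{"NEA2", "NEA1"}, true},
	{"IoT 2: integrity only", nil, true},
	{"IoT 3: lighter weight cipher", []string{"LW-NEA"}, false},
}

func main() {
	for _, p := range SlidePolicies {
		sel, err := Negotiate(p, RANCaps, IoTCaps)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("%-34s -> cipher %s, integrity %s\n", p.Name, sel.Cipher, sel.Integrity)
	}
}
```

The design point worth noticing is the fail-closed branch: a UE that advertises no acceptable algorithm is refused, so a device (or a bidding-down attempt) cannot obtain a null-protected session simply by claiming reduced capability when the policy requires protection.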
Continued Research: Blockchain and IoT
Blockchain Based IoT Device FW/SW Remote Attestation
• Validate and attest the security posture of the IoT devices.
• Blockchains provide data integrity to perform trust-based operations:
› Distributed operations
› Configuration management
› Software lifecycle management
› Remote asset management
› Field services for updating and adjusting configurations of these industrial assets.
• Blockchain to maintain important data, e.g., s/w signatures, configuration, security policy, network activities, device location, IP address, host and user behavior, file system activities, etc.
• Decentralization and consensus-based operation make hacking more difficult and the network inherently resilient, with no single point of failure.
• Immutable, incorruptible, mathematically provable
IoT FW/SW Management - Traditional Solution
• Traditional solution: public key cryptography / signature-based
• The device rejects any firmware update that is not cryptographically signed with the device manufacturer's private key
• Limitations
› Potential for compromise of the private key; revocation of keys when compromised
› Complexity of key management
› Expensive signature validation computation
› Usually only the software package is validated before installation. Once the software is unpacked and installed, it cannot be validated using the manufacturer's signature.
› The configuration files and security policy are different from host to host and therefore cannot be protected using digital signature validation.
› The dynamic running environment cannot be protected by the software manufacturer's digital signature.
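The two slides above make one argument in two halves: a manufacturer signature proves the package was genuine at install time, but says nothing about the per-host configuration, the security policy, or what the device runs afterwards, which is the gap the blockchain-based attestation on the previous slide is meant to close. The Go program below is an added example, not code from the deck or from Huawei, that puts both halves side by side: an Ed25519 signature check over a firmware image (the traditional control), and a hash-chained ledger of post-install measurements covering installed files and host-specific config, against which a device is later attested. The key pair, file paths and contents are constructed; the single-writer hash chain stands in for a consensus-maintained blockchain and is not a distributed ledger.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// DemoKeys generates a throw-away manufacturer key pair for the example.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignFirmware is the manufacturer side; FirmwareSigned is the device-side
// check that rejects any image not signed by the manufacturer's key.
func SignFirmware(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, image)
}

func FirmwareSigned(pub ed25519.PublicKey, image, sig []byte) bool {
	return ed25519.Verify(pub, image, sig)
}

// Measurement is what a device actually runs after install: installed files
// plus its host-specific config and policy, which the package signature
// never covered. Contents below are constructed sample data.
type Measurement struct {
	DeviceID string
	Files    map[string]string // path -> content
}

// Digest hashes the device id and the sorted path/content pairs so the same
// state always yields the same value.
func (m Measurement) Digest() string {
	paths := make([]string, 0, len(m.Files))
	for p := range m.Files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	h := sha256.New()
	h.Write([]byte(m.DeviceID + "\n"))
	for _, p := range paths {
		h.Write([]byte(p + "\n" + m.Files[p] + "\n"))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Block is one ledger entry; Hash commits to the previous hash, so a record
// cannot be altered or dropped without every later hash changing.
type Block struct {
	Prev, DeviceID, Digest, Hash string
}

func blockHash(prev, device, digest string) string {
	sum := sha256.Sum256([]byte(prev + "|" + device + "|" + digest))
	return hex.EncodeToString(sum[:])
}

// Append records a measurement after the current chain head.
func Append(chain []Block, m Measurement) []Block {
	prev := ""
	if len(chain) > 0 {
		prev = chain[len(chain)-1].Hash
	}
	d := m.Digest()
	return append(chain, Block{prev, m.DeviceID, d, blockHash(prev, m.DeviceID, d)})
}

// ChainValid recomputes every link from the first entry.
func ChainValid(chain []Block) bool {
	prev := ""
	for _, b := range chain {
		if b.Prev != prev || b.Hash != blockHash(b.Prev, b.DeviceID, b.Digest) {
			return false
		}
		prev = b.Hash
	}
	return true
}

// Attest compares a fresh device measurement with the device's latest ledger
// record; a broken chain or an unknown device fails closed.
func Attest(chain []Block, m Measurement) bool {
	if !ChainValid(chain) {
		return false
	}
	for i := len(chain) - 1; i >= 0; i-- {
		if chain[i].DeviceID == m.DeviceID {
			return chain[i].Digest == m.Digest()
		}
	}
	return false
}

func main() {
	pub, priv := DemoKeys()
	image := []byte("firmware-2.1 constructed image bytes")
	sig := SignFirmware(priv, image)
	fmt.Println("genuine image accepted:", FirmwareSigned(pub, image, sig))
	fmt.Println("modified image accepted:", FirmwareSigned(pub, append(image, '!'), sig))

	installed := Measurement{"plc-42", map[string]string{
		"/opt/fw/app.bin":    "firmware-2.1 constructed image bytes",
		"/etc/device/policy": "integrity=on cipher=on",
	}}
	chain := Append(nil, installed)
	fmt.Println("unchanged device attests:", Attest(chain, installed))
	drifted := Measurement{"plc-42", map[string]string{
		"/opt/fw/app.bin":    "firmware-2.1 constructed image bytes",
		"/etc/device/policy": "integrity=off cipher=off", // policy edited after install
	}}
	fmt.Println("drifted device attests:", Attest(chain, drifted))
}
```

Note what each half catches: the signature check rejects a modified image but accepts the drifted device, because the policy file was never part of the signed package; the measurement ledger catches the policy edit because the record covers the host-specific files, and editing a stored record breaks every hash after it.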
Blockchain for IoT security
[Figure: End-to-End IoT Platform. Smart objects in IoT area networks connect through an IoT gateway (A) and a local network node at the edge for data and control (B), running on local network stacks and an enterprise IoT app local hosting platform/server; IoT orchestration/service chaining (C) runs on the core network NFV platform as IoT vNFs; an aggregation network (D) joins the access network and core network to the blockchain core cluster (E), which is reached through blockchain gateway connections and APIs from IoT analytics, data storage/cloud and compute grid resources. Notes on the slide: leverage presence and proximity to subscribers; leverage carrier cloud infrastructure for hosting management and billing.]
www.huawei.com
Copyright © 2017 Huawei Technologies Co., Ltd. All Rights Reserved. The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
Thank you