Do you recognize these challenges

The enhanced security that 5G provides puts additional requirements on mobile network operators (MNOs):

  • Protection of the closely placed base stations from threats like device tracking, call interception, frequency jamming, physical attacks on base stations and flooding.
  • Implementation of TLS-based mutual authentication and transport security between the Network Functions (NFs) in the Service-Based Architecture (SBA), as prescribed by the 3GPP 5G specification.
  • Automation of certificate lifecycle management for the NFs, to cope with the frequent updates imposed by continuous deployment strategies.
  • PKI requirements for virtualization platforms.
  • PKI for Open RAN (O-RAN) security.

Backhaul protection

In 5G mobile networks, base stations and small cells are deployed in unsecured areas, so they need a secured connection to the backbone network that provides confidentiality and integrity and prevents malicious exploitation of an unprotected communication link.

Network elements communicating over an unsecure network use strong public-key authentication based on machine certificates. The certificates are requested and regularly renewed from the Certificate Authority (CA) of the corporate PKI, typically using the standard protocols Simple Certificate Enrolment Protocol (SCEP) and Certificate Management Protocol (CMP).


Secure NF communication

As per 3GPP Rel-15 (TS 33.501), the NFs in the 5G Core (5GC) Service-Based Architecture (SBA) communicate with each other using TLS for mutual authentication and transport security, and OAuth 2.0 tokens for authorization. This relies on a Public-Key Infrastructure (PKI) being in place in the network, where a Certificate Authority (CA) issues certificates to each of the communication endpoints.

The 5GC microservice architecture, with its continuous deployment and updates, together with the use of TLS for all connections between NFs, furthermore creates a need for a highly automated process to issue and manage certificates.

Virtualization Platforms PKI

In 5G SBA (Service-Based Architecture) mobile networks, which face strong regulatory requirements, the question of tenant control over certificates goes deep.

To avoid circumventing security, it is important that the certificates used by virtualization platforms such as Kubernetes have their root in an officially managed external CA rather than being autogenerated by the virtualization platform itself.
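The two points above (NFs authenticating each other with CA-issued certificates over TLS, and platform certificates needing to chain to the corporate CA rather than an autogenerated cluster root) come down to one trust decision per connection. The following Go program is an added example, not Nexus code and not part of a 3GPP specification: it builds a corporate root CA and a second, cluster-generated root, issues NF certificates from each, and shows which peers an NF accepts when its trust store holds only the corporate root. The CA names and the DNS names nrf.5gc.example and amf.5gc.example are constructed for the example; the issuing function stands in for whatever enrolment protocol (SCEP, CMP, EST or ACME) carries the request in a real deployment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newKey generates a P-256 key. Each NF keeps its own private key; only the
// public half leaves the node during enrolment.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newCA builds a self-signed root. The operator's corporate root and a root
// autogenerated inside a cluster look the same on the wire; the difference is
// only which one the trust store holds.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name}, // constructed name
		NotBefore:             time.Now().Add(-2 * time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issueLeaf is the CA side of an enrolment: sign a certificate for one NF,
// named by DNS name, valid for ttl (a negative ttl yields an already expired
// certificate, the lifecycle failure automation is meant to prevent).
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, ttl time.Duration) tls.Certificate {
	key := newKey()
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-2 * time.Hour),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// verifyPeer is the trust decision an NF makes about a peer certificate: it
// must chain to a root in the trust store, be inside its validity period and
// carry the expected name. Returns nil when the peer is acceptable.
func verifyPeer(roots *x509.CertPool, peer tls.Certificate, expectName string) error {
	leaf, err := x509.ParseCertificate(peer.Certificate[0])
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   expectName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	})
	return err
}

// mtlsHandshake runs one TLS 1.2+ handshake over loopback TCP with both sides
// checking the peer against the same trust store, as two NFs in the SBA do.
func mtlsHandshake(roots *x509.CertPool, server, client tls.Certificate, serverName string) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvConf := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots, MinVersion: tls.VersionTLS12}
	cliConf := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}
	errc := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			errc <- err
			return
		}
		defer c.Close()
		errc <- tls.Server(c, srvConf).Handshake()
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), cliConf)
	if err == nil {
		c.Close()
	}
	if serr := <-errc; err == nil {
		err = serr
	}
	return err
}

func main() {
	corpRoot, corpKey := newCA("Operator Corporate Root CA")
	clusterRoot, clusterKey := newCA("kubernetes") // autogenerated platform CA
	roots := x509.NewCertPool()
	roots.AddCert(corpRoot) // only the corporate root is trusted
	nrf := issueLeaf(corpRoot, corpKey, "nrf.5gc.example", time.Hour)
	amf := issueLeaf(corpRoot, corpKey, "amf.5gc.example", time.Hour)
	rogue := issueLeaf(clusterRoot, clusterKey, "amf.5gc.example", time.Hour)
	stale := issueLeaf(corpRoot, corpKey, "amf.5gc.example", -time.Hour)
	fmt.Println("corporate-issued AMF -> NRF:", mtlsHandshake(roots, nrf, amf, "nrf.5gc.example"))
	fmt.Println("cluster-issued AMF   -> NRF:", mtlsHandshake(roots, nrf, rogue, "nrf.5gc.example"))
	fmt.Println("expired AMF          -> NRF:", mtlsHandshake(roots, nrf, stale, "nrf.5gc.example"))
}
```

The first handshake succeeds and the other two fail with "certificate signed by unknown authority" and "certificate has expired or is not yet valid" respectively. The cluster-issued certificate is rejected not because it is malformed but because its root is absent from the trust store, which is the practical effect of rooting platform certificates in the corporate CA; the expired one shows why renewal has to be automated when certificates are short-lived and NFs are redeployed continuously.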


Open RAN (O-RAN) Security

The 5G Open RAN concept aims at a more open radio access network architecture.

3GPP prescribes a zero-trust architecture for Open RAN, with IPsec/DTLS on the E1, Xn, midhaul (F1) and open fronthaul (M-Plane) interfaces. Support for TLS 1.2+ and X.509 Public Key Infrastructure (PKIX) for mutual authentication is also mandatory.

How does it work?

Nexus Smart ID Certificate Manager can issue and manage the lifecycle of trusted identities based on PKI certificates through standard certificate management protocols, including ACME, SCEP, EST and CMP.

Nexus Smart ID, and the GO IoT service offered on top of it, are based on mature, scalable, highly reliable, continuously tested and maintained products. The multi-CA and multitenancy solution helps you adapt the PKI hierarchy, administration and reporting to your needs. Nexus' solution offers automation features and a solid track record.


Why Nexus

Nexus’ platform for 5G PKI has the following key benefits:

Proven worldwide

Is used in critical, large-scale installations by several of the biggest mobile operators world-wide.

High security

Offers proven high security, as Nexus’ quality-assured PKI platform is being certified according to Common Criteria EAL4+, and Nexus’ organization complies with ISO 27001 and TISAX.

Offered as a service

Is offered as a service, with guaranteed SLA and capacity as you grow.