Do you recognize these challenges?
The enhanced security that 5G provides puts additional requirements on mobile network operators (MNOs):
- Protection of the closely placed base stations from threats like device tracking, call interception, frequency jamming, physical base station attacks, and flooding.
- Implementation of the TLS-based mutual authentication and transport security between the Network Functions (NFs) in the Service-Based Architecture (SBA) as prescribed by 3GPP 5G specification.
- Automation of certificate lifecycle management for the NFs, to cope with the frequent updates imposed by continuous deployment strategies.
- Securing Customer Premises Equipment (CPE), e.g. broadband routers.
- PKI requirements for virtualization platforms.
- PKI for Open RAN (O-RAN) security.
In 5G mobile networks, base stations and small cells are deployed in unsecured locations, which mandates a secured connection to the backbone network to ensure confidentiality and integrity and to prevent malicious exploitation of an unprotected communication link.
The network elements communicating over an unsecure network use strong public-key authentication based on machine certificates. The certificates are regularly requested from and renewed by the Certificate Authority (CA) of the corporate PKI, typically using the standard protocols Simple Certificate Enrolment Protocol (SCEP) and Certificate Management Protocol (CMP).
Secure NF communication
As per 3GPP Rel-15 (TS 33.501), the NFs in the 5G Core (5GC) Service-Based Architecture (SBA) communicate with each other using TLS-based mutual authentication and transport security, and OAuth 2.0 token-based authorization. This relies on a Public-Key Infrastructure (PKI) being in place in the network, where a Certificate Authority (CA) issues certificates to each of the communication endpoints.
The 5GC microservice architecture, with its continuous deployment and updates and the overall use of TLS for connections between the NFs, furthermore creates a need for a highly automated process to issue and manage certificates.
Remote management of and communication with Internet Service Provider (ISP) Customer Premises Equipment (CPE), i.e. broadband routers, shall be authenticated and secured using digital certificates, as per Broadband Forum specification TR-369.
ISPs can enrol their operator certificate on the CPEs by having each CPE request the certificate from the Certificate Authority over the Enrolment over Secure Transport (EST) protocol, authenticating with its birth certificate.
Manufacturers of CPE can inject birth certificates from a Factory CA at production time, establishing a trusted device identity that lets the device securely authenticate to the ISP's Operational CA.
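The two trust domains described above, modelled as an added example in Go (not Nexus' or any project's code): a constructed Factory CA and a constructed ISP Operational CA, a CPE birth certificate that only the Factory CA trust store accepts, and an operator certificate issued only after that check passes. The CA names, the CPE serial and the `issue`/`trustedBy`/`bootstrap` helpers are all assumptions for the demo; a real deployment would use the EST exchange itself rather than local issuance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a P-256 certificate for cn and its key: a self-signed CA when parent is nil,
// otherwise an end-entity client certificate signed by parent (constructed demo PKI).
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; real CAs use random serials
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed CA: mark as CA, allow cert signing, sign with its own key
		tmpl.IsCA, tmpl.KeyUsage, tmpl.ExtKeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, nil, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trustedBy reports whether cert chains to ca for client authentication, i.e. what a
// server whose trust store holds only ca would decide during a mutual-TLS handshake.
func trustedBy(ca, cert *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// bootstrap models the CPE flow: the Factory CA birth certificate is accepted by the EST
// bootstrap endpoint but not by services trusting only the Operational CA; enrolment follows.
func bootstrap() (birthOK, birthOnOperational, operatorOK bool) {
	factoryCA, factoryKey := issue("Factory CA", nil, nil)
	operationalCA, operationalKey := issue("ISP Operational CA", nil, nil)
	birth, _ := issue("cpe-serial-0001", factoryCA, factoryKey) // injected at production time
	birthOK = trustedBy(factoryCA, birth)                         // bootstrap trust store: Factory CA
	birthOnOperational = trustedBy(operationalCA, birth)          // wrong trust domain: must be false
	if birthOK { // operator certificate is issued only after the birth certificate validates
		operator, _ := issue("cpe-serial-0001", operationalCA, operationalKey)
		operatorOK = trustedBy(operationalCA, operator)
	}
	return
}
```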
Open RAN (O-RAN) Security
The 5G Open RAN concept aims at a more open radio access network architecture.
3GPP prescribes a zero-trust architecture for Open RAN, with IPsec/DTLS on the E1, Xn, midhaul (F1) and open fronthaul (M-Plane) interfaces. Support for TLS 1.2+ and Public Key Infrastructure X.509 (PKIX) for mutual authentication is also mandatory.
How does it work?
Nexus Smart ID Certificate Manager can issue and manage the lifecycle of trusted identities based on PKI certificates through standard certificate management protocols, including ACME, SCEP, EST and CMP.
Nexus Smart ID, and the GO IoT service built on it, are based on mature, scalable, highly reliable, continuously tested and maintained products. The multi-CA and multi-tenancy solution helps you adapt the PKI hierarchy, administration and reporting to your needs. Nexus' solution offers automation features and a solid track record.
Nexus’ platform for 5G PKI has the following key benefits: