Do you recognize these challenges
The enhanced security that 5G provides, puts additional requirements on the MNOs:
- Protection of the closely placed base stations from threats like device tracking, call interception, frequency jamming, physical base stations attacks and flooding.
- Implementation of the TLS based mutual authentication and transport security between the Network Functions (NFs) in the Service-Based Architecture (SBA) as prescribed by 3GPP 5G specification.
- Automation of the certificate lifecycle management for the NFs to cope with the frequent updates imposed by continuous deployment strategies
- PKI for virtualization platforms requirements
- PKI for management of Subscription Concealed Identifier (SUCI)
In 5G mobile networks, base stations and small cells are deployed in an unsecured area, mandating a secured connection to the backbone network to ensure confidentiality and integrity in order to prevent malicious exploit of an unprotected communication link.
The network elements communicating over an unsecure network are using strong public key authentication based on machine certificates. The certificates are regularly requested and renewed from the Certificate Authority (CA) of the corporate PKI typically using standard protocols Simple Certificate Enrolment Protocol (SCEP) and Certificate Management Protocol (CMP).
Secure NF communication
As per 3GPP Rel-15 (TS 33.501), the NFs in the 5G Core (5GC) Service-Based Architecture (SBA) communicate with each other based on TLS based mutual authentication and transport security and OAuth 2.0 token-based authorization. This relies on the use of a Public-Key Infrastructure (PKI) in place in the network, where a Certificate Authority (CA) issues certificates to each of the communication endpoints.
5GC microservice architecture with continuous deployment and updates and the overall use of TLS for connections between the NFs furthermore constitutes a need for a highly automated process to issue and manage certificates.
Virtualization Platforms PKI
In the 5G SBA (Service-Based Architecture) mobile networks with strong regulatory requirements, the issue of tenant control of certificates goes deep.
In order not to circumvent security, it is important that the certificates used by virtualization platforms, e.g. Kubernetes, have its root in an officially managed external CA rather than being autogenerated by the virtualization platform itself.
Subscriber identity (IMSI) is not transmitted in cleartext in the network communication in 5G but instead an encrypted identity, Subscription Concealed Identity (SUCI), is used.
This asymmetric encryption is based on PKI where the private key is stored in UDM network component and the public key is stored on the SIM card.
How does it work?
Nexus Smart ID Certificate Manager can issue and manage the lifecycle of trusted identities based on PKI certificates through standard certificate management protocols, including ACME, SCEP, EST and CMP.
Nexus SmartID and the GO IoT service offered based on it, are based on mature, scalable, highly reliable, continuously tested and maintained products. The multi-CA and multitenancy solution helps you adapt the PKI hierarchy, administration, and reporting, to your needs. Nexus' solution offers automation features and a solid track record.
Nexus’ platform for 5G PKI has the following key benefits: