Network operators are attempting many innovations and changes in 5G using self-organizing networks(SON).The SON operates on the measurement reports(MR),which are obtained from user equipment(UE)and secured against mal...Network operators are attempting many innovations and changes in 5G using self-organizing networks(SON).The SON operates on the measurement reports(MR),which are obtained from user equipment(UE)and secured against malware and userspace programs.However,the synchronization signal block that the UE relies on to measure the wireless environment configured by a base station is not authenticated.As a result,the UE will likely gauge the wrong wireless environment configured by a false base station(FBS)and transmit the corresponding MR to the serving base station,which poisons the data used for 5G SONs.Therefore,the serving base stations must verify the authenticity of the MR.The 3GPP has advocated numerous solutions for this issue,including the use of public key certificates,identity-based keys,and group keys.Although the solution leveraging group keys have better efficiency and practicality than the other two,they are vulnerable to security threats caused by key leaks via insiders or malicious UE.In this paper,we analyze these security issues and propose an improved group key protocol that uses a new network function,called a broadcast message authentication network function(BMANF),which validates broadcasted messages on behalf of the UE.The protocol operates in two phases:initial and verification.During the initial phase,the 5G core network distributes a shared secret key to the BMANF and UE,allowing the latter to request an authentication ticket from the former.During the verification phase,the UE requests the BMANF to validate the broadcasted messages received from base stations using the ticket and its corresponding shared key.For evaluation,we formally verified the proposed protocol,which was then compared with alternative methods in terms of computing cost.As a result,the proposed protocol fulfills the security requirements and shows a lower overhead than the alternatives.展开更多
基金This work was supported by Institute of Information&communications Technology Planning&Evaluation(IITP)grant funded by the Korea government(MSIT)(No.2020-0-00952,Development of 5G Edge Security Technology for Ensuring 5G+Service Stability and Availability,100%)。
文摘Network operators are attempting many innovations and changes in 5G using self-organizing networks(SON).The SON operates on the measurement reports(MR),which are obtained from user equipment(UE)and secured against malware and userspace programs.However,the synchronization signal block that the UE relies on to measure the wireless environment configured by a base station is not authenticated.As a result,the UE will likely gauge the wrong wireless environment configured by a false base station(FBS)and transmit the corresponding MR to the serving base station,which poisons the data used for 5G SONs.Therefore,the serving base stations must verify the authenticity of the MR.The 3GPP has advocated numerous solutions for this issue,including the use of public key certificates,identity-based keys,and group keys.Although the solution leveraging group keys have better efficiency and practicality than the other two,they are vulnerable to security threats caused by key leaks via insiders or malicious UE.In this paper,we analyze these security issues and propose an improved group key protocol that uses a new network function,called a broadcast message authentication network function(BMANF),which validates broadcasted messages on behalf of the UE.The protocol operates in two phases:initial and verification.During the initial phase,the 5G core network distributes a shared secret key to the BMANF and UE,allowing the latter to request an authentication ticket from the former.During the verification phase,the UE requests the BMANF to validate the broadcasted messages received from base stations using the ticket and its corresponding shared key.For evaluation,we formally verified the proposed protocol,which was then compared with alternative methods in terms of computing cost.As a result,the proposed protocol fulfills the security requirements and shows a lower overhead than the alternatives.
