AAA (Authentication, Authorization and Accounting)

In current mobile and fixed networks, the AAA functions have mainly been designed to meet the need of network operators and service providers for secure network access and for billing of end customers. The authentication options for end-user devices have gradually been extended to allow a wide range of access methods and billing alternatives. The AAA options for the various network-based end-user services are even more diverse.
The main challenge for 5G will be to cope with this extensive AAA legacy framework while allowing the extensions, both in technology and in business models, that future networks will need.

5G-ENSURE will investigate security enablers in the following main areas.


Basic AAA enabler

The Authentication and Key-agreement (AKA) procedures for 2G, 3G and 4G generations of mobile network have mostly fulfilled the requirements of each of these generations.
Although it can be assumed that 5G will use a basic access authentication similar to the current 4G/LTE protocols, the 5G use cases also bring new requirements that the next-generation AKA protocol must support. Additionally, the protocol must address security weaknesses that have been discovered in present networks.

The Basic AAA enabler aims both to strengthen the basic security properties of 5G AAA, such as privacy, and to extend secure authentication and authorization methods into the operator core networks.

Relevance for 5G-ENSURE
Security has been an important part of the earlier success of mobile communication; public trust has been steadfast since the introduction of GSM. The Basic AAA enabler will address security weaknesses revealed in current-generation networks and study new features for trusted micro-segmentation and for the authentication of network nodes.

Challenges addressed
There have been recent reports of compromised long-term keys, stored both in the mobile network and on the user's SIM card. In such situations, the protection against both active and passive attackers is lost. The Basic AAA enabler will research how new methods can mitigate this threat, possibly via properties such as (perfect) forward secrecy. The enabler will also address the privacy aspect of protocol interactions, with enhanced anonymity properties and improved unlinkability.
Finally, the enabler will bring new features to 5G. It will enhance the authentication and authorization protocol between mobile operators, to mitigate the risk of malicious operators, and will study the AAA aspects of trusted micro-segmentation.
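To illustrate the long-term-key threat and the forward-secrecy mitigation mentioned above, here is an added Python model (not code from the 5G-ENSURE project): an AKA-style session key derived only from the long-term key K and the challenge RAND, beside a variant that mixes in an ephemeral Diffie-Hellman secret authenticated under K. The DH group, key sizes and derivation labels are constructed for readability and are not those of any standardised protocol.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for readability only: 2**127 - 1 is a
# Mersenne prime, far too small for real use (real protocols use 2048-bit+
# MODP groups or elliptic curves).
P = 2 ** 127 - 1
G = 3

def derive_session_key(K: bytes, rand: bytes, dh_secret=None) -> bytes:
    """AKA-style: key from long-term K and the challenge RAND. If an ephemeral
    DH secret is given it is mixed in, so the key no longer depends on K alone."""
    k_material = hmac.new(K, b"session" + rand, hashlib.sha256).digest()
    if dh_secret is None:
        return k_material
    return hashlib.sha256(k_material + dh_secret.to_bytes(16, "big")).digest()

def legacy_run(K: bytes):
    """Legacy exchange: the only fresh input is the challenge sent in clear."""
    rand = secrets.token_bytes(16)
    return derive_session_key(K, rand), {"rand": rand}

def forward_secret_run(K: bytes):
    """Same exchange plus ephemeral DH values, MACed under K so an active
    attacker without K cannot substitute its own values."""
    rand = secrets.token_bytes(16)
    a = secrets.randbelow(P - 3) + 2   # UE ephemeral exponent
    b = secrets.randbelow(P - 3) + 2   # network ephemeral exponent
    ga, gb = pow(G, a, P), pow(G, b, P)
    tag = hmac.new(K, rand + ga.to_bytes(16, "big") + gb.to_bytes(16, "big"),
                   hashlib.sha256).digest()
    shared = pow(gb, a, P)             # equals pow(ga, b, P)
    # a and b are discarded afterwards; only rand, ga, gb and tag were observable.
    return derive_session_key(K, rand, shared), {"rand": rand, "ga": ga, "gb": gb, "tag": tag}

def attacker_after_key_leak(K: bytes, transcript: dict) -> bytes:
    """Passive attacker who recorded `transcript` and later obtains K: it can redo
    the K-based derivation but holds no ephemeral exponent, so the DH
    contribution (a discrete log in the group) is out of reach."""
    return derive_session_key(K, transcript["rand"])

def demo() -> dict:
    K = secrets.token_bytes(16)   # long-term key shared by SIM and network (constructed)
    legacy_key, legacy_tx = legacy_run(K)
    fs_key, fs_tx = forward_secret_run(K)
    return {
        "legacy_session_recovered": attacker_after_key_leak(K, legacy_tx) == legacy_key,
        "forward_secret_session_recovered": attacker_after_key_leak(K, fs_tx) == fs_key,
    }
```

Running demo() shows that a later leak of K exposes every recorded legacy session but none of the forward-secret ones.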


Internet of Things enabler

The collection of connected devices (or "things"), commonly referred to as the Internet of Things (IoT), is likely to grow substantially. As 5G aims to be the network of excellence for IoT, it must provide an adequate level of security, which in turn introduces novel security challenges for the authentication of IoT devices in 5G.
The IoT enabler for 5G will address the novel requirements brought by the expected (massive) deployment of 5G-connected IoT devices. The current SIM card, while providing strong key protection, is known to be a hurdle for certain use cases and is also a non-negligible cost. To maximize the attractiveness of 5G for IoT devices, the enabler will research how these devices can authenticate in 5G without the need for a hardware SIM (UICC).

In massive deployments of devices, the existing AKA protocol is not suitable, as each device has to run the full AKA procedure. 5G needs to offer light-weight authentication protocols, so the IoT enabler will prototype a new feature that provides group-based authentication, to efficiently authenticate the devices in a group.
It can be foreseen that large "enterprises" may already have an existing AAA infrastructure in place. To further minimize the cost of becoming "5G subscribers", the enabler's vision is to allow such user groups to re-use their pre-existing identities as a basis for 5G access, i.e. a bring-your-own-identity (BYOI) solution.

Relevance for 5G-ENSURE
The use cases introduced for 5G have a strong emphasis on the massive deployment of devices. To succeed as the network of excellence for IoT, 5G-ENSURE must research new protocols and methods that specifically address IoT devices.

Challenges addressed
The IoT enabler's main focus will be to support the requirements introduced primarily by IoT. The enabler will address the authentication challenges brought by massive deployments of devices, which require a light-weight protocol adapted for large groups of devices and able to operate without the security of UICC-stored keys. Additionally, to increase the attractiveness of 5G for enterprises, support for third-party identities will be investigated.


Authorization enabler

The authorization enabler focuses on authorization for two areas, expected to be strongly involved in 5G:

  • new methods to provide a distributed authorization enhancement suitable for resource-constrained environments. The goal of the enabler is to make 5G fully ready for identity and access management of IoT devices.
  • requirements from 5G satellite business needs and 5G-ENSURE use cases. The goal is to provide an integrated satellite and terrestrial approach, in contrast to the diverse methods existing today, for secure fine-grained access control to services and resources.

Relevance for 5G-ENSURE
Machine-to-machine communication between resource-constrained devices is expected to be an important aspect of 5G, so the authorization methods must also be adapted to the needs of such devices.
The enabler will integrate satellite and terrestrial communications, which is necessary to enable the 5G use cases that can only be served by satellites, or for which satellites provide a more efficient solution.

Challenges addressed
Existing protocols are rarely efficient enough to run in resource-constrained environments. This enabler will take a distributed approach to enable light-weight authorization decisions in 5G, e.g. through integration with existing protocols such as OpenID Connect. The goal is a self-sufficient 5G security token compatible with resource-constrained devices.
The main challenge is the joint approach to terrestrial and satellite communication and the integration with the existing multitude of AAA protocols.


Federative authentication & identification enabler

The vision of the federative authentication and identification enabler is to offer a way to evaluate the trust and liability of incoming requests at different nodes. By analyzing specific data from operators through key performance indicators, the appropriate trust level can be measured. This will allow 5G nodes to dynamically adapt their security policy before delivering content or a service.
The enabler will additionally research how existing federative protocols can be extended into 5G, to provide a complete single-sign-on experience beyond the web.

Relevance for 5G-ENSURE
This enabler will study the possibility of enabling a federation between actors, re-using existing web technologies and IETF results. The enabler will also bring a similar approach to a joint AAA protocol for both satellite and terrestrial systems.

Challenges addressed
In LTE, there are currently no methods that provide a true single-sign-on experience beyond the web. By integrating the existing, differentiated methods, 5G-ENSURE aims to provide secure federative authentication in 5G.
5G nodes also need to evaluate the trust level of incoming requests, so that they can dynamically adjust their response based on specific key performance indicators. Meeting this challenge is essential to establish a liability scheme between actors in 5G networks.