Security Enablers

5G-ENSURE sets out to become the 5G PPP reference project for 5G security, privacy and trust. The 5G-ENSURE Security and Privacy Enablers are the major building blocks to achieve this goal. Grouped into five clusters, the enablers are all security features, products or services, developed within the project with two major software releases.

  • AAA – 5G-ENSURE has advanced secure functions to support 5G use cases. Impact: 5G support for IoT and satellite systems. Trust and liability levels.
  • Privacy – 5G-ENSURE has increased users’ assurance and confidence in 5G through enhanced user data protection implemented with solutions at several layers. Impact: Creation of services and business models on top of 5G.
  • Trust – 5G-ENSURE has delivered tools using new trust models, including M2M interactions. Impact: Trustworthy dynamic 5G multi-stakeholder system.
  • Security Monitoring – 5G-ENSURE has focused on security by operations, i.e., monitoring and auditing 5G security. Impact: Resilient 5G system to implement new services.
  • Network Management & Virtualisation Isolation – 5G-ENSURE has concentrated on a secure network control plane including virtualised networks and network services. Impact: Mitigate security threats in SDN.
Each enabler is listed below with a short description, followed by the partner and the contact for external use.
AAA: Internet of Things

The Group-based AKA feature of this enabler is designed to support the novel requirements introduced by the massive deployment of IoT devices and to make 5G the network of excellence for IoT. In Release 2, the implementation has been improved with native support for multiple devices and a resynchronisation procedure added to the protocol. Simplifying the deployment of AAA infrastructures is the main design goal behind the new Release 2 feature, Non-USIM based AKA. Another new feature is BYOI, designed to allow enterprises that already have an AAA infrastructure in place for devices and/or employees to re-use pre-existing identities as the basis for 5G network access. This is expected to reduce the administrative burden and lower the overall cost. Guide | Demo

Partner: RISE SICS | Contact: Thomas Carnehult

AAA: Fine-grained authorisation

Early features in Release 1 include Basic Authorisation in Satellite Systems, to support access control of multiple users with different rights in satellite devices and services, and Basic Distributed Authorisation Enforcement for RCDs (resource constrained devices), to support access control on RCDs based on existing HTTP solutions using ABAC and adapted for these devices.

New features in Release 2 are: AAA integration with satellite systems, implementing policies that decide per user, resource and action, with a server holding the relationships between all of them; Authorisation and authentication for RCD, based on ongoing IETF standardisation, to enable standards-based, fine-grained access control and authentication on resource constrained devices connected at the edge via low power lossy networks; and Basic Distributed Authorisation Enforcement for RCDs based on existing web standards. This last feature demonstrates how, through 5G networks, IoT devices can securely provide services based on existing web standards, relying on the existing web access control architecture with a trusted third party authentication server and a centralised access control policy, without requiring more resource consumption. Guide | Demo, Demo

Partner: Thales Services | Contact: Cyrille Martins

Privacy: Enhanced Identity Protection

The feature, Encryption of Long Term Identifiers (IMSI KPABE-based encryption), was developed for Release 1 to limit (and preferably totally avoid) exposing user permanent or long term identities on (at least) the air interface (i.e., in Attach requests, Identity responses).

The new Release 2 feature is Home Network centric IMSI protection, designed to preserve the confidentiality of the mobile subscriber’s identity in the 5G network, thus preventing privacy violations such as user tracking. The other new feature, IMSI Pseudonymisation, is designed to complement the “Encryption of Long Term Identifiers” feature in order to totally avoid exposing user permanent or long term identities on (at least) the air interface (i.e., in Attach Requests, Identity Responses, Paging Responses), thereby preventing user traceability. Guide | Demo

Partner: TIIT | Contacts: Luciana Costa, Madalina Baltatu

Privacy: Device Identifier Privacy

The Release 1 feature, privacy for network attachment protocols, is designed to limit exposure of device identifiers and prior points of attachment, and therefore to limit the ability to track a device. Release 2 adds the new feature, anonymous and optimised address selection for network attachment protocols. It is designed for enhanced address anonymity: it protects device identifiers and prior points of attachment, and therefore limits the ability to track a device. Guide | Demo

Partner: University of Oxford | Contact: Piers O'Hanlon

Privacy: Device-based Anonymisation

This enabler was entirely developed for Release 2. The format preserving anonymisation algorithm is a feature designed to avoid disclosure of sensitive information to all or selected user space applications. The algorithm preserves the input data format for data such as the IMSI, IMEI, telephone number, etc.

Privacy configuration is the other feature of this enabler, designed to make active use of the anonymisation capabilities to protect sensitive data and thus avoid its disclosure to user space applications if the user so desires. Guide | Demo

Partner: TIIT | Contacts: Luciana Costa, Madalina Baltatu

Privacy: Privacy Policy Analysis

This is a new enabler for Release 2. The Privacy Policy Specification feature supports loading a privacy policy into the enabler, which is a prerequisite for a privacy analysis of service offerings. The Privacy Preferences Specification feature encodes users’ preferences as a requirement for comparison with service offerings. The preferences offered to the user are generated from the policy-affecting actions described in each policy, making the process flexible and able to cope with multiple domains and varying managed services.

The comparison of policies and preferences service allows policies managed by the system to be compared with a user’s expressed preferences, with the analysis presented to the user in a clearly understandable form. Policies with offending actions (i.e. actions which do not comply with the user’s preferences) are classified as noncompliant, and all the policies are given, and ordered by, a preference score which is produced taking into account the user’s preferences. Guide | Demo

Partner: IT INNOVATION | Contact: Mike Surridge

Trust: Trust Builder

Extended features in Release 2 include the 5G asset model (v2), an ontology which contains the typical assets in a 5G network and the possible relations between them. V2 is updated with information (specific assets and relationships) from the 5G-ENSURE security architecture and from further discussions on the architecture. Another extended feature is the Graphical modelling tool (v2), whose editor allows the system designer to model their system and analyse potential threats and their mitigation controls. The second version of the tool also includes usability enhancements for dealing with complex models, a re-architected back-end for persisting and processing the models, and user management facilities. A new feature is the 5G threat and trust knowledge base, the second part of the ontology. It includes a first pass at describing the threats and how they apply to a 5G system, alongside descriptions of trust relationships. The threats are mapped to some of the controls that can be used to manage them. The threat knowledge base supports the automated identification of threats in designed or existing 5G systems. The trust data highlights trust relationships between assets and stakeholders. Guide | Demo

Partner: IT INNOVATION | Contact: Mike Surridge

Trust: Trust Metric

Release 1 of this enabler was a prototype for calculating a trust metric value from (static) simulated input data. Its main feature was Trust metric based network domain security policy management, conceived to offer trust-based services for customers in the mass market and in industry.

Release 2 includes an improved trust metric based on extended data. Its purpose is to collect monitoring data and KPIs from the micro-segment to enable near real-time operation. The main driver is quick detection of trust level changes (e.g., due to attacks and risks) in 5G networks. Guide

Partner: VTT | Contact: Pekka Ruuska

Trust: VNF Certification

The Release 1 feature is VNF Trustworthiness, which certifies the trustworthy implementation of a VNF and exposes its characteristics through a Digital Trustworthiness Certificate.

In Release 2, work has focused on providing a more complete prototype by adding new trustworthiness evidence such as “VNF hardening”, “kind of communication” (secured or not) and “Runtime environment reference”; a complete certification process; and a secured repository (in particular with the addition of access control). Guide | Demo

Partner: Thales Group (TCS) | Contact: Sebastien Keller

Trust: Security Indicator

This is a new enabler under Release 2. Its main feature is a security indicator subscriber display: a mobile application that uses a new security indicator received via an API. The main motivation for this enabler is to increase the visibility of security in the serving network and so improve trust in the network. Guide | Demo

Partner: University of Oxford | Contact: Ravi Borgaonkar

Security Monitoring: Satellite Network Monitoring (SatNav)

Release 1 features include Pseudo real-time monitoring of the satellite network. It provides a prototype to monitor indicators (including credentials management) in a quick, effective and intuitive manner. These indicators are collected in a heterogeneous 5G satellite system and are periodically delivered to the monitoring system in a secure way. The second feature is threat detection. It provides a prototype with information on the likeliest cause of failure and the course of action the operator should follow.

Features in Release 2 are: Active security analysis, providing a complete solution including detection, investigation and response to the threats identified; integration of the R1 features, enabling the threat and monitoring system to detect possible failures and prevent them or inform the operator; and Pre-emptive mitigation security actions, providing predictive capabilities so that the system can execute mitigation actions before possible security threats occur. Guide | Demo, Demo

Partner: Thales Alenia Space | Contact: Gorka Lendrinovela

Security Monitoring: PulSAR (Proactive Security Assessment and Remediation)

Release 1 of this enabler focused on a 5G specific vulnerability schema as a first implementation. The main purpose was to extend cyber-attack modelling.

Release 2 features an enhanced 5G specific vulnerability schema implementation, as 5G networks face novel, complex cyber-attacks that combine vulnerabilities of their different management components and systems. Another feature is the PulSAR interface with Generic Collector, used to analyse more data on ongoing attacks. Guide | Demo

Partner: Thales Group (TS) | Contact: Olivier Bettan

Security Monitoring: Generic Collector Interface

This is primarily a Release 1 enabler, where the main feature is Log and Event Processing, aimed at interoperability between event and log formats and allowing FastData technologies to be deployed inside the 5G network. Its main driver is tackling novel and complex incidents, cyber-attacks and fraud in a multi-tenant, multi-technology environment.

In Release 2, the Generic Collector Interface has been integrated into the Release 2 features of two other enablers: the System Security State Repository service (System Security State Repository enabler) and the PulSAR interface with Generic Collector (PulSAR: Proactive Security Assessment and Remediation enabler). Guide | Demo

Partner: ORANGE | Contact: Jean-Philippe Wary

Security Monitoring: System Security State Repository

Release 1 provides a deployment model ontology (also known as the 5G asset model) to enable modelling a system at the deployment stage. This deployment model captures the asset and control instance information in a semantic model that bridges the design phase and the later operation phase. It responds to the need for a clear reference security model for deployed 5G systems.

Release 2 brings the System Security State Repository service to create, update and query the runtime model. The SSSR enabler provides a query interface to allow other enablers’ access to asset status, and a visualisation interface showing the location of any deficiencies in the system. Guide | Demo

Partner: IT INNOVATION | Contact: Mike Surridge

Security Monitoring: Malicious Traffic Generator for 5G protocols

This is a new enabler under Release 2. Its features are a Hostile Evolved Node B (eNodeB) and a Hostile User Equipment (UE), which generate malicious, unusual or Denial of Service (DoS) type traffic towards the 5G network. The enabler works in three modes: the Traffic Generator Engine, the Malicious Pattern Library and the Fuzzing Engine. The Traffic Generator Engine generates a large amount of formally correct messages in rapid succession to overload network interfaces, i.e., performing a DoS attack. The Malicious Pattern Library is a library of message anomalies for the accepted protocols; it is used to test the node interface’s protocol parsing and resilience to protocol message anomalies. The Fuzzing Engine generates random input to a node interface, and is used to test the interface’s resilience to garbage input. Guide

Partner: Nixu | Contact: Tommi Pernila

Network Management and Virtualisation: Access Control Mechanisms

Southbound Reference Monitor is the main feature in Release 1. Its purpose is to enforce access control policies that account for the southbound API of an SDN controller. The reference monitor restricts access to the network components according to a given policy.

Access Requirements for VNF Container Resources was developed for Release 2. Its purpose is to enforce policies for containers that host VNFs and restrict their access to other network resources. The first prototype of this feature will be able to limit the network connections of Docker containers that host VNFs. Furthermore, it will allow one to specify and enforce simple requirements and policies for container instantiation and migration. Guide

Partner: NEC | Contact: Felix Klaedtke

Network Management and Virtualisation: Component-interaction Audits

The Basic OpenFlow Compliance Checker is a Release 1 and Release 2 feature under continuous development. Its purpose is to verify the interaction between multiple network components with respect to policies about the OpenFlow messages the components exchange.

The Release 2 feature, Basic NFV Reconfiguration Compliance Checker, serves to verify reconfigurations of NFV deployments with respect to policies or workflows. A key driver for this feature is identifying non-compliant behaviour in response to triggers by the orchestrator, making the network less vulnerable to intended or unintended misconfigurations. Guide | Demo

Partner: NEC | Contact: Felix Klaedtke

Network Management and Virtualisation: Bootstrapping Trust

Integrity Attestation of virtual switches is the Release 1 feature. Its main purpose is verifying the virtual switch configuration using trust agents running in trusted execution environments. Verifying the integrity of virtual switches and related assets prior to their enrolment in the SDN deployment is a key requirement for mitigating malicious behaviour.

The new feature in Release 2 is Integrity Attestation of VNFs running in Docker containers. While similar to the R1 feature, it targets VNFs deployed in lightweight virtualisation containers, verifying the integrity of specified, security-critical software components (assets) on the platforms hosting the lightweight containers with VNFs. Guide | Demo

Partner: SICS | Contact: Nicolae Paladi

Network Management and Virtualisation: Micro-segmentation

This enabler is based on the framework defined in Release 1 for distributed monitoring, inference and reaction to security incidents. It enables the development of components that detect selected ongoing attacks in micro-segments, in order to adapt the defences and topology of 5G networks or segments. The main Release 1 feature is the Complex Event Processing Framework for Security Monitoring and Inferencing.

Release 2 provides three features: Risk-based adaptation of micro-segments, for fast security responses to attacks and risks in 5G micro-segments; extended data gathering, to enable extensive awareness of the security state of 5G applications; and cross-domain information exchange, to enable interconnection between heterogeneous administrative domains that support different monitoring enablers. Guide

Partner: VTT | Contacts: Kimmo Ahola, Olli Mammela

Network Management and Virtualisation: Flow Control

This is a new enabler under Release 2. Its main features are Detection of malicious behaviours in virtual networks and Mitigation of detected network threats, working in conjunction. The enabler is a virtualised function that detects threats on the network’s data plane. A key driver is that identifying network-based threats without resorting to continuous supervision by the network controller makes the virtual network less vulnerable and more responsive to such threats. The second feature allows acting appropriately whenever a threat is identified, in order to minimise its impact on critical VNFs. Guide | Demo

Partner: Thales | Contact: Filippo Rebecchi