5G Security Algorithms
- Summary
-
Discussion
- What are the main 5G security algorithms?
- Could you describe the main 5G ciphering algorithms?
- Could you describe the main 5G integrity protection algorithms?
- What are the key elements of 5G NEA and NIA algorithms?
- Given multiple 5G security algorithms, how's one selected and communicated?
- What keys are used with 5G security algorithms?
- What security algorithms does the USIM execute?
- What's the SUPI-SUCI relationship?
- How does 5G improve upon 3G/4G security algorithms?
- What's the performance of 5G security algorithms?
- What are the vulnerabilities in current 5G security algorithms?
- Milestones
- References
- Further Reading
- Article Stats
- Cite As
The 5G System (5GS) has defined security algorithms in terms of data confidentiality and integrity. Algorithms are specified for both the radio access network and the core network. Their corresponding contexts are called Access Stratum (AS) and Non-Access Stratum (NAS).
These algorithms evolved from earlier generations. Closely associated with the algorithms are the security keys. These are essential inputs to the algorithms. Security procedures ensure that keys are properly managed and only authenticated users gain access to the system.
While the security algorithms and procedures have been designed by experts and well-tested, no system can guarantee 100% security. Flaws could be present in the design. Improper implementation could create security gaps. Vendors and operators have to put in place their own processes and checks.
Discussion
-
What are the main 5G security algorithms? 5G security algorithms are of two types:
- Ciphering: Also called encryption, this transforms plaintext message into ciphertext. Even when intercepted, a hacker can't derive the plaintext from the ciphertext.
- Integrity: Integrity protection adds a field called Message Authentication Code (MAC). The receiver also computes the MAC and compares it against the MAC received with the message. If this validation fails, such as when a hacker has tampered with the message, the receiver will reject the message.
For NAS security context, algorithms are executed at NAS layers of UE and AMF. For AS security context, they're executed at the PDCP layer of UE and gNB/ng-eNB. PDCP Control PDUs are not subject to ciphering or integrity protection.
IPSec or TLS could be used to secure communications over 5G Core's non-SBA interfaces such as N1, N2, N3, N4, and N6. Within the 5G SBA, NFs are expected to support TLS 1.2, TLS 1.3 and OAUTH 2.0. This protocol supports five cipher suites. For example, TLS_AES_128_GCM_SHA256 implies AES 128-bit in GCM mode for ciphering and SHA256 for integrity protection.
-
Could you describe the main 5G ciphering algorithms? 5G has the following ciphering algorithms:
- NEA0: Identifier 0000. Null ciphering. Keystream is all zeros. Effectively, the plaintext is not ciphered. Therefore, NEA0 provides no security.
- 128-NEA1: Identifier 0001. 128-bit SNOW 3G based algorithm. It's a word-oriented stream cipher. After key initialization at the start, it produces a keystream sequence of 32-bit words.
- 128-NEA2: Identifier 0010. 128-bit AES based algorithm in CTR mode. While AES is a block cipher, CTR mode effectively makes it a stream cipher. It can be pipelined, parallelized and the keystream precomputed. Where the input plaintext is shorter, extra bits of the last keystream block are discarded. No input padding is needed.
- 128-NEA3: Identifier 0011. 128-bit ZUC based algorithm. It's a stream cipher.
For NAS security context, signalling messages are ciphered. \(K_{NASenc}\) is the KEY. NAS connection identifier is the BEARER. Every NAS message has a sequence number that's part of COUNT.
For AS security context, \(K_{RRCenc}\) and \(K_{UPenc}\) are the keys for control plane and user plane respectively. RB identifier minus 1 is the BEARER. PDCP sequence number is used in COUNT.
-
Could you describe the main 5G integrity protection algorithms? 5G has the following integrity algorithms:
- NIA0: Identifier 0000. Null integrity protection. MAC that's generated is all zeros. Receiver doesn't validate the MAC. Replay protection is not possible with NIA0.
- 128-NIA1: Identifier 0001. 128-bit SNOW 3G based algorithm.
- 128-NIA2: Identifier 0010. 128-bit AES based algorithm in CMAC mode.
- 128-NIA3: Identifier 0011. 128-bit ZUC based algorithm.
For NAS security context, signalling messages are integrity protected. \(K_{NASint}\) is the KEY. NAS connection identifier is the BEARER. Every NAS message has a sequence number that's part of the COUNT. Replay protection is activated when integrity protection is activated. This means that NAS shall accept a COUNT value only once for that NAS security context.
For AS security context, \(K_{RRCint}\) and \(K_{UPint}\) are the keys for control plane and user plane respectively. RB identifier minus 1 is the BEARER. PDCP sequence number is used in COUNT.
-
What are the key elements of 5G NEA and NIA algorithms? We note the following elements:
- Linear Feedback Shift Register (LFSR): This is present in 16 stages in SNOW 3G and ZUC. Each stage holds a 32-bit word. The register is initialized first before used for keystream generation.
- Finite State Machine (FSM): This is present in SNOW 3G and ZUC. ZUC calls it non-linear function F. State is held in the registers. The FSM includes S-boxes. ZUC includes linear transforms L as well.
- Bit Reorganization (BR): This is present only in ZUC. It feeds three 32-bit words from LSFR to F and one 32-bit word towards keystream generation.
- Substitution-Box (S-Box): An input bit pattern is substituted for another. Substitutions are described in tables in the specifications. All three algorithms use S-boxes.
- Round: Used in AES, it's a sequence of four transformations, except for the last one that uses only three transformations. With each transformation, the plaintext is modified. KEY is an input only to the Round Key transformation. In CTR mode, ciphertext will be treated as keystream.
-
Given multiple 5G security algorithms, how's one selected and communicated? Each AMF is configured with a list of allowed security algorithms. Operator sets the priorities. UE informs AMF the algorithms it supports. With these information, AMF selects one ciphering and one integrity algorithm for that UE.
NAS security context is initiated by the AMF towards the UE via the NAS Security Mode Command message. The message contains the chosen algorithms. If N26 interworking is supported, AMF includes selected EPS NAS algorithms. Message is integrity protected but not ciphered. UE's reply NAS Security Mode Complete is both integrity protected and ciphered.
For AS security context, AMF informs gNB/ng-eNB UE security capabilities. gNB/ng-eNB selects algorithms similar to what AMF does for NAS security context. gNB/ng-eNB sends the AS Security Mode Command message with the selected algorithms. UE responds with AS Security Mode Complete message.
At AS, integrity protection and ciphering are applied to RRC signalling and user plane traffic. For the latter, these are activated when a Data Radio Bearer (DRB) is added via RRC Connection Reconfiguration procedure. SMF informs gNB/ng-eNB the UP security policy per PDU session.
-
What keys are used with 5G security algorithms? The USIM on the mobile side, and the Authentication Credential Repository and Processing Function (ARPF) within the 5G Core, both contain the long-term key K. K is 128 or 256 bits long. All other keys used for ciphering and integrity are derived from K. During authentication, USIM generates CK and IK and sends these to the Mobile Equipment (ME).
For NAS security context, ME uses CK and IK to derive \(K_{AMF}\). From \(K_{AMF}\), \(K_{NASint}\) and \(K_{NASenc}\) are derived.
For AS security context, ME derives \(K_{gNB}\) from \(K_{AMF}\). From \(K_{gNB}\), \(K_{RRCint}\) and \(K_{RRCenc}\) are derived for RRC signalling. Likewise, \(K_{UPint}\) and \(K_{UPint}\) are derived for user plane security.
Key Derivation Function (KDF) is HMAC-SHA-256. This function takes as input a key and a string \(S=FC||P0||L0||P1||L1||\dots||Pn||Ln\). For example, when deriving \(K_{AMF}\), the input key is 256-bit \(K_{SEAF}\) and \(S = FC||P0||L0||P1||L1\) where FC = 0x6D, P0 = IMSI/NAI/GCI/GLI, P1 = ABBA parameter = 0x0000, and L0 and L1 are the 2-octet values indicating the number of octets in P0 and P1 respectively.
Sqimway's online tool is useful to generate these keys.
-
What security algorithms does the USIM execute? For the purpose of authentication, USIM executes f1-f5, f1* and f5* algorithms. The same algorithms are executed within the network at UDM/ARPF. These algorithms could be based on MILENAGE or TUAK algorithm sets. Since these sets are not mandatory, an operator can choose to use proprietary algorithms.
-
What's the SUPI-SUCI relationship? Every 5G subscriber is identified uniquely with the Subscription Permanent Identifier (SUPI). This consists of MCC (Mobile Country Code), MNC (Mobile Network Code), and MSIN (Mobile Subscriber Identification Number). Other types of SUPI are also possible.
SUPI shall never be sent in cleartext within the NG-RAN. Instead, Subscription Concealed Identifier (SUCI) can be sent. SUCI encrypts the MSIN field. This prevents IMSI Catcher attack that was possible in 4G. SUPI-to-SUCI conversion and vice versa are performed in the USIM or ME, and in the UDM.
For SUPI concealment, Elliptic Curve Integrated Encryption Scheme (ECIES) is used. UE generates an ephemeral key pair using the home network's public key stored in the USIM. An asymmetric algorithm using ephemeral public-private key pair is used to exchange a shared key. Shared key is used with AES-128 in CTR mode for encrypting SUPI. It's also used with HMAC-SHA-256 to generate a 64-bit MAC.
-
How does 5G improve upon 3G/4G security algorithms? 5G security algorithms are identical to their 4G counterparts. However, 5G improves upon 4G for authentication and key management. In 3G, SNOW 3G algorithm existed. Older KASUMI-based algorithms used in 3G have been discontinued in 4G and 5G.
Unsecure options have been removed for use in TLS profile, IKEv2 profile and CRL profile. For example, TLS Cipher suites without encryption, SHA-1 and elliptic curve groups with less than 256 bits are removed.
Future releases of 5G, perhaps in 5G Advanced, may include enhancements of current algorithms. In particular, 256-bit variants could be standardized: SNOW-V, AES-256 and ZUC-256. MAC will continue to be 32 bits but the use of longer MAC is being studied.
In the post-quantum era, current algorithms might be inadequate. By 2030, a quantum computer built at a cost of USD one billion could break a 2048-bit RSA. The threat to symmetric algorithms is less. In any case, more study is needed to evaluate current quantum algorithms on symmetric cryptography, asymmetric cryptography and hash algorithms. Meanwhile, an AES-based algorithm called Rocca has been proposed for 6G.
-
What's the performance of 5G security algorithms? 5G is specified for a peak downlink data rate of 20Gbps. For URLLC use cases, 1ms end-to-end latency is specified. Security algorithms implemented in either software or hardware must be able to achieve at least these numbers so that they don't become bottlenecks.
Some performance numbers are available for 256-bit algorithms:
- 27Gbps for SNOW-V on Intel i7-8650U with AES-NI for 256-byte plaintext
- 1Tbps for SNOW-V in hardware
- 71Gbps for AES-256 in hardware with data path optimization
-
What are the vulnerabilities in current 5G security algorithms? Analysis has found that SNOW 3G admits the sliding property; that is, internal state of the stream cipher for a given key-IV pair corresponds to the state for another pair after a finite time. This can used towards a key recovery attack, though the risk for SNOW 3G is minimal. The risk is greater for SNOW 2.0 with 256-bit keys.
An attack on the initialization procedure of ZUC was disclosed in 2010. By varying IV, the attacker can find two values that result in identical internal state. This translates to identical keystreams, thus reducing the entropy of the secret key.
Securing IoT devices over 5G connectivity is a challenge since many of them are resource constrained. There's a claim that IoT devices often use symmetric algorithms and there's a need for research into lightweight asymmetric algorithms.
Apart from the algorithms themselves, security of 5G can be compromised at various points: devices, the air interface, edge networks, backhauls and within the core network. Weaknesses could be in design or implementation. The system could even be tricked into using Null algorithms (NEA0 and NIA0) for normal communication.
Milestones
2001
3GPP publishes the MILENAGE Algorithm Set consisting of f1-f5, f1* and f5* algorithms. These are algorithms that execute in the Universal Subscriber Identity Module (USIM) and Authentication Centre (AuC). These algorithms are serve as a reference for operators. Operators are free to implement their own proprietary algorithms. In 5G, AuC is mapped to UDM/ARPF.
2001
NIST publishes the Advanced Encryption Standard (AES) block cipher algorithm. This is based on the Rijndael block cipher family that was selected as the AES competition winner. In December 2001, different modes of operation are published. This includes the mode called Counter (CTR). In May 2005, the Cipher-based Message Authentication Code (CMAC) mode for authentication is published. Years later, 5G adopts AES in modes CTR and CMAC.
2002
NIST publishes Secure Hash Algorithms (SHAs) in the document FIPS PUB 180-2. In particular, SHA-2 family of algorithms is introduced as an improvement over SHA-1 from 1995. In August 2015, this is updated in document FIPS PUB 180-4 with algorithms SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256.
2006
ETSI/SAGE standardizes SNOW 3G specification. SNOW 3G is to be used in 3G as UEA2 and UIA2 for encryption and integrity respectively. The same algorithms are adopted years later for 4G (as 128-EEA1 and 128-EIA1) and 5G (as 128-NEA1 and 128-NIA2). SNOW was originally invented by Ekdahl and Johansson in 2000. In 2002, they released an improved version called SNOW 2.0.
2008
2010
2013
As part of Release 12, 3GPP publishes the TUAK Algorithm Set consisting of f1-f5, f1* and f5* algorithms. This is an alternative to the MILENAGE Algorithm Set. While MILENAGE permits only 128-bit keys, TUAK permits either 128- or 256-bit keys for K, CK, and IK. MAC-A and MAC-S can be 64, 128 or 256 bits. RES can be 32, 64, 128 or 256 bits. MAC-A, MAC-S and RES are 64 bits in MILENAGE.
2018
2019
Ekdahl et al. propose SNOW-V, an evolution of SNOW 3G, where "V" stands for virtualization. It's designed to make the best use of AES-NI and SIMD instructions. It's as secure as and faster than AES-256 in GCM mode. SNOW 3G in software gives only 9Gbps. On Apple A11 ARM processor, SNOW-V achieves 23.6Gbps compared to 16Gbps for AES-CTR at 16KB plaintext size. When used for confidentiality and integrity at the same time, it's called SNOW-V-GCM.
2021
In standard C language, Wei et al. implement ZUC-256, SNOW-V, and AES-256 on RISC-V platform. They avoid the use of AES New Instructions (AES-NI). Via simulations, they compare the performance on AndeaCore N25 CPU at 400 MHz. Although other studies looked at performance earlier, comparison was hard due to variations in software and hardware implementations.
References
- 3GPP. 2001. "TS 35.206: 3G Security; Specification of the MILENAGE algorithm set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 2: Algorithm specification." V3.0.0, April. Accessed 2024-04-13.
- 3GPP. 2013. "TS 35.231: Specification of the TUAK algorithm set: A second example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 1: Algorithm specification." V12.0.0, December. Accessed 2024-04-13.
- 3GPP. 2019. "TR 33.841: 3rd Generation Partnership Project; Technical Specification Group Services and Systems Aspects; Security aspects; Study on the support of 256-bit algorithms for 5G." V16.1.0, March. Accessed 2024-03-28.
- Addepalli, S. 2021. "5G Security." Pulse, LinkedIn, July 4. Accessed 2024-03-25.
- Adnan, M. H., Z. A. Zukarnain, and N. Z. Harun. 2022. "Quantum Key Distribution for 5G Networks: A Review, State of Art and Future Directions." Future Internet, MDPI, vol. 14, no. 3. Accessed 2024-04-02.
- Anna University. 2024. "AES (Advanced Encryption Standard) Structure." In: Cryptography and Network Security - CS8792, CS6701, Anna University. Accessed 2024-03-28.
- Brodie, A. 2018. "Overview of TLS v1.3." Slides, OWASP London, January. Accessed 2024-03-25.
- Dworkin, M. 2001. "Recommendation for Block Cipher Modes of Operation." NIST Special Publication 800-38A, December. Accessed 2024-03-28.
- Dworkin, M. 2005. "Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication." NIST Special Publication 800-38B, May. Updated 2016-06-10. Accessed 2024-04-02.
- ETSI. 2022. "TS 135 205: Universal Mobile Telecommunications System (UMTS); LTE; 3G Security; Specification of the MILENAGE algorithm set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 1: General." V17.0.0, April. Accessed 2024-04-13.
- ETSI. 2023a. "TS 138 323: 5G; NR; Packet Data Convergence Protocol (PDCP) specification." V17.5.0, July. Accessed 2024-03-28.
- ETSI. 2023b. "TS 133 220: Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; 5G; Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA)." V17.4.0, January. Accessed 2024-03-28.
- ETSI. 2024a. "TS 133 501: 5G; Security architecture and procedures for 5G System." V17.12.0, January. Accessed 2024-03-03.
- ETSI SAGE. 2006. "Specification of the 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2. Document 2: SNOW 3G Specification." v1.1, ETSI/SAGE Specification, September 6. Accessed 2024-03-25.
- ETSI SAGE. 2011. "Specification of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. Document 2: ZUC Specification." v1.6, ETSI/SAGE Specification, June 28. Accessed 2024-03-25.
- Ekdahl, P. and T. Johansson. 2002. "A New Version of the Stream Cipher SNOW." SAC '02: Revised Papers from the 9th Annual International Workshop on Selected Areas in Cryptography, pp. 47-61, August. Accessed 2024-03-28.
- Ekdahl, P. and A. Maximov. 2020. "Encryption in virtualized 5G environments." Blog, Ericsson, June 2. Accessed 2024-03-28.
- Ekdahl, P., T. Johansson, A. Maximov, and J. Yang. 2019. "A new SNOW stream cipher called SNOW-V." IACR Transactions on Symmetric Cryptology, vol. 2019, no. 3, pp. 1-42. doi: 10.13154/tosc.v2019.i3.1-42. Accessed 2024-03-28.
- Ericsson. 2018. "5G security - enabling a trustworthy 5G system." White paper, Ericsson, March 28. Updated 2021-03-29. Accessed 2024-03-25.
- GSMA. 2021. "5G Security Guide." V2.0, GSMA, October 20. Accessed 2024-03-25.
- Guillemot, L. 2024. "Security procedures for 5G system." Sqimway. Accessed 2024-03-03.
- Holtrup, G., W. Lacube, D. P. David, A. Mermoud, G. Bovet, and V. Lenders. 2021. "5G System Security Analysis." v2, arXiv, August 20. Accessed 2024-03-03.
- Housley, R. 2004. "Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)." RFC 3686, IETF, January. Accessed 2024-03-25.
- Jasim, K. F., K. Z. Ghafoor, and H. S. Maghdid. 2022. "Analysis of Encryption Algorithms Proposed for Data Security in 4G and 5G Generations." 1st International Conference of Applied Computing & Smart Cities (ICACS21), Erbil, Iraq, ITM Web of Conferences, vol. 42, article no. 01004. Accessed 2024-03-03.
- Jost, C. and B. Smeets. 2020. "Security for 5G Service-Based Architecture: What you need to know." Blog, Ericsson, August 21. Accessed 2024-03-28.
- Kircanski, A. and A. M. Youssef. 2011. "On the Sliding Property of SNOW 3G and SNOW 2.0." IET Information Security, vol. 5, no. 4, pp. 199-206, December. doi: 10.1049/iet-ifs.2011.0033. Accessed 2024-03-28.
- Koranga, A. 2022. "ECIES in 5G Core: SUPI to SUCI Conversion." Blog, on Medium, November 6. Accessed 2024-04-02.
- Liyanage, M., I. Ahmad, A. B. Abro, A. Gurtov, and M. Ylianttila (eds). 2018. "A Comprehensive Guide to 5G Security." doi: 10.1002/9781119293071. John Wiley & Sons Ltd. Accessed 2024-03-03.
- Mattsson, J. P. 2021. "5G Security Update." Slides, Ericsson, IETF 113. Accessed 2024-03-25.
- NIST. 2001. "Advanced Encryption Standard (AES)." FIPS PUB 197, NIST, November 26. Updated 2023-05-09. Accessed 2024-03-25.
- NIST. 2002. "Secure Hash Standard." FIPS PUB 180-2, NIST, August 1. Accessed 2024-04-02.
- NIST. 2008. "The Keyed-Hash Message Authentication Code (HMAC)." FIPS PUB 198-1, NIST, July. Accessed 2024-04-02.
- NIST. 2015. "Secure Hash Standard (SHS)." FIPS PUB 180-4, NIST, August. Accessed 2024-04-02.
- Ogbodo, E. U, A. M. Abu-Mahfouz, and A. M. Kurien. 2022. "A Survey on 5G and LPWAN-IoT for Improved Smart Cities and Remote Area Applications: From the Aspect of Architecture and Security." Sensors, MDPI, vol. 22, article no. 6313. Accessed 2024-03-03.
- Park, S., D. Kim, Y. Park, H. Cho, D. Kim, and S. Kwon. 2021. "5G Security Threat Assessment in Real Networks." Sensors, MDPI, vol. 21, article no. 5524. Accessed 2024-03-03.
- Sakamoto, K., F. Liu, Y. Nakano, S. Kiyomoto, and T. Isobe. 2022. "Rocca: An Efficient AES-based Encryption Scheme for Beyond 5G." Accessed 2024-03-28.
- Wei, M., G. Yang, and F. Kong. 2021. "Software Implementation and Comparison of ZUC-256, SNOW-V, and AES-256 on RISC-V Platform." IEEE International Conference on Information Communication and Software Engineering (ICICSE), Chengdu, China, pp. 56-60, 19-21 March. doi: 10.1109/ICICSE52190.2021.9404134. Accessed 2024-03-28.
- Zhang, R., W. Zhou, and H. Hu. 2021. "Towards 5G Security Analysis against Null Security Algorithms Used in Normal Communication." Security and Communication Networks, vol. 2021, article ID 4498324. Accessed 2024-03-03.
Further Reading
- ETSI. 2024a. "TS 133 501: 5G; Security architecture and procedures for 5G System." V17.12.0, January. Accessed 2024-03-03.
- 3GPP. 2019. "TR 33.841: 3rd Generation Partnership Project; Technical Specification Group Services and Systems Aspects; Security aspects; Study on the support of 256-bit algorithms for 5G." V16.1.0, March. Accessed 2024-03-28.
- Yang, J. 2021. "Contributions to Confidentiality and Integrity Algorithms for 5G." Doctoral Thesis, Department of Electrical and Information Technology, Lund University. Accessed 2024-03-28.
- Liyanage, M., I. Ahmad, A. B. Abro, A. Gurtov, and M. Ylianttila (eds). 2018. "A Comprehensive Guide to 5G Security." doi: 10.1002/9781119293071. John Wiley & Sons Ltd. Accessed 2024-03-03.
Article Stats
Cite As
See Also
- 5G Security
- 5G Authentication
- Authentication Server Function
- Security of 5G SBA
- Cloud Security
- IoT Security