Secure Keying Scheme for Network Slicing in 5G
Architecture
Pawani Porambage, Yoan Miche, Aapo Kalliola, Madhusanka Liyanage∗‡, Mika Ylianttila
Centre for Wireless Communications, University of Oulu, Finland
Nokia Bell Labs, Espoo, Finland
School of Computer Science, University College Dublin, Ireland
Email: [firstname.lastname]@oulu.fi, [firstname.lastname]@nokia-bell-labs.com, madhusanka@ucd.ie
Abstract—Network slicing is one of the key enabling technologies of the evolving fifth generation (5G) of mobile communication that fulfils the multitude of service demands of 5G networks. Although the concept of network slicing, its deployment scenarios and some security aspects such as slice isolation are discussed in detail, key management for network slicing based applications is still not a well-investigated research area. In this paper, we propose a secure keying scheme that is suitable for a network slicing architecture when the slices are accessed by third party applications. Since the secure keying scheme is designed using a multi-party computation mechanism, it ensures the consent of the monitored use cases or devices from which the data is acquired. We discuss the performance, scalability and security properties of the keying scheme to demonstrate its appropriateness under the evolving 5G paradigm.
Index Terms—5G, Network Slicing, Security, Key Management, Multi-Party Computation, Scalability
I. INTRODUCTION
The fifth generation (5G) of mobile communication is expected to meet the evolution in terms of capacity, performance and spectrum access to radio-network segments [1]. More importantly, 5G will bring extreme flexibility and high programmability to all non-radio network infrastructure. 5G networks will serve a multitude of use cases that have very diverse characteristics and requirements. The most mentioned 5G use cases are categorized as enhanced Mobile Broadband (eMBB), Ultra Reliable Low Latency Communication (URLLC), and massive Machine Type Communication (mMTC) [2]. To satisfy the different needs of these use cases, network slicing is introduced in 5G to create multiple logical networks over a single physical network [3].
By definition, one network slice can accommodate a separate set of network functions, without interference, to support given application services [4]. In one vertical industry there can be many standalone or combined use cases running simultaneously. Each of these horizontal use cases can be served by one or multiple network slices. For instance, a smart factory environment may accommodate all types of traffic classes, including eMBB (human users, Augmented Reality (AR) and Virtual Reality (VR) applications), URLLC (cobots, automated machinery) and mMTC (sensor networks, IoT devices) [5]. Different traffic classes can be served by one or many network slices. In these massive industrial verticals, when it is required to detect an abnormality from a given data set that has a global impact on the entire industry (i.e., the smart factory), the process can be outsourced to a third party monitoring application. Under such circumstances, the monitoring application may have to access one or many network slices (i.e., the corresponding network storage resources) with the consent of the targeted use cases or devices.
In this paper, we propose a keying scheme for third party monitoring applications to securely access data from the network slices with the consent of the monitored use cases or devices. We discuss the retrieval of data and key management with the help of multi-party computation mechanisms. The performance of the proposed scheme is analyzed as a cost analysis based on the involvement of the network devices. Moreover, we mention the possibilities of scaling up the keying scheme for large networks and discuss the security properties of the keying scheme.
The remainder of this paper is organized as follows: Section II provides the background and related work on network slicing and the 5G service based architecture. Section III describes the assumptions, the threat model and the use case. Section IV presents the proposed key management scheme and its applicability in the 5G architecture. Sections V and VI respectively provide the performance and security analysis of the proposed solution. Finally, Section VII summarizes the work and draws the conclusions.
II. BACKGROUND AND RELATED WORK
The 5G core network is proposed to be deployed in two phases [6]: the well-known point-to-point connections, which is similar to the current 4G-LTE (Long Term Evolution) architecture, and the service based architecture (SBA). According to the definition released by the 3rd Generation Partnership Project (3GPP), the 5G SBA delivers the control plane functionality and common data repositories by a set of interconnected Network Functions (NFs). Therefore, SBA is more appropriate for the new cloud-native networking models and has higher flexibility for an iterative development process. The 5G SBA is defined with major functional elements (or network functions) and their connecting high-level interfaces [1].
Due to its ability to support multiple service requirements over a common network, network slicing is considered a key commercial driver for 5G [3]. By definition, a network slice controls its own packet forwarding from the user end to the cloud servers in the core network [4]. The end-to-end slicing architecture has three segments: access slices, core network slices, and pairing functions that connect the former two. CN (Core Network) slices are designed with a logical separation between control and user plane functions and the corresponding NFs, such as the Access and Mobility Management Function (AMF), Session Management Function (SMF), User Plane Function (UPF), Policy Control Function (PCF), Authentication Server Function (AUSF), Unified Data Management (UDM) and Network Slice Selection Function (NSSF).
Security considerations in network slicing are associated with many networking and communication technologies and are addressed from different perspectives [7], [8]. Strong slice isolation is a main requirement to mitigate the spreading of security threats among multiple network slices. When two slices share common resources, an attacker who reveals the cryptographic material on one slice can exploit it to affect the security functions running on another slice. Other security considerations are addressed on inter-slice communication, operations of the network slice manager, slice heterogeneity, authentication of network slice instances, and key management.
Although slicing security has gained high attention, not many works have been published during the recent past. The majority of the works consider authentication and key management protocols from the user end or for inter-slice communication. The paper [9] proposes a cross-layer authentication scheme for 5G heterogeneous networks by combining non-cryptographic and cryptographic algorithms. In [10], a secure service oriented authentication framework is presented to support slicing and fog computing for 5G-enabled IoT services. It guarantees the secure access of IoT services and privacy-preserving slice selection. The solution includes a service-oriented three-party key agreement to negotiate keys among IoT servers, local fog servers, and users, based on Diffie-Hellman key agreement. In [11], two heterogeneous signcryption schemes are proposed to achieve mutual communications among network slices deployed in different public key cryptosystems (i.e., a public key infrastructure and a certificateless public key cryptography environment). Slice isolation, privacy, and managing trust among different stakeholders and slices also matter the most. Customizing slicing security by Software Defined Networking (SDN) using micro-segmentation is another approach to isolate traffic flows related to different applications or users [12].
However, none of those published articles address the security considerations, possible attacks and mitigation techniques related to network slicing when the slices are accessed by external parties. Throughout this work, we describe how multi-party computation algorithms can be used to implement a secure keying scheme among the network slice resources, the served use cases (i.e., devices or users) and the external entities. Our work is inspired by the scheme in [13], a distributed approach with a hybrid cryptosystem that ensures confidentiality in a video surveillance system. In their setup, the recorded video material is only available to a subset of authorized users who will finally be able to decrypt the videos. Similar to the scheme in [13], we also take advantage of a multi-party computation algorithm (i.e., Shamir's secret sharing) to compute keys in our security scheme.
III. USE CASE AND THREAT MODEL
A. Use case
To elaborate the key management protocol and its necessity, we consider one particular vertical industry, the smart factory or Industry 4.0. Under the given industry vertical there are multiple horizontal use cases or services running with different requirements and specifications. For instance, a smart factory environment includes numerous cyber-physical systems such as cobots (collaborative robots), augmented reality (AR) applications and sensor networks. As illustrated in Figure 1, one factory premises may accommodate different such use cases, and each can be served by single or multiple network slices. When the factories are geographically dispersed, the horizontal use cases can also be served by dedicated or shared network slices. Each network slice owns logically isolated computation and storage resources to perform data processing and storing tasks for all the use cases that receive its services.
Fig. 1: Provision of services for horizontal use cases in factories using dedicated and shared network slices.
In addition to the aforementioned dedicated services required by different use cases, there are certain occasions on which they need to be monitored in common by Third Party Monitoring Applications (TPMAs). For example, while detecting anomalies in a particular process in the factory, the third party application has to acquire data from multiple use cases and keep proper coordination among them and the respective network slices. Under such a scenario, the third party application has to access the data from the respective network slices, however with the consent of the particular use cases (Figure 2) or their individual components (Figure 3). To cater for such secure communication links among the third party applications, the network slice resources, and the use cases, we propose a secure key management scheme based on Shamir's secret sharing technique.
Fig. 2: Third party application accesses data with the consent of different use cases.
Fig. 3: Third party application accesses data with the consent of individual components in a given use case.
B. Threat model
1) Adversaries: We consider three possible adversary types.
Internal adversaries with administrative control: An internal adversary can be located in the factory premises and take administrative control of the devices in the factory. This can be a tenant inside the factory or an external intruder who has access to a compromised device.
External adversaries with access to data transportation: An external adversary that could attack the data transportation between the TPMA, the factory devices and the network slice.
External adversaries with access to the TPMA: An external adversary that could attack a TPMA by accessing its security credentials or creating Distributed Denial of Service (DDoS) attacks.
2) Attacks on a slice while it is accessed by a third party:
DDoS flooding attacks: These can be launched by external adversaries on network slices (i.e., particularly on the AMF) while TPMA communications in all cases are occurring across an untrusted network.
Data tampering attacks: These attacks can be launched by external adversaries when they access data obtained by the TPMA. When a TPMA is compromised, the attacker can deliberately modify, replay or inject bogus data into the stored data. Moreover, tampering attacks can also be initiated by the external adversaries who can access the data transportation.
Key-compromise impersonation attacks: These attacks may occur when an internal adversary uses a compromised device to access its keying material and uses it for future communication purposes. If the long term private key shares of the devices are compromised, the attacker can use those key shares to compute the security credentials requested by the TPMA.
C. Assumptions
The slice operator's network is functional as the service-based 5G core network architecture. Within the factory premises, the monitored devices are protected by a Trusted Platform Module (TPM) on each device for mutual authentication and integrity checks in all communications. The communication link establishment between the TPMA and the 5G core is performed by means of a conventional security protocol such as IPsec or TLS (Transport Layer Security). Moreover, we consider an ideal situation where proper slice implementation is achieved in such a way as to avoid slice specific security vulnerabilities, including slice isolation failures and side channel attacks.
IV. PROPOSED KEYING SCHEME
A. Preliminaries
For all the calculations in the rest of the sections, we consider that $G_q$ is a group of prime order $q$, in which the Discrete Logarithm Problem and closely related problems are believed to be hard, and $g$ is a generator of $G_q$. All computations in $\mathbb{Z}$ are also performed mod $q$, although this is not shown explicitly in the text. In addition to that, the proposed security architecture exploits Shamir's secret sharing technique [14] to distribute and reconstruct the shares of private keys, and the ElGamal cryptosystem [15] for encryption and decryption of interval-keys. Shamir's secret sharing technique is based on an $(n, k)$ threshold scheme [14], wherein $n$ devices each hold a polynomial share and $k$ polynomial shares are enough to reconstruct the DH keys through Lagrange polynomial interpolation. According to [14], the $(n, k)$ threshold scheme is selected as $n = 2k - 1$.
B. Keying scheme
As illustrated in Figure 4, the devices $\{D_1, D_2, \ldots, D_n\}$ are accessing one particular network slice. When a TPMA needs to acquire data related to the given devices from the network slice, it also has to get the consent of those devices.
As an initial phase, the network slice and the devices receive the corresponding cryptographic keys from a Key Distribution Center (KDC), which is co-operating with the Authentication Server Function (AUSF). For a given network slice that serves $n$ devices (or $n$ distinct use cases), the KDC generates a key pair $(d, e)$ for the ElGamal cryptosystem: $d$ and $e$ are the private and public keys. The shares of the private key $(d_1, d_2, \ldots, d_n)$ and the public key $e = g^d$ are respectively delivered to the devices and the network slice in a secure manner. The secret key $d$ is generated following a $t$-degree polynomial $f(\cdot)$ (i.e., $d = f(0)$) and the $d_i$ shares are computed as follows.
$$d_i = f(i) = d + \sum_{j=1}^{t} r_j\, i^j, \qquad r_j \in_R \mathbb{Z}_q \quad (1)$$
According to Shamir's secret sharing technique and by Lagrange interpolation, in order to reconstruct the private key $d$, it is necessary to have at least $t+1$ of the $d_i$ values.
Fig. 4: Graphical representation of delivering security credentials in the key management scheme.
There can be multiple security and privacy issues arising when the third party application can keep records of previously accessed data from a network slice. Therefore, it is necessary to ensure that the data released by the network slice is transferred as encoded content in an application specific format (e.g., using homomorphic encryption). There should be an entity operating at the network slice that is responsible for encoding the data and providing it for the pre-designed tasks of the TPMA.
The encoded data related to a particular incident or a given period of time is denoted $M$ and encrypted with an interval-key $k$ using symmetric encryption, $E_S(M, k) = c$. The network slice generates a random interval-key $k$ as a one-time key related to the request made by the TPMA. In addition to that, the slice encrypts $k$ with the public key $e$ using ElGamal asymmetric encryption and computes the $c_1$ and $c_2$ values: $E_A(e, k) = (c_1, c_2)$.
$$E_A(e, k) = (g^{\alpha}, e^{\alpha} k) = (c_1, c_2), \qquad \alpha \in_R \mathbb{Z}_q \quad (2)$$
When the TPMA accepts the received message (i.e., $c, c_1, c_2$), it has to follow several steps to derive $k$ and reconstruct the encoded data. The first step is to derive the ephemeral key $k$ using $(c_1, c_2)$ and the consent of the devices (or the use cases) in the factory. On behalf of the TPMA, the network slice manager sends the $c_1$ value to the devices that agree to co-operate. Then each collaborating device performs the ElGamal partial decryption of $c_1$ using its private key share $d_i$ (i.e., equation 3) and sends $c_{1i}$ back to the TPMA through the network slice manager.
$$D_A(c_1, d_i) = c_1^{d_i} = c_{1i} \quad (3)$$
After collecting a sufficient number of decrypted values (i.e., from $t+1$ cooperative devices) out of the $n$ devices, the TPMA derives the interval-key $k$ by decrypting the values as follows. First, compute the $\lambda_i$ coefficients for each received $c_{1i}$ in the subset $P$ (of size $t+1$) of the participating devices.
$$\lambda_i = \prod_{j \in P,\; j \neq i} \frac{j}{j - i} \quad (4)$$
Then the value $k$ is decrypted using the Lagrange formula and the $\lambda_i$ values.
$$D\big((c_{11}^{\lambda_1}, c_{12}^{\lambda_2}, \ldots, c_{1(t+1)}^{\lambda_{t+1}}),\, c_2\big) = c_2 \Big(\prod_{i \in P} c_1^{d_i \lambda_i}\Big)^{-1} = c_2 \Big(c_1^{\sum_{i \in P} d_i \lambda_i}\Big)^{-1} = c_2 \big(c_1^{d}\big)^{-1} = k \quad (5)$$
Having the key $k$, the TPMA can decrypt the encoded data by performing $D_S(c, k) = M$.
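The scheme of equations (1)–(5) end to end, as an added example that is not the paper's own code: the KDC derives ElGamal keys and Shamir shares, the slice encrypts a one-time interval-key $k$, consenting devices return partial decryptions $c_{1i}$, and the TPMA recombines them with Lagrange coefficients. Everything outside the paper is an assumption of this example: a toy 64-bit safe-prime group (a deployment would use a standardised 2048-bit or larger group), $k$ chosen as an element of $G_q$, a SHA-256 counter keystream standing in for the unspecified symmetric cipher $E_S/D_S$, and the constructed values $n = 5$, $t = 2$ and the sample record $M$. The demo also shows the threshold failure mode: with only $t$ consents the TPMA recovers nothing useful.

```python
"""Threshold-ElGamal keying scheme of Section IV.B (added example, not the paper's code)."""
import hashlib
import random

BITS = 64  # toy group size so the example runs instantly; real deployments need >= 2048-bit p


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24, enough for toy sizes)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(rng: random.Random):
    """Safe prime p = 2q + 1; g = 4 = 2^2 is a square, so it generates the order-q subgroup G_q."""
    while True:
        q = rng.getrandbits(BITS) | (1 << (BITS - 1)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q, 4


def kdc_setup(n: int, t: int, p: int, q: int, g: int, rng: random.Random):
    """KDC: ElGamal key pair (d, e = g^d) and Shamir shares d_i = f(i) over Z_q, eq. (1)."""
    coeffs = [rng.randrange(1, q)] + [rng.randrange(q) for _ in range(t)]  # f(0) = d
    shares = {i: sum(c * pow(i, j, q) for j, c in enumerate(coeffs)) % q
              for i in range(1, n + 1)}
    return pow(g, coeffs[0], p), shares


def _stream_xor(data: bytes, k: int) -> bytes:
    """Stand-in for E_S / D_S (assumption): SHA-256 counter keystream keyed by the element k."""
    key = hashlib.sha256(k.to_bytes(16, "big")).digest()
    stream = b"".join(hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
                      for ctr in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def slice_encrypt(M: bytes, e: int, p: int, q: int, g: int, rng: random.Random):
    """Slice: one-time interval-key k in G_q, c = E_S(M, k), (c1, c2) = E_A(e, k), eq. (2)."""
    k = pow(g, rng.randrange(1, q), p)
    alpha = rng.randrange(1, q)
    c1, c2 = pow(g, alpha, p), pow(e, alpha, p) * k % p
    return _stream_xor(M, k), c1, c2


def device_partial(c1: int, d_i: int, p: int) -> int:
    """Consenting device i: c_1i = c1^{d_i}, eq. (3). A device that withholds consent answers nothing."""
    return pow(c1, d_i, p)


def tpma_recover(c: bytes, c1: int, c2: int, partials: dict, p: int, q: int) -> bytes:
    """TPMA: Lagrange coefficients over the responding subset P, eq. (4), then k and M, eq. (5)."""
    P = list(partials)
    c1_d = 1
    for i in P:
        lam = 1
        for j in P:
            if j != i:
                lam = lam * j * pow((j - i) % q, -1, q) % q  # lambda_i = prod j / (j - i) mod q
        c1_d = c1_d * pow(partials[i], lam, p) % p            # accumulates c1^{sum d_i*lambda_i}
    k = c2 * pow(c1_d, -1, p) % p                               # c2 * (c1^d)^-1 = k
    return _stream_xor(c, k)


def run_demo(n: int = 5, t: int = 2, seed: int = 7):
    """Returns (M recovered with t+1 consents?, M recovered with only t consents?)."""
    rng = random.Random(seed)
    p, q, g = gen_group(rng)
    e, shares = kdc_setup(n, t, p, q, g, rng)
    M = b"constructed encoded anomaly record for use case 3"  # constructed sample data
    c, c1, c2 = slice_encrypt(M, e, p, q, g, rng)
    consenting = list(range(1, n + 1, 2))[: t + 1]  # t+1 odd-numbered devices answer, the rest stay silent
    partials = {i: device_partial(c1, shares[i], p) for i in consenting}
    with_quorum = tpma_recover(c, c1, c2, partials, p, q) == M
    below = {i: partials[i] for i in consenting[:t]}  # only t answers: below the threshold
    below_quorum = tpma_recover(c, c1, c2, below, p, q) == M
    return with_quorum, below_quorum


if __name__ == "__main__":
    print(run_demo())
```

The devices never see $k$, $M$ or the TPMA: each one only exponentiates $c_1$ by its own share, which is exactly the consent signal of Section IV.B, and the TPMA never learns $d$ because it only ever handles $c_1^{d}$ for this one request.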
C. High-level description of the proposed scheme
This section gives a high-level overview of the information flow of the proposed protocol under the umbrella of the next generation core network architecture (Figure 5).
Fig. 5: Information flow of the proposed keying scheme in the 5G service based architecture.
First, the TPMA sends a registration request to the Access and Mobility Management Function (AMF). Then the AMF selects an Authentication Server Function (AUSF) and interacts with Unified Data Management (UDM), where the TPMA can perform the registration and primary authentication specified in 3GPP to access the 5G network. If the authentication process is successful, the TPMA can proceed with sending a service request and authenticating the service to the AUSF. Based on the service request, the AUSF generates the ephemeral key $k$ for the session and shares it with the AMF. Then the AMF selects a network slice instance based on the TPMA's service request and sends a session establishment request to the corresponding Session Management Function (SMF) of the slice along with the key $k$. The slice specific function, the User Plane Function (UPF), manages user plane traffic. Moreover, the network slice receives the service area restrictions of the serving devices and the accessibility of the stored data from the UDM. Based on the accessibility policies, the slice itself accesses the encoded data $M$, computes the $c, c_1, c_2$ values and sends $c_1$ to the devices. The devices that are willing to cooperate compute the $c_{1i}$ values and send them back to the network slice. Finally, the network slice sends $c, c_1, c_2$ and all the received $c_{1i}$ values to the TPMA. Since there is no direct communication between the devices and the TPMA, the $c_{1i}$ values are delivered via the network slice manager.
V. PERFORMANCE ANALYSIS
To discuss the performance of the proposed keying scheme, we consider the behaviour of the devices in the factory premises in terms of their willingness to cooperate with the TPMA to reconstruct the secrets. The TPMA requests rightful access to the data in order to provide an additional service or to detect an abnormality related to the devices. Therefore, if the devices cooperate with the TPMA, each device receives a gain ($G$) in return. At the same time, while contributing to the secret reconstruction, each device has to bear a cost ($C$) that includes computation and communication costs.
For a successful key reconstruction there should be at least $t+1$ cooperative devices. Consequently, the total profit that one device can gain also depends on the likelihood of the other devices cooperating with the key reconstruction. We consider that each device is willing to cooperate (i.e., $D_i = 1$) with an equal probability $a$; the probability that a device will not cooperate is $1 - a$ (i.e., $D_i = 0$). Then the probability of success, i.e., the probability that at least $t+1$ devices out of the $n$ devices (i.e., $D_1, \ldots, D_i, \ldots, D_n$) contribute, is:
$$Pr_{success} = Pr\Big\{\sum_{i=1}^{n} D_i \geq (t+1)\Big\} = \binom{n}{t+1} a^{(t+1)} (1-a)^{(n-(t+1))} + \cdots + \binom{n}{n} a^{n} = \sum_{i=t}^{n-1} \binom{n}{i+1} a^{(i+1)} (1-a)^{(n-(i+1))} \quad (6)$$
Therefore the expected net profit ($P_{avg}$) at a device is the difference between its expected gain and its expected cost:
$$P_{avg} = G \sum_{i=t}^{n-1} \binom{n}{i+1} a^{(i+1)} (1-a)^{(n-(i+1))} - C\, a \quad (7)$$
The graphs in Figure 6 show the behaviour of the expected net profit ($P_{avg}$) with the variation of the probability of device cooperation ($a$). We keep a fixed gain value $G = 20$ and change the cost value $C$. Thereby we observe that $P_{avg}$ increases as $C$ decreases. In each case, the maximum $P_{avg}$ is observed for a probability $a$ between 0.8 and 0.9.
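Equations (6) and (7) carried through numerically, as an added example rather than the paper's own analysis script. The paper fixes $G = 20$ but does not state the $n$ and $t$ behind Figure 6, so the values $n = 5$, $t = 2$ used here are constructed, and the location of the maximum depends on them (for these values and $C = 20$ it lies near $a \approx 0.76$, not in the paper's 0.8–0.9 band, which is why the sweep below reports the optimum for whatever $n$, $t$, $G$, $C$ are supplied rather than assuming one).

```python
"""Expected net profit of a cooperating device, eqs. (6)-(7) of Section V (added example)."""
from math import comb


def pr_success(n: int, t: int, a: float) -> float:
    """Eq. (6): probability that at least t+1 of n devices cooperate, each with probability a."""
    return sum(comb(n, i + 1) * a ** (i + 1) * (1 - a) ** (n - (i + 1)) for i in range(t, n))


def p_avg(n: int, t: int, a: float, G: float, C: float) -> float:
    """Eq. (7): expected gain G * Pr_success minus the expected cost C * a of cooperating."""
    return G * pr_success(n, t, a) - C * a


def best_cooperation_probability(n: int, t: int, G: float, C: float, step: float = 0.01):
    """Sweep a over [0, 1] as Figure 6 does and return (a*, P_avg(a*)) at the maximum profit."""
    grid = [round(i * step, 10) for i in range(int(round(1 / step)) + 1)]
    a_star = max(grid, key=lambda a: p_avg(n, t, a, G, C))
    return a_star, p_avg(n, t, a_star, G, C)


if __name__ == "__main__":
    # Constructed n, t; G = 20 and the cost values are the ones plotted in Figure 6.
    for C in (0.1, 1, 5, 10, 20):
        print(C, best_cooperation_probability(5, 2, 20, C))
```

Because $Pr_{success}$ flattens out as $a \to 1$ whenever $n - t \geq 2$, any positive cost pulls the optimum strictly below $a = 1$, and a larger $C$ pulls it further down; that is the qualitative shape the paper reads off Figure 6.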
A clustering mechanism with a hierarchical key distribution scheme can be used to tailor the proposed keying scheme in such a way as to provide higher scalability for the given use case. As described in Section III, network slices can be assigned under multiple scenarios (i.e., dedicated or shared slices), or the TPMA may request data from devices served by different slices. Moreover, when the number of devices served by one network slice drastically increases from hundreds to thousands (e.g., sensor networks), it will be challenging to adjust the values of $n$ and $t$ accordingly. One responsible node (e.g., a cluster head) can be assigned to a group of devices, and each of those cluster heads can provide the consent to the TPMA on behalf of its leaf nodes (i.e., end devices).
Fig. 6: The behaviour of the expected net profit with the probability of device cooperation at different costs (expected net profit $P_{avg}$ against the device cooperating probability $a$, for $C$ = 0.1, 1, 5, 10 and 20).
VI. SECURITY PROPERTIES
The security properties of the keying scheme are described considering the threat model mentioned in Section III. The keying scheme takes advantage of a multitude of secret shares to reconstruct the key $k$ generated by the AUSF. Since the scheme takes the consent of the devices (or use cases), it can easily be adopted for a group of users, and the protocol may provide an implicit assurance of privacy protection for the monitored users.
1) DDoS flooding attacks: Although the devices provide their consent to the key reconstruction process, they do not have direct communication with the TPMA. Instead, the message comes from the slice itself, which is assumed to deliver it securely. Therefore, on the networked devices, the protocol clearly prevents DoS attacks created by external parties. However, since all the TPMA communications occur across an untrusted network, it is necessary to apply conventional protection mechanisms such as IPsec and TLS. Standard DDoS defensive mechanisms should be implemented at the network slice manager, which is the first contact point of the TPMA [16].
2) Data tampering attacks: When a request comes from a TPMA, the slice always shares the encoded data associated with that stand-alone request. Since the data is in encoded form, it will be hard for an external attacker to retrieve any useful information out of it for future attacks. Moreover, sending encrypted data prevents tampering attacks during data transportation.
3) Key-compromise impersonation attacks: According to the Lagrange polynomial interpolation, $t+1$ private key shares out of the $n$ shares are used to reconstruct the key $k$. Therefore, as long as an internal adversary is not able to solve the discrete logarithm problem and does not compromise at least $t+1$ devices in the factory, the adversary is not able to get any information about the private key ($d$) or to reconstruct the key $k$. Regular updates of the key shares and the polynomials will also increase the security strength of the scheme and mitigate the risk of key-compromise attacks.
VII. CONCLUSION
In summary, we proposed a keying scheme for network slicing based systems that provides secure accessibility for third party monitoring applications with the consent of the networked devices. The keying scheme is discussed considering its performance, scalability and security properties along with its high-level integration in the 5G service based architecture. According to the performance analysis of the keying scheme, the devices receive the maximum average net profit at a cooperation probability between 0.8 and 0.9. The proposed solution has great flexibility to tailor its behaviour and characteristics based on the required security strength and the use case scenario. Our future research is focused on implementing the proposed keying scheme and analyzing its behaviour with respect to delay and scalability.
ACKNOWLEDGMENT
This work has been performed under the framework of the 6Genesis Flagship (grant 318927), 5GEAR, SecureConnect and RESPONSE 5G (Grant No: 789658) projects. This research is funded by the Academy of Finland, Business Finland and the European Union.
REFERENCES
[1] 3GPP, “System Architecture for the 5G Systems,” Technical Specification, June 2018. [Online]. Available: https://www.etsi.org/deliver/etsi_ts/123500_123599/123501/15.02.00_60/ts_123501v150200p.pdf
[2] A. Gupta and R. K. Jha, “A survey of 5G network: Architecture and emerging technologies,” IEEE Access, vol. 3, pp. 1206–1232, 2015.
[3] 3GPP, “Study on management and orchestration of network slicing for next generation network,” Technical Specification, June 2018. [Online]. Available: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3091
[4] International Telecommunication Union, “Terms and definitions for IMT-2020 network: ITU-T Y.3100 (09/2017),” Sep 2017.
[5] Y. Siriwardhana, P. Porambage, M. Liyanage, J. S. Walia, M. Matinmikko-Blue, and M. Ylianttila, “Micro-Operator driven Local 5G Network Architecture for Industrial Internet,” in IEEE Wireless Communications and Networking Conference (WCNC). IEEE, 2019, pp. 1–8.
[6] I. Afolabi, T. Taleb, K. Samdanis, A. Ksentini, and H. Flinck, “Network slicing and softwarization: A survey on principles, enabling technologies, and solutions,” IEEE Communications Surveys & Tutorials, vol. 20, no. 3, pp. 2429–2453, 2018.
[7] NGMN Alliance, “5G security recommendations package 2: Network slicing,” Apr 2016.
[8] R. Khan, P. Kumar, D. N. K. Jayakody, and M. Liyanage, “A Survey on Security and Privacy of 5G Technologies: Potential Solutions, Recent Advancements and Future Directions,” IEEE Communications Surveys & Tutorials, 2019.
[9] C. M. Moreira, G. Kaddoum, and E. Bou-Harb, “Cross-layer authentication protocol design for ultra-dense 5G HetNets,” in IEEE International Conference on Communications (ICC), 2018, pp. 1–7.
[10] J. Ni, X. Lin, and X. S. Shen, “Efficient and secure service-oriented authentication supporting network slicing for 5G-enabled IoT,” IEEE Journal on Selected Areas in Communications, vol. 36, no. 3, pp. 644–657, 2018.
[11] J. Liu, L. Zhang, R. Sun, X. Du, and M. Guizani, “Mutual heterogeneous signcryption schemes for 5G network slicings,” IEEE Access, vol. 6, pp. 7854–7863, 2018.
[12] J. Suomalainen, K. Ahola, M. Majanen, O. Mämmelä, and P. Ruuska, “Security Awareness in Software-Defined Multi-Domain 5G Networks,” Future Internet, vol. 10, no. 3, p. 27, 2018.
[13] M. Schaffer and P. Schartner, “Video Surveillance: A Distributed Approach to Protect Privacy,” in Communications and Multimedia Security, ser. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2005, vol. 3677, pp. 140–149. [Online]. Available: http://dx.doi.org/10.1007/11552055_14
[14] A. Shamir, “How to Share a Secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.
[15] T. El Gamal, “A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms,” in Proceedings of CRYPTO 84 on Advances in Cryptology, 1985, pp. 10–18.
[16] J. Mirkovic and P. Reiher, “A taxonomy of DDoS attack and DDoS defense mechanisms,” ACM SIGCOMM Computer Communication Review, vol. 34, no. 2, pp. 39–53, 2004.
... The operation of this system obviously must be in synchronization with the cybersecurity systems. As an example, the figure shows a case of potential use of a quantum key distribution system, described in detail in [54], to increase the confidentiality level of transmitted data. Thus, in the case of measuring security indicators and identifying problems, for example, with confidentiality, quantum fundamental distribution mechanisms can be used. ...
... In order to collect information about any operations that occur on the network, analyze them, and, accordingly, make decisions based on the assessments made, it is proposed to add either an additional network function to the core of the network, which will contain all the functionality necessary for this or, more straightforward at first, especially The operation of this system obviously must be in synchronization with the cybersecurity systems. As an example, the figure shows a case of potential use of a quantum key distribution system, described in detail in [54], to increase the confidentiality level of transmitted data. Thus, in the case of measuring security indicators and identifying problems, for example, with confidentiality, quantum fundamental distribution mechanisms can be used. ...
Article
Full-text available
It is clear that 5G networks have already become integral to our present. However, a significant issue lies in the fact that current 5G communication systems are incapable of fully ensuring the required quality of service and the security of transmitted data, especially in government networks that operate in the context of the Internet of Things, hostilities, hybrid warfare, and cyberwarfare. The use of 5G extends to critical infrastructure operators and special users such as law enforcement, governments, and the military. Adapting modern cellular networks to meet the specific needs of these special users is not only feasible but also necessary. In doing so, these networks must meet additional stringent requirements for reliability, performance, and, most importantly, data security. This scientific paper is dedicated to addressing the challenges associated with ensuring cybersecurity in this context. To effectively improve or ensure a sufficient level of cybersecurity, it is essential to measure the primary indicators of the effectiveness of the security system. At the moment, there are no comprehensive lists of these key indicators that require priority monitoring. Therefore, this article first analyzed the existing similar indicators and presented a list of them, which will make it possible to continuously monitor the state of cybersecurity systems of 5G cellular networks with the aim of using them for groups of special users. Based on this list of cybersecurity KPIs, as a result, this article presents a model to identify and evaluate these indicators. To develop this model, we comprehensively analyzed potential groups of performance indicators, selected the most relevant ones, and introduced a mathematical framework for their quantitative assessment. Furthermore, as part of our research efforts, we proposed enhancements to the core of the 4G/5G network. These enhancements enable data collection and statistical analysis through specialized sensors and existing servers, contributing to improved cybersecurity within these networks. Thus, the approach proposed in the article opens up an opportunity for continuous monitoring and, accordingly, improving the performance indicators of cybersecurity systems, which in turn makes it possible to use them for the maintenance of critical infrastructure and other users whose service presents increased requirements for cybersecurity systems.
... providers are able to create a much more reliable and efficient network. This is because resources such as bandwidth and computing power can be dynamically allocated for users based on specific service requirements [2]. Additionally, virtual systems allow for cost savings in resource management by using more efficient resource sharing between multiple services. ...
Article
The emergence of virtualization in 5G cloud computing networks puts it at greater risk of cyber-attacks, with a major reliance on the communication between virtual systems. To address these concerns, this paper proposes a secure serverless communication scheme for virtual systems in 5G cloud networks. A system with two roles, sender and receiver, is used to exchange control messages, with the sender responsible for authentication and encryption and the receiver responsible for decryption and validation. To ensure secure and reliable communication, the proposed scheme uses the Elliptic Curve Cryptography (ECC) method, along with a proposal of a symmetric cryptographic algorithm called AES-CTR. In addition, the proposed scheme also includes a distributed identity-based approach to prevent replay and man-in-the-middle attacks. Simulation results demonstrate that the proposed scheme can securely and reliably transfer data between virtual systems in 5G cloud networks and achieve higher efficiency in terms of security as compared to existing schemes. Additionally, the proposed scheme is verified in an NS-3 simulation framework.
... Others propose security for applications that run on network slicing, others propose security mechanisms between the functional blocks of network slicing architectures. [Porambage et al. 2019] proposed a security keying scheme based on a combination of key generation, distribution, and management techniques for a Smart Factory use case. The scheme uses Shamir's secret sharing method to enable data access for third-party monitoring tools of network slicing. ...
Conference Paper
Network slicing architectures are fundamental for providing connectivity to demanding users and applications in heterogeneous network infrastructures. Such architectures have evolved significantly in recent years, especially with improvements in security and reliability functions. However, the improvements in these architectures are functionally specific and are not considered throughout the entire architecture lifecycle, opening opportunities for secure, and reliable native architectures. Thus, this paper designs and evaluates an Identity and Access Management (IAM) mechanism while providing security and reliability for building blocks of slicing architectures. Our findings concern a comparative evaluation of the IAM mechanism and its behavior under stress loads, as well as an experimental assessment of a secure defense mechanism against Distributed Denial-of-Service (DDoS) attacks.
... Since then, secure and privacy-preserving network slicing has received increasing attention. For example, Porambage et al. [5] proposed a secure keying scheme for network slicing architecture that can protect data against tampering attacks and key-compromise impersonation attacks and provide privacy protection of mobile users. Hum et al. [6] proposed a secure V2V communication based on 5G by utilizing network slicing to guarantee different features of V2X services and security requirements in network slicing. ...
Preprint
Network slicing in 3GPP 5G system architecture has introduced significant improvements in the flexibility and efficiency of mobile communication. However, this new functionality poses challenges in maintaining the privacy of mobile users, especially in multi-hop environments. In this paper, we propose a secure and privacy-preserving network slicing protocol (SPNS) that combines 5G network slicing and onion routing to address these challenges and provide secure and efficient communication. Our approach enables mobile users to select network slices while incorporating measures to prevent curious RAN nodes or external attackers from accessing full slice information. Additionally, we ensure that the 5G core network can authenticate all RANs, while avoiding reliance on a single RAN for service provision. Besides, SPNS implements end-to-end encryption for data transmission within the network slices, providing an extra layer of privacy and security. Finally, we conducted extensive experiments to evaluate the time cost of establishing network slice links under varying conditions. SPNS provides a promising solution for enhancing the privacy and security of communication in 5G networks.
... Bernhard et al. [14] proposed a mechanism and surveyed some papers related to network slice authentication. Porambage et al. [15] presented an authentication mechanism to generate the security keys during the authentication between the entities involved in the authentication. In order to prevent the learning attack and to secure privacy, [6] proposed an authentication mechanism. ...
Article
Network slicing is considered as one of the key technologies in future telecommunication networks as it can split the physical network into a number of logical networks tailored to diverse purposes that allow users to access a variety of services speedily. The fifth-generation (5G) mobile network can support a variety of applications by using network slicing. However, security (especially authentication) is a significant issue when users access the network slice-based services. Various authentication schemes are designed to secure access, and only a few offer cross-network slice authentication. The security analysis of existing cross-network authentication schemes shows that they are vulnerable to several types of attacks. Therefore, we propose an authentication mechanism that offers cross-network slice authentication and prevents all the aforementioned vulnerabilities. The security verification of the authentication mechanism is carried out informally and formally (ROR logic and Scyther tool) to ensure that it handles all the vulnerabilities. The comparison of empirical evaluation shows that the proposed scheme is less costly than its competitors. Java-based implementations of the proposed protocols are used to imitate a real environment, showing that our proposed protocol maintains almost the same performance as state-of-the-art solutions while providing additional security features.
Article
Network slicing is a pivotal technology in upcoming telecommunications. It enables the segmentation of the physical network into multiple tailored logical networks. These networks serve diverse purposes, facilitating users' swift access to a range of services. The 5G mobile network leverages network slicing to accommodate various consumer applications. Nevertheless, security concerns, particularly regarding authentication, pose a significant challenge in network slicing. Various asymmetric encryption-based authentication protocols are designed to protect network-slicing communication. The state of the art shows that these solutions are either expensive or vulnerable. They face severe attacks, including privacy issues, traceability, and ephemeral secret leakage. They also do not offer perfect forward secrecy. Most of the existing protocols are based on asymmetric encryption. Therefore, considering the above, a symmetric encryption-based authentication protocol is designed to tackle the problem of cost and security. The security of the designed protocol is verified using both informal and formal methods. These include real-or-random logic and the Scyther validation tool. This ensures that the proposed protocol offers robust security. Moreover, a comparative analysis is conducted to demonstrate the effectiveness of the proposed protocol. This analysis evaluates computational, communication, storage, and energy consumption costs, comparing the protocol to its competitors.
Article
Established and emerging technologies such as 5G, Internet of Things (IoT), and blockchain will play an increasingly significant role in smart city applications, which reinforce the importance of designing security and privacy-aware/preserving solutions. Hence, we comprehensively survey articles focusing on blockchain for a secure IoT-enabled smart city based on 5G and beyond, published between 2016 and 2023. In this survey, we first introduce the seminal contributions and background technological knowledge regarding smart city. Furthermore, based on the layered blockchain-based architecture of the IoT-enabled smart city, we provide an all-inclusive summary of previous works and outline the blockchain research framework in smart city. Then, we discuss how to use blockchain and beyond 5G in smart city applications, including smart manufacturing, and smart vehicular networks. In addition to reviewing the existing approaches described in the 125 articles surveyed, we also identify several limitations and present potential extensions to design future blockchain-based solutions for smart cities.
Article
The dawn of softwarized networks enables Network Slicing (NS) as an important technology towards allocating end-to-end logical networks to facilitate diverse requirements of emerging applications in fifth-generation (5G) mobile networks. However, the emergence of NS also exposes novel security and privacy challenges, primarily related to aspects such as NS life-cycle security, inter-slice security, intra-slice security, slice broker security, zero-touch network and management security, and blockchain security. Hence, enhancing NS security, privacy, and trust has become a key research area toward realizing the true capabilities of 5G. This paper presents a comprehensive and up-to-date survey on NS security. The paper articulates a taxonomy for NS security and privacy, laying the structure for the survey. Accordingly, the paper presents key attack scenarios specific to NS-enabled networks. Furthermore, the paper explores NS security threats, challenges, and issues while elaborating on NS security solutions available in the literature. In addition, NS trust and privacy aspects, along with possible solutions, are explained. The paper also highlights future research directions in NS security and privacy. It is envisaged that this survey will concentrate on existing research work, highlight research gaps and shed light on future research, development, and standardization work to realize secure NS in 5G and beyond mobile communication networks.
Article
Security has become the primary concern in many telecommunications industries today as risks can have high consequences. Especially, as the core and enabling technologies will be associated with the 5G network, confidential information will move at all layers in future wireless systems. Several incidents revealed that the hazard encountered by an infected wireless network not only affects security and privacy concerns, but also impedes the complex dynamics of the communications ecosystem. Consequently, the complexity and strength of security attacks have increased in the recent past, making the detection or prevention of sabotage a global challenge. From the security and privacy perspectives, this paper presents comprehensive details on the core and enabling technologies which are used to build the 5G security model: network softwarization security, PHY (physical) layer security and 5G privacy concerns, among others. Additionally, the paper includes discussion on security monitoring and management of 5G networks. This paper also evaluates the related security measures and standards of core 5G technologies by resorting to different standardization bodies and provides a brief overview of 5G standardization security forces. Furthermore, the key projects of international significance, in line with the security concerns of 5G and beyond, are also presented. Finally, a future directions and open challenges section has been included to encourage future research.
Conference Paper
In addition to the high degree of flexibility and customization required by different vertical sectors, 5G calls for a network architecture that ensures ultra-responsive and ultra-reliable communication links. The novel concept called micro-operator (uO) enables a versatile set of stakeholders to operate local 5G networks within their premises with a guaranteed quality and reliability to complement mobile network operators' (MNOs) offerings. In this paper, we propose a descriptive architecture for emerging 5G uOs which provides user specific and location specific services in a spatially confined environment. The architecture is discussed in terms of network functions and the operational units which entail the core and radio access networks in a smart factory environment which supports industry 4.0 standards. Moreover, in order to realize the conceptual design, we provide simulation results for the latency measurements of the proposed uO architecture with respect to an augmented reality use case in industrial internet. Thereby we discuss the benefits of having uO driven local 5G networks for specialized user requirements, rather than continuing with the conventional approach where only MNOs can deploy cellular networks.
Article
Network slicing has been identified as the backbone of the rapidly evolving 5G technology. However, as its consolidation and standardization progress, there is no literature that comprehensively discusses its key principles, enablers and research challenges. This paper elaborates network slicing from an end-to-end perspective, detailing its historical heritage, principal concepts, enabling technologies and solutions as well as the current standardization efforts. In particular, it overviews the diverse use cases and network requirements of network slicing, the pre-slicing era, considering RAN sharing as well as the end-to-end orchestration and management, encompassing the radio access, transport network and the core network. This paper also provides details of specific slicing solutions for each part of the 5G system. Finally, this paper identifies a number of open research challenges and provides recommendations towards potential solutions.
Article
Fifth generation (5G) technologies will boost the capacity and ease the management of mobile networks. Emerging virtualization and softwarization technologies enable more flexible customization of network services and facilitate cooperation between different actors. However, solutions are needed to enable users, operators, and service providers to gain an up-to-date awareness of the security and trustworthiness of 5G systems. We describe a novel framework and enablers for security monitoring, inferencing, and trust measuring. The framework leverages software-defined networking and big data technologies to customize monitoring for different applications. We present an approach for sharing security measurements across administrative domains. We describe scenarios where the correlation of multi-domain information improves the accuracy of security measures with respect to two threats: end-user location tracking and Internet of things (IoT) authentication storms. We explore the security characteristics of data flows in software networks dedicated to different applications with a mobile network testbed.
Conference Paper
Creating a secure environment for communications is becoming a significantly challenging task in 5G Heterogeneous Networks (HetNets) given the stringent latency and high capacity requirements of 5G networks. This is particularly true knowing that the infrastructure tends to be highly diversified, especially with the continuous deployment of small cells. In fact, frequent handovers in these cells introduce unnecessarily recurring authentications leading to increased latency. In this paper, we propose a software-defined wireless network (SDWN)-enabled fast cross-authentication scheme which combines non-cryptographic and cryptographic algorithms to address the challenges of latency and weak security. Initially, the received radio signal strength vectors at the mobile terminal (MT) are used as a fingerprinting source to generate an unpredictable secret key. Subsequently, a cryptographic mechanism based upon the authentication and key agreement protocol, employing the generated secret key, is performed in order to improve the confidentiality and integrity of the authentication handover. Further, we propose a radio trusted zone database aiming to enhance the frequent authentication of radio devices which are present in the network. In order to reduce recurring authentications, a given covered area is divided into trusted zones where each zone contains more than one small cell, thus permitting the MT to initiate a single authentication request per zone, even if it keeps roaming between different cells. The proposed scheme is analyzed under different attack scenarios and its complexity is compared with cryptographic and non-cryptographic approaches to demonstrate its security resilience and computational efficiency.
Article
With the emergence of mobile communication technologies, we are entering the fifth generation mobile communication system (5G) era. Various application scenarios will arise in the 5G era to meet the different service requirements. Different 5G network slices may deploy different public key cryptosystems. The security issues among the heterogeneous systems should be considered. In order to ensure secure communications between 5G network slices in different public key cryptosystems, we propose two heterogeneous signcryption schemes which can achieve mutual communications between the Public Key Infrastructure (PKI) and the CertificateLess public key Cryptography (CLC) environment. We prove that our schemes have INDistinguishability against Adaptive Chosen Ciphertext Attack (IND-CCA2) under the Computational Diffie-Hellman Problem (CDHP) and Existential UnForgeability against adaptive Chosen Message Attack (EUF-CMA) under the Discrete Logarithm Problem (DLP) in the random oracle model. We also set up two heterogeneous cryptosystems on Raspberry Pi to simulate the interprocess communication between different public key environments. Furthermore, we quantify and analyze the performance of each scheme. Compared with the existing schemes, our schemes have greater efficiency and security.
Article
In the near future, i.e., beyond 4G, some of the prime objectives or demands that need to be addressed are increased capacity, improved data rate, decreased latency, and better quality of service. To meet these demands, drastic improvements need to be made in cellular network architecture. This paper presents the results of a detailed survey on the fifth generation (5G) cellular network architecture and some of the key emerging technologies that are helpful in improving the architecture and meeting the demands of users. In this detailed survey, the prime focus is on the 5G cellular network architecture, massive multiple input multiple output technology, and device-to-device communication (D2D). Along with this, some of the emerging technologies that are addressed in this paper include interference management, spectrum sharing with cognitive radio, ultra-dense networks, multi-radio access technology association, full duplex radios, millimeter wave solutions for 5G cellular networks, and cloud technologies for 5G radio access networks and software defined networks. In this paper, a general probable 5G cellular network architecture is proposed, which shows that D2D, small cell access points, network cloud, and the Internet of Things can be a part of 5G cellular network architecture. A detailed survey is included regarding current research projects being conducted in different countries by research groups and institutions that are working on 5G technologies.
Conference Paper
The topmost concern of users who are kept under surveillance by a CCTV system is the loss of their privacy. To gain a high acceptance by the monitored users, we have to ensure that the recorded video material is only available to a subset of authorized users under exactly previously defined circumstances. In this paper we propose a CCTV video surveillance system providing privacy in a distributed way using threshold multi-party computation. Due to the flexibility of the access structure, we can handle the problem of losing private-key shares that are necessary for reconstructing video material as well as adding new users to the system. If a pre-defined threshold is reached, a shared update of the master secret and the according re-encryption of previously stored ciphertext without revealing the plaintext is provided.
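The two threshold mechanisms named on this page, Shamir's secret sharing for third-party monitoring access in the Porambage et al. keying scheme (cited above) and the threshold multi-party handling of lost key shares and newly added users in the CCTV paper, rest on one construction: a random polynomial over a prime field whose constant term is the key. The following Python is an added illustration of that construction and is not code from either paper. It splits a key into (t, n) shares, reconstructs it from any t of them, lets t holders issue a share to a new party without any of them reassembling the key, and refreshes all shares so that a share lost or leaked before the refresh becomes useless. The field prime, the parameters and the sample key are assumptions chosen for the example.

```python
"""Shamir (t, n) threshold sharing over a prime field, plus two threshold-MPC
operations: issuing a share to a new party and proactively refreshing shares.

Added illustration only; not code from Porambage et al. or from the CCTV paper.
PRIME, the (t, n) parameters and the sample key are assumptions for the example.
"""
import secrets

PRIME = (1 << 127) - 1  # Mersenne prime; large enough to hold a 128-bit key


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... (mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def _random_poly(constant, degree):
    """Random polynomial of the given degree with a fixed constant term."""
    return [constant] + [secrets.randbelow(PRIME) for _ in range(degree)]


def split_secret(secret, n, t):
    """Return {x: f(x)} for x = 1..n, where f is random of degree t-1, f(0) = secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 <= t <= n < PRIME:
        raise ValueError("need 1 <= t <= n")
    f = _random_poly(secret, t - 1)
    return {x: _eval_poly(f, x) for x in range(1, n + 1)}


def _lagrange_coeffs(xs, target):
    """Lagrange basis values lambda_i(target), so f(target) = sum lambda_i * f(x_i)."""
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    lams = []
    for xi in xs:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (target - xj) % PRIME
                den = den * (xi - xj) % PRIME
        lams.append(num * pow(den, PRIME - 2, PRIME) % PRIME)
    return lams


def recover_secret(shares, t):
    """Reconstruct f(0) from at least t shares; refuse to compute garbage from fewer."""
    if len(shares) < t:
        raise ValueError(f"need {t} shares, got {len(shares)}")
    xs = list(shares)
    lams = _lagrange_coeffs(xs, 0)
    return sum(lam * shares[x] for lam, x in zip(lams, xs)) % PRIME


def issue_share_mpc(shares, t, new_x):
    """t holders jointly hand party new_x its share f(new_x).

    Holder i contributes lambda_i * y_i blinded by pairwise random masks that cancel
    in the sum, so the new party learns only f(new_x) and no single party ever
    holds enough to reconstruct the key.
    """
    if new_x == 0 or new_x in shares:
        raise ValueError("new index must be nonzero and unused")
    xs = list(shares)[:t]
    if len(xs) < t:
        raise ValueError("not enough holders")
    lams = _lagrange_coeffs(xs, new_x)
    contributions = {x: lam * shares[x] % PRIME for x, lam in zip(xs, lams)}
    for a in range(len(xs)):  # holder a adds s, holder b subtracts the same s
        for b in range(a + 1, len(xs)):
            s = secrets.randbelow(PRIME)
            contributions[xs[a]] = (contributions[xs[a]] + s) % PRIME
            contributions[xs[b]] = (contributions[xs[b]] - s) % PRIME
    # Each blinded contribution alone is uniformly random; only the sum is meaningful.
    return sum(contributions.values()) % PRIME


def refresh_shares(shares, t):
    """Proactive refresh: every holder adds a fresh sharing of 0 to all shares.

    f(0) is unchanged, but old and new shares no longer lie on one polynomial,
    so shares lost or leaked before the refresh cannot be combined with new ones.
    """
    new = dict(shares)
    for _ in shares:
        g = _random_poly(0, t - 1)  # this holder's zero-constant polynomial
        for x in new:
            new[x] = (new[x] + _eval_poly(g, x)) % PRIME
    return new


if __name__ == "__main__":
    key = secrets.randbelow(PRIME)  # sample 127-bit key, constructed for the demo
    shares = split_secret(key, 5, 3)
    print(recover_secret({x: shares[x] for x in (1, 3, 5)}, 3) == key)
    new_y = issue_share_mpc(shares, 3, 6)
    print(recover_secret({4: shares[4], 5: shares[5], 6: new_y}, 3) == key)
```

Two practical caveats: the field must be larger than the secret (a 256-bit key needs a larger prime than the one assumed here), and plain Shamir gives no way to detect a holder who submits a wrong share; a deployment that admits third parties, as both cited works do, would use a verifiable variant (Feldman or Pedersen commitments) so that a bad contribution is caught rather than silently corrupting the reconstructed key.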
Article
5G network is considered as a key enabler in meeting continuously increasing demands for future Internet of Things (IoT) services, including high data rate, numerous devices connection and low service latency. To satisfy these demands, network slicing and fog computing have been envisioned as promising solutions in service-oriented 5G architecture. However, security paradigms enabling authentication and confidentiality of 5G communications for IoT services remain elusive, but indispensable. In this paper, we propose an efficient and secure service-oriented authentication framework supporting network slicing and fog computing for 5G-enabled IoT services. Specifically, users can efficiently establish connections with 5G core network and anonymously access IoT services under their delegation through proper network slices of 5G infrastructure selected by fog nodes based on the slice/service types of accessing services. The privacy-preserving slice selection mechanism is introduced to preserve both configured slice types and accessing service types of users. In addition, session keys are negotiated among users, local fogs and IoT servers to guarantee secure access of service data in fog cache and remote servers with low latency. We evaluate the performance of the proposed framework through simulations to demonstrate its efficiency and feasibility under 5G infrastructure.