The fifth-generation (5G) mobile communication technology has already deployed commercially and become a global research focus. The new features of 5G include unlimited information exchange, a large variety of connections with independent energy, and diversified high transmission rate services. Collective synergy of services is expected to change the way of life and future generations and introduce new converged services to the ICT industry. Different application services have to meet differentiated security demands. From the perspective of security, in order to support the multiservice of 5G services, it is necessary to consider the new security mechanism driven by the service. Based on 5G massive data stream, the 5G system can provide customized real-world services for potential users and reduce the user experience gap in different scenarios. However, 3GPP Extensible Authentication Protocol (EAP), which is the present entity authentication mechanism for the 5G service layer, is only an individual authentication architecture and unable to fulfill the flexible security objectives of differentiated services. In this paper, we present a new hierarchical identity management framework as well as an adaptable and composable three-factor authentication and session key agreement protocol for different applications in 5G multiservice systems. Finally, we propose an authorization process by combining with the proposed three-factor authentication mechanism and Service-Based Architecture (SBA) proposed by the 3GPP committee. The proposed mechanism can concurrently provide diverse identity authentication schemes corresponding to four different security levels by easily splitting or assembling three-factor authentication protocol blocks. The proposed scheme can be simultaneously applied to a variety of applications to improve the efficiency and quality of service and reduce the complexity of the whole 5G multiservice system, instead of designing or adopting several different authentication protocols. The performance evaluation results indicate that the proposed scheme can guarantee the multiple security of the system with ideal efficiency.
At present, the global 5th generation mobile communication technology (5G) commercial development has begun to take shape and been recognized as main supporting technologies of mobile networks. It has become the focus of global mobile communication research and technology competition. Compared with the existing 4G network, 5G network aims to provide high quality and reliable services such as higher data rate, ultralower latency, massive connectivity, high energy efficiency, and accurate quality of experience (QoE) . The 5G network can realize more kinds of dynamic customization and scalable network services by adopting software-defined network (SDN) and network function virtualization (NFV) technologies. Due to its powerful bandwidth and service capability, a significant number of new applications are introduced into the 5G network platform, such as augmented reality, multimedia video business, mobile industrial internet, autonomous driving, and mobile electronic health services.
There are new security requirements and challenges in 5G, so it is not enough to provide the traditional security mechanism. 5G network will support massive smart devices and various forms of terminals; thus, 5G network is driven to introduce new identity management methods. The generation, distribution, and other lifecycle management of users’ identification involved in the identity management method will change .
The growing demand for diversified applications has brought about widely different services, as well as security issues such as service authentication. Moreover, due to the openness of services, a variety of different mobile terminals need to be connected to the 5G network, which also raises corresponding security trust issues and attacks [3, 4]. In diverse application scenarios, different kinds of terminals have different security demands. For example, large-scale machine-type communication (MTC) devices need lightweight security mechanisms to adapt to low energy storage; meanwhile, high-speed mobile services need more efficient and secure authentication schemes, and video services need to meet the security requirements of low latency and high reliability. If the same security scheme is used for differentiated applications, it may seriously affect the user’s service experience. The 5G intelligent computing technology, which is user centric, reconfigures the appropriate security scheme after collecting user and scene data, so as to provide better services. It is significant to provide hierarchical security protection for different services in order to better provide security services for the vertical industry. In the traditional networks, multiservice system adopts different authentication schemes for different kinds of terminals, which increases the complexity of the system and reduces the quality of user experience. According to the current 3GPP standard , 5G employs Extensible Authentication Protocol (EAP) to realize the entity identity authentication for third-party services and applications, yet EAP is an identity authentication architecture that can merely adopt unitary authentication schemes such as symmetric key cryptography or digital certificate system alone. Diverse services and applications in EAP adopt a variety of independent authentication mechanisms, which cannot support differentiated and adventurous 5G services. Consequently, a flexible and secure composable authentication and service authorization framework is urgently needed to provide comprehensive and fine-grained entity trusted security support for the vertical industry in the 5G network.
In this paper, we design a new flexible and composable multifactor authentication and session key agreement protocol under a diversified identity management architecture in 5G multiservice systems and finally give an authorization process based on the 5G unified authentication and service authorization framework. In our scheme, a new diversified identity, which includes the security levels of services and applications, is assigned by the 5G Network Repository Function (NRF) and deployed to 5G user equipment (UE) in the initial stages. Subsequently, the biometrics and password are employed in conjunction with the smart card to construct the multifactor service authentication and session key agreement protocol, which can be separated or combined according to 4 different security levels or requirements. Finally, the improved service authorization process based on the 5G service architecture is executed to provide required services for users. Without the separate implementation of different identity authentication protocols, this scheme can greatly improve the quality of service of users and reduce the complexity of the whole 5G multiservice system.
The main contributions of the paper are threefold. (1) A hierarchical identification data structure for the 5G application layer is designed. (2) A composable and potent multifactor service authentication and session key agreement protocol is proposed, which provides 4 grades of security levels of authentication. Furthermore, the proposed protocol is not the simple combination of three authentication factors but flexibly integrates them to ensure the security and the feasibility of the 5G service system. (3) We give an authorization process based on the proposed authentication mechanism and SBA architecture. (4) The BAN logic and the formal verification tool, Scyther tool, have been employed to prove that the proposed scheme can achieve multiple security functions and resist attacks.
Compared with the conference version , which barely proposed a conceptual classified mutual authentication scheme without high efficiency, formal security analysis, or detailed performance evaluation in the 5G multiservice system, we optimize the multifactor authentication scheme and provide key agreement and service authorization protocol in new design. Moreover, the formal analysis including BAN logic and CK model security analysis are employed to verify the scheme security. Then, we evaluate the computational cost, communication cost, and storage cost of our proposed scheme by comparing it with the typical EAP protocol based on the NIST standard and show the protocol performance under unknown attacks.
The rest of the paper is organized as follows. In Section 2, we investigate the related work. Section 3 introduces the biometric authentication fuzzy extractor function. Section 4 presents the security and network model. Section 5 details the processes of the proposed scheme. The security and performance analysis are revealed in Section 6 and Section 7, respectively. Finally, Section 8 summarizes the paper.
2. Related Work
The research works on the network entity authentication and process for services and applications in 4G/5G networks [7, 8] were very lacking. Shin and Kwon  proposed an anonymous three-factor authentication and access control scheme for real-time applications in WSNs. However, the scheme is liable to user collusion and desynchronization attacks. Ni et al.  designed a service-oriented anonymous authentication mechanism for enabling 5G IoT. In the scheme, an anonymous authenticated key agreement mechanism is proposed to ensure the secure connection and authentication for IoT devices and will not disclose user privacy. However, both of the schemes in [7, 8] employ the complex public key cryptosystem to design the related protocol and only achieve the single authentication method, which is not fit for 5G multiservice systems. Due to the introduction of the IoT service, users can also interactively control other devices in the 5G network, such as controlling the startup of the home appliance in the smart home scenario, so stricter authentication methods, such as biometric authentication, are required to ensure that the identity is true. Besides, there are a large number of authentication schemes based on the same authentication factors proposed in [10–14]. These schemes can achieve efficient and high-strength entity authentication, but cannot complete dynamic multifactor authentication which can adjust the security strength in the 5G multiservice network. Furthermore, some authentication mechanisms for the multiserver environment have been proposed in [15, 16]. Huang et al.  proposed a robust multifactor authentication protocol for fragile communications which can be separated to finish dynamical authentication. However, this scheme can only discuss two stand-alone schemes but cannot be composable or achieve the mutual authentication. Liao and Wang  proposed a dynamic ID-based remote user authentication scheme based on the smart card and password for the multiserver architecture. This scheme can achieve the mutual authentication and key agreement between the user and server by the use of hash function. However, Li et al.  pointed out that the scheme  is vulnerable to masquerade attacks.
Biometrics with certain probability distribution characteristics such as facial recognition are not completely random and limited. In order to protect the user’s biometric data and privacy, biometrics cannot be stored on the remote server and must be fuzzed. Fuzzy extractor can compact a pseudo-random eigenvalue string from a low-entropy string and is generally used to extract and recover secret features from biometrics. Based on the definition in , a fuzzy extractor can be described as a quintuple of including the following functions.
3.1. Metric Space
It is a set with a distance function : . The function is a measure of the difference between two variables, for example, Hamming distance.
3.2. Min Entropy
is the minimum-case entropy of a random variable A.
3.3. Statistic Distance
The statistical distance between two probability distributions and is defined as .
3.4. Fuzzy Extractor
A fuzzy extractor is represented as a quintuple of including a pair of procedures, “generate” (Gen) and “reproduce” (Rep).(1)The probabilistic generation procedure is Any input is a low-entropy string. In the output pair, is called as a characteristic string, and is an auxiliary string. For any distribution on of min-entropy , the string is nearly random even for those who observe : if ; then, we have SD , where represents the uniform distribution on bit binary strings.(2)The deterministic reproduction procedure is For all , if and , the fuzzy extractor can recover the pseudo-random string from by computing .
Thus, fuzzy extractors are capable of extracting pseudo-random string from a low-entropy string such as biometrics and then reproduce from any string extremely similar to with the unclassified auxiliary string .
4. System and Security Model
4.1. Network Model
5G network needs to establish different trust models according to the characteristics of different services and provide flexible management modes according to the demands of industry users. Operators already have relatively complete security capabilities, such as authentication, ID management, and key management. In order to reduce operating and maintenance costs, vertical industries can entrust service authentication to operators. Operators can perform network and service authentication in a unified manner to achieve direct network access to multiple services. The authentication capability of the operator not only greatly facilitates the user but also provides a vertical industry as a value-added service to help it rapidly deploy the service.
Based on the principle of the service center, the 3GPP committee has designed a new 5G service secure architecture which describes the authentication and authorization of 5G services and applications: Service-Based Architecture (SBA) , as shown in Figure 1. There are 3 roles of the 5G SBA authentication and authorization framework including user equipment (UE), network repository function (NRF), and network function (NF) service producer. PLMN and gNB in Figure 1 are the public land mobile network and 5G base station, respectively.