5G Scenarios and Security Design

November 2016
5G 5G Scenarios and Security Design

4
 5G Scenarios and Security Design 5G

Contents

Foreword

1 Overview 1
5G Security Requirements and Challenges

5G Security Design

Security Concerns of 5G Service Scenarios

2 Security Design for eMBB Service Scenarios 5

Early 5G Services (VR/AR and HD Video) Are Driving the Rapid Growth of 5G Networks

5G Security Supports Differentiated Services, Heterogeneous Access, and Open Application

Environments

Design of Key 5G Security Features

3 Security Design for mMTC Service Scenarios 11

5G Networks Provide Support for Vertical Industries Such as Smart Transportation, Smart Grid, and
Smart Manufacturing

mMTC Security Allows for Low-Cost, Efficient, and Ubiquitous Connectivity

Decentralized Identity Management and Authentication

4 Security Design for uRLLC Service Scenarios 15

5G Is Helping uRLLC Services (Automatic Driving, Industry 4.0) to Mature

uRLLC Needs Lower Latency in Access Authentication, Transmission Protection, and Security Context
Handover

uRLLC Security Design Reduce Network Latency

5 Summary: Innovative Security Design Suitable for

Diverse Service Scenarios 19

5
5G 5G Scenarios and Security Design

Foreword
5G networks bring many novel technologies and advances for mobile
communication operators. Therefore operators are able to offer a platform
for new and better services that have not been seen in the earlier
generations. Number of mobile nodes would increase rapidly because
of developments such as Internet of Things, industrial internet and self-
driving cars. Parallel to this extension of mobile networks to new directions,
traditional users of mobile devices would enjoy from improved feature sets,
including better-quality video calls, augmented reality etc.

Extensions to completely new types of service scenarios and new types

of devices imply that the security feature set needs major extensions as
well, compared to the earlier mobile generations such as GSM, 3G and
LTE. The security architectures from earlier generations serve as a good
starting point and a basis for 5G security. Separate security modules in
the form of SIM cards and UICCs have served mobile operators and their
customers very well, and still continue to do so. Crucial security features
such as mutual authentication between users and networks, and protection
of confidential data on the radio interface are based on these modules.
But this hard-core basis has to be complemented by many other security
solutions in order to fulfill the promise of 5G networks in a secure manner.

The whole 5G service palette is so wide that it is not possible to secure all
of it with one-size-fits-all security solutions. Instead, flexibility is needed
also in the security domain but in such manner that all services are still
adequately protected while extra protection can be added for services that
require higher security. This whitepaper shows how creative solutions can
be found in all major service domains. However, further research is still
needed to explore how all these solutions form a coherent 5G security
architecture.
 5G Scenarios and Security Design 5G

Overview
5G Security Requirements and Challenges
5G Is Expected to Meet Diverse Needs in eMBB, uRLLC, and mMTC
Scenarios
5G is the next generation of mobile networks and seen as the enabler of the future digital world. 5G is neither a single piece of wireless
access technology nor simply a combination of new wireless access technologies. Rather, 5G is a truly converged network and offers
seamless support for a variety of new network deployments.

In order for a single physical network to meet numerous service requirements, the same underlying physical infrastructure is virtualized
into different network topologies and functions. This means that each service type has its own network functions and these network
functions form a separate network slice. All network slices physically originate from the same network infrastructure, greatly reducing an
operator's investment in multi-service networks. Meanwhile, network slices are logically isolated and independent of each other, enabling
different service types to be separately operated and maintained.

LTE RAN-RT
RAN-NRT
5G Cache
eMBB slice Wi-Fi AC CP UP

Mobile cloud engine

RAN-RT
LTE
RAN-NRT
V2X server
5G GW CP CP
uRLLC slice
Mobile cloud engine

LTE RAN-RT

5G
RAN-NRT
IoT server CP UP
mMTC slice Wi-Fi
RAN Mobile cloud engine

Central office DC Switch Local DC Switch Regional DC

Unified physical infrastructure

DC: Data Center eMBB: enhanced Mobile Broadband

mMTC: massive Machine Type Communications uRLLC: ultra-Reliable and Low-Latency Communications

1
5G 5G Scenarios and Security Design

5G Security Challenges and Opportunities

Service diversity is increasing (eMBB, uRLLC, and mMTC), network architecture is going to be cloud-based, and security capabilities
are gradually opening up. All of these changes imply new security challenges and tougher privacy requirements.

Various Services Have Different Security Requirements

5G networks accommodate a variety of services to meet the diverse needs of individual users and industry customers. When it comes
to network architecture, end-to-end (E2E) network slices on native cloud architecture have a rising prominence. Differentiated security is
becoming a top priority to 5G security designers as security requirements vary greatly with service types.

Unified Security Management Across Access Technologies and Devices Is Required

All 5G services need common security features, such as access authentication and confidentiality protection. Despite differences among
services, access technologies, and devices in 5G systems, a security framework with a common and essential set of security features
can address overall security requirements.

· Security management across heterogeneous access

Heterogeneous access is one of the distinct technical features of next-generation access networks. Coordination between concurrent
access from different network systems(5G, LTE, Wi-Fi), access technologies, and site types (macro, small, and micro cells) is an
everyday phenomenon. Security management is expected to offer flexibility for all access technologies.

· Security management for a large number of devices

Vertical industries use a huge variety of Internet of Things (IoT) devices. Compared with traditional devices, IoT devices are larger in
number and a large number of IoT devices have burst access behavior. A more efficient method of access authentication should be
tailored for IoT devices. Meanwhile how to deal with mass IoT devices applying (D) DoS attacks to the network is an important issue.
Comparing to a single UE, (D) DoS attacks are more damaging when massive IoT devices attacks a single network node.

Delivering Security Capabilities Help Industry Customers Develop Services

Open services present security challenges, but they also create stronger demand for security services. As the providers and operators
of 5G infrastructure platforms, telecom operators are the best enablers for service providers and they are also the trusted business
partners for industry customers.

By opening up their security capabilities, operators can develop 5G security technologies and expand their business, unleashing security
capabilities as a major potential catalyst for industry applications.

Stronger Privacy Protection Is Expected

As 5G service diversity increases and networks are more open, user data and private information will be transferred from closed
platforms to open platforms, raising privacy concerns. Meanwhile, privacy of individuals has attracted a lot of attention from people and
governments around the world. There is an immediate need for enhancing user data protection, both online and offline.

2
 5G Scenarios and Security Design 5G

5G Security Design
Common essential security capabilities should be built into 5G systems. This ensures that a unified security management mechanism
can be established across different access technologies and cloud network architectures to provide differentiated security features,
policies, and solutions to specific scenarios.

End-to-end Security Protection

E2E Data Protection Provides Better Security
Cloud network architecture and heterogeneous access increase security environment complexity. Protecting user data E2E reduces
reliance on cloud network security environments. It also avoids adverse impact on data security due to complex coordination between
different network systems, access technologies, and site types. This would ultimately enhance user data security in cloud architecture.

Differentiated Security Protection

Another benefit of E2E security protection is flexible data protection for different services. Security requirements vary greatly within
service types. On-demand data protection for service sessions can be achieved through security policy negotiation and service-specific
security management.

Avoid Repetitive Encryption and Decryption

With E2E data protection, data no longer needs to be repetitively encrypted or decrypted at intermediate network nodes. Compared with
hop-by-hop data protection, E2E data protection allows for fewer encryption and decryption attempts, shorter delay in data processing,
and higher transmission efficiency.

Unified Authentication
Unified Authentication of Heterogeneous Access
Efficient coordination between concurrent access from different network systems, access technologies, and site types is a must for
5G networks. It would be beneficial to build a common authentication mechanism, one that could manage access security of complex
access networks in a unified manner.

Support for Hybrid Authentication Protocols

In the face of diverse industries and complex service environments, 5G networks call for diversified identity management mechanisms
and authentication modes, as well as a unified authentication framework that supports a variety of authentication protocols.

Security Capabilities Open Up

Security is one of the operator's assets. By opening up security capabilities, operators can provide security services to industry
customers. It is beneficial that operators create an open service ecosystem on top of digital identity management and establish an
enhanced security management and protection mechanism that can be seamlessly integrated into the business processes of third
parties.

3
5G 5G Scenarios and Security Design

On-Demand Security Management

The 5G security framework is expected to address security requirements based on service scenarios and customer needs. Within the
security policy management framework, security policies are negotiated based on service scenarios and then applied to corresponding
network slices and nodes. This gives great flexibility in meeting the security requirements of different services.

Security Concerns of 5G Service Scenarios

International Telecommunication Union(ITU) classifies 5G mobile network services into:

· enhanced Mobile Broadband

eMBB refers specifically to bandwidth-intensive services, such as high-definition video, virtual/augmented reality (VR/AR). The
emergence of eMBB enables digital life.

· massive Machine Type Communications

mMTC is suitable in scenarios with dense connectivity, such as smart transportation, smart grid, and smart manufacturing. With the help
of mMTC, a digital society is taking shape.

· ultra-Reliable and Low Latency Communications

uRLLC is a collection of ultra latency-sensitive services, such as automatic/assisted driving and remote control. The advent of uRLLC
paints a bright future for the digital industry.

The following chapters explain how 5G security design can address the security requirements of these service types.

4
 5G Scenarios and Security Design 5G

Security Design for eMBB Service Scenarios

Early 5G Services (VR/AR and HD Video) Are Driving the Rapid

Growth of 5G Networks
With the rapid growth of mobile broadband Internet and the widespread use of smart devices, almost 50% of an operator's network
traffic comes from mobile video services. This figure will continue to increase. An immersive VR/AR service, that is accessible on-
demand, is becoming a primary eMBB scenario. Predictably, evolution from 4K/8K video to this type of immersive, on-demand mobile
service will encourage a strong demand for connectivity, as the service will become the flag bearer for early 5G services, driving 5G
networks forward.

Key 5G security features should be explored in eMBB scenarios.

5G Security Supports Differentiated Services, Heterogeneous

Access, and Open Application Environments
VR/AR and HD Video Demand Differentiated Data Protection
Differentiated security requirements for various services should be fulfilled in eMBB network slices. The potentially large market
for eMBB will produce various security requirements. For example, immersive and interactive VR/AR at anytime and anywhere will
become the next-generation social platform application for individual users, and form an ecosystem with the industry application and
the enterprise application. The former may require encrypted transmission of sensitive information, while the latter may require the
encrypted transmission of all location information. Also, the level of security protection varies among personal applications and public
services, such as security surveillance.

Concurrent High-speed Access from Different Network Systems, Access

Technologies, and Site Types Raises New Security Requirements
Unified authentication of heterogeneous access and security management are critical for a reliable and fast data transmission. Future
networks are converged and support concurrent access from both 5G and Wi-Fi networks. If different access networks use different
authentication mechanisms, security management could become very complex. In addition, the process of handling the security context
of UE mobility between different access technologies is slow and inefficient. Unified authentication and security context management is
the key to addressing these security challenges.

5
5G 5G Scenarios and Security Design

Operators Deliver Security Capabilities to Industry Customers

Since operators are good at security management, they may improve business by sharing their security capabilities with industry
customers. Industry customers are usually required to provide user security management and service content protection. Operators
already have solid security capabilities, including authentication and digital identity management capabilities. They have also won user
trust over a long period of business operations. Opening security capabilities to industry customers can achieve a win-win situation.

Stronger Privacy Protection Should Be Available

eMBB services require stricter privacy protection. Many eMBB services, such as VR/AR, deal with private information, such as user
service information, personal identities, device identifiers, and address information. The openness of heterogeneous access networks
raises new privacy concerns. Moreover, with the advances in data mining technology, private information can be collected and refined
more and more conveniently. This is done either by mining relationships between device identifiers and users or tracking users' online
behavior. A comprehensive privacy protection system must be in place to protect user privacy when they access eMBB services.

6
 5G Scenarios and Security Design 5G

Design of Key 5G Security Features

To meet differentiated security requirements for eMBB and to support high-speed data transmission as well as the rapid growth of
industry customers, 5G security key features should be explored in eMBB scenarios. These features include:

· End-to-end security protection · Unified authentication · Security capabilities open-up

Service-based security
policy negotiation

E2E security protection

Service-based security Open security
policy negotiation capabilities
Authentication
UP-GW
UP-GW Digital identity
UP-GW management
LTE Security context for
5G heterogeneous Unified authentication server for
access heterogeneous access
Wi-Fi

AN CN

Unified authentication of heterogeneous access

Service-Oriented E2E Protection to User Plane

It is advised to design a secure and efficient E2E data protection from user equipment (UE) to service anchors.

Termination Point of E2E User Plane Protection

E2E user plane protection starts from the UE and is terminated at egress gateways on operators' networks. Egress gateways are
usually deployed in core networks. In certain scenarios where services are delay-sensitive and service servers are located in the same
region as users, egress gateways may also be deployed on edge networks. If servers for the actual service are deployed on operators'
networks, user plane protection can also be terminated at these servers. No matter whether user plane protection is terminated at core
networks or local edge networks, it must be implemented in highly-trusted zones to ensure that service data can be securely processed
and stored.

Session-based E2E Protection to User Plane

Session-based E2E data protection increases security protection flexibility. The same UE may transmit different kind of session data
when using different services. 5G security design should allow for differentiated protection to different session data transmission.

Flexible Security Policy Negotiations

The 5G E2E protection design allows for the flexible and efficient negotiation of security policies. 5G networks acquire security
requirements from servers. Then, by matching security requirements with the security capabilities of services, networks, and devices,
differentiated security protection policies are determined. For example, the security algorithm, key length, and termination point of data
protection may vary between policies.

7
5G 5G Scenarios and Security Design

Protocol Design for E2E User Plane Protection

Data from different services is transmitted in different sessions as protocol data units (PDUs). According to PDU transmission protocols,
E2E user plane protection encrypts PDU payload but not headers from one end to the other. This ensures that network nodes can
correctly understand routing information.

Security policy
Internet
controller UP-GW Service provider
UP-GW

Mobile cloud engine

1. Service security requirements

2. Negotiation of E2E user-plane security policies

3. Generation and distribution of E2E protection keys

4. E2E protection to session 1

5. E2E protection to session 2

Unified and Open Authentication Framework Across Different Access

Technologies and Authentication Protocols
On 5G networks, a collection of access technologies will be used, including 5G, Long Term Evolution (LTE), Wi-Fi, and fixed network
access; some access environments are trusted and some are not. Traditionally, different access technologies use different authentication
frameworks and security context management mechanisms. The same device must be authenticated again when switching to a different
access technology. Co-existence of multiple authentication mechanisms increases security management complexity and delay due to
the mobility between different technologies.

Unified Authentication Framework and Security Management

A framework that supports multiple access technologies and authentication protocols should be in place to unify the handling of
authentication and security management. This reduces security management complexity, allowing devices to share the created security
context when moving between different access technologies. This in turn reduces the latency in adapting security context to different
access technologies. In addition, operators can select different authentication protocols for different service authentication modes and
expand their reach into third-party services more easily. The Extensible Access Protocol (EAP) authentication framework is a good
choice. It has evolved to support multiple choices of authentication protocols, such as EAP Authentication and Key Agreement (EAP-AKA)
and EAP Transport Layer Security (EAP-TLS). It is recommended that the unified authentication framework be based on EAP.

Shared
5G base station security
context

Trusted Wi-Fi
Authentication server
User subscriber data

Untrusted Wi-Fi Edge server

8
 5G Scenarios and Security Design 5G

Security Context Sharing During the Handover Between Different Access Technologies
In the unified EAP authentication mechanism, different access technologies share the security context that is used for authentication.
For example, when a device needs to switch to a different access technology, it can directly use the existing security context for fast
authentication, without needing to acquire new authentication data from the user subscriber databases. In this way, access latency is
reduced.

Identity Management Open-up Promotes the Development of the 5G

Service Ecosystem
Operators have established a global digital identity system based on UMTS subscriber identity modules (USIMs) and/or SIMs. This
system outperforms other identity management systems in terms of coverage and user base. The authentication mechanism used by
operators has been widely used and trusted. To improve user authentication reliability, most services with high security requirements
perform multi-factor authentication using short message service (SMS) verification codes.

As services are increasingly converged, it is natural that 5G operators open the security capabilities based on (U)SIM and enhance
service authentication security by introducing more authentication dimensions.

Opening digital identity management and authentication capabilities to a huge variety of 5G services through application platform
interfaces (APIs) can be a win-win situation. On one hand, operators can introduce third-party services into their own platforms, thus
building an open ecosystem favorable to operators, enhancing user loyalty, and exploring new revenue streams. Meanwhile, third-party
service providers can leverage operators' digital identity management capabilities to expand their service footprint.

Once mutual trust has been established between service providers and operators, operators can associate digital identities with service
information, allowing devices and service servers to use operators' digital identity management and network authentication capabilities
through open APIs.

Third-party
service 1. Service auth request carrying Digital identity Service auth parameters
service auth parameters
Service Device
server
6. Auth result 3. Service auth Token
2. Service auth
parameters
4. Service authentication

Digital identity Auth server

mgmt system
3. Service
5. Auth result auth Token
Network

9
5G 5G Scenarios and Security Design

Enhanced User Privacy Protection

5G networks will extend to various industries, and more and more individual users and industry customers will use 5G networks. User
privacy protection is becoming increasingly important. User IDs are important and private information that must be well protected,
especially in open environments.

A way to protect user IDs is to replace permanent IDs with random IDs, eliminating the situation in which permanent IDs have to be
transmitted over air interfaces. LTE base stations are present in 5G access networks. Therefore, the protection of international mobile
subscriber identities (IMSIs) needs to be compatible with LTE authentication signaling. Otherwise, attackers may exploit the LTE
signaling to initiate downgrade attacks. Encrypting user IDs by means of asymmetric cryptographic technique can prevent attackers from
tracing or intercepting user IDs via air interfaces.

Key security features explained above are not restricted to eMBB services. They are equally applicable to mMTC and uRLLC services.
In the following chapters we will discuss security issues that are specific to mMTC and uRLLC.

10
 5G Scenarios and Security Design 5G

Security Design for mMTC Service Scenarios

5G Networks Provide Support for Vertical Industries Such as

Smart Transportation, Smart Grid, and Smart Manufacturing
5G networks must provide reliable network communication to IoT. The large number of IoT sensors emphasize the importance of
connectivity management. For example, vehicle-to-vehicle, vehicle-to-people, vehicle-to-road, and vehicle-to-network communications
within Internet of Vehicles (IoV) systems are all based on hundreds of millions of sensors that, in turn, help keeping transport safe,
efficient, and green. A large city may have tens of millions of smart meters that, all together, report colossal amounts of metering data
to data centers every day. Smart manufacturing demands connectivity that is stable and wide-ranging. Wireless connectivity must be
provided to machines, products, and workers on-demand, linking every part of the production chain.

The large number of IoT devices could make network communication rather costly for vertical industries. 5G networks must provide
secure, reliable yet cost-efficient network access modes to a massive number of IoT devices.

11
5G 5G Scenarios and Security Design

mMTC Security Allows for Low-Cost, Efficient, and Ubiquitous

Connectivity
The conventional (U)SIM-based per-user authentication mode hinders IoT growth and user base expansion due to the conflict between
the relatively high cost in authenticating ubiquitous IoT connectivity and the low average revenue per user (ARPU) in IoT. There is a
pressing need for 5G networks to reduce costs in IoT device authentication and identity management.

A decentralized authentication mode could be a good choice for IoT because it can achieve:

• A shorter authentication chain

• Faster yet secure IoT access

• Lower authentication overheads

In addition, it eliminates the risk of signaling storms and avoids authentication nodes from becoming a bottleneck in the authentication
process.

Comparing to centralized authentication mechanism, decentralized authentication mechanism disperses the risk of attack in the
network, by avoiding a single network node attack by massive number of IoT devices, therefore reduce the risk of (D)DoS attack to the
authentication node.

Some IoT devices will send service data as small data, either individually or in batches. To improve data transmission efficiency and
network resource utilization, asymmetric cryptographic technology can be used to simultaneously transmit small service data and
identity authentication messages.

12
 5G Scenarios and Security Design 5G

Decentralized Identity Management and Authentication

The essence of decentralized management and authentication is to simplify online identity management, reduce complexity and remove
central authentication nodes. This will slash operators' deployment costs.

Layered Design Simplifies Identity Management

Layered yet unified management of network and service identities could help to defining a clear responsibility matrix between operators
and industry customers as well as tailoring identity management policies to customer needs. There are many ways to implement layered
yet unified management of network and service identities: trusted credentials required for network and service access authentication can
be generated solely by operators or by operators and their customers together.

Decentralized Authentication Improves Security Management Efficiency

Network authentication nodes should be deployed in a decentralized manner. For example, by moving them to the network edges, there
will be no need to access user identity databases at the center of networks during authentication between devices and networks.

The asymmetric key management system is based on decentralization— networks do not need to store device keys or have an always-
on-line central identity management node.

Operator Industries
Key management center
Industry 1
Key generation center Industry customer identity Identity management
management center server

NE identity management
center
Device Device

Industry 2
Identity management
server
Authentication Authentication Authentication
node node node

Device Device
Key distribution (offline) Authentication interaction (online)

IBC-based Decentralized Identity Management and Authentication

IBC stands for Identity-Based Cryptography. Unlike certificate management, IBC-based identity management uses device IDs as public
keys, eliminating the need to send credentials at the time of authentication and thus improving transmission efficiency. IBC identity
management can be easily associated with network or application IDs, giving flexibility in customizing or modifying identity management
policies.

13
5G 5G Scenarios and Security Design

IBC authentication could reduce message length and numbers of interaction in the authentication process. This means that security
capabilities can be efficiently provided to 5G mMTC services.

Messages are frequently broadcast within IoV networks. To filter out non-legitimate information between vehicles, all broadcast
messages carry identity information and need to be authenticated. IoV has limitation on the length of broadcast messages in order to
save scarce air-interface resources. If messages are long or authentication interactions are frequent, packet fragmentation will occur,
increasing message broadcast delay. To address this challenge, each vehicle-mounted device could have an IBC identity and related
key. Messages that will be broadcast to these devices are authenticated using the IBC identities. This eliminates the need to send
authentication credentials, reducing message length and delay.

V2X application
KMS server

IBC-Auth

Subscription
database eMBB
IoV scenario

Authentication
node
V2X
eV2I
Control
Function

5G Roadside
eMBB equipment V2X
access application
network
eV2I

Pedestrian IBC-Auth
eV
2I

IBC-Auth

V2X
application Vehicle Vehicle
eV2V eV2V eV2V
IBC-Auth IBC-Auth

V2X V2X
application application

14
 5G Scenarios and Security Design 5G

Security Design for uRLLC Service Scenarios

5G Is Helping uRLLC Services (Automatic Driving, Industry 4.0)

to Mature
Ultra-low latency is key to the wide use of autonomous driving, industrial control, and other ultra latency-sensitive services. E2E 5G
latency can be reduced to 1 ms under ideal conditions. In most cases, it remains between 1 ms and 10 ms. On 4G networks, E2E
latency is usually between 50 ms and 100 ms, about one order of magnitude higher than E2E 5G latency.

uRLLC refers to ultra latency-sensitive services, including autonomous or assisted driving, AR, VR, Tactile internet, and industrial
control. If network latency is too high, the uRLLC service experience will be compromised and control errors are likely to occur.

The figure below shows services that will require latency smaller than 10 ms in the 5G era.

Delay

10 ms

Power grid Real-time gaming

Augmented Tactile Virtual Autonomous

Reality internet Reality driving

1 ms

Source: GSMA Intelligence

15
5G 5G Scenarios and Security Design

uRLLC Needs Lower Latency in Access Authentication,

Transmission Protection, and Security Context Handover
E2E latency is the accumulated latency on all segments of a network path. Reducing latency on an individual segment does only little for
achieving 1-ms E2E latency. All segments of an E2E transmission path must be involved in the latency control.

Ultra-low latency can be achieved by taking a series of actions at each phase of transmission. The actions include:

• Improving air-interface transmission efficiency

• Refining network architecture

• Reducing number of intermediate transmission nodes

• Shortening the distance between a source node and a destination node

• Improving network transmission protocols

• Improving stream encoding/decoding efficiency

To achieve ultra-low E2E latency over 5G networks, the following security activities should be optimized: identity authentication, data
transmission protection, data encryption/decryption at network nodes, and security context transfer during handover of mobile devices.

Latency in context Latency in

Latency in access
re-creation during transmission
authentication
handoff protection

RAN-RT

RAN-NRT
LTE

RAN NRT Server

5G Cache GW

Latency in local Latency in local Latency in local

encryption/decryption encryption/decryption encryption/decryption

MCE CN

16
 5G Scenarios and Security Design 5G

uRLLC Security Design Reduce Network Latency

How can the aforementioned activities be optimized to achieve E2E ultra-low latency over 5G networks?

Reduce Latency in Authentication

To reduce latency during authentication between devices and networks, take the following measures:

• Reduce the distance between devices and authentication servers

For example, use distributed authentication to relocate authentication servers from central nodes to a place close to authenticated
devices. In this way, the authentication chain becomes shorter and authentication messages are transmitted faster.

• Reduce authentication protocol complexity

Methods to establish a more efficient authentication mechanism include reducing parameter quantity or message length and simplifying
authentication message processing and local computation.

Reduce Latency in Data Transmission Protection

Conventional security transmission mechanisms increase the size of the transmitted data. The additional payload increases transmission
load. In small-data transmission scenarios, the security payload may even exceed the data payload.

A new security algorithm could be consider to reduce the additional overhead due to security protection, such as encryption, integrity
protection, and anti-replay. At the same time, data should be encrypted E2E (from devices to service data gateways). This can free
intermediate transmission nodes from repeatedly encrypting or decrypting data, which reduces unnecessary latency in data protection.

Reduce Latency in Security Context Handover

Devices in high-speed cars and trains require a fast handover. In the 4G mobile security mechanism base stations need to compute,
send, and receive keys before handover is completed. On 5G networks, base stations are densely deployed. Coordination between
different access system, access technologies, and site types is an everyday phenomenon. This increases the difficulty of achieving ultra-
low latency with a fast handover.

Measures to reduce latency in a mobile handover include unified authentication of heterogeneous access, efficient security context
derivation, and minimal security context transfer between network nodes.

Reduce Latency in Data Encryption and Decryption at Network Nodes

Cryptographic algorithms use complex logic. To reduce the adverse effect of this complex logic on bitrate and throughput, conventional
communications systems use dedicated cryptographic algorithm chips for cryptographic operations, such as AES, Snow3G, and ZUC.

Methods to accelerate local encryption and decryption include:

17
5G 5G Scenarios and Security Design

• Introducing a more efficient cryptographic algorithm

• Exploiting the computing resource pool available on virtualized or cloud networks

• Using hardware acceleration

• Using a cryptographic algorithm capable of parallel cryptographic operations

Typically, to achieve ultra-low latency on 5G networks, the following enhancements should be made to the security protection
mechanism without degrading the protection level:

• Implement E2E encryption and decryption to reduce the latency from repeated encryption or decryption at intermediate nodes.

• Relocate authentication servers from central nodes to a location close to authenticated devices to reduce latency in authentication
message transmission.

• Introduce an authentication framework and protocol to simplify authentication interaction.

• Adopt a new transmission protection protocol to reduce security payload due to encryption, integrity protection, and anti-replay.

• Establish an efficient mechanism for security context transfer and key re-creation during mobile handover.

• Design an efficient cryptographic algorithm to reduce latency in encryption and decryption.

18
 5G Scenarios and Security Design 5G

Summary: Innovative Security Design

Suitable for Diverse Service Scenarios
Service diversity is increasing (eMBB, uRLLC, and mMTC), network architecture is going to be cloud-based, and security
capabilities are gradually opening up. All of these changes present new 5G security challenges and tougher privacy
requirements. 5G systems are required to build a unified security management mechanism across different access
technologies and cloud network architecture. The security management mechanism should provide common and essential
security capabilities (i.e. E2E security protection, unified authentication, open security capabilities, and on-demand security
management) while allowing for differentiated security features, policies, and solutions in various service scenarios.

5G eMBB services such as VR/AR and HD videoing are driving the rapid growth of 5G networks. 5G security design must
allow for differentiated services, heterogeneous access, and open environments. To support multi-service environments on
cloud 5G networks, security protection should change from the hop-by-hop protection of pipelines to the service-based E2E
protection. In a converged network that accommodates various network systems, access technologies, and site types, it
is beneficial to build a unified and open authentication framework across different access technologies and authentication
protocols. This would simplify security management and improve network efficiency. By opening-up identity management and
authentication capabilities, authentication security can be enhanced, 5G service ecosystem can be improved and operators
can attracts more industry customers.

As new 5G mMTC services are continuously emerging, such as smart transportation, smart grid, smart manufacturing,
the issue of how to provide on-demand ubiquitous connectivity to mMTC users efficiently at low cost has become a major
concern for operators. By deploying a decentralized identity management and authentication mechanism on 5G networks,
operators can slash identity management costs and improve authentication efficiency, building a more efficient security
solution for 5G mMTC.

5G uRLLC services such as automatic driving and Industry 4.0 are becoming a reality. To achieve E2E 5G ultra-low latency,
reducing security protocol interactions and security processing delay, without downgrading security protection strength, is
essential.

19
HUAWEI TECHNOLOGIES CO., LTD.
Bantian, Longgang District
Shenzhen518129, P. R. China
Tel:+86-755-28780808