Introduction to 5G Security Architecture: NFV, Keys and 2 Authentications

Obviously, undertaking the development of a new communication standard without thinking about security mechanisms would be a highly dubious and futile exercise.

5G Security Architecture is the set of security mechanisms and procedures implemented in fifth-generation networks; it covers all network components, from the core to the radio interfaces.

Fifth-generation networks are, in essence, an evolution of fourth-generation LTE networks. The radio access technology has undergone the most significant changes: for fifth-generation networks a new RAT (Radio Access Technology), 5G New Radio, was developed. The network core, by contrast, has not changed as significantly. For that reason, the 5G security architecture was designed with an emphasis on reusing the relevant technologies adopted in the 4G LTE standard.

However, it is worth noting that the reassessment of known threats, such as attacks on the air interfaces and the signalling plane, DDoS attacks, Man-In-The-Middle attacks and so on, prompted telecom operators to develop new standards and integrate completely new security mechanisms into fifth-generation networks.


Background

In 2015, the International Telecommunication Union drew up the first global plan for the development of fifth-generation networks, which is why the question of developing security mechanisms and procedures for 5G networks became especially pressing.

The new technology promised truly impressive data rates (over 1 Gbps), latency below 1 ms and the ability to connect about 1 million devices simultaneously within 1 km². Such demanding requirements for fifth-generation networks are also reflected in the principles of their organisation.

The main one was decentralisation, which meant placing many local databases and their processing centres at the periphery of the network. This made it possible to minimise latency for M2M communication and to relieve the network core of serving a huge number of IoT devices. As a result, the edge of next-generation networks extended all the way to the base stations, allowing local communication centres to be created and cloud services to be provided without the risk of critical latency or denial of service. Naturally, the changed approach to networking and customer service attracted the interest of attackers, since it opened new opportunities for attacking both confidential user information and the network components themselves, in order to cause denial of service or seize the operator's computing resources.

The main vulnerabilities of fifth-generation networks

Large attack surface

When building third- and fourth-generation telecommunications networks, telecom operators were usually limited to working with one or a few vendors who supplied a ready-made set of hardware and software. In other words, everything worked, as they say, "out of the box": it was enough to install and configure the equipment purchased from the vendor; there was no need to replace or supplement proprietary software. Modern trends run counter to this "classic" approach and are aimed at network virtualisation, a multi-vendor approach to building networks and software diversity. Technologies such as SDN (Software Defined Network) and NFV (Network Functions Virtualization) lead to a huge amount of software built on open-source code bases being included in the processes and functions that manage communication networks. This gives attackers an opportunity to study the operator's network more thoroughly and identify a larger number of vulnerabilities, which in turn increases the attack surface of new-generation networks compared with current ones.

Large number of IoT devices

By 2021, about 57% of the devices connected to 5G networks will be IoT devices. This means that most hosts will have limited cryptographic capabilities (see point 2) and, accordingly, will be vulnerable to attacks. A huge number of such devices will increase the risk of botnet proliferation and make it possible to carry out even more powerful and distributed DDoS attacks.

Limited cryptographic capabilities of IoT devices

As already mentioned, fifth-generation networks make active use of peripheral devices, which makes it possible to remove part of the load from the network core and thereby reduce latency. This is necessary for such important services as the control of unmanned vehicles, the IMS emergency warning system and others, for which minimal latency is critical, since human lives depend on it. Because of the connection of a large number of IoT devices, which, owing to their small size and low power consumption, have limited computing resources, 5G networks become vulnerable to attacks aimed at seizing control of such devices and subsequently manipulating them. For example, there may be scenarios in which IoT devices that are part of a "smart home" system are infected with malware such as ransomware. Scenarios in which control of unmanned vehicles that receive commands and navigation information via the cloud is intercepted are also possible. Formally, this vulnerability stems from the decentralisation of new-generation networks, but the next paragraph describes the problem of decentralisation more clearly.

Decentralisation and expansion of network boundaries

Peripheral devices, acting as local network cores, route user traffic, process requests, and cache and store user data locally. Thus, the boundaries of fifth-generation networks extend beyond the core to the periphery, including local databases and 5G-NR (5G New Radio) radio interfaces. This creates an opportunity to attack the computing resources of local devices, which are a priori less well protected than the central nodes of the network core, with the aim of causing denial of service. This can lead to Internet access being cut off for entire areas, to the incorrect operation of IoT devices (for example, in a smart home system) and to the unavailability of the IMS emergency alert service.


However, ETSI and 3GPP have now published more than 10 standards covering various aspects of 5G network security. The vast majority of the mechanisms described there are intended to protect against vulnerabilities (including those described above). One of the main ones is the standard TS 23.501 version 15.6.0, which describes the security architecture of fifth-generation networks.

5G Architecture

First, let us turn to the key principles of 5G network architecture, which will further reveal the purpose and areas of responsibility of each software module and each 5G security function.

  • Separation of network nodes into elements that run the user plane protocols (UP, User Plane) and elements that run the control plane protocols (CP, Control Plane), which increases flexibility in scaling and deploying the network, i.e. the network nodes of each component can be placed either centrally or in a distributed manner.
  • Support for the network slicing mechanism, based on the services provided to specific groups of end users.
  • Implementation of network elements as virtual network functions.
  • Support for simultaneous access to centralised and local services, i.e. implementation of the fog computing and edge computing concepts.
  • Implementation of a convergent architecture that combines different types of access networks, 3GPP 5G New Radio and non-3GPP (Wi-Fi, etc.), with a single network core.
  • Support for uniform algorithms and authentication procedures, regardless of the type of access network.
  • Support for stateless network functions, in which the computing resource is separated from the resource store.
  • Support for roaming with traffic routed both through the home network (home-routed roaming) and with local breakout in the visited network.
  • Interaction between network functions is represented in two ways: service-based and interface-based.

The fifth-generation network security concept includes:

  • Authentication of the user by the network.
  • Authentication of the network by the user.
  • Negotiation of cryptographic keys between the network and the user equipment.
  • Encryption and integrity control of signalling traffic.
  • Encryption and integrity control of user traffic.
  • Protection of the user ID.
  • Protection of the interfaces between different network elements in accordance with the network security domain concept.
  • Isolation of the different layers of the network slicing mechanism and definition of the security level of each layer.
  • User authentication and traffic protection at the level of end services (IMS, IoT and others).

Key software modules and security functions of the 5G network

AMF (Access & Mobility Management Function) provides:

  • Organisation of the control plane interface.
  • Organisation of RRC signalling traffic exchange, encryption and integrity protection of its data.
  • Organisation of NAS signalling traffic exchange, encryption and integrity protection of its data.
  • Management of user equipment registration in the network and tracking of the possible registration states.
  • Management of user equipment connection to the network and tracking of the possible connection states.
  • Control of user equipment reachability in the network in the CM-IDLE state.
  • Management of user equipment mobility in the network in the CM-CONNECTED state.
  • Transfer of short messages between the user equipment and the SMF.
  • Management of location services.
  • Allocation of an EPS flow ID for interworking with EPS.

SMF (Session Management Function) provides:

  • Management of communication sessions, i.e. creation, modification and release of sessions, including maintaining the tunnel between the access network and the UPF.
  • Allocation and management of IP addresses for user equipment.
  • Selection of the UPF gateway to be used.
  • Organisation of interaction with the PCF.
  • Management of QoS policy enforcement.
  • Dynamic configuration of user equipment via the DHCPv4 and DHCPv6 protocols.
  • Monitoring of charging data collection and organisation of interaction with the billing system.
  • Seamless provision of services (SSC, Session and Service Continuity).
  • Interaction with visited networks during roaming.

UPF (User Plane Function) provides:

  • Interaction with external data networks, including the global Internet.
  • Routing of user packets.
  • Marking of packets in accordance with QoS policies.
  • Inspection of user packets (for example, signature-based application detection).
  • Reporting on traffic usage.
  • The UPF is also the anchor point for supporting mobility within and between different radio access technologies.

UDM (Unified Data Management) provides:

  • Management of user profile data, including storing and modifying the list of services available to users and their corresponding parameters.
  • SUPI management.
  • Generation of 3GPP AKA authentication credentials.
  • Access authorisation based on profile data (for example, roaming restrictions).
  • Management of user registration, i.e. storage of the serving AMF.
  • Support for seamless services and communication sessions, i.e. storage of the SMF assigned to the current communication session.
  • Management of SMS delivery.
  • Several different UDMs may serve the same user in different transactions.

UDR (Unified Data Repository) provides storage of various user data and is, in fact, the database of all the network's subscribers.

UDSF (Unstructured Data Storage Function) ensures that the AMF modules store the current contexts of registered users. In general, this information can be represented as data of undefined structure. User contexts can be used to provide seamless and uninterrupted subscriber sessions, both during the planned withdrawal of one of the AMFs from service and in the event of an emergency. In both cases, the backup AMF will "pick up" the service using the contexts stored in the UDSF.

Combining the UDR and the UDSF on the same physical platform is a typical implementation of these network functions.

PCF (Policy Control Function) creates and assigns specific service policies to users, including QoS parameters and charging rules. For example, virtual channels with different characteristics can be created dynamically to carry one type of traffic or another. At the same time, the requirements of the service requested by the subscriber, the level of network congestion, the amount of traffic consumed, etc. can be taken into account.

NEF (Network Exposure Function) provides:

  • Organisation of secure interaction between external platforms and applications and the network core.
  • Management of QoS parameters and charging rules for specific users.

SEAF (Security Anchor Function), together with the AUSF, provides authentication of users when they register in the network with any access technology.

AUSF (Authentication Server Function) plays the role of an authentication server that receives and processes requests from the SEAF and redirects them to the ARPF.

ARPF (Authentication Credential Repository and Processing Function) provides storage of the personal secret keys (KI) and cryptographic algorithm parameters, as well as generation of authentication vectors in accordance with 5G-AKA or EAP-AKA. It is located in the data centre of the home telecom operator, protected from external physical influence, and is, as a rule, integrated with the UDM.

SCMF (Security Context Management Function) provides lifecycle management of the 5G security context.

SPCF (Security Policy Control Function) ensures the coordination and application of security policies for specific users. This takes into account the capabilities of the network, the capabilities of the user equipment and the requirements of the particular service (for example, the levels of protection provided by a critical communications service and by a wireless Internet access service may differ). Applying security policies includes: selection of the AUSF, selection of the authentication algorithm, selection of the data encryption and integrity control algorithms, and determination of the length and lifecycle of keys.

SIDF (Subscription Identifier De-concealing Function) ensures extraction of the subscriber's permanent subscription identifier (SUPI) from the concealed identifier (SUCI) received as part of the "Auth Info Req" authentication procedure request.

Basic security requirements for 5G communication networks

User authentication: the serving 5G network must authenticate the user's SUPI in the 5G AKA procedure between the user and the network.

Serving network authentication: the user must authenticate the identity of the serving 5G network, the authentication being achieved through the successful use of the keys obtained in the 5G AKA procedure.

User authorisation: the serving network must authorise the user using the user profile received from the home telecom operator's network.

Authorisation of the serving network by the home operator's network: the user must be given assurance that they are connected to a serving network that the home operator's network has authorised to provide services. The authorisation is implicit in the sense that it is ensured by the successful completion of the 5G AKA procedure.

Authorisation of the access network by the home operator's network: the user must be given assurance that they are connected to an access network that the home operator's network has authorised to provide services. The authorisation is implicit in the sense that it is enforced by the successful establishment of access network security. This type of authorisation must be used for any type of access network.

Unauthenticated emergency services: to meet the regulatory requirements of some regions, 5G networks must provide unauthenticated access to emergency services.

Network core and radio access network: the 5G network core and the 5G radio access network must support the use of 128-bit encryption and integrity algorithms to ensure AS and NAS security. Network interfaces must support 256-bit encryption keys.

Basic security requirements for user equipment

  • The user equipment must support encryption, integrity protection and replay protection of the user data transmitted between it and the radio access network.
  • The user equipment must activate the encryption and data integrity protection mechanisms as directed by the radio access network.
  • The user equipment must support encryption, integrity protection and replay protection of RRC and NAS signalling traffic.
  • The user equipment must support the following cryptographic algorithms: NEA0, NIA0, 128-NEA1, 128-NIA1, 128-NEA2, 128-NIA2.
  • The user equipment may support the following cryptographic algorithms: 128-NEA3, 128-NIA3.
  • The user equipment must support the following cryptographic algorithms: 128-EEA1, 128-EEA2, 128-EIA1, 128-EIA2, if it supports connection to an E-UTRA radio access network.
  • Confidentiality protection of the user data transmitted between the user equipment and the radio access network is optional, but must be provided whenever permitted by regulation.
  • Confidentiality protection of RRC and NAS signalling traffic is optional.
  • The user's permanent key must be protected and stored in well-secured components of the user equipment.
  • The subscriber's permanent subscription identifier must not be transmitted in clear text over the radio access network, apart from the information needed for correct routing (for example, MCC and MNC).
  • The home network's public key, the key identifier, the protection scheme identifier and the routing identifier must be stored in the USIM.

Each encryption algorithm is associated with a binary identifier:

  • "0000": NEA0 - Null ciphering algorithm
  • "0001": 128-NEA1 - 128-bit SNOW 3G based algorithm
  • "0010": 128-NEA2 - 128-bit AES based algorithm
  • "0011": 128-NEA3 - 128-bit ZUC based algorithm

Data encryption using 128-NEA1 and 128-NEA2 (diagram)

P.S. The diagram is borrowed from TS 133.501

Generation of the integrity MAC using the 128-NIA1 and 128-NIA2 algorithms (diagram)

P.S. The diagram is borrowed from TS 133.501
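The two TS 133.501 diagrams are not reproduced here, so the following Go example (added for this page; it is neither the article's code nor a 3GPP reference implementation) implements the AES-based pair from the table above: 128-NEA2 keystream ciphering and the 32-bit 128-NIA2 MAC-I, both driven by the COUNT, BEARER and DIRECTION inputs the diagrams show. The constructions follow TS 33.501 Annex D as I understand it (128-NEA2 = AES-128 in CTR mode, 128-NIA2 = AES-CMAC truncated to 32 bits); the key and NAS PDU used in the test are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"fmt"
)

// t1 builds COUNT(32) || BEARER(5) || DIRECTION(1) || 0^26 || 0^64. 128-NEA2 uses the
// whole 128-bit block as the CTR start value; 128-NIA2 prepends its first 64 bits to the message.
func t1(count uint32, bearer, direction byte) [16]byte {
	var t [16]byte
	t[0], t[1], t[2], t[3] = byte(count>>24), byte(count>>16), byte(count>>8), byte(count)
	t[4] = (bearer&0x1f)<<3 | (direction&0x01)<<2
	return t
}

// aes128 rejects any key that is not 128 bits: AES-192/256 would not be 128-NEA2/128-NIA2.
func aes128(key []byte) (cipher.Block, error) {
	if len(key) != 16 {
		return nil, fmt.Errorf("need a 128-bit key, got %d bits", len(key)*8)
	}
	return aes.NewCipher(key)
}

// nea2 applies 128-NEA2 (AES-128 in CTR mode) to the first lengthBits of data; ciphering and deciphering are the same XOR.
func nea2(key []byte, count uint32, bearer, direction byte, data []byte, lengthBits int) ([]byte, error) {
	block, err := aes128(key)
	if err != nil {
		return nil, err
	}
	if lengthBits < 0 || lengthBits > len(data)*8 {
		return nil, fmt.Errorf("LENGTH %d bits exceeds the data", lengthBits)
	}
	iv := t1(count, bearer, direction)
	n := (lengthBits + 7) / 8
	out := make([]byte, n)
	cipher.NewCTR(block, iv[:]).XORKeyStream(out, data[:n])
	if rem := lengthBits % 8; rem != 0 {
		mask := byte(0xff) << (8 - rem) // keystream bits beyond LENGTH are discarded
		out[n-1] &= mask
	}
	return out, nil
}

// dbl multiplies a 128-bit block by x in GF(2^128) (CMAC subkey step, RFC 4493).
func dbl(in []byte) []byte {
	out := make([]byte, 16)
	var carry byte
	for i := 15; i >= 0; i-- {
		out[i], carry = in[i]<<1|carry, in[i]>>7
	}
	if carry != 0 {
		out[15] ^= 0x87
	}
	return out
}

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// cmac is AES-CMAC over a non-empty message m, returning the full 128-bit tag.
func cmac(block cipher.Block, m []byte) []byte {
	l := make([]byte, 16)
	block.Encrypt(l, l)
	k1 := dbl(l)
	n := (len(m) + 15) / 16
	last := make([]byte, 16)
	copy(last, m[(n-1)*16:])
	if len(m)%16 == 0 {
		xorInto(last, k1) // complete final block uses K1
	} else {
		last[len(m)-(n-1)*16] = 0x80 // pad 10...0 and use K2
		xorInto(last, dbl(k1))
	}
	x := make([]byte, 16)
	for i := 0; i < n-1; i++ {
		xorInto(x, m[i*16:(i+1)*16])
		block.Encrypt(x, x)
	}
	xorInto(x, last)
	block.Encrypt(x, x)
	return x
}

// nia2 returns the 32-bit 128-NIA2 MAC-I: the leftmost 32 bits of
// AES-CMAC(key, COUNT||BEARER||DIRECTION||0^26||MESSAGE).
func nia2(key []byte, count uint32, bearer, direction byte, msg []byte) ([]byte, error) {
	block, err := aes128(key)
	if err != nil {
		return nil, err
	}
	h := t1(count, bearer, direction)
	return cmac(block, append(h[:8:8], msg...))[:4], nil
}

// nia2Verify is the receiver-side integrity check, compared in constant time.
func nia2Verify(key []byte, count uint32, bearer, direction byte, msg, mac []byte) bool {
	want, err := nia2(key, count, bearer, direction, msg)
	return err == nil && subtle.ConstantTimeCompare(want, mac) == 1
}
```

Because COUNT is part of both inputs, a replayed PDU with a stale COUNT fails the MAC-I check and is deciphered with the wrong keystream, which is the replay protection the UE requirements above refer to.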

Basic security requirements for 5G network functions

  • The AMF must support primary authentication using SUCI.
  • The SEAF must support primary authentication using SUCI.
  • The UDM and ARPF must store the user's permanent key and ensure that it is protected from theft.
  • The AUSF must provide the SUPI to the local serving network only after successful authentication using SUCI.
  • The NEF must not forward concealed network information outside the operator's security domain.

Basic security procedures

Trust domains

In fifth-generation networks, trust in network elements decreases as the elements move away from the network core. This concept influences the decisions implemented in the 5G security architecture. Thus, we can speak of a 5G network trust model that determines the behaviour of the network security mechanisms.

On the user side, the trust domain is formed by the UICC and the USIM.

On the network side, the trust domain has a more complex structure.

The radio access network is divided into two components: DU (Distributed Units) and CU (Central Units). Together they form the gNB, the radio interface of the 5G network base station. DUs have no direct access to user data, since they may be deployed in unprotected infrastructure segments. CUs must be deployed in protected network segments, since they are responsible for terminating the traffic of the AS security mechanisms. The AMF, located in the network core, terminates the traffic of the NAS security mechanisms. The current 3GPP 5G Phase 1 specification describes combining the AMF with the SEAF security function, which holds the root key (also known as the "anchor key") of the visited (serving) network. The AUSF is responsible for storing the key obtained after successful authentication; it is needed for reuse in cases where the user is simultaneously connected to several radio networks. The ARPF stores user credentials and is the network-side counterpart of the subscriber's USIM. The UDR and UDM store user information, which is used to determine the logic of generating credentials, user IDs, session continuity, etc.

Key hierarchy and key distribution schemes

In fifth-generation networks, unlike 4G-LTE networks, the authentication procedure has two components: primary and secondary authentication. Primary authentication is required for all user devices connecting to the network. Secondary authentication may be performed at the request of external networks if the subscriber connects to them.

After primary authentication has completed successfully and the shared key K has been established between the user and the network, KSEAF, a special anchor (root) key of the serving network, is derived from key K. Subsequently, keys are generated from this key to ensure the confidentiality and integrity of RRC and NAS signalling traffic.

Diagram with explanations
Legend:
CK (Cipher Key)
IK (Integrity Key) - the key used in the data integrity protection mechanisms.
CK' (Cipher Key) - another cryptographic key, created from CK for the EAP-AKA mechanism.
IK' (Integrity Key) - another key used in the data integrity protection mechanisms for EAP-AKA.
KAUSF - generated by the ARPF function and the user equipment from CK and IK during 5G AKA and EAP-AKA.
KSEAF - the anchor key derived by the AUSF function from the key KAUSF.
KAMF - the key derived by the SEAF function from the key KSEAF.
KNASint, KNASenc - keys derived by the AMF function from the key KAMF to protect NAS signalling traffic.
KRRCint, KRRCenc - keys derived by the AMF function from the key KAMF to protect RRC signalling traffic.
KUPint, KUPenc - keys derived by the AMF function from the key KAMF to protect AS traffic.
NH - an intermediate key derived by the AMF function from the key KAMF to secure data during handover.
KgNB - the key derived by the AMF function from the key KAMF to secure the mobility mechanisms.

Schemes for generating SUCI from SUPI and vice versa

Schemes for obtaining SUPI and SUCI

Generation of SUCI from SUPI and of SUPI from SUCI (diagram)

Authentication

Primary authentication

In 5G networks, EAP-AKA and 5G AKA are the standard primary authentication mechanisms. Let us divide the primary authentication mechanism into two phases: the first is responsible for initiating authentication and selecting the authentication method, the second for mutual authentication between the user and the network.

Initiation

The user sends a registration request to the SEAF containing the user's concealed subscription ID, the SUCI.

The SEAF sends the AUSF an authentication request message (Nausf_UEAuthentication_Authenticate Request) containing the SNN (Serving Network Name) and the SUPI or SUCI.

The AUSF checks whether the SEAF making the authentication request is allowed to use the given SNN. If the serving network is not authorised to use this SNN, the AUSF responds with the authorisation error message "Serving network not authorized" (Nausf_UEAuthentication_Authenticate Response).

The AUSF requests authentication credentials from the UDM, ARPF or SIDF by SUPI or SUCI and SNN.

Based on the SUPI or SUCI and the user information, the UDM/ARPF selects the authentication method to be used next and issues the user's credentials.

Mutual authentication

Whichever authentication method is used, the UDM/ARPF network functions must generate an authentication vector (AV).

EAP-AKA: the UDM/ARPF first generates an authentication vector with the separation bit of the authentication management field (AMF) set to 1, then generates CK' and IK' from CK, IK and the SNN and forms a new authentication vector AV (RAND, AUTN, XRES*, CK', IK'), which is sent to the AUSF with an instruction to use it only for EAP-AKA.

5G AKA: the UDM/ARPF derives the key KAUSF from CK, IK and the SNN, after which it generates the 5G HE AV (5G Home Environment Authentication Vector). The 5G HE AV authentication vector (RAND, AUTN, XRES, KAUSF) is sent to the AUSF with an instruction to use it only for 5G AKA.

After this, the AUSF derives the anchor key KSEAF from the key KAUSF and sends the SEAF a "Challenge" request in the "Nausf_UEAuthentication_Authenticate Response" message, which also contains RAND, AUTN and RES*. Next, RAND and AUTN are passed to the user equipment in a protected NAS signalling message. The user's USIM computes RES* from the received RAND and AUTN and sends it to the SEAF. The SEAF forwards this value to the AUSF for verification.

The AUSF compares the XRES* it holds with the RES* received from the user. If they match, the AUSF and the UDM in the user's home network are notified of the successful authentication, and the user and the SEAF independently generate the key KAMF from KSEAF and the SUPI for further communication.
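The key hierarchy from the legend above and the 5G AKA steps just described, as one added Go example (not the article's code and not a 3GPP implementation): the generic 3GPP KDF, the chain KAUSF → KSEAF → KAMF → KNAS/KgNB, and the RES*/XRES* comparison at the AUSF. The FC values and type distinguishers are the ones I recall from TS 33.501 Annex A and should be treated as assumptions; the USIM f2/f3/f4 functions, K, RAND, SNN and SUPI are constructed stand-ins, and AUTN/SQN handling is left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// FC values and algorithm type distinguishers as I recall them from TS 33.501 Annex A (assumption; check the spec).
const (
	fcKAUSF, fcRESstar, fcKSEAF, fcKAMF, fcAlgKey, fcKgNB = 0x6A, 0x6B, 0x6C, 0x6D, 0x69, 0x6E
	nNASenc, nNASint, nRRCenc, nRRCint, nUPenc, nUPint   = 0x01, 0x02, 0x03, 0x04, 0x05, 0x06
)

// kdf is the generic 3GPP key derivation function (TS 33.220 Annex B):
// HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 || ...), Li = 2-byte big-endian length of Pi.
func kdf(key []byte, fc byte, params ...[]byte) []byte {
	s := []byte{fc}
	for _, p := range params {
		s = append(s, p...)
		s = append(s, byte(len(p)>>8), byte(len(p)))
	}
	m := hmac.New(sha256.New, key)
	m.Write(s)
	return m.Sum(nil)
}

func ckik(ck, ik []byte) []byte { return append(append([]byte{}, ck...), ik...) }

// UDM/ARPF and USIM: KAUSF from CK||IK, the serving network name and SQN xor AK.
func deriveKAUSF(ck, ik []byte, snn string, sqnXorAK []byte) []byte {
	return kdf(ckik(ck, ik), fcKAUSF, []byte(snn), sqnXorAK)
}

// RES* (UE) and XRES* (UDM): KDF over SNN, RAND, RES with key CK||IK, low 128 bits kept.
func deriveRESstar(ck, ik []byte, snn string, rand, res []byte) []byte {
	return kdf(ckik(ck, ik), fcRESstar, []byte(snn), rand, res)[16:]
}

// AUSF: the anchor key KSEAF of the serving network from KAUSF and the SNN.
func deriveKSEAF(kausf []byte, snn string) []byte { return kdf(kausf, fcKSEAF, []byte(snn)) }

// SEAF and UE, after successful authentication: KAMF from KSEAF, the SUPI and the ABBA parameter.
func deriveKAMF(kseaf []byte, supi string, abba []byte) []byte {
	return kdf(kseaf, fcKAMF, []byte(supi), abba)
}

// AMF: 128-bit NAS (and, per the legend, RRC/UP) keys from KAMF, bound to algorithm type and identity.
func deriveAlgKey(kamf []byte, algType, algID byte) []byte {
	return kdf(kamf, fcAlgKey, []byte{algType}, []byte{algID})[16:]
}

// AMF: KgNB from KAMF, the uplink NAS COUNT and the access type distinguisher (0x01 = 3GPP access).
func deriveKgNB(kamf []byte, ulNASCount uint32) []byte {
	c := make([]byte, 4)
	binary.BigEndian.PutUint32(c, ulNASCount)
	return kdf(kamf, fcKgNB, c, []byte{0x01})
}

// usimFunctions stands in for the USIM's f2/f3/f4 (RES, CK, IK from K and RAND).
// It is NOT Milenage or TUAK; it only gives UE and UDM a shared deterministic result.
func usimFunctions(k, rand []byte) (res, ck, ik []byte) {
	return kdf(k, 2, rand)[:8], kdf(k, 3, rand)[:16], kdf(k, 4, rand)[:16]
}

// run5GAKA walks the 5G AKA exchange described above with constructed inputs: the home
// network holds kHome, the USIM holds kUE. It returns whether RES* matched XRES*, and KAMF.
func run5GAKA(kHome, kUE, rand []byte, snn, supi string) (bool, []byte) {
	sqnXorAK := make([]byte, 6) // constructed: sequence number masking is out of scope here
	abba := []byte{0x00, 0x00}
	// UDM/ARPF: 5G HE AV = (RAND, AUTN, XRES*, KAUSF); AUTN is not modelled.
	res, ck, ik := usimFunctions(kHome, rand)
	xresStar := deriveRESstar(ck, ik, snn, rand, res)
	kausf := deriveKAUSF(ck, ik, snn, sqnXorAK)
	// AUSF: keeps KAUSF, derives KSEAF and sends RAND (and AUTN) on to the SEAF and then the UE.
	kseaf := deriveKSEAF(kausf, snn)
	// UE/USIM: computes RES, CK, IK from its own K and RAND, then RES*, returned via the SEAF.
	ueRes, ueCK, ueIK := usimFunctions(kUE, rand)
	resStar := deriveRESstar(ueCK, ueIK, snn, rand, ueRes)
	// AUSF: compares RES* with XRES*; only on success do SEAF and UE derive KAMF.
	if subtle.ConstantTimeCompare(resStar, xresStar) != 1 {
		return false, nil
	}
	return true, deriveKAMF(kseaf, supi, abba)
}

func main() {
	k := []byte("constructed-K-16")    // 128-bit long-term key K, constructed
	rand := []byte("constructed-RAND") // 128-bit RAND, constructed
	ok, kamf := run5GAKA(k, k, rand, "5G:mnc001.mcc001.3gppnetwork.org", "imsi-001010123456789")
	fmt.Printf("authenticated=%v KAMF=%x\n", ok, kamf)
	fmt.Printf("KNASenc for 128-NEA2 (id 0010)=%x\n", deriveAlgKey(kamf, nNASenc, 0x02))
	fmt.Printf("KgNB=%x\n", deriveKgNB(kamf, 0))
}
```

Every derivation below KAUSF takes the SNN as input, which is what makes the serving-network authorisation described in the requirements implicit: a network using a different SNN ends up with different keys and cannot complete the exchange.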

Secondary authentication

The 5G standard supports optional secondary authentication based on EAP-AKA between the user equipment and an external data network. In this case the SMF plays the role of the EAP authenticator and relies on the AAA server of the external network, which authenticates and authorises the user.

  • Mandatory primary authentication of the user in the home network takes place, and a common NAS security context is established with the AMF.
  • The user sends the AMF a request to establish a session.
  • The AMF sends a session establishment request to the SMF, indicating the user's SUPI.
  • The SMF verifies the user's credentials with the UDM using the provided SUPI.
  • The SMF sends a response to the request from the AMF.
  • The SMF initiates the EAP authentication procedure to obtain permission to establish the session from the AAA server in the external network. To do this, the SMF and the user exchange messages to initiate the procedure.
  • The user and the AAA server of the external network then exchange messages to authenticate and authorise the user. In this case the user sends messages to the SMF, which in turn exchanges messages with the external network via the UPF.

Conclusion

Although the 5G security architecture is based on reusing existing technologies, it brings completely new challenges. A huge number of IoT devices, expanded network boundaries and decentralised architecture elements are some of the key principles of the 5G standard, and they give free rein to the imagination of cybercriminals.

The core 5G security architecture standard, TS 23.501 version 15.6.0, contains the key points of the operation of security mechanisms and procedures. In particular, it defines the role of each VNF in protecting user data and network nodes, in generating cryptographic keys and in implementing the authentication procedure. But even this standard does not answer the pressing security questions that telecom operators face ever more often as new-generation networks are developed and put into operation.

In this regard, I would like to believe that the difficulties of operating and protecting fifth-generation networks will not in any way affect ordinary users, who have been promised transmission speeds and responsiveness like the proverbial "son of mum's friend" and are already eager to try out all the announced capabilities of new-generation networks.

Useful links

3GPP Specification series
5G security architecture
5G system architecture
5G Wiki
5G architecture notes
5G security overview

Source: www.habr.com
