[Intern] 20/09/2022 Decryption and encryption in 5G.

# [Intern] 20/09/2022 Decryption and encryption in 5G. ###### tags: `BMW-Lab`, `Intern` :::success **Goal:** To explore decryption and encryption in 5G. ::: :::success **References** - [5G encryption](https://www.reply.com/en/industries/telco-and-media/5g-security-for-mobile-networks#:~:text=Data%20traffic%20within%20the%205G,the%20other%20components%20remain%20protected.) ::: ## Background Security in 5G networks is standardized (by 3GPP) in a hop-by-hop fashion, where user data is decrypted and encrypted in different functions within the network. User data is (in most cases) encrypted in transit (over the network) but processed in cleartext in many functions. The air interface is encrypted (and integrity protected) between the device and the gNB (5G base station). From the gNB over the backhaul network to the core network (normally via an edge router), the 3GPP defined NDS/IP security framework is used to protect the integrity and confidentiality of the user plane and control plane between the device, the gNB and the core network. The below figure illustrates how the different planes are protected in a 5G network.. ![](https://imgur.com/kcPkZRa.png) In a 5G (and 4G) network, NAS (Non-Access Stratum) signaling is encrypted between the device and the core network. Moreover, both the control plane (Radio Resource Control, signaling between the device and RAN regarding radio configuration) and the user plane are encrypted and integrity protected between the device and the gNB (or a base station called eNB in the 4G case), meaning that all user data is available unencrypted in the gNB(or eNB) . In many cases, user data can be encrypted at the application level, but this is not guaranteed by 3GPP 5G standards and is out of operator control. ## Non-standalone 5G deployment Initially, 5G radio will, in many cases, be deployed in a non-standalone fashion. In this situation, the gNB is connected not to the 5G core network but to an eNB in a 4G RAN , as shown in Figure 3. The eNB plays the role of a master base station, and the gNB plays the role of a serving base station. This setup is referred to as DC (dual connectivity). The serving gNB forwards the uplink user plane data to the master eNB, and user data is then decrypted in the RAN before being forwarded to the core network. This means that user data is available unencrypted in the eNB when this deployment is used. ![](https://imgur.com/LBAfwCI.png) ## Security in future RAN deployments As discussed in Section 3, in 4G and earlier generations, base stations were designed to perform singular functions (normally implemented as separate physical units). In 5G, however, this is different. The ongoing development to separate the gNB in different functions is essentially aimed at deploying gNB functions in different ways. The 3GPP specifies the possibility of a distributed gNB with a CU and DUs, as shown in Figure (below). ![](https://imgur.com/tzQBuqu.png) The DU and CU are functions in the 3GPP-standardized 5G RAN. So, contrary to previous deployment conventions in 4G and earlier generations, in 5G, these RAN functions can be placed in different physical sites in an actual deployment of RAN, depending on the use case. This enables RAN function distribution over different physical sites and, subsequently, allows a breakout of RAN functions to support low-latency use cases as well as flexible implementations. Consequently, the split between RAN and core may be clear in standards, but it becomes unclear when viewed in actual deployments. Other organizations than 3GPP, such as O-RAN aim to define implementation and deployment architectures, focusing on how we can further split RAN into even more granular building blocks than described above. Specifically, the work on the lower layer split (RAN functions) also introduces an RU in addition to the DU and CUs. This development allows even more ways of distributing RAN functionality, and therefore further blurs the distinction between RAN and core from a security perspective. CPRI/eCPRI (common public radio interface/ enhanced CPRI) is another consortium specification for an interface and protocol between the RU and the baseband. It is currently not fully specified as a multi-vendor interface, meaning that some integration work is needed if the RU and DU are from different vendors. ![](https://imgur.com/SppYUUL.png) With the lower layer split, the termination point for encryption the CU function, which terminates PDCP on the network side. With this split, the RU and the DU are not able to access (that is, decrypt) the user plane and control plane, meaning that the RU and the DU are not as critical as the CU when it comes to the integrity and confidentiality of user data or the signaling. Still, both the RU and the DU can affect the availability of mobile network access. ## Conclusion 3GPP 5G standards allow physical and virtual overlap between RAN and core networks in deployed networks. The separation of RAN and core is critical to the evolution of 5G networks, and may pose hurdles in securing the low latency use cases that have been important drivers for 5G development. Currently, we do not have any standard rules or guidelines for the separation of RAN and core functions; 3GPP standards allow for flexibility. The degree of RAN/core separation in a specific network deployment situation is not uniquely determined by 3GPP standards. RAN and core are both critical components of 5G networks because gNBs (5G base stations) terminate the encryption of user data, except when it is encrypted externally and is beyond the control of an operator’s 5G network. As a result of this, gNBs have full access to all data to and from devices in cleartext. Moreover, technical developments and initiatives, such as distributed RAN, split RAN, O-RAN and CPRI/eCPRI consortiums, further fragment and distribute the deployment of RAN functions, with serious security implications. For instance, all the options make it unclear how functions will be distributed and co-located in the long run.