# MEC Access Control Box
## Introduction
Due to the realization of MEC platform enables service providers deploying applications for low transmission delay, and the high bandwith characteristics, the fifth-generation mobile networks can support URLLC, i.e., ultra-reliable low-latency communication. However, before deploying 5G-enabled MEC for IoT, we need to consider the realiztion of user authentication for the MEC platform to replace the original functionalities supported by the core network component and the cloud server to reduce the high transmission delay for user authentication. Also, standard-compatibility is also urgently required to deploy 5G-enabled MEC for IoT with minimized costs and changes to facilitate the applications. In conclusion, we proposed a modular authentication framework named MEC Access Control Box (**MECAC Box**) which supposed to be provided by the telecom operator enabling MEC platform access control, and service provider applying for MEC-based user decentralized authentication. The MECAC box is independent of 5G and MEC architecture, but can interface with 3GPP standard. By using MECAC Box, service providers are allowed to employ MEC-based user authentication functionality and handover without modifying existing architectures.
## Benefits
### For Telecommunications Service Provider (TSP)
Telcos are keen to use MEC to build new revenues. In theory, it offers the opportunity for telcos to:
* Improve network operations to achieve efficiencies and cost savings
* Differentiate own service offerings through MEC capabilities
* Enable others to make use of distributed compute capabilities
* Provide new applications and solutions using MEC capabilities
Although there are multiple business models that Telcos can apply to capture the emerging commercial opportunities in MEC, there exists security challenges (such as privacy, access control, etc.) that Telcos need to address first. MECAC provides TSP with the access control function of the first layer, which can be used as a function to determine whether the user can use the MEC platform. This is used as the basis for whether users are legal and direct the traffic when using the MEC platform, and MECAC also provides traffic direct functions.
### For Application Service Provider (ASP)
MECAC box provide MEC-based application servers with an access control module can authenticate user identity, protect user privacy against identity analysis, and support partial distributed access control. With high scalability, our security design also supports handover functionality and real-time active revocation.
* **Isolation between communication and application access control:** MECAC introduces a two-tier access control for the flexibility to manage access control of MEC platforms and the data of MEC application servers upon them by TSPs and MEC service providers, respectively. The management of the access control logic to the services by MEC-based applications is separated from that of the traffic access control to the MEC platform with MEC-based applications.
* **Compatible of standards authentication:** In this work, the authentication framework provided by MECAC for access control to the MEC-based application can interface with the standard authentication framework, i.e., OIDC.
* **Efficient deployment:** Service providers do not need to modify their original service to deploy MECAC between the base station and MEC platform. Service providers only need to change the configuration file on MECAC for the access traffic control to the cor-responding MEC platform for specific applications.
### For User
They are vested interests in the edge computing of using MECAC box. MECAC Box protect user privacy against identity analysis. In addition, our designed base on the edge computing environment. Devices generate a lot of data (such as IoT devices in smart factories or cities) and consume a lot of data bandwidth (such as viewing 4K video or VR gaming devices using a 5G mobile phone). Edge computing brings computing and storage capabilities to the edge of the network, physically or geographically as close as possible to end devices, reducing network bandwidth usage and latency, and reducing response times.
## System Model
We considered a 5G mobile network environment with a MEC platform. Our system not only provides high reliability and low latency, but also supports user authentication, user anonymity, mobility, and fine-grained access control. We divided the entire system into four domains: radio access network (RAN), core network, MEC Platform, and the Internet.
### RAN Domain
RAN connects IoT devices to the core network.
* **gNB** is the base station of 5G that provides two-way wireless communication with UE. According to the transmission, power is divided into macro cells and small cells.
* **UE** is an IoT device that can connect to the mobile network through the gNB and execute some applications.
### Core Network Domain
Next generation core, i.e., NGC, is the 5G core network, which is responsible for user identity authentication and data decentralization on the MECAC box used to verify the user’s authority to access the MEC platform.
* **User Plane Function (UPF)** is responsible for UE-Internet connection, data packet inspection, and routing forwarding, as well as user-plane traffic monitoring and QoS, management of the connection to an external data network, etc.
* **Authentication Server Function (AuSF)** provides the functionalities of the two-way UE identity authentication and is responsible for encryption, decryption, and integrity key generation.
* **Access and Mobility Management Function (AMF)** is responsible for the registration management and authentication of UE entering the mobile network, encryption, and integrity protection of Non-access stratum (NAS) transmission, etc.
* **Unified Data Management (UDM)** is a database for unified data management. It can access the user information stored in the user database and is responsible for handling access authorization and registration, etc.
* **MECAC box** is capable of redirecting the UE's traffic to the MEC platform, based on the tunnel endpoint identifier (TEID) assigned to the UE. Furthermore, it enables access to MEC-based applications. The MECAC Box comprises two principal components: a transmission module, which transmits data packets in accordance with a variety of protocols, and an access control module, which implements an access control mechanism from the RAN to the MEC platform.
### MEC platform domain
MEC is a network solution that provides service and computing capabilities closer to the user to reduce service latency and improve quality. As MEC processes information on the edge in real-time, it responds faster and provides users with a better service experience.
* **Application Server (App server)** is a server of service providers deployed on the MEC Platform. Any service provider can deploy their servers on the MEC platform, giving their services the advantages of high reliability and low latency.
### Internet domain
The Internet is a huge network system that connects different computer networks and offers many applications and services. The transmission latency between the UE and the Internet is higher compared to that between the UE and the edge computing platform.
* **Cloud Server** deployed on the Internet by the service provider, the cloud server is a general server that provides some application services and holds all user identity data. However, its transmission latency to the UE is higher than in the UE-MEC communication because of the distance to the UE. The cloud server provides user registration before using the application service and distributing relevant information after registration to the App Server in the MEC platform. It can also revoke the authority of malicious users to prevent them from continuing to use the service illegally.
* **OIDC Server (Optional)** is a third-party server that compiles with the OIDC specification. It can also support service providers to replace the default login and registration functionalities with OIDC service. When a UE wants to use the OIDC login or registration, the OIDC Server will participate in the authentication of the identity of the user and send relevant information to the application server.
## MECAC Box Architecture
<!---->
* **Traffic direct:** can redirect the traffic from UE to Internet or UE to the MEC platform and accesses MEC-based applications based on the TEID assigned by the UE. Whenever a UE wants to use services on the MEC platform, the traffic direct is responsible for the user’s MEC service usability.
* **Handover:** Responding to the MEC environment, our design supports handover functionalities, i.e., when a user moves to a new domain where no user information is available, our cryptosystem can still authenticate the user. Implementing handover functionality in MEC systems not only markedly enhances network performance and user experience, but also fortifies system stability and reliability. These advantages are pivotal in facilitating the integration of future high-demand mobile applications and services, and in promoting the pervasive adoption of MEC technology.
* **First layer access control:** The access control we have designed is divided into two parts. In the MEC architecture, in particular, it is necessary to pay close attention to the node that is subjected to a large number of illegal packet attacks. Therefore, the first part of the system intercepts the GPRS Tunneling Protocol (GTP) in the TEID and IP as the authenticated token. This is done in order to achieve the effect of filtering illegal packets.
* **Low dependency on infrastructure and high combability:** The incorporation of the MECAC Box into the MEC system serves to enhance the overall security of the system while simultaneously facilitating the handover function. Furthermore, the design is readily adaptable to the 5G environment, necessitating only minor alterations to the existing infrastructure.
* **Revocation:** The revocation of a user's subscription is a crucial aspect of mobile networks. This process ensures that the subscription can be terminated in the event of service expiration or suspension. When a user equipment transitions to the coverage area of a new service, the system disseminates a temporary group key for expeditious authentication and revocation of the previous area's identity.
## Prerequisites
### Hardware Requirement:
| Component | Hardware |
|:---------------------------:|:-----------------------------------------------:|
| MEC access control module | MECAC Box (Intel NUC) |
| Core network (E.g., srsLTE) | Computer x 1 (Optional) |
| Cloud and MEC platform | Computer x 2 |
| User equipment (UE) | Commercial cellphone or android studio emulator |
| srseNB | USRP |
### Software Requirement
<style type="text/css">
.tg{border-collapse:collapse;border-spacing:0;}
.tg td{border-style:solid;sans-serif;overflow:hidden;padding:10px 5px;word-break:normal;}
.tg th{border-style:solid;border-width:1px;;overflow:hidden;padding:10px 5px;word-break:normal;}
.tg .tg-wa1i{font-weight:bold;text-align:center;vertical-align:middle}
.tg .tg-nrix{text-align:center;vertical-align:middle}
</style>
<table class="tg">
<thead>
<tr>
<th class="tg-wa1i">Software</th>
<th class="tg-wa1i">Requirement</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tg-nrix" rowspan="2">ICCSL MECAC Client ( E.g., Android Studio )</td>
<td class="tg-nrix">bcprov-jdk14-1.69.jar</td>
</tr>
<tr>
<td class="tg-nrix">ICCSL_MECAC_Client ver 1 </td>
</tr>
<tr>
<td class="tg-nrix" rowspan="9">ICCSL MECAC Server<br> ( E.g., Eclipse )</td>
</tr>
<tr>
<td class="tg-nrix">IEclipse Enterprise Java and Web Developer Tools 3.24 </td>
</tr>
<tr>
<td class="tg-nrix">Eclipse Web Developer Tools 3.24 </td>
</tr>
<tr>
<td class="tg-nrix">Eclipse JST Server Adapters
(Apache Tomcat, JOnAS, J2EE) Luna </td>
</tr>
<tr>
<td class="tg-nrix">bcprov-jdk14-1.69.jar</td>
</tr>
<tr>
<td class="tg-nrix">Java™ SE Development Kit 8 </td>
</tr>
<tr>
<td class="tg-nrix">apache-tomcat-8.0.36 </td>
</tr>
<tr>
<td class="tg-nrix">mysql-connector-java-8.0.26</td>
</tr>
<tr>
<td class="tg-nrix">ICCSL_MECAC_Serverv ver 1 </td>
</tr>
<tr>
<td class="tg-nrix" rowspan="8">MECAC Box<br> ( E.g., Eclipse )</td>
</tr>
<tr>
<td class="tg-nrix">IEclipse Enterprise Java and Web Developer Tools 3.24
</td>
</tr>
<tr>
<td class="tg-nrix">Eclipse Web Developer Tools 3.24
</td>
</tr>
<tr>
<td class="tg-nrix">Eclipse JST Server Adapters
(Apache Tomcat, JOnAS, J2EE) Luna
</td>
</tr>
<td class="tg-nrix">bcprov-jdk14-1.69.jar</td>
</tr>
<tr>
<td class="tg-nrix">Java™ SE Development Kit 8 </td>
</tr>
<tr>
<td class="tg-nrix">apache-tomcat-8.0.36 </td>
</tr>
<tr>
<td class="tg-nrix">mysql-connector-java-8.0.26</td>
<tr>
</tbody></table>
### Database
| Table | Description |
|:----------------------:|:-----------------------:|
| app_server_userdata | Storage User Information ( pseudo public key, username, email, Uid, authority level, pseudo public key signature and data stored time ) |
| app_server_revokelist | Revoke List |
| app_server_datastorage | Storage Data Model |
### Install Android Studio
Download the latest version of android studio as the following link [Android Studio Installation.](https://developer.android.com/studio?gclid=Cj0KCQjwpcOTBhCZARIsAEAYLuViB6DMRhOJeZIoJfGHmhXXvOyaBzXGroyyCs6mrEyBbfJiP4TzCc4aAoD3EALw_wcB&gclsrc=aw.ds)
### Install Eclipse
Download the latest version of eclipse on the MECAC Box, Cloud server and App server as the following link [Eclipse Installation.](https://www.eclipse.org/downloads/)
### Install OpenSSL
Download the latest version of eclipse on the MECAC Box, Cloud server and App server as the following link [OpenSSL Installation.](https://www.openssl.org/source/)
## System Requirement
### Deploy Cloud Server (Optional)
If you have your own cloud server, you can skip this issue. The follwing step is refer to [Deploy Servlet Server](https://ithelp.ithome.com.tw/articles/10184842)
* **Step 1:** File -> new -> Dynamic Web Project. **Note the setting of "Target runtime", "Dynamic web module version", "Configuration"**
**Trouble shooting:** [No dynamic web project](https://www.796t.com/content/1544373031.html)
* **Step 2:** Change the project name "Context root". **Note that we suggest to check "Generate web.xml deployment descriptor"**
* **Step 3:** Project name -> New -> Servlet
* **Step 4:** Input your own class name
* **Step 5:** Check "doPost", "doGet", "Constructors from superclass", "Inherited abstract methods"
* **Step 6:** Set the "web.xml"
```
<servlet>
<servlet-name>servletName</servlet-name>
<servlet-class>com.servlet.servletName</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>servletName</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
```
* **Step 7:** Start the server -> http://localhost:8080/servletName -> Test
### Deploy MEC Platform App Server (Optional)
If you have your own App server, you can skip this issue. Otherwise, you can follow the issue metioned above.
### Deploy MECAC Box (Optional)
If you have your own MECAC Box, you can skip this issue. The follwing step is refer to [Deploy Servlet Server](https://ithelp.ithome.com.tw/articles/10184842).
About the settings of layer 1 access control.
* **Step 1:** Make the following "makefile"
`sudo make`
* **Step 1:** Start up
`sudo MECACBox`
### Deploy the Certificate
Generate the certificate for server to create https server.
* **Step 1:** Generate certificates in the keystore file key.keystore
`keytool -genkey -alias Server -keyalg RSA -keysize 2048 -keystore key.keystore`
* **Step 2:** Export the generated certificate to the file server.cer
`keytool -export -alias Server -file server.cer -keystore key.keystore`
* **Step 3:** Convert files in keystore to pkcs12 format
`keytool -importkeystore -srckeystore key.keystore -destkeystore key.p12 -deststoretype pkcs12`
* **Step 4:** Output file in PEM format
`openssl pkcs12 -in key.p12 -nodes -nocerts -out key.pem`
* **Step 5:** Generate private key
`openssl pkcs8 -topk8 -in key.pem -out pkcs8_prikey.der -inform PEM -outform DER -nocrypt`
* **Step 6:** Generate public key
`openssl rsa -in key.pem -pubout -outform DER -out pubkey.der`
### Key management
<style type="text/css">
.tg{border-collapse:collapse;border-spacing:0;}
.tg td{border-style:solid;sans-serif;overflow:hidden;padding:10px 5px;word-break:normal;}
.tg th{border-style:solid;border-width:1px;;overflow:hidden;padding:10px 5px;word-break:normal;}
.tg .tg-wa1i{font-weight:bold;text-align:center;vertical-align:middle}
.tg .tg-nrix{text-align:center;vertical-align:middle}
</style>
<table class="tg">
<thead>
<tr>
<th class="tg-wa1i">Entity</th>
<th class="tg-wa1i">Key Type</th>
</thead>
<tbody>
<tr>
<td class="tg-nrix" rowspan="1">MECAC Box</td>
<td class="tg-nrix">Certificate for MEC Service and UE ( including. public key and UE identity )</td>
</tr>
<tr>
<td class="tg-nrix" rowspan="2">MEC Server Service</td>
<td class="tg-nrix">MEC Service's Certificate ( including. group key )</td>
</tr>
<tr>
<td class="tg-nrix">UE’s identity and key in the region</td>
</tr>
<tr>
<td class="tg-nrix" rowspan="0">UE</td>
<tr>
<td class="tg-nrix">UE’s identity, key and UAM in the region</td>
</tr>
</td></tbody></table>
### SrsLTE deployment (Optional)
If you have your own communication approach, you can skip this issue. Otherwise, you can refer to this article ["srsLTE building guideline"](https://hackmd.io/cCx7uqWNSIyAez3cgByw2w)
## API configuration
<!---->
### ICCSL_MECAC_Server (Java)
These additional API make it easy to add additional functionality to your MEC Server.
<!---->
#### Public methods
| Name | Type | Description |
| :---------------------: | :----: | :--------------: |
| UAM_Request | String | To generate User Authentication Message (UAM) for users |
| Fast_Login | String | Check if there is user information in the database, if it exists then login, else handover |
| Handover | String | Update the database for the new domain MEC server |
| Data_Request | String | Return user requested data model |
#### UAM_Request(KUEi, pid, authority, iv)
| Name | Type | Description |
|:---------------:|:-------------------:|:-----------------------:|
| KUEi | String | User's key |
| pid | String | UE’s anonymous identity |
| authority | String | UE’s access rights |
| iv | String | GCMParameterSpec |
#### Fast_Login(UAM, I, Source IP, ru)
| Name | Type | Description |
|:---------------:|:-------------------:|:-----------------------:|
| UAM | String | Layer 2 access control token|
| I | String | Index |
| Source IP | String | Used to find the corresponding Box IP |
| ru | String | Random session key |
#### Handover(UAM, I, Source IP, ru)
| Name | Type | Description |
|:---------------:|:-------------------:|:-----------------------:|
| UAM | String | Layer 2 access control token|
| I | String | Index |
| Source IP | String | Used to find the corresponding Box IP |
| ru | String | Random session key |
#### Data_Request(UAM, I, Source IP, Data number)
| Name | Type | Description |
|:---------------:|:-------------------:|:-----------------------:|
| UAM | String | Layer 2 access control token|
| I | String | Index |
| Source IP | String | Used to find the corresponding Box IP |
| ru | String | Random session key |
### ICCSL_MECAC_Client (Java)
These additional API make it easy to add additional functionality to your UE.
#### Public methods
| Name | Type | Description |
|:-----------------:|:------:|:-----------:|
| UAM_Request | String | User send requests to the MEC server, then MEC server generate User Authentication Message (UAM) for users |
| Fast_Login | String | Fast login if user has UAM |
| Hand_Over | void | Transfer your own information to the new MEC server and update the database |
| manualSignIn | String | Send information to the cloud server for manual registration |
| Data_Request | String | Access data from MEC server |
#### UAM_Request(ki, pid, authority)
| Name | Type | Description |
|:------------:|:------:|:---------------------------:|
| ki | String | Key between UE and MECAC Box|
| pid | String | UE’s anonymous identity |
| authority | String | UE access rights |
#### Fast_Login(UAM, bUi, Uiv)
| Name | Type | Description |
|:-----------:|:------:|:---------------------------:|
| UAM | String | User Authentication Message |
| bUi | String | Authentication index |
| Uiv | String | GCMParameterSpec |
#### Hand_Over(UAM, bUi, Uiv)
| Name | Type | Description |
|:-----------:|:------:|:---------------------------:|
| UAM | String | User Authentication Message |
| bUi | String | Authentication index |
| Uiv | String | GCMParameterSpec |
#### manualSignIn(getEmail, getPassword, getName)
| Name | Type | Description |
|:-----------:|:------:|:-------------:|
| getEmail | String | User email |
| getPassword | String | User password |
| getName | String | User name |
###### tags: `MEC`
Google Drive
Gist
Clipboard
Sign in via Google
Sign in via Facebook
Sign in via X(Twitter)
Sign in via GitHub
Sign in via Dropbox
Sign in with Wallet
