In the realm of telecommunications and financial services, robust security is paramount, particularly when it comes to safeguarding cryptographic materials like keys. Traditionally, this has been accomplished through hardware security modules (HSM) on-premises. However, this article introduces a cloud-native alternative utilizing AWS Nitro Enclaves, which can replicate the functions of HSMs while facilitating the migration of these services to the cloud. This solution enhances elasticity, ensures high availability, and allows for full automation in deployment, specifically in the context of a 5G mobile network scenario.
In mobile networks, a key function is the mutual authentication between subscriber devices (such as smartphones) and the network itself. This authentication leverages a cryptographic challenge-and-response protocol that relies on a symmetric key shared between the subscriber and the network. On the subscriber device, this key is securely stored within the universal subscriber identity module (USIM or SIM). The SIM possesses the cryptographic capabilities to generate the authentication data required for the challenge-and-response protocol. Meanwhile, the network safeguards the key within the Unified Data Management (UDM) network function, which encompasses responsibilities related to data management, including the Authentication Credential Repository and Processing Function (ARPF). The ARPF computes the necessary authentication data (also referred to as the authentication vector or AV) within its secure environment, ensuring the key is protected from physical threats and never leaves the ARPF’s secure confines.
In traditional on-premises setups, the cryptographic capabilities of the ARPF are typically supported by a custom HSM. However, the specialized nature of HSMs for 5G networks, dictated by the Third Generation Partnership Project (3GPP) standards, creates challenges when transitioning to the cloud. This shift often necessitates implementing ARPF cryptographic capabilities outside HSMs (on general-purpose compute instances) or adopting a hybrid approach with on-premises HSMs. Such complexities increase the risk of exposing the shared secret key during use. Nitro Enclaves, a feature of Amazon EC2 designed to create and manage isolated compute environments, addresses this issue, allowing network operators to eliminate the need for on-premises HSMs without sacrificing security for the ARPF.
In this post, we will demonstrate the use of Nitro Enclaves to replicate the ARPF’s cryptographic capabilities on AWS. We will also illustrate how to deploy Nitro Enclaves in a high-availability configuration, meeting the demanding requirements of mobile networks. A prototype implementation of an ARPF within an enclave will be provided, along with a patch for the Open5GS 5G Core implementation to support this enclave-based ARPF. Open5GS is chosen for its ease of installation on AWS, making it a great tool for experimenting with 5G networks in the cloud. Additionally, its open-source nature allows for the necessary modifications to support the enclave-based ARPF.
Before diving deeper, it’s important to note that familiarity with Nitro Enclaves and its terminology is assumed. For an introduction, please refer to our documentation (and video), related concepts, build process, and our getting started guide.
Solution Overview
You deploy a 5G network on AWS, which includes a 5G Core network, a software-based base station, and subscriber devices. To ensure high availability, a pool of enclave-enabled EC2 instances is distributed across multiple Availability Zones (AZs). The enclaves, which provide secure and isolated compute environments, implement the ARPF’s cryptographic functionalities. Utilizing their attestation feature, you can confirm the enclave’s identity and ensure that only authorized code operates within it. These EC2 instances are managed through an AWS Auto Scaling group coupled with an AWS Network Load Balancer (NLB). The provisioning of Nitro Enclaves, along with the shared secret key database, is automated. By default, Nitro Enclaves lack observability; they do not supply built-in metrics or logs. To address this, we instrument the code within the enclave to create an API for status monitoring, which is exposed over the Nitro Enclaves’ secure local communication channel. The software on the EC2 parent instance oversees the health of the enclave via this API and provides an endpoint for NLB health checks. If the /status endpoint is queried, a ping command is dispatched to the enclave in a JSON payload. Upon receiving a successful response from the enclave, a 200 response code is returned.
Our sample code, available at this GitHub link, contains all the artifacts needed to deploy the complete solution discussed in this post. We utilize the AWS Cloud Development Kit (AWS CDK) for automation. The base station and subscriber device are sourced from the UERANSIM open-source project. Our sample code replaces the Open5GS ARPF implementation with one that operates within Nitro Enclaves. Our patch for the UDM implementation of Open5GS substitutes two function calls used in authentication with API calls directed to the Nitro Enclaves implementation. Consequently, the shared secret keys are never exposed in plaintext outside the enclave, ensuring protection while in use. Specifically, in the UDM, the Open5GS function:
milenage_generate(udm_ue->opc, udm_ue->amf, udm_ue->k, …)
is replaced by a function:
enclave_generate_auth_vector(udm_ue->supi, udm_ue->amf, …)
that communicates directly with the enclave. Note that opc and k are no longer utilized, as they are the secrets safeguarded by the enclave. Instead, the supi is used within the enclave to retrieve the corresponding opc and k values.
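As an added example that is not part of the post's sample code or of Open5GS, the Go code below shows what the enclave side of enclave_generate_auth_vector has to do: resolve K and OPc from the SUPI inside the enclave, validate the parent's inputs before any key is touched, and run the 3GPP Milenage functions so that only the authentication vector crosses the local channel. The key store, the SUPI value and the function names are assumptions; the key material is the public 3GPP TS 35.208 test set 1, not a real secret.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
)

// AuthVector is all the enclave returns to the UDM; K and OPc cannot be recovered from it.
type AuthVector struct{ MACA, RES, CK, IK, AK []byte }
// keyStore maps SUPI to [K, OPc] and stays inside the enclave; the constructed entry uses public 3GPP TS 35.208 test set 1 values.
var keyStore = map[string][2]string{
	"imsi-001010000000001": {"465b5ce8b199b49faa5f0a2ee238a6bc", "cd63cb71954a9f4e48a5994e37a02baf"},
}
func xor16(a, b []byte) []byte {
	x := make([]byte, 16)
	for i := range x {
		x[i] = a[i] ^ b[i]
	}
	return x
}
// rot16 rotates a 16-byte block left by n bytes (Milenage r1..r5 are all byte multiples).
func rot16(a []byte, n int) []byte { return append(append([]byte{}, a[n:]...), a[:n]...) }
// milenageOut is one Milenage output block E_K(rot(a XOR OPc, n) XOR temp XOR c) XOR OPc; only f1 mixes TEMP in again, f2..f5 pass zeros.
func milenageOut(blk cipher.Block, opc, a, temp []byte, n int, c byte) []byte {
	x := xor16(rot16(xor16(a, opc), n), temp)
	x[15] ^= c
	blk.Encrypt(x, x)
	return xor16(x, opc)
}
// GenerateAuthVector is the enclave-side counterpart of enclave_generate_auth_vector: the UDM sends only SUPI, RAND, SQN, AMF.
func GenerateAuthVector(supi string, rand, sqn, amf []byte) (AuthVector, error) {
	keys, found := keyStore[supi]
	if !found || len(rand) != 16 || len(sqn) != 6 || len(amf) != 2 { // reject bad input before any key use
		return AuthVector{}, errors.New("unknown supi or malformed parameters")
	}
	k, _ := hex.DecodeString(keys[0])
	opc, _ := hex.DecodeString(keys[1])
	blk, _ := aes.NewCipher(k)
	temp := xor16(rand, opc)
	blk.Encrypt(temp, temp) // TEMP = E_K(RAND XOR OPc)
	in1 := append(append(append(append([]byte{}, sqn...), amf...), sqn...), amf...)
	zero := make([]byte, 16)
	out1 := milenageOut(blk, opc, in1, temp, 8, 0x00) // f1: r1 = 64 bits, c1 = 0
	out2 := milenageOut(blk, opc, temp, zero, 0, 0x01) // f2/f5: r2 = 0, c2 = 1
	av := AuthVector{MACA: out1[:8], RES: out2[8:], AK: out2[:6]}
	av.CK = milenageOut(blk, opc, temp, zero, 4, 0x02) // f3: r3 = 32, c3 = 2
	av.IK = milenageOut(blk, opc, temp, zero, 8, 0x04) // f4: r4 = 64, c4 = 4
	return av, nil
}
```

The SQN handling, resynchronisation (f1*/f5*) and the vsock transport that the real UDM patch needs are left out; the point is that neither K nor OPc ever appears in a return value.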
Before deploying the 5G network, it is necessary to compile the Open5GS and UERANSIM binaries from their sources. Additionally, the enclave image file must be generated. Our sample code automates both tasks.