Network security standards
Ericsson joins with leading players across sectors such as ICT, transport, media, and academia, to drive and develop an industry-wide framework of common standards and together provide a strong baseline for seamless interoperability and secure evolution of the world’s mobile networks.
From transport to healthcare, commerce to education – new industries and innovations are connecting to mobile networks on an unprecedented scale. With increased value at stake, the need to ensure trustworthiness in mobile networks has never been more critical.
As a leading contributor to the network security standards forums, Ericsson continues to play a definitive role in developing the security standards of this next industrial age.
What are network security standards?
The global security standards forums
Security standardization is a multilateral effort comprising several worldwide standards organizations and a diverse set of stakeholders from industry, government and academia. Given the scale of the 5G ecosystem and the increasing complexity of the security challenges, we believe it is more important than ever to ensure a holistic, collective approach to standardization across all stakeholders and standards organizations.
The 3rd Generation Partnership Project (3GPP), the main mobile network standards organization, is driving security architecture standards through its SA3 working group. This also comprises security solutions from several other partners and standards organizations such as IETF, ETSI and NIST.
The Internet Engineering Task Force (IETF) defines protocols and best-practice solutions for the global internet. As part of this, the organization defines security protocols such as IPsec, EAP and TLS. Several of these protocols are incorporated by 3GPP in the 5G security architecture.
A 5G network is built using cloud and virtualization technologies. The European Telecommunications Standards Institute (ETSI), which develops standards for ICT systems and services, defines security standards for the network’s cloud and virtualization technologies through its Industry Specification Group for network functions virtualization (ISG NFV).
NIST, GSMA, and others
The US National Institute of Standards and Technology (NIST) defines, among other things, security standards for cryptography solutions, such as the Advanced Encryption Standard (AES). GSMA works on several mobile network security-related topics such as the eSIM specifications and interconnect security between operators. The recently approved NESAS framework for security assurance is a joint effort between 3GPP SA3 and GSMA.
Network security standards: In focus
eSIM standard for constrained IoT
eSIM is a remote SIM provisioning technology replacing plastic SIM cards for consumer devices and large IoT devices, such as cars. So far, the use of eSIM has not been possible for constrained IoT devices, which have limitations in network, memory, power, UI, CPU, and so on.
Ericsson has worked with GSMA on the new eSIM standard for constrained IoT that was released in May 2023.
The new standard optimizes data exchange and enables subscription provisioning over low power wide area (LPWA) networks using protocols such as CoAP over UDP, without reliance on TCP and SMS. The remote subscription management is also simpler and enables new use cases, where the eSIM IoT remote manager (eIM) can easily interact with, or even be embedded into, the IoT device and data management platform. Such an embedded eIM does not need costly and complex certifications.
In the new standard, there is no mandatory factory binding of a subscription manager to the eUICC, like there is in the eSIM M2M standard. Instead, the eIM can be configured and changed easily in the eUICC at any lifecycle state of the device, which makes it possible to manufacture large batches of devices without pre-customizations or bindings. The standard is also compatible with the provisioning server (SM-DP+) of the consumer eSIM standard, so the existing eSIM ecosystem can be readily used.
Non-constrained IoT devices may also benefit from the new standard.
The work with test specification, compliance, and certification for the new standard is expected to be ready during the second half of 2024.
The SNOW crypto
SNOW 3G is the result of a very successful technology transfer from the academic world to the industry. The SNOW cipher was developed by Lund University at the beginning of the 2000s as a pure academic work. SNOW is a classic stream cipher which generates a pseudo-random key stream given a secret key and a public initial vector as input. The key stream is then XORed with the bits of the plain text to encrypt the data.
Ericsson has a long-standing relationship with the crypto researchers at Lund University. SNOW was picked up by Ericsson and, as a first step, was submitted as an ISO standard (ISO/IEC 18033-4:2005) in 2004.
Not long after, ETSI Security Algorithms Group of Experts (SAGE) needed a new algorithm for the air interface protection in the 3GPP mobile network system. SAGE took SNOW and enhanced it with a larger internal state to mitigate a newly discovered potential weakness. SAGE's modified version was given the name SNOW 3G and was incorporated into the 3GPP specifications as one of the air interface encryption and integrity protection core algorithms. SNOW 3G has been part of the 3GPP standardized algorithms since 3G and is still part of the air interface protection in 5G.