33 research outputs found

    Privacy-Preserving Access for Multi-Access Edge Computing (MEC) Applications

    Multi-Access Edge Computing (MEC) is one of the emerging key technologies in Fifth Generation (5G) Mobile Networks, providing reduced end-to-end latency for applications and reduced load in the transport network. This paper is about user privacy in MEC within 5G. We consider a basic MEC usage scenario, where the user accesses an application hosted in the MEC platform via the radio access network of the Mobile Network Operator (MNO). First, we create a system model based on this scenario, then define the adversary model and privacy requirements for this system model. Second, we introduce a privacy-preserving access solution for the system model and analyze the solution against the privacy requirements. Peer reviewed

    Privacy-Aware Access Protocols for MEC Applications in 5G

    Multi-access edge computing (MEC) is one of the emerging key technologies in fifth generation (5G) mobile networks, providing reduced end-to-end latency for applications and reduced load in the transport network. This paper proposes mechanisms to enhance user privacy in MEC within 5G. We consider a basic MEC usage scenario, where the user accesses an application hosted in the MEC platform via the radio access network of the mobile network operator (MNO). First, we create a system model based on this scenario. Second, we define the adversary model and give the list of privacy requirements for this system model. We also analyze the impact on user privacy when some of the parties in our model share information that is not strictly needed for providing the service. Third, we introduce a privacy-aware access protocol for the system model and analyze this protocol against the privacy requirements.

    AKMA Support in Multi SIM User Equipment

    Multi SIM User Equipment (UE) can have more than one physical slot for Universal Integrated Circuit Card (UICC). The eUICC is an embedded version of the UICC, which cannot be physically removed from the communication device. Currently, 3rd Generation Partnership Project (3GPP) is working on developing Authentication and Key Management for Applications (AKMA), with which user can bootstrap authentication towards application server from his mobile subscription. We consider the scenario that may become common in devices with Multi SIM and eUICC, in which one subscription is used for primary services such as voice and data, and another subscription is used for AKMA services. In this scenario, the purpose is to use AKMA services simultaneously and without interrupting primary services. There are existing requirements for Multi SIM and eUICC, which restrain this scenario from being successful. The solution that we propose includes arrangements and adaptations, in order to provide secure and uninterrupted services of both primary and AKMA services. Peer reviewed

    Best-effort authentication for opportunistic networks


    Privacy-Enhanced AKMA for Multi-Access Edge Computing Mobility

    Multi-access edge computing (MEC) is an emerging technology of 5G that brings cloud computing benefits closer to the user. The current specifications of MEC describe the connectivity of mobile users and the MEC host, but they have issues with application-level security and privacy. We consider how to provide secure and privacy-preserving communication channels between a mobile user and a MEC application in the non-roaming case. It includes protocols for registration of the user to the main server of the MEC application, renewal of the shared key, and usage of the MEC application in the MEC host when the user is stationary or mobile. For these protocols, we designed a privacy-enhanced version of the 5G authentication and key management for applications (AKMA) service. We formally verified the current specification of AKMA using ProVerif and found a new spoofing attack as well as other security and privacy vulnerabilities. Then we propose a fix against the spoofing attack. The privacy-enhanced AKMA is designed considering these shortcomings. We formally verified the privacy-enhanced AKMA and adapted it to our solution.

    IMSI-based Routing and Identity Privacy in 5G

    Work-in-Progress paper. In 5G, identity privacy of a user is proposed to be protected by concealing the identifier of the user. In order to route the concealed identifier to the appropriate destination, certain information about the international mobile subscriber identity (IMSI) – country code and network code, need to be revealed. But, as was recently pointed out, the routing of requests for authentication information between visited and home network and also within the home network, needs more information about the IMSI to be revealed. It was also recently pointed out that there are restrictions on user identity privacy due to lawful interception in the serving network. In this new context, we reexamine published alternative solutions of identity privacy. We find the previously promising solutions e.g., solution based on public key of home network become less promising. We find the solution based on identity based encryption becomes more promising than it was before. Non peer reviewed

    On De-Synchronization of User Pseudonyms in Mobile Networks

    Peer reviewed

    Inferring Social Ties in Pervasive Networks: An On-Campus Comparative Study

    International audience. WiFi base stations are increasingly deployed in both public spaces and private companies, and the increase in their density poses a significant threat to the privacy of users. Prior studies have shown that it is possible to infer the social ties between users from their (co-)location traces but they lack one important component: the comparison of the inference accuracy between an internal attacker (e.g., a curious application running on the device) and a realistic external eavesdropper (e.g., a network of sniffing stations) in the same field trial. We experimentally show that such an eavesdropper can infer the type of social ties between mobile users better than an internal attacker.

    Trusted Hart for Mobile RISC-V Security

    The majority of mobile devices today are based on Arm architecture that supports the hosting of trusted applications in Trusted Execution Environment (TEE). RISC-V is a relatively new open-source instruction set architecture that was engineered to fit many uses. In one potential RISC-V usage scenario, mobile devices could be based on RISC-V hardware. We consider the implications of porting the mobile security stack on top of a RISC-V system on a chip, identify the gaps in the open-source Keystone framework for building custom TEEs, and propose a security architecture that, among other things, supports the GlobalPlatform TEE API specification for trusted applications. In addition to Keystone enclaves the architecture includes a Trusted Hart -- a normal core that runs a trusted operating system and is dedicated for security functions, like control of the device's keystore and the management of secure peripherals. The proposed security architecture for RISC-V platform is verified experimentally using the HiFive Unleashed RISC-V development board. Comment: This is an extended version of a paper that has been published in Proceedings of TrustCom 202