NCSC: This is not protecting against IMSI grabbers at all. This only works for passive sniffing.

Ericsson: this use case is very rare. Besides, SA3 should not get involved with cryptographic schemes, this is SAGE work.

Nokia supported to have a look at this use case. T-Mobile found it useful too.

BT(Alex) commented that this would need an IMSI redesigning.

Deutsche-Telekom, Docomo proposed an encoding solution. This would be for the next meeting.

ORANGE didn’t think it was a problem.

Some other companies that this use case was worth considering (e.g. Samsung, Nokia, KPN,T-Mobile). The Chair commented that the problem was understood but companies wanted to have a solution going another way. Contributions are welcome for the next meeting.

 

Vodafone: LTK solution is preemptive as well as reactive. The diagram suggests an only reactive solution.

Ericsson: where would Diffie-Hellman be included?

Interdigital: this solution can include Diffie-Hellman.

Qualcomm: step 2 is optional but it triggers step 3.

Vodafone: it jumps directly to step 5. This was clarified in the revision.

 

ORANGE: relationship number VI is not correct, according to TS 33.102. Huawei agreed that this could be changed.

ORANGE: what is relationship II?

Huawei: Network Domain Security.

Telecom Italia suggested some changes in bullet number one.

IDEMIA: I) should go to USIM.

 

 

 

 

BT: where to keep a list of serving network names?

ORANGE:A list maintaining a list of serving network names? IETF will not do that. This concept is not clear in the contribution.

This had to be clarified offline.

 

Ericsson: Where's the PUI defined? SA2 uses the term but it doesn’t seem to be defined.

Ericsson: in step 13, is it describing behaviour externally to the network? We don’t do that.

Step 13 was not agreed. The definition of PUI had to be checked offline.

 

DT didn’t agree with this document.

It was agreed to merge it with 885.

 

The definition clause affects tdoc 830 from IDEMIA.

 

ORANGE: Leave the requirement.

Vodafone didn’t agree with the "securityt evaluated" statement.

 

TIM: what’s the 5G USIM in the figure?

There was no support for this, hence it was noted.

 

Qualcomm: we discussed this during the last meeting and agreed to take it in phase two.

ORANGE: we don't need the visited network to force the new scheme.

This was noted since there was no support for this.

 

Apple didn’t agree with ME supporting the null-scheme, as they describe in 580.

 

 

 

Ericsson didn’t see it clear why the second Editor's note was removed.

It was agreed to leave both editor's notes.

 

Vodafone: the CRs have ignored what we had agreed. These CRs are agreed but not approved formally in SA, we cannot accept them at this point. The authentication is SA3's business and not CT1's.

NEC: SA or CT plenary?

Docomo: make it clear what part of TS 33.501 is affected by this issue.

 

Docomo: their assumption is correct.

Nokia had tdocs 609 and 610 related to this.

 

ORANGE: this is putting requirements for something that is not done in 3GPP.

Vodafone: we can put it in the evaluation clause.

 

Only the first change was approved.

 

Gemalto commented that this was a subset of the CATT proposal.

 

Vodafone: This seems to be part of the solution, given where it is inserted.

ORANGE: no need to add another key.Sending the OTA message is optional.

 

Vodafone: I'm happy with this but deleting the conclusion.

Vodafone:there are a lot pre Rel-8 sIMs cards in the market. You cannot guarantee that the AMF bit is available.

Huawei: this is for 5G.

Vodafone: we agreed with China Mobile to include legacy USIMs in this solution.

 

Huawei: the advantage is that you don’t need to derive a new KAMF.ZTE supported this, as they considered this was the simplest way.

Ericsson: you need to signal the GUAMI to the UE first before the connection and this would be redundant, since you have to send it again later.

Samsung preferred the NONCE solution. Qualcomm agreed to go this way to progress.

 

ORANGE: this may lead to DoS attacks.

Vodafone agreed: the handset is not the right place where to make the decision whether it needs to be updated.

 

Vodafone: we will not provision public keys in every handset.

BT (Alex): HPLMN's choice to support this, it cannot be mandatory.

Ericsson: this is questioning the decision we made about legacy USIMs after long discussions. We already have content in the TS assuming what kind of USIMs we use. I propose to note this.

There wasn't support for this document, so it was noted.

Qualcomm: no need to re-open these discussions after what we have agreed.

NEC: there would be a backward compatilibity issue here.

Docomo: keep the Kseaf. KPN, BT, DT agreed.

China Mobile: ask SA2.

BT: SA3 decided to keep it; security issues are dealt here.

The Chair commented that there was major support on keeping the Kseaf.

 

KPN and Qualcomm disagreed with the changes.

BT: it’s a bit late to introduce a big change in the security architecture.

 

Nokia: the timer was added to avoid the UDM being overloaded with multiple requests.

 

Verizon: not acceptable.

BT: it introduces VPLMN control, which is not what we want.

 

Qualcomm: you are including both SUCI and SUPI in your solution, this is the only difference with our solution.

 

Interdigital: Easier for the attacker to grab the SUCI.

Ericsson proposed to remove the extended Home Network Identifier.

ORANGE asked whether there was a definition for the Home Network Identifier. This wasn't clear.

 

Docomo: the first requirement is obvious that can be done so we don’t need it as a requirement. The requirement was removed since there was no support for this as for the rest of the document.

 

 

Ericsson: this is misplaced, it should go somewhere else.

Huawei: temporary identifier, what does it mean?

CATT: GUTI.

 

Overlaps with 809.

 

NCSC had quite a few issues with the paper.

There were many issues from NCSC and ORANGE and Vodafone commented that a conference call could progress this.

 

Alf(Docomo): the concept of entropy is used here in a confusing way, although I agree with the meaning.

An editor's note was added for this.

 

NCSC had some issues as well that had be to taken offline and brought back in the next meeting.

 

Huawei and Ericsson: we cannot mandate IPSec here.

It was commented that the discussion included a pCR at the end, so the type was changed.

The sentence with IPSec was modified to require confidentiality and integrity protection in the E1 interface.

 

Vodafone: The assumption that VM is in the cloud is irrelevant. We don’t agree with this.Ericsson agreed and added that SA3 should not mandate IPsec.

 

BT and ORANGE supported this, with modifications.

KPN: not always we have a human with the UE.It depends on the application.

 

 

Telecom Italia: it's supposed to remove an editor's note what it stays. The new text is confusing.

 

Ericsson commented that this interface was supposed to be proprietary and that removing the editor's note should be enough.

 

Ericsson: not the right reference. It's not currently in TS 24.502.

This was taken offline.

 

 

Docomo: When are we planning to fill in the text? I'd rather have this as a draftCR/CR in the next meeting.

 

Ericsson: you can also use the PLMNid as well, better than the GUTI, that might change in the same PLMN several times. This is more an implementation issue.

Nokia agreed with Ericsson.

 

Qualcomm, Nokia and Ericsson didn’t  agree with the use of timers.

 

Vodafone disagreed with this proposal.

Ericsson: this has UE impact so we disagree with the key separation.

Huawei: we would have here two different entities with the same key for different traffic for the same UE, and this should be communicated to RAN3 in the LS response.

Nokia: the two entities are not visible to the UE.

The Chair commented that the support was leaning to the Nokia proposal.

 

 

Docomo: do we have this concept od deactivation?

It was agreed to remove it.

Ericsson, Qualcomm: the second requirement in 5.1.3.1 is not really a requirement, it’s a procedure.

It was taken offline where to place this second sentence.

 

Vodafone: SAGE's position is that they don’t need to be involved.

Ericsson: not necessary now.

 

Ericsson: no need to have the overview text. Have the titles as an editor's note as to-do list in the TS.

The Chair proposed to have it in the living document so as not to add another editor's note on the TS.

 

DT wanted to avoid TLS and go for a viable solution in Rel-16. They didn’t want to enforce a solution that added very little advantages.

Docomo: Application layer between the SEPPs supported on TLS can work in this case. TLS is not the only solution, we need something on top of that.

BT supported this.

 

Vodafone: for me this solution is a backup, while we work on the other solutions. This is better than having no security solution at all.

 

Huawei, Samsung: binding the SUPI is overloading the functionality with another layer of variables.

Ericsson: solution must contain hash+SUPI as endorsed in a previous meeting, and this doesn’t appear in the proposed solution.

Huawei: Hash of the SUPI fails when compared with the hash of the SUPI of the network the connection is terminated.

KPN: go forward to the other two solutions without binding the SUPI.

 

This solution was named key binding.

 

MCC asked whether the references to GSMA were publicly available. It was commented that the Global Platform ones were not available and this had to be taken offline for discussion with MCC.

MCC commented that instances of 4G should be replaced by LTE in the specification.

 

Alf: Remove the sentence on the extra processing power. This sentence was replaced as Docomo suggested.

 

The Chair proposed a show of hands:

 

Who supports tdoc 691?

Vodafone, BT, TIM, IDEMIA,ORANGE,DT, KPN.

 

USIM in tamper resistant secure hardware?

Qualcomm, Lenovo, Nokia, Samsung, China Mobile, Ericsson, Huawei, Intel, Sprint.

 

Who objects to store the USIM in the UICC tdoc 691?

Samsung, Qualcomm, Intel, Ericsson,Nokia, Huawei.

 

Gemalto: what's the timeline for this? There may be things happening in ETSI SCP.

ORANGE replied that SSP could be included later.  

Huawei didn’t agree with the details, but Ericsson replied that this was coming from 33.401 and it wasn't the implementation of a new solution.

 

Telecom Italia: does this work if only TLS is used in Rel-15?

Ericsson: yes.

Nokia didn’t agree with steps 0 and 4 in figure 9.1.3.X. Just a secure connection established should be displayed.

BT didn’t agree with this. ORANGE preferred to move this to the living document.

 

 

Deutsche Telekom supported this.

Nokia commented that this was a lot of work and it was better to put it into the living document for further study. There were different options to choose from.

Ericsson preferred to have it in the TS already since they thought that after its approval it would be more difficult to add more content.

MCC commented that it was possible to add this later since the TS was to be approved when it’s completed in its 80%. SBA would have to be added as outstanding work left in the TS cover.

BT preferred to see the whole thing going into the TS. For example CT4 would likely prefer to have this content in Rel-15.

Telecom Italia asked about the living document. The Chair commented that the living document served as a study given that the SBA task came really late to SA3.

 

It was decided to split it into a living document and to the TS.

 

DT: the use should be optional, not mandatory.

Telecom Italia: in the conference call we had agreed on a different solution from TLS. Why did we do the conference call?

Vodafone: we have talked with IPX providers, they are OK with having direct TLS and not hop-by-hop.

DT: it's really hard to enforce having end-to-end TLS when transitioning to Rel-16.

 

The Chair commented that CT needed a SA3 solution for May, and an exception should be avoided at all costs.

 

It was argued whether gor for "shall be used" or "shall be supported". The second option was chosen.

 

Note from MCC: "Technical standards specify functionality which shall be implemented. They do not specify whether users use that functionality or not".

DT: no time to define a new functionality for SAF.

ORANGE: colocate this functionality in the NRF.

ORANGE: do we need all these functionalities if we are in the same network domain? The functionality should be supported, optional to use.

 

NIST suggested to change some profiles to make them mandatory.

Vodafone: we don’t believe that a single curve is trusted all around the World. We prefer having five curves.

Huawei: Two curves here are not widely implemented, so we have concerns about this. The curve in Qualcomm's proposal is fine with us.We don’t have a strong opinion on the number of curves.

The Chair commented that there was general support for having two curves.

Qualcomm asked whether it was better to restrict to two curves in Rel-15, and go for the rest in later releases.

Curve A and C were the preferred ones by NIST, NCSC and Vodafone.

 

 

ORANGE expressed their concerns on the format of the contributions were making them hard to implement in the TR. Vodafone commented that this would be solved in the next meeting.

Deutsche Telekom had concerns with this, it wasn't helpful for them.

Vodafone agreed with DT.

Huawei: this is not a problem. After 10 years we haven’t seen any issues.

 

TIM: what’s the value of this new text? ORANGE, Vodafone agreed.

 

ORANGE: there is no visited network's UDM. It doesn’t exist.

 

NCSC: In Step 5 send more information.

Nokia: This  is presenting a solution against an attack scenario cited by an external paper by researchers. The scenario they cited is not new and it exists even in LTE. But in actual implementations this attack doesn’t happen because of the reliability mechanisms built in to the transport protocol. It may be a good idea to build the transaction identifier in to the authentication protocol, but the current proposal is not correct. When the source AUSF requests Authentication vectors from ARPF/UDM, it is requesting using the SUCI/SUPI it received from the UE. To bind the response it receives from the ARPF/UDM, the response message should contain the SUCI/SUPI from the Request message, not the actual /de-concealed SUPI by the UDM for which the AVs are generated.

 

NEC: having the SUPI go back is a concern and may be subject to IMSI catchers.

It was discussed how to handle comments from parties outside 3GPP (e.g. researchers). The Chair commented that 3GPP was setting up an official procedure to answer to these kind of comments.

 

ORANGE preferred the Note here to the option in 585. It was also agreed to have normative text instead of the note.

ORANGE: Do you need to know the SUPI when authenticating from LI perspective?

Mark: no, we are fine with this document.

Qualcomm: Why not using USIP for the calculation in all cases? This was taken offline.

 

Vodafone: There are more issues with overloading the authentication. This is just one of the cases.

Similar to 584, they were merged.

 

Ericsson: we are not closing this discussion, just starting it to trigger the work; this is a huge table that needs further input from companies.

The Chair commented for the minutes that more rules are expected on this topic.

 

 

It was agreed to add the abreviations of g-NodeB and NG-RAN and so on instead of the definitions (which are in the SA2 and RAN documents).

 

 

Deutsche Telekom didn’t agree with removing this clause. They wanted to see a detail of what Ies to protect and which ones not to protect.

Ericsson: the work here on the IEs hasn’t progressed with contributions, hence we remove it.

Qualcomm: ask SA2 whether we are protecting an IE that is needed.

Huawei: too late to go back to SA2 to ask for any changes, we agree with Ericsson.

The Chair asked for a show of hands:

BT,Nokia,Huawei, China Mobile supported this document.

Against: Deutsche Telekom, Qualcomm, T-Mobile.

 

Qualcomm: Not key change but security context change in the last bullet.

Discussed in the conference call. Provided for information.