In the rapidly evolving telecommunications landscape, the transition from 2G/3G/4G to 5G SA introduces new requirements, challenges, and security responsibilities. Although 5G SA roaming is not yet fully operational, its standardisation is necessary, making now the perfect time to get prepared before it becomes commonplace.
GSMA FS.34 “GSMA Key Management” version 7.0 outlines the new industry standards and responsibilities of mobile network operators (MNOs) and IP Packet eXchange (IPX) providers, and serves as the basis for an emerging process for secure key management with enhanced scalability and automation. It offers a comprehensive framework to address the complexities of securing interworking in a multi-operator environment. Part of this automated framework relates to the GSMA RAEX Certificate Database (already available as part of GSMA Roaming Gateway), which serves as a repository for all root certificates. FS.34 guides both IPX providers and MNOs on how to implement key management best practices, ensuring the benefits of 5G without compromising security. In other words, the main aim of FS.34 is to build better trust within the industry.
What will be required from the market players to reach this goal?
The main challenge lies in the new responsibilities: they are now better defined, more concise, more elevated, and equally applicable to both IPX providers and MNOs. Most importantly, new practices (and the related terminology) must be described and integrated into daily routines. This applies especially to the concepts of Certificate Authorities (CAs) and Trust Anchors:
- A Certificate Authority (CA) is an entity that verifies the identity of participants in a network and issues digital certificates confirming that verification was successful. These certificates bind a participant’s public key to a unique identifier, enabling secure communication. Essentially, CAs act as trusted third parties that ensure the authenticity of network participants, using cryptographic algorithms to allow recipients of the certificates to verify the certificates’ validity.
- A Trust Anchor represents a list of trusted certificates and an associated list of mobile network identifiers (PLMN-IDs). Any given PLMN-ID can appear in at most one Trust Anchor, while any given root certificate can appear in multiple Trust Anchors.
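The Trust Anchor rule above can be checked mechanically before a trust store is loaded. The following is an added example, not taken from FS.34 or from any GSMA tooling; the dictionary layout, the `MCC-MNC` string form of the PLMN-ID, the SHA-256 fingerprint as certificate identity and all sample values are assumptions made for illustration.

```python
import hashlib
import re

# Assumed textual form: MCC (3 digits), hyphen, MNC (2 or 3 digits).
PLMN_RE = re.compile(r"^\d{3}-\d{2,3}$")

class TrustAnchorError(ValueError):
    """Raised when a set of Trust Anchors is inconsistent."""

def fingerprint(cert_der: bytes) -> str:
    # SHA-256 over the encoded certificate, used here as its identity.
    return hashlib.sha256(cert_der).hexdigest()

def build_plmn_index(anchors: dict) -> dict:
    """Map each PLMN-ID to (anchor name, set of root fingerprints).

    Rejects any PLMN-ID listed in more than one Trust Anchor; the same
    root certificate may appear in several anchors and is accepted.
    """
    index = {}
    for name, anchor in anchors.items():
        roots = frozenset(fingerprint(c) for c in anchor["roots"])
        if not roots:
            raise TrustAnchorError(f"{name}: no root certificates")
        for plmn in anchor["plmn_ids"]:
            if not PLMN_RE.match(plmn):
                raise TrustAnchorError(f"{name}: malformed PLMN-ID {plmn!r}")
            if plmn in index:
                raise TrustAnchorError(
                    f"PLMN-ID {plmn} is in both {index[plmn][0]} and {name}")
            index[plmn] = (name, roots)
    return index

def root_is_trusted(index: dict, plmn: str, root_der: bytes) -> bool:
    # Trust the root only if it belongs to the anchor that owns this PLMN-ID.
    entry = index.get(plmn)
    return entry is not None and fingerprint(root_der) in entry[1]

# Constructed sample data: placeholder bytes stand in for DER-encoded roots,
# and the PLMN-IDs are test values, not real operators.
ROOT_A, ROOT_B, ROOT_IPX = b"root-a", b"root-b", b"root-ipx"
ANCHORS = {
    "operator-a": {"roots": [ROOT_A, ROOT_IPX], "plmn_ids": ["001-01", "001-02"]},
    "operator-b": {"roots": [ROOT_B, ROOT_IPX], "plmn_ids": ["999-99"]},
}
INDEX = build_plmn_index(ANCHORS)
```

Indexing by PLMN-ID means a root that is valid for one operator's anchor is not accepted for a peer claiming a PLMN-ID owned by a different anchor.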
How does it apply to MNOs and IPX providers?
The main responsibilities of MNOs and any IPX provider that deploys an intermediate service node in this context will be the following:
- Deploy a robust PKI (Public Key Infrastructure) and implement a CA
- Operate the full lifecycle for certificates (generate, publish, verify, map and revoke). This includes publishing their root certificates to the GSMA RAEX Certificate Database, downloading the certificates of other entities, and updating the database in case any of their certificates are revoked.
An IPX provider may also choose to offer certificate management as a service to MNOs. Some MNOs may choose to outsource certificate management to an IPX provider to reduce their operational activities as part of 5G SA roaming deployment. IPX providers must be ready to take on these responsibilities.
As we move further into the 5G era, security in roaming is taking center stage, becoming a crucial aspect of both connectivity and business offerings. IPX providers and MNOs must work together to establish and uphold strong key management practices to protect their own networks, those of their roaming partners, and the subscribers they serve. This collaboration is essential to building the trust needed for the ongoing growth and success of global mobile communications.