Protect 5G subscriber credentials in the Cloud with AWS Nitro Enclaves

via aws.amazon.com => original post link

Strong security, as required in telecommunications or financial services, can depend on keeping certain cryptographic material, such as keys, secret. On-premises, this has traditionally been done with hardware security modules (HSMs). This post presents a cloud-native solution that uses AWS Nitro Enclaves to fulfill the same core function as an HSM (keeping cryptographic material secret and using it without exposing it) and so supports the migration of these services to the Cloud. The solution supports elasticity and high availability, and its deployment can be fully automated. We present it in the context of a 5G mobile network use case.

In mobile networks, a vital function is mutual authentication between the subscriber device (such as a smartphone) and the network. Authentication is performed with a cryptographic challenge-and-response protocol based on a symmetric key shared between the subscriber and the network. On the subscriber device, the key is protected within the universal subscriber identity module (USIM, or simply SIM). The SIM has the cryptographic capabilities to compute the authentication data needed for the challenge-and-response protocol on the device side.

In the network, the key is protected within the Unified Data Management (UDM) network function. The UDM hosts functions related to subscriber data management; in particular, it hosts the Authentication Credential Repository and Processing Function (ARPF). One task of the ARPF is to compute the authentication data (also called the authentication vector, or AV) needed for the challenge-and-response protocol on the network side. For this task, the ARPF processes the key inside its secure environment: the key is protected from physical attacks and never leaves the secure environment of the ARPF unprotected. When implemented on-premises, the cryptographic capabilities of the ARPF are generally provided by a custom HSM. HSMs for 5G networks are specialized because the cryptographic functions used by the authentication protocol are specific to 5G mobile networks. They are standardized by the 3rd Generation Partnership Project (3GPP); see 3GPP technical specification 33.501 for details on the authentication protocol.