5G made a significant jump in cellular network security by offering enhanced subscriber identity protection and a user-network mutual authentication implementation. However, it still does not fully meet the zero-trust (ZT) requirements: users need to trust the network, the 5G network is not necessarily authenticated in each communication instance, and there is no mutual authentication between end users. When critical communications need to use commercial networks in a ZT environment, a specific security architecture is needed to provide security services that do not rely on any 5G network trusted authority. In this paper, we propose SCC5G, Secure Critical-mission Communication over a 5G network in a ZT setting. SCC5G is a post-quantum cryptography (PQC) security solution that loads an embedded hardware root of authentication (HRA), such as a physically unclonable function (PUF), into the users' devices to achieve tamper-resistant and unclonable authentication and key agreement. We evaluate the performance of the proposed architecture through an exhaustive simulation of a 5G network in the ns-3 network simulator. The results verify the scalability and efficiency of SCC5G by showing that it adds only a few kilobytes of traffic overhead and latency on the order of $O(0.1)$ second under normal traffic load.