At the request of the FCC, the Communications Security, Reliability, and Interoperability Council (CSRIC) VIII advisory group examined and made recommendations to enhance security for the newly adopted 5G signaling protocol, HTTP/2. The wireless industry’s 5G Security Test Bed conducted an analysis to assess CSRIC’s findings and recommendations, determining that the use of mutual transport layer security (mTLS) encryption enhances network security.
In the 5G Security Test Bed’s analysis to assess CSRIC’s HTTP/2 concerns and recommendations, no new tests specific to those recommendations were necessary. The Test Bed leveraged results from prior tests, which provide relevant evidence supporting mitigations to the potential vulnerabilities associated with HTTP/2 use on the 5G Service-Based Architecture (SBA) interface (SBI).
The Test Bed’s analysis confirmed that:
- The use of mTLS, by constantly encrypting and authenticating information as it travels through the network, prevents a bad actor with access to the core, but without valid credentials, from deciphering or inserting malicious messages into the network.
- mTLS prevents a malicious network function (NF), without approved credentials, from connecting with other network functions, and the malicious NF is consequently unable to send such requests.
HTTP/2 is used in the 5G core because it has better performance, and its vulnerabilities are well understood. In spite of those vulnerabilities, the way HTTP/2 is used in the 5G core in conjunction with mTLS, along with other recommendations made in the CSRIC WG3 report that help enable Zero Trust, makes it significantly more secure. As a result, the 5GSTB recommendation to employ mTLS among the 5GC network functions forms part of the solution to the vulnerabilities raised in the CSRIC VIII WG1 report on HTTP/2 vulnerabilities.