SAR

Security Assurance Requirements

Security
Introduced in R99
A framework of mandatory security requirements and testing specifications for 3GPP network products and functions. It ensures that equipment and software implementations meet baseline security levels to protect against vulnerabilities and attacks, forming a critical part of network security certification.

Description

Security Assurance Requirements (SAR) constitute a comprehensive and structured set of security specifications defined by 3GPP. They are designed to provide a standardized methodology for evaluating the security robustness of network elements, including User Equipment (UE), radio access nodes, and core network functions. The framework operates by defining specific security targets, assurance levels, and detailed testing procedures (known as Security Assurance Specifications, or SCAS) for different product types. These requirements are not optional; they are mandated for compliance and certification under schemes like the GSMA's Network Equipment Security Assurance Scheme (NESAS). The process involves independent security evaluations where products are tested against their defined SAR to verify they are resilient to a wide range of threats, such as logical attacks, protocol exploits, and physical tampering.

The architecture of SAR is modular, with requirements categorized by network domain (e.g., 5G Core, NG-RAN, UE) and by security functionality (e.g., authentication, secure boot, cryptographic algorithms). Each set of requirements is documented in a dedicated specification series. For instance, TS 33.805 specifies the security assurance methodology, while other specs detail requirements for specific network functions like the AMF or UPF. The framework defines how security functional requirements (what the product must do) are linked to security assurance requirements (how much confidence the evaluation provides that the product does it correctly and robustly). This is often aligned with Common Criteria concepts, including the Evaluation Assurance Levels (EAL).

SAR's role is integral to the entire 3GPP security lifecycle. It moves security from a purely design-time consideration to a verifiable, testable attribute of deployed products. By providing a common baseline, it prevents vendors from implementing weak security measures to reduce cost or complexity. It also aids operators in procurement, giving them confidence that certified products have undergone rigorous, standardized security testing. The requirements evolve to address new threats, such as those introduced by network virtualization, cloud-native deployments, and supply chain risks, ensuring that security assurance keeps pace with technological advancements in mobile networks.

Purpose & Motivation

SAR was created to address the critical need for standardized, independent security verification of telecommunications equipment. Prior to its development, security assurance was often ad hoc, vendor-specific, or based on non-telecom standards, leading to inconsistent security postures across the network and potential weak links that could be exploited. The increasing complexity of mobile networks, the transition to IP-based protocols, and the rising value of transmitted data made it imperative to establish a uniform, high bar for security.

The primary problem SAR solves is the lack of trust and transparency in the security of network products. It provides a common language and a set of measurable criteria for security, enabling fair comparison between vendors and giving network operators a reliable mechanism to assess risk. This is especially crucial in multi-vendor environments, where one insecure component can compromise the entire system. SAR also addresses regulatory and national security concerns by providing a framework for certifying that equipment meets mandated security levels, which is vital for critical infrastructure.

Historically, its development was motivated by collaboration between 3GPP and the GSMA, recognizing that security could not be solely a matter of protocol design but required rigorous implementation testing. It formalizes the concept of 'security by design' into 'security by verification,' ensuring that the robust security mechanisms defined in 3GPP specifications (like authentication and encryption) are correctly and resiliently implemented in real-world products, thereby closing the gap between specification and deployment.

Key Features

  • Standardized testing methodology for network product security
  • Mandatory requirements for compliance and certification (e.g., NESAS)
  • Product-specific Security Assurance Specifications (SCAS)
  • Alignment with Common Criteria Evaluation Assurance Levels (EAL)
  • Coverage across all network domains: UE, RAN, and Core
  • Evolution to address cloud-native and virtualized network functions

Evolution Across Releases

R99 Initial

Introduced the foundational concept of Security Assurance Requirements within the 3GPP framework. Initial specifications focused on establishing the methodology and basic requirements for securing early 3G (UMTS) network elements, laying the groundwork for standardized security evaluation.

Defining Specifications

Specification   Title
TS 21.905       3GPP TS 21.905
TS 23.380       3GPP TS 23.380
TS 25.414       3GPP TS 25.414
TS 25.426       3GPP TS 25.426
TS 25.434       3GPP TS 25.434
TS 29.414       3GPP TS 29.414
TS 33.805       3GPP TR 33.805
TS 36.770       3GPP TR 36.770
TS 37.544       3GPP TR 37.544
TS 38.912       3GPP TR 38.912