SFR

Security Functional Requirements

Introduced in Rel-9

SFR is the set of mandatory security functions and capabilities that network elements and user equipment must implement to ensure a secure and interoperable 3GPP system.

Category: Security
Introduced: Rel-9
Where: Security
Specifications: 3 specs

Description

Security Functional Requirements (SFR) constitute a foundational set of specifications within the 3GPP security architecture. They are not a single protocol or interface but a comprehensive collection of mandated security capabilities. These requirements are defined across various technical specifications (TS) and are applied to network functions, user equipment (UE), and the interfaces between them. The SFR framework ensures that all compliant implementations provide a minimum, verifiable level of security, covering aspects such as authentication, integrity protection, confidentiality, and availability. The requirements are technology-agnostic in principle but are detailed for specific system architectures like GSM, UMTS, LTE, and 5G.

The SFRs work by being integrated into the normative specifications for each network element and protocol. For example, specifications for the Access Stratum (AS) and Non-Access Stratum (NAS) protocols will include clauses referencing SFRs that mandate the use of specific ciphering algorithms (like 128-EEA3) or integrity algorithms (like 128-EIA3) for 5G. Similarly, specifications for network functions like the AMF, SMF, or UPF will include SFRs detailing requirements for secure storage of keys, protection against replay attacks, and secure logging. Compliance is verified through conformance testing, where equipment is tested against these mandated functions.

Key components of the SFR framework include requirements for User Identity Confidentiality, Entity Authentication, Data Confidentiality, Data Integrity, and Non-Repudiation. These are further broken down into specific technical mandates. For instance, requirements for Entity Authentication detail the need for mutual authentication between the UE and the network using the AKA (Authentication and Key Agreement) protocol suite. Data Confidentiality requirements specify the need for ciphering of user plane and control plane traffic over the radio interface and within the core network. The role of SFR is to provide a cohesive security baseline, preventing vendors or operators from deploying systems with critical security gaps and ensuring that security evolves in lockstep with new network features and threat landscapes.

Purpose & Motivation

The purpose of Security Functional Requirements is to establish a mandatory, standardized security foundation for all 3GPP systems. Prior to their formalization, security implementations could be inconsistent, with vendors potentially omitting certain protections for cost or performance reasons, leading to vulnerabilities and interoperability issues. The SFR framework was created to solve this by defining a non-negotiable set of security functions that every compliant product must implement. This ensures a baseline level of trust and security across the entire ecosystem, from chipsets in handsets to core network servers.

Historically, as cellular technology evolved from 2G (GSM) to 3G (UMTS), security became more complex and critical. GSM's security had known weaknesses, such as one-way authentication and weak encryption algorithms. The introduction of 3GPP's SFR, particularly from Release 9 onwards, provided a structured way to mandate stronger, mutual authentication and more robust cryptographic algorithms. It addressed the limitations of ad-hoc security implementations by providing a clear, specification-driven checklist. This was motivated by the growing value of mobile data, the rise of mobile commerce, and the increasing sophistication of attacks against telecommunications infrastructure.

Furthermore, SFRs enable regulatory compliance and certification (e.g., for government or critical infrastructure use) by providing a clear set of technical criteria against which systems can be evaluated. They ensure that new features introduced in later releases, such as network slicing in 5G or proximity services (ProSe), are built upon a secure foundation from the outset, with specific SFRs defined for these new capabilities to prevent security from being an afterthought.

Classification

Part of AKA

Evolution Across Releases

Rel-9 Initial

Introduced the formal concept of Security Functional Requirements within the security architecture specifications. Established a baseline set of mandatory security functions for EPS (LTE) and legacy systems, focusing on authentication, confidentiality, and integrity for core network interfaces and radio access.


Defining Specifications

3GPP specifications that define or reference SFR, with the latest known release. Sourced from the 3GPP document catalog.

| Specification | Title | Release |
|---|---|---|
| TS 26.150 vj00 | Syndicated Feed Reception (SFR) Specification | Rel-19 |
| TS 33.805 vc00 | 3GPP Network Product Security Assurance Methodology | Rel-12 |
| TR 33.916 vj00 | 3GPP Security Assurance Methodology (SECAM) | Rel-19 |