
A Survey on Security Aspects for 3GPP 5G Networks

2020, IEEE Communications Surveys and Tutorials

With the continuous development of mobile communication technologies, Third Generation Partnership Project (3GPP) has proposed related standards with the fifth generation mobile communication technology (5G), which marks the official start of the evolution from the current Long Term Evolution (LTE) system to the next generation mobile communication system (5GS). This paper makes a large number of contributions to the security aspects of 3GPP 5G networks. Firstly, we present an overview of the network architecture and security functionality of the 3GPP 5G networks. Subsequently, we focus on the new features and techniques including the support of massive Internet of Things (IoT) devices, Device to Device (D2D) communication, Vehicle to Everything (V2X) communication, and network slice, which incur the huge challenges for the security aspects in 3GPP 5G networks. Finally, we discuss in detail the security features, security requirements or security vulnerabilities, existing security solutions and some open research issues about the new features and techniques in 3GPP 5G network.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/COMST.2019.2951818, IEEE Communications Surveys & Tutorials

Jin Cao, Maode Ma, Hui Li, Ruhui Ma, Yunqing Sun, Pu Yu, and Lihui Xiong

Index Terms—5G security, IoT security, D2D security, V2X security, Slice security.

I. INTRODUCTION

The fifth Generation (5G) network is the main carrier for the communication network in 2020 that supports the Internet of Everything and large-scale heterogeneous connections. At present, several standardization organizations have basically completed the discussion and experimental verification of 5G communication technology where the Third Generation Partnership Project (3GPP) R15 has been terminated.
The experimental commercial network has also been in the actual testing stage, and the mobile internet is about to enter the 5G era. The 5G network can enable the seamless integration of 2G, 3G, 4G, WiFi and other access technologies, provide speeds in excess of 10Gb/s, low latency, high reliability, ultra-high density user capacity, the support of high mobility, and so on. In addition, 5G can not only provide the support for more abundant application scenarios in the mobile Internet, such as ultra-high definition visual communication, multimedia interaction, mobile industrial automation, and vehicle interconnection, but also be widely used in the Internet of Things (IoT) including mobile medical, smart home, industrial control, car networking and environmental monitoring. Hundreds of billions of devices are connected to the 5G network to realize the “Internet of Everything”.

J. Cao is with the State Key Laboratory of Integrated Service Network, Xidian University, Xi’an, China. M. Ma is with School of Electrical and Electronic Engineering, Nanyang Technological University, Singapore. H. Li, R. Ma, Y. Sun, P. Yu and L. Xiong are with the State Key Laboratory of Integrated Services Networks, Xidian University, Xi’an, China.

Compared with 3G and 4G, the future 5G network will present the features such as diversified terminals and huge number of nodes, ultra-high density deployment of nodes, coexistence of multiple wireless network technologies and security mechanisms, end-to-end direct communication, and the introduction of new techniques including V2X, Software Defined Network (SDN) and Network Function Virtualization (NFV). These new features and techniques make 5G networks face several new security challenges. 3GPP organizations have conducted pre-research and provided several standards on the 5G security aspects.
For example, 3GPP TS 33.501 has developed a new 5G security framework including the security features and security mechanisms of 5G systems and 5G core networks, and how to run on 5G core networks and 5G new radio access networks [1]. 3GPP TR 33.811 has carried out the security research on network slice management, and proposed the features, security threats, security requirements and solutions on 5G network slice management aspects [2]. 3GPP TR 33.841 has analyzed the security threats and the impact on UE, NR Node B (gNB) and core network entities in the post-quantum era symmetric and asymmetric encryption algorithms, and studied the application of 256-bit key length encryption algorithm in 5G, including key derivation, Authentication and Key Agreement (AKA) key generation, key integrity protection, key distribution, key refresh, key size negotiation, handling of confidential Control Plane (CP)/User Plane (UP)/Management Plane (MP) information, etc., to ensure the security of 5G system in the future [3].

Recently, relevant researchers have made some investigations on 5G network security [4]–[7]. The potential security requirements and mechanisms of 5G mobile networks are discussed in [4]. This survey points out that the privacy and integrity of the user’s information and transmission data need to be guaranteed in the future 5G network. In addition, the survey analyzes the security issues in the virtualization and SDN network scenarios. In the survey [5], how to provide a more secure mobile computing environment is mainly emphasized for 5G network. In addition, the survey also discusses the security architecture of the future 5G network and analyzes the five security pillars of the 5G network. The survey [6] summarizes the existing authentication and privacy protection schemes for 4G and 5G network security and gives some further suggestions for future 5G security.
In this survey, the security threats in the 5G network are mainly divided into four categories including privacy attacks, integrity attacks, availability attacks and authentication attacks. Then, the following three countermeasures including cryptography, human factors and intrusion detection methods are discussed for these threats. The survey [7] designs a new security architecture for 5G network and gives some solutions to threats from WLANs and mobile access devices in a consistent manner. However, the previous surveys [4]–[7] mainly focus on the 5G network security architecture, the security requirements and security vulnerabilities for specific scenarios, and lack a systematic discussion of 5G network security requirements or vulnerabilities, potential solutions and open research directions.

1553-877X (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

In this paper, we present a scientific survey of security aspects in 3GPP 5G networks. Our contributions made in this work are described as follows. (1) We give an overview of the security architectures and functionalities in the 3GPP 5G networks. (2) We mainly focus on the security aspects of the new features and techniques in the 3GPP 5G networks. (3) We analyze their security requirements or vulnerabilities and discuss the existing solutions for the corresponding issues. (4) Finally, we give some potential areas and research directions for these new features and techniques. Table I shows the comparison of our survey with previous surveys [4]–[7].
According to Table I, our survey covers 3GPP 5G network security architecture, 5G access security, 5G handover security, IoT security, D2D security, V2X security and network slice security. At the same time, our survey analyzes the security mechanisms suggested by the 3GPP standards, security requirements, security vulnerabilities, corresponding solutions and future research directions in each field. But previous surveys [4]–[7] do not fully cover all of the above.

TABLE I. COMPARISON OF AREAS COVERED BY THESE PAPERS
Rows: [4], [5], [6], [7], Our Paper. Columns: 5G Network Security Architecture, 5G Access Security, 5G Handover Security, IoT, D2D, V2X, 5G Slice.
①: Indicates that the paper covers security mechanisms in the current field.
②: Indicates that the paper covers security requirements/security flaws in the current field.
③: Indicates that the paper covers related solutions in the current field.
④: Indicates that the paper covers future research direction in the current field.
−: Indicates that the paper does not discuss the current field.

The remainder of this paper is organized as follows. Section II gives the overview of the network and security architecture of the 3GPP 5G networks. From Section III to Section VII, the security features and functionalities, security vulnerabilities, the corresponding solutions and open research topics of the 5G access and handover security, IoT security, D2D security, V2X security and network slice security are explored, respectively. Finally, we draw a conclusion in Section VIII.

II. SECURITY ARCHITECTURE OVERVIEW

A. 3GPP 5G Network Architecture

As shown in Fig. 1, the 3GPP 5G system is mainly composed of 5G Core network (5GC) and 5G Radio Access Network ((R)AN). The 5GC mainly consists of Access and Mobility management Function (AMF), Session Management Function (SMF), User Plane Function (UPF), Authentication Server Function (AUSF) and some new network functions in the 5G network. When the UE is connected to the 5GC, the AMF will perform mutual authentication with the UE on behalf of the AUSF. In the 5G radio access network, the 5G base station gNB mainly communicates with the UE. Compared with the current LTE/LTE-A system, the 5G system introduces some new network functions and entities. To simplify the drawing, we collectively refer to them as 5G Network Function (NF).
(1) These new 5G network functions mainly include Structured Data Storage Network Function (SDSF), Unstructured Data Storage Function (UDSF), Network Exposure Function (NEF), Network Repository Function (NRF), Policy Control Function (PCF), Unified Data Management (UDM) and Application Functions (AF). It is worth noting that information interaction can be performed between all network functions when necessary.
(2) In addition to the 5G radio access network, the 5G system also supports the connection of a non-3GPP access network such as a Wireless Local Area Network (WLAN) to the 5G core network. When accessing the 5G core network through a non-3GPP access network, the UE needs to connect to the Non-3GPP InterWorking Function (N3IWF) in the 5G core network.
(3) The 5G system supports large-scale IoT communication, such as eMTC, NB-IoT, etc.
(4) The Device-to-Device communication (D2D) is also introduced in 5G system. At this time, the proximity devices can communicate directly through the D2D link without establishing a connection with the server, which improves resource utilization and network capacity.
(5) 5G system also supports vehicle networking technology, i.e., Vehicle to Everything (V2X). V2X is the key technology of future intelligent transportation system where a new entity, the V2X control function, is introduced in 5GC. When a V2X device connects to a 5G network, the V2X device can communicate with the V2X control function. In addition, V2X devices can also be directly connected to the 5G core network via a 5G wireless access network.

[Fig. 1. Network Architecture of 5G.]

B. 3GPP 5G Security Architecture

As shown in Fig. 2, there are six security levels defined by 3GPP committee [1], which are specified as follows:
Network access security (I): the set of security features that enable a UE to authenticate and access services via the network securely, including the 3GPP access and non-3GPP access, and in particular, to protect against attacks on the (radio) interfaces. In addition, it includes the security context delivery from Serving Network (SN) to UE for the access security.
Network domain security (II): the set of security features that enable network nodes to securely exchange signalling data and user plane data.
User domain security (III): the set of security features that enable the user to securely access mobile equipment.
Application domain security (IV): the set of security features that enable applications in the user domain and in the provider domain to exchange messages securely.
Service Based Architecture (SBA) domain security (V): the set of security features about the SBA security including the network element registration, discovery, and authorization security aspects, and also the protection for the service-based interfaces.
Visibility and configurability of security (VI): the set of features that enable the user to be informed whether a security feature is in operation or not.

[Fig. 2. Overview of Security Architecture.]

C. 3GPP 5G Security Aspects of New Features and Techniques

The introduction of the new features and techniques such as the support of massive IoT devices, D2D communication, V2X communication, SDN/NFV, etc., brings about huge challenges for the security aspects in 3GPP 5G networks. Here, we firstly pay attention to the new changes in 5G network security compared with the LTE-A networks where the focuses are network access security level and application domain security level. Then, we mainly discuss the security aspects of the new features and techniques introduced in 3GPP 5G networks. Based on the innovation for the current 3GPP 5G network, the following five aspects will be specified for the 3GPP 5G security.
(1) 5G access and handover security. 5G network will provide the support for a large number of users and secure access to multiple types of devices. There are a lot of security problems in access security aspects for 5G network including multi-domain ultra-short-time authentication and authorization, heterogeneous network security communication and seamless security roaming handover.
(2) IoT security. Based on various emerging IoT technologies, 3GPP has designed several standards, where the most important standards are LTE enhanced MTC (eMTC) and Narrow Band Internet of Things (NB-IoT). eMTC is a technology designed to meet the needs of IoT devices based on existing LTE carriers. For the NB-IoT system, it is a new air interface technology proposed by the 3GPP for the IoT. 3GPP committee has specified the network architecture, performance requirements, Quality of Service (QoS) guarantee mechanisms and discussed the security requirements, the corresponding solutions and so on. However, there are still a lot of security problems to be solved including massive IoT device concurrent security access, differentiated secure access for different types of IoT devices, privacy protection, and lightweight security mechanism, etc.
(3) D2D security. D2D communication technology, defined as a direct communication technology between two user devices, can be closely integrated with 5G networks to reduce the load on the base station, and thereby reduce the end to end latency, increase the system capacity, and achieve the design goals of 5G networks. D2D communication presents a hybrid architecture in which the distributed and centralized methods are coupled together. Therefore, it is vulnerable to multiple security threats and privacy threats from the cellular and ad hoc networks.
(4) V2X security. Compared to traditional Dedicated Short Range Communications (DSRC), 5G-V2X offers several advantages including much larger coverage area, pre-existing infrastructure, deterministic security and QoS guarantees, as well as more robust scalability. However, there are still security and performance issues in 5G-V2X such as a centralized architecture, several different types of authentications for distinct scenarios, broadcasting message security protection for one-to-many V2X communication, and V2X UE privacy protection, etc.
(5) Network Slice security. As the future 5G network will widely adopt the technologies such as SDN and NFV, the topology of the 5G core network will be more flat, and network resources and relay node resources will be controllable and dynamically optimized. However, due to many network characteristics and changes caused by the widespread use of SDN/NFV, many security methods, security policies, trust management policies, etc., which are originally designed around traditional network structures and communication devices may no longer be applicable in 3GPP 5G networks.

In the subsequent sections, we specify the above five security aspects in terms of security features and functionalities, security requirements or vulnerabilities, the corresponding solutions and future open issues.

III. SECURITY IN 5G UE ACCESS AND HANDOVER METHODS

A. Security Review in 5G UE Access and Handover Methods

(1) Security in the access procedure

Mutual authentication between the UE and the network and key agreement used to provide keying material to protect the subsequent security procedures are the two most important security features in the 5G network. In 5G system, a new AKA protocol named 5G AKA is supported by 3GPP committee [1], [8], which enhances 4G AKA protocol, i.e., EPS AKA [9] by offering the home network with the proof of successful authentication of the UE.
Before 5G, after the Home Network (HN) sends the Authentication Vector (AV) to the Visited Network (VN), it does not participate in the subsequent authentication process, which easily leads to a security problem. That is, in the roaming scenario, the visiting operator obtains the complete authentication vector of the roaming user from the home operator, and the visiting operator falsifies the user location update information by using the authentication vector of the roaming user, thereby generating a roaming fee by forging the bill. As shown in Fig. 3, in order to withstand this attack, 5G AKA protocol performs a one-way transformation on the authentication vector where the visited operator can only obtain the transformed authentication vector of the roaming user. The visited operator implements the authentication of the roaming user without acquiring the original authentication vector, and sends the authentication result of the roaming user to the home operator, and thus the home operator enhances the authentication control for the visited operator.

In addition to the 5G AKA protocol, the EAP-AKA’ protocol [1], [8] is also supported to perform the mutual authentication and key agreement in 5G network as shown in Fig. 4. In LTE/LTE-A network, the EAP-AKA or EAP-AKA’ is only a complementary authentication approach, and is only used for UE to connect to the 4G core network via non-3GPP access networks such as WLAN. In addition, it is implemented in a set of independent Network Elements (NEs) compared with the EPS-AKA protocol, such as Authentication, Authorization, and Accounting (AAA) server. In the 5G network, a UE can execute the 5G AKA or the EAP-AKA’ to accomplish the mutual authentication with the 5GS via 5G wireless access network. Here, the EAP-AKA’ has been upgraded by the use of the same methods of 5G-AKA, and they use the same NEs. This means that NEs used to achieve the 5G authentication must support both of the two authentication methods on the standard.
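The split check that the one-way transformation enables (steps 4 to 14 of the 5G-AKA procedure in Fig. 3) can be sketched as follows. This is an added example, not code from the paper or from 3GPP: the HXRES* construction (SHA-256 over RAND || XRES*, low 128 bits) is modeled on TS 33.501 Annex A.5 and should be treated as an assumption, `toy_res_star` is a hypothetical stand-in for the real RES*/XRES* derivation, AUTN handling is omitted, and every key, RAND, SUPI and serving network name is constructed.

```python
import hashlib
import hmac

# Constructed sample values (not from the paper or from any real network).
K = bytes.fromhex("00112233445566778899aabbccddeeff")     # long-term key (USIM/ARPF)
RAND = bytes.fromhex("a0a1a2a3a4a5a6a7a8a9aaabacadaeaf")  # challenge
SUPI = "imsi-001010000000001"
SN_NAME = b"5G:mnc001.mcc001.3gppnetwork.org"


def toy_res_star(k: bytes, rand: bytes, sn_name: bytes) -> bytes:
    """Hypothetical stand-in for the real RES*/XRES* derivation.

    Assumption for illustration: a keyed one-way function of K, RAND and the
    serving network name, so that only a holder of K can compute it.
    """
    return hmac.new(k, b"RES*" + sn_name + rand, hashlib.sha256).digest()[-16:]


def hashed_response(rand: bytes, res_star: bytes) -> bytes:
    """HRES*/HXRES*: SHA-256 over RAND || RES*, low-order 128 bits kept."""
    return hashlib.sha256(rand + res_star).digest()[-16:]


class HomeNetwork:
    """AUSF with UDM/ARPF behind it: keeps K and XRES*, releases HXRES* only."""

    def __init__(self, subscribers):
        self._keys = dict(subscribers)
        self._pending = {}  # SUPI -> XRES* awaiting confirmation

    def authentication_vector(self, supi, sn_name, rand):
        xres_star = toy_res_star(self._keys[supi], rand, sn_name)  # step 4
        self._pending[supi] = xres_star                            # step 6
        return {"RAND": rand, "HXRES*": hashed_response(rand, xres_star)}  # step 7

    def confirm(self, supi, res_star):
        """Step 14: compare RES* with the stored XRES*; each XRES* is single use."""
        xres_star = self._pending.pop(supi, None)
        return xres_star is not None and hmac.compare_digest(res_star, xres_star)


class Seaf:
    """Serving-network anchor: sees RAND and HXRES*, never XRES* or K."""

    def __init__(self, home, sn_name):
        self.home, self.sn_name, self._av = home, sn_name, None

    def challenge(self, supi, rand):
        self._av = self.home.authentication_vector(supi, self.sn_name, rand)
        return self._av["RAND"]                                    # step 9

    def handle_response(self, supi, res_star):
        hres_star = hashed_response(self._av["RAND"], res_star)    # step 12
        local_ok = hmac.compare_digest(hres_star, self._av["HXRES*"])
        home_ok = local_ok and self.home.confirm(supi, res_star)   # steps 13-14
        return local_ok, home_ok


def honest_run():
    """A UE that holds K answers the challenge; both checks succeed."""
    home = HomeNetwork({SUPI: K})
    seaf = Seaf(home, SN_NAME)
    rand = seaf.challenge(SUPI, RAND)
    res_star = toy_res_star(K, rand, SN_NAME)  # step 10, computed inside the UE
    return seaf.handle_response(SUPI, res_star)


def serving_network_without_ue():
    """A success report with no UE response behind it.

    The serving network holds only RAND and HXRES*, so the only value it has
    to submit is HXRES* itself; the comparison with XRES* rejects it.
    """
    home = HomeNetwork({SUPI: K})
    av = home.authentication_vector(SUPI, SN_NAME, RAND)
    return home.confirm(SUPI, av["HXRES*"])


if __name__ == "__main__":
    print("honest UE (SEAF check, home check):", honest_run())
    print("no UE, HXRES* submitted as RES*   :", serving_network_without_ue())
```

The home network's result depends on a value that only a UE holding K can produce, which is the proof of successful authentication that EPS AKA did not give it.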
The 5G system also supports the non-3GPP access for the UE [10]. For an untrusted non-3GPP access network, the channel between the UE and the 5G core network is considered unsafe. In order to protect the communication between the UE and the 5G core network, the UE shall establish an IPSec tunnel by using IKEv2. Both the EAP-AKA’ and 5G AKA are allowed for the authentication of UE via non-3GPP access during the IPSec tunnel establishment procedure [11], [12].

Fig. 3. 5G-AKA process. Entities: UE, SEAF, AUSF, UDM/ARPF/SIDF.
1. <N1 message> (SUCI or 5G-GUTI)
2. UE Authentication Req (SUCI or SUPI, SN name)
3. Authentication Data Req (SUCI or SUPI, SN name)
4. Generate 5G HE AV: RAND, AUTN, XRES*, K_AUSF
5. Authentication Data Res (5G HE AV, [SUPI])
6. Store XRES*
7. Calculate HXRES* and generate 5G AV: RAND, AUTN, HXRES*, K_SEAF
8. UE Authentication Rep (5G AV, [SUPI])
9. UE Authentication Rep (RAND, AUTN)
10. Verify AUTN and compute RES*
11. UE Authentication Res (RES*)
12. Compute HRES* and compare to HXRES*
13. UE Authentication Res (RES*)
14. Compare RES* and XRES*
15. UE Authentication Result
Compute CK, IK, K_AUSF and K_SEAF

Fig. 4. EAP-AKA’ process. Entities: UE, SEAF, AUSF, UDM/ARPF/SIDF.
1. <N1 message> (SUCI or 5G-GUTI)
2. UE Authentication Req (SUCI or SUPI, SN name)
3. Authentication Data Req (SUCI or SUPI, SN name)
4. Generate EAP AKA’ AV: RAND, AUTN, XRES, K_AUSF
5. Authentication Data Res (EAP AKA’ AV, [SUPI])
6. UE Authentication Rep (RAND, AUTN)
7. UE Authentication Rep (RAND, AUTN)
8. Verify AUTN and compute RES
9. UE Authentication Res (RES)
10. UE Authentication Res (RES)
11. Compare RES and XRES
12. UE Authentication Result {EAP SUCCESS, K_SEAF, [SUPI]}
13. UE Authentication Result {EAP SUCCESS}
Compute CK, IK, K_AUSF and K_SEAF

During a successful authentication and key agreement procedure, the K_AMF, which is necessary for the 5G system integrity protection and ciphering key hierarchy, is stored by both the UE side and the SEcurity Anchor Function (SEAF) side. Then the SEAF would send the K_AMF to the AMF.
Finally, the AMF and the UE can derive the necessary keys for 5G system such as K_gNB and K_N3IWF. The detailed key hierarchy is introduced in Fig. 5.

[Fig. 5. Key hierarchy generation in 5GS. Keys shown on the network side and the UE side: K; CK, IK; CK’, IK’; K_AUSF; K_SEAF; K_AMF; K_NASint, K_NASenc, K_gNB, NH, K_N3IWF; K_RRCint, K_RRCenc, K_UPint, K_UPenc.]

(2) Security in the handover procedure

3GPP committee has specified the different mobility scenarios for 5G system including Mobility intra New Radio (NR), Mobility inter-3GPP access and Mobility between the 3GPP and untrusted non-3GPP access [12], [13].

1) Mobility intra NR. In order to achieve a secure handover procedure, a new key management mechanism based on horizontal or vertical key derivation has been specified as shown in Fig. 6, which is similar to the 4G system. To ensure the channel security between UE and gNB, the AMF and the UE shall derive a K_gNB and a Next Hop (NH) parameter from the K_AMF. On handovers, the K_gNB* that will be used between the UE and the target gNB, shall be derived from either the K_gNB or from the NH parameter [1], [13].

[Fig. 6. Handover Key Management. Labels: K_AMF, NAS uplink COUNT, initial K_gNB, K_gNB, K_gNB*, NH, PCI, EARFCN-DL, NCC = 0 to 3.]

2) Mobility inter-3GPP access. Mobility inter-3GPP access mainly includes two aspects: mobility intra New Generation-Radio Access Network (NG-RAN) and mobility between NG-RAN and E-UTRAN. For the intra NG-RAN handover, the handover procedure is similar to the intra NR handover procedure [1], [12], [13]. For the handover from the NG-RAN to the Evolved-Universal Terrestrial Radio Access Network (E-UTRAN), the source AMF shall derive a K_ASME from the K_AMF and send it to the target Mobility Management Entity (MME). The K_eNB, which shall be used to secure the channel between the UE and the target eNB, can be calculated by the target LTE eNB and the UE from the K_ASME. For the handover from the E-UTRAN to the NG-RAN, the source MME sends the UE’s Evolved Packet System (EPS) security context including the K_ASME to the target AMF. The target AMF shall derive a mapped key K_AMF from the received K_ASME and further obtain the K_gNB from the K_AMF. Simultaneously, the UE shall derive a mapped K_AMF key from the K_ASME in the same way as the AMF and further obtain the K_gNB [1]. Since inter Radio Access Technology (RAT) measurements in NR are only limited to E-UTRA [13], the handovers to/from 2G/3G Radio Access Network (RAN) are not considered in 5G system.

3) Mobility between 3GPP and untrusted non-3GPP access. 3GPP committee has specified the mobility approaches for the UE to achieve secure handovers between an untrusted non-3GPP access and 3GPP access [12]. Different handover authentication processes should be executed for different mobility scenarios. According to the 3GPP standard [12], if the target core network is 5GC, the handover procedure from a source non-3GPP access to a target 3GPP access is based on the Protocol Data Unit (PDU) session establishment procedure for the 3GPP access.
Before performing the PDU session establishment procedure for the 3GPP access, the UE needs to implement the EAP-AKA’ or 5G-AKA procedure if the UE has not been registered via the 3GPP access. The handover procedure from a source 3GPP access to a target non-3GPP access is based on the PDU session establishment for non-3GPP access. Before performing the PDU session establishment procedure for non-3GPP access, if the UE is not registered via untrusted non-3GPP access, the UE needs to execute the IKEv2 with EAP-AKA’ or 5G-AKA to achieve the authentication of UE via the non-3GPP access. If the target core network is EPC, the UE initiates the handover attach procedure for a non-3GPP access to EPS as stated in [14], [15].

B. Security Vulnerabilities

(1) Vulnerability in the 5G access procedure

Compared with the EPS-AKA, 5G-AKA [1] has some improvements. For example, the public-key cryptography technology is adopted to encrypt the Subscription Permanent Identifier (SUPI) in order to solve the International Mobile Subscriber Identification (IMSI) catching attacks. Thus, only the 5G core network can obtain the SUPI with its private key. However, there are still some vulnerabilities in 5G access processes.

1) The identifiers disclosure shall enable various privacy attacks. Although 5GS adopts temporary identifiers 5G-Globally Unique Temporary Identity (5G-GUTI) and the Subscription Concealed Identifier (SUCI) to protect the SUPI, there still exist some unsolved vulnerabilities about the identifiers. On the one hand, the temporary value 5G-GUTI, which has no change for a long time, shall also cause the same problems as the disclosure of IMSI. On the other hand, unlike LTE-A system, when the AMF sends Identity Request message to the UE, the UE shall respond with the SUCI which contains the concealed SUPI.
However, in case of an emergency situation, the UE shall still send the SUPI directly in the Identifier Response message, and the identifier confidentiality shall not be guaranteed.

2) 5G-AKA cannot avoid Denial of Service (DoS) attack. Upon receiving the Identifier Request message, the UE shall respond with the SUCI. If the rogue base station sends multiple Identifier Request messages, the UE has to consume its overheads to respond to them, and thus runs out of its resources. In addition, as shown in Fig. 3 and Fig. 4, the UE shall use 5G-GUTI or SUCI in the N1 message. If the SEAF receives a valid 5G-GUTI, the SEAF shall include the corresponding SUPI in the authentication request message. Otherwise, the SEAF will forward the SUCI. In this process, it is easy for an adversary to launch DoS attacks to the SEAF, the AUSF and UDM/Authentication credential Repository and Processing Function (ARPF)/Subscription Identifier De-concealing Function (SIDF). On the one hand, since the 5G-GUTI shall not be changed for some time, if an adversary sends previously obtained 5G-GUTIs to the SEAF, the SEAF must forward the corresponding SUPIs to the AUSF in the UE Authentication Request message and the AUSF needs to re-authenticate the SUPI. On the other hand, as shown in Fig. 3, the AUSF cannot authenticate the UE until Message 12: calculating HRES* and comparing it to HXRES*. The adversary can pose as the legitimate UE to send a fake SUCI, and thus the AUSF must check the invalid SUCI.
Based on the above two conditions, the SEAF, AUSF and UDM/ARPF/SIDF have to consume their computational, communication and storage overheads to authenticate the UE.

3) Similar to the EPS-AKA, 5G-AKA requires a strong trust relationship between the visited network and the home network. Besides, for the 5GS, the authentication processes are required not only between the visited network and the home network, but also among service parties in 5G wireless networks [17]. With the emergence of heterogeneous networks in the 3GPP 5G architecture, a complete trust relationship between them seems impossible.

4) Similar to the EPS-AKA, in 5G-AKA, all the keys that are used to protect data integrity and confidentiality are derived from the long-term secret key by using the key hierarchy as shown in Fig. 5. 5G-AKA relies on the security assumption that the long-term secret key stored in the USIM would never be disclosed to any adversary. However, it has been shown that such an assumption is not always true [18]. For example, the long-term key K may have been leaked during the production phase of the USIM card. Once obtaining the long-term secret key, it is possible for an adversary to obtain the shared key to further wiretap the communication channels, or to perform man-in-the-middle attacks, impersonation attacks and so on. Thus, the leakage of the long-term secret key would cause serious problems to the whole network [19]. 3GPP has set up a project on long-term key update to try to solve this problem, but there is no final conclusion.

5) 5G-AKA suffers from the traceability attack [16]. The AKA protocol may be subject to a traceability attack because two different types of error messages (MAC FAIL, SYNC FAIL) may be sent to the SEAF when the authentication of UE fails. In order to detect whether the UE is in a certain area, the active attacker captures a legal authentication request message (RAND, AUTN) sent to the UE and binds it to the UE.
The attacker does not need to obtain the IMSI of the UE, and only needs to replay the authentication request message containing the previously captured (RAND, AUTN) and judge whether the UE is the originally bound UE according to the type of the error message. If the attacker receives the SYNC_FAIL message, it can be determined that the UE to be tracked is in a specific area.

6) 5G-AKA/EAP-AKA’ suffers from missing key confirmation attacks [16]. In 5G-AKA/EAP-AKA’, authentication is demonstrated by the successful use of keys in subsequent procedures, which may pose two vulnerabilities. Firstly, the 3GPP committee has specified that the serving network can initiate a key change on-the-fly [1], and thus an attacker could pose as a legitimate base station or serving network to modify the session key after the execution of 5G-AKA/EAP-AKA’. Secondly, in order to prevent attackers from counterfeiting the serving network, the key KSEAF is bound to the serving network identity. However, since the key KSEAF may not be used in some special scenarios, for example, when subscribers use the presence of SNs for making sensitive decisions, it is feasible for an attacker to impersonate a legal serving network.

7) Similar to 4G-AKA, 5G-AKA is vulnerable to the TORPEDO (TRacking via Paging mEssage DistributiOn) attack [20]. Concretely, upon obtaining the victim’s paging occasion from TORPEDO, it is feasible for an attacker to hijack the victim’s paging channel and further inject fabricated, empty paging messages and thus stop the victim from receiving any pending services. In addition, by placing a sniffer in a specific area, the attacker can detect the victim’s presence in that area.

8) 5G-AKA suffers from the IMSI-cracking attack [20]. The IMSI can be represented by a 49-bit binary number, of which 18 bits are common codes, such as the country codes, and 7 bits can be calculated by TORPEDO, so that the attacker only has to guess 24 bits.
Concretely, the attacker guesses that I_guess is the victim’s identity. Firstly, the attacker encrypts I_guess with the public key of the core network and forwards it to the core network. Thus, the attacker can determine whether the identity belongs to this core network from the core network’s response message (auth_request, registration_reject). Subsequently, if an auth_request message is received, the attacker forwards it to the victim to further validate whether the identity belongs to this victim from the victim’s response message (auth_response, auth_fail). It has been shown that it takes only about 74 hours to crack the victim’s identity [20].

(2) Vulnerability in the 5G handover procedure

To prevent some malicious attacks existing in LTE handover processes, 3GPP has enhanced the 5G handover process. However, there are some security issues.

1) As shown in Fig. 7, the source gNB shall derive KgNB* from the currently active KgNB or from the NH parameter. Since the derivation function is a one-way key derivation function, even after obtaining the current KgNB, the adversary cannot obtain the previous session keys from it. Therefore, forward security can be achieved. However, since the source gNB knows the target gNB keys, once an adversary compromises the source gNB, the subsequent key KgNB* will be obtained, so backward security cannot be achieved. As stated in [1], in order to ensure backward security, an intra-gNB 5G handover process is necessary upon completing the Xn-based 5G handover process. However, it will cost a lot of communication and computational overheads.

2) Similar to the LTE handover process [21], the 5G handover process is vulnerable to the jamming attack. As shown in Fig. 7, if the adversary modifies the NH Chaining Counter (NCC) value involved in Message 3, 5 or 11, the 5G handover process between the UE and the target gNB shall fail.
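The key chaining behind items 1) and 2) can be traced in a short model. The following is an added example, not code from the survey or from 3GPP: it derives KgNB* horizontally (from KgNB) and vertically (from NH), and shows which keys a source gNB can and cannot compute and what a changed NCC does to key agreement. The HMAC-SHA-256 encoding, the FC constants, the class and function names, and all keys and cell parameters are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Assumed encoding, modelled on the generic 3GPP KDF: HMAC-SHA-256 over
# FC || P0 || L0 || P1 || L1. The page only states
# KgNB* = KDF(NH or KgNB, PCI, ARFCN-DL); the FC constants are illustrative.
FC_NH = 0x6F
FC_KGNB_STAR = 0x70


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def next_nh(k_amf: bytes, chain_value: bytes) -> bytes:
    """Next Hop value; keyed with K_AMF, which gNBs never hold."""
    return kdf(k_amf, FC_NH, chain_value)


def kgnb_star(base: bytes, pci: int, arfcn_dl: int) -> bytes:
    """Key for the target cell, from KgNB (horizontal) or NH (vertical)."""
    return kdf(base, FC_KGNB_STAR, pci.to_bytes(2, "big"), arfcn_dl.to_bytes(3, "big"))


@dataclass
class UE:
    k_amf: bytes
    k_gnb: bytes      # key currently shared with the serving gNB
    chain: bytes      # last value of the NH chain (initial KgNB while ncc == 0)
    ncc: int = 0

    def handover(self, ncc_rx: int, pci: int, arfcn_dl: int):
        """Step 7 of Fig. 7: derive KgNB* according to the NCC received."""
        if ncc_rx < self.ncc:
            return None                      # stale NCC: handover treated as failed
        vertical = ncc_rx > self.ncc
        while self.ncc < ncc_rx:             # catch up with the AMF's NH chain
            self.chain = next_nh(self.k_amf, self.chain)
            self.ncc += 1
        base = self.chain if vertical else self.k_gnb
        self.k_gnb = kgnb_star(base, pci, arfcn_dl)
        return self.k_gnb


def run_scenario() -> dict:
    # Constructed sample keys and cell parameters, not real network values.
    k_amf = hashlib.sha256(b"constructed K_AMF").digest()
    k_gnb_a = hashlib.sha256(b"constructed initial KgNB").digest()
    pci_b, arfcn_b = 101, 632000
    ue = UE(k_amf=k_amf, k_gnb=k_gnb_a, chain=k_gnb_a)

    # Messages 2-7: Xn handover A -> B. Source gNB A computes the target key
    # itself (horizontal derivation, NCC unchanged), so A knows B's key.
    k_b_from_source = kgnb_star(k_gnb_a, pci_b, arfcn_b)
    k_b_ue = ue.handover(0, pci_b, arfcn_b)

    # Messages 9-11: the AMF gives B a fresh {NCC = 1, NH}. The intra-gNB
    # handover that follows is keyed from NH (vertical derivation).
    nh1 = next_nh(k_amf, k_gnb_a)
    k_b2_target = kgnb_star(nh1, pci_b, arfcn_b)
    # The most a compromised A can compute: a horizontal step from the key it knows.
    k_b2_source_guess = kgnb_star(k_b_from_source, pci_b, arfcn_b)

    # NCC rewritten from 1 to 0 in transit: the UE derives horizontally and the
    # two sides end up with different keys, so the handover fails.
    k_b2_tampered = replace(ue).handover(0, pci_b, arfcn_b)
    k_b2_ue = ue.handover(1, pci_b, arfcn_b)
    # An older NCC arriving after the UE has moved to NCC = 1 is refused.
    stale = ue.handover(0, pci_b, arfcn_b)

    return {
        "source_gnb_knows_first_target_key": k_b_from_source == k_b_ue,
        "source_gnb_knows_second_key": k_b2_source_guess == k_b2_target,
        "ue_and_target_agree_after_nh": k_b2_ue == k_b2_target,
        "keys_agree_with_tampered_ncc": k_b2_tampered == k_b2_target,
        "stale_ncc_rejected": stale is None,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The second key is out of the source gNB's reach only because NH is keyed with K_AMF, which is why the extra intra-gNB handover restores backward security at the cost the text mentions.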
3) The 5G handover process is vulnerable to the replay attack. As shown in Fig. 7, the adversary can easily intercept Message 3: Handover Request. When a UE wants to hand over to the target gNB, the adversary sends the intercepted message to the target gNB. Then, the target gNB trusts the received message and directly uses the received KgNB* as the KgNB with the UE. In addition, the target gNB associates the received NCC with the KgNB and forwards the NCC to the UE. Since the NCC comes from the previous message and is less than the UE’s local NCC, the UE considers the handover to have failed. Thus, the handover between the UE and the target gNB shall not be established.

[Fig. 7. Xn-based 5G Handover. Message flow among UE, source gNB, target gNB and AMF: 1. Measurement Control and Reports; 2. KgNB* = KDF(NH_NCC, PCI, ARFCN-DL) or KgNB* = KDF(KgNB, PCI, ARFCN-DL); 3. Handover Request (KgNB*, NCC); 4. store (KgNB*, NCC); 5. Handover Request Acknowledge (NCC); 6. Handover Command (NCC); 7. derive KgNB*; 8. Handover Confirm; 9. Path Switch Request; 10. NCC+1, NH_NCC; 11. Path Switch Request Ack ((NCC, NH), optional NSCI); followed by an intra-gNB handover.]

4) In order to provide ultra-high throughput and facilitate access for a massive number of devices, small cells are deployed [22]. Thus, users and different access points in 5G need to perform more frequent mutual authentications than before [23], [24], so that users cannot feel that they are switching from one cell to another.
However, the 5G handover procedure and the 5G handover key management mechanism will increase the handover complexity when they are applied to the above scenarios. Besides, since the authentication server is often located far away from the small cells, the handover delay between the small cells and the authentication server may be too large to meet the low latency requirement of 5G [23].

5) With the advent of high-speed mobile devices in 5G networks, the handover authentication process is rather complex. Because of the deployment of small cells, if the UE’s velocity is very high, the UE will rapidly leave one small cell and switch to another. Under this circumstance, the measurement control and report process shown in Fig. 7, which does not consider the high speed of the UE, adds a lot of useless overheads [25].

C. Security Solution

In this section, we will review some existing solutions to the above issues.

(1) Security in the 5G access procedure

A USIM compatible 5G-AKA protocol has been proposed in [26]. In this scheme, since the Diffie-Hellman (DH) key exchange protocol is embedded in the 5G-AKA protocol, the generation of the session key depends not only on the long-term secret key, but also on the ephemeral DH parameters. Even if the long-term secret key is compromised, it is infeasible for an adversary to obtain the shared key. Thus, this scheme can achieve Perfect Forward Secrecy (PFS) and resist passive attacks simultaneously. However, with the use of the DH algorithm, it costs some computational and communication overheads for resource-limited mobile devices. Similar to the scheme in [26], a single novel scheme in [18] can also accomplish PFS. The scheme in [18] can withstand identifier disclosure by encrypting the identifiers with the encryption key, and replay attacks by using a one-time random number and a Message Authentication Code (MAC).
Additionally, in this scheme, the two different authentication failure messages (MAC_FAIL, SYNC_FAIL) are sent to the SEAF with the same format and are encrypted with the encryption key KE calculated from the DH key. Thus, this scheme can avoid traceability attacks. A blockchain-based anonymous access scheme for 5G networks is introduced in [27]. By introducing the blockchain-based distribution trust architecture in the access process, the scheme can save a large amount of signaling and connection costs. Moreira et al. [28] propose a cross-layer authentication scheme for ultra-dense 5G HetNets based on channel information and the EAP-AKA protocol. In this scheme, when a UE wants to access the network, the EAP-AKA authentication protocol is first adopted to perform the initial authentication. After the initial authentication is completed successfully, the physical layer authentication scheme in [29] is employed. By this mechanism, the scheme in [28] can reduce the time delay and computation complexity and satisfy the strong security requirement. A lightweight authentication scheme for 5G networks is proposed in [30]. Combining traditional lightweight authentication with the cross-layer access authentication mechanism, the scheme can achieve fast authentication and minimize the packet transmission overheads without compromising the security requirements. An access control scheme based on a Simple Public Key Infrastructure (SPKI) certificate is presented in [31] on a multilayer communication architecture designed for 5G networks. In this scheme, taking advantage of the Zero Knowledge Proof (ZKP) scheme in [32], the verifier signs the authorization certificate and sends it to the device. Then, the device uses the certificate to perform mutual authentication with the network. However, the scheme in [31] brings a lot of computational, communication and storage costs due to the use of the certificate.
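The countermeasure attributed to [18] above, one failure format encrypted under KE, can be checked against the traceability problem of item 5) with a small model. This is an added example, not code from [18] or from the survey: the simplified AUTN, the HMAC stand-in for f1, the toy stream cipher, the wire format and every name and key in it are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

HEADER_LEN = 10  # fixed-width cleartext message type (constructed wire format)


def f1(k: bytes, rand: bytes, sqn: int) -> bytes:
    """Stand-in for the AKA MAC function f1 (HMAC-SHA-256, truncated)."""
    return hmac.new(k, rand + sqn.to_bytes(6, "big"), hashlib.sha256).digest()[:8]


def make_challenge(k: bytes, sqn: int):
    """Home-network side. AUTN is simplified to (SQN, MAC); SQN concealment is omitted."""
    rand = os.urandom(16)
    return rand, (sqn, f1(k, rand, sqn))


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for a real authenticated cipher."""
    stream = hmac.new(key, nonce, hashlib.sha256).digest()[: len(data)]
    return bytes(a ^ b for a, b in zip(data, stream))


class BaselineUE:
    """Failure cause is sent in the clear, the behaviour item 5) describes."""

    def __init__(self, k: bytes, sqn: int):
        self.k, self.sqn = k, sqn

    def check(self, rand: bytes, autn) -> str:
        sqn, mac = autn
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn)):
            return "MAC_FAIL"        # challenge was not built for this subscriber
        if sqn <= self.sqn:
            return "SYNC_FAIL"       # right subscriber, but the SQN is stale
        self.sqn = sqn
        return "AUTH_RESP"

    def respond(self, rand: bytes, autn) -> bytes:
        return self.check(rand, autn).encode().ljust(HEADER_LEN, b"\0")


class UniformFailureUE(BaselineUE):
    """Both failure causes share one format and are encrypted under KE."""

    def __init__(self, k: bytes, sqn: int):
        super().__init__(k, sqn)
        # Assumption: KE is already shared with the network. [18] derives it
        # from a DH exchange; here it is a constructed per-subscriber value.
        self.ke = hashlib.sha256(b"KE" + k).digest()

    def respond(self, rand: bytes, autn) -> bytes:
        status = self.check(rand, autn)
        if status == "AUTH_RESP":
            return status.encode().ljust(HEADER_LEN, b"\0")
        nonce = os.urandom(16)
        body = keystream_xor(self.ke, nonce, status.encode().ljust(HEADER_LEN, b"\0"))
        return b"AUTH_FAIL".ljust(HEADER_LEN, b"\0") + nonce + body


def network_read_cause(ke: bytes, msg: bytes) -> str:
    nonce, body = msg[HEADER_LEN:HEADER_LEN + 16], msg[HEADER_LEN + 16:]
    return keystream_xor(ke, nonce, body).rstrip(b"\0").decode()


def observer_view(msg: bytes):
    """What a party without KE learns: the cleartext header and the length."""
    return msg[:HEADER_LEN], len(msg)


def _two_ues(ue_cls):
    # Constructed long-term keys for two subscribers, both at SQN 5.
    k_bound = hashlib.sha256(b"constructed K, bound UE").digest()
    k_other = hashlib.sha256(b"constructed K, other UE").digest()
    bound, other = ue_cls(k_bound, 5), ue_cls(k_other, 5)
    rand, autn = make_challenge(k_bound, 6)
    bound.respond(rand, autn)        # genuine run, accepted; the bound UE's SQN advances
    return bound, other, rand, autn


def replay_is_linkable(ue_cls) -> bool:
    """True if replies to a repeated challenge separate the bound UE from others."""
    bound, other, rand, autn = _two_ues(ue_cls)
    return observer_view(bound.respond(rand, autn)) != observer_view(other.respond(rand, autn))


def causes_seen_by_network():
    """The network, holding KE, still recovers the real cause for each UE."""
    bound, other, rand, autn = _two_ues(UniformFailureUE)
    return (network_read_cause(bound.ke, bound.respond(rand, autn)),
            network_read_cause(other.ke, other.respond(rand, autn)))
```

The check compares message type and length only; differences in response timing are outside this model.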
For the scheme in [33], the UE first collects physical information and generates the fingerprint parameters, which are used to randomize the parameters used in the AKA protocol. Subsequently, with the aid of the fingerprint parameters, an enhanced AKA protocol is performed. Since the fingerprint parameters are used to disguise the important parameters in the handover authentication scheme, the scheme can avoid man-in-the-middle attacks, impersonation attacks and so on. Besides, the author introduces the concept of the radio trusted zone database, and thus the computation complexity can be largely reduced. Basin et al. [16] propose two simple solutions in order to withstand the missing key confirmation attacks in 5G-AKA. Firstly, a MAC with a key derived from KSEAF can be added at the very end of the protocol. Secondly, by binding AUTN to the SN identity, subscribers can acknowledge that the HN has committed to a specific SN identity without using KSEAF.

(2) Security in the 5G handover procedure

In order to achieve secure and efficient handover authentication for 5G networks, a large number of handover authentication schemes have been proposed. For the scheme in [23], a UE switches from the source cell to the target cell with the help of an Authentication Handover Module (AHM), which is installed in the SDN controller and can monitor and predict the location of users.
Since the AHM can prepare the relevant cells before the UE arrives and the relevant cells can also prepare resources for the UE in advance, this handover scheme could greatly reduce handover latency. Besides, since the UE and the cells are always under the supervision of the AHM, this scheme could avoid impersonation and MitM attacks. For the scheme in [34], similar to the handover scheme in [23], the weighted Secure-Context-Information (SCI), including several attributes, is introduced to achieve fast authentication in 5G networks. When performing the handover authentication, instead of using a complex and forgeable cryptographic exchange mechanism, the SDN controller compares the attributes matrix observed through zero-mean white Gaussian noise with the validated original SCI attributes matrix, and obtains the offset. Then, the SDN controller compares each attribute with the threshold. If the difference between them is less than the threshold, the authentication succeeds. Otherwise, the authentication fails. In this way, this scheme can significantly reduce handover latency. However, they ignore the impact on the latency due to false alarms [35]. For the scheme in [25], in order to minimize the number of handovers (HOs) and reduce the energy consumption, the author introduces a new handover self-optimization algorithm. In this algorithm, the velocity of the UE is added as a measurement parameter to select the appropriate target cell. Concretely, high speed UEs can only be authorized to connect to the high loaded macrocells, while low speed UEs shall be directed to high loaded femtocells. This algorithm could greatly reduce the energy consumption. However, the algorithm only considers the measurement process during the whole handover procedure.
For the scheme in [36], similar to the scheme in [25], the author also proposes a cell selection scheme based on the moving direction and velocity of the UE, and the relative position between the UE and the candidate connecting cells. In this scheme, a negative offset is assigned to candidate connecting cells located in the opposite direction of the moving UE, which makes it difficult for the UE to connect to those cells and reduces the number of handovers compared with the traditional power detection scheme. For the scheme in [37], the author achieves handover authentication with the assistance of the nonparametric Kolmogorov-Smirnov (K-S) test. During the authentication process, the K-S test is performed on each available physical layer attribute and then the final decision depends on the voting scheme. Since the K-S test does not require complicated calculation, the scheme could reduce computational and storage overheads. However, the security property of this scheme has not been demonstrated, although the author claims that it can provide reliable security performance. For the scheme in [38], the authors propose an SDN-based handover cell selection scheme. The SDN controller first collects the necessary information, such as the user movement information, for the cell calculation. Subsequently, when performing the handover authentication process, the SDN controller selects the optimal cell by linear programming and allocates a channel for the selected cell in advance. In this way, the scheme can significantly reduce the overhead and meet the requirement of the 5G network for a delay time of less than 1 millisecond (ms). For the scheme in [39], the idea of integrating fog computing into the handover scheme is discussed. In this scheme, with the assistance of Fog-computing Access Points (F-APs) with certain caches, users do not need to connect to the core network every time, which can largely reduce the handover signalling cost.
For the schemes in [23], [34], [37], [38], since SDN is adopted to monitor and control devices, once the SDN is compromised, the whole network will crash. Finally, we give two comparisons of the aforementioned 5G access and handover security schemes in Table II and Table III, respectively, which show which technologies each scheme employs to solve the above issues, and what security flaws still exist in it.

D. Open Research Issues

On the aspects of 5G access and handover security, there are still a lot of issues to be researched in the future.

(1) The 5G-AKA scheme needs to be further improved to withstand several protocol attacks, including identifier disclosure, traceability attacks, DoS attacks and so on, and to satisfy the QoS requirements of different 5G applications. In addition, the 5G access authentication process should resist attacks caused by the disclosure of the secret keys. The schemes in [26] and [18] have adopted the DH algorithm to avoid this vulnerability. However, with the use of the DH algorithm, they incur some extra computational and communication overheads compared with the conventional one, which may not suit lightweight devices.

(2) The handover authentication procedures need to be further improved to withstand several protocol attacks such as jamming attacks, replay attacks and so on, and to meet the low latency requirement of 5G HetNets. Some handover authentication schemes have been proposed in [23], [25], [34], [36]–[39] to meet the requirements. However, since the SDN technique is adopted in the schemes in [23], [34], [37], [38] to monitor the devices, once the SDN is compromised, the whole network will crash. In addition, these proposed schemes cannot be applied to all scenarios in the 5G system, especially high-speed rail networks and satellite-terrestrial integration networks in the 5G environment.
For the high-speed rail networks and satellite-terrestrial integration networks in the 5G environment, many UEs on the train or on land have to perform fast handover simultaneously to meet the users’ low latency requirements. If these existing schemes are adopted, a large amount of handover overhead may be incurred in an instant when the train or satellite is moving quickly. This is serious in the ultra-dense scenario.

TABLE II
COMPARISON OF RELATED SCHEMES IN THE 5G ACCESS FIELD.

| Scheme | Technologies | Issues Solved | Security Flaws |
|---|---|---|---|
| [26] | Embed DH key exchange into 5G-AKA | Achieve perfect forward secrecy and protect against passive attackers | Incur some computational and communication overheads |
| [18] | Embed DH key exchange into 5G-AKA, public key encryption algorithms, one-time random number and MAC, authentication failure message using the same format and symmetric encryption | Achieve perfect forward secrecy, withstand privacy attacks, replay attacks, and traceability attacks | Incur a lot of computational and communication overheads |
| [27] | Blockchain-based distribution trust architecture, public key encryption algorithms | Save signaling and connection costs, and achieve anonymity | Lack of the consideration for other security features |
| [28], [30] | Cross-layer authentication by integrating the EAP-AKA and physical layer authentication mechanism | Reduce the computation complexity and satisfy the strong security requirement | Require additional physical layer authentication |
| [31] | Simple PKI certificate and ZKP | Achieve mutual authentication | Incur a lot of computational, communication and storage costs |
| [33] | Enhance AKA protocol with the channel-based fingerprinting parameters | Avoid man-in-the-middle attacks, replay attacks, impersonation attacks, reduce computation complexity | Require fingerprinting database and lack of privacy protection mechanism |
| [16] | Add a MAC and bind AUTN to SN identity in 5G-AKA | Avoid missing key confirmation attacks | Cannot withstand other attacks in 5G-AKA |

TABLE III
COMPARISON OF RELATED SCHEMES IN THE 5G HANDOVER FIELD.

| Scheme | Technologies | Issues Solved | Security Flaws |
|---|---|---|---|
| [23] | SDN controller monitors and predicts the location of users | Greatly reduce handover latency, avoid impersonation and MitM attacks | Require the assistance of SDN and the current base station |
| [34] | Utilize secure-context-information and compare the observed attributes matrix | Greatly reduce handover latency | Ignore the impact on the latency due to false alarms |
| [25] | Select the appropriate base station based on the UE’s velocity | Greatly minimize the number of handovers and reduce the energy consumption | Only focus on the measurement process during the whole handover procedure |
| [36] | Select the appropriate base station based on the UE’s moving direction and velocity, and the relative position between the UE and the candidate connecting cells | Greatly reduce the number of handovers | Only focus on the measurement process during the whole handover procedure |
| [37] | Kolmogorov-Smirnov test | Reduce computational and storage overheads | Lack of consideration for handover security |
| [38] | SDN controller selects the optimal cell by linear programming and allocates a channel in advance | The delay time is less than 1 ms | Lack of consideration for handover security |
| [39] | Employ Fog-computing Access Points with certain caches | Largely reduce the signalling cost of handovers | Lack of consideration for handover security |

IV. SECURITY IN IOT

A. Introduction on 3GPP 5G IoT

IoT’s wireless communication technologies are mainly divided into two categories: one is Zigbee, WiFi, Bluetooth, Z-wave and other short-range communication technologies; the other is Low-Power Wide-Area Network (LPWAN), which is a wide area network communication technology. LPWAN can be divided into two categories: one works on unlicensed spectrum, such as LoRa, SigFox, etc., and the other is based on 2/3/4G cellular communication technologies, such as EC-GSM, LTE Cat-m, NB-IoT, etc., which are supported by 3GPP and operate under licensed spectrum. 3GPP mainly designed three IoT-related standards: LTE-Machine (LTE-M), Extended Coverage Global System of Mobile Communication (EC-GSM) and NB-IoT. Since EC-GSM is based on the evolution of the GSM system, we do not consider this situation here. The LTE-Machine-to-Machine (LTE-M) is viewed as the Low-Cost MTC or MTC system in R12, and the enhanced MTC (eMTC) system in R13, which is designed to meet the needs of IoT devices based on existing LTE carriers. The NarrowBand Internet of Things (NB-IoT) system is a new air interface technology proposed by the 3GPP for the IoT. Fig. 8 details the classification and evolution of the IoT system.

[Fig. 8. 3GPP IoT System Evolution Process. Short-range communication (Zigbee, WiFi, Bluetooth, ...) and LPWAN; LPWAN on unlicensed spectrum and on authorized spectrum (LTE-M, NB-IoT, EC-GSM); LTE-M from R12 MTC to R13 eMTC.]

For the 3GPP 5G IoT, we mainly take the security of the eMTC system and the NB-IoT system into consideration in this paper. Compared with the NB-IoT system, the eMTC system is weaker in device coverage and module cost, but it has advantages in peak rate, certain mobility and the support of the high voice (VoLTE).

[Fig. 9. eMTC system architecture. (a) eMTC device and server communication architecture; (b) eMTC device and device communication architecture.]

[Fig. 10. NB-IoT network optimization solutions.]

As shown in Fig. 9, the eMTC architecture is mainly composed of three parts: the eMTC device domain, the eMTC network domain and the eMTC application domain. The eMTC device can connect to the core network via the radio access network through a gateway and communicate with one or more eMTC servers via the 5G network.
3GPP has defined two communication scenarios for the eMTC system [40]: communication between the eMTC device and the server, and communication between eMTC devices without the involvement of the eMTC server in the network. Here, the AMF represents the core network [1] and mutually authenticates the eMTC device by the use of EAP-AKA’ or 5G-AKA to implement secure communication between the eMTC device and the eMTC server. Until now, the 3GPP committee has not yet proposed an effective way to establish secure communication between two eMTC devices.

The NB-IoT has become an important branch of the Internet of Everything. NB-IoT consumes only about 180 kHz of bandwidth and can be deployed directly on GSM networks, UMTS networks or LTE/LTE-A networks to reduce deployment costs and achieve a smooth upgrade. Different from the current eMTC system, the NB-IoT system is mainly suitable for IoT scenarios with set locations or relatively low speed and low mobility. In addition, the number of NB-IoT devices is much higher than that of eMTC devices, and these large numbers of NB-IoT devices present a “bursty” network access feature with its extremely low latency. The current NB-IoT system is mainly carried under the LTE-A network. According to the 3GPP plan, in the first phase of 5G, the new radio access network NR will coexist with the LTE-A access network, and both of them share the EPC. Therefore, we can use the LTE-A network architecture as a 5G architecture to study the NB-IoT system. In the NB-IoT system, each NB-IoT device uses the EPS-AKA protocol to implement the authentication process through the radio access network NR and the core network.
In order to better meet the low-frequency and delay-insensitive IoT services and adapt to the data transmission characteristics of NB-IoT, the NB-IoT system in the 5G core network has been optimized and enhanced in terms of data transmission, power optimization, protocol optimization, and service capabilities. Specifically, the 3GPP committee has proposed the following two NB-IoT network optimization solutions [41]: the “Control Plane Optimized Transmission Scheme” (CP) and the “User Plane Optimized Transmission Scheme” (UP), as shown in Fig. 10, where the “Control Plane Optimized Transmission Scheme” must be supported, and the “User Plane Optimized Transmission Scheme” can be optionally supported. The CP is mainly used to support small IP or non-IP data transmission in NB-IoT scenarios. By the CP, Non-Access Stratum (NAS) Protocol Data Units (PDUs) are used to send some small IP data or non-IP data without establishing Data Radio Bearers (DRBs) and S1-U bearers in the Radio Resource Control (RRC) connection request process. The data transmission path in the CP can be divided into two parts: (1) transmitted to the User Plane Function (UPF) through the Session Management Function (SMF) and then transmitted to the application server; (2) transmitted to the application server through the Service Capability Exposure Function (SCEF) Server, a path that only supports non-IP data transmission. By the UP, an RRC connection suspension state and an RRC connection recovery state are introduced. When the terminal enters the idle state, the network side still maintains relevant information of the terminal so that the terminal can quickly reconnect. This solution is mainly applicable to support multiple QoS services in NB-IoT scenarios.

B. Vulnerability in IoT security mechanism

At present, the IoT system has been widely deployed on the LTE/LTE-A network, but the deployment of the IoT system in the 5G network is still in its infancy and research stage.
Most of the devices are more vulnerable to threats and attacks than those in traditional wireless networks because of their limited resources, dynamic topology changes, complex network environments, data-centricity, and close correlation with applications. The existing standards and related papers mainly focus on the network architecture, performance and QoS of the IoT system [42]–[44], where security issues have not been highlighted. There are a series of security vulnerabilities in the IoT system in the future 5G network.

(1) The IoT system lacks an efficient mutual authentication mechanism for mass devices. Ericsson predicts that the number of connected devices will increase to nearly 28 billion by 2021 [45]. Once these large-scale connected IoT terminals are controlled by opponents or attackers, it may cause a serious adverse effect on the normal operation of 5G networks. If each message of each device needs to be separately authenticated, it may consume a lot of network resources. In the 4G network standard, this problem of massive device authentication is rarely considered. Once the number of authentication request messages received by the network exceeds the processing capability of the network signaling resources, it will trigger a signaling storm, and thus result in network service failure. In serious cases, it may cause the malfunction and collapse of the entire mobile communication system.

(2) The IoT system is vulnerable to security attacks in the process of sensitive data transmission.
In the scheme in [21], the relevant researchers pointed out that there are multiple security vulnerabilities in the traditional EAP-AKA’ protocol, such as user identity privacy protection, MitM attacks and simulated attacks. In addition, the scheme in [46] pointed out that an attacker can affect data integrity by modifying stored data in IoT devices for malicious purposes.

(3) The IoT system is vulnerable to many types of DoS attacks [46]. DoS attacks may hinder the provision of normal services to IoT devices. For example, in sinkhole attacks, an attacker can lure normal data into a malicious node. Once the data passes through this node, the node tampers with the normal data to achieve the purpose of the attacks. In addition, the attacker can repeatedly send a valid data transmission maliciously or fraudulently, which causes the server to crash. This series of DoS attacks will worsen the QoS of IoT users.

C. IoT Security Solution

For the access authentication and data transmission problems of the sea of IoT terminals in the future 5G network, if each IoT device still employs the EAP-AKA’ or 5G-AKA method to implement device authentication, a large amount of signaling and communication overhead will be generated. In the future 5G network, massive numbers of devices accessing the network at the same time is still a key issue in the IoT system. In order to solve this problem, related researchers have proposed a series of solutions. First, in the traditional LTE system, some group handover authentication schemes have been proposed [47]–[51]. These schemes construct device groups and then perform handover authentication in the form of groups, which greatly reduces signaling overhead. However, most of these schemes bring a lot of computational overheads by using asymmetric cryptography. Moreover, the schemes proposed in [49] and [51] cannot achieve mutual authentication. Therefore, they are not applicable to the IoT system of the future 5G network. In addition, relevant researchers have proposed some group-based access authentication schemes [52]–[54]. With these schemes, a large number of devices form device groups and select group leaders. When a device group is connected to the network, the group leader aggregates all of the access request messages from the group members into a single group access request message and sends it to the network. Then, the network can verify the device group by means of the aggregated signature generated by the group leader or the Aggregate Message Authentication Code (AMAC). These schemes significantly reduce signaling overhead and communication overhead. However, these schemes incur a lot of computational overheads due to the use of public key cryptography and there are many security vulnerabilities, such as internal forgery attacks, DoS attacks, lack of identity privacy protection, and so on. In the 5G network, relevant researchers have also proposed some solutions to solve this problem. Cao et al. [55] proposed a simple and secure group-based handover authentication scheme for mass devices based on multi-signature and AMAC technology. This scheme can achieve mutual authentication between a large number of devices and the network simultaneously, provide strong security protection including privacy protection, and greatly reduce signaling congestion. Subsequently, the scheme in [56] proposed a fast authentication and data transfer protocol for the NB-IoT system based on the certificateless aggregation signcryption scheme. The scheme not only greatly simplifies the authentication process, but also greatly reduces the network burden and has powerful security, such as the privacy and non-repudiation of user identity. However, the schemes in [55] and [56] may bring a lot of computational costs due to the use of public key cryptography, including the aggregate signcryption scheme and the multi-signature scheme. In addition, these schemes are still under an evolved LTE system and not a future 5G architecture, so they are not suitable for IoT systems in future 5G networks. As shown in Table IV, we compare the above relevant schemes in the IoT field in terms of the technology involved in the scheme, the problems solved by the scheme, and the remaining security issues.

D. Open Research Issues

According to the above analysis, the IoT application is one of the main axes of 5G technology targeting. However, there are still many security challenges for the security aspects of IoT in 5G networks. Here we present some promising research directions related to 5G IoT.

(1) An effective access authentication scheme that avoids signaling congestion is needed when a sea of IoT devices connect to the network at the same time. In the future 5G network, even more than 1 million IoT devices will access the network with lower power consumption. In addition, the battery life of these networked terminals can also last for 5 to 10 years. In such a case, when a large number of IoT devices simultaneously send messages to the network, the EAP-AKA’ or 5G-AKA access authentication method is still used by each IoT device in the traditional 5G network. The AMF and AUSF located on the network side may suffer signaling overload and thus cannot provide services for a large number of IoT devices. Therefore, how to design an effective and secure group-based access authentication scheme for mass IoT device connections remains a key issue in 5G networks.

(2) A secure handover authentication mechanism is required for eMTC devices supporting mobility. At present, there is no related research work to deal with the handover authentication problem of massive IoT devices in the 3GPP 5G network architecture.
Due to the heterogeneous convergence and ultradense characteristics of 5G networks, how to provide a handover security method for these devices is a challenging task when massive eMTC devices with high-speed mobility move from one cell to another at the same time. (3) End-to-end security mechanisms for eMTC devices are required. In the future 5G network, communication between two devices is likely to become the main communication method. Therefore, 5G networks need to provide end-to-end 1553-877X (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/COMST.2019.2951818, IEEE Communications Surveys & Tutorials 12 TABLE IV C OMPARISON Scheme Technologies [47] [50] Group-based handover authentication, the multi-signature and aggregate message authentication codes [48] Group-to-Route handover authentication, trajectory prediction, handover ticket mechanism [49] Group-based handover authentication, symmetric cryptography and MAC [51] proxy re-encryption mechanism [52] Group-based access authentication, aggregate signature technology [53] Group-based access authentication, the secret share scheme and DH key agreement protocol [54] Group-based access authentication, aggregate message authentication code [55] Group-based handover authentication and re-authentication for massive MTCDs, aggregate message authentication code [56] Group-based access authentication and data transmission, certificateless aggregation signcryption technique OF RELATED SCHEMES IN THE I OT FIELD Issues Solved Achieve mutual authentication between a lot of MTC devices (MTCDs) and eNBs simultaneously, reduce signaling overhead Achieve mutual authentication between a 
lot of MRNs in the same train and eNBs simultaneously in high speed rail networks, reduce signaling overhead and computational cost achieve the anonymity handover key establishment between a lot of MTCDs and eNBs, reduce signaling overhead Achieve secure handover session key establishment between each on-board UE and the eNB in high speed rail networks, ensure PFS and PBS, resist against the desynchronization attack Achieve mutual authentication between multiple MTCDs and MME simultaneously, reduce signaling overhead and avoid signaling congestion, support dynamic group member management Achieve mutual authentication between multiple MTCDs and MME simultaneously, reduce signaling overhead Achieve mutual authentication between multiple MTCDs and MME simultaneously reduce signaling cost and avoid signaling congestion Achieve mutual authentication between multiple MTCDs and MME or AAA server simultaneously when handover happens between LTE-A network and WLAN reduce signaling overhead and achieve identity privacy protection, support dynamic group member management Achieve mutual authentication and secure data transmission between multiple NB-IoT devices and MME simultaneously, simplify the authentication process security mechanisms for Machine-to-Machine (M2M) communication between eMTC devices. Further network modifications and optimizations are required to address new threats in order to optimally integrate M2M communications into 5G networks. (4) It is necessary to ensure the confidentiality and integrity of sensitive data during high-speed transmission. Extremely high speed, extremely large capacity, and extremely low latency are the distinguishing features of the future 5G network. The transmission rate of the 5G network is 10 to 100 times higher than that of the 4G network. 
How to design the lightest weight security protection mechanism while ensuring the confidentiality and integrity of sensitive data from massive IoT devices in such a fast transmission process is a major challenge in the future 5G network. Security Flaws Incur a lot of computational overheads and bandwidth consumption Incur a lot of storage overheads and communication costs Lack of mutual authentication can not withstand protocol attacks Incur a lot of computational overheads Lack of mutual authentication can not resist against several protocol attacks Incur a lot of computational costs, lack of identity privacy protection can not resist against protocol attacks Incur a lot of computational costs, lack of identity privacy protection can not resist against protocol attacks Lack of identity privacy protection can not resist against inter forgery attacks and DoS attacks, lack of group member management Incur a lot of storage costs and bandwidth consumptions Incur a lot of computational costs and it is not feasible for NB-IoT devices V. S ECURITY IN D2D A. Introduction on 3GPP D2D Device-to-Device (D2D) communication technology, viewed as a direct communication technology between two devices, can be closely integrated with 5G networks to reduce the load on the base station. D2D communication can reduce the end to end latency, increase the system capacity, and achieve the design goals of 5G networks. It can also be applied to 5G IoT networks to provide them with new communication methods and achieve better performance. D2D technology can work in the licensed and unlicensed spectrum compared to the 5G IoT, which has a better security and is easier to manage. The 3GPP has conducted a series of studies on the D2D technology and mainly discussed the security aspects and radio aspects [57]–[59]. As shown in Fig. 
11, the D2D communication scenarios can be divided into the following three types: coverage, enhanced coverage (relay coverage) and out of coverage under the 5G architecture, which are labeled with “1”, “2”, “3”, respectively.

Fig. 11. D2D communication scenarios under the 5G architecture.

The commercial D2D network is presented as shown in the scenario “1”, which can be further divided into the following five scenarios: (1) both devices are served by the same Home Network (HN), which subscribe to the same HN; (2) both devices are served by the same Visiting Network (VN), which subscribe to the same HN; (3) both devices are served by the same VN, which subscribe to different HNs; (4) two devices are served by the different VNs, respectively, which subscribe to the same HN; and (5) the two devices are served by the different VNs and registered by different HNs. The public-safety D2D network is deployed as shown in the scenarios “2” and “3”, which aims to provide reliable communication services to the users located outside of the coverage area of the gNB. This network can be applied to the cases of emergency and disaster. The public-safety D2D can be further classified into autonomous D2D and eNB-controlled D2D.
In the public safety scenarios, the 3GPP committee has proposed the Group Communication Service (GCS) to distribute content from a device to multiple devices, which plays a major role in 5G D2D networks.

As shown in Fig. 11, D2D communication presents a hybrid architecture in which the distributed and centralized methods are coupled together. Therefore, it is very vulnerable to multiple security threats and privacy threats from the cellular and ad-hoc networks. Due to the wireless communication characteristics of D2D, it may incur a lot of air interface attacks, such as Denial of Service, counterfeiting, network traffic manipulation, Man-in-the-Middle attack, and so on. The 3GPP committee has described the security threats and requirements for the D2D communication [1], [57], [60]. However, there is no related solution in current 3GPP standards.

B. Security Requirement in the D2D Communication

For the major scenarios and procedures of D2D communication, the security mechanisms should be designed to meet the following specific requirements.

(1) Secure and effective device discovery. The D2D communication is initiated by the device discovery process. However, there is still no definitive solution or standard mechanism for device discovery. The 3GPP committee has put forward the following requirements for the open device discovery procedure and the restricted procedure, such as resisting against the replay and impersonation attacks for the ProSe open discovery, resisting against the tracking attacks, supporting the integrity protection, confidentiality protection and identity privacy protection on the air interface [60], [61].

(2) Confidentiality and integrity protection during the data transmission process. It is required to achieve the mutual authentication between two D2D UEs to prevent the occurrence of pseudo base stations. The effective session key agreement and management mechanism can further be used to protect the data security.
In addition, D2D relay communication is an inevitable mode in D2D communication. It can extend the coverage of cellular networks and improve the quality of service at the cellular edge. However, the intermediate nodes involved may bring some risks to the integrity and confidentiality of the data.

(3) Continuous seamless secure data transmission in D2D roaming scenarios. The future 5G wireless network is designed as an ultra-dense Heterogeneous Network (HetNet) with a reduced cell radius. The introduction of D2D communication technology in the 3GPP 5G HetNet can effectively offload the bearer network traffic of the base stations and achieve the seamless coverage of signals. However, D2D communication is easily subject to various passive or active attacks in 3GPP 5G HetNet due to the connections directly established between the proximity devices. In addition, roaming or non-roaming D2D direct communication will be executed in several distinct application scenarios, where different scenarios require complex and diverse communication methods in 3GPP 5G HetNet, such as the D2D communication between two roaming devices that belong to different home networks and access the same visited network via different access technologies. Different security mechanisms employed in different application scenarios may increase the system complexity. Clearly, current access authentication methods under the 5G architecture such as EAP-AKA’ and 5G-AKA are not suitable for such scenarios. Therefore, more efficient mutual authentication and handover authentication mechanisms are required between D2D UEs because of frequent handovers and the integration of distinct wireless access networks in 3GPP 5G HetNet.

(4) Secure group communication and fine-grained access control of devices on the ProSe server.
With the rapid increase in the number of mobile intelligent terminals, a large number of devices construct a device group and adopt the group communication mode to reduce the communication costs and computational costs. Group communication is an important application scenario for efficient content sharing in D2D communication. For the D2D group communication, problems such as secure group establishment and batch verification need to be studied. At the same time, the 3GPP committee in [62] has pointed out that it is necessary to address the following key issues, including securely adding and removing group members, transmitting group member identification securely and secure group key update. In addition, a UE using GCS may be a member of multiple groups and may communicate with multiple groups at the same time. Therefore, how to protect the content security and identity privacy between different groups becomes a significant issue in 5G D2D group communication. There is still no solution designed for the D2D group communication to meet the requirements defined in [62].

(5) Privacy-preserving in several different D2D communication scenarios. The device needs to broadcast its location and identity to the other device or the network in the device discovery, resource allocation and source routing processes, which causes privacy leak threats.
In addition, D2D technology can be widely used in many application scenarios, such as location-based services, content sharing services, and local advertising businesses, etc. For these complex application scenarios, more security requirements are introduced into D2D communication, such as privacy preserving. The ProSe-based D2D communication may cause some privacy issues, such as location privacy and device privacy. Nevertheless, the current solutions and standards do not take these points into consideration, which brings more security loopholes. What’s more, the privacy protection may conflict with the security requirements because the hiding of information may cause difficulties for the authentication.

C. Security Solutions

For the secure D2D communication and various application scenarios, the following methods are proposed to solve the loopholes mentioned above. Xie et al. [63] employed acoustic waves to solve the device discovery between two devices. The scheme accomplishes bidirectional initial authentication by calculating the physical response interval between two devices and designs a novel coding scheme for achieving the key agreement between two devices. However, the scheme cannot achieve strong security and identity privacy protection. Chao et al. [64] have proposed a bio-inspired distributed D2D discovery and synchronization algorithm. However, this approach is not efficient for large-scale networks and does not consider the mutual authentication, key agreement, and energy efficiency issues. Huang et al. [65] proposed a distributed synchronization device discovery mechanism. By the scheme, the neighboring devices can form a synchronization group, and then they can announce their existence one by one. This scheme can shorten the discovery time but has a high probability of signaling collision and does not involve the D2D security.
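Requirement (1) of Section V-B asks that discovery resist replay and impersonation. The following Python sketch is an added example (not taken from the survey, the cited schemes or any 3GPP specification) of a receiver-side check with those two properties; the message layout, the 8-byte truncated HMAC-SHA256 MIC, the 2-second freshness window and all names are assumptions, and the key, code and timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

MAX_SKEW = 2   # assumed freshness window in seconds (hypothetical value)
MIC_LEN = 8    # assumed length of the truncated HMAC-SHA256 tag, in bytes


@dataclass(frozen=True)
class Announcement:
    code: bytes     # discovery code broadcast by the announcing UE
    counter: int    # time-based counter (whole seconds) set by the sender
    mic: bytes      # message integrity code over code and counter


def compute_mic(key: bytes, code: bytes, counter: int) -> bytes:
    # Length-prefix the code so two different (code, counter) pairs can
    # never serialise to the same byte string.
    data = struct.pack(">H", len(code)) + code + struct.pack(">Q", counter)
    return hmac.new(key, data, hashlib.sha256).digest()[:MIC_LEN]


def make_announcement(key: bytes, code: bytes, now: int) -> Announcement:
    return Announcement(code, now, compute_mic(key, code, now))


@dataclass
class Verifier:
    keys: dict                               # code -> key provisioned out of band
    seen: set = field(default_factory=set)   # (code, counter) pairs accepted recently

    def check(self, msg: Announcement, now: int) -> str:
        key = self.keys.get(msg.code)
        if key is None:
            return "reject: unknown code"
        # Check the MIC before anything else, so that unauthenticated
        # input never reaches the replay cache.
        expected = compute_mic(key, msg.code, msg.counter)
        if not hmac.compare_digest(expected, msg.mic):
            return "reject: bad MIC"
        # Freshness: an old capture carries an old (authenticated) counter.
        if abs(now - msg.counter) > MAX_SKEW:
            return "reject: stale"
        # Replay inside the freshness window is caught by the cache.
        if (msg.code, msg.counter) in self.seen:
            return "reject: replay"
        # Entries that can no longer pass the freshness check are dropped,
        # which keeps the cache bounded.
        self.seen = {(c, t) for (c, t) in self.seen if abs(now - t) <= MAX_SKEW}
        self.seen.add((msg.code, msg.counter))
        return "accept"


def demo() -> list:
    key = bytes(range(32))                  # constructed sample key
    code = b"constructed-app-code-01"       # constructed sample code
    verifier = Verifier(keys={code: key})
    t0 = 1_700_000_000                      # constructed timestamp
    genuine = make_announcement(key, code, t0)
    forged = Announcement(code, t0 + 1, b"\x00" * MIC_LEN)   # sender has no key
    rewritten = Announcement(code, t0 + 60, genuine.mic)     # counter altered
    stranger = Announcement(b"other", t0, genuine.mic)       # code not provisioned
    return [
        verifier.check(genuine, t0 + 1),     # fresh and valid
        verifier.check(genuine, t0 + 2),     # replayed inside the window
        verifier.check(genuine, t0 + 60),    # replayed after the window
        verifier.check(forged, t0 + 1),
        verifier.check(rewritten, t0 + 60),
        verifier.check(stranger, t0),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

A static code stays linkable across announcements, so this check does not provide the tracking resistance that the same requirement lists.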
The scheme in [66] proposed a D2D universal authentication and key agreement protocol based on the DHKE algorithm and the MAC under the LTE network. It can be applied to the D2D roaming scenarios and inter-operator scenarios. By the scheme in [66], the core network cannot acquire the final session key and only the participants can share the final session key directly, which achieves privacy preserving. However, this solution requires the participation of the base station and a large amount of signaling exchange, which easily causes a single point of failure. The scheme in [67] introduced an authentication and key agreement protocol for group users in the network-covered and network-absent scenarios. The scheme achieved mutual authentication and group anonymity by using the identity-based k-anonymity secret handshake scheme, public-key encryption and zero-knowledge proof. However, due to the use of public key cryptography, it brings a lot of computational and communication costs and does not take the roaming scenarios into consideration. Wang et al. [68] proposed two authentication schemes for D2D communication that enable a group of D2D users to mutually authenticate with each other. The scheme in [68] implements privacy preserving by using a group key agreement protocol, Hash-based Message Authentication Code (HMAC) and a pseudonym management method, and thus it also incurs lots of computational and communication costs. For the scenario of smart city, Guo et al. [69] proposed an attribute-based D2D communication trust negotiation scheme, which modeled the trust negotiation process as a 0/1 knapsack problem. This scheme adopts homomorphic encryption techniques to ensure the security of D2D communication. Zhang et al. [70] proposed a lightweight and robust security-aware data transmission protocol for the healthcare system based on the Certificateless generalized signcryption (CLGSC) technology.
This system requires high privacy, high security and fewer operations to suit the system environment.

In order to address the deficiencies of the application layer solutions, some physical layer security solutions have been proposed for D2D communication to transfer security functions from the upper layer to the lower layer, so as to solve the wireless link security problem. The physical layer security solutions can effectively reduce interference and prevent eavesdroppers from intercepting communications. The scheme in [71] used the DL transmission and beamforming to achieve a balance between minimizing power and maximizing privacy. The scheme in [72] took advantage of the interference caused by D2D communication against eavesdroppers and optimized the link to satisfy the confidentiality requirements of cellular communications and achieve the access control. However, the schemes in [71], [72] can only solve some special security problems and cannot provide strong security for D2D direct communication and group communication. Likewise, we compare the above relevant schemes in the D2D field as shown in Table V.

TABLE V
COMPARISON OF RELATED SCHEMES IN THE 5G D2D FIELD

| Scheme | Technologies | Issues Solved | Security Flaws |
|---|---|---|---|
| [63] | Acoustic waves, acoustic channel response-based authentication | Achieve device discovery and bidirectional initial authentication | Lack of identity privacy protection and cannot provide strong security |
| [64] | Bio-inspired discovery | Achieve distributed synchronization device discovery | Lack of mutual authentication and key agreement |
| [65] | Beacon transmission pattern | Achieve distributed synchronization device discovery | Lack of mutual authentication and key agreement |
| [66] | Diffie-Hellman Key Exchange algorithm (DHKE) and MAC | Achieve mutual authentication and key agreement between two D2D devices under LTE network | Single point failure due to the involvement of VNs; lack of identity privacy protection |
| [67] | Identity-based k-anonymity secret handshake, key-private encryption and Linear encryption, and zero-knowledge proof | Achieve network-covered and network-absent mutual authentication and key agreement among a group of D2D devices | Incur a lot of computation and communication costs; do not consider the roaming scenarios; need to manage the D2D group |
| [68] | HMAC and identity-based signature, pseudonym management | Achieve mutual authentication and group key agreement for D2D group communications | Incur a lot of computation and communication costs; do not consider the roaming scenarios; the temporary identities of UEs are updated frequently; need to manage the D2D group |
| [69] | Homomorphic encryption and secure two-party computation technique | Establish a bidirectional trust negotiation for D2D communications | Lack of mutual authentication and key agreement |
| [70] | Certificateless generalized signcryption (CLGSC) | Achieve D2D-assist secure data transmission between WBAN client and physician for healthcare system | Lack of mutual authentication and key agreement |
| [71] | Bernstein-type inequality and S-Procedure | Solve two robust secrecy rate optimisation problems for multiple-input-single-output secrecy channel with multiple D2D communications | Application restriction and lack of strong security |
| [72] | Information-theoretic secrecy capacity | Introduce D2D communication as interference against eavesdropping | Application restriction and lack of strong security |

D. Open Research Issues

Based on the analysis above, we propose some promising research directions for the 5G D2D security:

(1) Universal secure device discovery, secure access, mutual authentication, and key agreement protocols for D2D communication under the 5G architecture are required. The current D2D security protocols are not combined with 5G networks, and most of them can only meet one or two security requirements and cannot be put into application scenarios. Therefore, it is a key point to design a uniform access authentication and key agreement protocol which can meet a variety of security requirements in 5G D2D networks to ensure the full cycle security of the D2D communication.

(2) The security and performance of the designed security protocol need to be balanced in 5G D2D communication. The D2D communication technology can be applied to IoT device communication, where devices have limited resources. Since high level security protocols often bring about huge computational, storage, and transmission overheads, it is necessary to optimize the current security schemes to balance security and performance.

(3) Secure group communication needs to be studied in 5G D2D communication. In the 5G network, with the increasing number of terminal devices, the use of the group communication technique can effectively reduce signaling, communication and computational costs in both the device and the network, improve the communication efficiency, and be applied to various scenarios. However, there are only a few group communication schemes and most of them cannot achieve the security and privacy protection. It is necessary to design a secure communication protocol that can meet the security requirements of group communication [62].

(4) A uniform and efficient mutual authentication and handover authentication mechanism needs to be considered for D2D communication in 3GPP 5G HetNet scenarios. The mobility characteristic of the D2D equipment itself, and the low latency and high heterogeneity of the 5G HetNet, cause complex D2D communication scenarios and multiple new security issues. However, there is little research on lightweight and fast handover authentications and roaming access schemes for D2D scenarios in 5G HetNet. Therefore, it is necessary to study a unified and lightweight access authentication and handover authentication protocol for 5G HetNet in order to achieve seamless secure communication among D2D UEs.

(5) The security and incentive schemes based on social and trust relationships need to be considered. The security and credibility of the relay nodes in relay communication cannot be guaranteed, which brings a large number of security threats to the extended coverage of D2D communication. This problem can be solved based on trust or reputation. Further research will be conducted in the future.

VI. SECURITY IN V2X

A. Introduction on the 3GPP V2X

Internet of Vehicles (IoV) technology has recently evolved in the new direction of intelligence and networking. Vehicle to Everything (V2X) technology has also become the key technology for information exchange in intelligent networked vehicles. V2X technology can expand the vehicle’s perception of the traffic environment by gaining the surrounding vehicle operation information, traffic control information, congestion information, visual blind zone and other information in advance, and thus realize information sharing between the vehicles.
It is divided into the following four categories [73]: Vehicle to Infrastructure (V2I) communication, Vehicle to Vehicle (V2V) communication, Vehicle to Pedestrian (V2P) communication, and Vehicle to Network (V2N) communication. V2I communication focuses on the communication between vehicles and road facilities and is used to receive local traffic broadcast information. V2V communication mainly involves the initiative security services provided by communicating with surrounding vehicles, such as front-vehicle collision warning, emergency braking reminder and lane change hazard warning. V2P communication mainly involves the warning of pedestrian security. V2N communication mainly focuses on the intelligent control services such as line planning, remote control and dynamic map downloading, etc.

Fig. 12. The architectures of 5G V2X.

Nowadays, there are several different standards and protocols supporting the IoV. However, these different mechanisms lead to imperfect data processing and network integration and affect the operational efficiency of the IoV system due to technical difficulties such as limited mobile area, fast network topology changes, and frequent network access and interruption.
The major technologies for V2X communication include the following two types: Dedicated Short Range Communication (DSRC) technology [74] and Cellular Vehicle to Everything (C-V2X) technology based on cellular mobile communication systems, which includes LTE-V2X and 5G NR-V2X [75], [76]. DSRC-based communication provides a number of benefits for V2X applications, including low end-to-end latency, flexible organization without centralized control, and relatively low cost. However, there are also several issues, including service degradation in congested scenarios, security problems, and difficulty coping with compromised line of sight. Due to the characteristics of low latency, high performance, and no need to separately deploy roadside infrastructure, the 3GPP 5G network can bring a great breakthrough for V2X technology. Until now, the 3GPP committee has specified several standards, including architecture enhancements and application layer support for the V2X services, in the LTE network in release 14/15 [75], [77] and the 5G network in release 16 [76], [78], [79]. Compared to DSRC, C-V2X can provide several advantages, including a much larger coverage area, pre-existing infrastructure, deterministic security, QoS guarantees, and robust scalability.

As shown in Fig. 12, there are two operation modes for V2X communication, namely over the PC5 interface and over the 5G-Uu interface [80]. The 5G-Uu interface is the main interface for the UE to connect to the E-UTRAN, including the physical layer, Packet Data Convergence Protocol (PDCP) and Non-access Stratum (NAS). The 5G-Uu interface is aimed at the applications of V2I and V2N, which is the traditional vehicle networking business.
In this mode, the V2X terminal transmits the service data to the base station through the uplink of the 5G-Uu interface, and after receiving the information of the multiple terminals, the base station broadcasts it to all the V2X terminals in the coverage of the base station through the downlink of the 5G-Uu interface. The PC5 interface is a communication interface between UEs. In this mode, V2X terminals can exchange service information between vehicles and adjacent devices through the PC5 interface without the involvement of the base station. In addition, PC5 supports both IP and non-IP based communication.

Based on the coverage of the cellular network, the 5G-Uu operation mode can provide services to achieve large bandwidth and coverage communication, and the PC5 operation mode can provide services to achieve low latency and high reliability communication between V2X terminals. Independent of the coverage of the cellular network, the V2X communication service can also be provided through the PC5 interface where the cellular network is not deployed, and the communication between each V2X terminal can be realized without the intervention of the base station in the PC5 operation mode. In the scenario of cellular network coverage, data transmission can be flexibly and seamlessly switched between the 5G-Uu interface and the PC5 interface.

B. Security Requirement in the V2X Security Mechanism

At present, the 3GPP committee and researchers have discussed the security requirements on the network entities that are used to support V2X services [81]–[86]. However, the research gap in the security mechanisms of V2X technology has not been filled until now. In addition, due to the characteristics of V2X services, such as high mobility, high node density, dynamic network topology, time sensitivity and high transmission reliability, there are still some new security implications to be researched.

(1) Identity authentication.
This is one of the most significant security requirements in V2X systems, by which legitimate entities in V2X systems are differentiated from malicious ones. In V2X systems, there are mainly two types of identity authentication based on the different operation modes: the authentication for the V2I/V2N system and the authentication for the V2V/V2P system. For the authentication for the V2I/V2N system, the 5G-AKA protocol or EAP-AKA’ protocol is employed to achieve the mutual authentication between vehicles and the 5G core network. However, this protocol still has some vulnerabilities such as high signalling overhead, bandwidth consumption, and lack of a quick re-authentication process during handover, which need to be addressed in V2I/V2N systems. Since the V2V/V2P services can be exchanged directly or via the E-UTRAN, distinct authentication mechanisms need to be designed for the different scenarios envisioned in [76], such as a roaming or non-roaming V2X UE communicating with another one, a V2X UE served or not served by E-UTRAN communicating with another one, V2X messages transferred via an RSU, and so on. For the authentication in V2V/V2P systems, there are still no security mechanisms in place.

(2) Broadcast message authentication. Message authentication guarantees that the receiver can trust that the message received was sent by the legitimate entities and was not modified in the transmission process.
For the V2I/V2N systems, all messages over the air interface can be protected by using the session key generated after the successful authentication between the V2X UE and the 5GC. In addition, V2I broadcast communication security over the PC5 interface is required to be guaranteed. An RSU may combine V2X application logic with the functionality of an eNB (referred to as eNB-type RSU) or a UE (referred to as UE-type RSU). 5G network operators may deploy UE-type RSUs to periodically broadcast V2I messages including authority information such as curve speed limit and traffic light status. In order to notify more vehicles or pedestrians in emergency situations, a UE-type RSU may transfer event-driven V2V/V2P messages with its own identity, which can also be seen as V2I communication. Attacks on V2I broadcast information may cause the UE to make erroneous judgments and decisions. Therefore, the authenticity and integrity of V2I messages shall be verified by the receiver UE. In addition, it shall be checked whether the UE-type RSU is authorized by the 5G network operators to broadcast V2I messages.

For V2V/V2P systems, the confidentiality and integrity of the broadcast message must be protected against several protocol attacks. Attacks on V2V/V2P broadcast messages may mislead the receiver V2X UE into making a wrong decision or action about the current road condition. Therefore, the authenticity of the received broadcast information is required to be validated. In addition, the integrity and freshness of V2V/V2P broadcast messages shall be ensured so that the receivers accept only freshly generated messages from the authorized sender, which protects against forgery attacks and replay attacks.

(3) V2X UE privacy protection. All V2X UEs can frequently transmit application layer data packets containing their identities, location, speed, direction, dynamics, attributes, etc., in order to execute the V2X application.
The relationship between the identity and these specific data may allow an attacker to reveal the V2X UE’s personal details. Therefore, the 5G V2X system shall support the pseudonymity and privacy of the UE to ensure that the UE’s identity cannot be tracked or identified by any other UE or third party beyond a short time period [80]. In addition, the content of the data transmitted by a V2X UE should not allow another V2X entity, including UE, network and application server, to identify or track the sender UE beyond a short time period necessary for the V2X application. It is also worth noting that UE privacy may be more feasible to achieve in high density vehicle scenarios than in less travelled areas. Furthermore, traceability and non-repudiation must be enforced to ensure that no one can create false information by the use of others’ legal identities even if the identities have been concealed.

C. Security Solutions

Until now, researchers have proposed the following methods to address the loopholes in the 5G V2X system.

Authentication and data transmission for V2X systems. Ometov and Bezzateev discussed the introduction of Multi-Factor Authentication (MFA) into existing vehicular systems [87], which is more secure than Single-Factor Authentication (SFA). In addition, an MFA system based on the reversed Lagrange polynomial from Shamir’s Secret Sharing scheme is proposed for V2X applications in order to enable flexible in-car authentication. The scheme can qualify the missing factor to authenticate the user without providing the sensitive biometric data to the verification entity. Yang et al. proposed two lightweight anonymous credential schemes for anonymous authentication in V2X systems [88], which are applicable to V2V systems and V2I systems, respectively.
In this scheme, taking advantage of a dynamic accumulator under the rationale of witness update outsourcing, a lightweight anonymous credential mechanism for V2V is proposed in order to solve the credential revocation problem in anonymous credentials. Subsequently, the scheme improves the above mechanism for V2V by pushing as much of the prover's bilinear pairing computation as possible to the verifier and thus constructs a new anonymous credential mechanism for V2I to reduce the computation cost of the prover. Muhammada and AliSafdar mainly reviewed the existing V2X authentication solutions, discussed in detail the current authentication issues for cellular-assisted V2X systems [85], and finally gave some open research issues in cellular based V2X security services. Based on the improved certificateless aggregate signcryption technique (CLASC), Basudan et al. proposed a privacy-preserving scheme in a vehicular crowdsensing-based road surface condition monitoring system using fog computing [89]. In this scheme, data confidentiality, integrity, mutual authentication and privacy preservation can be achieved among control centers, vehicles, smart devices, roadside units, and cloud servers by the use of the CLASC scheme. Xu et al. proposed an efficient and secure identity-based message authentication scheme for vehicular networks based on LTE-V [90]. The scheme can achieve privacy protection by using the pseudo-identity, and non-repudiation of simple messages and batch messages, which greatly reduces the amount of signalling exchange. Subsequently, Xu et al. [91] designed an anonymous handover authentication protocol in LTE-V2X networks based on elliptic curve cryptography. The proposed scheme can successfully achieve the mutual authentication between an OBU and a target eNB and ensure the security requirements including anonymous handover, secure key agreement, privacy preservation, and the ability to resist various malicious attacks. Liu et al.
proposed an anonymous group message authentication protocol to support message batch verification for LTE-V2X networks [92]. By the use of the MAC and short group signature, the proposed scheme can be applied to different group-oriented applications and achieve V2X UE anonymity, accountability, and trajectory privacy. Abdelaziz et al. [93] proposed a cross-layer message source authentication scheme for V2X based on the cooperation between the traditional PKI-based authentication procedures in V2X and the available physical layer information to mitigate the potential risk of location spoofing and falsifying attacks.

Performance and certificate management aspects for V2X systems. A dynamic adaptability method in V2X systems was proposed based on application requirements and context [94] to address the safety, security and performance threats to connected vehicles. In this scheme, the tradeoffs between the safety, security and performance of V2X systems are analyzed and how to increase the safety of V2X technologies is addressed. Whitefield et al. [95] employed the formal verification tool Tamarin prover to formally analyze the revocation protocol of security mechanisms for V2X systems. Specifically, this scheme mainly evaluated the revocation of malicious or misbehaving vehicles from the V2X system by invalidating their credentials. Haidar et al.
[96] evaluated in detail the performance of the proposed PKI in terms of the reloading of short-term certificates by comparing two communication profiles, with V2X security and without V2X security, respectively. In addition, according to the evaluation results, they developed some optimizations to improve the performance. In order to counter the DoS attacks in the initial authentication phase caused by the generation of a mass of pseudonymous certificates, a puzzle-based co-authentication scheme was proposed in [97] to improve the efficiency of certificate verification in 5G-VANET. In this scheme, the hash puzzle is designed to restrict the attacker’s capability to forge fake pseudonymous certificates, and the collaborative verification is used to integrate the computing resources among legitimate vehicles. However, according to the stochastic theory and experimental analysis, the distribution of hash puzzle values generated by the hash function in the same given time is not very concentrated, which may affect the function of the puzzle. A Security Credential Management System (SCMS) was proposed in [98] for V2X communications. This system is designed to support the establishment of a nationwide Public Key Infrastructure for V2X security, which includes the following four main use cases: bootstrapping, certificate provisioning, misbehavior reporting, and revocation. In addition, pseudonym certificates are issued in order to achieve a reasonable level of privacy. As shown in Table VI, we compare the above relevant schemes in the V2X field.

D. Open Research Issues

Based on the security requirements, we give some promising research directions for the 5G V2X security.

(1) The physical layer security technique, an emerging security mechanism, exploits the characteristics of the wireless channels between vehicles and the network to generate keys for secure transmission. This approach can be used to complement upper layer security solutions.
Other non-encrypted security methods which are typically deployed at the physical layer can be considered to authenticate and identify the wireless devices.

(2) For the authentication solutions specifically proposed for V2I and V2V services, it is significant to consider the compatibility issues of the 5G network, such as unbounded network size, high mobility, diverse density, dynamic topology, etc. In addition, how effectively these cooperative technologies can be applied in 5G V2X communication has not been resolved.

(3) The effect of the control signaling traffic generated by the security algorithm on the 5G-V2X core infrastructure remains to be resolved. Since V2X messages are very small in size and are exchanged frequently between vehicles and other V2X communication entities, the generation of a low data payload requires high control plane signalling overhead due to frequent Radio Resource Control (RRC) state transitions. The increase in control signaling traffic needs to be effectively handled. Therefore, it is necessary to accurately model the interaction between the V2X authentication mechanism and the 5G core network, so as not to bring too much signaling traffic load to the core network, which may result in DoS attacks.

(4) Heterogeneous handover/roaming authentication for V2V/V2P systems. An efficient handover/roaming authentication mechanism needs to be considered for V2V/V2P systems in 3GPP 5G HetNet scenarios. Vehicles have relatively high density especially in urban areas, require small cell size, and move at high speed, and thus have a dynamic network topology with different mobility patterns. These characteristics in the 5G HetNet may cause more complex V2V/V2P communication scenarios and multiple new security challenges compared with D2D communication. However, there is no research on lightweight and fast handover authentication and roaming authentication schemes for V2V/V2P systems in 5G HetNet.
(5) LTE-V/5G-V group communication security. The dynamic nature of LTE-V/5G-V group communications should be taken into consideration to further improve the efficiency of the group communications. In addition, to meet the needs of new applications in in-vehicle self-organizing networks such as parking navigation, road monitoring and communications in 5G communications, there will be an emerging paradigm reconstruction called 5G small cell-based vehicle group sensing. However, there are many technical challenges in security and privacy aspects to be studied. ProSe communication provides a logical way to envision groups based on location or communication/broadcast range, which are obviously constantly in flux as vehicles drive around. V2X UE groups cannot easily be constructed due to this dynamic feature, especially when out of coverage. If the group membership is extended to large regions, the one single group key provisioned may weaken the entire group communication security. In addition, in ProSe communication, any member can derive any other member’s ProSe Traffic Key, which makes it impossible to ensure proper identification of the sender for the traceability that the V2X application needs. Thus, the ProSe security for one-to-many or broadcast group communication is not applicable to LTE-V/5G-V group communications.

TABLE VI. COMPARISON OF RELATED SCHEMES IN THE V2X FIELD.

| Scheme | Technologies | Issues Solved | Security Flaws |
|---|---|---|---|
| [87] | Multi-Factor authentication and Shamir's Secret Sharing | Achieve the authentication for the occupant by using integrated sensors deployed in the vehicle | Lack of mutual authentication, only for specific application scenarios |
| [88] | Nguyen's dynamic accumulator, zero-knowledge proof, and bilinear pairing operations | Achieve the anonymous authentication for V2I and V2V communications | Lack mutual authentication and key agreement, incur a lot of computational costs |
| [89] | Certificateless aggregate signcryption technique and fog computing | Achieve privacy preserving data secure transmission between mobile sensors and RSU in road surface condition monitoring system | Lack of mutual authentication, incur a lot of computational costs |
| [90] | Elliptic Curve Cryptography, and identity-based cryptography | Achieve message authentication between massive OBUs and the RSU in LTE-V, provide non-repudiation and batch verification, reduce signaling cost | Lack of mutual authentication, incur a lot of storage costs |
| [91] | Elliptic curve cryptography | Achieve anonymous handover authentication among the OBU, the eNB and the MME in LTE-V | Incur a lot of computational and communication overheads |
| [92] | Elliptic curve cryptography, zero-knowledge proof and bilinear pairing operations | Achieve the group message authentication for vehicle group communications in LTE-V, provide batch verification | Lack of mutual authentication, incur a lot of computational overheads, need to manage the vehicle group |
| [93] | Integrate PKI-based authentication and physical layer information | Achieve the message authentication for V2V and V2I communications, mitigate location spoofing and falsifying attack | Lack of mutual authentication, and strong security |
| [94] | Dynamic adaptability method based on application requirements and context | Evaluate the tradeoffs between security and safety in V2X systems | Imperfect adaptability framework and single evaluation scenario |
| [95] | Tamarin prover | Evaluate the V2X revocation protocols | Application restriction |
| [96] | Proof-of-Concept (PoC) | Evaluate the performance of PKI-based protocols with V2X security and without V2X security | Application restriction |
| [97] | Hash puzzle and collaborative verification | Achieve the anonymity authentication for V2V communications in 5G-V, mitigate DoS attacks | Only for the defects of pseudo-random identity mechanisms, the distribution of hash puzzle values is unconcentrated |
| [98] | PoC, security credential management system | Support the nationwide PKI establishment for V2X security | Lack of the performance balancing policy and misbehavior detection algorithms |

VII. SECURITY IN NETWORK SLICE

A. Introduction on 3GPP Network Slice

In the 5G era, hundreds of billions of devices will be connected to the network. Different types of devices and different application scenarios have different network requirements. The key point is how to meet the QoS requirements that different services place on the 5G network using the same physical network facility. The introduction of NFV and SDN technologies into the 5G network, and the use of the network slicing method, can effectively guarantee the QoS requirements of different services. The network slice splits the existing physical network to form multiple independent logical networks that provide customized services for differentiated services. According to the QoS requirements of different services, the corresponding network functions and network resources are allocated to the network slice to realize the instantiation of the 5G architecture. Typically, network slices consist of a large number of network functions and a specific set of RATs. How the network functions and RAT sets are combined depends on the specific usage scenarios or business models.

As one of the enabling technologies of network slicing, SDN technology helps to realize the separation of control plane and data plane, and defines an open interface between the two planes to accomplish flexible definition of network functions in the network slice. To meet the requirements of a given type of business, a network slice only includes the network functions for that specific business. For example, in order to meet the demand of augmented reality for low latency performance, network slicing is designed to arrange caching and data processing functions at the edge of the network to improve local data processing capabilities and reduce data transmission delay. The remaining non-essential network functions should be discarded from the slice to reduce the redundancy of the network functions.

In addition to the SDN technology, network slicing uses NFV technology to implement hardware and software decoupling, and to abstract physical resources into virtual resources. The virtual resources used by the network slice can be divided into two categories: dedicated resources employed only for a specific slice, and shared resources used by multiple slices. In the process of network slice instantiation, the relevant network element first adapts the slice for the service, and then configures the exclusive resource according to its service requirement and the current network resource condition without affecting the performance of other slices. The allocated network resources are used to implement virtual network functions, interface instantiation and service orchestration in the network slice, and finally complete the slice creation.

Network slicing deployed by the use of the SDN and NFV technologies can provide a diverse and personalized network service and effectively guarantee the QoS requirements of different services. However, there are still some challenges in the actual application of network slicing.
Examples include how to manage network slicing, how to abstract network slicing resources, and how to effectively isolate network slicing resources. As network slicing is a key technology of 5G, academic researchers and standards organizations including the 3GPP committee pay close attention to it. Academia has analyzed the concepts, framework, slice selection, and some challenges and future research directions for 5G network slicing [99]–[102]. The 3GPP committee has also defined multiple topics about the slice scenario, framework development, network management, requirement analysis and security aspects in network slicing [2], [103]–[108]. Here, 3GPP TR23.799 [104] has given the following three alternative network slicing scenarios in the next-generation network architecture as shown in Fig. 13, where the Slice Selection Function (SSF) handles the UE’s initial Attach Request and New Session establishment request by selecting an appropriate slice for the UE based on the UE’s subscription information, UE usage type, service type and UE capabilities.

[Fig. 13. Network Slice. The figure shows the Slice Selection Function (SSF), the Subscriber Repository and the RAN, with the CP NFs and UP NFs of Network Slices A, B and C and the Common CP NFs.]

Network Slice A: All network functions of the core network are sliced, and both the user plane and the control plane are included in the slice instance of one core network.
Network Slice B: The shared functions of the control plane of the core network are not sliced and serve as a shared part of each slice; the function slice of the user plane is not suitable for sharing that of the control plane.

Network Slice C: The control plane of the core network is not sliced and all of its functions are shared, and only the user plane of the core network is sliced.

The 5G system uniquely identifies a particular network slice through the S-NSSAI (Network Slice Selection Assistance Information). This information is stored in the UE’s subscription database. In order to achieve flexible selection of network slices, the 5G core network also introduces an independent network element, the NSSF (Network Slice Selection Function). The UE carries the S-NSSAI information in the session establishment process, and the RAN/AMF transmits the signaling message to the corresponding network slice according to the S-NSSAI carried by the UE, in cooperation with the NSSF.

B. Security Requirement in the 3GPP Network Slice

Owing to the resource sharing among slices and the open interfaces that support the programmability of the network, network slicing security is a key issue to be solved. Network slices serving different types of services may have different security requirements and adopt distinct security protocols and mechanisms. In addition, when network slicing is executed on multi-domain infrastructure, designing the network slicing security protocols and mechanisms becomes more complex [99]. Currently, the 3GPP committee has analyzed the security requirements and potential solutions. The 5G secondary authentication mechanism suggested by the 3GPP committee is used to implement slice-specific authentication and authorization [107], but there are still a large number of security issues and requirements to be studied.
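The subscription check behind the S-NSSAI-based slice selection described above, as an added example that is not taken from the paper or from 3GPP code: the S-NSSAI carried by the UE is untrusted input, so the network validates it against the subscription data before routing. The S-NSSAI layout (one-octet SST, optional three-octet SD) and the limit of eight requested entries follow 3GPP TS 23.501; the subscription records, the slice instance names and the `needs_slice_auth` flag are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

MAX_REQUESTED = 8  # TS 23.501: at most eight S-NSSAIs in a Requested NSSAI


@dataclass(frozen=True)
class SNSSAI:
    sst: int                  # Slice/Service Type, one octet (e.g. 1 = eMBB, 4 = V2X)
    sd: Optional[int] = None  # Slice Differentiator, three octets, optional

    @classmethod
    def decode(cls, raw: bytes) -> "SNSSAI":
        """Decode the simplified wire form: SST alone, or SST followed by SD."""
        if len(raw) == 1:
            return cls(raw[0])
        if len(raw) == 4:
            return cls(raw[0], int.from_bytes(raw[1:], "big"))
        raise ValueError("S-NSSAI must be 1 (SST) or 4 (SST+SD) octets")

    def __str__(self) -> str:
        return f"{self.sst:02x}" + ("" if self.sd is None else f"-{self.sd:06x}")


@dataclass(frozen=True)
class SubscribedSlice:
    snssai: SNSSAI
    instance: str           # hypothetical name of the slice instance to route to
    needs_slice_auth: bool  # assumption: slice demands slice-specific authentication


@dataclass
class Decision:
    allowed: Dict[str, str]          # S-NSSAI -> slice instance
    pending_auth: List[str]          # subscribed, but slice-specific auth not done yet
    rejected: List[Tuple[str, str]]  # (value as received or decoded, reason)


def select_slices(requested: Iterable[bytes],
                  subscription: Iterable[SubscribedSlice],
                  slice_authenticated: Set[SNSSAI]) -> Decision:
    """Split the UE's requested S-NSSAIs into allowed, pending and rejected."""
    by_id = {s.snssai: s for s in subscription}
    decision = Decision({}, [], [])
    for index, raw in enumerate(requested):
        if index >= MAX_REQUESTED:
            decision.rejected.append((raw.hex(), "requested NSSAI too long"))
            continue
        try:
            snssai = SNSSAI.decode(raw)
        except ValueError:
            decision.rejected.append((raw.hex(), "malformed"))
            continue
        entry = by_id.get(snssai)  # exact match on SST *and* SD
        if entry is None:
            decision.rejected.append((str(snssai), "not subscribed"))
        elif entry.needs_slice_auth and snssai not in slice_authenticated:
            decision.pending_auth.append(str(snssai))
        else:
            decision.allowed[str(snssai)] = entry.instance
    return decision


# Constructed subscription data for one UE.
SUBSCRIPTION = [
    SubscribedSlice(SNSSAI(1), "embb-default", False),
    SubscribedSlice(SNSSAI(4, 0x00000A), "v2x-fleet-a", True),
]


def demo() -> Decision:
    requested = [
        bytes.fromhex("01"),        # subscribed eMBB slice
        bytes.fromhex("0400000a"),  # subscribed V2X slice, slice auth still open
        bytes.fromhex("0200000a"),  # slice the UE has no subscription for
        bytes.fromhex("0100000a"),  # SST 1 with an SD: a different slice than "01"
        bytes.fromhex("0400"),      # truncated value
    ]
    return select_slices(requested, SUBSCRIPTION, slice_authenticated=set())


if __name__ == "__main__":
    print(demo())
```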
(1) Security protection between the Network Slice Management Function (NSMF) and the Communication Service Management Function (CSMF) or between the Communication Service Provider (CSP) and Communication Service Customer (CSC) [2]. Network slicing allows operators to provide customized services to customers. The CSP/CSMF will translate the service related requirements to network slice related requirements and notify the NSMF of the operator’s network through the slice management interface. Since a lot of slice management messages such as activation/deactivation, modification, deletion, and/or monitoring of a network slice instance are transmitted through the slice management interface, this interface needs to be protected so that only authorized parties can create, alter, and delete network slice instances. A mutual authentication and key agreement mechanism between the CSC and the network is required to withstand several protocol attacks before connecting to the slice management interface. In addition, it is also a key point to design the data integrity and confidentiality protection mechanism to ensure the security of the slice management messages.

(2) Differentiated security protection mechanisms for different network slices. Network slices serving different types of services may have different security requirements. Thus, it is a key point to provide different levels of security protection for differentiated network slices and, at the same time, to provide security isolation between network slices in order to limit potential network attacks to a single network slice. In addition, users can simultaneously access multiple core network slices through a wireless network, where these network slices may be mutually exclusive. It is necessary to design an access control mechanism to restrict the use of two services simultaneously.

(3) Security protection mechanisms for the support of the slicing group.
Network slicing can be divided according to the different characteristics of the services offered. Under the premise of providing the same characteristics, the users can be grouped by slicing. In addition, the UE can access several network slices, which can form a network slice group. Within the same group of network slices, each network slice can serve the UE simultaneously with other network slice(s). Thus, there are two types of group: a user group for the same network slice and a network slice group for the same user. By the use of the grouping method, signaling and service optimization can be achieved. However, how to design the group authentication, group security management and group member update mechanisms is a key issue.

(4) Security interworking mechanisms for slicing mobility between EPC and 5GC. If the UE has established a set of PDN connections active in the EPC for which the UE has been given a corresponding S-NSSAI by the CN, when the UE moves from the EPC to the 5GC, all the slices associated to PDN connections still need to be served between the UE and the serving AMF, and vice-versa. It is necessary to design security protection mechanisms between the MME in EPC and the AMF in 5GC to ensure seamless slice mobility.

C. Security Solutions

In order to mutually establish the trust relationships between operators in the 3GPP multi-operator slice creation process, Backman et al.
[109] proposed the concept of the blockchain slice leasing ledger, which uses a 5G network slice broker in a blockchain to simplify the service creation process and let manufacturing equipment autonomously acquire the related slices. In order to express the security difference in 5G network slicing services, Niu et al. [110] gave the concept of network slice trust degree and provided a trust degree calculation model. In the model, the network slice trust value is divided into three aspects: the network slice subjective trust value, the network slice history trust value, and the reward and punishment value, which can be calculated by the network slice manager according to the different security requirements of the network slices. Schneider et al. [111] provided a 5G mobile network slice security isolation model for highly sensitive third-party services. In this scheme, the over-the-top security approach is discussed to ensure the confidentiality and integrity of the vertical’s data, and different new network architecture deployment models are introduced to protect the vertical’s meta traffic data against the Mobile Network Operator (MNO). Zhang et al. [112], [113] proposed a privacy-aware power injection scheme, which fits the Advanced Metering Infrastructure (AMI) and the 5G smart grid network slice. In this scheme, each power storage unit sends its blinded power bid, the related signature and a MAC to the gateway over the AMI networks, and then the gateway aggregates all of the bids and signatures to generate an aggregation signature and sends them to the utility company via the 5G smart grid network slice. Finally, the utility company checks the integrity and authenticity of the data by verifying the aggregation signature. Similar to the above scheme, Zhang et al. [114] subsequently proposed a privacy-preserving communication and power injection scheme over vehicle networks and the 5G smart grid slice by the use of an aggregation technique without pairing operations. Ni et al.
[115] proposed a network-sliced and service-oriented authentication framework, which can achieve anonymous authenticated key agreement for 5G-enabled IoT. In this scheme, by integrating network slicing and fog computing, users can trust the 5G operator and IoT service provider based on the group signature technique, send service data on network slices, and connect to the remote servers and local fog nodes for secure access to IoT services. In addition, a privacy-preserving slice selection mechanism is proposed to guarantee that the proper network slices are chosen by the fog nodes and that the links between users and the services they access are protected. Likewise, we compare the relevant schemes in the network slice field as shown in Table VII.

D. Open Research Issues

There are still a lot of open research issues to be studied in 5G network slice security.

(1) Group-based slice authentication mechanism for massive users. The current slice authentication method, the secondary authentication mechanism submitted by the 3GPP committee, can only be used to authenticate a single UE for one slice or multiple slices. In addition, it needs several signaling message exchanges. When massive users concurrently request the authentication or authorization of one slice or several slices, it may result in signaling storms. Thus, how to handle the secondary authentication of one or more slices for massive users is a key point.

(2) Unified separable authentication framework for different security levels of network slice services. Since different slices have different security levels, it is necessary to employ distinct slice authentication mechanisms to meet the specific security degree and QoS requirement.
Although the EAP authentication framework provided by the secondary authentication mechanism can provide a variety of different authentication methods, multiple independent authentication mechanisms are employed for different slice services in the EAP, which may cause a large amount of energy consumption for resource-limited terminals. Therefore, a uniform, flexible and security-separable identity authentication framework is required to provide comprehensive and fine-grained support for slice services in the 5G network.

TABLE VII
COMPARISON OF RELATED SCHEMES IN THE NETWORK SLICE FIELD

| Scheme | Technologies Implemented | Issues Solved | Security Flaws |
|---|---|---|---|
| [109] | Blockchain technology to manage the virtualized 5G network resources and slices | Enables manufacturing equipment to autonomously acquire the slice; avoids DoS attacks and privacy problems | Not legally recognized; use cases are limited |
| [110] | Cloud model algorithm, user evaluation mechanism and trust reward mechanism | Establishes the trust degree calculation model for 5G network slicing service; calculates the network slice historical and dynamic trust value | No comparison of efficiency with other schemes; increases the SDN controller’s storage burden and computing cost |
| [111] | Uses private infrastructure; introduces provisioning models for 3rd-party slices | Achieves superior isolation for slice deployment; devices are solely managed | Not suitable for public network infrastructure; requires extra management work such as mobility management |
| [112], [113] | Hash-then-addition and hash-then-homomorphic aggregation technique | Achieves secure data aggregation between Power Storage Units (PSUs) and the Utility Company (UC) for power injection in the 5G smart grid slice; achieves user privacy protection; ensures the integrity and authenticity of the collected data | Incurs a lot of computational overhead; cannot resist dishonest adversaries; application restriction |
| [114] | Hash-then-homomorphic aggregation technique | Achieves secure data aggregation between PSUs and UC over vehicle networks and the 5G smart grid slice; achieves user privacy protection | Unable to resist dishonest adversaries; lack of mutual authentication; application restriction |
| [115] | PS signature, public key sharing technique, group signature | Achieves privacy-preserving slice selection, service authentication and session key agreement between UEs and the IoT server over fog computing nodes and the 5G network slice; supports batch verification | Incurs a lot of computational costs; key agreement needs a trusted third party; some service information is exposed |

VIII. CONCLUSION

The 3GPP committee has released several standards so as to occupy the commanding heights of 5G network research. In this paper, we have reviewed and discussed the security aspects in 3GPP 5G networks. We have first given the current 5G network and security architectures specified by the 3GPP committee. Subsequently, we have discussed and evaluated in detail the security mechanisms, security requirements or security vulnerabilities, and security-related solutions for the new features and techniques, including 5G access and handover, IoT, D2D, V2X and network slice, in 3GPP 5G networks. In addition, we have also presented some potential directions for future research on these security aspects of 5G networks. It is expected that our work could further improve the 5G network security aspects and make some suggestions for the smooth implementation and commercial deployment of 5G in the future.

APPENDIX A
ABBREVIATION

AAA: Authentication, Authorizing, and Accounting
AF: Application Function
AHM: Authentication Handover Module
AKA: Authentication and Key Agreement
AMAC: Aggregate Message Authentication Code
AMF: Access and Mobility Management Function
AP: Access Point
ARPF: Authentication credential Repository and Processing Function
AS: Access Stratum
AUSF: Authentication Server Function
AUTN: AUthentication TokeN
AV: Authentication Vector
CK: Ciphering Key
CLASC: Certificateless aggregate signcryption
CLGSC: Certificateless generalized signcryption
CP: Control Plane
CSC: Communication Service Customer
CSG: Closed Subscriber Group
CSMF: Communication Service Management Function
CSP: Communication Service Provider
C-V2X: Cellular Vehicle to Everything
DH/DHKE: Diffie-Hellman Key Exchange
DoS: Denial of Service
DRBs: Data Radio Bearers
DSRC: Dedicated Short Range Communication
D2D: Device-to-Device
EAP-AKA: Extensible Authentication Protocol-Authentication and Key Agreement
EAP-AKA’: Improved EAP-AKA
ECC: Ellipse Curve Cipher
EC-GSM: Extended Coverage Global System of Mobile Communication
EDGE: Enhanced Data Rate for GSM Evolution
eMTC: enhanced Machine Type Communication
eNB: eNodeB
EPC: Evolved Packet Core
ePDG: Evolved Packet Data Gateway
EPS: Evolved Packet System
EPS AKA: Evolved Packet System Authentication and Key Agreement
E-UTRA: Evolved UMTS Terrestrial Radio Access
E-UTRAN: Evolved-Universal Terrestrial Radio Access Network
FN: Foreign Network
GCS: Group Communication Service
GERAN: GSM EDGE Radio Access Network
gNB: NR Node B
GPRS: General Packet Radio Service
GUTI: Globally Unique Temporary Identity
GSM: Global System of Mobile communication
HetNet: Heterogeneous Network
HeNB: Home eNodeB
HN: Home Network
HRES: Hash RESponse
HXRES: Hash eXpected RESponse
H2H: Human to Human
IMS: IP multimedia subsystem
IMSI: International Mobile Subscriber Identification
IK: Integrity Key
IKE: Internet Key Exchange
IKEv2: Internet Key Exchange Protocol Version 2
IoT: Internet of Things
IP: Internet Protocol
KGC: Key Generate Centre
LPWAN: Low Power Wide Area Network
LTE/SAE: Long Term Evolution/System Architecture Evolution
LTE-A: LTE-Advanced
LTE-M: LTE-Machine
ME: Mobile Equipment
MFA: Multi-Factor Authentication
MME: Mobility Management Entity
MP: Management Plane
MTC: Machine Type Communication
M2M: Machine to Machine
NAS: Non-Access Stratum
NB-IoT: Narrow Band Internet of Things
NCC: NH Chaining Counter
NE: Network Element
NEF: Network Exposure Function
NFV: Network Function Virtualization
NG-eNB: Next Generation Evolved Node-B
NG-RAN: Next Generation Radio Access Network
NH: Next Hop
NR: New Radio
NRF: Network Repository Function
NSMF: Network Slice Management Function
N3IWF: Non-3GPP access Interworking Function
OBU: On Board Unit
PCF: Policy Control Function
PDCP: Packet Data Convergence Protocol
PDN: Packet Data Network
PDUs: Protocol Data Units
PKI: Public Key Infrastructure
ProSe: Proximity Services
QoS: Quality of Service
RAN: Radio Access Network
RES: RESponse
RRC: Radio Resource Control
RSU: Road Side Unit
SBA: Service Based Architecture
SCI: Secure Context Information
SCEF: Service Capability Exposure Function
SCMS: Security Credential Management System
SDN: Software Defined Network
SDSF: Structured Data Storage Function
SEAF: Security Anchor Function
SFA: Single-Factor Authentication
SIDF: Subscription Identifier De-concealing Function
SMF: Session Management Function
SN: Serving Network
SN ID: Serving Network Identity
SUCI: Subscription Concealed Identifier
SUPI: Subscription Permanent Identifier
UDM: Unified Data Management
UDSF: Unstructured Data Storage Function
UE: User Equipment
UMTS: Universal Mobile Telecommunication System
UP: User Plane
UPF: User Plane Function
USIM: Universal Subscriber Identity Module
UTRAN: UMTS Terrestrial Radio Access Network
VN: Visiting Network
V2X: Vehicle to Everything
V2I: Vehicle to Infrastructure
V2V: Vehicle to Vehicle
V2P: Vehicle to Pedestrian
V2N: Vehicle to Network
WLAN: Wireless Local Area Network
XRES: eXpected RESponse
ZKP: Zero Knowledge Proof
3GPP: 3rd Generation Partnership Project
5G-AKA: 5G-Authentication and Key Agreement
5GC: 5G Core Network
5G-RAN: 5G Radio Access Network
5GS: 5G System

ACKNOWLEDGMENT

This work is supported by the National Key R&D Program of China (2017YFB0802700) and the National Natural Science Foundation of China (No. 61772404 and U1836203).

REFERENCES

[1] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Security architecture and procedures for 5G system (Rel 15), 3GPP TS 33.501 V15.3.1, Dec. 2018.
[2] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on security aspects of 5G network slicing management (Rel 15), 3GPP TR 33.811 V15.0.0, Jun. 2018.
[3] 3rd Generation Partnership Project; Technical Specification Group Services and Systems Aspects; Security aspects; Study on the support of 256-bit algorithms for 5G (Rel 16), 3GPP TR 33.841 V16.0.0, Dec. 2018.
[4] Schneider, P., & Horn, G. (Aug. 2015). Towards 5G security. In 2015 IEEE Trustcom/BigDataSE/ISPA, (pp. 1165-1170). IEEE.
[5] Vij, S., & Jain, A. (Mar. 2016). 5G: Evolution of a secure mobile technology. In 2016 3rd International Conference on Computing for Sustainable Global Development, (pp. 2192-2196). IEEE.
[6] Ferrag, M. A., Maglaras, L., Argyriou, A., Kosmanos, D., & Janicke, H. (2018). Security for 4G and 5G cellular networks: A survey of existing authentication and privacy-preserving schemes. Journal of Network and Computer Applications, 101, 55-82.
[7] Fang, Q., WeiJie, Z., Guojun, W., & Hui, F. (Sep. 2014). Unified security architecture research for 5G wireless system. In 2014 11th Web Information System and Application Conference (WISA), (pp. 91-94). IEEE.
[8] 3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Non-Access-Stratum (NAS) protocol for 5G System (5GS); Stage 3 (Rel 15), 3GPP TS 24.501 V15.2.0, Dec. 2018.
[9] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3GPP System Architecture Evolution (SAE); Security architecture (Rel 15), 3GPP TS 33.401 V15.6.0, Dec. 2018.
[10] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; System Architecture for the 5G System; Stage 2 (Rel 15), 3GPP TS 23.501 V15.4.0, Dec. 2018.
[11] 3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Access to the 3GPP 5G Core Network (5GCN) via Non-3GPP Access Networks (N3AN); Stage 3 (Rel 15), 3GPP TS 24.502 V15.2.0, Dec. 2018.
[12] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Procedures for the 5G System; Stage 2 (Rel 15), 3GPP TS 23.502 V15.4.0, Dec. 2018.
[13] 3rd Generation Partnership Project; Technical Specification Group Radio Access Network; NR; NR and NG-RAN Overall Description; Stage 2 (Rel 15), 3GPP TS 38.300 V15.3.1, Oct. 2018.
[14] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access (Rel 16), 3GPP TS 23.401 V16.1.0, Dec. 2018.
[15] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Architecture enhancements for non-3GPP accesses (Rel 15), 3GPP TS 23.402 V15.3.0, Mar. 2018.
[16] Basin, D., Dreier, J., Hirschi, L., Radomirovic, S., Sasse, R., & Stettler, V. (Oct. 2018). A Formal Analysis of 5G Authentication. In 2018 ACM SIGSAC Conference on Computer and Communications Security, (pp. 1383-1396). ACM.
[17] Fang, D., Qian, Y., & Hu, R. Q. (2018). Security for 5G Mobile Wireless Networks. IEEE Access, 6, 4850-4874.
[18] Liu, F., Peng, J., & Zuo, M. (Aug. 2018). Toward a Secure Access to 5G Network. In 2018 17th IEEE International Conference On Trust, Security And Privacy, (pp. 1121-1128). IEEE.
[19] Behrad, S., Bertin, E., & Crespi, N. (Feb. 2018). Securing authentication for mobile networks, a survey on 4G issues and 5G answers. In 2018 21st Conference on Innovation in Clouds, Internet and Networks and Workshops (ICIN), (pp. 1-8). IEEE.
[20] Hussain, S., Echeverria, M., Chowdhury, O., Li, N., & Bertino, E. (Feb. 2019). Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information. In Network and Distributed Systems Security (NDSS) Symposium 2019, doi: https://dx.doi.org/10.14722/ndss.2019.23442.
[21] Cao, J., Ma, M., Li, H., Zhang, Y., & Luo, Z. (2014). A survey on security aspects for LTE and LTE-A networks. IEEE Communications Surveys & Tutorials, 16(1), 283-302.
[22] Gavrilovska, L., Rakovic, V., & Atanasovski, V. (2016). Visions towards 5G: Technical requirements and potential enablers. Wireless Personal Communications, 87(3), 731-757.
[23] Duan, X., & Wang, X. (2015). Authentication handover and privacy protection in 5G hetnets using software-defined networking. IEEE Communications Magazine, 53(4), 28-35.
[24] Panwar, N., Sharma, S., & Singh, A. K. (2016). A survey on 5G: The next generation of mobile communication. Physical Communication, 18, 64-84.
[25] Boujelben, M., Rejeb, S. B., & Tabbane, S. (Aug. 2015). A novel green handover self-optimization algorithm for LTE-A/5G HetNets. In 2015 International Wireless Communications and Mobile Computing Conference (IWCMC), (pp. 413-418). IEEE.
[26] Arkko, J., Norrman, K., Näslund, M., & Sahlin, B. (Aug. 2015). A USIM compatible 5G AKA protocol with perfect forward secrecy. In 2015 IEEE Trustcom/BigDataSE/ISPA, (pp. 1205-1209). IEEE.
[27] Yang, H., Zheng, H., Zhang, J., Wu, Y., Lee, Y., & Ji, Y. (Aug. 2017). Blockchain-based trusted authentication in cloud radio over fiber network for 5G. In 2017 16th International Conference on Optical Communications and Networks (ICOCN), (pp. 1-3). IEEE.
[28] Pan, F., Jiang, Y., Wen, H., Liao, R., & Xu, A. (Sep. 2017). Physical Layer Security Assisted 5G Network Security. In 2017 IEEE 86th Vehicular Technology Conference (VTC-Fall), (pp. 1-5). IEEE.
[29] Yang, J., Ji, X., Huang, K., Chen, Y., & Qi, X. (Nov. 2015). A physical-layer authentication scheme based on hash method. In 2015 IEEE/CIC International Conference on Communications in China-Workshops (CIC/ICCC), (pp. 99-104). IEEE.
[30] Pan, F., Wen, H., Song, H., Jie, T., & Wang, L. (Nov. 2015). 5G security architecture and light weight security authentication. In 2015 IEEE/CIC International Conference on Communications in China-Workshops (CIC/ICCC), (pp. 94-98). IEEE.
[31] Boubakri, W., Abdallah, W., & Boudriga, N. (Jun. 2017). Access control in 5G communication networks using simple PKI certificates. In 2017 13th International Wireless Communications and Mobile Computing Conference (IWCMC), (pp. 2092-2097). IEEE.
[32] Chatzigiannakis, I., Pyrgelis, A., Spirakis, P. G., & Stamatiou, Y. C. (Oct. 2011). Elliptic curve based zero knowledge proofs and their applicability on resource constrained devices. In 2011 IEEE 8th International Conference on Mobile Adhoc and Sensor Systems (MASS), (pp. 715-720). IEEE.
[33] Moreira, C. M., Kaddoum, G., & Bou-Harb, E. (May 2018). Cross-layer authentication protocol design for ultra-dense 5G HetNets. In 2018 IEEE International Conference on Communications (ICC), (pp. 1-7). IEEE.
[34] Duan, X., & Wang, X. (May 2016). Fast authentication in 5G HetNet through SDN enabled weighted secure-context-information transfer. In 2016 IEEE International Conference on Communications (ICC), (pp. 1-6). IEEE.
[35] Forssell, H., Thobaben, R., Al-Zubaidy, H., & Gross, J. (Dec. 2017). On the Impact of Feature-Based Physical Layer Authentication on Network Delay Performance. In GLOBECOM 2017-2017 IEEE Global Communications Conference, (pp. 1-6). IEEE.
[36] Kishida, A., Morihiro, Y., Asai, T., & Okumura, Y. (2018). Cell selection scheme for handover reduction based on moving direction and velocity of UEs for 5G multi-layered radio access networks. In 2018 International Conference on Information Networking (ICOIN), (pp. 362-367). IEEE.
[37] Ma, T., Hu, F., & Ma, M. (Nov. 2017). Fast and efficient physical layer authentication for 5G HetNet handover. In 2017 27th International Telecommunication Networks and Applications Conference (ITNAC), (pp. 1-3). IEEE.
[38] Lee, J., & Yoo, Y. (Jul. 2017). Handover cell selection using user mobility information in a 5G SDN-based network. In 2017 Ninth International Conference on Ubiquitous and Future Networks (ICUFN), (pp. 697-702). IEEE.
[39] Qiu, Y., Zhang, H., Long, K., Sun, H., Li, X., & Leung, V. (Oct. 2017). Improving handover of 5G networks by network function virtualization and fog computing. In International Conference on Communications in China (ICCC 2017), (pp. 1-5). IEEE.
[40] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Service Requirements for Machine-Type Communications (MTC); Stage 1 (Rel 14), 3GPP TS 22.368 V14.0.1, Aug. 2017.
[41] 3rd Generation Partnership Project; Technical Specification Group Radio Access Network; Evolved Universal Terrestrial Radio Access (E-UTRA) and Evolved Universal Terrestrial Radio Access Network (E-UTRAN); Overall description; Stage 2 (Rel 15), 3GPP TS 36.300 V15.3.0, Sep. 2018.
[42] Harwahyu, R., Cheng, R. G., Wei, C. H., & Sari, R. F. (2018). Optimization of random access channel in NB-IoT. IEEE Internet of Things Journal, 5(1), 391-402.
[43] Yang, X., Wang, X., Wu, Y., Qian, L. P., Lu, W., & Zhou, H. (2018). Small-Cell Assisted Secure Traffic Offloading for Narrowband Internet of Thing (NB-IoT) Systems. IEEE Internet of Things Journal, 5(3), 1516-1526.
[44] Kim, T., Kim, D. M., Pratas, N., Popovski, P., & Sung, D. K. (2017). An enhanced access reservation protocol with a partial preamble transmission mechanism in NB-IoT systems. IEEE Communications Letters, 21(10), 2270-2273.
[45] Ericsson. (2016). Internet of Things to overtake mobile phones by 2018, 1-32.
[46] Khan, M. A., & Salah, K. (2018). IoT security: Review, blockchain solutions, and open challenges. Future Generation Computer Systems, 82, 395-411.
[47] Cao, J., Li, H., Ma, M., & Li, F. (2018). UPPGHA: Uniform Privacy Preservation Group Handover Authentication Mechanism for mMTC in LTE-A Networks. Security and Communication Networks, 2018, 1-16.
[48] Cao, J., Ma, M., & Li, H. (2017). G2RHA: Group-to-route handover authentication scheme for mobile relays in LTE-A high-speed rail networks. IEEE Transactions on Vehicular Technology, 66(11), 9689-9701.
[49] Cao, J., Li, H., & Ma, M. (Jun. 2015). GAHAP: A group-based anonymity handover authentication protocol for MTC in LTE-A networks. In 2015 IEEE International Conference on Communications (ICC), (pp. 3020-3025). IEEE.
[50] Cao, J., Li, H., Ma, M., & Li, F. (Jun. 2015). UGHA: Uniform group-based handover authentication for MTC within E-UTRAN in LTE-A networks. In 2015 IEEE International Conference on Communications (ICC), (pp. 7246-7251). IEEE.
[51] Kong, Q., Lu, R., Chen, S., & Zhu, H. (2017). Achieve Secure Handover Session Key Management via Mobile Relay in LTE-Advanced Networks. IEEE Internet of Things Journal, 4(1), 29-39.
[52] Cao, J., Ma, M., & Li, H. (2015). GBAAM: group-based access authentication for MTC in LTE networks. Security and Communication Networks, 8(17), 3282-3299.
[53] Li, J., Wen, M., & Zhang, T. (2016). Group-based authentication and key agreement with dynamic policy updating for MTC in LTE-A networks. IEEE Internet of Things Journal, 3(3), 408-417.
[54] Lai, C., Li, H., Lu, R., Jiang, R., & Shen, X. (Dec. 2013). LGTH: A lightweight group authentication protocol for machine-type communication in LTE networks. In 2013 IEEE Global Communications Conference (GLOBECOM), (pp. 832-837). IEEE.
[55] Cao, J., Ma, M., Li, H., Fu, Y., & Liu, X. (2018). EGHR: Efficient group-based handover authentication protocols for mMTC in 5G wireless networks. Journal of Network and Computer Applications, 102, 1-16.
[56] Cao, J., Yu, P., Ma, M., & Gao, W. (2018). Fast Authentication and Data Transfer Scheme for Massive NB-IoT Devices in 3GPP 5G Network. IEEE Internet of Things Journal, doi: 10.1109/JIOT.2018.2846803.
[57] 3rd Generation Partnership Project; Technical Specification Group Radio Access Network; Study on further enhancements to LTE Device to Device (D2D); User Equipment (UE) to network relays for Internet of Things (IoT) and wearables (Rel 15), 3GPP TR 36.746 V15.1.1, Apr. 2018.
[58] 3rd Generation Partnership Project; Technical Specification Group Radio Access Network; Study on LTE Device to Device Proximity Services; Radio Aspects (Rel 12), 3GPP TR 36.843 V12.0.1, Mar. 2014.
[59] 3rd Generation Partnership Project; Technical Specification Group Radio Access Network; LTE Device to Device (D2D) Proximity Services (ProSe); User Equipment (UE) radio transmission and reception (Rel 12), 3GPP TR 36.877 V12.0.0, Mar. 2015.
[60] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Proximity-based Services (ProSe); Security aspects (Rel 15), 3GPP TS 33.303 V15.0.0, Jun. 2018.
[61] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on security architecture enhancements to Proximity Services (ProSe) User Equipment (UE)-to-network relay (Rel 15), 3GPP TR 33.843 V15.1.0, Jun. 2018.
[62] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on security issues to support Group Communication System Enablers (GCSE) for LTE (Rel 12), 3GPP TR 33.888 V12.1.0, Sep. 2014.
[63] Xie, P., Feng, J., Cao, Z., & Wang, J. (2018). Genewave: Fast authentication and key agreement on commodity mobile devices. IEEE/ACM Transactions on Networking (TON), 26(4), 1688-1700.
[64] Chao, S. L., Lee, H. Y., Chou, C. C., & Wei, H. Y. (2013). Bio-inspired proximity discovery and synchronization for D2D communications. IEEE Communications Letters, 17(12), 2300-2303.
[65] Huang, P. K., Qi, E., Park, M., & Stephens, A. (Jun. 2013). Energy efficient and scalable device-to-device discovery protocol with fast discovery. In 2013 IEEE International Workshop of Internet-of-Things Networking and Control (IoT-NC), (pp. 1-9). IEEE.
[66] Wang, M., Yan, Z., & Niemi, V. (2017). UAKA-D2D: Universal authentication and key agreement protocol in D2D communications. Mobile Networks and Applications, 22(3), 510-525.
[67] Hsu, R. H., Lee, J., Quek, T. Q., & Chen, J. C. (2018). GRAAD: Group Anonymous and Accountable D2D Communication in Mobile Networks. IEEE Transactions on Information Forensics and Security, 13(2), 449-464.
[68] Wang, M., & Yan, Z. (2018). Privacy-preserving authentication and key agreement protocols for D2D group communications. IEEE Transactions on Industrial Informatics, 14(8), 3637-3647.
[69] Guo, J., Ma, J., Li, X., Zhang, J., & Zhang, T. (2017). An Attribute-Based Trust Negotiation Protocol for D2D Communication in Smart City Balancing Trust and Privacy. Journal of Information Science & Engineering, 33(4), 1007-1023.
[70] Zhang, A., Wang, L., Ye, X., & Lin, X. (2017). Light-weight and robust security-aware d2d-assist data transmission protocol for mobile-health systems. IEEE Transactions on Information Forensics and Security, 12(3), 662-675.
[71] Chu, Z., Cumanan, K., Xu, M., & Ding, Z. (2014). Robust secrecy rate optimisations for multiuser multiple-input-single-output channel with device-to-device communications. IET Communications, 9(3), 396-403.
[72] Yue, J., Ma, C., Yu, H., & Zhou, W. (2013). Secrecy-based access control for device-to-device communication underlaying cellular networks. IEEE Communications Letters, 17(11), 2068-2071.
[73] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on LTE support for Vehicle-to-Everything (V2X) services (Rel 14), 3GPP TR 22.885 V14.0.0, Dec. 2015.
[74] Naik, G., Liu, J., & Park, J. M. (2018). Coexistence of Wireless Technologies in the 5 GHz Bands: A Survey of Existing Solutions and a Roadmap for Future Research. IEEE Communications Surveys & Tutorials, 20(3), 1777-1798.
[75] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Architecture enhancements for V2X services (Rel 15), 3GPP TS 23.285 V15.2.0, Dec. 2018.
[76] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on architecture enhancements for LTE support of V2X services (Rel 14), 3GPP TR 23.785 V14.0.0, Sep. 2016.
[77] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Application layer support for V2X services; Functional architecture and information flows (Rel 16), 3GPP TS 23.286 V0.2.0, Dec. 2018.
[78] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on application layer support for V2X services (Rel 16), 3GPP TR 23.795 V16.1.0, Dec. 2018.
[79] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on architecture enhancements for EPS and 5G System to support advanced V2X services (Rel 16), 3GPP TR 23.786 V1.0.0, Dec. 2018.
[80] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Service requirements for V2X services; Stage 1 (Rel 15), 3GPP TS 22.185 V15.0.0, Jun. 2018.
[81] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on security aspects for LTE support of Vehicle-to-Everything (V2X) services (Rel 14), 3GPP TR 33.885 V14.1.0, Sep. 2017.
[82] Ahmed, K. J., & Lee, M. J. (2017). Secure, LTE-based V2X service. IEEE Internet of Things Journal, 5(5), 3724-3732.
[83] Bian, K., Zhang, G., & Song, L. (Sep. 2017). Security in Use Cases of Vehicle-to-Everything Communications. In 2017 IEEE 86th Vehicular Technology Conference (VTC-Fall), (pp. 1-5). IEEE.
[84] Marojevic, V. (2018). C-V2X Security Requirements and Procedures: Survey and Research Directions. CoRR, abs/1807.09338.
[85] Muhammad, M., & Safdar, G. A. (2018). Survey on existing authentication issues for cellular-assisted V2X communication. Vehicular Communications, 12, 50-65.
[86] Bian, K., Zhang, G., & Song, L. (2018). Toward Secure Crowd Sensing in Vehicle-to-Everything Networks. IEEE Network, 32(2), 126-131.
[87] Ometov, A., & Bezzateev, S. (Nov. 2017). Multi-factor authentication: A survey and challenges in V2X applications. In 2017 9th International Congress on Ultra Modern Telecommunications and Control Systems and Workshops (ICUMT), (pp. 129-136). IEEE.
[88] Yang, Y., Wei, Z., Zhang, Y., Lu, H., Choo, K. K. R., & Cai, H. (2017). V2X security: A case study of anonymous authentication. Pervasive and Mobile Computing, 41, 259-269.
[89] Basudan, S., Lin, X., & Sankaranarayanan, K. (2017). A privacy-preserving vehicular crowdsensing-based road surface condition monitoring system using fog computing. IEEE Internet of Things Journal, 4(3), 772-782.
[90] Xu, C., Huang, X., Ma, M., & Bao, H. (2018). A Secure and Efficient Message Authentication Scheme for Vehicular Networks based on LTE-V. KSII Transactions on Internet & Information Systems, 12(6), 2841-2860.
[91] Xu, C., Huang, X., Ma, M., & Bao, H. (2018). An Anonymous Handover Authentication Scheme Based on LTE-A for Vehicular Networks. Wireless Communications and Mobile Computing, 2018, 6251219:1–6251219:15.
[92] Liu, D., Ni, J., Lin, X., & Shen, X. (2018). Anonymous Group Message Authentication Protocol for LTE-based V2X Communications. Internet Technology Letters, 1(2), e25.
[93] Abdelaziz, A., Koksal, C. E., Burton, R., Barickman, F., Martin, J., Weston, J., & Woodruff, K. (Jun. 2018). Beyond PKI: Enhanced Authentication in Vehicular Networks via MIMO. In 2018 IEEE 19th International Workshop on Signal Processing Advances in Wireless Communications (SPAWC), (pp. 1-5). IEEE.
[94] Villarreal-Vasquez, M., Bhargava, B., & Angin, P. (Jun. 2017). Adaptable safety and security in V2X systems. In 2017 IEEE International Congress on Internet of Things (ICIOT), (pp. 17-24). IEEE.
[95] Whitefield, J., Chen, L., Kargl, F., Paverd, A., Schneider, S., Treharne, H., & Wesemeyer, S. (Sep. 2017). Formal analysis of V2X revocation protocols. In International Workshop on Security and Trust Management, (pp. 147-163). Springer.
[96] Haidar, F., Kaiser, A., & Lonc, B. (Sep. 2017). On the performance evaluation of vehicular PKI protocol for V2X communications security. In 2017 IEEE 86th Vehicular Technology Conference (VTC-Fall), (pp. 1-5). IEEE.
[97] Liu, P., Liu, B., Sun, Y., Zhao, B., & You, I. (2018). Mitigating DoS Attacks Against Pseudonymous Authentication Through Puzzle-Based Co-Authentication in 5G-VANET. IEEE Access, 6, 20795-20806.
[98] Brecht, B., Therriault, D., Weimerskirch, A., Whyte, W., Kumar, V., Hehn, T., & Goudy, R. (2018). A Security Credential Management System for V2X Communications. IEEE Transactions on Intelligent Transportation Systems, 1-22.
[99] Li, X., Samaka, M., Chan, H. A., Bhamare, D., Gupta, L., Guo, C., & Jain, R. (2017). Network slicing for 5G: challenges and opportunities. IEEE Internet Computing, 21(5), 20-27.
[100] Ordonez-Lucena, J., Ameigeiras, P., Lopez, D., Ramos-Munoz, J. J., Lorca, J., & Folgueira, J. (2017). Network slicing for 5G with SDN/NFV: concepts, architectures and challenges. IEEE Communications Magazine, 55(5), 80-87.
[101] Rost, P., Mannweiler, C., Michalopoulos, D. S., Sartori, C., Sciancalepore, V., Sastry, N., ... & Aziz, D. (2017). Network slicing to enable scalability and flexibility in 5G mobile networks. IEEE Communications Magazine, 55(5), 72-79.
[102] Sama, M. R., Beker, S., Kiess, W., & Thakolsri, S. (Dec. 2016). Service-based slice selection function for 5G. In 2016 IEEE Global Communications Conference (GLOBECOM), (pp. 1-6). IEEE.
[103] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Service requirements for the 5G system; Stage 1 (Rel 16), 3GPP TS 22.261 V16.6.0, Dec. 2018.
[104] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on Architecture for Next Generation System (Rel 14), 3GPP TR 23.799 V14.0.0, Dec. 2016.
[105] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Telecommunication management; Study on management and orchestration of network slicing for next generation network (Rel 15), 3GPP TR 28.801 V15.1.0, Jan. 2018.
[106] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Feasibility Study on New Services and Markets Technology Enablers; Stage 1 (Rel 14), 3GPP TR 22.891 V14.2.0, Sep. 2016.
[107] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on Enhancement of Network Slicing (Rel 16), 3GPP TR 23.740 V16.0.0, Dec. 2018.
[108] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Management and orchestration; Concepts, use cases and requirements (Rel 15), 3GPP TS 28.530 V15.1.0, Dec. 2018.
[109] Backman, J., Yrjölä, S., Valtanen, K., & Mämmelä, O. (Nov. 2017). Blockchain network slice broker in 5G: Slice leasing in factory of the future use case. In 2017 IEEE Internet of Things Business Models, Users, and Networks, (pp. 1-8). IEEE.
[110] Niu, B., You, W., Tang, H., & Wang, X. (Dec. 2017). 5G network slice security trust degree calculation model. In 2017 3rd IEEE International Conference on Computer and Communications (ICCC), (pp. 1150-1157). IEEE.
[111] Schneider, P., Mannweiler, C., & Kerboeuf, S. (Apr. 2018). Providing strong 5G mobile network slice isolation for highly sensitive third-party services. In 2018 IEEE Wireless Communications and Networking Conference (WCNC), (pp. 1-6). IEEE.
[112] Zhang, Y., Zhao, J., & Zheng, D. (2017). Efficient and privacy-aware power injection over AMI and smart grid slice in future 5G networks. Mobile Information Systems, 2017(6), 1-11.
[113] Zhang, Y., Zheng, D., Zhao, Q., Lai, C., & Ren, F. (Oct. 2017). PADA: Privacy-Aware Data Aggregation with Efficient Communication for Power Injection in 5G Smart Grid Slice. In 2017 International Conference on Networking and Network Applications (NaNA), (pp. 11-16). IEEE.
[114] Zhang, Y., Li, J., Zheng, D., Li, P., & Tian, Y. (2018). Privacy-preserving communication and power injection over vehicle networks and 5G smart grid slice. Journal of Network and Computer Applications, 122, 50-60.
[115] Ni, J., Lin, X., & Shen, X. S. (2018). Efficient and Secure Service-Oriented Authentication Supporting Network Slicing for 5G-Enabled IoT. IEEE Journal on Selected Areas in Communications, 36(3), 644-657.

Jin Cao received the B.Sc. and Ph.D. degrees from Xidian University in 2008 and 2015, respectively. Since July 2015, he has been an associate professor in the School of Cyber Engineering, Xidian University, Xi’an, Shaanxi, China. His interests are in wireless network security and application cryptography. He has published more than 50 papers on the topics of wireless network security.

Maode Ma received his BE degree in computer engineering from Tsinghua University in 1982, ME degree in computer engineering from Tianjin University in 1991 and Ph.D. degree in computer science from Hong Kong University of Science and Technology in 1999. He is a tenured Associate Professor in the School of Electrical and Electronic Engineering at Nanyang Technological University in Singapore. He has extensive research interests including wireless networking, wireless network security and optical networking. He has been a member of the technical program committee for more than 110 international conferences. He has been a technical track chair, tutorial chair, publication chair, and session chair for more than 50 international conferences. He has published more than 200 international academic research papers on wireless networks and optical networks. He is a senior member of IEEE and an IET Fellow.

Hui Li received the B.Sc. degree from Fudan University in 1990, and the M.A.Sc. and Ph.D. degrees from Xidian University in 1993 and 1998. Since June 2005, he has been a professor in the School of Cyber Engineering, Xidian University, Xi’an, Shaanxi, China. His research interests are in the areas of cryptography, wireless network security, information theory and network coding. He is a chair of ACM SIGSAC CHINA. He has served as the technical committee chair or co-chair of several conferences. He has published more than 170 international academic research papers on information security and privacy preservation.

Ruhui Ma received the B.S. and M.S. degrees in Electronics and Communications Engineering from Xidian University, China, in 2013 and 2016, respectively. She is currently pursuing the Ph.D. degree in Cyberspace Security at Xidian University, China. Her research interests include Device-to-Device communication and LTE/LTE-A/5G networks.

Yunqing Sun received the B.Sc. degree from Xidian University in 2018. She is currently pursuing the M.Sc. degree in Cyberspace Security at Xidian University, China. Her research interests include Device-to-Device communication and 5G network.

Pu Yu received the B.E. degree from Xidian University in 2018. He is currently studying for a master’s degree at Xidian University, specializing in computer technology. His research interests include NB-IoT and 5G network security.

Lihui Xiong received the B.E. degree from Xidian University in 2018. He is currently studying for a master’s degree at Xidian University, specializing in computer technology. His research interests include V2X communication and 5G network security.