Previous: CENTAURI 200 IoT Gateway Solution
Security Solutions for 5G Era Mobile Terminals
18 Feb 2021
This article first analyzes the main security risks faced by mobile terminals and mobile communications in the 5G era. It then summarizes the current status and shortcomings of mainstream terminal security technologies such as system isolation technology and virtual private network (VPN) technology.
A terminal security solution that meets the requirements of secure mobile communications and mobile office is proposed, consisting of three components: hardware-based system isolation, gateway-style intranet VPN access, and inter-system secure communication. This solution systematically addresses the security issues of mobile terminal hardware, operating systems, applications, data, and network communications.
As the types and application scenarios of 5G mobile terminals continue to expand, mobile terminals have evolved from traditional communication devices primarily focused on voice calls and text messages to intelligent terminals used in various domains of daily life and work. The architecture of terminal technology has also undergone significant changes: higher integration of terminal chips and richer functional modules. The trend of intelligent operating systems is becoming stronger, capable of supporting increasingly complex applications and services.
At the same time, various industries are leveraging the mobility, convenience, and flexibility of mobile communications, integrating mobile terminals into their internal networks, utilizing mobile terminals for handling work and production affairs, and storing internal enterprise data on mobile devices.
5G mobile terminals face information security risks. Ensuring communication security, data security, protection of personal privacy, safeguarding commercial secrets, and ensuring national information security while leveraging the convenience of mobile communications has become a key issue in the field of mobile information security. Consequently, research on critical mobile terminal security technologies is of great significance.
This article provides an in-depth analysis of the security risks faced by 5G mobile terminals and the current mainstream terminal security technologies. It innovatively proposes a dual-hardware, dual-system gateway-style isolation protection and internal network security access technology for 5G terminals, providing information security guarantees for the protection of personal privacy, commercial secrets, and national encryption.
Security Risk Analysis
Employees use mobile terminals to access internal networks for office purposes and store internal network data locally. If the data communication between the mobile terminal and the office internal network, as well as the storage of data on the mobile terminal, lack effective security protection, the data of the office internal network will be exposed to the internet, posing significant information security risks.
Therefore, both the mobile terminal and the office internal network, as well as the communication process between them, urgently require security protection capabilities. When mobile terminals and office internal networks communicate, the following security issues are primarily encountered:
a) Identity authentication security risks. Whether it is passwords, verification codes, or biometrics, there is a risk of being cracked or impersonated. If a mobile terminal is falsely connected to the internal network, there is a hidden risk of data leakage in the internal network.
b) Data storage security risks. Mobile terminals lack fine-grained control measures for data storage. Data is usually stored in plaintext format on storage devices, lacking confidentiality and integrity protection, making it highly susceptible to viruses, trojans, malicious program tampering, and theft. Additionally, if a phone is lost, the risk of data leakage is high.
c) Communication security risks. Mobile communication provides various data transmission links, including wireless data, voice, and text messages, as well as near-field communication such as Bluetooth, infrared, and NFC. Communication networks and devices are subject to numerous uncontrollable factors, making user communication data susceptible to interception and tampering by malicious actors.
d) Terminal software and hardware security risks. Mobile terminals typically adopt software and hardware platforms such as iOS, Android, and Arm. According to disclosures, these platforms have security vulnerabilities and backdoors, posing significant security risks.
Overview of Security Technologies
Currently, there are two main approaches to terminal security technology solutions. One is the use of terminal virtualization and system isolation technologies to run multiple operating systems on a single hardware, ensuring the security of terminal data and operating environments. The other approach involves virtual private network (VPN) technologies such as VPDN and VPN to ensure secure access and network transmission between mobile terminals and enterprise intranets.
Terminal System Isolation
In current mainstream mobile terminals, a single set of hardware supports only one operating system, while different applications are isolated using software sandboxing techniques. For example, the Android system extends the Linux kernel's security model and user and permission mechanisms, applying isolation mechanisms between different users to isolate programs. Each application is assigned a separate Linux system user identity (UID), enabling Android applications to run in independent Linux process spaces.
With the advancement of virtualization technology and the improvement of terminal hardware capabilities, it is now possible to use virtual machines (VM) for isolating multiple applications within a terminal. The purpose of using VM is to create an isolated and controlled runtime environment, protecting applications from security risks outside the VM. Access between different VMs must be done through system interfaces, making it easier to monitor and more secure.
The virtualization platform can monitor the operating systems and application software within the VM through probes, allowing virus scanning. At the same time, it is crucial to ensure that applications within the VM cannot access the data of the virtualization platform, protecting it from network attacks.
Dual System in Terminals refers to running two mutually isolated and independent operating systems within a single terminal, catering to different needs for work and personal use.The two systems, one being a secure system (work system) and the other being a personal system (life system), have separate runtime environments, file systems, and data storage, achieving application and data isolation.
The secure system restricts certain functionalities of the terminal's hardware (e.g., microphone, camera, Bluetooth) based on security requirements from the hardware driver level. Furthermore, mobile terminals can define dual system switching management strategies and set independent security policies for the two systems to reduce information security risks.
Virtual Private Network Technologies
After years of development, virtual private network (VPN) technology has evolved into two mature technical architectures: Internet Protocol Security (IPSec) and Secure Sockets Layer (SSL) protocols. In the TCP/IP layered model, IPSec operates at the network layer and reconstructs IP packets to establish secure virtual network transmission channels, providing confidentiality and integrity protection through cryptographic algorithms.
SSL protocol and its successor, Transport Layer Security (TLS) protocol, operate between the transport layer and application layer, providing security and data integrity for network communication.
Adopting VPN technology enables secure access of mobile terminals to enterprise intranets and ensures network transmission security. Initially, the legitimacy of terminal access to the enterprise intranet is verified through various means, such as MAC addresses, IP addresses, usernames and passwords, biometrics, PKI public key certificate systems, USB keys, or a combination of these methods.
Only after successful authentication can VPN communication proceed. During VPN communication, IPSec or SSL protocols provide the following security capabilities:
a) Data confidentiality: The sender encrypts the data using cryptographic algorithms, transmitting ciphertext data through the communication channel. Legitimate recipients can decrypt the data to obtain plaintext using the same cryptographic algorithms. Even if the ciphertext data is intercepted during transmission, the interceptor cannot correctly decrypt it to obtain the plaintext data.
b) Data integrity: The sender calculates message digests and signatures using cryptographic algorithms, transmitting both the digest and signature values along with the data. The recipient can verify the data's origin and ensure it has not been tampered with by performing verification calculations using cryptographic algorithms.
c) Protection against replay attacks: The data receiver can detect outdated or duplicate packets.
Whether using terminal system isolation technology or virtual private network technology, the hardware level is constrained by the mobile terminal's hardware structure. The security mechanisms and policies of mobile terminals rely on the CPU for implementation. At the software level, security mechanisms are controlled by the operating system, and data processing, transmission, and storage are implemented through the operating system.
Therefore, system isolation and secure communication protocols are implemented by the CPU and operating system within the mobile terminal. If the CPU or operating system itself has vulnerabilities or backdoors, all security mechanisms could be bypassed, compromising security.
Terminal Security Solution
This article presents an innovative and optimized design for the security architecture of 5G mobile terminals based on existing technological solutions. Firstly, it proposes hardware-based system isolation. By integrating two sets of hardware (including CPU, memory, and storage) within a single mobile terminal, one set is dedicated to running the secure system, and the other set is for the life system.
The operating systems or virtual machines are established on separate hardware systems, ensuring thorough isolation of application runtime environments and storage space. Secondly, it introduces a gateway-style intranet VPN access. By placing an encryption coprocessor between the baseband chip and the secure system CPU, the terminal achieves physical isolation between the CPU and baseband chip, and all communication data between them must pass through the secure coprocessor, ensuring that the VPN path cannot be bypassed or substituted. Lastly, it presents a secure communication solution between systems.
The CPUs of the secure system and life system communicate via the encryption coprocessor and utilize encrypted communication protocols for the interaction of control signals and communication data.
Hardware-Based System Isolation
In a secure mobile terminal, two sets of hardware (including CPU, memory, and storage) are integrated into a single device to run two operating systems and upper-layer applications. The secure mobile terminal consists of the secure system, life system, secure communication module (encryption coprocessor), general communication module (baseband processor and RF module), and system peripherals.
The secure communication module serves as the security core of the secure mobile terminal, connecting the secure system, life system, and general communication module. The key component of the secure communication module is the encryption coprocessor, which ensures secure data communication between the secure system, general communication module, and life system through hardware means, achieving hardware isolation between the dual systems of the secure mobile terminal.
The secure system primarily includes the application processor (CPU), memory, and storage, providing a runtime environment, file system, and data storage for office applications. The CPU of the secure system is directly connected to the secure coprocessor, and all interaction data with the general communication module or life system must be processed through the secure communication module without direct physical connections to the general communication module or life system.
The secure system cannot engage in regular network communication and must establish a gateway-style VPN communication channel through the secure communication module to connect to the office intranet. The secure system is directly connected to the system peripherals and controls their functionalities.
The life system includes the application processor (CPU), memory, and storage and is directly connected to the general communication module. Its basic functionalities are not significantly different from those of a regular smartphone's related modules. There is no direct physical connection between the life system and the secure system. The interaction of control signals and communication data between the life system and the secure system is controlled and processed through the secure communication module.
There is no physical connection between the secure system and system peripherals. When accessing peripheral functionalities, the life system requires authorization from the secure system and operates under its supervision.
The general communication module consists of the baseband processor and RF module, which are not significantly different from the communication modules of a regular smartphone. This module is responsible for transmitting communication data from the secure system through the secure communication module or from the life system for network transmission.
The system peripherals include power supply, display screen, camera, earpiece, microphone, USB, etc., and their functionalities are similar to those of regular smartphone peripherals. The system peripherals are directly controlled by the secure system and can be indirectly accessed by the life system under controlled conditions.
At the software level, the secure mobile terminal can be divided into the secure system, life system, and VPN module, as shown in Figure 3. The secure system and application system have independent hardware abstraction layers, operating system layers, and application layers, running independently. The VPN module is responsible for the network communication functionality of the secure system. By establishing the operating system or virtual machine on separate hardware systems, the isolation of application runtime environments and storage space is further enhanced.
Gateway-Style Intranet VPN Access
The secure mobile terminal enables secure communication between the terminal and the office intranet, providing gateway-style security capabilities for intranet access and data transmission. With the advantages of mobile communication convenience and flexibility, the secure mobile terminal effectively prevents external attacks, unauthorized user access, and information leakage.
The access area is the core module of the office intranet's secure access functionality, mainly consisting of a VPN gateway. The VPN gateway is deployed between the application server and the Internet, serving as the entry point for external users to enter the office intranet. It facilitates user authentication, virtual network channel protocols, and password security functions. The secure mobile terminal communicates with the VPN gateway through a VPN communication protocol for secure intranet data communication.
The service area is the module that carries various office intranet services, mainly composed of application servers. The application servers in the service area do not significantly differ from those in the Internet application servers.
The key aspect of gateway-style intranet VPN access is that the communication channel between the mobile terminal and the intranet VPN gateway cannot be bypassed or maliciously substituted. On the network side, the office intranet is physically isolated from the intranet access area (VPN gateway) to ensure physical separation between the office intranet and the Internet.
Ordinary Internet users cannot access the office intranet. On the terminal side, the secure system of the secure mobile terminal is connected to the baseband through the secure communication module (encryption coprocessor). The encryption coprocessor establishes a virtual network communication channel between the secure system and the office intranet VPN gateway. The virtual network communication between the secure system and the office intranet is transmitted through the mobile Internet, ensuring confidentiality, integrity, and reliable source of all communication data.
Inter-System Secure Communication Solution
The secure system and life system of the secure mobile terminal are physically isolated, and direct access between them is not possible. However, the two systems need to cooperate with each other, requiring interaction of control instructions and some business data. Therefore, it is crucial to establish limited secure communication between the dual systems under controlled conditions.
The encryption coprocessor serves as the implementation module for secure communication between the dual systems. It establishes a secure communication protocol between the systems, similar to secure communication protocols between servers. Only when the security policies are met can data interaction occur between the dual systems, enabling the secure system to authorize the use of system peripherals by the life system and provide message notifications between the two systems.
This article has described the security risks faced by mobile terminals in enterprise applications and analyzed commonly used terminal security technologies and existing issues. It proposes hardware-based system isolation, gateway-style intranet VPN access, and inter-system secure communication solutions based on virtualization system isolation technology and virtual private network technology.
The hardware and software structures and functionalities of the secure mobile terminal and office intranet have been analyzed. The secure mobile terminal and office intranet proposed in this article have been successfully applied in government communication and office fields with high requirements for information security, playing a significant role in safeguarding national information security.
Previous: CENTAURI 200 IoT Gateway Solution