
Global 6G Technology Conference: 2024 White Paper on Potential Key Technologies for 6G Security (English Edition) (46 pages).pdf


Contents

Preface
I. Wireless Physical Layer Security Technology
1.1 Scenarios and Security Requirements
1.2 Technical Principles
1.3 Technology Application Concepts
1.4 Challenges and Suggestions
II. Distributed Trust Technology
2.1 Scenarios and Security Requirements
2.2 Technical Principles
2.3 Technology Application Concepts
2.4 Challenges and Suggestions
III. Ubiquitous Trust Technology
3.1 Scenarios and Security Requirements
3.2 Technical Principles
3.3 Technology Application Concepts
3.4 Challenges and Suggestions
IV. Quantum Security Technology
4.1 Scenarios and Security Requirements
4.2 Technical Principles
4.3 Technology Application Concepts
4.4 Challenges and Suggestions
V. Privacy Protection Technology
5.1 Scenarios and Security Requirements
5.2 Technical Principles
5.3 Technology Application Concepts
5.4 Challenges and Suggestions
VI. Security Capability Service-Oriented Technology
6.1 Scenarios and Security Requirements
6.2 Technical Principles
6.3 Technology Application Concepts
6.4 Challenges and Suggestions
VII. Mimic Defense Technology
7.1 Scenarios and Security Requirements
7.2 Technical Principles
7.3 Technology Application Concepts
7.4 Challenges and Suggestions
VIII. AI Security Management and Decision-Making Technology
8.1 Scenarios and Security Requirements
8.2 Technical Principles
8.3 Technology Application Concepts
8.4 Challenges and Suggestions
IX. DTN Security Deduction Technology
9.1 Scenarios and Security Requirements
9.2 Technical Principles
9.3 Technology Application Concepts
9.4 Challenges and Suggestions
Summary
References
Abbreviations
Writing Organization

Preface

6G networks are evolving towards complexity and diversity, with increasing openness leading to further blurring of traditional network security boundaries. As network attack methods continue to escalate, future networks cannot rely solely on passive defense mechanisms such as boundary isolation and plug-in security capabilities to ensure security. Therefore, 6G networks should have built-in security genes to fully guarantee the end-to-end security and trustworthiness of 6G networks.

Built-in security is a concept and method for realizing 6G security. It emphasizes integrating security as a core element and basic feature into the entire life cycle of 6G networks. Security is rooted in 6G networks and coexists with the network, enabling 6G networks to have self-protection, self-repair, and self-adaptation capabilities. It proactively responds to various threats and attacks through internal mechanisms to improve the overall security and reliability of 6G networks.

The reconstruction of 6G network architecture provides an opportunity and window period for establishing a new security system. The IMT-2030 (6G) Promotion Group pointed out in the 6G Network Security Vision Technology Research Report [1] that 6G network security should have the four characteristics of active immunity, resilient autonomy, digital twin security, and ubiquitous collaboration. In the 6G Trustworthy Built-in Security Architecture Research Report [2], it proposes the concept of integrating trust+security, and constructs a 6G trustworthy built-in security architecture from three levels of security capability, security control, and security decision-making. It collaborates with digital twin networks, artificial intelligence analysis capabilities, and resource orchestration and scheduling capabilities. In the form of a security plane, it provides built-in security genes for 6G networks to achieve the security and reliability of 6G networks.

Figure 1 Schematic Diagram of 6G Trustworthy Built-in Security Architecture

Based on the 6G trustworthy built-in security architecture, this white paper describes the application scenarios and security requirements, technical principles, application concepts, related challenges, and suggestions of potential key technologies for 6G security from three levels of security capability, security control, and security decision. Among them, Chapter 1 Wireless Physical Layer Security Technology, Chapter 2 Distributed Trust Technology, Chapter 3 Ubiquitous Trusted Technology, Chapter 4 Quantum Security Technology, and Chapter 5 Privacy Protection Technology belong to the potential key technologies at the security capability level; Chapter 6 Security Capability Service-Oriented Technology and Chapter 7 Mimic Defense Technology belong to the potential key technologies at the security control layer; Chapter 8 AI Security Management and Decision Technology and Chapter 9 DTN Security Deduction Technology belong to the potential key technologies at the security decision-making layer. The above three categories of technologies will support the design of the overall 6G trustworthy built-in security system around the goals of trust and security.

I. Wireless Physical Layer Security Technology

1.1 Scenarios and Security Requirements

In the future, the types and quantities of 6G terminals will continue to increase. Various Internet of Things (IoT) devices with different capabilities will gradually become the main force. However, most IoT terminals have limited processing capabilities and cannot carry complex signaling and processing overhead. In addition, they are distributed in different open electromagnetic environments, facing severe wireless security challenges [3]. Wireless physical layer security (PLS) technology utilizes the natural security attributes of wireless channels, such as anisotropy, random variability, and third-party uncertainty, to provide security capabilities that can be integrated but do not rely on traditional security mechanisms. By mining and utilizing the built-in security attributes of wireless channels, PLS can achieve the integrated design of communication and security, which is expected to provide lightweight security capabilities for the information security of 6G Internet of Things [4]. Wireless built-in security technology is based on the theory of physical layer security, which can achieve the endogenous integrated design of communication and security by further exploring and utilizing the built-in security attributes of wireless channels. Under the stimulation of new technologies such as Reconfigurable Intelligent Surface (RIS) and integrated sensing and communication, wireless built-in security technology can further perceive, customize, and manipulate the electromagnetic environment more finely, thereby actively shaping the optimal environment for combating wireless disturbances and providing adaptive security capabilities for 6G.

1.2 Technical Principles

(1) Physical Layer Key Generation

The physical layer key generation technology utilizes channel reciprocity. The transmitter and receiver can respectively obtain consistent channel features, such as channel state information and received signal strength, to generate consistent physical layer keys. However, the natural wireless channel is uncontrollable. By using RIS and other potential key technologies of 6G, the wireless environment can be actively remodeled: optimizing the channel conditions of communication and reducing the correlation between the legitimate channel and the eavesdropping channel increases the randomness of the channel and the entropy of the channel as a random source, thereby greatly improving the key generation performance.

(2) Physical Layer Security Transmission

The physical layer security transmission technology designs secure beamforming based on the characteristics of wireless channels. It may incorporate artificial noise injection to ensure reliable transmission of confidential information within the desired channel space, while attempting to transmit the artificial noise as much as possible in the null space of the desired channel, thus maximizing the capacity for secure transmission. Additionally, RIS can be leveraged to customize and optimize the wireless environment, amplifying the quality difference between legitimate channels and eavesdropping channels, thereby achieving secure transmission.

(3) Channel Fingerprint Authentication

Channel fingerprint authentication utilizes the uniqueness and time-space specificity of wireless channels to realize the authentication of node identity or network packets through continuous channel comparison or channel comparison within coherent time. In essence, the channel characteristics are used to add a position stamp to users. In that case, it not only increases the length of the trusted root, but also extends the traditional trusted root comparison and authentication mechanism based on identity information index to the authentication of wireless signals, resisting unknown wireless access attacks.

1.3 Technology Application Concepts

Wireless built-in security technology can solve security threats in the physical layer signal domain, such as wireless eavesdropping, wireless interference, and wireless deception, thus building 6G air interface physical layer security atomic capabilities. Furthermore, it could be integrated into the upper-layer security capability layer to form an integrated security capability, which could provide a secure and trusted foundation for upper-layer applications to meet differentiated security protection requirements. The wireless built-in security mechanism could provide security capabilities which do not depend on computational complexity, reduce the requirements for terminal energy consumption and processing capabilities, and meet the security and lightweight requirements of typical 6G application scenarios. For example, in massive IoT scenarios, the physical layer key generation technology can be combined with the upper-layer key system or lightweight encryption algorithm to reduce the burden of key distribution/management, and improve security while reducing computational complexity. At the same time, by using 6G potential key technologies such as Extremely Large-Scale MIMO antennas, RIS, and integrated sensing and communication, we can actively control and finely perceive the wireless environment, excavate and customize wireless channel information, and improve communication quality while assisting in improving wireless security performance.

Figure 2 Schematic Diagram of Application Concepts of Wireless Physical Layer Security Technology

1.4 Challenges and Suggestions

Leveraging the inherent sensing and control channel capabilities of 6G, it is expected to construct a new wireless physical layer security technology with intelligent native integration. However, the related research is still in its initial stage and needs to be explored as follows:

- Utilize emerging 6G technologies such as RIS, integrated sensing and communication, etc., to enhance the ability for channel customization and precise sensing, exploring the empowering mechanism from sensing capabilities to secure communication capabilities, achieving the integrated design of communication, sensing, and security;
- Utilize the deep integration of physical layer security and upper-layer security mechanisms to further improve the robustness of 6G security;
- Design and test the performance evaluation standards, methods and experimental analysis of physical layer security technology according to 6G security requirements, laying the foundation for its engineering applications, and constructing a wireless endogenous security performance evaluation system.

II. Distributed Trust Technology

2.1 Scenarios and Security Requirements

The open network ecology and heterogeneous integrated network architecture of 6G put forward new requirements for the trust system. On the one hand, 6G networks have the characteristics of cross-network, cross-industry, and deep participation of all parties in the ecology. 6G networks will support multi-party resource sharing. Spectrum resources and computing power will become network resources that can be dynamically and on-demand shared by multiple parties in the 6G era to achieve resource sharing, value transfer and monetization. Therefore, there is a need for a decentralized, open, transparent, and tamper-proof operational mechanism that can build consensus among multiple parties, address resource competition issues, and ensure the entire process is open, transparent, and trustworthy [5]. On the other hand, 6G networks support heterogeneous networks such as satellite networks, industry networks, and body area networks. Devices from different organizations and institutions need to establish secure and reliable trust relationships. Traditional telecommunications networks mainly adopt centralized and endorsement trust models. In the future, 6G networks need to introduce trust models based on consensus. The entities participating in the network use technical means to achieve mutual trust among multiple parties so that the root of trust no longer depends on a single point but is composed of multiple participating parties [6].

2.2 Technical Principles

Blockchain is the foundation of distributed trust. Blockchain technology is essentially a decentralized database that writes information into a block and forms a chain of blocks by connecting each block. Each block contains information about the previously connected block and uses cryptographic techniques such as hash algorithms to prevent the content and connection of the block from being tampered with. Blockchain has the characteristics of decentralization, openness, transparency, traceability, and tamper-proof [5]. The key technologies to implement blockchain can be summarized as P2P protocol, consensus algorithm, ledger structure, incentive mechanism, smart contract, cryptographic algorithm, etc.

According to the access system authorization method of participants, blockchain systems can be divided into two categories: permissionless blockchain systems, where anyone can access the system without authorization, and participants are untrusted; and permissioned blockchain systems, where participants can only access the system after being authenticated, and participants do not fully trust each other (semi-trusted). According to the different application scopes of blockchain, the permissioned blockchain systems can be divided into consortium chains and private chains. A consortium chain is a blockchain jointly managed by multiple institutions [6].

In addition to using blockchain to build a trust base, 6G also needs to design a distributed authentication scheme. The authentication of a telecommunication network consists of two parts. One is the authentication between telecommunication network devices. The current method mainly adopts the public key certificate method, and the trust root is usually the CA of the operator or equipment vendor. This is a kind of endorsement trust mechanism [6]. Decentralized Public Key Infrastructure (DPKI) may become an alternative technology for distributed device authentication. By building a trust platform collaboratively, and storing certificates and certificate verification processes in a distributed manner, DPKI can achieve cross-domain certificate verification, enhancing the trustworthiness and reliability of CAs.

The second is the authentication between telecommunication network users and the network. Currently, the identity of a user is typically created by operators and issued when the user signs contracts with the operator. All identities are centrally created, maintained, and managed by the operator, essentially constituting a centralized authentication scheme. Digital identity may emerge as an alternative technology for distributed user authentication. Decentralized Identifiers (DID) defined by the W3C are a verifiable, decentralized form of digital identity. DID is held by the controller, decoupled from the centralized registration authority, identity provider and certificate authority, and does not require any endorsement from other parties.

2.3 Technology Application Concepts

(1) 6G Blockchain

The 6G blockchain is based on the 6G network as the infrastructure, and mobile communication network nodes as the infrastructure nodes of blockchain. 6G blockchain serves 6G services, and around the core function of multi-party trust, it provides a secure and trusted platform for upper-layer service. The service also needs to reshape the service procedures due to the introduction of blockchain [7]. According to the different roles of blockchain in telecom networks, blockchain is deployed in different positions of the network, and there are three deployment modes. The following figure is a schematic diagram:

Figure 3 Schematic Diagram of Blockchain Deployment

1) Underlying blockchain mode: The core network blockchain module is deployed at the level of network elements or network management, generating initial blockchain nodes after the establishment of the network, and undertaking the functions of blockchain construction, maintenance, and permission authentication of blockchain nodes. The blockchain capabilities of access networks and terminals (in which blockchain clients may be provided) are pre-installed and can be used after access to the network. The blockchain exists with the establishment of the network and can realize functions such as user authentication and authorization and core network service discovery empowered by blockchain.

2) Upper-layer blockchain mode: The blockchain is built on top of the existing telecom network architecture, and blockchain functions can be plugged in or removed according to requirements. The blockchain functionality is deployed in the form of network functions in the core network, evolving independently and iterating quickly. The blockchain capabilities of access networks and terminals (in which blockchain clients may be provided) can be issued by the core network, and the blockchain capabilities can be freely configured according to requirements.

3) Hybrid blockchain mode: The blockchain module is divided into two parts, one part belonging to the basic functions of the telecom network, deployed in the underlying mode, and only containing basic trust functions such as identity authentication; the other part belongs to the service functions of the telecom network, deployed in the upper-layer mode, and additional functions can be added or removed as needed.

(2) Distributed Authentication

For distributed authentication among telecom network devices, 6G networks will introduce the DPKI technology based on blockchain. It will leverage the blockchain's characteristics of openness and transparency, consensus among multiple parties, and tamper-proof to build a trust alliance, enabling blockchain-based certificate and identity management, transparent auditing, and cross-domain verification. There are three main technical approaches: First, the real values of certificates are stored in a storage system, while the hashes of certificates are stored in the blockchain. The blockchain maintains the integrity of the data, thereby guarding against the failure of nodes in the storage system due to attacks. Second, operators form a consortium chain, with each operator writing their certificates and CA certificates required for network operations into the consortium chain. During authentication, complete certificates do not need to be provided, and only the corresponding identifiers on the blockchain need to be carried. Third, device public keys are generated based on identity information, without the need for signatures from authoritative entities or the use of digital certificates, simplifying the complexity of key management [7].

For distributed authentication between telecom network users and the network, 6G networks will adopt digital identity technology. Users have their own digital identities and can autonomously control the scope of their identities' use in different trust domains or services, selectively sharing specific identity information with entities that need verification.
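
One way the selective sharing described above can be realised, shown as an added example that is not taken from the white paper: only a salted Merkle commitment to the user's attributes is anchored on a hash-chained ledger (hashes on chain, values kept off chain), and the user later reveals a single attribute together with its proof. The Merkle construction, the in-memory list standing in for a consortium chain, the `did:example:` identifiers and all attribute names are assumptions made for illustration.

```python
import hashlib
import os

GENESIS = "00" * 32  # "previous hash" of the first block

def h(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated SHA-256 over length-prefixed parts."""
    d = hashlib.sha256(tag)
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def leaf_hash(name: str, value: str, salt: bytes) -> bytes:
    # The random salt stops a verifier from guessing undisclosed values.
    return h(b"leaf", name.encode(), value.encode(), salt)

def merkle_levels(leaves):
    """All tree levels, leaves first; an unpaired node is promoted unchanged."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [h(b"node", cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        # The slice is [last] for an odd-length level and [] for an even one.
        levels.append(nxt + cur[len(cur) - len(cur) % 2:])
    return levels

def merkle_proof(levels, index):
    """Sibling hashes from leaf to root as (hex_hash, sibling_is_left)."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append((level[sib].hex(), sib < index))
        index //= 2
    return proof

def block_digest(prev, did, root_hex):
    return h(b"block", prev.encode(), did.encode(), root_hex.encode()).hex()

def anchor(ledger, did, root_hex):
    """Append a block that commits to the previous block's hash."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev": prev, "did": did, "root": root_hex,
                   "hash": block_digest(prev, did, root_hex)})

def lookup(ledger, did):
    """Latest root anchored for did; None if absent or the chain is broken."""
    prev, found = GENESIS, None
    for b in ledger:
        if b["prev"] != prev or b["hash"] != block_digest(prev, b["did"], b["root"]):
            return None
        prev = b["hash"]
        if b["did"] == did:
            found = b["root"]
    return found

class Holder:
    """The user: keeps every attribute and salt, reveals one at a time."""
    def __init__(self, did, attributes):
        self.did = did
        self.items = [(n, v, os.urandom(16)) for n, v in sorted(attributes.items())]
        self.levels = merkle_levels([leaf_hash(n, v, s) for n, v, s in self.items])

    def root_hex(self):
        return self.levels[-1][0].hex()

    def present(self, name):
        idx = [n for n, _, _ in self.items].index(name)
        n, v, s = self.items[idx]
        return {"did": self.did, "name": n, "value": v, "salt": s.hex(),
                "proof": merkle_proof(self.levels, idx)}

def verify(ledger, presentation):
    """Rebuild the root from the one disclosed attribute; compare with the ledger."""
    root = lookup(ledger, presentation["did"])
    if root is None:
        return False
    node = leaf_hash(presentation["name"], presentation["value"],
                     bytes.fromhex(presentation["salt"]))
    for sib_hex, sib_is_left in presentation["proof"]:
        sib = bytes.fromhex(sib_hex)
        node = h(b"node", sib, node) if sib_is_left else h(b"node", node, sib)
    return node.hex() == root

def demo():
    # Constructed sample identity; every value here is made up.
    holder = Holder("did:example:alice", {
        "subscriber_name": "Alice Example", "age_over_18": "true",
        "home_operator": "operator-a", "roaming_allowed": "true", "device_class": "handset"})
    ledger = []
    anchor(ledger, "did:example:bob", "11" * 32)
    anchor(ledger, holder.did, holder.root_hex())  # done once, at issuance
    shown = holder.present("age_over_18")
    results = [verify(ledger, shown), verify(ledger, dict(shown, value="false"))]
    ledger[0]["root"] = "22" * 32  # tamper with an earlier block
    return results + [verify(ledger, shown)]

if __name__ == "__main__":
    print(demo())  # [True, False, False]
```

The verifier learns one attribute and a handful of hashes; a changed value or a rewritten ledger block both make verification fail. A single local list cannot show consensus, so the tail block is only as trustworthy as whoever holds the list.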

66、Digitalidentity can support anonymous identity verification.Users can provide the necessary identityinformation when they need to verify their identity,while simultaneously protecting theirprivacy;Identity authentication is extended to all entities within the network,encompassingnot only user authen

67、tication but also the authentication of digital personas,AI assistants,network nodes,and even distributed autonomous networks as a whole;Combining digitalidentity with smart contracts can realize automated identity authentication and permissioncontrol.2.4 Challenges and SuggestionsBlockchainfacesthe

68、impossibletriangleofsecurity,transactionrate,anddecentralization.It is impossible to simultaneously achieve all three.If blockchain is appliedto 6G networks,the existing blockchain architecture used in the internet cannot cope with thelarge and fast transactions characteristic of 6G.This presents a

69、critical flaw,as the securityand transaction rate fall short of requirements,significantly impacting system security.Therefore,research is needed on aspects of blockchain suitable for 6G networks,includingledger structure,deployment mode,consensus algorithm,and application mode.An analysisof the thr

70、ee sides of the impossible triangle is necessary to select the most suitable blockchainfor 6G networks.Distributed authentication introduces a new way of managing and verifying certificates12/45and identities,bringing new challenges to the network.Firstly,effectively managing,storing,and transmittin

71、g distributed certificates and identities presents a challenge.This requiresconsidering data reliability and maintaining data consistency.Secondly,the authenticationprocess before network entities interact needs to be reconstructed.New and advancedcryptographic technologies can be utilized to enhanc

72、e the security and verification efficiencyof certificates and identities,ensuring secure protection and efficient verification duringdistributed storage.Furthermore,the introduction of smart contract technology can realizeautomated authentication and permission control of certificates and identities

73、,ultimatelyimproving system efficiency.13/45III.Ubiquitous Trust Technology3.1 Scenarios and Security RequirementsThe 6G cloud-edge-terminal converged architecture will blur the traditional securityboundaries,requiring cross-domain and consistent security solutions to realize a unifiedorchestration

74、of security policies.At the same time,the development of generative artificialintelligence will greatly reduce the attack threshold and improve the automation of attacks.Traditional security protection mechanisms of detecting and then filtering will not be able tomeet the requirements of massive ser

75、vice connections and low latency.6G networks need asecurity technology that does not rely on prior knowledge of attacks,does not affect serviceprocessing performance,and can ensure the security of data processing and cross-domaininterconnection and interoperability.This technology should also be abl

76、e to provide aconsistent security solution for the cloud,edge,and terminal,and provide real-timeassessment and protection of network assets.3.2 Technical PrinciplesTrusted computing is a technology based on hardware,software,and protocols that aimsto protect the integrity,availability,and confidenti

77、ality of computer systems,preventunauthorized access and attacks,and provide the ability to verify and assess thetrustworthiness of computer systems.Trusted computing mainly includes the following keytechnologies:secureboot,securemetric,remoteauthentication,trustedexecutionenvironment,and memory/vir

78、tual machine security.(1)Secure Boot and Trusted MetricBy verifying the integrity and authenticity of the firmware,operating system,and driversduring the system boot process,it ensures that only authorized software is loaded andexecuted.This function can effectively detect and prevent unauthorized o

79、r tampered softwarefrom being loaded and executed during the boot process,thus effectively preventing theintrusion of malicious software.It can also prevent attacks on chips by exploiting hardwarevulnerabilities.The application of secure boot and trusted metric can ensure that assets can bediscovere

80、d in time when attacked by malicious software.Through the remote authenticationserver,the security posture of all assets can be evaluated,so that security O&M personnel canperform security O&M on assets more efficiently.14/45(2)Trusted Execution EnvironmentA trusted execution environment provides an

81、 environment that is isolated from the mainoperating system.This means that even if the main operating system is attacked,sensitivedata and code will not be affected.At the same time,applications running in the trustedexecution environment can securely process sensitive data without worrying about t

82、his databeing accessed by malicious software or unauthorized applications.For users,since thetrusted execution environment allows equipment manufacturers and application developers tobuild a verifiable chain of trust,ensuring that every link from boot to runtime is secure,itincreases user trust in d

83、evices and applications.Therefore,the trusted execution environmentcan be used to protect assets that are in an insecure environment or assets that run high-riskapplications and process sensitive data.3.3 TechnologyApplication ConceptsBy applying trusted computing solutions in 6G networks,it is poss

84、ible to provide usersof 6G networks with a higher level of security,and allow 6G network maintainers to providethe same quality of service at a lower cost and with less energy consumption.A complete trusted computing solution requires the collaboration of chips,firmware,operating systems,etc.The fol

85、lowing figure shows the relationship between key trustedcomputing technologies:Figure 4 Schematic Diagram of the Relationship Between Key Technologies of TrustedComputingAs can be seen from the figure above,the root of trust is the cornerstone,providing atrusted foundation.Secure metric builds a cha

86、in of trust to extend trust to the operating systemand applications.The trusted execution environment provides a security mechanism to protect15/45sensitive data processed during application execution.Since the root of trust is located in aread-only area and trusted verification is located on a remo

87、te server,it is difficult for attackersto upload malicious software or tamper with applications.For assets that have applied trusted computing solutions,O&M strategies are moreconcerned with how to configure them so that attackers cannot cause harm,rather than theattacksandattackvectorslaunchedagain

88、sttheassets.Thismakessecuritydetection/protection no longer in series with the business,not only eliminating the problemsof increased service latency,bandwidth,and impact on service continuity caused by securitydetection/defense,butalsogreatlyreducingtheresourceconsumptionandenergyconsumption of sec

89、urity detection/defense.For security O&M,trusted computing provides a unified solution for heterogeneousassets.Through the same protocol,the remote authentication server continuously evaluatesthe security state of assets,providing an endorsement for cross-domain interconnection andinteroperability.A

90、ssets that fall into an untrusted state can be quickly discovered and isolated.For data providers,trusted computing provides an isolated secure operating environment.Sensitive/private data is transmitted encrypted and processed in an isolated memory area by asecure application developed by the data

91、provider.This technical approach effectivelyeliminates the possibility of third-party platforms stealing data,alleviating concerns for dataproviders and facilitating cross-domain data flow,thereby empowering innovation in variousfields.3.4 Challenges and SuggestionsUbiquitous trusted technology incl

92、udes multiple trusted modes,and trusted computingprovides a root of trust for various trusted modes.However,applying trusted computing to 6Gnetworks still faces some challenges.For example,secure boot increases the applicationrestart time,indirectly affecting network elasticity.Furthermore,since the

93、 root of trusted islocated within hardware OTP resources,once the root of trusted is leaked,the cost ofchanging is very high.Based on these challenges,selectively implementing certainfunctionalities of trusted computing in 6G networks is necessary.Additionally,it is alsonecessary to consider how to

94、improve the trustworthiness of existing security functions basedon the trusted computing root of trust,to build a trusted interaction environment betweendifferent nodes in the whole network and realize ubiquitous trusted in the whole network.16/45IV.Quantum Security Technology4.1 Scenarios and Secur

95、ity RequirementsIn the 6G era,with the continuous maturity and development of quantum computingtechnology,its importance in mobile communications will increase exponentially.Thesecurity of public key cryptographic algorithms depends on the difficulty of computationalproblems,such as integer factoriz

96、ation or discrete logarithm problems over various groups.Quantumcomputerscaneffectivelysolvetheseproblems,makingallpublickeycryptosystems based on these assumptions insecure.Therefore,sufficiently powerful quantumcomputers will put modern cryptographic systems such as key exchange,encryption,anddigi

97、tal authentication at risk.Quantum computers will affect the security strength ofsymmetric and asymmetric algorithms to different degrees,the strength of symmetriccryptographic algorithms will be halved,while many commonly used asymmetric algorithms,such as RSA,Digital Signature Algorithm(DSA)and El

98、liptic Curve Cryptography(ECC)will not provide any security.The two mainstream quantum security technologies are Quantum Key Distribution(QKD)and Post Quantum Cryptography(PQC).These two technologies have differentcharacteristics and advantages.In the information security of the post-quantum computi

99、ng era,with the help of the related characteristics of quantum technology and cryptography,we canbe prepared for quantum secure communication.4.2 Technical Principles(1)QKDQKD is an encrypted communication technology based on the principles of quantummechanics.Its main goal is to securely distribute

100、 keys between communicating parties,so thatsubsequent communication can be theoretically unbreakable.Similar to public keycryptography,QKD also allows the establishment of shared keys;different from public keycryptography,QKD protocols are based on the principles of quantum mechanics,and can beprove

101、n to be theoretically secure even in the scenario of a hypothetical eavesdropper withunlimited computing power.Atypical QKD network is shown in the figure below:17/45Figure 5 Schematic Diagram of the Typical Architecture of QKDN and User NetworksDefined by ITUThe QKD protocol is executed by a pair o

102、f QKD modules connected via a QKD link,which consists of a classical channel and a quantum channel.Keys(i.e.symmetric randomstrings)are established between QKD modules.Paired QKD modules connected via a QKDlink and the corresponding key managers(KMs)connected to the QKD modules via a KMlink constitu

103、te the basis of a QKDN.The QKDN allows cryptographic applications to sharesecure keys between any two designated nodes via appropriate key relays.The keys generatedin the QKD modules themselves must be securely managed in the QKDN throughout theirentire life cycle(from generation to provision to the

cryptographic applications in the user network) [8].

(2) PQC

PQC, on the other hand, follows the concept of classical cryptographic systems and seeks new complex mathematical problems that are difficult for quantum algorithms to crack quickly. The goal of PQC is to develop cryptographic algorithms that are secure for both quantum and classical computers, and that can interoperate with existing communication protocols and networks.

In the symmetric cryptosystem, to resist the potential impact of quantum computing on the classical cryptosystem, a 256-bit algorithm will be used to replace the 128-bit algorithm. In
5G, 128-bit algorithms NIA/NEA 1/2/3 are used for security protection of AS and NAS layers, and the corresponding 256-bit algorithms are already being studied in 3GPP SA3 and ETSI SAGE. In the 6G era, if AES-256 is adopted, NIST believes that AES-256 will remain secure for a long time even under attack using currently known quantum algorithms (such as Grover's quantum algorithm), and recommends that current application systems can continue to use AES with key sizes of 128 bits, 192 bits, and 256 bits.

Public key cryptographic algorithms, such as ECCSI and RSA, are widely used in 5G systems and Internet services. NIST (National Institute of Standards and Technology) launched a process in 2016 to solicit, evaluate, and standardize one or more quantum-resistant public key cryptographic algorithms. The new public key cryptography standard will specify one or more additional non-secret, publicly disclosed digital signatures, public key encryption, and key establishment algorithms that are available worldwide and capable of protecting sensitive regulatory information. NIST will publish a standard on quantum-resistant cryptography in 2024. The stability and security of quantum-resistant algorithms are also the most critical issues for deploying PQC to 6G. After three rounds of selection, NIST has selected the following algorithms [9]:

1) CRYSTALS-KYBER: Lattice-based key encapsulation mechanism
2) CRYSTALS-DILITHIUM: Digital signature algorithm based on lattices, recommended by NIST as the main digital signature algorithm
3) FALCON: Another digital signature algorithm with smaller bandwidth, but more complex to deploy
4) SPHINCS+: A stateless hash-based digital signature algorithm with strong security, but not as performant as DILITHIUM and FALCON.

4.3 Technology Application Concepts

If cost is not considered, QKD can be used to generate
shared keys between the radio access network and the core network, and quantum secure symmetric key algorithms based on these keys can then be used to encrypt communication between the two.

PQC plays a critical role in the general security framework of 6G systems. It is used for quantum secure trust anchors, secure protocols for quantum security, and quantum secure networks to ensure the security of systems or data transmission. Quantum secure trust anchors are the security foundation of 6G systems, where long-term quantum secure keys are used to authenticate users and derive session keys, while quantum secure PKI is used to ensure the authenticity of public keys used in quantum secure protocols. Quantum-secure IPSec, TLS, and DTLS can be deployed in forward and reverse paths to protect data transmission. Quantum-secure TLS can be deployed in the core network to protect communication between NFs.

4.4 Challenges and Suggestions

Currently, QKD technology is relatively mature, but it still has certain limitations in deployment. Optical fiber QKD can be implemented on existing optical infrastructure. However, due to photon transmission losses, the maximum transmission distance of QKD photons is limited. The solution
to this problem relies on trusted relay nodes, thereby chaining multiple QKD systems. This solution also imposes high requirements on relay nodes. QKDN deployment also has corresponding security threats in various layers and interfaces. ITU-T X.1710 gives a detailed analysis and security protection enhancement.

Although PQC algorithms are about to be released, their security and reliability need to undergo rigorous and extensive evaluation by academia, industry, and research before they can truly be applied in communication and internet systems.

V. Privacy Protection Technology

5.1 Scenarios and Security Requirements

6G networks rely on the entire data lifecycle of massive data collection, storage, processing, and flow to carry out various services, and the data contains privacy-sensitive information such as personal identity. Due to the frequent dynamic changes of data transmission and the unpredictability of transmission paths, the ownership and management rights of data in the entire lifecycle are separated, which makes it difficult to verify data integrity and ownership, and there are risks of user privacy being easily leaked, tampered with, and illegally tracked. Therefore, 6G networks need to ensure data security and privacy protection throughout the data lifecycle, and ensure that data and privacy information flow in compliance with laws and regulations.

Due to the integration of multiple heterogeneous networks in 6G, the physical and logical boundaries are blurred, and users of different security levels frequently
perform cross-domain access, which makes it difficult to authenticate data sources, and there are great security risks and difficulties in cross-domain data sharing. Existing traditional access control technologies can no longer meet the requirements of cross-domain dynamic fine-grained access control of 6G networks. Therefore, it is necessary to support large-scale, highly dynamic fine-grained cross-domain access control, realize data source authentication in the environment of frequent cross-domain authentication of massive data, and ensure the credible transmission and controlled sharing of data across domains.

5.2 Technical Principles

Throughout the entire lifecycle of data, corresponding privacy protection techniques are required at each stage to ensure data security, as shown in the following figure.

Figure 6 Schematic Diagram of Privacy Protection Technology Throughout the Data Lifecycle

In the data collection stage, anonymization, data masking and data de-identification are methods used to protect personal privacy and sensitive information. Anonymization processes data to remove personally identifiable information. This is usually done by replacing or deleting the personally identifiable information. Data masking techniques reduce the sensitivity of data by encrypting, replacing, masking, or deleting it, to protect privacy while retaining the analytical value of the data. Data de-identification techniques remove or replace individual identity information in the process of data sharing and processing. This can be achieved through generalization, suppression, dissection, permutation, and disturbance to protect privacy while allowing effective data analysis and sharing.

Symmetric encryption is a widely used technology during the data transmission and processing stages. The sender and receiver use the same key to encrypt and decrypt data, ensuring secure transmission. Common symmetric encryption algorithms include DES, AES, and SM4, which ensure the confidentiality and integrity of data transmission. Symmetric encryption has the advantages of high speed and low cost, and is suitable for resource-constrained environments such as mobile devices and embedded systems, effectively protecting data privacy.

Data masking, differential privacy, and data de-identification are important methods used to protect personal privacy and sensitive information in the data processing and analysis stage. Data masking and data de-identification
are as described above. Differential privacy introduces noise into the data to ensure that even if individual data is added to the dataset, it is impossible to infer the information of specific individuals, thereby protecting personal privacy.

In the data usage and sharing stage, quick verification and access control of user identity and permissions, such as Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), can ensure that only authorized users or systems can access data. At the same time, by performing secure computing on edge devices, such as homomorphic encryption and Secure Multi-Party Computation (MPC), the risk of data transmission delay and privacy leakage can be reduced. Deploying a trusted execution environment provides a protected execution environment for sensitive data processing and computing tasks. Combined with federated learning technology, distributed data sharing and model training can be realized. This enables data sharing and utilization while protecting data privacy.

5.3 Technology Application Concepts

To address the security protection issues of data cross-domain circulation, topology-dynamic cross-domain access control and secure isolation exchange technologies can be utilized. By formulating effective access control policies, authentication of data sources in environments with frequent cross-domain authentication of massive data can be achieved, effectively and legitimately controlling large-scale, highly dynamic fine-grained cross-domain access behaviors.

(1) In 6G networks, anonymization, masking, and data de-identification technologies are widely used to protect user privacy. Anonymization hides user identity by replacing real identity information with pseudo-identifiers. Masking is applied to sensitive data, such as personally identifiable and location information, to prevent leakage. Data de-identification hides personal identity and health data to protect user privacy. These technologies are not only used for personal data transmission and processing but also support applications such as smart cities and health monitoring. In the future, 6G networks will facilitate a wider range of health monitoring and medical applications, such as telemedicine and health data collection, while ensuring that user privacy is not violated.

(2) 6G networks utilize higher frequencies and wider frequency bands to achieve higher communication speeds and capacities, supporting higher data transmission rates. Data transmission and storage employ symmetric encryption algorithms to ensure confidentiality, with only authorized users able to decrypt. The 6G network effectively protects data security and privacy, providing more secure and reliable communication and data services.

(3) In data processing and analysis, leveraging the high-speed data transmission and large-scale data processing capabilities of 6G, differential privacy, data masking technology, and data de-identification technology may collaborate to play more crucial roles. Differential privacy technology can be widely applied in the data transmission and
processing processes between mobile devices and central servers, providing stronger protection for user privacy. As the sensitivity of the data increases, data masking technology can reduce the sensitivity of the data by masking or replacing sensitive information to protect the data, becoming one of
the essential means to safeguard data. Combining data de-identification technology with differential privacy technology and data masking technology can ensure a higher level of privacy protection for data processing and analysis while ensuring the correctness and effectiveness of data analysis when data sharing and model training are performed in a secure computing environment.

(4) Data usage and sharing stage. In 6G networks, leveraging their characteristics of high bandwidth and low latency, rapid verification of user identity and permissions, and access control can be achieved. During the design process, fine-grained access control can be implemented on data based on factors such as user identity, role, and permissions. At the same time, the high-speed communication and mobile edge computing capabilities of 6G networks can be used to offload secure computing tasks to edge devices. Trusted execution environments can be deployed in 6G networks to execute data processing and computing tasks in secure processors or protected hardware environments, ensuring the security of data and computing. Combined with federated learning technology, multiple parties can be supported to perform model training and parameter updates
in a distributed environment, thus realizing data use and sharing.

By combining the above technologies, it is possible to build a secure and efficient data use and sharing system. In such a system, data is protected at every stage of collection, storage, processing, and sharing. Users can safely share data and
perform related calculations and analysis while ensuring that the privacy and integrity of the data are protected.

5.4 Challenges and Suggestions

With the popularization of intelligent applications in the 6G era, data types are becoming increasingly diversified, involving multi-dimensional data such as biometric features and behavioral habits. At the same time, the data sources are also becoming increasingly rich, involving multiple entities such as individual users, corporate institutions, and IoT devices. Different data types and entities have different privacy protection requirements, so it is necessary
to flexibly apply various technologies to cope with the diversification of protection objects. In addition, to ensure data security and privacy protection, it is necessary to establish a systematic framework. The comprehensive use of multiple cryptographic technologies and their integration into a complete
security framework can improve the efficiency of privacy protection. However, there are also some challenges in designing a reasonable security framework. With the increase of cross-domain data flow, privacy protection laws and regulations in different industries and regions may vary, which brings complexity to data security. Therefore, future privacy protection technologies need to follow general data protection policies to ensure the interoperability and effectiveness of various technologies and methods in different environments.

VI. Security Capability Service-Oriented Technology

6.1 Scenarios and Security Requirements

The 6G network, which is developed with a user-centric approach, aims to meet the needs of all users. It needs to provide differentiated security capabilities required by different services, which brings great security challenges to network management, resource allocation, and data transmission. As network capabilities penetrate various industry application scenarios, lightweight, efficient processing, and on-demand orchestration are gradually becoming the important features of 6G network security capabilities. This requires the network security architecture to have the ability of autonomous adaptation, intelligent collaboration, and scalability. It needs to be able to support the vertical and horizontal expansion of security capabilities on demand and ensure the robustness and flexibility of the security architecture. Therefore, both from the perspective of network architecture and service requirements, security capabilities are required to dynamically adapt to heterogeneous networks, diverse terminals, and complex service scenarios. It needs to realize rapid scheduling and elastic deployment to ensure the continuity and security of services.

6.2 Technical Principles

The technical foundation of security capability servitization is Software Defined Security (SDS). It decouples physical and virtual network security devices from their access mode, deployment methods, and network functions. The underlying security capabilities are atomized, and the top layer is unified through software programming to realize intelligent and automated service orchestration and management. It completes the corresponding security functions and realizes the servitization of security capabilities to meet the diversified security protection requirements of different services and scenarios.

Figure 7 Software Defined Security Diagram

Network security capabilities and virtualized security systems are abstracted into a resource pool with multiple different security capabilities. This resource pool can be horizontally scaled according to the specific service volume and different security requirements of customers. The security orchestration and control center connects to the security resource pool through the southbound interface. The northbound interface provides programming interfaces for security capability opening and service provision. The east-west interface adapts to platforms such as operation support systems and service management systems. The security orchestration and control center converts the information obtained from the northbound and southbound interfaces into normalized and standardized security policies, asset library information, log alerts, etc. It completes task scheduling and intelligent decision-making through the intelligent orchestration model. Security capabilities are open to different types of users or third-party platforms. Security applications are developed based on different user security requirements. The security functions in the security capability resource pool are called by combining the task scheduling and orchestration capabilities of the security orchestration and control center. This provides agile, on-demand, and flexibly scheduled and deployed security services.

6.3 Technology Application Concepts

SDS deploys security capability resources through software programming, making it possible to achieve flexible and scalable network security protection. According to different scenarios and service characteristics and needs of different users, it can customize personalized security services and security policies through security models. It can also schedule security resources on demand to quickly adapt to and meet the elastic security requirements of 6G networks. SDS technology is applied in various scenarios in 6G networks to achieve security intelligence orchestration and unified collaboration with 6G networks.

(1) When the service is deployed or migrated across different domains, the service needs to switch between multiple subnets or different networks. The security policy needs to realize adaptive policy orchestration and follow-up to ensure the consistency and continuity of security protection.

(2) When the network is dynamically created and the network topology changes dynamically, the security policy needs to be automatically sensed and adjusted according to the changes in the network and security environment to ensure the consistency of security protection and the continuity of the network.

(3) According to the changes in general computing resources and security computing capabilities, security resources can be automatically scheduled and deployed to meet differentiated security protection requirements.

(4) Based on the different security requirements of complex services, the network functions can be automatically decomposed and mapped to achieve on-demand protection of the entire network for security services. At the same time, the security policy can be seamlessly converted when the service scenario switches.

6.4 Challenges and Suggestions

Security capability service-oriented technology can provide differentiated, scalable, and sustainable security services for 6G networks. The software defined security architecture, with security intelligent control and orchestration as the core, will integrate AI capabilities. Combined with AI models, it will make the orchestration of security capabilities and external services more intelligent according to service type, risk level, and management requirements. This will play a role in reducing costs and increasing efficiency. It is necessary to pay attention to the insufficient interpretability of the AI intelligent orchestration model itself and to security risks such as vulnerabilities in the open source components used in security capability servitization, and to ensure the security of the intelligent models and algorithms used in security capability servitization.

In addition, the 5G service-oriented network architecture supports a new mode of network capability opening. To ensure its security, general security requirements for capability opening, APIs, and devices have been formulated. The flexible and elastic network architecture of 6G will further support the atomization of security capabilities and the servitization of security capabilities. Therefore, it is more necessary to promote the standardization of security atomic capability control and opening, and provide standardized support for the intelligent orchestration and on-demand scheduling of security capabilities for different manufacturers.

VII. Mimic Defense Technology

7.1 Scenarios and Security Requirements

5G networks have realized service-oriented network function and infrastructure virtualization, which can quickly integrate the functions of various network components to build new use cases and new scenarios. However, this also exposes many security risks. The componentization and servitization of components make it possible for each component to be actively attacked or passively eavesdropped. In addition, the inherent untrustworthiness of software systems makes it possible for random errors, failures, and faults to occur. 6G will continue to use the cloud-based and service-oriented architecture of 5G. Therefore, any unreliable network component will increase the system risk, and any security protection that is not in place will lead to the risk of being attacked, eventually evolving into a network accident. 6G should support traditional security capabilities while expanding to support trustworthiness, including security, safety, resilience, and reliability, to achieve built-in security and trustworthiness in the generalized 6G networks. In particular, in extremely reliable communication scenarios, it is necessary to solve the general security problems caused by 6G networks due to the cloud-based infrastructure hardware platform vulnerabilities, operating system software vulnerabilities, and network function software vulnerabilities.

7.2 Technical Principles

Mimic defense technology is a built-in security architecture technology. It employs a closed-loop iterative multi-dimensional dynamic reconfigurable robust control structure, namely DHR, based on policy decisions. It consists of functionally equivalent heterogeneous executors, input/output proxies, mimic decisions, feedback control, and schedulers. Among them, the input proxy is used to distribute external input signal sequences; the output proxy and the mimic decision together form a normalized judgment interface; and the core of the feedback control and the scheduler consists of a set of pre-set scheduling policies and intelligent learning algorithms. When an abnormality is detected by the mimic decision, the feedback scheduler is activated and instructs the relevant components to perform operations such as replacement, migration, cleaning, reorganization, and reconstruction of the current operating environment. This process is iteratively executed until the abnormal condition of the mimic decision disappears or the occurrence frequency is lower than a certain set threshold.

Figure 8 Abstract Model Diagram of Dynamic Heterogeneous Redundancy Architecture (DHR)

7.3 Technology Application Concepts

With the trend of cloud-network integration, the scale and composition of 6G network devices are becoming more complex, involving the collaborative work of multiple devices, systems, and networks. The 6G system can adopt the dynamic heterogeneous redundancy (DHR) construction concept in the top-level architecture design. The complexity of multiple devices, systems, and networks can be used to change the similarity and singularity of existing service objectives. This enables flexible changes in the carrying devices, system types, and network paths of network elements in the
event of attacks or failures, achieving high reliability and elastic services for the network. Specifically, this is reflected in the integration of DHR and NFV functions. On one hand, NFV provides global network view information. On the other hand, DHR continuously monitors and analyzes the network infrastructure and changes the service behavior through the feedback control loop to ensure network security.

Mimic defense technology can also be integrated into the built-in security framework of the 6G system. The security control layer carries the mimic controller capability, and the structured policy control
module integrates the mimic defense policy. According to the security deployment request of the decision-making layer, it converts the user-oriented security service into dynamic scheduling, random migration, and redundancy management policies, such as dynamic adjustment of network and software parameters, management of functionally equivalent heterogeneous entities, and rotation policies. Then, the tasks are assigned to the orchestrator. The orchestrator is responsible for creating a new mimic domain network slice and generating multiple NFs (including heterogeneous replicas of VNFs and mimic decisions
at the network function level) on virtual resources. With the assistance of the SDN controller, the link connections, routing rule assignment, and automatic deployment of these NFs are completed according to security requirements. Then, the information generated by the network slice is fed back to the mimic controller to complete the generation of a mimic network slice. The mimic network slice will periodically rotate the network element replicas to confuse the attacker. At the same time, when the mimic decision senses that the executor is under attack, it will notify the mimic controller, which will clean and rotate the attacked executor. Even if a single executor is compromised, the redundancy mechanism can be used to avoid service interruption caused by a single point of failure.

7.4 Challenges and Suggestions

Mimic defense is based on the diversity of software and hardware, with the main goal of maximizing heterogeneity. It integrates redundancy, voting, dynamic cleaning, and reconfiguration technologies. Challenges in applying mimic defense technology in 6G networks include: 1) The presence of a large number of heterogeneous and redundant resources in the network increases system costs and complexity. The mimic controller
needs to dynamically schedule resources without affecting network communication efficiency. 2) The decision mechanism of mimic defense improves system security but also increases the time overhead of network processing.

In response to the above challenges, the first is to introduce intelligent algorithms
and adaptive policies to realize dynamic resource management. At the same time, AI technology is introduced in the voting process to sense the state of the executor in advance, assist in improving the decision efficiency, and reduce the decision delay. The second is to reduce economic costs by using diversified compilation to generate heterogeneous executors and general decision technology to adapt to various service needs.

VIII. AI Security Management and Decision-Making Technology

8.1 Scenarios and Security Requirements

Currently, AI technology has been integrated with 5G networks in various aspects
such as radio access networks, core networks, and network O&M, and it has also been applied in vertical industry fields. In the petrochemical, construction, and mining industries, 5G private networks are deployed and AI technology is used to monitor and analyze large-scale multi-modal data at the edge side to
realize intelligent and precise abnormal fault early warning and risk management, thereby significantly reducing production faults and safety accidents, leading to a substantial increase in production efficiency.

With the further breakthroughs of artificial intelligence in algorithms, computing power, and
data, AI and communication integration is one of the six key application scenarios of 6G, which will promote the transformation of human-to-human and things-to-things to intelligent connection. 6G AI services will support multiple scenarios such as Smart City, Smart Home, Smart Industry, Smart Transportation, and Smart Healthcare, fully integrating into all aspects of social life. This also requires 6G networks to support native intelligence architecture, privacy protection of user data, trustworthy networking, and a diversified ecosystem that supports both consumers and vertical markets. Security capabilities
such as trusted data federation modeling and AI model robustness for 6G networks are also critical.

8.2 Technical Principles

AI security management and decision-making technology is a method that utilizes the distributed computing power of network elements and mature AI algorithms to assist the network system in completing communication and security processes. This significantly improves the network's capabilities in security management, security O&M, and security incident response. In current 5G networks, the Network Data Analytics Function (NWDAF) has been introduced to leverage its advantages in data collection, training, inference, and closed-loop control in the process of security management and decision-making.

In 6G networks, the distributed deployment of NWDAF collects network traffic data, extracts key features of the network, and utilizes mobile federated learning, privacy computing, and Artificial Intelligence algorithms to achieve accurate monitoring and analysis of user equipment (UE) behavior, communication patterns, and network traffic as well as privacy protection in 6G networks, effectively identifying potential security threats and providing a basis for decision-making for network security management, agile security policy construction and full-stack network protection. At the same time, by integrating other network functions (NF) (such as 5G unified data repository (UDR), application function (AF), and operation and maintenance (OAM) data) in the network, NWDAF can support dynamic adjustment of
network security policy, and form a 6G network big data analytics system architecture that can provide diversified security solutions.

Figure 9 Schematic Diagram of AI Security Management and Decision-Making Technology

Facing the diversified services and multi-source data of 6G, further introduction of AI
capabilities can promote the built-in intelligence and adaptability of the network. Benefiting from the integrated sensing and communication technology, 6G can achieve a comprehensive perception of multidimensional data such as network data, service data, and user data. Through unified management, unified dictionary, unified analysis, and unified presentation of data, as well as relying on comprehensive data sources to further expand and solidify the scenarios based on existing service scenarios, continuous monitoring and feedback loops, along with advanced AI algorithms, the performance of the 6G Network in
terms of security management and decision-making can significantly exceed that of the existing 5G Network. By conducting real-time analysis and processing of extensive data, 6G networks can recognize and respond to security threats more quickly and accurately, while providing personalized security solutions that significantly improve network security and user trust. Furthermore, 6G networks will enable intelligent collaboration and knowledge sharing among multiple NWDAFs and NFs through distributed federated learning technology. This not only improves the efficiency of data processing and decision-making but also forms a more comprehensive and efficient network security management and decision-making support system through cross-region and cross-layer data synthesis. This improves the adaptability and flexibility of 6G networks and provides stronger built-in security capabilities, facilitating more powerful and inherent security protection for the network.

8.3 Technology Application Concepts

AI will bring new opportunities for 6G network security, promoting the integration of AI technology and the network through AI-empowered 6G security and AI security assurance. This will further facilitate the development of 6G network security.

(1) AI For Security: Provide intelligent analysis and decision-making related to network security.

With the advancement of new technologies, traditional external security detection methods are inadequate in dealing with diverse security attacks. It is necessary to use AI for intelligent detection of network security in order to improve detection efficiency. AI technology helps to enhance the security defense capabilities of the 6G network, especially playing an important role in network threat detection and situational research, intelligent security decision-making, automated response and response, and policy self-adaptation. Transfer learning technologies help address the problem of insufficient training data for AI analysis models, while deep learning techniques are suitable for the rapid detection of security incidents. Reinforcement learning technology is able to improve model prediction accuracy and efficiency. In addition, AI-based security capabilities can be embedded in various stages of network operation. Embedding AI models into security analysis platforms enables quick prediction and judgment of security posture through real-time data analysis, outputting security policies to guide the deployment of security measures and dynamic defense by security controllers. In the implementation of security capabilities, intelligent sensing and analysis capabilities of AI models are utilized to evaluate defense effectiveness, promote model optimization, improve model analysis and decision-making accuracy, and achieve precise defense.

(2) Security For AI: Provide secure transmission and privacy protection for AI models and algorithms.

In 6G networks, AI security management and decision-making technologies not only enhance the intelligence level of network management but also bring new security challenges. The reliability and availability of network-based AI security management and decision-making heavily rely on AI capabilities processing the entire chain of user data, including acquisition, analysis, training, and inference. Consequently, it faces multidimensional security threats. During the data collection stage, collaborative poisoning attacks from malicious terminals may contaminate the data source and affect the training quality and decision correctness of AI models. To mitigate this threat, methods based on zero trust and improved user authentication, authorization, and data governance can be
effectively applied. Adversarial attacks aim to mislead AI models by designing input data, thereby threatening the model's robustness during the training stage. To effectively filter and resist adversarial attack data, and protect AI models, improving wireless air interface security and integrating end-to-end transmission security mechanisms into upper-layer interfaces with mobile cellular systems can be effective policies. During the model transmission and deployment stage, model inversion attacks and privacy inference attacks can lead to the leakage of user privacy. To address security threats caused by the disclosure of critical parameters (such as gradients) used in the model, methods such as homomorphic encryption, privacy-preserving computation, and model compression transmission can be used to ensure the security of AI model usage. By comprehensively applying the latest technical means and policies, ensuring the security of the entire AI process will become an important direction in 6G security research and practice, supporting the healthy development of 6G network intelligent management and the security and privacy guarantee of user data.

8.4 Challenges and Suggestions

In the field of intelligent network security management and decision-making for the 6G era, it is necessary to ensure the security of AI capabilities and services, including the security of AI algorithms themselves and the use of AI technology to address security management in mobile communication networks. To address data security risks
in the Core Network, it is recommended to establish strict data processing and protection guidelines during AI training and adopt a graded and classified protection mechanism to encrypt, mask, and control access to sensitive information. In addition, to address potential security vulnerabilities that may arise during the collection and processing of data for Core Network AI applications, strengthened security monitoring and audit of data flow should be implemented to ensure end-to-end security throughout the data lifecycle. To mitigate security risks inherent to AI systems, including vulnerabilities in models and algorithms, it is recommended to increase the robustness of AI models through methods such as adversarial training, to identify and defend against potential unknown attacks and ensure the stable and reliable operation of the AI system. Given the significant expansion of the 6G network service scope
and granularity, it is recommended to research intelligent security management frameworks that can achieve highly personalized security policy implementation for security and privacy guarantees. The framework should have real-time learning and adaptation capabilities, and be able to automatically adjust security policies based on dynamic changes of network state and user behavior, thus providing precise and effective security and privacy guarantees.

IX. DTN Security Deduction Technology

9.1 Scenarios and Security Requirements

In the Framework and Overall Objectives of the Future Development of IMT for 2030 and Beyond [10] released by the ITU-R, it is proposed that digital twin is one of the nine major user application development trends for 2030 and future 6G systems. It aims to achieve connectivity among humans, devices, and things, enabling real-time synchronization between the physical and virtual worlds. The digital twin network is a network system that consists of physical network entities and virtual twin bodies, which can interact with each other in real-time mapping. By analyzing, diagnosing, simulating, and controlling the network based on the virtual twin body, it is possible to achieve low-cost
trial and error, intelligent decision-making, efficient innovation, and predictive maintenance.

Digital twin technology can help the security field seek solutions beyond physical networks. Digital twin technology can be applied to the following security scenarios: In combination with security deduction, it can provide a digital verification environment close to the real network for network security, enabling low-cost trial and error, intelligent decision-making, and predictive maintenance, which can ensure the security and reliability of physical networks; in combination with attack deception, the digital twin network provides a more realistic trap environment and a real-time network monitoring system, and can dynamically adjust the trapping plan according to the attacker's behavior; in combination with security O&M, it can evaluate the state of the communication network, diagnose existing problems and predict future trends. By simulating the possibility of various attacks, it provides a more comprehensive and optimized security policy. At the same time, its ability to autonomously construct and expand enables exploration of new service requirements and verification of their effectiveness, providing precise security
services for vertical industries.

Digital twin networks have the characteristics of digitization, networking, and intelligence. Their application environment is more open, interconnected, and shared, while also introducing new security requirements for 6G networks, such as massive data transmission, storage, usage, and privacy protection, the trustworthiness guarantee of the twin model, and the secure interaction between the twin network and the physical network.

9.2 Technical Principles

(1) Data Security Collection

The foundation of digital twin networks is the acquisition of vast amounts of physical network
data, which requires ensuring the comprehensiveness, credibility, and security of the data during the data collection process. To ensure the simulation of the digital twin network, massive data must be collected, including device data, user data, interaction data, and management data. Inaccurate or unreliable data collection could result in errors in the prediction and simulation of digital twins. Therefore, it is necessary to protect the confidentiality, integrity, and credibility of the collected data. Additionally, to meet the real-time requirements of digital twin networks, more lightweight and efficient data security protection solutions, such as physical layer encryption technology, need to be designed.

(2) Virtualization Scenario Construction

To meet the differentiated network security requirements of upper-layer applications, digital twin networks can customize network simulation scenarios based on the specific application scenarios. A microservice-oriented modeling and simulation architecture can provide a range of flexible and pluggable microservice simulation technology components. Each microservice component implements a small, highly reusable function that can be requested as needed for different scenarios, and flexibly assembled and linked together. Simulation tools and simulation scheduling platforms are deployed in the cloud, allowing users to submit and manage simulation tasks through a cloud-based application platform and rapidly obtain elastic, reliable, and secure simulation services.

9.3 Technology Application Concepts

The integrated architecture for digital twin networks and security simulation consists of physical entity networks, virtual twin networks, and interactive parts between networks. In the digital twin network system, the physical network provides basic data to the digital twin network. Based on the basic data, basic models, etc., the digital twin network generates highly consistent twin network instances with the physical network. Through the twin network instances, real attacks are simulated for attack-defense deduction, and risks and impacts are accurately evaluated through practical verification to form optimal solutions. The verification results are synchronized with the physical network. The physical network is updated based on the results and provides its basic data to the digital twin network, forming an interactive closed loop between the physical and digital twin networks.

Figure 10 Schematic Diagram of Security Deduction Architecture based on Digital Twins

Twin Application Layer: Customized simulation scenarios can be defined according to service requirements, and the security simulation process can be visualized with automated analysis of the simulation results.

Twin Network Layer: Generate attack models based on the attack data captured in the honey net, create corresponding digital twin scenarios based on the deduced scenarios designed at the twin application layer, and deploy the deduced results (security policies) to the physical network for real-time execution.

Physical Network Layer: Collect basic data and honey net data, report it to the digital twin network layer, and dynamically adjust security measures based on the deduced results of the digital twin network layer.

9.4 Challenges and Suggestions

As an emerging technology, digital twins involve the collection and usage of a
large amount of data. Ensuring the compatibility of data from different vendors and achieving multi-level data security sharing and data privacy protection across domains pose significant challenges. Moreover, it is crucial to address the key issue of how to verify the credibility of digital twin models and improve the reliability of security policies generated by the twin network.

To address the above challenges, it is recommended to start with standardization and unification of the technical framework and security system. Defining the types, sizes, collection frequencies, encapsulation formats, and transmission protocols of the data collected by the digital twin network, standardizing the data transmission interfaces between physical devices and twin networks; clarifying which data involves user privacy, designing differentiated data security protection schemes using technologies such as masking, encryption, and privacy computing according to different types of data, to prevent the abuse or leakage of data.

Summary

The current research on 6G network is at a critical stage. Security is the cornerstone of the 6G network; it is not only the basic guarantee for the industrialization and commercial development of 6G but also a hot topic and important content of 6G network. This white paper proposes nine key security technologies for future 6G networks, including wireless physical layer security technology, distributed trust technology, ubiquitous trusted technology, quantum security technology, privacy protection technology, security capability service-oriented technology, mimic defense technology, AI security management and decision-making technology, and DTN security deduction technology. For each technology, the applicable scenarios and security requirements, technical principles, application in 6G network, and relevant challenges and suggestions are fully explained to provide a technical direction reference for the industry to conduct 6G network security research.

On the one hand, in the subsequent research process, it is necessary to further study the application of the above nine key security technologies in the 6G network. On the other hand, we also need to pay attention to the impact of relevant technologies and solutions on the performance, cost, and user experience of the 6G network. While conducting research on network security and network architecture in synchronization, we need to seek a balance between security and
network and ensure the security and credibility of various service scenarios of 6G. Finally, standardization of security is crucial to promoting industry consensus and practical applications of key security technologies for 6G networks. We look forward to continuous technical innovation and cooperation with all parties in the industry, actively promoting the standardization of security technologies, and achieving further breakthroughs in the research of key security technologies for 6G networks, with a consensus reached globally.

References

[1] IMT-2030 (6G) Promotion Group, Research Report on 6G Network Security Vision Technology, 2021
[2] IMT-2030 (6G) Promotion Group, Research Report on 6G Trusted built-in Security Architecture, 2023
[3] IMT-2030 (6G) Promotion Group, White Paper on Typical 6G Scenarios and Key Capabilities, 2022
[4] Network Communication and Security Lab, Purple Mountain Laboratories, White Paper on built-in Security and Trusted Technology for 6G, 2023
[5] IMT-2030 (6G) Promotion Group, Research on 6G Blockchain Technology: Scenarios and Requirements, 2023
[6] Huawei and Xidian University, White Paper on 6G Network Trust System Empowered by Blockchain, 2022
[7] IMT-2030 (6G) Promotion Group, Research on 6G Blockchain Architecture and Key Technologies, 2023
[8] ITU-T X.1710, Security framework for QKDN
[9] NIST, PQC Standardization Process: Announcing Four Candidates to be Standardized, Plus Fourth Round Candidates
[10] ITU-R, Framework and overall objectives of the future development of IMT for 2030 and beyond

Abbreviations

| English Abbreviations | Full English Name | Chinese Explanation |
|---|---|---|
| ABAC | Attribute-Based Access Control | 基于属性的访问控制 |
| AES | Advanced Encryption Standard | 高级加密标准 |
| AF | Application Function | 应用功能 |
| AI | Artificial Intelligence | 人工智能 |
| API | Application Programming Interface | 应用程序编程接口 |
| CA | Certificate Authority | 证书权威机构 |
| DHR | Dynamic Heterogeneous Redundancy | 动态异构冗余 |
| DID | Decentralized IDentifier | 去中心化身份标识 |
| DPKI | Decentralized Public Key Infrastructure | 分布式公钥基础设施 |
| DSA | Digital Signature Algorithm | 数字签名算法 |
| DTN | Digital Twin Network | 数字孪生网络 |
| ECC | Elliptic Curves Cryptography | 椭圆加密算法 |
| IPSec | Internet Protocol Security | 互联网安全协议 |
| ITU | International Telecommunication Union | 国际电信联盟 |
| MPC | Secure Multi-party Computation | 安全多方计算 |
| NEA | New radio Encryption Algorithm | 新空口加密算法 |
| NF | Network Function | 网络功能 |
| NFV | Network Function Virtualization | 网络功能虚拟化 |
| NIA | New radio Integrity Algorithms | 新空口完整性算法 |
| NIST | National Institute of Standards and Technology | 美国国家标准与技术研究院 |
| NWDAF | Network Data Analytics Function | 网络数据分析功能 |
| OAM | Operation Administration and Maintenance | 操作维护管理 |
| OTP | One Time Programmable | 一次性可编程存储器 |
| PKI | Public Key Infrastructure | 公钥基础设施 |
| PQC | Post Quantum Cryptography | 后量子密码 |
| QKD | Quantum Key Distribution | 量子密钥分发 |
| QKDN | Quantum Key Distribution Networks | 量子密钥分发网络 |
| RBAC | Role-Based Access Control | 基于角色的访问控制 |
| RIS | Reconfigurable Intelligent Surface | 智能超表面 |
| RSA | Rivest-Shamir-Adleman | RSA 公钥加密算法 |
| SDS | Software Defined Security | 软件定义安全 |
| TLS | Transport Layer Security | 传输层安全协议 |
| UDR | Unified Data Repository | 统一数据仓库功能 |
| UE | User Equipment | 用户设备 |
| VNF | Virtual Network Functions | 虚拟网络功能 |
| W3C | World Wide Web Consortium | 万维网联盟 |

Writing Organization

| S/N | Main Contributors |
|---|---|
| 1 | China Mobile Communications Corporation |
| 2 | PLA Information Engineering University |
| 3 | China Unicom Research Institute |
| 4 | CAICT |
| 5 | Huawei Technologies Co., Ltd. |
| 6 | ZTE Corporation |
| 7 | Apple R&D (Beijing) Co., Ltd. |
| 8 | Purple Mountain Laboratories |
| 9 | Beijing University of Posts and Telecommunications |
| 10 | Xidian University |
| 11 | QiAn Xin Technology Group Inc. |
