{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,2]],"date-time":"2026-04-02T03:22:20Z","timestamp":1775100140311,"version":"3.50.1"},"reference-count":47,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2021,2,19]],"date-time":"2021-02-19T00:00:00Z","timestamp":1613692800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2021,2,19]],"date-time":"2021-02-19T00:00:00Z","timestamp":1613692800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"University Of South-Eastern Norway"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Wireless Pers Commun"],"published-print":{"date-parts":[[2021,7]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>The 3GPP-based 5G System marks a clear departure form the previous generations. There is a new radio system and a complete overhaul of the core network design. The core network is redesigned both on the control plane parts and the transport plane. The control plane signalling within the core network is now largely based on the service based architecture (SBA) design, featuring Web-based technologies and the associated security solutions. In this paper we conduct a preliminary generic survey of threats to the SBA.<\/jats:p>","DOI":"10.1007\/s11277-021-08200-0","type":"journal-article","created":{"date-parts":[[2021,2,20]],"date-time":"2021-02-20T00:21:10Z","timestamp":1613780470000},"page":"97-116","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":27,"title":["On Threats to the 5G Service Based Architecture"],"prefix":"10.1007","volume":"119","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7363-0076","authenticated-orcid":false,"given":"Geir M.","family":"K\u00f8ien","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2021,2,19]]},"reference":[{"key":"8200_CR1","doi-asserted-by":"publisher","unstructured":"Moore, T., Kosloff, T., Keller, J., Manes, G., & Shenoi, S. (2002). Signaling system 7 (ss7) network security. In The 2002 45th Midwest Symposium on Circuits and Systems, 2002. MWSCAS-2002. (Vol. 3, pp. III\u2013III).https:\/\/doi.org\/10.1109\/MWSCAS.2002.1187082.","DOI":"10.1109\/MWSCAS.2002.1187082"},{"key":"8200_CR2","unstructured":"ETSI, TS 09.02. Mobile Application Part (MAP) Specification. TS 09.02, ETSI, France (1995)."},{"key":"8200_CR3","doi-asserted-by":"crossref","unstructured":"3GPP, TS 29.002. Mobile Application Part (MAP) specification. TS 29.002 15.5.0, 3GPP, France, 06 2019.","DOI":"10.1088\/1475-7516\/2019\/06\/002"},{"key":"8200_CR4","unstructured":"3GPP, TS 29.060. General Packet Radio Service (GPRS); GPRS Tunnelling Protocol (GTP) across the Gn and Gp interface. TS 29.060 15.5.0, 3GPP, France, 06 2019."},{"key":"8200_CR5","unstructured":"3GPP, TS 29.274. 3GPP Evolved Packet System (EPS); Evolved General Packet Radio Service (GPRS) Tunnelling Protocol for Control plane (GTPv2-C); Stage 3. TS 29.274 16.0.0, 3GPP, France, 06 2019."},{"key":"8200_CR6","unstructured":"3GPP, TS 29.281. General Packet Radio System (GPRS) Tunnelling Protocol User Plane (GTPv1-U). TS 29.281 15.5.0, 3GPP, France, 12 2018."},{"key":"8200_CR7","unstructured":"3GPP, TS 33.210. 3G security; Network Domain Security (NDS); IP network layer security. TS 33.210 16.2.0, 3GPP, France, 06 2019."},{"key":"8200_CR8","doi-asserted-by":"crossref","unstructured":"Fajardo, V. (ed). (2012). Diameter Base Protocol. RFC 6733, IETF, 10.","DOI":"10.17487\/rfc6733"},{"key":"8200_CR9","unstructured":"3GPP, TS 29.272. Evolved Packet System (EPS); Mobility Management Entity (MME) and Serving GPRS Support Node (SGSN) related interfaces based on Diameter protocol. TS 29.272 15.8.0, 3GPP, France, 06 2019."},{"key":"8200_CR10","unstructured":"GSMA. Inter-Service Provider IP Backbone Guidelines, Version 7.0, 23 January 2012. IR\u00a034, 01 2012."},{"key":"8200_CR11","unstructured":"GSMA.(2018). Guidelines for IPX Provider networks (Previously Inter-Service Provider IP Backbone Guidelines) v14.0. IR\u00a034, 08 2018."},{"key":"8200_CR12","unstructured":"3GPP, TS 23.501. System architecture for the 5G System (5GS). TS 23.501 16.1.0, 3GPP, France, 06 2019."},{"key":"8200_CR13","unstructured":"3GPP, TS 33.501. Security architecture and procedures for 5G System. TS 33.501 17.0.0, 3GPP, France, 12 2020."},{"issue":"6","key":"8200_CR14","doi-asserted-by":"publisher","first-page":"114","DOI":"10.1145\/3172866","volume":"51","author":"MS Bonfim","year":"2019","unstructured":"Bonfim, M. S., Dias, K. L., & Fernandes, S. F. L. (2019). Integrated NFV\/SDN architectures: A systematic literature review. ACM Computing Surveys (CSUR), 51(6), 114.","journal-title":"ACM Computing Surveys (CSUR)"},{"key":"8200_CR15","unstructured":"Fielding, R.T., & Taylor, R. N. (2000).Architectural styles and the design of network-based software architectures (Vol. 7. University of California, Irvine Doctoral dissertation)."},{"key":"8200_CR16","unstructured":"ITU-T. Information technology-Abstract Syntax Notation One (ASN.1): Specification of basic notation. Recommendation X.680, ITU-T, 08 2015."},{"key":"8200_CR17","doi-asserted-by":"crossref","unstructured":"Dierks,T., & Rescorla, E.(2008). The Transport Layer Security (TLS) Protocol; Version 1.2. RFC 5246, IETF, 08.","DOI":"10.17487\/rfc5246"},{"key":"8200_CR18","doi-asserted-by":"crossref","unstructured":"Rescorla, E. (2018). The Transport Layer Security (TLS) Protocol; Version 1.3. RFC 8446, IETF, 08.","DOI":"10.17487\/RFC8446"},{"key":"8200_CR19","unstructured":"Sakimura, N., Jones, M., & Bradley. J. (2015). JSON Web Signature (JWS). RFC 7515, IETF, 05."},{"key":"8200_CR20","unstructured":"Hildebrand, J., & Jones, M. (2015). JSON Web Encryption (JWE). RFC 7516, IETF, 05."},{"key":"8200_CR21","doi-asserted-by":"crossref","unstructured":"Hardt, D., (ed). (2012). The OAuth 2.0 Authorization Framework. RFC 6749, IETF, 10.","DOI":"10.17487\/rfc6749"},{"key":"8200_CR22","volume-title":"Normal accidents","author":"C Perrow","year":"1999","unstructured":"Perrow, C. (1999). Normal accidents. New Jersey: Princeton University Press."},{"issue":"1","key":"8200_CR23","doi-asserted-by":"publisher","first-page":"6","DOI":"10.1109\/32.481513","volume":"22","author":"M Abadi","year":"1996","unstructured":"Abadi, M., & Needham, R. (1996). Prudent engineering practice for cryptographic protocols. IEEE Transactions on Software Engineering, 22(1), 6\u201315.","journal-title":"IEEE Transactions on Software Engineering"},{"key":"8200_CR24","unstructured":"Nicolas, S. (2018). JSON Parsing Considered Harmful. Technical report, Toulouse Hacking Convention, 03 2018."},{"key":"8200_CR25","unstructured":"Justin, R., Antonio, S., & Ian, G. (2017). OAuth 2 in Action. Manning Publications Shelter Island."},{"key":"8200_CR26","unstructured":"Daniel, F., Ralf, K., & Guido, S. (2016). A comprehensive formal security analysis of OAuth 2.0. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 1204\u20131215. ACM."},{"key":"8200_CR27","unstructured":"San-Tsai, S., & Konstantin, B. (2012). The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems. In Proceedings of the 2012 ACM conference on Computer and communications security (pp. 378\u2013390). ACM."},{"key":"8200_CR28","doi-asserted-by":"crossref","unstructured":"Ethan, S., Henry, C., Dave, T., Patrick, T., & Kevin, B. (2015). More Guidelines Than Rules: CSRF Vulnerabilities from Noncompliant OAuth 2.0 Implementations. In Magnus Almgren, Vincenzo Gulisano, and Federico Maggi, editors, Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 239\u2013260). Cham, Springer International Publishing. ISBN 978-3-319-20550-2.","DOI":"10.1007\/978-3-319-20550-2_13"},{"issue":"4","key":"8200_CR29","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/2237796.2237803","volume":"37","author":"A Janus","year":"2012","unstructured":"Janus, A. (2012). Towards a common agile software development model (ASDM). ACM SIGSOFT Software Engineering Notes, 37(4), 1\u20138.","journal-title":"ACM SIGSOFT Software Engineering Notes"},{"issue":"4","key":"8200_CR30","doi-asserted-by":"publisher","first-page":"791","DOI":"10.1007\/s10515-016-0206-x","volume":"24","author":"C Zolotas","year":"2017","unstructured":"Zolotas, C., Diamantopoulos, T., Chatzidimitriou, K. C., & Symeonidis, A. L. (2017). From requirements to source code: A Model-Driven Engineering approach for RESTful web services. Automated Software Engineering, 24(4), 791\u2013838.","journal-title":"Automated Software Engineering"},{"key":"8200_CR31","doi-asserted-by":"publisher","first-page":"3909","DOI":"10.1109\/ACCESS.2017.2685629","volume":"5","author":"M Shahin","year":"2017","unstructured":"Shahin, M., Babar, M. A., & Zhu, L. (2017). Continuous integration, delivery and deployment: A systematic review on approaches, tools, challenges and practices. IEEE Access, 5, 3909\u20133943.","journal-title":"IEEE Access"},{"key":"8200_CR32","unstructured":"Thomas, P. Comments on \u201cJWT is a Bad Standard That Everyone Should Avoid\u201d. Lobste.rs: https:\/\/lobste.rs\/s\/r4lv76\/jwt_is_bad_standard_everyone_should_avoid, 03 2017."},{"key":"8200_CR33","unstructured":"Arciszewski, S. No Way, JOSE! Javascript Object Signing and Encryption is a Bad Standard That Everyone Should Avoid. Paragon Initiative.https:\/\/paragonie.com\/blog\/2017\/03, 03 2017."},{"key":"8200_CR34","unstructured":"Madden, N. Should you use jwt\/jose? Neil Madden Blog: https:\/\/neilmadden.blog\/2017\/03\/15\/should-you-use-jwt-jose\/, 03 2017."},{"key":"8200_CR35","unstructured":"Fraser, T. No way, jose! lessons for authors and implementers of open standards. The 2018 Pass the SALT conference."},{"key":"8200_CR36","unstructured":"Dennis, D., Juraj, S., Christian, M., Vladislav, M., & J\u00f6rg S. (2017). On the (in-) security of javascript object signing and encryption. In Proceedings of the 1st Reversing and Offensive-oriented Trends Symposium. ACM."},{"key":"8200_CR37","unstructured":"Tozny. Cryptography and abstractions: Why all the jose hate? Tozny.com: https:\/\/tozny.com\/blog\/jose-cryptography-and-abstraction\/, 03 2017."},{"key":"8200_CR38","unstructured":"NIS Coordination Group. EU coordinated risk assessment of the cybersecurity of 5G networks. Report, European Commission and ENISA, Brussel, Belgium, 10 2019."},{"key":"8200_CR39","unstructured":"ENISA. ENISA Threat Landscape for 5G Networks. TRL 2019-5G, European Union Agency for Network and Information Security (ENISA), 11 2019."},{"key":"8200_CR40","unstructured":"OWASP Foundation. OWASP Top Ten; Top 10 Web Application Security Risks (2017). https:\/\/owasp.org\/www-project-top-ten\/#, 2017."},{"key":"8200_CR41","unstructured":"Acunetix. Web Application Vulnerability Report 2020. https:\/\/www.acunetix.com\/resources\/report\/Acunetix_2020_Web_Application_Vulnerability_Report.pdf, 05 2020."},{"key":"8200_CR42","unstructured":"ptsecurity.com. Web application vulnerabilities and threats: statistics for 2019. https:\/\/www.ptsecurity.com\/upload\/corporate\/ww-en\/analytics\/web-vulnerabilities-2020-eng.pdf, 05 2020."},{"key":"8200_CR43","unstructured":"MITRE Common Weakness Enumeration. 2020 CWE Top 25 Most Dangerous Software Weaknesses. https:\/\/cwe.mitre.org\/top25\/archive\/2020\/2020_cwe_top25.html, 05 2020."},{"key":"8200_CR44","unstructured":"Microsoft. Develop secure applications on Azure. https:\/\/docs.microsoft.com\/en-us\/azure\/security\/develop\/secure-develop, 12 2019."},{"key":"8200_CR45","doi-asserted-by":"crossref","unstructured":"Dennis, V. & Geoffrey, S. (1997). A type-based approach to program security. In Michel Bidoit and Max Dauchet, editors, TAPSOFT \u201997: Theory and Practice of Software Development, pages 607\u2013621, Berlin, Heidelberg, Springer Berlin Heidelberg. ISBN 978-3-540-68517-3.","DOI":"10.1007\/BFb0030629"},{"issue":"10","key":"8200_CR46","doi-asserted-by":"publisher","first-page":"40","DOI":"10.1109\/2.161279","volume":"25","author":"B Meyer","year":"1992","unstructured":"Meyer, B. (1992). Applying\u2019design by contract\u2019. Computer, 25(10), 40\u201351.","journal-title":"Computer"},{"key":"8200_CR47","unstructured":"3GPP, TS 33.517. 5G Security Assurance Specification (SCAS) for the Security Edge Protection Proxy (SEPP) network product class. TS 33.517 16.1.0, 3GPP, France, 12 2019."}],"container-title":["Wireless Personal Communications"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11277-021-08200-0.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s11277-021-08200-0\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11277-021-08200-0.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,12,18]],"date-time":"2022-12-18T08:03:53Z","timestamp":1671350633000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s11277-021-08200-0"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,2,19]]},"references-count":47,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2021,7]]}},"alternative-id":["8200"],"URL":"https:\/\/doi.org\/10.1007\/s11277-021-08200-0","relation":{},"ISSN":["0929-6212","1572-834X"],"issn-type":[{"value":"0929-6212","type":"print"},{"value":"1572-834X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,2,19]]},"assertion":[{"value":"29 January 2021","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"19 February 2021","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}