🔐 Zero Trust Architecture for Securing Smart IoT Devices in 5G Networks - mhradhika/5GTrial GitHub Wiki

This project showcases a Zero Trust-based security framework for Smart IoT devices operating in 5G network environments. It emphasizes continuous authentication, lightweight hybrid encryption, and real-time monitoring — all integrated into a simulated 5G core using Open5GS and UERANSIM.


System Overview

Tech Stack:

  • ESP32 – Collects sensor data
  • Raspberry Pi 4 – Acts as UE (User Equipment) with UERANSIM
  • UERANSIM + Open5GS – Simulate 5G RAN and Core
  • Keycloak – OAuth 2.0-based Identity Provider
  • Flask-based Authenticator – Validates token, encrypts data
  • Flask Dashboard – Monitors decrypted, verified data in real-time

Security Architecture

  • Zero Trust Principle: No device is trusted by default. Each session requires re-authentication.
  • OAuth 2.0 with Keycloak: Devices use access tokens to communicate securely.
  • Hybrid Encryption:
    • RSA for secure session key exchange
    • ChaCha20-Poly1305 for authenticated, fast, symmetric encryption

Prerequisites

Before setting up the system, ensure the following hardware, software, and configurations are in place.

Hardware Requirements

  • ESP32 development board (with USB cable)
  • Sensors (e.g., DHT11, ultrasonic, etc.)
  • Raspberry Pi 4 (or similar SBC with network access)
  • Linux PC (to run Open5GS and Flask receiver)
  • All devices should be connected to the same local network

Software Requirements

On ESP32:

  • Arduino IDE or PlatformIO
  • ESP32 board support installed
  • Required libraries for serial communication

On Raspberry Pi (UE):

  • Python 3.x
  • pip or pip3
  • UERANSIM (built from source)
  • Python libraries: Flask, PySerial, Requests, Cryptography

Install required libraries:

pip install flask pyserial requests cryptography

🛠️ Setup Instructions

This section provides step-by-step guidance to set up and run the complete system.


1. ESP32 Setup (IoT Device)

  • Connect sensors (e.g., DHT11, ultrasonic, etc.) to the ESP32.
  • Flash firmware that reads sensor values and sends them over the serial port.

Note: Ensure baud rate (e.g., 115200) matches the Flask serial reader.


2. Raspberry Pi Setup (User Equipment / UE)

  • Install Ubuntu / Raspberry Pi OS
  • Connect to your local network (same as Open5GS Core)

Install UERANSIM:

git clone https://github.com/aligungr/UERANSIM.git
cd UERANSIM
make

Run Flask Authenticator

cd /home/isfcr/server/authenticator
pip install -r requirements.txt
python3 app.py

This server:

  • Reads data from ESP32 over /dev/ttyUSB0

  • Authenticates with Keycloak using client credentials

  • Encrypts data using RSA + ChaCha20

  • Sends encrypted UDP packets to Receiver
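The hybrid scheme from the Security Architecture section (RSA for the session key, ChaCha20-Poly1305 for the data) and the authenticator-to-receiver UDP path listed above, worked through as an added example; this is not the 5GTrial project's own code. The packet layout, the `MAGIC` marker, the `Sender`/`Receiver` names, the counter nonce and the choice to bind the Keycloak access token to each ciphertext as AEAD associated data are all assumptions, since the wiki does not show the project's wire format; the RSA key pair is generated in-process as a stand-in for the receiver's key file, and the loopback demo binds port 0 instead of the wiki's 5005.

```python
import json
import socket
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

MAGIC = b"ZT5G"  # assumed 4-byte packet marker (not the project's format)
# RSA-OAEP with SHA-256 for key wrapping; avoid PKCS#1 v1.5 padding here
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def make_receiver_keypair():
    """Constructed stand-in for the receiver's RSA key pair (normally loaded from disk)."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return priv, priv.public_key()


class Sender:
    """Authenticator side: one fresh 256-bit session key, wrapped once with RSA-OAEP."""

    def __init__(self, receiver_pub, access_token: str):
        self.key = ChaCha20Poly1305.generate_key()
        self.aead = ChaCha20Poly1305(self.key)
        self.token = access_token.encode()
        self.wrapped = receiver_pub.encrypt(self.key, OAEP)
        self.counter = 0  # nonce counter: a (key, nonce) pair must never repeat

    def packet(self, reading: dict) -> bytes:
        # Assumed layout (big-endian): MAGIC | u16 len | token | u16 len | wrapped key
        #                              | 12-byte nonce | ciphertext + 16-byte tag
        # The wrapped key rides in every datagram, so a lost packet never strands the session.
        nonce = self.counter.to_bytes(12, "big")
        self.counter += 1
        plaintext = json.dumps(reading, separators=(",", ":")).encode()
        # Token as associated data: authenticated but not encrypted, so the receiver can
        # inspect it first and any swap of the token fails the tag check.
        ct = self.aead.encrypt(nonce, plaintext, self.token)
        return (MAGIC + struct.pack("!H", len(self.token)) + self.token
                + struct.pack("!H", len(self.wrapped)) + self.wrapped + nonce + ct)


class Receiver:
    """Core-PC side: unwraps each session key once, then rejects replayed counters."""

    def __init__(self, receiver_priv):
        self.priv = receiver_priv
        self.sessions = {}  # wrapped-key bytes -> [session key, highest counter seen]

    def open(self, packet: bytes):
        if packet[:4] != MAGIC:
            raise ValueError("bad magic")
        (tlen,) = struct.unpack_from("!H", packet, 4)
        token = packet[6:6 + tlen]
        off = 6 + tlen
        (wlen,) = struct.unpack_from("!H", packet, off)
        wrapped = packet[off + 2:off + 2 + wlen]
        off += 2 + wlen
        nonce, ct = packet[off:off + 12], packet[off + 12:]
        if wrapped not in self.sessions:
            # RSA unwrap once per session; the wrong private key raises ValueError here
            self.sessions[wrapped] = [self.priv.decrypt(wrapped, OAEP), -1]
        key, last = self.sessions[wrapped]
        counter = int.from_bytes(nonce, "big")
        if counter <= last:
            raise ValueError("replayed or stale packet")
        plaintext = ChaCha20Poly1305(key).decrypt(nonce, ct, token)  # InvalidTag if tampered
        self.sessions[wrapped][1] = counter  # advance only after the tag verified
        return token.decode(), json.loads(plaintext)


def rejects(receiver: Receiver, packet: bytes) -> bool:
    """True if the receiver refuses the packet (tampered, replayed, wrong key, truncated)."""
    try:
        receiver.open(packet)
        return False
    except (InvalidTag, ValueError, struct.error):
        return True


def roundtrip_over_loopback(reading: dict, token: str = "demo-token"):
    """Send one packet through a real UDP socket on 127.0.0.1 and decrypt it."""
    priv, pub = make_receiver_keypair()
    sender, receiver = Sender(pub, token), Receiver(priv)
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))  # port 0 lets the OS pick; the wiki's receiver uses 5005
    rx.settimeout(5)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(sender.packet(reading), rx.getsockname())
        data, _ = rx.recvfrom(65535)
    finally:
        tx.close()
        rx.close()
    return receiver.open(data)
```

Calling `roundtrip_over_loopback({"temp_c": 24.5, "humidity": 61})` exercises the whole path on one machine. Two points carry over to the real deployment: the wrong private key on the receiver surfaces as a `ValueError` from the RSA unwrap (the "RSA key mismatch" case under Potential Issues), and because UDP has no transport-level protection, the receiver must keep its own replay state; the strict "counter must increase" rule here trades tolerance of reordering for simplicity, and a sliding window is the usual production choice. The session cache should also be bounded or expired in a long-running receiver.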


3. Core-PC Setup

  • Set up Open5GS and configure the YAML files for the AMF, SMF, and UPF

Run Flask UDP Receiver:

cd /home/isfcr/server/receiver
pip install -r requirements.txt
python3 receiver.py

4. Dashboard Setup (Optional)

cd /home/isfcr/server/dashboard
python3 dashboard.py

  • Open in browser: http://:5000

Displays:

  • Authenticated sensor data

  • Connection status

  • Optional logging or alerts


5. Testing

  • Boot ESP32 → should begin sending sensor data.

Confirm:

  • Raspberry Pi is connected to 5G via UERANSIM

  • Authenticator sends encrypted data

  • Receiver decrypts and verifies tokens

  • Dashboard shows live data


Note

  • All components must be on the same local network.

  • Keycloak must be reachable by Raspberry Pi (use local IP).

  • Ensure UERANSIM and Open5GS are correctly configured with matching PLMN.


Potential Issues

Below are some common issues you might encounter during setup or execution, along with suggestions for resolving them.


1. UERANSIM Fails to Connect to Open5GS

  • Cause: Mismatch in PLMN settings (MCC/MNC) between UERANSIM and Open5GS.
  • Solution: Ensure both use the same values (e.g., 208/93) and that the UE is properly registered in the Open5GS subscriber database.

2. Keycloak Token Authentication Fails

  • Cause: Invalid client credentials or wrong realm URL.
  • Solution: Verify the client ID, secret, and token endpoint URL. Ensure the client has "Service Accounts" enabled.

3. ESP32 Not Detected by Flask Serial Reader

  • Cause: Incorrect serial port (e.g., /dev/ttyUSB0 not matching actual port).
  • Solution: Use ls /dev/tty* to find the correct port. Update Flask code accordingly.

4. Encrypted UDP Packets Not Received

  • Cause: Firewall blocking UDP port or IP mismatch.
  • Solution: Allow the correct UDP port (e.g., 5005) in the firewall. Confirm IPs between sender and receiver are correct.

5. Decryption or Token Verification Fails

  • Cause: RSA key mismatch or expired token.
  • Solution: Ensure the receiver has the correct private key. Implement token refresh logic if required.
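The receiver's token verification step from the Testing section, including the expired-token case from this item, as an added example that is not the project's code. It assumes the RS256 signature Keycloak uses by default and checks the claims a client-credentials token carries (`iss`, `azp`/`aud`, `exp`, `nbf`); `make_realm_keypair` and `mint_token` are constructed stand-ins for the realm signing key and the Keycloak token endpoint, and the issuer URL and client id used in the usage below are placeholders. In a real deployment the public key comes from the realm's JWKS endpoint rather than being generated locally.

```python
import base64
import json
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_realm_keypair():
    """Constructed stand-in for the realm signing key (really fetched from Keycloak's JWKS)."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return priv, priv.public_key()


def mint_token(realm_priv, claims: dict) -> str:
    """Constructed stand-in for Keycloak's token endpoint: RS256 = PKCS#1 v1.5 + SHA-256."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = realm_priv.sign(f"{header}.{body}".encode(), padding.PKCS1v15(), hashes.SHA256())
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(realm_pub, token: str, issuer: str, client_id: str, now=None, leeway=30) -> dict:
    """Return the claims if the token is valid, else raise ValueError / InvalidSignature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_unb64url(parts[0]))
    # Pin the algorithm: never let the token's own header choose 'none' or an HMAC alg
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    realm_pub.verify(_unb64url(parts[2]), signing_input, padding.PKCS1v15(), hashes.SHA256())
    claims = json.loads(_unb64url(parts[1]))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch: check the realm URL")
    # Client-credentials tokens name the requesting client in 'azp'; accept 'aud' as well
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if claims.get("azp") != client_id and client_id not in aud:
        raise ValueError("token was not issued to this client")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if now < claims.get("nbf", claims.get("iat", 0)) - leeway:
        raise ValueError("token not yet valid")
    return claims


def refresh_due(claims: dict, now=None, margin: int = 60) -> bool:
    """True when the authenticator should fetch a new token before the current one lapses."""
    now = time.time() if now is None else now
    return now >= claims["exp"] - margin


def verify_or_reason(realm_pub, token: str, issuer: str, client_id: str, now=None) -> str:
    """'ok' or the rejection reason, suitable for the receiver log or dashboard alerts."""
    try:
        verify_token(realm_pub, token, issuer, client_id, now)
        return "ok"
    except InvalidSignature:
        return "bad signature"
    except ValueError as err:
        return str(err)
```

On the sender, `refresh_due(claims)` polled before each batch is the simplest form of the refresh logic this item asks for: request a new token from Keycloak once the current one is within `margin` seconds of `exp`, so packets never go out with a token the receiver will reject. Logging the reason string from `verify_or_reason` separates "issuer mismatch" (wrong realm URL, item 2) from "bad signature" (wrong realm key) and "token expired", which otherwise all look like the same failure.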

6. Dashboard Not Loading

  • Cause: Flask app not running or bound to wrong host.
  • Solution: Make sure the Flask app is running and accessible via 0.0.0.0 or correct IP.

If you encounter new issues not listed here, feel free to open an issue on GitHub.
