5G Security and Authentication procedures are intensely complex subjects. To fully grasp the procedures outlined in this article, you would require a comprehensive understanding of the algorithms used for Key Generation, Key Derivation, and Message Authentication. To be fully transparent, I am not an algorithm expert and do not pretend to be one. This article will be my best attempt at interpretation of the data that I have collected and analyzed against 3GPP Specification TS 33.501 “Security Architecture and Procedures for the 5G System.”
What is 5G AKA?
5G AKA is the Authentication and Key Agreement procedure between the User Equipment (UE) and the 5G Network; it mutually authenticates the two and produces the keys that later secure communication through integrity protection and encryption. 5G systems can also use EAP-AKA as the authentication method; it is built on EAP, a broad authentication framework used in various wireless networks.
5G Networks use several Authentication Vectors and keys, all calculated from values and keys held in secure locations: the USIM in the User Equipment and the UDM in the 5G Core.
- 5G HE AV (Home Environment Authentication Vector)
  - Generated by the UDM/ARPF
  - Sent to the AUSF
  - Contains RAND, AUTN, XRES, and Kausf
- 5G SE AV (Serving Environment Authentication Vector)
  - Generated by the AUSF
  - Sent to the SEAF/AMF
  - Contains RAND, AUTN, and HXRES
  - Kseaf is sent to the SEAF/AMF after successful authentication
Mutual Authentication
The purpose of the primary authentication and key agreement procedures is to enable mutual authentication between the UE and the network and provide keying material that can be used between the UE and the serving network in subsequent security procedures.
– 3GPP TS 33.501 (6.1.1.1)
What is 5G Security?
Security establishment in a 5G Network protects messages and user data by means of integrity protection and ciphering. This process is conducted between the 5G Core network and the UE with the NAS Security Mode procedure, and between the gNB and UE with the AS Security Mode Procedure.
The UE lists the security algorithms it supports in the NAS REGISTRATION REQUEST message. The AMF then selects the integrity and encryption algorithms to use from those that both the network and the UE support.
Security Algorithms
- Encryption
  - NEA0: Null ciphering
  - 128-NEA1: 128-bit SNOW 3G based
  - 128-NEA2: 128-bit AES based
  - 128-NEA3: 128-bit ZUC based
- Integrity
  - NIA0: Null integrity protection
  - 128-NIA1: 128-bit SNOW 3G based
  - 128-NIA2: 128-bit AES based
  - 128-NIA3: 128-bit ZUC based
5G Component Responsibilities
User Equipment
- RRC and NAS ciphering and integrity protection
- Ciphering algorithms: NEA0, 128-NEA1, 128-NEA2, and/or 128-NEA3
- Integrity algorithms: NIA0, 128-NIA1, 128-NIA2, and/or 128-NIA3
- SUCI calculation can be performed by either the USIM or the ME
- PEI/IMEI is only sent over NAS after security protection has been established
- USIM
  - Stores the SUPI
  - Stores the Home Network Public Key
  - Stores the Protection Scheme ID
  - Stores the Home Network Public Key ID
  - Stores the Routing Indicator
  - Stores the long-term key ‘K’
  - Stores the SUCI calculation indication (whether the USIM or the ME calculates the SUCI)
gNB
- RRC ciphering and integrity protection
- Ciphering algorithms: NEA0, 128-NEA1, 128-NEA2, and/or 128-NEA3
- Integrity algorithms: NIA0, 128-NIA1, 128-NIA2, and/or 128-NIA3
Messages that can be sent without security protection
- MIB
- Paging
- RRCReconfiguration*
- RRCReconfigurationComplete*
- RRCReject
- RRCRelease
- RRCSetup
- RRCSetupComplete
- RRCSetupRequest
- SIB1
- Security Mode Command (Integrity protected but not ciphered)
- Security Mode Failure
- SystemInformation
- UECapabilityEnquiry
- UECapabilityInformation
*message transfer scenario dependent
5G Core
- SEAF (Security Anchor Function)
  - Provides authentication functionality via the serving network AMF
  - Primary authentication using the SUCI
- AMF (Access and Mobility Function)
  - Ciphering algorithms: NEA0, 128-NEA1, 128-NEA2, and/or 128-NEA3
  - Integrity algorithms: NIA0, 128-NIA1, 128-NIA2, and/or 128-NIA3
  - 5G-GUTI assignment and re-allocation
  - Triggers authentication using the SUCI
  - Confirms the SUPI
- AUSF (Authentication Server Function)
  - Handles authentication requests
  - Provides the SUPI to the VPLMN after authentication confirmation
  - Informs the UDM of the authentication success status
- UDM (Unified Data Management)
  - ARPF (Authentication Credential Repository and Processing Function)
    - Secure environment in the UDM
    - Stores the user's long-term key ‘K’
  - SIDF (Subscription Identifier De-concealing Function)
    - Service offered by the UDM
    - Resolves the SUPI from the SUCI based on the protection scheme
    - Stores the Home Network Private Key
    - Stores the Home Network Public Key ID
    - Holds the algorithms used for subscriber privacy
Primary Authentication Procedure (TS 33.501 – 6.1 & 6.1.3.2)
Disclaimer! The scenario shown below uses Open5GS and UERANSIM. There are differences between how the spec is written and how Open5GS implements the Authentication and Security procedures.

Authentication – Step 1: Authentication Initiation

The UE has selected a cell and now needs to Register with the cell’s network. In this scenario, the User’s SUPI is using the Profile A protection scheme.
- 1) USIM
- Provisioned Home Network Public Key
- Ephemeral public/private key pair
- Reference diagrams below for more detailed information on how the UE generates the SUCI using ECIES (TS 33.501 – Annex C.3)


- 2) UE sends REGISTRATION REQUEST
- Contains available integrity and ciphering algorithms
- Concealed Permanent Identity – SUCI
- Profile A

The AMF/SEAF receives the REGISTRATION REQUEST message and forwards the User’s SUCI and the Serving Network Name (SNN) to the AUSF in the Nausf_UEAuthentication_Authenticate Request. The SNN is stored at the SEAF/AMF.


The AUSF receives the UE Authentication Request message from the AMF/SEAF, and sends the Nudm_UEAuthentication_Get Request which also includes the SUCI and SNN.


Authentication – Step 2: Authentication Method Selection

The UDM receives the information and uses the SIDF to de-conceal the user’s SUPI from the transmitted SUCI. Based on the SUPI, the UDM/ARPF chooses an Authentication Method. In this scenario, 5G-AKA is selected. The selection is sent back to the AUSF in the Nudm_UEAuthentication_Get Response.

Authentication – Step 3: Authentication Vector Generation


The Home Environment Authentication Vectors (5G HE AV) generated by the UDM are also included in the Nudm_UEAuthentication_Get Response. In this scenario, the UDM must query the UDR to retrieve the user’s long-term key ‘K’, the AMF (here the 16-bit Authentication Management Field used in AUTN, not the Access and Mobility Function), and the SQN.

The UDR sends the information for the specified SUPI back to the UDM.

Now the UDM/ARPF can generate the 5G HE AVs:
- Derives Kausf
- Calculates XRES
- Creates the 5G HE AV: RAND, AUTN, XRES, and Kausf

The UDM/ARPF sends the 5G HE AVs and SUPI to the AUSF in the Nudm_UEAuthentication_Get Response.

The AUSF receives the message, stores the XRES and SUPI, and calculates the HXRES based on the XRES. The AUSF also generates the Kseaf from the Kausf.
The AUSF replaces the XRES with the HXRES and the Kausf with the Kseaf in the 5G HE AVs.

The AUSF then sends the 5G Serving Environment Authentication Vectors (5G SE AV) to the SEAF. The 5G SE AVs include the RAND, AUTN, and HXRES in the Nausf_UEAuthentication_Authenticate Response.

Authentication – Step 4: NAS Authentication Procedure
The SEAF receives the 5G SE AVs from the AUSF, and sends the RAND and AUTN in the NAS AUTHENTICATION REQUEST message to the UE. This message also includes the ngKSI and ABBA.
The ngKSI is used by the UE and AMF to identify the Kamf.

The UE receives the AUTHENTICATION REQUEST message. The USIM verifies the freshness of the AUTN, then computes the RES.
The USIM sends the RES, CK, and IK to the ME, which then:
- Calculates Kausf from CK||IK
- Calculates Kseaf from Kausf


The UE then sends the AUTHENTICATION RESPONSE to the SEAF, including the RES.

The SEAF receives the AUTHENTICATION RESPONSE and then computes the HRES from the UE’s RES.
- Compares HRES with HXRES
- Match = successful Serving Network Authentication
The SEAF then sends the RES to the AUSF in the Nausf_UEAuthentication_Authenticate Request.

The AUSF takes the RES and verifies whether it has expired. If it has not expired, the AUSF:
- Stores the Kausf
- Compares RES with the XRES
- Match = successful Home Network Authentication
The AUSF then notifies the UDM of the Authentication Result.

The AUSF also sends Nausf_UEAuthentication_Authenticate Response message to the SEAF which includes the Kseaf and SUPI.

The SEAF treats the Kseaf as the anchor key and derives the Kamf from the Kseaf, ABBA, and the SUPI. The SEAF then passes the ngKSI and Kamf to the AMF.

At this point, the 5G-AKA process has been completed. The AMF will initiate the NAS SECURITY MODE COMMAND procedure with the UE.
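The derivations behind Steps 3 and 4, as an added worked example that is not part of the original article, Open5GS, or UERANSIM. It follows the KDF definitions in TS 33.501 Annex A (the article's XRES/HXRES/RES are the spec's XRES*/HXRES*/RES*); CK, IK, RAND, RES, the SUPI and the serving network name are constructed sample values, since MILENAGE on the USIM/ARPF is out of scope here.

```python
import hashlib
import hmac

# Constructed serving network name (SNN); the real one is built from the PLMN id.
SNN = b"5G:mnc001.mcc001.3gppnetwork.org"

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF (TS 33.220 Annex B): HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_kausf(ck, ik, snn, sqn_xor_ak):     # Annex A.2, FC = 0x6A
    return kdf(ck + ik, 0x6A, snn, sqn_xor_ak)

def res_star(ck, ik, snn, rand, res):          # Annex A.4, FC = 0x6B, 128 least significant bits
    return kdf(ck + ik, 0x6B, snn, rand, res)[16:]

def hres_star(rand, res_s):                    # Annex A.5: 128 LSBs of SHA-256(RAND || RES*)
    return hashlib.sha256(rand + res_s).digest()[16:]

def derive_kseaf(kausf, snn):                  # Annex A.6, FC = 0x6C
    return kdf(kausf, 0x6C, snn)

def derive_kamf(kseaf, supi, abba):            # Annex A.7, FC = 0x6D
    return kdf(kseaf, 0x6D, supi, abba)

def run_5g_aka(ck, ik, rand, sqn_xor_ak, xres, ue_res, supi, abba=b"\x00\x00"):
    """Returns (serving-network auth ok, home-network auth ok, Kamf or None)."""
    # Step 3, UDM/ARPF: the 5G HE AV carries RAND, AUTN, XRES* and Kausf.
    kausf = derive_kausf(ck, ik, SNN, sqn_xor_ak)
    xres_s = res_star(ck, ik, SNN, rand, xres)
    # Step 3, AUSF: keeps XRES*, gives the SEAF HXRES* now and Kseaf only after success.
    hxres_s = hres_star(rand, xres_s)
    kseaf = derive_kseaf(kausf, SNN)
    # Step 4, UE: the ME computes RES* from the USIM's RES, CK and IK.
    ue_res_s = res_star(ck, ik, SNN, rand, ue_res)
    # Step 4, SEAF: HRES* over the UE's RES* must match HXRES*.
    sn_ok = hmac.compare_digest(hres_star(rand, ue_res_s), hxres_s)
    # Step 4, AUSF: the UE's RES* must match the stored XRES*.
    hn_ok = hmac.compare_digest(ue_res_s, xres_s)
    # Only then does the SEAF turn the anchor key into Kamf (SUPI and ABBA as inputs).
    kamf = derive_kamf(kseaf, supi, abba) if sn_ok and hn_ok else None
    return sn_ok, hn_ok, kamf
```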
NAS Security Procedure (TS 33.501 – 6.7.2)

The AMF is configured by its network provider with a prioritized list of available algorithms for ciphering and integrity protection. The AMF will choose the algorithms based on what the UE supports, which is provided to the AMF via the UE in the REGISTRATION REQUEST.
Before sending the SECURITY MODE COMMAND message, the AMF initiates Integrity protection.
The AMF sends the Integrity protected SECURITY MODE COMMAND message to the UE, which contains…
- ngKSI
- UE Security Capabilities
- Selected Ciphering algorithm
- Selected Integrity algorithm
- NAS MAC
- UE IMEI Request

Once the message is sent, the AMF starts uplink deciphering.
The UE receives the message, uses the ngKSI to identify the Kamf, and verifies the integrity of the SECURITY MODE COMMAND. The UE also checks that the UE Security Capabilities echoed by the AMF match the ones it sent, to ensure they were not modified in transit (a bidding-down attack).

Upon successful integrity verification, the UE starts
- Uplink ciphering
- Downlink deciphering
- Integrity protection
The UE then sends the ciphered and integrity-protected SECURITY MODE COMPLETE message to AMF, which includes the NAS MAC, IMEI, and the initial REGISTRATION REQUEST.

The AMF receives the SECURITY MODE COMPLETE message and begins downlink ciphering.


The UE and AMF now have security protection established.
Refer to the diagram below to better understand the Key Hierarchy between the 5GC and the UE for this procedure.

NAS Integrity
- NAS 128-bit integrity algorithm (NIA) with the following inputs:
  - KEY: Knasint
  - BEARER: NAS connection identifier
  - DIRECTION: direction of transmission, 0 for UL and 1 for DL
  - COUNT: 24-bit direction-dependent NAS COUNT, padded as COUNT = 0x00 || NAS COUNT
    - NAS COUNT = NAS OVERFLOW || NAS SQN
    - NAS OVERFLOW = 16-bit value incremented each time NAS SQN wraps from its maximum value
    - NAS SQN = 8-bit sequence number carried with each NAS message
NAS Confidentiality
- NAS 128-bit ciphering algorithm (NEA) with the following inputs:
  - KEY: Knasenc
  - LENGTH: length of the key stream
  - BEARER: NAS connection identifier
  - DIRECTION: direction of transmission, 0 for UL and 1 for DL
  - COUNT: 24-bit direction-dependent NAS COUNT, padded as COUNT = 0x00 || NAS COUNT
    - NAS COUNT = NAS OVERFLOW || NAS SQN
    - NAS OVERFLOW = 16-bit value incremented each time NAS SQN wraps from its maximum value
    - NAS SQN = 8-bit sequence number carried with each NAS message
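A NAS COUNT handling and replay-check example, added here and not taken from the article, Open5GS, or UERANSIM. It covers the inputs listed under NAS Integrity (KEY, BEARER, DIRECTION, COUNT) and goes one step beyond the list by showing why the 8-bit NAS SQN carried in each message is enough for the receiver to rebuild the full NAS COUNT and reject replays. HMAC-SHA-256 stands in for the 128-NIA MAC, Knasint and the messages are constructed values, and BEARER is set to 0x01, the NAS connection identifier for 3GPP access.

```python
import hashlib
import hmac

NAS_UPLINK, NAS_DOWNLINK = 0, 1   # DIRECTION input
NAS_BEARER_3GPP = 0x01            # BEARER input: NAS connection identifier for 3GPP access

def nas_count_input(overflow: int, sqn: int) -> bytes:
    """COUNT input for NIA/NEA: 0x00 || NAS COUNT, with NAS COUNT = OVERFLOW (16 bit) || SQN (8 bit)."""
    return b"\x00" + ((overflow << 8) | sqn).to_bytes(3, "big")

def nas_mac(knasint, overflow, sqn, direction, msg):
    """Stand-in for a 128-NIA MAC: HMAC-SHA-256 over the NIA inputs, truncated to 32 bits.
    Real NAS uses 128-NIA1/2/3 (SNOW 3G, AES, ZUC); only the input layout is shown here."""
    data = nas_count_input(overflow, sqn) + bytes([NAS_BEARER_3GPP, direction]) + msg
    return hmac.new(knasint, data, hashlib.sha256).digest()[:4]

class NasSender:
    """Keeps the sender's NAS OVERFLOW and NAS SQN; only the SQN is sent over the air."""
    def __init__(self, knasint, direction):
        self.k, self.dir, self.overflow, self.sqn = knasint, direction, 0, 0

    def protect(self, msg):
        pdu = (self.sqn, msg, nas_mac(self.k, self.overflow, self.sqn, self.dir, msg))
        self.sqn = (self.sqn + 1) & 0xFF                    # 8-bit NAS SQN wraps ...
        if self.sqn == 0:
            self.overflow = (self.overflow + 1) & 0xFFFF    # ... and carries into NAS OVERFLOW
        return pdu

class NasReceiver:
    """Rebuilds NAS COUNT from the received SQN and its own NAS OVERFLOW estimate."""
    def __init__(self, knasint, direction):
        self.k, self.dir, self.overflow, self.last_sqn = knasint, direction, 0, None

    def verify(self, pdu) -> bool:
        sqn, msg, mac = pdu
        overflow = self.overflow
        if self.last_sqn is not None and sqn <= self.last_sqn:
            overflow += 1   # assume the sender's SQN wrapped; a replayed old SQN fails the MAC instead
        ok = hmac.compare_digest(mac, nas_mac(self.k, overflow, sqn, self.dir, msg))
        if ok:              # advance state only on a verified, fresh message
            self.overflow, self.last_sqn = overflow, sqn
        return ok
```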
AS Security Procedure (TS 33.501 – 6.7.4)

The gNB begins integrity protection and then sends the integrity-protected Security Mode Command message to the UE, which includes…
- RRC integrity algorithm
- RRC ciphering algorithm
- User Plane integrity algorithm
- User Plane ciphering algorithm
The message is integrity-protected with the RRC integrity key, which is derived from KgNB.

Once the message is sent, the gNB begins downlink ciphering.
The UE receives the message and verifies its integrity. If successful, the UE begins RRC integrity protection and RRC downlink deciphering. The UE responds with the Security Mode Complete message to the gNB.

When the UE sends the Security Mode Complete message, the UE begins RRC Uplink ciphering. The gNB receives the message and begins RRC Uplink deciphering.


At this point, security is set up between the UE and the gNB. To better understand the key hierarchy between the UE and the gNB, refer to the diagram below.

RRC Integrity Protection
Integrity protection is provided by the PDCP layer.
- 128-bit NIA algorithm with the following inputs:
  - KEY: Krrcintas (128-bit integrity key)
  - BEARER: 5-bit bearer identity
  - DIRECTION: 1-bit direction of transmission
  - COUNT: bearer-specific, direction-dependent 32-bit PDCP COUNT
RRC Confidentiality
Confidentiality is provided by the PDCP layer.
- 128-bit NEA algorithm with the following inputs:
  - KEY: Krrcencas (128-bit cipher key)
  - BEARER: 5-bit bearer identity
  - DIRECTION: 1-bit direction of transmission
  - LENGTH: length of the key stream required
  - COUNT: bearer-specific, direction-dependent 32-bit PDCP COUNT
User Plane Confidentiality
User Plane confidentiality is provided by the PDCP layer.
- 128-bit NEA algorithm with the following inputs:
  - KEY: Kupencas (128-bit cipher key)
  - BEARER: 5-bit bearer identity
  - DIRECTION: 1-bit direction of transmission
  - LENGTH: length of the key stream required
  - COUNT: bearer-specific, direction-dependent 32-bit PDCP COUNT
User Plane Integrity
User Plane integrity is provided by the PDCP layer.
- 128-bit NIA algorithm with the following inputs:
  - KEY: Kupintas (128-bit integrity key)
  - BEARER: 5-bit bearer identity
  - DIRECTION: 1-bit direction of transmission
  - COUNT: bearer-specific, direction-dependent 32-bit PDCP COUNT