5G Authentication

A User Equipment (UE) attempting to use the services of a 5G System (5GS) must first be authenticated. The network authenticates the UE to confirm that it's indeed a valid subscriber. Likewise, the UE authenticates the network to ensure it's talking to the genuine service provider.

5G improves on the authentication procedures provided by 4G. It introduces new network functions, each executing specific steps of the overall security procedures. Since authentication is accompanied by key agreement, the term Authentication and Key Agreement (AKA) is common. The keys agreed during authentication are used to cipher or integrity protect data where secure communication is warranted.

5G defines primary and secondary AKA. Common authentication methods are 5G AKA and EAP-AKA'. In addition, for private networks, EAP-TLS and EAP-TTLS are available.

Discussion

  • What network functions are involved in 5G authentication?
    Different network functions participating in 5G authentication. Source: ENISA 2021, fig. 13.

    AKA starts with the UE sending its identity (such as SUCI or 5G-GUTI) and the Serving Network Name (SNN) to the Security Anchor Function (SEAF). SEAF forwards this information to the Authentication Server Function (AUSF) and requests AUSF to authenticate the UE. In Release 17, SEAF is co-located with the Access and Mobility Management Function (AMF).

    AUSF requests Unified Data Management (UDM) for UE-specific information for the purpose of authentication. Co-located with UDM are Authentication Credential Repository and Processing Function (ARPF) and Subscription Identifier De-concealing Function (SIDF). ARPF obtains and stores authentication subscription data from UDR. It stores the long-term secret key. It also computes authentication data similar to what's done at the UE. SIDF de-conceals SUCI into SUPI using the Home Network Private Key. UE previously formed the SUCI from SUPI using the Home Network Public Key.

    New security functions introduced by 5G are AUSF, ARPF, SIDF and SEAF. AMF and SEAF are in the serving network. AUSF and UDM are in the home network.

  • Could you give an overview of AKA?

    Both UE and home network share a long-term secret key. The network creates a random number challenge RAND. Using the secret key and RAND, it computes an expected response XRES*. It also computes AUTN. It sends RAND and AUTN to the UE. The UE verifies that AUTN is valid. It then computes RES* and sends this back to the home network. The network verifies that RES* equals XRES*.

    The serving network compares only the hashed versions of these responses. This allows the home network to authenticate a subscriber even over an untrusted serving network.

    5G defines four authentication procedures or methods: 5G AKA, EAP-AKA', EAP-TLS and EAP-TTLS. UE and serving network must support 5G AKA and EAP-AKA'. The other two are for private networks.

    UE sends 5G-GUTI if available from a previous authentication. Otherwise it sends SUCI. Thus, when SEAF invokes AUSF for authentication it sends either SUPI (inferred from 5G-GUTI) or SUCI. Based on the SUPI and subscription data, UDM/ARPF selects the applicable authentication procedure.

  • In 5G, what's primary and secondary authentication?
    Overview of primary and secondary authentication. Source: Tabbane 2019, slide 42.

    Primary authentication is how both the UE and the network perform mutual authentication and generate the security keys. Primary AKA involves the UDM and AUSF of the home network. Key \(K_{AUSF}\) is established between UE and home network. The anchor key \(K_{SEAF}\) is generated from \(K_{AUSF}\). AUSF provides \(K_{SEAF}\) to the SEAF of the serving network. \(K_{SEAF}\) can be used to derive keys for more than one security context (such as untrusted non-3GPP access). \(K_{SEAF}\) is bound to that serving network, thus preventing one serving network from claiming to be another. A successful primary authentication leads to NAS Security Mode Command procedure between AMF and UE.

    Secondary authentication is applicable when primary authentication has happened earlier. It allows 5GS to delegate authentication to third parties. For example, external data networks can invoke secondary authentication during the setup of user plane connections. Thus, service providers can choose to implement an extra layer of authentication before their users are allowed to access their services.

  • How does 5G improve upon 4G's authentication?
    Comparing 4G and 5G authentication. Source: CableLabs 2019, table 1.

    5G's authentication framework is unified and extensible. Same methods can be used for 3GPP access and non-3GPP (such as Wi-Fi) access. The use of Extensible Authentication Protocol (EAP) means that new authentication methods can be added in future.

    Subscriber privacy is improved. Unlike in 4G, subscriber identity is not exposed during the attach procedure. 5G uses SUPI as the UE identity but this is encrypted and sent as SUCI. This prevents rogue base stations from capturing the subscriber identity.

    In roaming scenarios, the home network has greater control. Using a field called Serving Network Name, the authentication procedure ensures that the UE is indeed connected to the serving network. Thus there's mutual authentication, that is, UE and network both authenticate each other. Inter-PLMN signalling is secured by new edge nodes called Security Edge Protection Proxy (SEPP). SEPP prevents bidding down attacks.

    5G introduces the Security Anchor Function (SEAF). This reduces signalling when UE moves across access networks or serving networks. Multiple security contexts can be established without invoking a fresh authentication procedure again.

  • What's the 5G Authentication Vector (AV)?
    5G Home Environment Authentication Vector. Source: Adapted from Green 2021, fig. 2.

    AV consists of a few fields that are used for authentication. 5G has the following variations of AV:

    • 5G Home Environment (HE) Authentication Vector: Consists of RAND, AUTN, XRES*, and \(K_{AUSF}\). AUSF obtains this from UDM/ARPF. UDM/ARPF creates this as part of 5G AKA procedure.
    • 5G Authentication Vector: Consists of RAND, AUTN, HXRES*, and \(K_{SEAF}\). SEAF obtains this from AUSF. This shall not be transmitted between SEAFs or from 5GC to EPC. AUSF generates HXRES* from XRES* and RAND. AUSF generates \(K_{SEAF}\) from \(K_{AUSF}\).
    • 5G Serving Environment (SE) Authentication Vector: Consists of RAND, AUTN and HXRES*.
    • Authentication Vector: Consists of RAND, AUTN, XRES, CK, and IK. UE obtains RAND and AUTN from AMF. The f1-f5 algorithms are used to generate the 5G HE AV.
    • Transformed Authentication Vector: Abbreviated as AV', it's AV with CK and IK replaced by CK' and IK'. For EAP-AKA', UDM/ARPF generates and sends AV' to AUSF.

  • Could you describe the 5G AKA procedure?
    5G AKA procedure. Source: ETSI 2024a, fig. 6.1.3.2-1.

    UE sends SUCI or 5G-GUTI via N1 message to SEAF. SEAF makes a UE authentication request to AUSF, passing SUCI/SUPI and SNN. AUSF passes the same to UDM.

    UDM/ARPF generates the 5G HE AV. Given SUCI, SIDF will de-conceal it. UDM sends 5G HE AV and SUPI to AUSF in the response. No actual authentication has taken place at this point.

    AUSF computes HXRES* and generates \(K_{SEAF}\) from \(K_{AUSF}\). AUSF then sends 5G SE AV to SEAF. \(K_{SEAF}\) is not sent to SEAF at this point.

    SEAF sends RAND and AUTN to the UE. UE verifies AUTN. It computes RES* and sends this to SEAF. SEAF computes HRES*. If HRES* equals HXRES*, authentication from the serving network's perspective is successful. SEAF forwards RES* to AUSF.

    AUSF compares RES* with XRES*, provided 5G AV hasn't expired. If equal, authentication from the home network's perspective is successful. AUSF sends SUPI and \(K_{SEAF}\) to the SEAF only after successful authentication. SEAF generates \(K_{AMF}\). It sends ngKSI and \(K_{AMF}\) to AMF. SEAF shall provide services to the UE only after SUPI is known within the serving network.
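
    The two-stage check described above (HRES* against HXRES* at the SEAF, then RES* against XRES* at the AUSF, with \(K_{SEAF}\) released only afterwards) can be traced in code. This is an added example, not code from the article or from 3GPP: the KDF layout and FC values follow TS 33.501 Annex A and TS 33.220 Annex B, an HMAC stand-in replaces the real f2-f4 algorithms, AUTN handling is left out, and the key and SNN values are constructed.

```python
import hashlib
import hmac
import os

def kdf(key, fc, *params):
    """3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def f_standin(k, label, rand, n):
    """NOT Milenage/TUAK: an HMAC stand-in for f2, f3, f4 so the example runs offline."""
    return hmac.new(k, label + rand, hashlib.sha256).digest()[:n]

def usim_outputs(k, rand):
    """RES/XRES, CK and IK, computed identically by the USIM and by UDM/ARPF."""
    return (f_standin(k, b"f2|", rand, 8), f_standin(k, b"f3|", rand, 16),
            f_standin(k, b"f4|", rand, 16))

def res_star(k, snn, rand):
    # TS 33.501 Annex A.4: FC 0x6B, key CK||IK, keep the 128 least significant bits.
    res, ck, ik = usim_outputs(k, rand)
    return kdf(ck + ik, 0x6B, snn, rand, res)[-16:]

def hres_star(rand, res_star_value):
    # Annex A.5: SHA-256(RAND || RES*), keep the 128 least significant bits.
    return hashlib.sha256(rand + res_star_value).digest()[-16:]

def udm_arpf_he_av(k, snn, rand, sqn_xor_ak):
    """UDM/ARPF: the 5G HE AV fields used here (AUTN is left out of this example)."""
    _, ck, ik = usim_outputs(k, rand)
    return {"RAND": rand, "XRES*": res_star(k, snn, rand),
            "K_AUSF": kdf(ck + ik, 0x6A, snn, sqn_xor_ak)}  # Annex A.2

def ausf_se_av(he_av, snn):
    """AUSF: XRES* and K_SEAF stay in the home network; the SEAF gets RAND and HXRES*."""
    k_seaf = kdf(he_av["K_AUSF"], 0x6C, snn)  # Annex A.6, bound to the SNN
    return {"RAND": he_av["RAND"],
            "HXRES*": hres_star(he_av["RAND"], he_av["XRES*"])}, k_seaf

def run_5g_aka(k_home, k_ue, snn_claimed, snn_ue):
    """One 5G AKA run. Returns (seaf_ok, ausf_ok, K_SEAF released to the SEAF or None)."""
    rand, sqn_xor_ak = os.urandom(16), os.urandom(6)  # constructed per-run values
    he_av = udm_arpf_he_av(k_home, snn_claimed, rand, sqn_xor_ak)
    se_av, k_seaf = ausf_se_av(he_av, snn_claimed)
    ue_res_star = res_star(k_ue, snn_ue, se_av["RAND"])  # UE uses the SNN it sees
    seaf_ok = hmac.compare_digest(hres_star(se_av["RAND"], ue_res_star), se_av["HXRES*"])
    ausf_ok = seaf_ok and hmac.compare_digest(ue_res_star, he_av["XRES*"])
    return seaf_ok, ausf_ok, (k_seaf if ausf_ok else None)

K = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed long-term key
SNN = b"5G:mnc001.mcc001.3gppnetwork.org"              # constructed SNN
OTHER_SNN = b"5G:mnc002.mcc001.3gppnetwork.org"        # constructed SNN

if __name__ == "__main__":
    print("genuine UE and network:", run_5g_aka(K, K, SNN, SNN)[:2])
    print("wrong long-term key   :", run_5g_aka(K, os.urandom(16), SNN, SNN)[:2])
    print("SNN mismatch          :", run_5g_aka(K, K, OTHER_SNN, SNN)[:2])
```

    Because the SNN is an input to RES*, \(K_{AUSF}\) and \(K_{SEAF}\), a run in which the SNN claimed towards the home network differs from the one the UE used fails at both checks and no anchor key is released.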

  • Could you describe the EAP-AKA' procedure?
    EAP-AKA' procedure. Source: ETSI 2024a, fig. 6.1.3.1-1.

    EAP framework of RFC 3748 specifies the roles peer, pass-through authenticator and back-end authentication server. In 5G, these roles are performed by UE, SEAF and AUSF respectively.

    UDM/ARPF generates the AV. It then replaces CK and IK with CK' and IK' to obtain AV'. UDM/ARPF sends AV' to AUSF with an indication that EAP-AKA' is to be used.

    AUSF sends EAP-Request/AKA'-Challenge message to SEAF, which transparently sends the same to UE in a NAS message. SEAF includes ngKSI and ABBA parameter in this message. ME forwards to USIM AUTN and RAND from this NAS message. If AUTN verification in USIM succeeds, UE responds to SEAF with EAP-Response/AKA'-Challenge. SEAF transparently forwards this to AUSF. AUSF and UE may also exchange EAP-(Request|Response)/AKA'-Notification messages. SEAF transparently relays them.

    AUSF compares XRES and RES. If equal, authentication succeeds. Starting from CK' and IK', AUSF generates EMSK, \(K_{AUSF}\) and \(K_{SEAF}\). AUSF sends EAP Success message to SEAF with \(K_{SEAF}\) and optionally SUPI.

    SEAF generates \(K_{AMF}\) from \(K_{SEAF}\). It sends ngKSI and \(K_{AMF}\) to AMF. SEAF sends EAP Success message to UE. UE then derives necessary keys.

  • Under what conditions can 5G authentication fail?

    UE uses AUTN to ensure freshness of the authentication procedure. If verification fails due to synchronization, USIM sends AUTS to ME. ME sends this to SEAF, which forwards it to UDM/ARPF.

    UDM could reject the subscriber based on certain subscription data such as roaming restrictions.

    Even for a valid subscriber, AUSF can reject the procedure for the reason that the serving network is not authorized to use the SNN sent by SEAF.

    Authentication fails if SEAF doesn't get any reply from UE, HRES* doesn't match HXRES* at the SEAF, 5G AV has expired at the AUSF or RES* doesn't match XRES* at the AUSF. In any case, AUSF will inform UDM/ARPF and SEAF of the authentication result.
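
    The AUTN check on the USIM and the synchronization failure path can be sketched as follows. This is an added example, not code from the article or from 3GPP: the AUTN and AUTS layouts follow TS 33.102, an HMAC stand-in replaces the real f1, f1*, f5 and f5* algorithms, the freshness window is a simplified assumption (the actual SQN policy is USIM-specific), and the key and RAND are constructed.

```python
import hashlib
import hmac

def f(k, label, *parts, n):
    """NOT Milenage/TUAK: an HMAC stand-in for f1, f1*, f5 and f5*."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

AUTN_AMF = bytes.fromhex("8000")  # Authentication Management Field, not the AMF network function
RESYNC_AMF = bytes(2)             # MAC-S is computed over an all-zero AMF field

def network_autn(k, rand, sqn):
    """UDM/ARPF: AUTN = (SQN xor AK) || AMF || MAC."""
    sqn_b = sqn.to_bytes(6, "big")
    mac = f(k, b"f1|", sqn_b, rand, AUTN_AMF, n=8)
    return xor(sqn_b, f(k, b"f5|", rand, n=6)) + AUTN_AMF + mac

def usim_verify(k, rand, autn, sqn_ms, window=32):
    """USIM: ('ok', SQN), ('mac_failure', None) or ('synch_failure', AUTS)."""
    conc, amf, mac = autn[:6], autn[6:8], autn[8:16]
    sqn_b = xor(conc, f(k, b"f5|", rand, n=6))
    if not hmac.compare_digest(mac, f(k, b"f1|", sqn_b, rand, amf, n=8)):
        return "mac_failure", None          # AUTN was not produced with this key
    sqn = int.from_bytes(sqn_b, "big")
    if sqn <= sqn_ms or sqn - sqn_ms > window:   # simplified freshness policy (assumption)
        ms_b = sqn_ms.to_bytes(6, "big")
        mac_s = f(k, b"f1*|", ms_b, rand, RESYNC_AMF, n=8)
        return "synch_failure", xor(ms_b, f(k, b"f5*|", rand, n=6)) + mac_s
    return "ok", sqn

def arpf_resync(k, rand, auts):
    """UDM/ARPF: check MAC-S in AUTS and return the USIM's SQN, or None if it is invalid."""
    ms_b = xor(auts[:6], f(k, b"f5*|", rand, n=6))
    if not hmac.compare_digest(auts[6:], f(k, b"f1*|", ms_b, rand, RESYNC_AMF, n=8)):
        return None
    return int.from_bytes(ms_b, "big")

K = bytes.fromhex("00112233445566778899aabbccddeeff")     # constructed long-term key
RAND = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed challenge

if __name__ == "__main__":
    autn = network_autn(K, RAND, sqn=101)
    print(usim_verify(K, RAND, autn, sqn_ms=100)[0])         # fresh challenge
    status, auts = usim_verify(K, RAND, autn, sqn_ms=101)    # same challenge seen again
    print(status, arpf_resync(K, RAND, auts))
    forged = network_autn(bytes(16), RAND, sqn=102)          # AUTN built without K
    print(usim_verify(K, RAND, forged, sqn_ms=101)[0])
```

    A stale or repeated challenge yields a synchronization failure whose AUTS lets UDM/ARPF recover the USIM's sequence number, while an AUTN built without the long-term key is rejected as a MAC failure before any sequence number is examined.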

  • How's 5G authentication done in the case of roaming?
    5G authentication during roaming. Source: Green 2021, fig. 3.

    For roaming, home and visited networks are connected via the IPX (IP eXchange). Unlike 4G, 5G doesn't permit direct connections to the IPX. Instead, a Security Edge Protection Proxy (SEPP) entity at the edge of the PLMN acts as a gateway to the IPX. N32 connects the SEPPs in hPLMN and vPLMN. N9 connects the UPFs in hPLMN and vPLMN. These interfaces are secured using PRINS (Protocol for N32 Interconnect Security) and IPUPS (Inter-PLMN User Plane Security) respectively.

    SEAF in the vPLMN may call an API of AUSF in the hPLMN. This call goes via vSEPP and hSEPP. AVs when sent between SEPPs are end-to-end encrypted using PRINS.

    SEAF also passes RES* to AUSF in the hPLMN. AUSF compares this with XRES* received from UDM/ARPF, thus authenticating the vPLMN, that is, confirming that the UE is actually connected to the vPLMN.

  • What vulnerabilities are present with 5G authentication?
    Possible attacks against 2G/3G/4G/5G authentication. Source: 5G Americas 2019, fig. 3.2.

    Pre-authentication messages are sent in the clear. A Denial-of-Service (DoS) attack is possible. This can lead to discovery of the UE's location. Although Radio Network Temporary Identifier (RNTI) is temporary, it can be used to locate the UE. Spoofing a real gNB is one way to perform a DoS attack. If the fake gNB can connect to the core network it can even get hold of \(K_{gNB}\). This exposes user plane traffic, provided it's not end-to-end encrypted.

    Certain aspects of key management are not standardized and are left to operators. In the face of market pressure and early rollout, operators may compromise on security. One study calls this "under-specification of security goals". For example, SQNs monitored over time can lead to the correct SQN. \(K_{SEAF}\) may be reused across sessions, leading to a replay attack. When two AKA procedures run concurrently, it's possible to associate \(K_{SEAF}\) to the correct UE but to the wrong SUPI. An attacker could exploit this to use 5G services while someone else is billed for it.

Milestones

Jan 2006

At the IETF, EAP-AKA is published as RFC 4187. In May 2009, this is improved to EAP-AKA' as RFC 5448. EAP-AKA' itself is improved further by RFC 9048 in October 2021. While RFC 5448 covered only 4G deployments, RFC 9048 covers both 4G and 5G deployments.

Jun 2018

3GPP approves "main drop" of Release 15. This release includes authentication methods 5G AKA and EAP-AKA'.

Sep 2018

In an update to Release 15, 3GPP introduces EAP-TLS as an optional authentication method. This is applicable to private networks. EAP-TLS was published by IETF as RFC 5216 in March 2008. This RFC uses TLS to give EAP certificate-based mutual authentication and key derivation.

Oct 2018
Minimal assumptions required for 5G AKA to achieve authentication properties. Source: Basin et al. 2018, table 1.

Basin et al. show that 5G specifications under-specify authentication requirements. They use the Tamarin prover for a detailed analysis of 5G AKA. They model agreements as injective, non-injective or weak.

Mar 2022

In an update to Release 17, 3GPP introduces EAP-TTLS. A UE connected to a Standalone Non-Public Network (SNPN) can use this method when the credential holder (such as an AAA server) is outside of 5GC.

Feb 2024

An IETF draft (version 12) proposes improvements to EAP-AKA' (RFC 5448 and RFC 9048) with Forward Secrecy (FS) for the session keys. FS means that session keys become ephemeral. Even if the long-term key on the USIM is compromised, an attacker can't decrypt past sessions. Attack on future sessions requires an active attack at the risk of detection. Brute force attacks become less worthwhile. This draft was first proposed (version 0) in July 2019.

References

  1. 5G Americas. 2019. "The Evolution of Security in 5G." White paper, 5G Americas, July. Accessed 2024-04-04.
  2. Arkko, J. and H. Haverinen. 2006. "Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)." RFC 4187, IETF, January. Accessed 2014-04-04.
  3. Arkko, J., V. Lehtovirta, and P. Eronen. 2009. "Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)." RFC 5448, IETF, May. Accessed 2014-04-04.
  4. Arkko, J., K. Norrman, and V. Torvinen. 2019. "Perfect-Forward Secrecy for the Extensible Authentication Protocol Method for Authentication and Key Agreement (EAP-AKA' PFS)." v00, Internet-Draft, IETF, July 25. Accessed 2024-04-04.
  5. Arkko, J., V. Lehtovirta, V. Torvinen, and P. Eronen. 2021. "Improved Extensible Authentication Protocol Method for 3GPP Mobile Network Authentication and Key Agreement (EAP-AKA')." RFC 9048, IETF, October. Accessed 2014-04-04.
  6. Arkko, J., K. Norrman, and J. P. Mattsson. 2024. "Forward Secrecy for the Extensible Authentication Protocol Method for Authentication and Key Agreement (EAP-AKA' FS)." v12, Internet-Draft, IETF, February 19. Accessed 2024-04-04.
  7. Avi Networks. 2023. "Perfect Forward Secrecy (PFS)." Glossary, Avi Networks, June 23. Accessed 2014-04-04.
  8. Basin, D., J. Dreier, L. Hirschi, S. Radomirovic, R. Sasse, and V. Stettler. 2018. "A Formal Analysis of 5G Authentication." CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1383–1396, October 15-19. doi: 10.1145/3243734.3243846. Accessed 2024-04-04.
  9. CableLabs. 2019. "A Comparative Introduction to 4G and 5G Authentication." CableLabs, March 7. Accessed 2024-04-15.
  10. Dano, Mike. 2019. "Another set of 5G standards was just released, but no one really cares." LightReading, April 5. Accessed 2024-04-04.
  11. ENISA. 2021. "Security in 5G Specifications: Controls in 3GPP Security Specifications (5G SA)." ENISA, February. Accessed 2024-03-03.
  12. ETSI. 2022a. "TS 129 509: 5G; 5G System; Authentication Server Services; Stage 3." V15.8.0, July. Accessed 2024-04-04.
  13. ETSI. 2023a. "TS 129 509: 5G; 5G System; Authentication Server Services; Stage 3." V17.9.0, July. Accessed 2024-04-04.
  14. ETSI. 2024a. "TS 133 501: 5G; Security architecture and procedures for 5G System." V17.12.0, January. Accessed 2024-04-03.
  15. ETSI. 2024b. "TS 129 503: 5G; 5G System; Unified Data Management Services; Stage 3." V17.13.0, January. Accessed 2014-04-04.
  16. GSMA. 2021. "5GS Roaming Guidelines." v5.0, GSMA, December 14. Accessed 2024-04-03.
  17. Green, G. 2021. "5G Security when Roaming – Part 1." Blog, Mpirical, April 22. Accessed 2024-04-03.
  18. Holtrup, G., W. Lacube, D. P. David, A. Mermoud, G. Bovet, and V. Lenders. 2021. "5G System Security Analysis." v2, arXiv, August 20. Accessed 2024-03-03.
  19. Jover, R. P. and V. Marojevic. 2019. "Security and Protocol Exploit Analysis of the 5G Specifications." IEEE Access, vol. 7, pp. 24956-24963. doi: 10.1109/ACCESS.2019.2899254. Accessed 2024-03-03.
  20. Livingston, V. 2019. "What's the answer for 5G security?" TechTarget, November 20. Accessed 2024-04-04.
  21. Simon, D., B. Aboba, and R. Hurst. 2008. "The EAP-TLS Authentication Protocol." RFC 5216, IETF, March. Accessed 2024-04-04.
  22. Tabbane, S. 2019. "4G and 5G networks security techniques and algorithms." Slides, ITU PITA Workshop on Mobile network planning and security, October 23-25. Accessed 2024-04-13.

Further Reading

  1. ETSI. 2024a. "TS 133 501: 5G; Security architecture and procedures for 5G System." V17.12.0, January. Accessed 2024-04-03.
  2. Basin, D., J. Dreier, L. Hirschi, S. Radomirovic, R. Sasse, and V. Stettler. 2018. "A Formal Analysis of 5G Authentication." CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1383–1396, October 15-19. doi: 10.1145/3243734.3243846. Accessed 2024-04-04.
  3. Simon, D., B. Aboba, and R. Hurst. 2008. "The EAP-TLS Authentication Protocol." RFC 5216, IETF, March. Accessed 2024-04-04.
  4. ENISA. 2021. "Security in 5G Specifications: Controls in 3GPP Security Specifications (5G SA)." ENISA, February. Accessed 2024-03-03.

Cite As

Devopedia. 2024. "5G Authentication." Version 4, April 15. Accessed 2024-06-25. https://devopedia.org/5g-authentication
Contributed by
1 author


Last updated on
2024-04-15 03:18:39