Why 5G Authentication Is Different
Authentication in 5G represents a fundamental architectural shift from 4G LTE. In LTE, the MME directly communicates with the HSS to fetch authentication vectors, and the entire process is based on EPS-AKA -- a single method. 5G introduces a unified authentication framework defined in TS 33.501 (Security architecture and procedures for 5G System) that supports two primary methods: 5G-AKA and EAP-AKA' (EAP-AKA Prime). Both methods derive from the same root key K stored in the USIM but differ in their confirmation mechanisms and extensibility.
The key innovation is the introduction of the AUSF (Authentication Server Function) and SIDF (Subscription Identifier De-concealing Function) as dedicated network functions, separating authentication logic from mobility management. This separation enables home-network-controlled authentication even when the UE is roaming -- a critical security improvement over 4G where the visited network's MME had significant control.
Network Functions in 5G Authentication
| Network Function | Role in Authentication | Location | 3GPP Reference |
|---|---|---|---|
| UE (USIM) | Stores root key K, computes RES, derives keys | Terminal | TS 33.501 clause 6.1 |
| SEAF (in AMF) | Initiates authentication, derives K-AMF | Visited PLMN | TS 33.501 clause 6.1.3 |
| AUSF | Authentication server, stores K-AUSF, confirms auth | Home PLMN | TS 33.501 clause 6.1.2 |
| UDM/ARPF | Generates AV from K, selects auth method | Home PLMN | TS 33.501 clause 6.1.2 |
| SIDF (in UDM) | De-conceals SUCI to recover SUPI | Home PLMN | TS 33.501 clause 6.12 |
The ARPF (Authentication credential Repository and Processing Function) is co-located with the UDM and has access to the subscriber's permanent key K and the sequence number SQN. The SIDF uses the home network's private key to decrypt the SUCI and recover the SUPI -- ensuring that the permanent identity is never exposed over the air interface.
SUPI vs SUCI: Identity Privacy
In 4G, the IMSI is transmitted in cleartext during initial attach, enabling IMSI-catcher attacks. 5G solves this with SUCI (Subscription Concealed Identifier):
| Identity | Format | Privacy | When Used |
|---|---|---|---|
| SUPI | IMSI (MCC+MNC+MSIN) or NAI | Permanent, never sent over air | Stored in USIM, used internally by core |
| SUCI | ECIES-encrypted MSIN + home network public key ID | Concealed | Sent in Registration Request |
| 5G-GUTI | AMF-assigned temporary ID | Temporary | Used after initial registration |
The SUCI is generated by the USIM or ME using ECIES Profile A (Curve25519) or Profile B (secp256r1) as defined in TS 33.501 Annex C. The encryption uses the home network's public key, which is provisioned in the USIM.
Worked Example 1 -- SUCI Construction
Given:
- SUPI (IMSI): 310260123456789
- MCC: 310, MNC: 260, MSIN: 123456789
- Home Network Public Key ID: 1
- Protection Scheme: ECIES Profile A (X25519 + AES-128-CTR + HMAC-SHA-256)
The SUCI construction process:
- USIM generates ephemeral X25519 key pair: (eSK, ePK)
- Compute shared secret: SS = X25519(eSK, HN_PK) where HN_PK is the home network public key
- Derive encryption key and MAC key from SS using ANSI-X9.63-KDF
- Encrypt MSIN: EncMSIN = AES-128-CTR(K_enc, "123456789")
- Compute MAC: MAC = HMAC-SHA-256(K_mac, EncMSIN)
- SUCI = {SUPI Type=IMSI, MCC=310, MNC=260, RoutingIndicator=0xff, ProtectionSchemeId=1, HN_PubKey_ID=1, ePK || EncMSIN || MAC}
The resulting SUCI is approximately 50--70 bytes depending on the scheme. Only the home PLMN's SIDF can decrypt it because it holds the corresponding private key.
NTT DOCOMO confirmed in their 2024 security implementation report that 100% of 5G SA registrations on their network use SUCI with ECIES Profile A, with decryption at the SIDF adding less than 2 ms to the authentication procedure.
5G-AKA Procedure -- Step by Step
5G-AKA is the primary authentication method for 3GPP access. The full procedure involves the following steps:
Message Flow
| Step | Direction | Message | Key Parameters |
|---|---|---|---|
| 1 | UE -> AMF | Registration Request | SUCI (or 5G-GUTI) |
| 2 | AMF (SEAF) -> AUSF | Nausf_UEAuthentication_Authenticate Request | SUCI, Serving Network Name (SN-name) |
| 3 | AUSF -> UDM | Nudm_UEAuthentication_Get Request | SUCI, SN-name |
| 4 | UDM (SIDF) | De-conceal SUCI -> SUPI | Internal operation |
| 5 | UDM (ARPF) | Generate 5G HE AV | Compute (RAND, AUTN, XRES*, K-AUSF) from K and SQN |
| 6 | UDM -> AUSF | Nudm_UEAuthentication_Get Response | 5G HE AV (RAND, AUTN, XRES*, K-AUSF) |
| 7 | AUSF | Store XRES*, derive HXRES* | HXRES* = SHA-256(RAND || XRES*) |
| 8 | AUSF -> AMF | Nausf_UEAuthentication_Authenticate Response | 5G SE AV (RAND, AUTN, HXRES*) |
| 9 | AMF -> UE | NAS Authentication Request | RAND, AUTN, ngKSI |
| 10 | UE (USIM) | Verify AUTN, compute RES* | Verifies SQN, MAC; derives CK, IK, RES; ME computes RES* |
| 11 | UE -> AMF | NAS Authentication Response | RES* |
| 12 | AMF (SEAF) | Compute HRES*, compare with HXRES* | HRES* = SHA-256(RAND || RES*); if HRES* == HXRES* -> success |
| 13 | AMF -> AUSF | Nausf_UEAuthentication_Authenticate Request | RES* |
| 14 | AUSF | Compare RES* with XRES* | Final confirmation at home PLMN |
| 15 | AUSF -> AMF | Authentication result + K-SEAF | Derived from K-AUSF |
The critical difference from 4G EPS-AKA is the dual confirmation: the AMF performs a preliminary check using HXRES*/HRES* (a hash of the response), while the AUSF performs the definitive check using XRES*/RES*. Because the SEAF only ever receives the hash, a visited network cannot learn XRES* and cannot declare success on its own; the home network always has the final say on authentication success.
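The dual confirmation above, as an added example that is not part of the original page or any 3GPP code: it implements the RES*/XRES* derivation of TS 33.501 Annex A.4, the HRES*/HXRES* hash of Annex A.5, and the two comparisons of steps 12 and 14. Milenage f2/f3/f4 are AES-based and are not implemented; `stand_in_milenage()` replaces them with HMAC-SHA-256 so the flow runs on the Python standard library, and `K_SUBSCRIBER` and every RAND are constructed test values. The `ue_sn_name` parameter is an assumption added purely to show what happens when the UE binds RES* to a different serving network name than the AUSF used.

```python
import hashlib
import hmac
import os

# Added example: 5G-AKA dual confirmation (SEAF checks HRES* vs HXRES*, AUSF checks RES* vs XRES*).
# Milenage is replaced by an HMAC stand-in; all key/RAND values are constructed test data.

K_SUBSCRIBER = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed test key


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B.2):
    HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), Li = 2-octet length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def serving_network_name(mcc: int, mnc: int) -> str:
    """SN-name (TS 33.501 clause 6.1.1.4); a two-digit MNC is left-padded to three digits."""
    return f"5G:mnc{mnc:0>3}.mcc{mcc:0>3}.3gppnetwork.org"


def stand_in_milenage(k: bytes, rand: bytes):
    """Stand-in for Milenage f2/f3/f4 -> (RES, CK, IK). NOT the real TS 35.206 algorithm."""
    res = hmac.new(k, b"f2" + rand, hashlib.sha256).digest()[:8]
    ck = hmac.new(k, b"f3" + rand, hashlib.sha256).digest()[:16]
    ik = hmac.new(k, b"f4" + rand, hashlib.sha256).digest()[:16]
    return res, ck, ik


def res_star(ck: bytes, ik: bytes, sn_name: str, rand: bytes, res: bytes) -> bytes:
    """RES*/XRES* (Annex A.4): FC=0x6B, key CK||IK, P0=SN-name, P1=RAND, P2=RES;
    the rightmost 128 bits of the 256-bit KDF output are used."""
    return kdf(ck + ik, 0x6B, sn_name.encode(), rand, res)[16:]


def hres_star(rand: bytes, res_star_value: bytes) -> bytes:
    """HRES*/HXRES* (Annex A.5): leftmost 128 bits of SHA-256(RAND || RES*)."""
    return hashlib.sha256(rand + res_star_value).digest()[:16]


def home_network_av(k: bytes, sn_name: str, rand: bytes = None):
    """Steps 5-8: ARPF computes XRES*; the AUSF keeps the 5G HE AV and hands the SEAF
    a 5G SE AV that carries HXRES* instead of XRES*. AUTN and K_AUSF are omitted here."""
    rand = rand or os.urandom(16)
    xres, ck, ik = stand_in_milenage(k, rand)
    xres_star = res_star(ck, ik, sn_name, rand, xres)
    he_av = {"RAND": rand, "XRES*": xres_star}                     # stays at the AUSF
    se_av = {"RAND": rand, "HXRES*": hres_star(rand, xres_star)}   # sent to the SEAF
    return he_av, se_av


def ue_response(k: bytes, sn_name: str, rand: bytes) -> bytes:
    """Step 10: USIM runs AKA on RAND; the ME computes RES* with the SN-name it is attached to."""
    res, ck, ik = stand_in_milenage(k, rand)
    return res_star(ck, ik, sn_name, rand, res)


def seaf_check(se_av: dict, res_star_from_ue: bytes) -> bool:
    """Step 12: preliminary check in the visited PLMN; only HXRES* is available here."""
    return hmac.compare_digest(hres_star(se_av["RAND"], res_star_from_ue), se_av["HXRES*"])


def ausf_check(he_av: dict, res_star_from_ue: bytes) -> bool:
    """Step 14: definitive check in the home PLMN against the stored XRES*."""
    return hmac.compare_digest(res_star_from_ue, he_av["XRES*"])


def run_5g_aka(k: bytes, mcc: int, mnc: int, ue_sn_name: str = None, rand: bytes = None):
    """Returns (SEAF verdict, AUSF verdict). ue_sn_name (hypothetical parameter) lets the UE
    bind RES* to a different SN-name than the AUSF used, to show the serving-network binding."""
    sn_name = serving_network_name(mcc, mnc)
    he_av, se_av = home_network_av(k, sn_name, rand)
    res_star_ue = ue_response(k, ue_sn_name or sn_name, se_av["RAND"])
    return seaf_check(se_av, res_star_ue), ausf_check(he_av, res_star_ue)


if __name__ == "__main__":
    print(run_5g_aka(K_SUBSCRIBER, 310, 260))                                            # (True, True)
    print(run_5g_aka(K_SUBSCRIBER, 310, 260, ue_sn_name=serving_network_name(262, 1)))   # (False, False)
```

The second call shows why the SN-name is part of the RES* derivation: a response computed against a different serving network fails both the SEAF's hash check and the AUSF's final check, even though the USIM computed the correct RES from the same RAND.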
EAP-AKA' Procedure
EAP-AKA' (defined in RFC 9048 and referenced in TS 33.501 clause 6.1.3.1) wraps the AKA challenge inside EAP messages. It is mandatory for non-3GPP access (e.g., Wi-Fi) and optional for 3GPP access.
| Aspect | 5G-AKA | EAP-AKA' |
|---|---|---|
| Primary use | 3GPP access (NR, LTE) | Non-3GPP access (Wi-Fi, wireline) |
| Confirmation | HXRES*/RES* at AMF/AUSF | EAP-Success/Failure from AUSF |
| Messages over NAS | Auth Request/Response (direct) | NAS messages carrying EAP packets |
| Key derivation | K -> CK'/IK' -> K-AUSF | K -> CK'/IK' -> K-AUSF (same) |
| SQN management | Same USIM SQN | Same USIM SQN |
| Home control | AUSF confirms RES* | AUSF sends EAP-Success |
| Extensibility | 5G-specific only | Standard EAP framework, can integrate with AAA |
Both methods ultimately derive the same K-AUSF from the transformed keys CK' and IK'. The subsequent key hierarchy is identical regardless of which method was used.
5G Key Hierarchy
The 5G key hierarchy derives all session keys from the permanent key K stored in the USIM. Each derivation uses a Key Derivation Function (KDF) based on HMAC-SHA-256, as specified in TS 33.220 Annex B.
| Key | Derived From | Derivation Input | Purpose | Length |
|---|---|---|---|---|
| K | Pre-provisioned in USIM | -- | Root key | 128 or 256 bits |
| CK, IK | K (via Milenage/TUAK) | RAND | Cipher key, Integrity key (3GPP legacy) | 128 bits each |
| CK', IK' | CK, IK | SN-name | Transformed keys for 5G | 128 bits each |
| K-AUSF | CK', IK' | SN-name, SQN xor AK | Anchor key at AUSF | 256 bits |
| K-SEAF | K-AUSF | SN-name | Anchor key at SEAF (AMF) | 256 bits |
| K-AMF | K-SEAF | ABBA parameter, SUPI | AMF-specific key | 256 bits |
| K-NAS-enc | K-AMF | Algorithm ID, NAS-enc distinguisher | NAS ciphering key | 128/256 bits |
| K-NAS-int | K-AMF | Algorithm ID, NAS-int distinguisher | NAS integrity key | 128/256 bits |
| K-gNB | K-AMF | NAS uplink COUNT, Access Type | gNB key (sent via NGAP) | 256 bits |
| K-RRC-enc | K-gNB | Algorithm ID, RRC-enc distinguisher | RRC ciphering key | 128/256 bits |
| K-RRC-int | K-gNB | Algorithm ID, RRC-int distinguisher | RRC integrity key | 128/256 bits |
| K-UP-enc | K-gNB | Algorithm ID, UP-enc distinguisher | User-plane ciphering key | 128/256 bits |
| K-UP-int | K-gNB | Algorithm ID, UP-int distinguisher | User-plane integrity key | 128/256 bits |
| NH | K-AMF | K-gNB or prev NH, NCC | Next Hop key for handover | 256 bits |
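The key chain in the table, as an added example that is not part of the original page or any 3GPP code: it derives each key with the generic 3GPP KDF of TS 33.220 Annex B using the FC values and input parameters of TS 33.501 Annex A. Note that for 5G-AKA, Annex A.2 keys the K-AUSF derivation with CK||IK directly; the CK'/IK' transform belongs to the EAP-AKA' path, where K-AUSF is taken from the EMSK and is not shown here. All CK/IK, SQN xor AK, SUPI and ABBA values are constructed, and the ASCII encoding of the IMSI digits as the SUPI input is an assumption of this example.

```python
import hashlib
import hmac

# Added example: 5G key hierarchy K_AUSF -> K_SEAF -> K_AMF -> {NAS keys, K_gNB -> AS keys, NH}
# with the FC values of TS 33.501 Annex A. All input values are constructed test data.

ALG_TYPE = {"NAS-enc": 0x01, "NAS-int": 0x02, "RRC-enc": 0x03,
            "RRC-int": 0x04, "UP-enc": 0x05, "UP-int": 0x06}   # Annex A.8 algorithm type distinguishers
ACCESS_3GPP, ACCESS_NON_3GPP = b"\x01", b"\x02"                 # Annex A.9 access type distinguishers


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B.2):
    HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), Li = 2-octet length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_ausf(ck: bytes, ik: bytes, sn_name: str, sqn_xor_ak: bytes) -> bytes:
    """Annex A.2 (5G-AKA): key CK||IK, FC=0x6A, P0=SN-name, P1=SQN xor AK (6 octets from AUTN)."""
    return kdf(ck + ik, 0x6A, sn_name.encode(), sqn_xor_ak)


def derive_k_seaf(k_ausf: bytes, sn_name: str) -> bytes:
    """Annex A.6: FC=0x6C, P0=SN-name."""
    return kdf(k_ausf, 0x6C, sn_name.encode())


def derive_k_amf(k_seaf: bytes, supi: str, abba: bytes) -> bytes:
    """Annex A.7: FC=0x6D, P0=SUPI, P1=ABBA. SUPI encoding as ASCII IMSI digits is an assumption here."""
    return kdf(k_seaf, 0x6D, supi.encode(), abba)


def derive_alg_key(parent: bytes, alg_type: str, alg_id: int, bits: int = 128) -> bytes:
    """Annex A.8: FC=0x69, P0=algorithm type distinguisher, P1=algorithm identity.
    For 128-bit algorithms the rightmost 128 bits of the 256-bit output are used."""
    out = kdf(parent, 0x69, bytes([ALG_TYPE[alg_type]]), bytes([alg_id]))
    return out[-(bits // 8):]


def derive_k_gnb(k_amf: bytes, ul_nas_count: int, access: bytes = ACCESS_3GPP) -> bytes:
    """Annex A.9: FC=0x6E, P0=uplink NAS COUNT (4 octets), P1=access type distinguisher."""
    return kdf(k_amf, 0x6E, ul_nas_count.to_bytes(4, "big"), access)


def derive_nh(k_amf: bytes, sync_input: bytes) -> bytes:
    """Annex A.10: FC=0x6F, P0=SYNC-input (K_gNB for the first NH, the previous NH afterwards)."""
    return kdf(k_amf, 0x6F, sync_input)


def derive_hierarchy(ck: bytes, ik: bytes, sn_name: str, sqn_xor_ak: bytes, supi: str,
                     abba: bytes, ul_nas_count: int = 0, nea: int = 2, nia: int = 2) -> dict:
    """Walks the whole chain. nea/nia are the algorithm identities (2 = 128-NEA2 / 128-NIA2)."""
    keys = {}
    keys["K_AUSF"] = derive_k_ausf(ck, ik, sn_name, sqn_xor_ak)
    keys["K_SEAF"] = derive_k_seaf(keys["K_AUSF"], sn_name)
    keys["K_AMF"] = derive_k_amf(keys["K_SEAF"], supi, abba)
    keys["K_NASenc"] = derive_alg_key(keys["K_AMF"], "NAS-enc", nea)
    keys["K_NASint"] = derive_alg_key(keys["K_AMF"], "NAS-int", nia)
    keys["K_gNB"] = derive_k_gnb(keys["K_AMF"], ul_nas_count)
    keys["K_RRCenc"] = derive_alg_key(keys["K_gNB"], "RRC-enc", nea)
    keys["K_RRCint"] = derive_alg_key(keys["K_gNB"], "RRC-int", nia)
    keys["K_UPenc"] = derive_alg_key(keys["K_gNB"], "UP-enc", nea)
    keys["K_UPint"] = derive_alg_key(keys["K_gNB"], "UP-int", nia)
    keys["NH"] = derive_nh(keys["K_AMF"], keys["K_gNB"])
    return keys


if __name__ == "__main__":
    # Constructed inputs: CK/IK would come from Milenage, SQN xor AK from AUTN, ABBA from the AMF.
    ck, ik = bytes.fromhex("0f" * 16), bytes.fromhex("f0" * 16)
    keys = derive_hierarchy(ck, ik, "5G:mnc260.mcc310.3gppnetwork.org",
                            bytes.fromhex("000000000001"), "310260123456789", b"\x00\x00")
    for name, k in keys.items():
        print(f"{name:9s} {len(k) * 8:3d} bits  {k.hex()}")
```

Two properties are worth checking against the derivation: the SN-name enters at the very top (K-AUSF) and at K-SEAF, so the same CK/IK produce an unrelated anchor key for a different serving network; and the gNB key is bound to the uplink NAS COUNT, so every fresh AS security activation yields a different K-gNB from the same K-AMF.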
Worked Example 2 -- Key Derivation Chain Timing
During an authentication on Vodafone Germany's 5G SA network (Ericsson core), the following timing was measured for each key derivation step:
| Step | Operation | Time |
|---|---|---|
| SIDF SUCI decryption | X25519 + AES-128-CTR | 1.8 ms |
| ARPF AV generation (Milenage) | f1-f5 functions | 0.3 ms |
| AUSF K-AUSF derivation | HMAC-SHA-256 KDF | 0.1 ms |
| AUSF HXRES* computation | SHA-256 | 0.05 ms |
| SEAF K-SEAF, K-AMF derivation | 2x HMAC-SHA-256 | 0.2 ms |
| AMF -> gNB K-gNB derivation | HMAC-SHA-256 | 0.1 ms |
| gNB AS key derivation (4 keys) | 4x HMAC-SHA-256 | 0.4 ms |
| Total cryptographic processing | -- | 2.95 ms |
The cryptographic operations themselves take under 3 ms -- the majority of the 45--80 ms total authentication time is consumed by network transport between AMF, AUSF, and UDM over the SBI interfaces.
SQN Synchronization
The Sequence Number (SQN) prevents replay attacks. The USIM maintains a SQN counter that must be within an acceptable range of the network's SQN. If the USIM detects a SQN out of range (indicating a potential replay or de-synchronization), it sends an Authentication Failure with cause SYNCH_FAILURE and includes an AUTS parameter to resynchronize.
The AUTS (Authentication Re-synchronization Token) allows the UDM to recover the USIM's current SQN value without exposing it. The UDM then generates a new AV with a corrected SQN and re-initiates authentication.
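The SQN check and the AUTS resynchronisation described above, as an added example that is not part of the original page or any 3GPP code: it implements the USIM-side acceptance rule of TS 33.102 Annex C.2 (SQN = SEQ || IND, one highest-SEQ entry per IND, a jump limit DELTA), the AUTS token the USIM returns with SYNCH_FAILURE, and the UDM/ARPF recovering SQN_MS from it. Milenage f1* and f5* are AES-based and are not implemented; `stand_in_f1_star()` and `stand_in_f5_star()` are HMAC-SHA-256 stand-ins so the protocol logic runs on the Python standard library, and all keys and RAND values are constructed.

```python
import hashlib
import hmac

# Added example: USIM SQN window check + AUTS resync. Milenage f1*/f5* replaced by HMAC stand-ins.

IND_BITS = 5                 # 48-bit SQN = 43-bit SEQ || 5-bit IND (TS 33.102 Annex C.2)
IND_MASK = (1 << IND_BITS) - 1
DELTA = 1 << 28              # SEQ may not be DELTA or more ahead of the highest accepted SEQ
AMF_RESYNC = b"\x00\x00"     # AMF field is zeroed when MAC-S is computed (TS 33.102 clause 6.3.3)


def stand_in_f1_star(k: bytes, sqn: int, rand: bytes, amf: bytes) -> bytes:
    """Stand-in for Milenage f1* -> MAC-S (8 octets). NOT the real TS 35.206 algorithm."""
    msg = b"f1*" + sqn.to_bytes(6, "big") + rand + amf
    return hmac.new(k, msg, hashlib.sha256).digest()[:8]


def stand_in_f5_star(k: bytes, rand: bytes) -> bytes:
    """Stand-in for Milenage f5* -> AK* (6 octets). NOT the real TS 35.206 algorithm."""
    return hmac.new(k, b"f5*" + rand, hashlib.sha256).digest()[:6]


class UsimSqn:
    """SQN state kept on the USIM: the highest SEQ accepted for each IND value."""

    def __init__(self):
        self.seq_ms = [0] * (1 << IND_BITS)

    def highest(self) -> int:
        """SQN_MS: the highest accepted SEQ together with its IND."""
        ind = max(range(len(self.seq_ms)), key=lambda i: self.seq_ms[i])
        return (self.seq_ms[ind] << IND_BITS) | ind

    def accept(self, sqn: int) -> bool:
        """True if the SQN carried in AUTN is fresh; False means SYNCH_FAILURE."""
        seq, ind = sqn >> IND_BITS, sqn & IND_MASK
        if seq - (self.highest() >> IND_BITS) >= DELTA:
            return False                  # too far ahead of anything seen before
        if seq <= self.seq_ms[ind]:
            return False                  # already used on this IND: replayed or stale AV
        self.seq_ms[ind] = seq
        return True

    def build_auts(self, k: bytes, rand: bytes) -> bytes:
        """AUTS = (SQN_MS xor AK*) || MAC-S, carried in the SYNCH_FAILURE response."""
        sqn_ms = self.highest()
        ak_star = stand_in_f5_star(k, rand)
        concealed = bytes(a ^ b for a, b in zip(sqn_ms.to_bytes(6, "big"), ak_star))
        return concealed + stand_in_f1_star(k, sqn_ms, rand, AMF_RESYNC)


def arpf_resync(k: bytes, rand: bytes, auts: bytes):
    """UDM/ARPF side: strip AK*, verify MAC-S, return the USIM's SQN_MS (None if MAC-S fails)."""
    ak_star = stand_in_f5_star(k, rand)
    sqn_ms = int.from_bytes(bytes(a ^ b for a, b in zip(auts[:6], ak_star)), "big")
    if not hmac.compare_digest(auts[6:], stand_in_f1_star(k, sqn_ms, rand, AMF_RESYNC)):
        return None
    return sqn_ms


class ArpfSqn:
    """SQN_HE counter at the home network; after resync it continues above SQN_MS."""

    def __init__(self):
        self.seq, self.ind = 0, 0

    def next_sqn(self) -> int:
        self.seq += 1
        self.ind = (self.ind + 1) & IND_MASK
        return (self.seq << IND_BITS) | self.ind

    def resync(self, sqn_ms: int):
        self.seq = sqn_ms >> IND_BITS


def simulate(k: bytes, rand: bytes) -> dict:
    """Fresh AV accepted, the same AV replayed is rejected, AUTS lets the ARPF recover
    SQN_MS, and the next AV generated after resync is accepted again."""
    usim, arpf = UsimSqn(), ArpfSqn()
    first = arpf.next_sqn()
    accepted = usim.accept(first)
    replayed = usim.accept(first)
    auts = usim.build_auts(k, rand)
    sqn_ms = arpf_resync(k, rand, auts)
    arpf.resync(sqn_ms)
    after_resync = usim.accept(arpf.next_sqn())
    return {"first": accepted, "replay": replayed, "sqn_ms": sqn_ms, "after_resync": after_resync}


if __name__ == "__main__":
    print(simulate(bytes(range(16)), bytes(16)))
    # {'first': True, 'replay': False, 'sqn_ms': 33, 'after_resync': True}
```

The AUTS token reveals SQN_MS only to a party that can compute AK* from K and RAND, and MAC-S stops a forged AUTS from resetting the network's counter; a resync request with a bad MAC-S is simply discarded.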
T-Mobile US reported a SQN synchronization failure rate of 0.02% across their subscriber base, primarily occurring after long periods of USIM inactivity (devices stored without power for months) or after USIM swap operations.
Authentication in Roaming Scenarios
In roaming, the visited PLMN's AMF communicates with the home PLMN's AUSF via the SEPP (Security Edge Protection Proxy). The SN-name (Serving Network Name) parameter binds the authentication to the visited network, preventing a compromised visited network from reusing authentication vectors on a different network.
| Roaming Scenario | Auth Method | Key Anchor | Key Binding |
|---|---|---|---|
| Home-routed traffic | 5G-AKA or EAP-AKA' | K-AUSF at home AUSF | SN-name = visited PLMN ID |
| Local breakout | 5G-AKA or EAP-AKA' | K-AUSF at home AUSF | SN-name = visited PLMN ID |
| Non-3GPP access (Wi-Fi roaming) | EAP-AKA' | K-AUSF at home AUSF | SN-name = visited PLMN ID |
The SN-name is constructed as "5G:mnc
Deutsche Telekom reported that cross-border 5G SA roaming authentication latency averages 120 ms due to the additional SEPP-to-SEPP hop between PLMNs, compared to 45 ms for home-network authentication. Their SEPP deployment uses TLS 1.3 with mutual certificate authentication.
Comparison with 4G EPS-AKA
| Feature | 4G EPS-AKA | 5G-AKA | 5G EAP-AKA' |
|---|---|---|---|
| Identity privacy | IMSI sent in cleartext (initial) | SUCI (ECIES encrypted) | SUCI (ECIES encrypted) |
| Auth server | HSS (combined) | AUSF + UDM (separated) | AUSF + UDM (separated) |
| Home network confirmation | No (visited MME decides) | Yes (AUSF confirms RES*) | Yes (AUSF sends EAP-Success) |
| Key hierarchy depth | K -> CK,IK -> K-ASME -> K-eNB | K -> CK',IK' -> K-AUSF -> K-SEAF -> K-AMF -> K-gNB | Same as 5G-AKA |
| Key separation (NAS vs AS) | Yes | Yes (improved with ABBA) | Yes |
| SN binding | Limited | Strong (SN-name in key derivation) | Strong (SN-name in key derivation) |
| Non-3GPP support | Separate EAP-AKA (RFC 4187) | N/A | Unified with 3GPP access |
Operator Deployment Statistics
| Operator | Auth Method (3GPP) | SUCI Scheme | Avg Auth Time | Auth Success Rate |
|---|---|---|---|---|
| T-Mobile US | 5G-AKA | ECIES Profile A | 42 ms | 99.91% |
| SK Telecom | 5G-AKA | ECIES Profile A | 38 ms | 99.94% |
| Vodafone Germany | 5G-AKA | ECIES Profile B | 48 ms | 99.88% |
| NTT DOCOMO | 5G-AKA | ECIES Profile A | 45 ms | 99.90% |
| Reliance Jio | 5G-AKA | ECIES Profile A | 55 ms | 99.82% |
All major operators have deployed 5G-AKA as the primary method for 3GPP access, with EAP-AKA' reserved for non-3GPP (Wi-Fi offload) scenarios. SK Telecom achieves the lowest latency due to co-located AUSF and UDM deployment within the same data center.
Key Takeaway: 5G authentication through 5G-AKA and EAP-AKA' provides three critical improvements over 4G: permanent identity concealment via SUCI, home-network-controlled authentication confirmation at the AUSF, and a deeper key hierarchy with strong serving-network binding. The entire cryptographic chain from K to application keys takes under 3 ms -- network transport dominates the total authentication time. Understanding the key hierarchy, SUCI construction, and the dual-confirmation mechanism is essential for 5G security certification.