Why 5G Security Was Redesigned
4G LTE security had known vulnerabilities that 3GPP addressed head-on in 5G. The most critical were: IMSI catching (passive eavesdropping of permanent identifiers), lack of home network control over authentication, and no integrity protection on the user plane. The 5G security architecture, defined in 3GPP TS 33.501, introduces fundamental changes at every layer.
The security redesign was not incremental. It involved new cryptographic schemes (ECIES for subscriber privacy), new network functions (AUSF, SEPP), and a restructured key hierarchy with anchor keys that the home network controls.
4G vs 5G Security Comparison
The table below captures every significant security difference between the two generations.
| Feature | 4G LTE (TS 33.401) | 5G NR (TS 33.501) | Impact |
|---|---|---|---|
| Permanent ID protection | IMSI sent in cleartext on first attach | SUPI encrypted as SUCI using ECIES | Eliminates IMSI catchers |
| Authentication protocol | EPS-AKA only | 5G-AKA or EAP-AKA' (operator choice) | Extensible framework, home network confirmation |
| Home network auth confirmation | No (visited network only verifies) | Yes (AUSF sends confirmation to UDM) | Prevents visited network fraud |
| Key hierarchy anchor | K_ASME (derived in HSS) | K_AUSF (derived in AUSF at home) | Home network retains key control |
| User plane integrity | Not supported | Mandatory support, optional activation | Prevents data tampering |
| NAS security termination | MME | AMF (with SEAF) | Separation of concerns |
| RRC security | eNB (single hop) | gNB (with CU/DU split consideration) | Security at CU level |
| Roaming security | Diameter-based (no encryption) | SEPP with TLS/PRINS (N32 interface) | Encrypted inter-PLMN signaling |
| Key separation | Single K_eNB tree | Separate K_gNB, K_N3IWF for non-3GPP | Better isolation |
| Algorithm support | EEA0-3, EIA0-3 | NEA0-3, NIA0-3 (128/256-bit) | 256-bit key support added |
| Steering of roaming | Not standardized | SOR with integrity protection | Operator control over roaming |
| SUPI types | IMSI only | IMSI or NAI (for non-3GPP access) | Flexible identity framework |
The 5G Key Hierarchy
The key hierarchy is the backbone of 5G security. Every ciphering and integrity key ultimately derives from the permanent key K stored on the USIM and in the UDM/ARPF. The derivation chain follows strict parent-child relationships per TS 33.501 Section 6.2.
Derivation Chain
```
K (permanent key in USIM/ARPF)
|
+---> CK, IK (generated during AKA)
      |
      +---> K_AUSF (anchor key, stays at AUSF in home network)
            |
            +---> K_SEAF (sent to SEAF in visited network)
                  |
                  +---> K_AMF (derived at AMF using SUPI + ABBA)
                        |
                        +---> K_NAS_enc (NAS ciphering)
                        +---> K_NAS_int (NAS integrity)
                        +---> K_gNB (sent to gNB via NGAP)
                              |
                              +---> K_RRC_enc (RRC ciphering)
                              +---> K_RRC_int (RRC integrity)
                              +---> K_UP_enc (UP ciphering)
                              +---> K_UP_int (UP integrity)
```
Key Derivation Functions
Each key is derived using HMAC-SHA-256 based key derivation per TS 33.220 Annex B. The inputs vary at each level:
| Key | Input Parameters | Where Derived | Where Used |
|---|---|---|---|
| CK, IK | K + RAND (from AV) | USIM / ARPF | Input to K_AUSF derivation |
| K_AUSF | CK, IK, SQN, SN name | AUSF (home) | Anchor key; never leaves home network |
| K_SEAF | K_AUSF, SN name | AUSF -> SEAF | Stored at SEAF (co-located with AMF) |
| K_AMF | K_SEAF, SUPI, ABBA parameter | AMF | NAS security and K_gNB derivation |
| K_gNB | K_AMF, NAS uplink count | AMF -> gNB | AS security key base |
| K_RRC_enc | K_gNB, algorithm ID, alg distinguisher | gNB | RRC message ciphering |
| K_RRC_int | K_gNB, algorithm ID, alg distinguisher | gNB | RRC message integrity |
| K_UP_enc | K_gNB, algorithm ID, alg distinguisher | gNB | User plane ciphering |
| K_UP_int | K_gNB, algorithm ID, alg distinguisher | gNB | User plane integrity protection |
The critical design decision is that K_AUSF never leaves the home network. Even in roaming scenarios, the visited AMF only receives K_SEAF. This prevents a compromised visited network from deriving all downstream keys for a subscriber in other visited networks.
Authentication Procedures
5G supports two authentication methods. The operator's UDM selects which method to use based on subscription data per TS 33.501 Section 6.1.3.
5G-AKA (Primary Method)
5G-AKA is the enhanced version of EPS-AKA. The key difference is the addition of home network confirmation: after the UE sends its RES*, the AUSF verifies it and sends a confirmation back to the UDM, proving the subscriber was successfully authenticated.
Message flow:
- UE sends Registration Request with SUCI to AMF
- AMF sends Nausf_UEAuthentication_Authenticate(SUCI) to AUSF
- AUSF sends Nudm_UEAuthentication_Get(SUCI) to UDM
- UDM/ARPF generates AV (RAND, AUTN, XRES*, K_AUSF); UDM decrypts SUCI to SUPI
- AUSF computes HXRES* and stores XRES*; sends RAND, AUTN, HXRES* to AMF
- AMF sends Authentication Request (RAND, AUTN) to UE
- UE verifies AUTN, computes RES*; sends Authentication Response (RES*) to AMF
- AMF computes HRES* from RES* and compares with HXRES* (visited network verification)
- AMF forwards RES* to AUSF; AUSF compares RES* with XRES* (home network verification)
- AUSF sends authentication confirmation to UDM
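The two verification steps at the end of this flow can be modelled in a few lines. This is an added example, not code from the original page or from 3GPP; the RAND and XRES* values are constructed, the class and function names are hypothetical, and the HRES*/HXRES* computation (128 least significant bits of SHA-256 over RAND || RES*) follows TS 33.501 Annex A.

```python
import hashlib
import hmac

# Constructed sample values; in a real run RAND and XRES* come from the UDM/ARPF.
RAND = bytes.fromhex("00112233445566778899aabbccddeeff")
XRES_STAR = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def hashed_res(rand, res_star):
    """HRES*/HXRES*: 128 least significant bits of SHA-256(RAND || RES*)."""
    return hashlib.sha256(rand + res_star).digest()[-16:]


class Ausf:
    """Home network: keeps XRES* and hands the AMF only its hash."""

    def __init__(self, rand, xres_star):
        self.rand, self.xres_star = rand, xres_star
        self.confirmed_to_udm = False

    def challenge_for_amf(self):
        return self.rand, hashed_res(self.rand, self.xres_star)

    def verify(self, res_star):
        # Home network verification, then confirmation towards the UDM.
        self.confirmed_to_udm = hmac.compare_digest(res_star, self.xres_star)
        return self.confirmed_to_udm


def amf_verify(rand, hxres_star, res_star):
    """Visited network verification: compare HRES* with HXRES*."""
    return hmac.compare_digest(hashed_res(rand, res_star), hxres_star)


def run_5g_aka(ue_res_star, amf_forwards=None):
    """Return (visited_ok, home_ok, confirmed_to_udm) for one authentication run.

    amf_forwards overrides what the AMF passes to the AUSF (default: the UE's RES*).
    """
    ausf = Ausf(RAND, XRES_STAR)
    rand, hxres_star = ausf.challenge_for_amf()
    visited_ok = amf_verify(rand, hxres_star, ue_res_star)
    forwarded = ue_res_star if amf_forwards is None else amf_forwards
    home_ok = ausf.verify(forwarded)
    return visited_ok, home_ok, ausf.confirmed_to_udm
```

Because the AMF holds only HXRES*, it cannot produce a value the AUSF accepts unless the UE actually answered with the correct RES*; forwarding the hash itself fails the home check.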
EAP-AKA' (Alternative Method)
EAP-AKA' wraps the AKA exchange inside the EAP framework defined in RFC 9048. This method is preferred for converged access scenarios where the same authentication mechanism works across 3GPP and non-3GPP (Wi-Fi via N3IWF) access.
| Aspect | 5G-AKA | EAP-AKA' |
|---|---|---|
| Protocol framework | Native NAS | EAP (RFC 9048) |
| Home network confirmation | Yes (explicit) | Yes (via EAP-Success) |
| Non-3GPP access support | No | Yes (Wi-Fi, satellite) |
| Key derivation | Direct from CK', IK' | Via EAP MSK/EMSK |
| Message count (NAS) | 2 (Auth Req/Resp) | 4+ (EAP-Req/Resp x2+) |
| Typical use | 3GPP access (NG-RAN) | Non-3GPP, converged operators |
| Binding to SN | SN name in KDF | AT_KDF_INPUT attribute |
SUPI and SUCI Protection
The elimination of IMSI catching is one of 5G's headline security improvements. The mechanism works as follows per TS 33.501 Section 6.12.
SUPI (Subscription Permanent Identifier) is the permanent identity, equivalent to the IMSI in format (IMSI-). It is never transmitted over the air in cleartext.
SUCI (Subscription Concealed Identifier) is generated by the UE's USIM by encrypting the MSIN portion of the SUPI using ECIES (Elliptic Curve Integrated Encryption Scheme) with:
- Home network public key: Provisioned on the USIM
- Protection scheme: Profile A (X25519 + AES-128-CTR) or Profile B (NIST P-256 + AES-128-CTR)
- Ephemeral key pair: Generated fresh for each SUCI computation
The UDM/SIDF (Subscription Identifier De-concealing Function) decrypts the SUCI using the home network private key to recover the SUPI. Only the home network can perform this decryption.
Worked Example: SUCI Generation
Given:
- SUPI: `IMSI-310260123456789`
- MSIN to encrypt: `123456789`
- Protection scheme: Profile A (X25519)
- Home network public key: provisioned on USIM

- UE generates ephemeral X25519 key pair: (eSK, ePK)
- UE computes shared secret: `SS = X25519(eSK, HN_PubKey)`
- UE derives encryption key: `EK = KDF(SS, "encryption")`
- UE encrypts MSIN: `Encrypted_MSIN = AES-128-CTR(EK, "123456789")`
- SUCI = SUCI-0-310-260-- - -
Each SUCI looks different even for the same subscriber because the ephemeral key changes, defeating correlation attacks.
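The concealment and de-concealment steps can be run end to end with the Python `cryptography` package. This is an added example, not code from the original page. It goes beyond the simplified KDF step above by using the Profile A parameters as given in TS 33.501 Annex C (ANSI X9.63 KDF with SHA-256 and the ephemeral public key as SharedInfo, output split into AES key, initial counter block and MAC key, HMAC-SHA-256 tag truncated to 64 bits). Function names are hypothetical, and the MSIN is passed as ASCII digits as in the worked example.

```python
import hashlib
import hmac

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.kdf.x963kdf import X963KDF

RAW = (serialization.Encoding.Raw, serialization.PublicFormat.Raw)


def generate_home_key():
    """Home network key pair; the public half is what gets provisioned on the USIM."""
    return X25519PrivateKey.generate()


def split_keys(shared_secret, e_pk):
    # 64 bytes of key material: AES-128 key | initial counter block | MAC key
    okm = X963KDF(hashes.SHA256(), 64, e_pk).derive(shared_secret)
    return okm[:16], okm[16:32], okm[32:]


def aes_ctr(key, icb, data):
    ctx = Cipher(algorithms.AES(key), modes.CTR(icb)).encryptor()
    return ctx.update(data) + ctx.finalize()


def mac_tag(mac_key, ciphertext):
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()[:8]


def conceal(hn_public, msin):
    """UE side: a fresh ephemeral key pair for every SUCI computation."""
    e_sk = X25519PrivateKey.generate()
    e_pk = e_sk.public_key().public_bytes(*RAW)
    ek, icb, mk = split_keys(e_sk.exchange(hn_public), e_pk)
    ct = aes_ctr(ek, icb, msin)
    return e_pk, ct, mac_tag(mk, ct)


def deconceal(hn_private, e_pk, ct, tag):
    """SIDF side: check the MAC before decrypting; reject modified SUCIs."""
    shared = hn_private.exchange(X25519PublicKey.from_public_bytes(e_pk))
    ek, icb, mk = split_keys(shared, e_pk)
    if not hmac.compare_digest(tag, mac_tag(mk, ct)):
        raise ValueError("SUCI MAC check failed")
    return aes_ctr(ek, icb, ct)
```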
Worked Example: Key Derivation Path
Given: Successful 5G-AKA for SUPI IMSI-310260123456789 on SN 5G:mnc260.mcc310.3gppnetwork.org
```
Step 1: ARPF generates CK, IK from K and RAND
Step 2: K_AUSF = KDF(CK||IK, SN name, SQN xor AK)
        -> 256-bit key, stored at AUSF
Step 3: K_SEAF = KDF(K_AUSF, SN name)
        -> 256-bit key, sent to visited SEAF
Step 4: K_AMF = KDF(K_SEAF, SUPI, ABBA=0x0000)
        -> 256-bit key, used at AMF
Step 5: K_gNB = KDF(K_AMF, NAS UL Count=0)
        -> 256-bit key, sent to gNB
Step 6: K_RRC_enc = KDF(K_gNB, NEA2, RRC-enc-alg)
        K_UP_int = KDF(K_gNB, NIA2, UP-int-alg)
```
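Steps 2 to 6, and the Key Derivation Functions table earlier, can be carried through with the generic TS 33.220 Annex B construction. This is an added example, not code from the original page. The FC values, algorithm type distinguishers and access type distinguisher are taken from TS 33.501 Annex A and should be checked against the release you implement; CK, IK, SQN xor AK and the second serving network name are constructed, and passing the SUPI as its ASCII IMSI digits is an assumption.

```python
import hashlib
import hmac

# FC values and distinguishers as listed in TS 33.501 Annex A (assumed here;
# check them against the release you implement).
FC_ALG, FC_KAUSF, FC_KSEAF, FC_KAMF, FC_KGNB = 0x69, 0x6A, 0x6C, 0x6D, 0x6E
ALG_TYPE = {"K_RRC_enc": 0x03, "K_RRC_int": 0x04, "K_UP_enc": 0x05, "K_UP_int": 0x06}
ACCESS_3GPP = 0x01


def kdf(key, fc, *params):
    """TS 33.220 Annex B: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_chain(ck, ik, sqn_xor_ak, sn_name, supi, abba=b"\x00\x00",
                 nas_ul_count=0, nea=2, nia=2):
    """Walk the chain from CK/IK down to the AS keys and return every key."""
    keys = {"K_AUSF": kdf(ck + ik, FC_KAUSF, sn_name, sqn_xor_ak)}
    keys["K_SEAF"] = kdf(keys["K_AUSF"], FC_KSEAF, sn_name)
    keys["K_AMF"] = kdf(keys["K_SEAF"], FC_KAMF, supi, abba)
    keys["K_gNB"] = kdf(keys["K_AMF"], FC_KGNB,
                        nas_ul_count.to_bytes(4, "big"), bytes([ACCESS_3GPP]))
    for name, alg_type in ALG_TYPE.items():
        alg_id = nea if name.endswith("enc") else nia
        # 128-bit algorithms use the 128 least significant bits of the output.
        keys[name] = kdf(keys["K_gNB"], FC_ALG, bytes([alg_type]), bytes([alg_id]))[16:]
    return keys


# Constructed CK, IK and SQN xor AK; SN name and SUPI digits are the page's example.
CK, IK, SQN_XOR_AK = bytes(range(16)), bytes(range(16, 32)), bytes(6)
VISITED_A = derive_chain(CK, IK, SQN_XOR_AK,
                         b"5G:mnc260.mcc310.3gppnetwork.org", b"310260123456789")
# Same AKA inputs bound to a different (constructed) serving network name.
VISITED_B = derive_chain(CK, IK, SQN_XOR_AK,
                         b"5G:mnc001.mcc001.3gppnetwork.org", b"310260123456789")
```

Comparing `VISITED_A` and `VISITED_B` shows the serving network binding: every key from K_AUSF downward changes with the SN name, so keys handed to one visited network are of no use in another.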
SEPP and Roaming Security
In 4G, inter-operator signaling for roaming used Diameter over unprotected IPX networks. This allowed eavesdropping and message manipulation between networks.
5G introduces the Security Edge Protection Proxy (SEPP) per TS 33.501 Section 13 and TS 29.573. Every message crossing the N32 interface between PLMNs passes through the SEPP, which provides:
- TLS on N32-c: Handshake and capability negotiation between SEPPs
- PRINS (Protocol for N32 Interconnect Security) on N32-f: Application-layer encryption and integrity protection of individual JSON fields in HTTP/2 SBI messages
- Message filtering: SEPP strips or modifies sensitive IEs before forwarding to the partner network
- Topology hiding: Conceals internal NF addresses from roaming partners
| Roaming Security | 4G (Diameter/SS7) | 5G (SEPP/N32) |
|---|---|---|
| Transport security | IPsec (optional, rarely deployed) | TLS 1.2/1.3 (mandatory) |
| Application security | None | PRINS (field-level protection) |
| Topology hiding | None (internal addresses exposed) | SEPP rewrites NF discovery responses |
| Message filtering | DRA (limited) | SEPP policy engine |
| Mutual authentication | Optional | Mandatory (PKI-based) |
Real Operator Security Deployments
KDDI (Japan) was among the first operators to deploy ECIES-based SUCI protection on commercial USIMs in 2021. Their implementation uses Protection Scheme Profile A (X25519). KDDI reported that IMSI catcher attacks detected on their LTE network dropped to zero on 5G SA after SUCI enforcement.
Deutsche Telekom implemented SEPP across their European roaming footprint in 2023, protecting inter-PLMN signaling for 5G SA roaming with 14 partner networks. Their SEPP processes approximately 2.5 million roaming transactions per day with PRINS providing field-level encryption on subscriber identity and location data.
Remaining Security Challenges
Despite the improvements, 5G security is not perfect:
- Null ciphering (NEA0): Still permitted in the standard for emergency calls. A rogue base station could negotiate NEA0 for non-emergency traffic.
- Pre-authentication messages: The Registration Request before authentication is sent without integrity protection, enabling limited information leakage (TAI, UE capabilities).
- RAN sharing: When multiple operators share gNBs, ensuring proper key isolation between MOCN tenants requires careful implementation.
- Supply chain: The security architecture assumes trusted hardware and software in network functions. Compromised vendor software undermines all cryptographic protections.
Key Takeaway: 5G security represents a generation leap over 4G with ECIES-based identity protection (SUCI), home-network-anchored key hierarchy (K_AUSF), mandatory user plane integrity, and SEPP-protected roaming. Understanding the key derivation chain and authentication procedures is essential for anyone working in 5G network security.