About 5G primary authentication

3GPP TS 33.501 defines two mandatory primary authentication methods for 5G: 5G-AKAand EAP-AKA′. Both are rooted in the long-term key Kstored in the USIM and in the ARPF (part of UDM). Both derive the serving-network anchor key K_SEAF, from which all further NAS and AS keys (K_AMF, K_NASenc, K_NASint, K_gNB) are derived.

The key difference: 5G-AKA adds a second, lightweight verification at SEAF (comparing HRES* against HXRES*), letting the serving network drop obvious failures before going back to AUSF. EAP-AKA′ is a pure EAP method (RFC 5448) — SEAF is only a pass-through, and RES / MAC are checked at AUSF. EAP-AKA′ is mandatory for non-3GPP access (Wi-Fi offload to 5GC) and optional for 3GPP access.

In both flows, the UE’s permanent identity never travels in the clear. The SUCI (Subscription Concealed Identifier) uses ECIES to encrypt the MSIN portion of the SUPI with the home network’s public key, and only UDM/SIDF can de-conceal it — solving the IMSI-catcher problem that plagued earlier generations.

Who uses this visualizer?

Core-network and security engineers use it to map 3GPP stage-2 procedure text to the actual Nausf_UEAuthentication / Nudm_UEAuthentication service operations. Trainers use it in 5G certification courses. Penetration testers use it as a reference for which keys exist at which NF at each instant.

Related tools

• SUPI / SUCI Analyzer
• 5G SBA Architecture
• Random Access Simulator