5G/6G Academy: Telecom certifications · since 2009

5G Auth Flow Visualizer

Step through 5G primary authentication — the 5G-AKA method and the EAP-AKA′ method side-by-side — across UE, SEAF (AMF), AUSF and UDM/ARPF. Based on 3GPP TS 33.501 §6.1 and RFC 5448.

Message 1 / 14 (swimlanes: UE, SEAF (AMF), AUSF, UDM / ARPF)

#1 UE → SEAF (AMF): Registration Request
  • Mobile Identity: SUCI = scheme-output over SUPI
  • ngKSI: 3-bit key set identifier (0..6, 7 = no key)
  • UE security capabilities: 5G-EA / 5G-IA bitmap

About 5G primary authentication

3GPP TS 33.501 defines two mandatory primary authentication methods for 5G: 5G-AKA and EAP-AKA′. Both are rooted in the long-term key K stored in the USIM and in the ARPF (part of UDM). Both derive the serving-network anchor key K_SEAF, from which all further NAS and AS keys (K_AMF, K_NASenc, K_NASint, K_gNB) are derived.

The key difference: 5G-AKA adds a second, lightweight verification at SEAF (comparing HRES* against HXRES*), letting the serving network drop obvious failures before going back to AUSF. EAP-AKA′ is a pure EAP method (RFC 5448) — SEAF is only a pass-through, and RES / MAC are checked at AUSF. EAP-AKA′ is mandatory for non-3GPP access (Wi-Fi offload to 5GC) and optional for 3GPP access.

In both flows, the UE’s permanent identity never travels in the clear. The SUCI (Subscription Concealed Identifier) uses ECIES to encrypt the MSIN portion of the SUPI with the home network’s public key, and only UDM/SIDF can de-conceal it — solving the IMSI-catcher problem that plagued earlier generations.

Who uses this visualizer?

Core-network and security engineers use it to map 3GPP stage-2 procedure text to the actual Nausf_UEAuthentication / Nudm_UEAuthentication service operations. Trainers use it in 5G certification courses. Penetration testers use it as a reference for which keys exist at which NF at each instant.

How to use the 5G Auth Flow Visualizer

  1. Choose the method. Toggle between 5G-AKA and EAP-AKA′ to load that procedure’s message sequence.
  2. Read the swimlanes. Follow the diagram across the UE, SEAF (AMF), AUSF and UDM/ARPF lanes; dashed boxes mark internal computations rather than wire messages.
  3. Step message by message. Use Next and Prev to advance one message at a time, or click any message in the diagram to jump straight to it.
  4. Inspect the parameters. For each step the detail card lists the carried fields — RAND, AUTN, RES*, the derived keys and the service operation names.
  5. Compare the two methods. Switch the method toggle and re-step to see where the SEAF acts as a checker (5G-AKA) versus a pass-through (EAP-AKA′).

Frequently asked questions

What is the difference between 5G-AKA and EAP-AKA′?
Both are mandatory primary authentication methods in TS 33.501 and both start from the long-term key K in the USIM and ARPF. The practical difference is where the response is checked. In 5G-AKA the serving network (SEAF in the AMF) does a quick local check, comparing HRES* against HXRES* before forwarding RES* to the AUSF for the authoritative comparison. EAP-AKA′ is a full EAP method (RFC 5448) where the SEAF is just a transparent relay and the AUSF verifies the EAP MAC and RES.
Which authentication method does 5G use for Wi-Fi (non-3GPP) access?
EAP-AKA′ is mandatory for non-3GPP access, such as untrusted Wi-Fi reaching the 5G core through an N3IWF. For 3GPP (NR) access an operator may use either 5G-AKA or EAP-AKA′. EAP-AKA′ fits the Wi-Fi case because it is a standard EAP method that slots into existing EAP transports.
What is K_SEAF and how is the 5G key hierarchy anchored?
K_SEAF is the serving-network anchor key. After successful authentication the AUSF derives K_SEAF from K_AUSF bound to the serving network name and hands it to the SEAF. Everything else flows from it: K_SEAF leads to K_AMF, and K_AMF to the NAS keys (K_NASenc, K_NASint) and the RAN key K_gNB. Binding to the serving network name is what stops a key issued for one network being replayed in another.
Why is the SUCI sent instead of the SUPI during registration?
Sending the permanent identity in the clear is exactly the IMSI-catcher weakness from earlier generations. The SUCI conceals the MSIN part of the SUPI with ECIES using the home network public key, while MCC, MNC and the routing indicator stay readable so the request can be steered to the right AUSF and UDM. Only the home UDM/SIDF holds the private key needed to recover the SUPI.
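
The two-stage 5G-AKA check (HRES* against HXRES* at the SEAF, then RES* against XRES* at the AUSF) and the serving-network binding of K_SEAF described above, as an added Python example that is not part of the visualizer's own code. The FC values and input layouts follow TS 33.501 Annex A and the TS 33.220 Annex B.2 KDF; CK, IK, RAND, RES, SQN xor AK, the serving network names and all function names are constructed for illustration.

```python
import hashlib
import hmac

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    # TS 33.220 Annex B.2: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)
    s = bytes([fc]) + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()

def res_star(ck_ik, snn, rand, res):
    # TS 33.501 A.4: FC 0x6B keyed with CK||IK, keep the low 128 bits.
    return kdf(ck_ik, 0x6B, snn, rand, res)[-16:]

def hres_star(rand, res_star_value):
    # TS 33.501 A.5: SHA-256(RAND || RES*), keep the low 128 bits.
    return hashlib.sha256(rand + res_star_value).digest()[-16:]

def k_seaf(ck_ik, snn, sqn_xor_ak):
    # A.2 derives K_AUSF (FC 0x6A); A.6 derives K_SEAF from it (FC 0x6C).
    k_ausf = kdf(ck_ik, 0x6A, snn, sqn_xor_ak)
    return kdf(k_ausf, 0x6C, snn)

# Constructed sample values. In a real network CK, IK, RES and SQN xor AK are
# outputs of MILENAGE/TUAK keyed with K, which is not modelled here.
CK_IK = bytes(range(32))
RAND = bytes(range(32, 48))
RES = bytes(range(48, 56))
SQN_XOR_AK = bytes(6)
HOME_VIEW_SNN = b"5G:mnc001.mcc001.3gppnetwork.org"  # network the AV was issued for

def authenticate(ue_snn: bytes, ue_res: bytes = RES) -> dict:
    # UDM/ARPF: expected response for the serving network that requested the AV.
    xres = res_star(CK_IK, HOME_VIEW_SNN, RAND, RES)
    hxres = hres_star(RAND, xres)  # the only verifier handed to the SEAF
    # UE: answers using the serving network name it observes itself.
    ue_res_star = res_star(CK_IK, ue_snn, RAND, ue_res)
    seaf_ok = hmac.compare_digest(hres_star(RAND, ue_res_star), hxres)
    ausf_ok = seaf_ok and hmac.compare_digest(ue_res_star, xres)
    # K_SEAF agrees on both sides only when both used the same network name.
    keys_match = hmac.compare_digest(
        k_seaf(CK_IK, ue_snn, SQN_XOR_AK),
        k_seaf(CK_IK, HOME_VIEW_SNN, SQN_XOR_AK))
    return {"seaf_ok": seaf_ok, "ausf_ok": ausf_ok, "k_seaf_match": keys_match}

if __name__ == "__main__":
    print(authenticate(HOME_VIEW_SNN))                        # matching network
    print(authenticate(b"5G:mnc002.mcc001.3gppnetwork.org"))  # different network
    print(authenticate(HOME_VIEW_SNN, ue_res=bytes(8)))       # wrong RES
```

The SEAF holds only the hash HXRES*, so it can reject a bad response early but cannot produce a valid RES* itself; the authoritative comparison stays at the AUSF.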
