5G Security Architecture

Article by Abhijeet Kumar

Overview of the security architecture

  • Network access security (I): This security domain secures the user equipment (UE) and the network connection. It includes features that enable a UE to authenticate and access services securely via the network. This includes both 3GPP and Non-3GPP access, and specifically protects against attacks on the radio interfaces. It also includes the secure delivery of the security context from the Security Node (SN) to the Access Network (AN).
  • Network domain security (II): This security domain protects the exchange of data between network nodes. It includes features that enable network nodes to securely exchange signalling data and user plane data.
  • User domain security (III): This security domain secures the user's access to their mobile equipment.
  • SBA domain security (V): This is a new security feature for 5G networks that secures communication between network functions within the serving network domain and with other network domains. It includes security features for network function registration, discovery, and authorization, as well as protection for service-based interfaces.
  • Application domain security (IV): This security domain is not shown in the figure, but it refers to the set of security features that enable applications in the user domain and in the provider domain to exchange messages securely. This is considered outside the scope of the document that the figure is from.


Security at the perimeter of the 5G Core network

SEPP and IPUPS are security functionalities that operate at the perimeter of the 5G Core network, providing protection for different types of traffic:

  • Security Edge Protection Proxy (SEPP): This functionality sits at the edge of the Public Land Mobile Network (PLMN), acting as a security proxy for control plane messages. The control plane manages the establishment, modification, and termination of user sessions. SEPP enforces security on the N32 interface, which connects different PLMNs (carrier networks). This helps to ensure secure communication between networks and prevent unauthorized access.
  • Inter-PLMN UP Security (IPUPS): IPUPS focuses on protecting user plane messages. The user plane carries the actual data content that users transmit (e.g., voice calls, video streams, web browsing). IPUPS is a functionality of the User Plane Function (UPF) that enforces security on the N9 interface between the UPFs of the visited PLMN (where the user is currently roaming) and the home PLMN (the user's subscribed network). By securing the N9 interface, IPUPS helps to protect user data from eavesdropping or tampering during roaming.

In simpler terms, both SEPP and IPUPS act as security guards at the edge of the 5G Core network, but they guard different "doors":

  • SEPP secures the control room door (N32 interface) where network operators communicate to manage user sessions.
  • IPUPS secures the data transfer door (N9 interface) where user content flows.


The 5G System architecture introduces the following security entities in the 5G Core network:

AUSF (Authentication Server Function)

Acts as the central manager for authentication processes in the 5G system.

Verifies a subscriber's identity and generates authentication data (security keys) to be used for secure network access and communication.

Works closely with the SEAF to ensure secure handling of authentication materials.

ARPF (Authentication credential Repository and Processing Function)

Serves as a secure storage for subscriber authentication credentials (think of it as a secure vault).

Handles the retrieval and processing of those credentials during the authentication process, following instructions from the AUSF.

SIDF (Subscription Identifier De-concealing Function)

Responsible for protecting subscriber privacy.

De-conceals the Subscription Permanent Identifier (SUPI) from its concealed form to reveal the user's actual subscription identity (such as their IMSI).

This is done only when necessary and under strict authorization procedures to prevent unauthorized tracking of subscribers.

SEAF (Security Anchor Function)

Plays the role of a 'trust anchor' for the 5G core network.

It serves as the starting point for establishing trust relationships between the different network entities involved in authentication processes.

Generates and distributes security keys to other network functions to ensure secure communication and data transfer.

How they work together:

These security entities operate in concert to enforce strong security measures within the 5G Core:

  1. Subscriber connects: When a user's device connects to the 5G network, the AUSF initiates the authentication process.
  2. Authentication: The AUSF communicates with the ARPF to retrieve necessary subscriber credentials and verifies user identity.
  3. Protecting Privacy: If required, the SIDF helps to de-conceal the user's permanent identifier in a privacy-preserving manner.
  4. Trust Establishment: The SEAF provides secure keys to the AUSF, ensuring the authentication process is trustworthy.
  5. Secure Access: Upon successful authentication, the subscriber's device is granted access to the 5G network and its services.

NFs for 5G Authentication Framework

ARPF (Authentication Credentials Repository and Processing Function):

  • Integrated deployment with the UDM: The ARPF is not a standalone function; it's combined with the Unified Data Management (UDM). The UDM stores and processes user data and subscription information.
  • Deployed on the home network in roaming scenarios: When you're roaming (using your phone on a different network, typically abroad), the ARPF remains on your home network. So, even if you're in another country, your authentication credentials are managed by your home network.

AUSF (Authentication Server Function):

  • Independent NF: The AUSF is a separate network function. It's like a specialized security office that verifies your identity when you try to use the network.
  • Deployed on the home network in roaming scenarios (5G phase 1): Similar to the ARPF, the AUSF stays in your home network when you roam. It means that your home network is still the one that checks your credentials and approves your access, no matter where you are.

SEAF/SCMF (Security Anchor Function / Security Context Management Function):

  • Integrated deployment with the AMF: These functions are part of the Access and Mobility Management Function (AMF), which manages your connection to the network, especially when you're moving around.
  • Deployed on the visited network in roaming scenarios: Unlike the ARPF and AUSF, the SEAF/SCMF is located in the network you're visiting. So when you're roaming, the local network you're connecting to will have its own SEAF/SCMF working with the AMF to manage security aspects like encrypting your data.


Key Architecture

4G Key Architecture:

  1. USIM/AuC & UE/HSS (Home Subscriber Server): The USIM (Universal Subscriber Identity Module) on your device holds a key called 'K'. The HSS, part of the home network, uses 'K' to derive two keys, CK and IK, which are used for ciphering and integrity protection, respectively.
  2. UE/MMF (Mobility Management Function): The device uses 'K' to derive the 'K_ASME', a key associated with the access security management entity. 'K_ASME' is then used to create two more keys: 'K_NASenc' for encrypting non-access stratum (NAS) messages, and 'K_NASint' for checking their integrity.
  3. UE/eNB (Evolved Node B): The eNB is a base station in the 4G LTE network. From 'K_ASME', the eNB and the UE derive additional keys for use in protecting radio communications: 'K_eNB' for encrypting data and 'K_RRCint' and 'K_UPenc' for integrity protection of the Radio Resource Control (RRC) and the user plane (UP).

5G Key Architecture:

  1. ARPF & USIM: Similar to 4G, the process starts with the key 'K' in your USIM. The ARPF processes the authentication credentials and contributes to deriving 'K_AUSF'.
  2. 5G AKA (Authentication and Key Agreement): This is a more advanced authentication mechanism than 4G's. It uses 'K' to produce 'CK' and 'IK', and with a process called EAP-AKA', it further derives 'K_SEAF', which is sent to the SEAF (Security Anchor Function) at the visited network during roaming.
  3. AUSF: The Authentication Server Function uses 'K_AUSF' (derived from 'CK', 'IK') for authentication services in the home network.
  4. AMF (Access and Mobility Management Function): The 'K_AMF' is derived and used by the AMF for secure communication.
  5. SEAF/AMF & gNB (Next Generation Node B): Finally, the AMF and the gNB derive keys such as 'K_NASenc' and 'K_NASint' for NAS message encryption and integrity, and 'K_gNB' for protecting data at the radio layer.
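As an added illustration that is not part of the article, the 5G chain described above (K_AUSF to K_SEAF to K_AMF to the NAS and gNB keys) worked through with the generic 3GPP KDF from TS 33.220 and the FC values TS 33.501 Annex A assigns to each step. The serving network name, SUPI, NAS COUNT and key material are constructed sample inputs, the algorithm identities are arbitrary, and the 4G chain is not modelled; the point it makes is that every key below CK/IK is bound to the serving network name, so a K_SEAF issued for one PLMN is useless towards another.

```python
import hashlib
import hmac

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")   # each Li is the 2-octet length of Pi
    return hmac.new(key, s, hashlib.sha256).digest()

# FC values and parameter layout follow TS 33.501 Annex A (5G AKA case).
def derive_k_ausf(ck: bytes, ik: bytes, sn_name: bytes, sqn_xor_ak: bytes) -> bytes:
    # A.2: input key is CK || IK. Binding to the serving network name is what
    # stops a key issued for one network being used towards another.
    return kdf(ck + ik, 0x6A, sn_name, sqn_xor_ak)

def derive_k_seaf(k_ausf: bytes, sn_name: bytes) -> bytes:
    return kdf(k_ausf, 0x6C, sn_name)                 # A.6: the key handed to the SEAF

def derive_k_amf(k_seaf: bytes, supi: bytes, abba: bytes) -> bytes:
    return kdf(k_seaf, 0x6D, supi, abba)              # A.7

def derive_alg_key(k_amf: bytes, alg_type: int, alg_id: int) -> bytes:
    # A.8: P0 = algorithm type distinguisher (0x01 NAS-enc, 0x02 NAS-int),
    # P1 = algorithm identity; 128-bit keys take the 128 least significant bits.
    return kdf(k_amf, 0x69, bytes([alg_type]), bytes([alg_id]))[16:]

def derive_k_gnb(k_amf: bytes, uplink_nas_count: int, access_type: int = 0x01) -> bytes:
    # A.9: P0 = uplink NAS COUNT (4 octets), P1 = access type (0x01 = 3GPP access).
    return kdf(k_amf, 0x6E, uplink_nas_count.to_bytes(4, "big"), bytes([access_type]))

def derive_hierarchy(ck, ik, sn_name, sqn_xor_ak, supi, abba=b"\x00\x00",
                     nas_count=0, enc_alg=0x02, int_alg=0x02):
    """Walk the chain K_AUSF -> K_SEAF -> K_AMF -> {K_NASenc, K_NASint, K_gNB}."""
    k_ausf = derive_k_ausf(ck, ik, sn_name, sqn_xor_ak)
    k_seaf = derive_k_seaf(k_ausf, sn_name)
    k_amf = derive_k_amf(k_seaf, supi, abba)
    return {
        "K_AUSF": k_ausf, "K_SEAF": k_seaf, "K_AMF": k_amf,
        "K_NASenc": derive_alg_key(k_amf, 0x01, enc_alg),
        "K_NASint": derive_alg_key(k_amf, 0x02, int_alg),
        "K_gNB": derive_k_gnb(k_amf, nas_count),
    }

# Constructed sample inputs for the demo (not real subscriber material).
SAMPLE = dict(ck=bytes(range(16)), ik=bytes(range(16, 32)),
              sn_name=b"5G:mnc001.mcc001.3gppnetwork.org",
              sqn_xor_ak=bytes.fromhex("00000000002a"), supi=b"imsi-001010123456789")
```

Calling `derive_hierarchy(**SAMPLE)` returns the whole chain as a dict; changing only `sn_name` changes every key from K_AUSF downwards, while changing only `nas_count` changes K_gNB and nothing above it.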

Sudeep Batra

Senior Cloud Architect

7 months

Nice Article.
