AUSF (Authentication Server Function) In 5G-NR

AUSF (Authentication Server Function) is an essential component of the 5G network architecture. It is responsible for verifying the identity of a subscriber, validating their subscription data, and determining the appropriate security context for the subscriber.

One of the primary functions of the AUSF is to support 5G authentication and authorization procedures. When a subscriber attempts to connect to the 5G network, the AUSF plays a key role in verifying their identity and ensuring that they have the proper authorization to access the network.

The AUSF interacts with several other network functions to provide a seamless and secure experience for 5G subscribers. For example, it communicates with the Access and Mobility Management Function (AMF) to manage subscriber mobility and handover procedures. It also interacts with the Unified Data Management (UDM) function to manage subscriber data and profiles.

The AUSF is designed to be scalable and flexible, allowing it to support a wide range of 5G use cases and applications. It is also designed to provide robust security features, including encryption and authentication mechanisms, to protect against unauthorized access and data breaches.

Function of AUSF:

  • Authentication: When a subscriber tries to access the 5G network, the AUSF performs authentication by verifying the subscriber's identity and checking whether they have the proper credentials to access the network.
  • Authorization: After authentication, the AUSF performs authorization by checking whether the subscriber has the appropriate authorization to access specific network functions or services.
  • Security context: The AUSF determines the appropriate security context for the subscriber based on their identity, subscription data, and authorization level.
  • Mobility management: The AUSF interacts with other network functions, such as the Access and Mobility Management Function (AMF), to manage subscriber mobility and handover procedures.
  • Session management: The AUSF supports session management, including the establishment, maintenance, and termination of 5G network sessions.
  • Subscriber data management: The AUSF interacts with the Unified Data Management (UDM) function to manage subscriber data and profiles.
  • Authentication and key agreement (AKA): The AUSF supports the AKA protocol, which is used for mutual authentication between the subscriber and the network. The AKA protocol provides a secure mechanism for exchanging keys and establishing a secure communication channel between the subscriber and the network.
  • Subscriber privacy: The AUSF is responsible for protecting subscriber privacy by managing subscriber identity and authentication information. It ensures that subscriber data is protected and not disclosed to unauthorized parties.
  • Subscription data management: The AUSF interacts with the UDM to manage subscription data and profiles for 5G subscribers. This includes managing subscriber profiles, policies, and authentication credentials.
  • Security protection: The AUSF provides security protection against attacks and threats, such as replay attacks, man-in-the-middle attacks, and denial-of-service attacks. It uses advanced security mechanisms, such as encryption and authentication, to protect against these threats.
  • Network slicing: The AUSF supports network slicing, which allows the 5G network to be divided into multiple logical networks to support different use cases and applications. It ensures that subscribers are authenticated and authorized for the appropriate network slice based on their identity and subscription data.
  • Interoperability: The AUSF supports interoperability between different 5G network elements and interfaces, ensuring that subscribers can access 5G services and applications regardless of the network provider or location.

Initiation of authentication and selection of authentication method

The initiation of the primary authentication is shown in Figure 6.1.2-1.

Figure 6.1.2-1 in the 3GPP TS 33.501 standard shows the initiation of the primary authentication procedure in the 5G network architecture. The figure illustrates the messages exchanged between the UE, AMF, and AUSF during the primary authentication procedure.

SUCI (Subscription Concealed Identifier) is a 5G network identifier that consists of the Mobile Country Code (MCC), Mobile Network Code (MNC), and a Subscription Permanent Identifier (SUPI). It is used to protect the subscriber's identity and privacy. SUPI is a unique identifier assigned to each subscriber by their home network, which is used for identification and authentication purposes in the 5G network.

  • In the first step, the AMF sends an Authentication Request message to the UE, which includes a Random Number (RAND) and an Authentication Challenge (AUTN). The UE then calculates an expected response (XRES) based on the received RAND, AUTN, and the subscriber's authentication credentials.
  • Next, the UE sends an Authentication Response message to the AMF, which includes the XRES and a session key (Ks_nas) encrypted with the subscriber's authentication key (Ki).
  • The AMF then selects the appropriate AUSF based on the subscriber's identity and subscription data, and sends an Authentication Request message to the selected AUSF. The Authentication Request message includes the subscriber's authentication credentials and the received RAND and AUTN.
  • The AUSF then performs the necessary authentication and security functions, including authentication and key agreement (AKA) procedures, to verify the subscriber's identity and ensure that they are authorized to access the 5G network. If the authentication is successful, the AUSF sends an Authentication Response message to the AMF, which includes the Ks_nas and an indication of the selected authentication method.
  • Finally, the AMF sends an Authentication Response message to the UE, which includes the Ks_nas and the selected authentication method. The UE and AMF can then use the Ks_nas to secure subsequent communication between the UE and the 5G network.

Overall, Figure 6.1.2-1 provides a clear visualization of the messages exchanged during the primary authentication procedure in the 5G network architecture.

Authentication procedure for EAP-AKA

Figure 6.1.3.1-1 in the 3GPP TS 33.501 standard illustrates the point-to-point authentication procedure for EAP-AKA (Extensible Authentication Protocol - Authentication and Key Agreement) in the 5G network architecture.

  • The EAP-AKA authentication procedure uses the AKA algorithm to perform authentication and key agreement between the UE and the network. The figure shows the messages exchanged between the UE and the network during the EAP-AKA authentication procedure, including the EAP-Request and EAP-Response messages.
  • The procedure starts with the UE sending an EAP-Request/Identity message to the network, which includes the UE's identity. The network responds with an EAP-Request/AKA Challenge message, which includes a Random Number (RAND) and an Authentication Token (AUTN).
  • The UE then calculates a Response (RES) and a Ciphering Key (CK) based on the received RAND, AUTN, and the subscriber's authentication credentials, and sends an EAP-Response/AKA Challenge message to the network, which includes the RES and CK.
  • The network then verifies the UE's response and generates a Session Key (Ks_nas) and an Integrity Key (Ik_nas) based on the AKA algorithm. The network sends an EAP-Success message to the UE, which includes the Ks_nas and Ik_nas, indicating a successful authentication and key agreement.

Authentication procedure for 5G AKA

Figure 6.1.3.2-1 in the 3GPP TS 33.501 standard illustrates the point-to-point authentication procedure for 5G AKA (Authentication and Key Agreement) in the 5G network architecture. The diagram provides a visual representation of the messages exchanged between the UE and the network during the 5G AKA authentication procedure.

  • The 5G AKA authentication procedure is initiated by the UE sending a NAS (Non-Access Stratum) Authentication Request message to the network, which includes the UE's identity and security parameters. The network responds with a NAS Authentication Response message, which includes a Random Number (RAND), an Authentication Token (AUTN), and a Sequence Number (SQN).
  • The UE then calculates a Response (RES) and a Ciphering Key (CK) based on the received RAND, AUTN, SQN, and the subscriber's authentication credentials, and sends a NAS Authentication Request message to the network, which includes the RES and CK.
  • The network verifies the UE's response and generates a Session Key (Ks_nas) and an Integrity Key (Ik_nas) based on the AKA algorithm. The network sends a NAS Authentication Response message to the UE, which includes the Ks_nas and Ik_nas, indicating a successful authentication and key agreement.

  • The UE's identity can be represented as either SUCI or SUPI, depending on the privacy settings. The UE includes this identity in the NAS Authentication Request message.
  • The network generates the RAND, AUTN, and SQN values and sends them to the UE in the NAS Authentication Response message. These values are used by the UE to calculate the RES and CK values.
  • The UE uses the UE authentication credentials (e.g., a shared secret) to calculate the RES and CK values, which are included in the NAS Authentication Request message. The network verifies these values to authenticate the UE.
  • The network generates the Ks_nas and Ik_nas values based on the AKA algorithm and sends them to the UE in the NAS Authentication Response message. These keys are used for secure communication between the UE and the network.
  • The UE sends a Security Mode Command message to the network after the authentication procedure is complete, which includes the Ks_nas and Ik_nas values. This message is used to activate the security keys and establish a secure communication channel between the UE and the network.

Going a little deeper, there are some other points to remember:

  • The AUTN value sent by the network to the UE is a concatenation of several values, including the RAND value, the network authentication token (Kausf), the UE authentication token (Kseaf), and the SQN value. The UE uses these values to calculate the RES and CK values.
  • The sequence number (SQN) is used to prevent replay attacks. The network generates a new SQN value for each authentication procedure, and the UE is expected to include the same SQN value in its response. If the network receives an authentication response with an incorrect SQN value, it will reject the response.
  • The 5G AKA algorithm is based on the challenge-response mechanism, where the network challenges the UE to provide a valid response based on the RAND and AUTN values. The UE uses its authentication credentials and the received values to calculate the response. If the response is valid, the network generates the Ks_nas and Ik_nas values and sends them to the UE.
  • The Ks_nas key is used for encrypting and decrypting NAS messages between the UE and the network. The Ik_nas key is used for integrity protection of the NAS messages, to ensure that they have not been modified in transit.
  • The Security Mode Command message is used to activate the security keys and establish a secure communication channel between the UE and the network. This message includes the Ks_nas and Ik_nas values and other security parameters, such as the algorithm used for encryption and integrity protection.
  • After the authentication procedure is complete and the security keys are activated, the UE and the network can exchange secure communication messages, such as signaling messages and user data.
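The challenge-response and SQN replay check described above, modelled in Python as an added illustration (not code from the original post or from 3GPP). It assumes the TS 33.501 AUTN layout (SQN masked by the anonymity key AK, the AMF field, then a MAC), uses HMAC-SHA256 as a stand-in for the MILENAGE f1 to f5 functions, and simplifies the UE's freshness check to a strictly increasing SQN (the real check uses a re-synchronisation window).

```python
import hmac, hashlib, secrets

AMF_FIELD = b"\x80\x00"  # 16-bit AMF field; constructed sample value

def _f(k, tag, *parts):
    """Stand-in for MILENAGE: HMAC-SHA256 with a domain-separation tag (assumption)."""
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()

def f1(k, rand, sqn, amf): return _f(k, b"f1", rand, sqn, amf)[:8]  # MAC-A
def f2(k, rand): return _f(k, b"f2", rand)[:8]    # RES / XRES
def f3(k, rand): return _f(k, b"f3", rand)[:16]   # CK
def f4(k, rand): return _f(k, b"f4", rand)[:16]   # IK
def f5(k, rand): return _f(k, b"f5", rand)[:6]    # AK, masks SQN inside AUTN

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

class HomeNetwork:
    """UDM/ARPF side: holds the long-term key K and the per-subscriber SQN counter."""
    def __init__(self, k):
        self.k, self.sqn = k, 0
    def auth_vector(self):
        self.sqn += 1                       # fresh SQN per authentication
        sqn = self.sqn.to_bytes(6, "big")
        rand = secrets.token_bytes(16)
        mac = f1(self.k, rand, sqn, AMF_FIELD)
        autn = xor(sqn, f5(self.k, rand)) + AMF_FIELD + mac
        return rand, autn, f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)

class UE:
    """USIM side: verifies the network (MAC + SQN), then derives RES, CK, IK."""
    def __init__(self, k):
        self.k, self.sqn_seen = k, 0
    def respond(self, rand, autn):
        sqn = xor(autn[:6], f5(self.k, rand))
        amf, mac = autn[6:8], autn[8:]
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            raise ValueError("MAC failure: network not authenticated")
        if int.from_bytes(sqn, "big") <= self.sqn_seen:
            raise ValueError("synchronisation failure: replayed SQN")
        self.sqn_seen = int.from_bytes(sqn, "big")
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)

def run_aka(hn, ue):
    """One full exchange; True when RES matches XRES and both sides agree on CK/IK."""
    rand, autn, xres, ck, ik = hn.auth_vector()
    res, ue_ck, ue_ik = ue.respond(rand, autn)
    return hmac.compare_digest(res, xres) and (ue_ck, ue_ik) == (ck, ik)
```

Replaying a captured (RAND, AUTN) pair to the same UE fails the SQN check, and a UE holding a different K fails the MAC check before any response is produced.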


#AUSF #5G #NR #5G-NR #3GPPTS33.501 #AUTN #EAP-AKA