5G/NR - Network Architecture            

 

 

 

 

NR CORE - Authentication

 

This tutorial covers the authentication process, but not the authentication algorithm itself. I will mostly focus on which 5G core network components and interfaces are involved in the process, and on the details of the messages exchanged via N12 and N13. For details of the authentication parameters and algorithms, you may refer to my notes on LTE Authentication.

 

The following are the names of the network components.

    AMF     Access and Mobility Management Function ==> Equivalent to MME in 4G

    AUSF    Authentication Server Function

    DN       Data Network

    NEF      Network Exposure Function

    NRF      Network Repository Function

    NSSF    Network Slice Selection Function

    PCF      Policy Control Function ==> Equivalent to PCRF in 4G

    (R)AN   (Radio) Access Network

    SMF     Session Management Function

    UDM     Unified Data Management ==> Equivalent to HSS in 4G

    UPF      User Plane Function ==> Equivalent to PGW in 4G

    SMSF   SMS Function

    SEAF    SEcurity Anchor Function ==> part of AMF function

    ARPF    Authentication credential Repository and Processing Function

    SIDF    Subscription Identifier De-concealing Function

 

 

< 33.501 - Figure 6.1.2-1: Initiation of authentication procedure and selection of authentication method >

 

 

 

< 33.501 - Figure 6.1.3.1-1: Authentication procedure for EAP-AKA' >

 

 

 

< 33.501 - Figure 6.1.3.2-1: Authentication procedure for 5G AKA >

 

 

 

Following is an example log captured with Amarisoft Callbox.

 

 

 

[1]

Message: 127.0.1.100:5555 POST http://127.0.1.100:5555/nausf-auth/v1/ue-authentications

 

Data:

Stream id: 1

HEADERS:

  :method: POST

  :path: /nausf-auth/v1/ue-authentications

  :scheme: http

  :authority: 127.0.1.100:5555

  accept: application/3gppHal+json

  accept: application/problem+json

  content-type: application/json

DATA:

  {"supiOrSuci":"suci-0-001-01-0-0-0-0123456789","servingNetworkName":"5G:mnc001.mcc001.3gppnetwork.org"}

 

 

[2]

 

Message: Deciphered IMSI: 001010123456789

 

 

[3]

 

Message: 127.0.1.100:5556 POST http://127.0.1.100:5556/nudm-ueau/v1/imsi-001010123456789/security-information/generate-auth-data

 

Data:

Stream id: 1

HEADERS:

  :method: POST

  :path: /nudm-ueau/v1/imsi-001010123456789/security-information/generate-auth-data

  :scheme: http

  :authority: 127.0.1.100:5556

  accept: application/json

  accept: application/problem+json

  content-type: application/json

DATA:

  {"servingNetworkName":"5G:mnc001.mcc001.3gppnetwork.org",

    "ausfInstanceId":"311730b4-5b0b-4451-a858-bae064887944"}

 

 

[4]

 

Message: 127.0.1.100:5556 Status: 200

 

Data:

Stream id: 1

HEADERS:

  :status: 200

  content-type: application/json

DATA:

  {"authType":"5G_AKA","authenticationVector":{"avType":"5G_HE_AKA",

    "rand":"87d3bc51f51f058c36057d088ce9fa72",

    "xresStar":"35e6b894eac81bcd3a6753a1ba8d3be9",

    "autn":"62b14a63fb9f900187c29e62b16bf3fa",

    "kausf":"fe6ad77e9341e377888a31682f86ac995d20b340049eba3a8e1082e11b95ed6b"}}

 

 

[5]

 

Message: 127.0.1.100:5555 Status: 201

 

Data:

Stream id: 1

HEADERS:

  :status: 201

  content-type: application/json

DATA:

  {"authType":"5G_AKA",

   "5gAuthData":{"rand":"87d3bc51f51f058c36057d088ce9fa72",

   "hxresStar":"40f1c1d2c15251492305922cdeb524fe",

   "autn":"62b14a63fb9f900187c29e62b16bf3fa"},

   "_links":{"5g-aka":{"href":"http://127.0.1.100:5555/nausf-auth/v1/ue-authentications/imsi-001010123456789/5g-aka-confirmation"}},

   "servingNetworkName":"5G:mnc001.mcc001.3gppnetwork.org"}

 

 

[6]

 

Message: Authentication request

 

Data:

 

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x0 (Plain 5GS NAS message, not security protected)

Message type = 0x56 (Authentication request)

ngKSI:

  TSC = 0

  NAS key set identifier = 1

ABBA:

  Length = 2

  Data = 00 00

Authentication parameter RAND:

  Data = 87 d3 bc 51 f5 1f 05 8c 36 05 7d 08 8c e9 fa 72

Authentication parameter AUTN:

  Length = 16

  Data = 62 b1 4a 63 fb 9f 90 01 87 c2 9e 62 b1 6b f3 fa

 

 

[7]

 

Message: Authentication response

 

Data:

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x0 (Plain 5GS NAS message, not security protected)

Message type = 0x57 (Authentication response)

Authentication response parameter:

  Length = 16

  Data = 35 e6 b8 94 ea c8 1b cd 3a 67 53 a1 ba 8d 3b e9

 

 

[8]

 

Message: 127.0.1.100:5555 PUT http://127.0.1.100:5555/nausf-auth/v1/ue-authentications/imsi-001010123456789/5g-aka-confirmation

 

Data:

Stream id: 3

HEADERS:

  :method: PUT

  :path: /nausf-auth/v1/ue-authentications/imsi-001010123456789/5g-aka-confirmation

  :scheme: http

  :authority: 127.0.1.100:5555

  accept: application/json

  accept: application/problem+json

  content-type: application/json

DATA:

  {"resStar":"35e6b894eac81bcd3a6753a1ba8d3be9"}

 

 

[9]

 

Message: 127.0.1.100:5555 Status: 200

 

Data:

Stream id: 3

HEADERS:

  :status: 200

  content-type: application/json

DATA:

  {"authResult":"AUTHENTICATION_SUCCESS",

   "supi":"imsi-001010123456789",

   "kseaf":"a6cdd46b7e2efc93c39b4dde72002fde36f92a0a3af119628121fc7146a9a6e2"}

 

 

[10]

 

Message: AUSF_5G_AKA_CONFIRMATION

 

 

[11]

 

Message: UE auth OK
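
The checks behind messages [5], [8] and [9], as an added example that is not part of the original tutorial or of the Amarisoft software: the AMF/SEAF only receives hxresStar, which TS 33.501 Annex A.5 defines as the 128 least significant bits of SHA-256(RAND || XRES*), while xresStar and kausf from [4] stay in the AUSF. The function names and the HOME_ONLY set are assumptions made for this example; the hex values are copied from the trace above.

```python
import hashlib
import hmac

# Values copied from the trace on this page.
RAND = "87d3bc51f51f058c36057d088ce9fa72"        # [4], [5], [6]
XRES_STAR = "35e6b894eac81bcd3a6753a1ba8d3be9"   # [4] UDM -> AUSF only
HXRES_STAR = "40f1c1d2c15251492305922cdeb524fe"  # [5] AUSF -> AMF
RES_STAR = "35e6b894eac81bcd3a6753a1ba8d3be9"    # [7] UE -> AMF, [8] AMF -> AUSF
N12_BODY = {"authType": "5G_AKA",                # [5], with _links left out
            "5gAuthData": {"rand": RAND, "hxresStar": HXRES_STAR,
                           "autn": "62b14a63fb9f900187c29e62b16bf3fa"}}
HOME_ONLY = {"xresStar", "kausf"}  # assumption: names of the fields in [4] that must not reach the AMF


def hxres_star(rand_hex, res_star_hex):
    """TS 33.501 Annex A.5: 128 least significant bits of SHA-256(RAND || (X)RES*)."""
    data = bytes.fromhex(rand_hex) + bytes.fromhex(res_star_hex)
    return hashlib.sha256(data).digest()[-16:].hex()


def seaf_check(rand_hex, res_star_hex, hxres_hex):
    """AMF/SEAF side: hash the UE's RES* and compare it with HXRES* from the AUSF."""
    return hmac.compare_digest(hxres_star(rand_hex, res_star_hex), hxres_hex.lower())


def ausf_check(res_star_hex, xres_star_hex):
    """AUSF side: compare resStar from the confirmation PUT with XRES* from the UDM."""
    return hmac.compare_digest(res_star_hex.lower(), xres_star_hex.lower())


def home_only_fields(body):
    """Return home-network-only keys found anywhere in a decoded JSON body."""
    found = set()
    if isinstance(body, dict):
        for key, value in body.items():
            if key in HOME_ONLY:
                found.add(key)
            found |= set(home_only_fields(value))
    elif isinstance(body, list):
        for item in body:
            found |= set(home_only_fields(item))
    return sorted(found)


if __name__ == "__main__":
    print("SEAF check against captured hxresStar:", seaf_check(RAND, RES_STAR, HXRES_STAR))
    print("AUSF check against captured xresStar:", ausf_check(RES_STAR, XRES_STAR))
    print("home-only fields in N12 body:", home_only_fields(N12_BODY))
```

Running home_only_fields over every decoded N12 response in a capture flags an AUSF that forwards the home-network vector unchanged.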