NAS Authentication in Detail
The authentication procedure in 5G/NR is similar to the authentication procedure in LTE, but many information elements in the NAS messages were added or renamed, mainly because of the changes to the core network structure in 5G/NR (the AMF, rather than the MME, is the UE's NAS peer, and the key set identifier becomes ngKSI).
Signaling (Message) Sequence
This section outlines the messages exchanged between the network (NW) and the UE during registration and authentication, based on 24.501 - 5.5.1.2 and 5.4.1.3. The authentication procedure verifies the UE's identity (and, through AUTN, lets the UE verify the network) before access is granted. Depending on the outcome, the signaling flow follows one of three patterns: normal authentication, where the procedure completes successfully; Authentication Reject, where the network does not accept the UE's response; and Authentication Failure, where the UE does not accept the challenge. Each case is controlled by specific messages and timers: T3560 on the AMF side, which bounds how long the network waits for the UE's answer, and T3520 on the UE side after it has sent an Authentication Failure.
< Case A > Normal Authentication
In the case of normal authentication, the network (NW) successfully initiates the authentication process with the user equipment (UE) after receiving a Registration Request.
Direction | Message | UE Timer | NW Timer
UE <- NW(AMF) | Authentication Request | | T3560 Start
UE -> NW(AMF) | Authentication Response | | T3560 Stop
The AMF sends an Authentication Request carrying the challenge (ngKSI, ABBA and, for 5G AKA, RAND and AUTN) and starts timer T3560 at the moment it sends the message. The UE verifies AUTN, computes RES* and returns it in an Authentication Response; the AMF stops T3560 when the response arrives, derives HRES* from the received RES* and compares it with the expected HXRES*. If they match, the procedure completes successfully. Note that T3560 is a network-side (AMF) timer (24.501 Table 10.2.2): no UE timer runs while the UE answers the challenge.
< Case B > Authentication Reject by NW
In this scenario the authentication procedure fails because the network does not accept the response the UE returned to the challenge.
Direction | Message | UE Timer | NW Timer
UE <- NW(AMF) | Authentication Request | | T3560 Start
UE -> NW(AMF) | Authentication Response | | T3560 Stop
UE <- NW(AMF) | Authentication Reject | |
The AMF sends an Authentication Request and starts T3560; the UE accepts the challenge and replies with an Authentication Response, which stops T3560. The network-side check of that response then fails (for 5G AKA, the HRES* derived from the received RES* does not match HXRES*, or the AUSF reports that RES* does not match XRES*), so the AMF sends an Authentication Reject. The consequence for the UE is severe: on receiving Authentication Reject it considers the USIM invalid for 5GS services until the UE is switched off or the USIM is removed (24.501 5.4.1.3.5).
< Case C > Authentication Failure by UE
In this scenario the UE does not accept the challenge sent by the network and answers with an Authentication Failure instead of an Authentication Response. (Registration Reject is a network-to-UE message; a UE-side rejection of the authentication procedure is signaled with Authentication Failure.)
Direction | Message | UE Timer | NW Timer
UE <- NW(AMF) | Authentication Request | | T3560 Start
UE -> NW(AMF) | Authentication Failure | T3520 Start | T3560 Stop
After receiving the Authentication Request, the UE checks the challenge and determines that it cannot proceed. The reason is carried as the 5GMM cause in the Authentication Failure message: #20 "MAC failure" (the MAC in AUTN does not verify, so the network is not authentic from the UE's point of view), #21 "Synch failure" (the SQN in AUTN is out of range; the UE includes the AUTS parameter so the home network can resynchronize), #26 "Non-5G authentication unacceptable" or #71 "ngKSI already in use". The AMF stops T3560 when the Authentication Failure arrives. On the UE side, sending Authentication Failure with cause #20 or #21 starts timer T3520 (24.501 5.4.1.3.6), which is stopped when the network sends a new Authentication Request (for example after resynchronization) or an Authentication Reject.
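The following added example (my own code, not from the original page or from 3GPP) drives the three cases above end to end. The Milenage functions f1 to f5 are replaced by HMAC-SHA-256 stand-ins (an assumption: keyed hashes, not the real algorithms); the RES*/XRES* and HRES*/HXRES* derivations follow TS 33.501 Annex A.4 and A.5 in outline; the serving network name, the key K and the SQN values are constructed, and T3560 is modelled as a state string on the AMF side.

```python
"""Toy 5G AKA exchange showing how the three NAS authentication outcomes arise.

Added example, not code from the page or from 3GPP. f1..f5 are stand-ins built
on HMAC-SHA-256 (assumption: NOT Milenage/TUAK); RES*/HRES* derivation follows
TS 33.501 A.4/A.5 in outline; timer T3560 is simulated as an AMF-side state
string. Key, SQN and serving network name values are constructed.
"""
import hashlib
import hmac
import os

SNN = b"5G:mnc001.mcc001.3gppnetwork.org"   # constructed serving network name


def f(tag, k, *parts):
    """Stand-in for Milenage f1..f5: a keyed hash over the inputs (toy only)."""
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()


def kdf(key, fc, *params):
    """TS 33.220 B.2 KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc]) + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()


def res_star(k, rand, snn):
    """RES*/XRES*: 128 LSBs of KDF(CK||IK, 0x6B, SNN, RAND, RES) (33.501 A.4)."""
    res = f(b"f2", k, rand)[:8]
    ck, ik = f(b"f3", k, rand)[:16], f(b"f4", k, rand)[:16]
    return kdf(ck + ik, 0x6B, snn, rand, res)[16:]


def hres_star(rand, rs):
    """HRES*/HXRES*: 128 LSBs of SHA-256(RAND || RES*) (33.501 A.5)."""
    return hashlib.sha256(rand + rs).digest()[16:]


def home_network_av(k, sqn):
    """UDM/ARPF builds the vector; AUSF hands HXRES* (not XRES*) to the AMF."""
    rand = os.urandom(16)
    amf = b"\x80\x00"                                # AMF field, separation bit set
    mac = f(b"f1", k, rand, sqn, amf)[:8]
    ak = f(b"f5", k, rand)[:6]
    autn = bytes(a ^ b for a, b in zip(sqn, ak)) + amf + mac   # (SQN^AK)||AMF||MAC
    return rand, autn, hres_star(rand, res_star(k, rand, SNN))


def ue_handle_auth_request(k, rand, autn, sqn_ue, snn):
    """UE on AUTHENTICATION REQUEST: ('RESPONSE', RES*) or ('FAILURE', 5GMM cause)."""
    sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
    ak = f(b"f5", k, rand)[:6]
    sqn = bytes(a ^ b for a, b in zip(sqn_xor_ak, ak))
    if not hmac.compare_digest(f(b"f1", k, rand, sqn, amf)[:8], mac):
        return "FAILURE", 20          # #20 MAC failure: network is not authentic
    if int.from_bytes(sqn, "big") <= int.from_bytes(sqn_ue, "big"):
        return "FAILURE", 21          # #21 synch failure: SQN not fresh (replay)
    return "RESPONSE", res_star(k, rand, snn)


def run_authentication(k_hn, sqn_hn, k_ue, sqn_ue, snn_ue=SNN):
    """AMF view of one procedure; returns (outcome, T3560 state)."""
    rand, autn, hxres = home_network_av(k_hn, sqn_hn)
    t3560 = "running"     # AMF starts T3560 when it sends AUTHENTICATION REQUEST
    kind, payload = ue_handle_auth_request(k_ue, rand, autn, sqn_ue, snn_ue)
    t3560 = "stopped"     # ...and stops it on AUTHENTICATION RESPONSE or FAILURE
    if kind == "FAILURE":
        return f"AUTHENTICATION FAILURE cause #{payload}", t3560    # Case C
    if not hmac.compare_digest(hres_star(rand, payload), hxres):
        return "AUTHENTICATION REJECT", t3560                       # Case B
    return "AUTHENTICATION RESPONSE accepted", t3560                # Case A


K = bytes(range(16))                                   # constructed long-term key
SQN_HN, SQN_UE = (10).to_bytes(6, "big"), (5).to_bytes(6, "big")

if __name__ == "__main__":
    print("A :", run_authentication(K, SQN_HN, K, SQN_UE))
    print("B :", run_authentication(K, SQN_HN, K, SQN_UE, snn_ue=b"5G:other"))  # SNN mismatch
    print("C1:", run_authentication(K, SQN_HN, bytes(16), SQN_UE))           # wrong K -> #20
    print("C2:", run_authentication(K, SQN_UE, K, SQN_HN))                   # stale SQN -> #21
```

Case B is produced by a serving network name mismatch: RES* is bound to the serving network name, so a UE that answers a challenge for a different network produces an HRES* the AMF cannot match and gets an Authentication Reject. Case C is produced either by a wrong long-term key (the MAC in AUTN does not verify, cause #20) or by a challenge whose SQN is not newer than the one the UE has already accepted (cause #21); in both cases the UE never computes a response.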
Message Structure
There are several important NAS signaling messages related to 5G authentication. This section summarizes the most important one, the Authentication Request, and looks into its structure.
Authentication Request
The "Authentication Request" message is sent by the network (AMF) to the UE to start the authentication procedure, typically after the AMF has received a Registration Request. It travels from the AMF through the Radio Access Network (RAN) to the UE.
The message carries the challenge: the ngKSI that will identify the resulting security context, the ABBA parameter and, for 5G AKA, the RAND and AUTN values. For EAP-based authentication (for example EAP-AKA') the challenge is carried in the EAP message IE instead of RAND and AUTN.
The following information elements are included in the Authentication Request message.
Authentication Request (24.501 - 8.2.1.1)
ngKSI : 24.501 - 9.11.3.32
ABBA : 24.501 - 9.11.3.10
RAND (5G authentication challenge) : 24.501 - 9.11.3.16
AUTN (5G authentication challenge) : 24.501 - 9.11.3.15
EAP message : 24.501 - 9.11.2.2
Information Element Structure
The ngKSI (NAS key set identifier) IE identifies the 5G NAS security context that the message refers to, so that the UE and the AMF agree on which K_AMF the derived NAS keys belong to. It is a half octet: bit 4 is the TSC (type of security context) flag, and bits 1 to 3 carry the 3-bit key set identifier. TSC = 0 means a native 5G NAS security context (the identifier is a KSI_AMF); TSC = 1 means a mapped security context derived from an EPS security context during inter-system change (the identifier is a KSI_ASME). Key set identifier values 000 to 110 identify a key set; the value 111 means "no key is available" when sent by the UE and is reserved when sent by the network.
NAS key set identifier (TSC)
0 : native security context (for KSI_AMF)
1 : mapped security context (for KSI_ASME)
NAS key set identifier
0 (000) to 6 (110) : possible values of the NAS key set identifier
7 (111) : no key is available (UE to network), reserved (network to UE)
The purpose of the ABBA (Anti-Bidding down Between Architectures) information element is to enable bidding down protection of security features.
The ABBA value is an input to the K_AMF derivation (33.501 Annex A.7), so a UE and a network that disagree on the set of security features derive different keys and the subsequent security mode procedure fails, rather than silently falling back to a weaker architecture. In Rel-15 the value is fixed to 0x0000 (length 2). The IE is coded as an identifier (ABBA IEI, when the IE is not mandatory), the length of the contents and the ABBA contents themselves.
ABBA IEI
Length of ABBA contents
ABBA Contents
The RAND (random value for the 5G authentication challenge) is a 16-octet random number chosen by the home network for each authentication vector. It makes every challenge unique, so a response captured in one run cannot be replayed in another, and it is an input to all of the key and response derivations (CK, IK, RES*) for that run.
The AUTN (authentication token for the 5G authentication challenge) is the 16-octet value (SQN xor AK) || AMF || MAC that authenticates the network to the UE. The UE recomputes the MAC under its long-term key K to verify that the challenge was generated by its home network, and checks that the recovered SQN is fresh to detect replayed challenges; if either check fails the UE sends an Authentication Failure (cause #20 or #21) instead of a response. In 5G AKA the UE answers with RES*, which is bound to the serving network name, so a challenge obtained from one network cannot be answered successfully towards another.
The purpose of the EAP (Extensible Authentication Protocol) message information element is to transport an EAP message as specified in IETF RFC 3748.
When EAP-based authentication (such as EAP-AKA') is used, the challenge and the response travel inside this IE rather than in the RAND/AUTN IEs, so the NAS layer only carries the EAP packet and the EAP method decides how the UE and the network authenticate each other. The IE is coded with a 2-octet length (TLV-E), since EAP packets can be much longer than a regular IE.
EAP message IEI
Length of EAP message contents
EAP message
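As an added example (not code from the page or from 3GPP), here is a small encoder and decoder for a plain, unciphered Authentication Request that covers the IEs listed above: ngKSI (TSC flag and 3-bit KSI), ABBA, RAND, AUTN and the EAP message IE. The message type 0x56 and the IEIs 0x21 (RAND, TV), 0x20 (AUTN, TLV) and 0x78 (EAP message, TLV-E) follow TS 24.501 Table 8.2.1.1.1; the sample RAND, AUTN and ABBA bytes are constructed, not captured.

```python
"""Encoder/decoder for a plain (unciphered) 5GMM AUTHENTICATION REQUEST.

Added example, not code from the page or from 3GPP. Layout per TS 24.501
Table 8.2.1.1.1: EPD 0x7E | security header type (0) + spare | message type
0x56 | ngKSI + spare half octet | ABBA (LV) | optional 0x21 RAND (TV, 16 octets)
| 0x20 AUTN (TLV, 16 octets) | 0x78 EAP message (TLV-E). Sample values are
constructed.
"""

EPD_5GMM = 0x7E
MT_AUTH_REQUEST = 0x56
IEI_RAND, IEI_AUTN, IEI_EAP = 0x21, 0x20, 0x78
KSI_NO_KEY = 0b111          # "no key available" (UE -> NW); reserved NW -> UE


def encode_ngksi(tsc, ksi):
    """ngKSI half octet (9.11.3.32): bit 4 = TSC (0 native, 1 mapped), bits 3..1 = KSI."""
    if tsc not in (0, 1) or not 0 <= ksi <= 7:
        raise ValueError("bad ngKSI")
    return (tsc << 3) | ksi


def encode_auth_request(tsc, ksi, abba, rand=None, autn=None, eap=None):
    """Build the message; ngKSI is the low nibble, the spare half octet the high nibble."""
    if not 1 <= len(abba) <= 255:
        raise ValueError("ABBA length out of range")
    if (rand is None) != (autn is None):
        raise ValueError("5G AKA challenge needs both RAND and AUTN")
    msg = bytes([EPD_5GMM, 0x00, MT_AUTH_REQUEST, encode_ngksi(tsc, ksi)])
    msg += bytes([len(abba)]) + abba                              # ABBA: LV
    if rand is not None:
        if len(rand) != 16 or len(autn) != 16:
            raise ValueError("RAND and AUTN are 16 octets")
        msg += bytes([IEI_RAND]) + rand                           # RAND: TV
        msg += bytes([IEI_AUTN, len(autn)]) + autn                # AUTN: TLV
    if eap is not None:
        msg += bytes([IEI_EAP]) + len(eap).to_bytes(2, "big") + eap   # EAP: TLV-E
    return msg


def decode_auth_request(msg):
    """Parse into a dict; raises ValueError on anything malformed or truncated."""
    pos = 0

    def take(n):                       # bounds-checked slice, so no silent short reads
        nonlocal pos
        if pos + n > len(msg):
            raise ValueError("truncated message")
        chunk = msg[pos:pos + n]
        pos += n
        return chunk

    epd, sec_hdr, mt, ksi_octet = take(4)
    if epd != EPD_5GMM or (sec_hdr & 0x0F) != 0 or mt != MT_AUTH_REQUEST:
        raise ValueError("not a plain 5GMM AUTHENTICATION REQUEST")
    out = {"tsc": (ksi_octet >> 3) & 1, "ksi": ksi_octet & 0x07}
    if out["ksi"] == KSI_NO_KEY:
        raise ValueError("ngKSI value 111 is reserved in the network-to-UE direction")
    out["abba"] = take(take(1)[0])
    while pos < len(msg):
        iei = take(1)[0]
        if iei == IEI_RAND:
            out["rand"] = take(16)
        elif iei == IEI_AUTN:
            length = take(1)[0]
            if length != 16:
                raise ValueError("AUTN must be 16 octets")
            out["autn"] = take(length)
        elif iei == IEI_EAP:
            out["eap"] = take(int.from_bytes(take(2), "big"))
        else:
            raise ValueError(f"unexpected IEI 0x{iei:02x}")
    if ("rand" in out) != ("autn" in out) or not ("rand" in out or "eap" in out):
        raise ValueError("message carries neither a 5G AKA challenge nor an EAP message")
    return out


# Constructed sample values (not a real capture).
RAND = bytes(range(16))
AUTN = bytes.fromhex("010203040506") + b"\x80\x00" + bytes.fromhex("a1a2a3a4a5a6a7a8")
ABBA = b"\x00\x00"               # Rel-15 value, TS 33.501 Annex A.7.1

if __name__ == "__main__":
    req = encode_auth_request(0, 1, ABBA, rand=RAND, autn=AUTN)
    print(req.hex())
    print(decode_auth_request(req))
```

The decoder deliberately rejects ngKSI value 111 and a truncated or over-long AUTN rather than guessing, because these are exactly the malformed inputs a NAS stack is most likely to meet from a misbehaving or hostile peer.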