Description
ABBA (Anti-Bidding down Between Architectures) is a critical security parameter defined in 3GPP specifications, primarily within the 5G System (5GS) security framework. It functions as a bit string included in security signaling messages, specifically within the NAS (Non-Access Stratum) security context and authentication procedures. The primary technical role of ABBA is to provide cryptographic binding between the UE's (User Equipment) security capabilities and the serving network's architecture type, preventing an attacker from forcing the UE and network to use security algorithms or procedures from a previous, potentially less secure generation.
Architecturally, ABBA operates within the Authentication and Key Agreement (AKA) procedures defined for 5G. During initial registration or handover procedures involving inter-system mobility (e.g., between 5G Core and 4G Evolved Packet Core), both the UE and the network (specifically the AMF - Access and Mobility Management Function in 5GC, or corresponding MME in EPC) exchange and verify the ABBA parameter. This parameter is constructed to be unique to the network architecture and the security context being established. The UE derives the ABBA value based on information received from the network in the authentication request, and the network independently computes the expected value. A mismatch indicates a potential bidding-down attack, causing the procedure to fail.
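The binding can be seen in the key hierarchy. The sketch below is an added example, not code from the original page or from 3GPP: it follows the K_AMF derivation of TS 33.501 Annex A.7, where ABBA is an input to the HMAC-SHA-256 KDF of TS 33.220, so an ABBA altered in transit leaves the UE and the AMF with different NAS integrity keys. K_SEAF, the SUPI and the altered ABBA value are constructed sample values, and `nas_keys_agree` is a hypothetical helper name.

```python
import hashlib
import hmac

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B.2): HMAC-SHA-256 over
    S = FC || P0 || L0 || P1 || L1 ..., each Li a 2-octet length."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_k_amf(k_seaf: bytes, supi: str, abba: bytes) -> bytes:
    """K_AMF per TS 33.501 Annex A.7: FC = 0x6D, P0 = SUPI, P1 = ABBA."""
    return kdf(k_seaf, 0x6D, supi.encode("ascii"), abba)

def derive_k_nas_int(k_amf: bytes, alg_id: int) -> bytes:
    """K_NASint per TS 33.501 Annex A.8: FC = 0x69, P0 = 0x02 (NAS integrity),
    P1 = algorithm identity; 128-bit algorithms use the low 128 bits."""
    return kdf(k_amf, 0x69, b"\x02", bytes([alg_id]))[16:]

# Constructed sample values (not from the page or from any real subscriber).
K_SEAF = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
SUPI = "001010123456789"              # IMSI digits on the 001/01 test PLMN
ABBA_5GS = bytes.fromhex("0000")      # Release 15 value, TS 33.501 Annex A.7.1
ABBA_ALTERED = bytes.fromhex("0001")  # constructed stand-in for a modified ABBA
NIA2 = 0x02                           # 128-NIA2 algorithm identity

def nas_keys_agree(abba_sent_by_amf: bytes, abba_seen_by_ue: bytes) -> bool:
    """Derive K_NASint on each side from the ABBA that side holds and compare.
    False means the first integrity-protected NAS message cannot verify."""
    amf_key = derive_k_nas_int(derive_k_amf(K_SEAF, SUPI, abba_sent_by_amf), NIA2)
    ue_key = derive_k_nas_int(derive_k_amf(K_SEAF, SUPI, abba_seen_by_ue), NIA2)
    return hmac.compare_digest(amf_key, ue_key)

if __name__ == "__main__":
    print("unmodified ABBA, keys agree:", nas_keys_agree(ABBA_5GS, ABBA_5GS))
    print("altered ABBA, keys agree:  ", nas_keys_agree(ABBA_5GS, ABBA_ALTERED))
```

Because the keys diverge silently, the failure surfaces as a NAS integrity check failure rather than as an explicit ABBA comparison, which is what makes the parameter tamper-evident without a separate MAC over it.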
Key components involved in ABBA implementation include the UE's security module (USIM), the serving network's security anchor function (SEAF in 5GC, which interacts with the AUSF - Authentication Server Function), and the home network's authentication credentials (stored in the UDM/ARPF - Unified Data Management / Authentication Credential Repository and Processing Function). The ABBA parameter itself is not a standalone message but is embedded within other security containers, such as the Authentication Response message sent from UE to network. Its value is calculated using inputs that include the network's serving network name (SNN) and explicitly indicates the core network type (5GC or EPC) the UE is registering to.
In the broader 5G security architecture, ABBA complements other security mechanisms like SUPI (Subscription Permanent Identifier) protection, integrity protection of NAS signaling, and ciphering of user plane data. Its specific role is to address architectural transition threats that were not fully mitigated in previous generations. By ensuring that security negotiations cannot be manipulated to revert to older, weaker protocols when a UE moves between 4G and 5G coverage areas, ABBA maintains the overall security assurance level of the 5G system, which is a fundamental design principle. This is particularly important in non-standalone (NSA) deployment scenarios where 5G NR radio access connects to a 4G core, and in early migration phases where networks operate dual architectures.
Purpose & Motivation
ABBA was created to solve a specific security vulnerability known as a "bidding-down" or "downgrade" attack in the context of inter-generational network mobility. In 4G (EPS), while security mechanisms existed within a single architecture, the transition between 3G and 4G networks had potential vulnerabilities where an attacker could manipulate signaling to make the UE and network believe the other only supported older, less secure cryptographic algorithms (e.g., forcing a fallback from AES to SNOW 3G). With the introduction of 5G and the expectation of long-term coexistence with 4G EPC networks (especially in Non-Standalone deployments), 3GPP identified that a new form of this attack was possible: an attacker could try to force a UE registering to a 5G Core network to instead use security procedures defined for the 4G Evolved Packet Core, which might have different or weaker security properties.
The historical context is rooted in the evolution of mobile security. Each generation (3G, 4G, 5G) introduced stronger authentication algorithms, key derivation functions, and integrity protection mechanisms. However, for backward compatibility, UEs and networks must support multiple security suites. An active attacker in the radio path could intercept and modify the security capability exchange messages to remove references to newer, stronger algorithms, tricking both ends into agreeing on an older set. ABBA specifically addresses this between architectures (5GC vs. EPC), not just between algorithm sets within one architecture. It ensures that the security context is explicitly bound to the core network type being used.
The limitation of previous approaches, particularly in 4G, was that while algorithm negotiation was protected within the EPS AKA procedure, the architectural context (whether the UE was attaching to EPC or a previous core) was not cryptographically verified in a way that prevented an active attacker from manipulating this association. ABBA fills this gap by making the network architecture a mandatory and verified parameter in the authentication and key agreement process. This was motivated by the 5G design principle of providing stronger security than previous generations, especially for new threat vectors introduced by network slicing, service-based architecture, and increased reliance on untrusted access networks.
Detected Changes Across Releases
From 3GPP Change Requests: specific changes extracted from the "Change history" tables of 3GPP specifications (67 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.
In Release 15, the ABBA (Anti-Bidding down Between Architectures) function was newly introduced as part of the 5G primary authentication procedure, specifically for both the 5G-AKA and EAP-AKA' based methods. This addition included the definition and specification of values for the ABBA parameter, which is used within the NAS security context to prevent security bidding-down attacks during authentication. The parameter's handling was clarified in relation to the key set identifier (ngKSI) to ensure robust security during interworking scenarios between different access networks.
- Interworking between ePDG/EPC and NG-RAN/5GCN (TS 24.501, CR0174)
- Interworking between E-UTRAN/EPC and N3IWF/5GCN (TS 24.501, CR0176)
- Clarifications to: Protection at the network or transport layer, Authorization and authentication between network functions and the NRF (TS 33.501, CR0147)
- Addition of ABBA in 5G based primary authentication procedure (TS 24.501, CR0036)
- Clarify abnormal cases in the UE for independency of 5GMM procedures between accesses (TS 24.501, CR0200)
- Differences between NAS over 3GPP access and NAS over non-3GPP access (TS 24.501, CR0210)
In Release 16, the ABBA function was enhanced to handle the ABBA parameter with a non-zero value and a length of more than two octets. This change improved the security context handling between the UE and the AMF by allowing for more complex anti-bidding-down protections. The update ensured integrity protection for NAS messages could be maintained against more sophisticated bidding-down attacks.
- CIoT capability negotiation between UE and network (TS 24.501, CR0987)
- Authentication and authorization between SeCoP and network functions (TS 33.501, CR0693)
- Authentication and authorization between SeCoPs (TS 33.501, CR0694)
- TLS between NF and SEPP based on custom HTTP header (TS 33.501, CR0696)
- Coordination between GMM and 5GMM (TS 24.501, CR1027)
- Interaction between active time for MICO mode and eDRX (TS 24.501, CR1129)
In Release 17, the ABBA function was enhanced with specific procedures to handle collisions between UE-initiated deregistration and UUAA-MM procedures, as well as between UE-requested PDU session release and UUAA-SM procedures. It also clarified the coordination between 5GMM and EMM states to prevent bidding down. Furthermore, it introduced mechanisms for handling collisions between UE-requested 5GSM procedures and the release of the N1 NAS signalling connection.
- Collision between UUAA-MM and UE initiated deregistration (TS 24.501, CR3789)
- Collision between UUAA-SM and UE requested PDU session release (TS 24.501, CR3790)
- Handling of collisions between UE-requested 5GSM procedures and N1 NAS signalling connection release (TS 24.501, CR2961)
- Delete the PCO parameters after handover between 3GPP and non-3GPP access (TS 24.501, CR3737)
- Collision between UCU and SR (TS 24.501, CR3937)
- Correcting the terminology of the signalling between the UE and the SMF (TS 24.501, CR4079)
In Release 18, the ABBA function was enhanced to prevent security downgrades by explicitly defining the coordination between 5GMM and EMM states in single registration mode. This ensures a consistent security context is maintained during mobility events, such as intersystem changes between 5GS and EPS. Furthermore, procedures were specified to handle collisions between 5GMM common procedures and the deregistration procedure, securing the integrity of the NAS signalling connection.
- Use of NF Instance ID in the mutual authentication between the NF Consumer and NRF (TS 33.501, CR1761)
- Clarification of interworking between N1 mode over non-3GPP access and ePDG (TS 24.501, CR4551)
- Abnormal cases for the SMC initiated for context synchronization between 3GPP access and non-3GPP access (TS 24.501, CR4304)
- EAP-TTLS used between the UE and the DCS (TS 24.501, CR4717)
- Interaction between a 5GSM entity and upper layers for URSP handling (TS 24.501, CR5355)
- Coordination between 5GMM and EMM states in single registration mode (TS 24.501, CR5398)
In Release 19, the ABBA function was enhanced with clarifications on the association between a QoS flow and its mapped EPS bearer context to ensure consistent anti-bidding down behavior during inter-system mobility. Furthermore, the release specified UE handling procedures for resolving collisions between registration and de-registration events, improving the robustness of architecture transitions. These updates provided more precise operational rules for maintaining service continuity and security context integrity when moving between 4G and 5G core networks.
Defining Specifications
3GPP specifications that define or reference ABBA, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 24.501 vj50 | 5G NAS Protocols Specification | Rel-19 |
| TS 33.501 vk00 | 5G Security Architecture and Procedures | Rel-20 |
| TS 33.835 vg10 | Study on authentication and key management for apps | Rel-16 |