Description
Authentication and Authorization for Constrained Environments (ACE) is a security framework standardized by 3GPP to address the unique challenges of securing devices with limited computational resources, such as those in massive Machine-Type Communication (mMTC) and Internet of Things (IoT) scenarios. It provides a standardized method for these constrained devices to authenticate themselves to the network and obtain authorization to access specific services or resources. The framework is designed to be lightweight, minimizing the signaling overhead and processing requirements to conserve battery life and reduce complexity in low-cost devices.
Architecturally, ACE operates within the 3GPP security architecture, often interfacing with core network functions like the Authentication Server Function (AUSF) and the Network Exposure Function (NEF). It defines protocols and procedures for bootstrapping security contexts and managing authorization tokens. A key component is the use of efficient cryptographic suites and token-based authorization mechanisms, such as those based on the OAuth 2.0 framework adapted for constrained environments (like ACE-OAuth). This allows a device to present a compact, verifiable token to a resource server (e.g., an application server) to prove it is authorized for a specific action, without needing to perform complex authentication during every transaction.
The flow involves several steps. First, the constrained device (the client) and the network establish an initial security association, which may leverage credentials pre-provisioned on the device or derived from a subscription. The device then requests an access token from an authorization server within the 3GPP ecosystem. This token is bound to specific permissions (scopes) and is cryptographically protected. The device presents this token when accessing a protected resource. The resource server validates the token's integrity and the client's permissions before granting access. This token-based flow reduces the need for the constrained device to store complex session state or to perform heavy cryptographic operations repeatedly.
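A worked model of the token flow described above, added here as an illustration and not taken from any 3GPP or IETF specification: the authorization server mints a compact token bound to a subject, an audience, a scope list and an expiry, and the resource server checks integrity, audience and expiry before matching the requested action against the scope. It assumes a symmetric key shared between the authorization server and the resource server, uses JSON plus an HMAC-SHA256 tag as a stand-in for the CBOR/COSE encoding real ACE-OAuth tokens use, and adopts a constructed `action:resource` scope convention; all names and values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed pre-shared key between authorization server (AS) and resource server (RS).
AS_RS_KEY = b"constructed-as-rs-shared-key"


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(text: bytes) -> bytes:
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))


def issue_token(key, client_id, audience, scope, ttl, now=None):
    """AS side: mint a compact token bound to subject, audience, scope and expiry."""
    now = int(time.time() if now is None else now)
    claims = {"sub": client_id, "aud": audience, "scope": scope, "iat": now, "exp": now + ttl}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()  # integrity tag over the claims
    return _b64e(body) + b"." + _b64e(tag)


def verify_token(key, token, audience, now=None):
    """RS side: return the claims if tag, audience and expiry all check out, else None."""
    try:
        body_b64, tag_b64 = token.split(b".")
        body, tag = _b64d(body_b64), _b64d(tag_b64)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    claims = json.loads(body)
    now = int(time.time() if now is None else now)
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize_request(key, token, audience, action, resource, now=None):
    """RS side: grant only if the token is valid and its scope lists action:resource."""
    claims = verify_token(key, token, audience, now)
    if claims is None:
        return False
    return f"{action}:{resource}" in claims.get("scope", "").split()
```

The splice check in the test below (claims from one token paired with the tag of another) is the case a resource server must reject: a token's scope is only trustworthy because the tag covers it.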
ACE's role in the network is to enable scalable and secure service access for billions of IoT devices. It integrates with 3GPP's primary authentication and key agreement procedures but adds a layer optimized for authorization in service-layer communications. By decoupling authentication (proving identity) from authorization (granting permissions), it allows for flexible policy enforcement. It is particularly important for enabling secure communication from IoT devices to application servers hosted outside the operator's immediate trust domain, facilitating vertical industry applications.
Purpose & Motivation
ACE was created to solve the security challenges inherent in connecting vast numbers of resource-constrained IoT devices to 3GPP networks. Traditional 3GPP authentication and key agreement procedures, while robust for smartphones, are often too heavy for simple sensors or actuators with limited battery, memory, and processing power. The signaling overhead and computational cost of full AKA procedures could drain device batteries quickly and increase network load, making massive IoT deployments economically and technically unfeasible without optimization.
The historical context is 3GPP's focus on Cellular IoT (CIoT) starting in Release 13, with technologies like NB-IoT and LTE-M. These radio technologies were optimized for low power and wide-area coverage, but a corresponding optimization was needed at the security and service layer. Previous approaches either applied the full UE security model, which was inefficient, or relied on non-standardized, proprietary security solutions that hindered interoperability and scalability across different device vendors and network operators.
Therefore, ACE was introduced to provide a standardized, lightweight framework for authentication and authorization tailored to constrained environments. It solves the problem of enabling strong security without imposing prohibitive resource costs on the device. This allows network operators and vertical industries to deploy secure, scalable IoT solutions with confidence, knowing that device authentication and service authorization are handled efficiently and in accordance with 3GPP standards.
Detected Changes Across Releases from 3GPP Change Requests
Specific changes extracted from the "Change history" tables of 3GPP specifications (3 CRs across 2 releases). Complements the general historical overview above with the evidence-based evolution of this function.
Studied in Rel-8, normative work from Rel-16.
In Release 16, the ACE (Authentication and Authorization for Constrained Environments) function was introduced to enable application-controlled extensions for ProSe direct discovery. This is specifically indicated by a new "ACE Enabled Indicator" parameter within discovery request messages, which when set, allows the ProSe Function to authorize a UE for using these extensions and to obtain related suffix information from the ProSe Application Server. The update also involved modifications to both the User Authentication Client (SIM-C) and User Authentication Server (SIM-S) procedures to support this new functionality.
In Release 17, the new Authentication and Authorization for Constrained Environments (ACE) function introduced an "ACE Enabled Indicator" parameter within PC5 signalling messages to explicitly enable application-controlled extension for ProSe direct discovery. This allows a ProSe Function to check a UE's authorization for ACE and, if authorized, to obtain specific suffix-related information or masks from a ProSe Application Server. The release also defined specific rejection cause behavior for UEs from previous releases that do not include this new indicator when requesting an application that uses these extensions.
- Addition of CoAP user authentication procedure (TS 24.547, CR0010)
Defining Specifications
3GPP specifications that define or reference ACE, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 24.334 vj00 | ProSe Protocols and Procedures | Rel-19 |
| TS 24.547 vj00 | SEAL Identity Management Protocol | Rel-19 |
| TS 29.343 vj00 | PC2 Reference Point Stage 3 Specification | Rel-19 |
| TS 32.808 v1800 | Common User Profile Storage Framework | Rel-8 |