Description
Authenticated Encryption with Associated Data (AEAD) is a symmetric-key cryptographic operation that combines encryption and authentication into a single, secure mode. In 3GPP systems, it is specified as the primary mechanism for protecting user plane and control plane traffic, particularly within the 5G security architecture defined in TS 33.501. The core function takes four inputs: a secret key, a nonce (number used once), the plaintext message to be encrypted, and the Associated Data (AD) which requires authentication but not encryption. It produces two outputs: the ciphertext (encrypted version of the plaintext) and an authentication tag.
The algorithm works by processing both the plaintext and the associated data through a cryptographic construction that provides indistinguishability under chosen plaintext attacks (IND-CPA) for confidentiality and existential unforgeability under chosen message attacks (EUF-CMA) for integrity. The associated data, which can include packet headers, sequence numbers, or other metadata critical for protocol operation, is authenticated but transmitted in clear text. This allows intermediate network nodes (like gNBs or UPFs) to inspect necessary header information without compromising the security of the encrypted payload.
In 3GPP implementations, specific AEAD algorithms like AES-GCM (Galois/Counter Mode) and ChaCha20-Poly1305 are mandated. For 5G, the 128-bit AES-GCM is the primary algorithm for NAS and RRC signaling protection, as well as for user plane integrity protection when enabled. The nonce must be unique for each invocation with the same key, typically constructed from parameters like the COUNT value (for signaling) or the PDCP SN and bearer identity (for user plane). The authentication tag length is typically 16 bytes (128 bits) for AES-GCM, providing a high level of assurance against forgery attempts.
AEAD's role in the network is pervasive. It secures the N1 (UE-AMF) and N2 (RAN-AMF) interfaces for control plane signaling. For the user plane, it can provide both confidentiality and integrity protection (as per the 'integrity protected' indication) on the Uu (UE-gNB) and N3 (gNB-UPF) interfaces. Its efficiency—requiring only a single pass over the data for both encryption and authentication—reduces latency and computational overhead compared to using separate encryption and MAC algorithms, which is crucial for high-throughput 5G applications.
Purpose & Motivation
AEAD was introduced to address the limitations of previous 3GPP security mechanisms that often used separate, composition-based approaches for encryption and integrity. In 4G (EPS), confidentiality and integrity were provided by distinct algorithms (e.g., SNOW 3G or AES for encryption, and a separate MAC for integrity). This compositional approach, while secure if implemented correctly, is more complex, less efficient, and prone to implementation errors. The move to AEAD in 5G aligns with modern cryptographic best practices, simplifying protocol design and reducing the attack surface.
The primary motivation was to enhance security assurance and performance for 5G's diverse service requirements, including enhanced Mobile Broadband (eMBB), Ultra-Reliable Low-Latency Communications (URLLC), and massive IoT. AEAD algorithms are provably secure under standard assumptions, offering robust protection against both passive eavesdropping and active tampering. Their single-pass nature is critical for meeting the low-latency targets of URLLC services and for handling the high data rates of eMBB without introducing significant processing delays.
Furthermore, AEAD supports the authentication of associated data, which is essential for 3GPP protocols. Packet headers, sequence numbers, and QoS flow identifiers often need to be authenticated to prevent protocol-level attacks (like replay or reordering) but do not require encryption for network functionality. AEAD elegantly solves this by allowing this metadata to be included in the authentication calculation without being encrypted, enabling efficient network operation while maintaining a strong security guarantee.
Key Features
- Simultaneous confidentiality and integrity protection in a single cryptographic operation
- Authentication of associated data (AD) that remains in cleartext
- Use of provably secure algorithms like AES-GCM as specified in 3GPP
- Mandatory support for 128-bit AES-GCM across all 5G security profiles
- Unique nonce construction from protocol parameters (e.g., COUNT, PDCP SN) to prevent reuse
- Single-pass processing for low latency and high efficiency suitable for 5G throughput
Evolution Across Releases
Introduced AEAD as the foundational cryptographic mechanism for 5G security in TS 33.501. Mandated 128-bit AES-GCM as the primary algorithm for protecting NAS, RRC, and user plane traffic. Defined the security procedures for key derivation and the use of unique nonces constructed from protocol counters to ensure cryptographic security.
Enhanced support for integrity protection of the user plane, making its activation more explicit in signaling. Refined the cryptographic algorithm requirements for edge computing and non-3GPP access (e.g., Wireline access) scenarios, maintaining AEAD as the core security primitive.
Extended AEAD application to new service areas including 5G LAN-type services and enhanced support for UAV (Unmanned Aerial Vehicle) communications. Introduced considerations for lightweight cryptography in TS 33.938 for constrained IoT devices, evaluating potential AEAD alternatives while maintaining the security framework.
Further evolution for advanced 5G-Advanced features, including integrated access and backhaul (IAB) security. Continued work on performance optimizations and potential new AEAD algorithm profiles to support diverse deployment scenarios and future-proof against cryptographic advances.
Defining Specifications
| Specification | Title |
|---|---|
| TS 33.501 | 3GPP TR 33.501 |
| TS 33.938 | 3GPP TR 33.938 |