AK

Anonymity Key

Introduced in Rel-4 Also in: User Equipment

AK is a cryptographic key derived in 3GPP AKA from the subscriber key K and the network's challenge RAND. It conceals the sequence number SQN inside the authentication token AUTN, so that a passive eavesdropper cannot use that per-subscriber counter to recognise or track a subscriber across authentication runs.

Category
Security
Introduced
Rel-4
Where
Security
Also touches
1 segment
Specifications
12 specs

Description

The Anonymity Key (AK) is a cryptographic element of 3GPP's Authentication and Key Agreement (AKA) framework, defined in TS 33.102. It is generated by the Authentication Centre (AuC) or Home Subscriber Server (HSS) as part of the authentication vector (the quintet RAND, XRES, CK, IK, AUTN in 3G UMTS, and the corresponding EPS AKA and 5G AKA vectors in 4G/LTE and 5G) and is computed independently by the USIM. The AK is the output of the key-generating function f5, instantiated by the MILENAGE (TS 35.205/35.206) or TUAK algorithm sets, which takes the subscriber's permanent secret key K and the random challenge RAND as inputs; the companion function f5* produces the re-synchronisation key AK*. Because RAND is fresh for every authentication, the AK is unique to each authentication instance.

In operation, the AK conceals the sequence number SQN in the authentication token sent over the air. The AuC/HSS builds AUTN = (SQN ⊕ AK) || AMF || MAC, where MAC = f1_K(SQN || RAND || AMF), and sends RAND and AUTN to the UE. The USIM computes AK = f5_K(RAND), recovers SQN by XORing AK out of the first 48 bits of AUTN, verifies the MAC and checks that SQN is in the acceptable range. If the counters have drifted apart, the USIM answers with the re-synchronisation token AUTS = (SQN_MS ⊕ AK*) || MAC-S, where AK* = f5*_K(RAND) conceals the USIM's own counter in the same way. The AK does not encrypt the permanent identity: in UMTS and LTE the IMSI is still sent in cleartext when the network requests it, and in 5G the SUPI is concealed as a SUCI by public-key encryption under the home network key, a mechanism separate from the AK. TS 33.102 makes the use of AK optional; where it is not used, f5 is set to produce all zeros and SQN travels unmasked.

The AK's role is distinct from the Cipher Key (CK) and Integrity Key (IK) produced by f3 and f4, which protect user data and signalling; the AK only masks SQN and contributes nothing to the session key hierarchy. Its strength relies on the unpredictability of RAND, the secrecy of the root key K, and the requirement (TS 33.105) that f5 be independent of f2, f3 and f4, so that an observed SQN ⊕ AK reveals nothing about RES, CK or IK. TS 33.102 notes that the concealment of SQN protects against passive attacks only. In 5G the same AUTN construction is carried in the 5G AKA and EAP-AKA' authentication vectors, while the key hierarchy is extended above CK/IK with the anchor key K_AUSF, and the separate SUPI/SUCI mechanism protects the permanent identity.

The AK matters because SQN is a per-subscriber counter: if it were sent in the clear in every AUTN, a passive observer could link successive authentication runs to the same subscriber and follow their movements even without ever seeing the IMSI. Masking the counter with a fresh, RAND-dependent key removes that linkable value from the air interface, which is why the AK has remained part of the AUTN format across UMTS, EPS and the 5G System.

Purpose & Motivation

The Anonymity Key was introduced with the 3G UMTS security architecture to remove a tracking handle that the AKA protocol itself would otherwise create. AKA detects replayed challenges with a sequence number kept in step between the home network and the USIM; that counter belongs to one subscriber and advances predictably, so sending it in the clear in every AUTN would let a passive eavesdropper recognise the same subscriber across authentications. TS 33.102 gives exactly this motivation: the sequence number is concealed because it may expose the identity and location of the user. The cleartext IMSI that 2G GSM transmitted during registration or after failures is a different weakness; the AK does not address it, and UMTS and LTE still send the IMSI in the clear when the network requests it.

The problem the AK addresses is linkability of authentication runs. Without it, an adversary collecting AUTN values on the air interface could correlate them through the SQN field and, combined with the temporary identities in use at the same time and place, profile a subscriber's presence and movements. The AK breaks this link by masking SQN with a key derived from a fresh RAND, so two AUTNs for the same subscriber share no recognisable value. This supports the subscriber-confidentiality requirements of telecommunications standards and of data-protection regulation such as the GDPR, with the caveat, stated in TS 33.102, that the concealment protects against passive attacks only.

The AK also keeps the sequence-number mechanism operationally robust. Networks can freely allocate and reallocate temporary identities (TMSI, 5G-GUTI) for routing and paging, and when the USIM and the home network fall out of step (for example after a batch of authentication vectors is lost) the USIM reports its own counter SQN_MS in the re-synchronisation token AUTS, concealed with AK* = f5*_K(RAND), so that even the recovery message leaks no counter value. The AK thus balances replay protection, which needs a counter, against subscriber privacy, which needs that counter hidden; this is why it has persisted from 3G UMTS through every subsequent release up to 5G.

Classification

Part of: AKA
Related approaches: IMSI, TMSI, 5G-GUTI

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (4 CRs across 2 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-4, normative work from Rel-16.

Rel-16 (2 changes)

In Release 16, the USIM specification (TS 31.102) added a dedicated AID for USIM applications that use non-IMSI based SUPI types, alongside a clarification of whether an IMSI or an NSI is used as the subscription identifier. These CRs concern the identifier the USIM presents and the application under which it runs, not the f5 computation itself; they touch the AK only in that the same USIM application computes it.

  • Either IMSI or NSI - Report of SA3 S3-194455 Tdocs recommendation (in Rel16) TS 31.102 CR0884
  • Dedicated AID for USIM Applications with non-IMSI based SUPI Types TS 31.102 CR0897
Rel-17 (2 changes)

In Release 17, TS 33.102 was changed to use MAC-S as a freshness parameter in the calculation of the anonymity key. MAC-S is the value computed by f1* for re-synchronisation, so this change concerns the key that conceals SQN_MS in the AUTS token, making that concealment depend on more than RAND alone. Separately, the explicit reference to the IMSI in clause 5.2.33 of TS 31.102 was removed.

  • Using MACS as a freshness parameter in the calculation of AK TS 33.102 CR0282
  • Removal of IMSI in clause 5.2.33 TS 31.102 CR0924


Defining Specifications

3GPP specifications that define or reference AK, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

Specification   Title   Release
TR 21.905 vj00 3GPP Technical Terms and Definitions Rel-19
TS 29.109 vj00 GAA Bootstrapping Interfaces (Zh, Dz, Zn, Zpn) Rel-19
TS 31.102 vj40 USIM Application Specification Rel-19
TS 31.103 vj00 ISIM Application Specification Rel-19
TS 33.102 vj10 3G Security Architecture Specification Rel-19
TS 33.105 vj00 3G Security: Cryptographic Algorithm Requirements Rel-19
TS 33.220 vj00 Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA) Rel-19
TS 33.221 vj00 Subscriber Certificate Distribution via GBA Rel-19
TS 33.401 vj10 EPS Security Architecture Rel-19
TS 35.205 vj00 MILENAGE Algorithm Set: General Overview Rel-19
TR 35.909 vj00 3GPP MILENAGE Algorithm Design Report Rel-19
TR 35.934 vj00 Tuak algorithm set for 3GPP auth & key gen Rel-19