AKA

Authentication and Key Agreement

Security
Introduced in Rel-6
AKA is a fundamental security protocol used in 3GPP networks for mutual authentication between a user's device (UE) and the network, and for establishing session keys. It ensures that only authorized users access the network and that their communications are encrypted and integrity-protected. It is the cornerstone of security for 3G, 4G, and 5G systems.

Description

The Authentication and Key Agreement (AKA) protocol is a challenge-response mechanism that provides mutual authentication and cryptographic key derivation in 3GPP networks. It operates between the User Equipment (UE) and the network's Authentication Centre (AuC), which resides within the Home Subscriber Server (HSS) in 4G/5G or the Home Location Register (HLR) in 3G. The core of AKA is a shared secret key (K), which is securely stored in both the UE's Universal Subscriber Identity Module (USIM) and the AuC. This long-term key is never transmitted over the air.

The protocol execution begins when the serving network requests authentication vectors from the HSS/AuC. The AuC generates one or more authentication vectors using the subscriber's key K and a sequence number (SQN). Each vector contains a random challenge (RAND), an expected response (XRES), a cipher key (CK), an integrity key (IK), and an authentication token (AUTN). The AUTN itself contains the SQN and a Message Authentication Code (MAC), which allows the UE to verify the network's authenticity. The serving network (e.g., via the MME in 4G or AMF in 5G) sends the RAND and AUTN to the UE.

Upon receipt, the USIM in the UE uses its stored key K and the received RAND to compute its own version of the expected response (RES), cipher key (CK), integrity key (IK), and the MAC. It first verifies the AUTN by checking the MAC to ensure the challenge originated from a genuine network and by checking the SQN to ensure it is fresh and not a replay of an old authentication. If successful, the UE sends the RES back to the network. The network compares the received RES with the XRES; a match completes mutual authentication. The derived CK and IK are then used by the UE and the network's access stratum to enable confidentiality and integrity protection for all subsequent signaling and user data traffic.
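The exchange described in the two paragraphs above, run end to end as an added example (this is illustration code, not 3GPP's own). The genuine f1..f5 functions are MILENAGE (AES-based, TS 35.205/35.206); here each one is stood in by a labelled HMAC-SHA-256 so the protocol flow, the AUTN layout (SQN xor AK || AMF || MAC), the MAC check and the SQN freshness check can be followed without an AES implementation. The key K, AMF value and SQN handling below are constructed for the example; a real USIM keeps a window of acceptable SQNs rather than a single high-water mark.

```python
"""AKA challenge-response walkthrough (added example, not 3GPP code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

SQN_LEN, MAC_LEN, RES_LEN, AK_LEN = 6, 8, 8, 6   # field sizes as in TS 33.102
AMF = bytes.fromhex("8000")                      # authentication management field (constructed)


def _f(k: bytes, label: bytes, *parts: bytes, n: int) -> bytes:
    """Stand-in for a MILENAGE f-function: HMAC-SHA-256(K, label || parts), truncated to n bytes."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()[:n]


def f1(k, rand, sqn, amf): return _f(k, b"f1", rand, sqn, amf, n=MAC_LEN)  # MAC-A
def f2(k, rand):           return _f(k, b"f2", rand, n=RES_LEN)            # RES / XRES
def f3(k, rand):           return _f(k, b"f3", rand, n=16)                 # CK
def f4(k, rand):           return _f(k, b"f4", rand, n=16)                 # IK
def f5(k, rand):           return _f(k, b"f5", rand, n=AK_LEN)             # AK, masks SQN on the air


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class AuthVector:
    rand: bytes
    xres: bytes
    ck: bytes
    ik: bytes
    autn: bytes   # (SQN xor AK) || AMF || MAC


class AuC:
    """Home network side: holds K and the per-subscriber sequence number."""

    def __init__(self, k: bytes, sqn: int = 0):
        self.k, self.sqn = k, sqn

    def generate_av(self, rand: Optional[bytes] = None) -> AuthVector:
        self.sqn += 1                                   # fresh SQN for every vector
        sqn = self.sqn.to_bytes(SQN_LEN, "big")
        rand = rand or os.urandom(16)
        autn = xor(sqn, f5(self.k, rand)) + AMF + f1(self.k, rand, sqn, AMF)
        return AuthVector(rand, f2(self.k, rand), f3(self.k, rand), f4(self.k, rand), autn)


class USIM:
    """UE side: holds the same K and the highest SQN it has accepted so far."""

    def __init__(self, k: bytes):
        self.k, self.sqn_ms = k, 0

    def authenticate(self, rand: bytes, autn: bytes) -> Tuple[bytes, bytes, bytes]:
        """Return (RES, CK, IK), or raise ValueError on MAC or SQN failure."""
        sqn_ak, amf, mac = autn[:SQN_LEN], autn[SQN_LEN:SQN_LEN + 2], autn[SQN_LEN + 2:]
        sqn = xor(sqn_ak, f5(self.k, rand))             # unmask SQN with the anonymity key
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            raise ValueError("MAC failure: challenge did not come from the home network")
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.sqn_ms:                      # replayed or stale vector
            raise ValueError("synchronisation failure: SQN is not fresh")
        self.sqn_ms = sqn_int
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


def run_aka(auc: AuC, usim: USIM, av: Optional[AuthVector] = None) -> bool:
    """Serving network role: forward RAND/AUTN to the UE and compare RES with XRES.

    The CK/IK comparison is for the example only; a real serving network never
    sees the UE's keys and relies on RES == XRES alone.
    """
    av = av or auc.generate_av()
    try:
        res, ck, ik = usim.authenticate(av.rand, av.autn)
    except ValueError:
        return False
    return hmac.compare_digest(res, av.xres) and (ck, ik) == (av.ck, av.ik)


if __name__ == "__main__":
    K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")   # constructed subscriber key
    auc, usim = AuC(K), USIM(K)
    av = auc.generate_av()
    print("fresh vector accepted:", run_aka(auc, usim, av))
    print("replayed vector rejected:", not run_aka(auc, usim, av))
    print("wrong K rejected:", not run_aka(auc, USIM(bytes(16)), auc.generate_av()))
```

Two of the defender-relevant behaviours are visible in the output: a vector presented twice fails the SQN check (replay protection), and a USIM holding a different K fails the MAC check before it ever computes RES, so an impersonating network learns nothing from the attempt.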

AKA's design is robust, providing key separation: different keys are derived for different purposes (ciphering, integrity) and for different network domains (access stratum, non-access stratum). It also supports synchronization mechanisms to handle cases where the sequence numbers in the UE and AuC become mismatched. In 5G, AKA was enhanced to 5G AKA, which includes improved home network control, the derivation of an anchor key (KAUSF) for a better key hierarchy, and the inclusion of the serving network name in key derivation to bind keys to a specific network, mitigating certain attack vectors. The protocol's execution is transparent to the user but is triggered during initial network attachment, handovers between different core network types, or periodically for re-authentication.
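The key separation and serving-network binding described above, as an added example (not 3GPP's own code). The 3GPP KDF is HMAC-SHA-256 over an FC byte followed by length-prefixed parameters (TS 33.220 Annex B), and 5G AKA feeds the serving network name into the KAUSF derivation (TS 33.501). The FC values, the parameter layout for each derivation and the purpose labels used here are constructed for illustration; only the structure of the KDF and the binding property it demonstrates are the point.

```python
"""Purpose-separated and serving-network-bound key derivation (added example, not 3GPP code)."""
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..., the TS 33.220 Annex B layout."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def anchor_key(ck: bytes, ik: bytes, serving_network_name: str, sqn_xor_ak: bytes) -> bytes:
    """KAUSF-style anchor: bound to the serving network by including its name (FC constructed)."""
    return kdf(ck + ik, 0x6A, serving_network_name.encode(), sqn_xor_ak)


def purpose_key(anchor: bytes, purpose: str, algorithm_id: int) -> bytes:
    """Separate 128-bit keys per purpose/domain (e.g. NAS-enc, NAS-int, AS-enc); FC constructed."""
    return kdf(anchor, 0x69, purpose.encode(), bytes([algorithm_id]))[:16]


def derive_context(ck: bytes, ik: bytes, snn: str, sqn_xor_ak: bytes) -> dict:
    """Build the per-context key set a UE and network would share after one AKA run."""
    k_anchor = anchor_key(ck, ik, snn, sqn_xor_ak)
    return {
        "anchor": k_anchor,
        "nas_enc": purpose_key(k_anchor, "NAS-enc", 1),
        "nas_int": purpose_key(k_anchor, "NAS-int", 1),
        "as_enc": purpose_key(k_anchor, "AS-enc", 1),
        "as_int": purpose_key(k_anchor, "AS-int", 1),
    }


if __name__ == "__main__":
    CK, IK = bytes(range(16)), bytes(range(16, 32))          # constructed AKA outputs
    SQN_AK = bytes.fromhex("000000000001")                   # constructed SQN xor AK
    home = derive_context(CK, IK, "5G:mnc001.mcc001.3gppnetwork.org", SQN_AK)
    other = derive_context(CK, IK, "5G:mnc002.mcc001.3gppnetwork.org", SQN_AK)
    print("anchor differs per serving network:", home["anchor"] != other["anchor"])
    print("ciphering and integrity keys differ:", home["nas_enc"] != home["nas_int"])
    print("NAS and AS keys differ:", home["nas_enc"] != home["as_enc"])
```

Because the serving network name is an input to the anchor key, a key set issued for one network is useless to another network that obtains the same CK/IK; because purpose and domain labels are inputs to each leaf key, compromise of one context's key does not expose the others.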

Purpose & Motivation

AKA was created to address critical security shortcomings in predecessor cellular systems, most notably the weak and one-way authentication in GSM. In GSM, only the network authenticated the user, leaving it vulnerable to fake base station (IMSI catcher) attacks. Furthermore, GSM's encryption algorithms and key lengths were eventually found to be cryptographically weak. The primary purpose of AKA, introduced with 3G (UMTS), was to establish strong, mutual authentication and to generate robust, session-specific cryptographic keys to ensure both confidentiality and integrity of communications.

The protocol solves the problem of securely bootstrapping a trusted session in a hostile radio environment. It ensures that a user is connecting to a legitimate, authorized network and not a malicious impersonator, while simultaneously proving to the network that the user is a valid subscriber. This mutual trust is foundational for all other security services. By deriving fresh, ephemeral cipher and integrity keys (CK/IK) from a long-term secret for every authentication instance, AKA limits the impact of a potential key compromise and provides forward secrecy for user data within a session.

Historically, the development of AKA was motivated by the need for a standardized, future-proof security foundation that could evolve with network generations. Its design incorporated lessons from GSM and fixed-line authentication protocols. The use of a sequence number (SQN) mechanism, while introducing complexity for synchronization, was a deliberate choice to provide replay protection and enable the home network to maintain state. AKA's purpose has expanded from 3G to form the bedrock of the 3GPP security architecture, being adapted and enhanced in each subsequent generation (EPS-AKA for 4G, 5G AKA for 5G) to address new threats like linkability of subscribers and to support new architectural paradigms like network slicing and separation of the control and user planes.

Key Features

  • Provides mutual authentication between UE and network
  • Derives session-specific cipher (CK) and integrity (IK) keys from a long-term shared secret
  • Employs a sequence number (SQN) for replay protection and synchronization
  • Enables cryptographic separation of keys for different security contexts and network domains
  • Supports the generation of multiple authentication vectors for efficient batch processing
  • Forms the security foundation for 3G (UMTS), 4G (EPS), and 5G systems

Evolution Across Releases

Rel-6 Initial

Introduced the standardized Authentication and Key Agreement (AKA) protocol for 3G (UMTS) networks as defined in TS 33.102. It established the core challenge-response mechanism using a shared secret (K), random challenge (RAND), and sequence number (SQN) to perform mutual authentication and derive the cipher key (CK) and integrity key (IK). This initial architecture provided the fundamental security framework for IMS and early interworking scenarios.

Defining Specifications

Specification   Title
TS 21.905       3GPP TS 21.905
TS 23.234       3GPP TS 23.234
TS 23.758       3GPP TS 23.758
TS 23.804       3GPP TS 23.804
TS 24.109       3GPP TS 24.109
TS 24.234       3GPP TS 24.234
TS 24.301       3GPP TS 24.301
TS 24.302       3GPP TS 24.302
TS 24.501       3GPP TS 24.501
TS 24.890       3GPP TS 24.890
TS 29.109       3GPP TS 29.109
TS 29.826       3GPP TS 29.826
TS 31.103       3GPP TR 31.103
TS 31.900       3GPP TR 31.900
TS 32.181       3GPP TR 32.181
TS 32.808       3GPP TR 32.808
TS 33.102       3GPP TR 33.102
TS 33.127       3GPP TR 33.127
TS 33.141       3GPP TR 33.141
TS 33.203       3GPP TR 33.203
TS 33.220       3GPP TR 33.220
TS 33.221       3GPP TR 33.221
TS 33.234       3GPP TR 33.234
TS 33.320       3GPP TR 33.320
TS 33.401       3GPP TR 33.401
TS 33.402       3GPP TR 33.402
TS 33.501       3GPP TR 33.501
TS 33.514       3GPP TR 33.514
TS 33.545       3GPP TR 33.545
TS 33.804       3GPP TR 33.804
TS 33.820       3GPP TR 33.820
TS 33.835       3GPP TR 33.835
TS 33.841       3GPP TR 33.841
TS 33.843       3GPP TR 33.843
TS 33.859       3GPP TR 33.859
TS 33.863       3GPP TR 33.863
TS 33.919       3GPP TR 33.919
TS 33.924       3GPP TR 33.924
TS 34.229       3GPP TR 34.229
TS 35.235       3GPP TR 35.235
TS 35.236       3GPP TR 35.236
TS 35.249       3GPP TR 35.249
TS 35.937       3GPP TR 35.937
TS 38.300       3GPP TR 38.300
TS 43.318       3GPP TR 43.318
TS 43.902       3GPP TR 43.902
TS 44.318       3GPP TR 44.318