AKMA

Authentication and Key Management for Applications

Security
Introduced in Rel-16
AKMA is a 3GPP security framework that enables application functions (AFs) to securely authenticate and establish keys with UEs without the AF having to run its own authentication of the UE. It leverages the 3GPP primary authentication, allowing AFs to reuse the UE's network credentials for secure application-level communication, reducing signaling overhead and enhancing security.

Description

AKMA (Authentication and Key Management for Applications) is a standardized security architecture within 3GPP that provides a mechanism for application functions (AFs) to securely authenticate user equipment (UE) and establish cryptographic keys for securing application-layer communication. It operates by reusing the credentials and authentication procedures from the 3GPP primary authentication (e.g., 5G-AKA or EAP-AKA'), thereby avoiding the need for separate, application-specific authentication protocols. The core idea is to derive application-specific keys from the key material established during the UE's primary authentication at initial network attachment, enabling efficient and secure bootstrapping for a wide range of services.

The architecture involves several key functional entities: the AKMA Anchor Function (AAnF), the Network Exposure Function (NEF), and the Application Function (AF). The AAnF, typically co-located with the Authentication Server Function (AUSF) in the home network, is the central component. It generates and manages the AKMA Application Key (K_AF) for a specific UE and AF pair. The K_AF is derived from the anchor key (K_AKMA), which itself is derived from the primary authentication key (e.g., K_AUSF). The NEF acts as a secure intermediary, allowing the AF (which may be located in a third-party domain) to request the K_AF from the AAnF without direct access to core network functions.

The procedure begins when a UE successfully completes 3GPP primary authentication. The AUSF generates the K_AKMA and provides it to the AAnF. The UE can independently derive the same K_AKMA. When the UE wants to access a service from an AF, it provides an AKMA Application Key Identifier (A-KID) to the AF. The AF, via the NEF, uses this A-KID to request the corresponding K_AF from the AAnF. The AAnF generates the K_AF specific to that UE and AF pair and provides it to the AF. Subsequently, both the UE (which can derive the same K_AF) and the AF possess a shared secret key for securing their communication, which supports mutual authentication and the establishment of further application-layer security contexts (e.g., TLS-PSK).
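The key hierarchy and exchange described above, as an added illustration that is not code from 3GPP or any product: K_AUSF → K_AKMA → K_AF, an A-KID that the UE hands to the AF, an AAnF that keeps K_AKMA and only ever releases an AF-bound K_AF, and a NEF that refuses requests from an AF not authorized for the requested AF_ID. The KDF follows the shape of the generic 3GPP KDF (HMAC-SHA-256 over FC and length-prefixed parameters), but the FC values, labels, the A-KID layout and all class names are assumptions for this example.

```python
import hashlib
import hmac

# Added example, not 3GPP code; KDF shape per the generic 3GPP KDF, FC values assumed.
def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_k_akma(k_ausf: bytes, supi: str) -> bytes:
    return kdf(k_ausf, 0x80, b"AKMA", supi.encode())
def derive_a_tid(k_ausf: bytes, supi: str) -> bytes:
    # temporary identifier: the key-selecting part of the A-KID
    return kdf(k_ausf, 0x81, b"A-TID", supi.encode())
def derive_k_af(k_akma: bytes, af_id: str) -> bytes:
    # K_AF is bound to the AF identity, so each AF gets a distinct key
    return kdf(k_akma, 0x82, af_id.encode())

def make_a_kid(a_tid: bytes, realm: str) -> str:
    return a_tid.hex() + "@" + realm  # simplified NAI-style form (assumed)

class AAnF:
    """Home-network anchor: keeps K_AKMA per A-KID and never releases it."""
    def __init__(self):
        self.ctx = {}  # A-KID -> (SUPI, K_AKMA)
    def register(self, a_kid, supi, k_akma):
        self.ctx[a_kid] = (supi, k_akma)
    def get_k_af(self, a_kid, af_id):
        if a_kid not in self.ctx:
            raise KeyError("unknown A-KID")  # no context, no key
        return derive_k_af(self.ctx[a_kid][1], af_id)

class NEF:
    """Exposure gateway: only an AF authorized for af_id may fetch that K_AF."""
    def __init__(self, aanf, allowed):
        self.aanf, self.allowed = aanf, allowed  # allowed: AF name -> AF_IDs
    def get_k_af(self, af_name, a_kid, af_id):
        if af_id not in self.allowed.get(af_name, set()):
            raise PermissionError(f"{af_name} not authorized for {af_id}")
        return self.aanf.get_k_af(a_kid, af_id)

def akma_bootstrap(k_ausf, supi, realm, af_name, af_id, nef):
    """One service access: returns (K_AF derived by UE, K_AF fetched by AF)."""
    k_akma = derive_k_akma(k_ausf, supi)   # AUSF side, after primary auth
    a_kid = make_a_kid(derive_a_tid(k_ausf, supi), realm)
    nef.aanf.register(a_kid, supi, k_akma)  # AUSF pushes K_AKMA to AAnF
    ue_k_af = derive_k_af(k_akma, af_id)    # UE derives the same K_AF locally
    af_k_af = nef.get_k_af(af_name, a_kid, af_id)  # AF requests via NEF
    return ue_k_af, af_k_af
```

The two negative paths (unknown A-KID, AF asking for another AF's key) are the checks a deployment must keep: the AAnF holds no K_AKMA for an unauthenticated UE, and the NEF is the point at which AF authorization is enforced.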

AKMA's role is to decouple application security from network access security, providing a scalable and standardized method for service providers to offer secure services. It is particularly valuable for services that require persistent secure sessions or frequent re-authentication, as it avoids repeated full network authentication procedures. By leveraging the robust security of the 3GPP ecosystem, AKMA enhances trust in third-party applications and enables new business models for network operators and application providers.

Purpose & Motivation

AKMA was created to address the growing need for secure, efficient authentication and key management for application-layer services in mobile networks. Prior to AKMA, application functions often had to implement their own authentication mechanisms, such as username/password, OAuth, or custom certificate-based methods. These approaches introduced several problems: they created a fragmented security landscape, increased complexity for users (multiple credentials), incurred significant signaling overhead (separate authentication runs), and did not inherently leverage the strong, subscriber-based authentication already performed by the mobile network.

The historical context is the evolution towards service-based architectures in 5G and the proliferation of IoT and edge computing applications. These services require lightweight, yet secure, methods to authenticate devices and establish keys without burdening the core network with redundant authentication traffic. AKMA solves this by reusing the trust established during the initial 3GPP access authentication. It allows Application Functions, whether operated by the network operator or a trusted third party, to securely obtain keys derived from that initial authentication, ensuring end-to-end security based on the subscriber's identity and the network's security credentials.

This approach addresses limitations of previous methods by providing a standardized, network-operator-anchored security framework. It reduces latency for service access, minimizes signaling load, enhances user experience through seamless authentication (single sign-on concept for network services), and provides a consistent security baseline across diverse applications. It is a key enabler for secure network exposure and monetization of network capabilities through APIs.

Key Features

  • Reuses 3GPP primary authentication credentials for application security
  • Derives application-specific keys (K_AF) from the network anchor key (K_AKMA)
  • Utilizes a central AKMA Anchor Function (AAnF) for key generation and management
  • Employs the Network Exposure Function (NEF) for secure key delivery to external AFs
  • Supports mutual authentication between UE and Application Function
  • Enables efficient key establishment without additional full authentication runs

Evolution Across Releases

Rel-16 Initial

Introduced the foundational AKMA architecture. Defined the core procedures for key derivation (K_AKMA, K_AF), the roles of AAnF, NEF, and AF, and the A-KID identifier. Specified the initial integration with the 5G core network service-based interface, enabling AFs to securely request keys for UEs authenticated via 5G-AKA or EAP-AKA'.

Enhanced AKMA with support for edge computing scenarios and service continuity. Introduced the AKMA Application Key for Edge (K_AF_e) for localized services at the edge. Defined procedures for AKMA re-authentication and key refresh to maintain security for long-lived sessions, improving robustness and lifecycle management.

Extended AKMA capabilities for integrated access and backhaul (IAB) nodes and further IoT optimizations. Worked on alignment with enhanced network slicing security and potential interactions with secondary authentication mechanisms, broadening the scope of applicable use cases and network deployments.

Further evolution focusing on enhanced security features, potential performance optimizations for massive IoT, and refinement of procedures based on implementation experience. Continued work on ensuring AKMA's applicability in converged and non-public network environments.

Ongoing development as part of the 5G-Advanced roadmap, exploring integration with new service paradigms, potential enhancements for post-quantum cryptography readiness, and further streamlining for cloud-native deployments and AI/ML-driven network operations.

Defining Specifications

Specification   Title
TS 23.501       3GPP TS 23.501
TS 24.109       3GPP TS 24.109
TS 24.501       3GPP TS 24.501
TS 24.554       3GPP TS 24.554
TS 29.503       3GPP TS 29.503
TS 29.522       3GPP TS 29.522
TS 29.535       3GPP TS 29.535
TS 33.127       3GPP TR 33.127
TS 33.503       3GPP TR 33.503
TS 33.533       3GPP TR 33.533
TS 33.535       3GPP TR 33.535
TS 33.700       3GPP TR 33.700
TS 33.739       3GPP TR 33.739
TS 33.741       3GPP TR 33.741
TS 33.749       3GPP TR 33.749
TS 33.835       3GPP TR 33.835