AKMA

Authentication and Key Management for Applications

Introduced in Rel-16. Also in: Core Network, Services.

AKMA is a 3GPP security framework that enables application functions to securely authenticate and establish keys with user equipment by reusing the credentials from the network's primary authentication.

Category: Security
Introduced: Rel-16
Where: Security
Also touches: 2 segments
Specifications: 16 specs

Description

AKMA (Authentication and Key Management for Applications) is a standardized security architecture within 3GPP that provides a mechanism for application functions (AFs) to securely authenticate user equipment (UE) and establish cryptographic keys for securing application-layer communication. It operates by reusing the credentials and authentication procedures from the 3GPP primary authentication (e.g., 5G-AKA or EAP-AKA'), thereby avoiding the need for separate, application-specific authentication protocols. The core idea is to derive application-specific keys from the long-term key material established during the UE's initial network attachment, enabling efficient and secure bootstrapping for a wide range of services.

The architecture involves several key functional entities: the AKMA Anchor Function (AAnF), the Network Exposure Function (NEF), and the Application Function (AF). The AAnF, typically collocated with the Authentication Server Function (AUSF) in the home network, is the central component. It generates and manages the AKMA Application Key (K_AF) for a specific UE and AF pair. The K_AF is derived from the anchor key (K_AKMA), which itself is derived from the primary authentication key (e.g., K_AUSF). The NEF acts as a secure intermediary, allowing the AF (which may be located in a third-party domain) to request the K_AF from the AAnF without direct access to core network functions.

The procedure begins when a UE successfully completes 3GPP primary authentication. The AUSF generates the K_AKMA and provides it to the AAnF. The UE can independently derive the same K_AKMA. When the UE wants to access a service from an AF, it provides an AKMA Application Key Identifier (A-KID) to the AF. The AF, via the NEF, uses this A-KID to request the corresponding K_AF from the AAnF. The AAnF generates the K_AF specific to that UE and AF pair and provides it to the AF. Subsequently, both the UE (which can derive the same K_AF) and the AF possess a shared secret key for securing their communication, enabling mutual authentication and the establishment of further application-layer security contexts (e.g., TLS-PSK).
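The key hierarchy and lookup flow described above, modelled in Python as an added example (not code from 3GPP or from this page). The KDF is the generic 3GPP one from TS 33.220 Annex B; the FC values and input strings for K_AKMA, A-TID and K_AF are assumed from TS 33.535 Annex A, the AF_ID is a plain string label, and the K_AUSF, SUPI, routing indicator and home-network identifier are constructed sample values.

```python
import hmac
import hashlib

# Generic 3GPP key derivation function (TS 33.220 Annex B):
# HMAC-SHA-256 keyed with the input key over S = FC || P0 || L0 || P1 || L1 ...
def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # Li = 2-byte length of Pi
    return hmac.new(key, s, hashlib.sha256).digest()

# FC values and input strings are ASSUMED from TS 33.535 Annex A; check them
# against the current spec text before relying on them.
FC_K_AKMA, FC_A_TID, FC_K_AF = 0x80, 0x81, 0x82

def derive_k_akma(k_ausf: bytes, supi: str) -> bytes:
    return kdf(k_ausf, FC_K_AKMA, b"AKMA", supi.encode())

def derive_a_tid(k_ausf: bytes, supi: str) -> bytes:
    return kdf(k_ausf, FC_A_TID, b"A-TID", supi.encode())

def derive_k_af(k_akma: bytes, af_id: str) -> bytes:
    # AF_ID binds the key to one application function: a different AF_ID
    # yields an unrelated K_AF for the same UE, so one AF cannot use another's key.
    return kdf(k_akma, FC_K_AF, af_id.encode())

def make_a_kid(a_tid: bytes, rid: str, hn_id: str) -> str:
    # A-KID in NAI form: username = routing indicator || A-TID, realm = home network id
    return f"{rid}{a_tid.hex()}@{hn_id}"

def run_akma_flow(k_ausf: bytes, supi: str, rid: str, hn_id: str, af_id: str):
    # 1. After primary authentication the AUSF derives K_AKMA and A-KID and
    #    pushes them to the AAnF, which stores K_AKMA keyed by A-KID.
    aanf_store = {make_a_kid(derive_a_tid(k_ausf, supi), rid, hn_id):
                  (supi, derive_k_akma(k_ausf, supi))}
    # 2. The UE derives the same K_AKMA and A-KID from its own K_AUSF copy,
    #    then K_AF for the AF it wants to reach.
    ue_a_kid = make_a_kid(derive_a_tid(k_ausf, supi), rid, hn_id)
    ue_k_af = derive_k_af(derive_k_akma(k_ausf, supi), af_id)
    # 3. The UE presents A-KID to the AF; the AF (via the NEF) asks the AAnF
    #    for K_AF. The AAnF looks up K_AKMA by A-KID and derives K_AF for AF_ID.
    if ue_a_kid not in aanf_store:
        raise KeyError("unknown A-KID: no AKMA context for this UE")
    _, stored_k_akma = aanf_store[ue_a_kid]
    af_k_af = derive_k_af(stored_k_akma, af_id)
    # The AF only ever receives the AF-specific K_AF, never K_AKMA or K_AUSF.
    return ue_k_af, af_k_af, ue_a_kid
```

Running `run_akma_flow` twice with different `af_id` values for the same UE shows the per-AF isolation: the two K_AF values share no relationship an AF could exploit, while the UE and AF sides always agree.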

AKMA's role is to decouple application security from network access security, providing a scalable and standardized method for service providers to offer secure services. It is particularly valuable for services that require persistent secure sessions or frequent re-authentication, as it avoids repeated full network authentication procedures. By leveraging the robust security of the 3GPP ecosystem, AKMA enhances trust in third-party applications and enables new business models for network operators and application providers.

Purpose & Motivation

AKMA was created to address the growing need for secure, efficient authentication and key management for application-layer services in mobile networks. Prior to AKMA, application functions often had to implement their own authentication mechanisms, such as username/password, OAuth, or custom certificate-based methods. These approaches introduced several problems: they created a fragmented security landscape, increased complexity for users (multiple credentials), incurred significant signaling overhead (separate authentication runs), and did not inherently leverage the strong, subscriber-based authentication already performed by the mobile network.

The historical context is the evolution towards service-based architectures in 5G and the proliferation of IoT and edge computing applications. These services require lightweight, yet secure, methods to authenticate devices and establish keys without burdening the core network with redundant authentication traffic. AKMA solves this by reusing the trust established during the initial 3GPP access authentication. It allows Application Functions, whether operated by the network operator or a trusted third party, to securely obtain keys derived from that initial authentication, ensuring end-to-end security based on the subscriber's identity and the network's security credentials.

This approach addresses limitations of previous methods by providing a standardized, network-operator-anchored security framework. It reduces latency for service access, minimizes signaling load, enhances user experience through seamless authentication (single sign-on concept for network services), and provides a consistent security baseline across diverse applications. It is a key enabler for secure network exposure and monetization of network capabilities through APIs.

Classification

Part of: AUSF
Specific types: A-KID, A-TID, KAF, KAKMA
Related approaches: NEF

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (308 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 (39 changes)

In Release 15, the AKMA (Authentication and Key Management for Applications) function was newly introduced, as specified in the dedicated technical specification TS 33.535. This foundational release established the architecture for enabling applications to leverage 3GPP credentials for authentication and key management within the 5G System.

  • Introduction of PLMN Id in UECM & UE Authentication Services (TS 29.503, CR0026)
  • Nudm_SDM retrieval of SMS Management Subscription data (TS 29.503, CR0037)
  • Addition of ABBA in 5G based primary authentication procedure (TS 24.501, CR0036)
  • User Plane management to support interworking with EPS (TS 23.501, CR0122)
  • Management of service area restriction information (TS 23.501, CR0144)
  • Corrections to PFD management (TS 23.501, CR0210)

+ 33 more changes

Rel-16 (80 changes)

In Release 16, the new AKMA (Authentication and Key Management for Applications) function was formally specified in TS 33.535, establishing a standalone framework for application authentication based on 3GPP credentials within the 5G System. This introduced a dedicated procedure and architecture separate from the Generic Bootstrapping Architecture (GBA), enabling applications to securely derive keys from the primary 5G authentication.

  • 5GS Logical TSN bridge management (TS 23.501, CR1002)
  • Further detailing of 5G LAN group management (TS 23.501, CR1052)
  • Introduction of Slice-Specific Authentication and Authorisation (TS 23.501, CR1174)
  • Signalling of UE support for transfer of port management information containers, MAC address and DS-TT residence time (TS 24.501, CR1358)
  • Adding support for transfer of Ethernet port management information containers (TS 24.501, CR1359)
  • Port management information container: Delivery via the NAS protocol and coding (TS 24.501, CR1470)

+ 74 more changes

Rel-17 (108 changes)

In Release 17, the key enhancements for AKMA included its formal introduction into the 5G reference architecture and the definition of specific application-layer security profiles. These new capabilities primarily involved adding AKMA-based profiles for TLS, including the use of AKMA-derived keys for TLS 1.3 and enabling GBA-based shared secrets for Pre-Shared Key (PSK) authentication within that protocol.

  • Introduction of AKMA into the reference architecture (TS 23.501, CR2457)
  • SNPN support AAA Server for primary authentication and authorization (TS 23.501, CR2611)
  • Adding the usage of Session Management Congestion Control Experience analytics (TS 23.501, CR2708)
  • Remote provisioning of credentials for NSSAA or secondary authentication/authorisation (TS 23.501, CR2714)
  • Authentication and Subscription information checking for Disaster Roaming service (TS 23.501, CR3251)
  • Update of HTTP Digest Access Authentication and reference update for HTTP/1.1 protocol (TS 24.109, CR0069)

+ 102 more changes

Rel-18 (61 changes)

In Release 18, the AKMA function was enhanced with new procedures to support roaming restrictions and received security enhancements for its second phase. Specifically, the update included modifications to the Nudm_EventExposure_Subscribe service to support AKMA, as indicated in the Change Request titles. These updates built upon the foundation defined in the dedicated AKMA specification, TS 33.535.

  • Secondary DN authentication and authorization in EPS IWK case (TS 23.501, CR3701)
  • UPF event exposure service for TSC management (TS 23.501, CR3720)
  • Service area provisioning and LADN aspects for enhanced group management (TS 23.501, CR3914)
  • Considering ML model management capability during ADRF discovery and selection (TS 23.501, CR3929)
  • KI#1: Support the enhancement of group attribute management (TS 23.501, CR4086)
  • Updates on TSC management information (TS 23.501, CR4404)

+ 55 more changes

Rel-19 (20 changes)

In Release 19, the AKMA function was updated to clarify the procedure for an Application Function (AF) to disable encryption for a roaming UE when using AKMA services. Additionally, corrections were made to the data type name conveying the AKMA service disablement notification. These changes provide more precise handling of service policies for roaming users.

  • KI#1 Architecture for Local Offloading Management (TS 23.501, CR5752)
  • PCF's awareness of I-SMF insertion for Local Offloading Management (TS 23.501, CR5833)
  • Inclusion of ATSSS status in related session management messages (TS 24.501, CR6880)
  • Updating 5G ProSe direct link management procedures for SNPN (TS 24.554, CR0668)
  • Local Offloading Management (TS 29.503, CR1379)
  • Clarification on session management enhancement (TS 23.501, CR6007)

+ 14 more changes

Defining Specifications

3GPP specifications that define or reference AKMA, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

Specification  | Title                                                  | Release
TS 23.501 vk00 | 5G System Architecture Stage 2                         | Rel-20
TS 24.109 vj00 | HTTP Digest AKA & GAA Stage 3                          | Rel-19
TS 24.501 vj50 | 5G NAS Protocols Specification                         | Rel-19
TS 24.554 vj40 | 5G Proximity Services (ProSe) Protocols                | Rel-19
TS 29.503 vj50 | UDM Service Based Interface Stage 3                    | Rel-19
TS 29.522 vj40 | 5G NEF Northbound APIs Stage 3                         | Rel-19
TS 29.535 vj40 | 5G AKMA Anchor Services Stage 3 Protocol               | Rel-19
TS 33.127 vj50 | Lawful Interception Architecture and Functions         | Rel-19
TS 33.503 vj20 | Security for Proximity Services (ProSe) in 5G          | Rel-19
TS 33.533 vj00 | Security for 5G Ranging & Sidelink Positioning         | Rel-19
TS 33.535 vj00 | 5G AKMA: Authentication and Key Management for Apps    | Rel-19
TS 33.700      | 3GPP TR 33.700                                         | Rel-16
TR 33.739 vi10 | Study on security enhancement of support for           | Rel-18
TR 33.741 vi01 | Home Network Triggered Authentication                  | Rel-18
TS 33.749 vj00 | Study on security aspects of edge computing enhancement | Rel-19
TS 33.835 vg10 | Study on authentication and key management for apps    | Rel-16