ARPF

Authentication credential Repository and Processing Function

Introduced in Rel-15

ARPF is the 5G core network function that securely stores subscriber authentication credentials and performs the cryptographic operations needed for authentication and key derivation.

Category: Security
Specifications: 4 specs

Description

The Authentication credential Repository and Processing Function (ARPF) is a fundamental security component within the 5G Core Network's Authentication Server Function (AUSF) and Unified Data Management (UDM) architecture. It serves as the secure repository for subscriber authentication credentials, primarily the long-term secret key (K) and associated subscription identifier (SUPI). The ARPF's primary role is to execute the cryptographic algorithms required for the 5G Authentication and Key Agreement (5G-AKA) and EAP-AKA' procedures. When an authentication request is initiated, the AUSF/UDM invokes the ARPF to generate authentication vectors, which include random challenges (RAND), network authentication tokens (AUTN), expected responses (XRES*), and the anchor key (K_AUSF) from which all subsequent session keys are derived.

Architecturally, the ARPF is not a standalone Network Function (NF) but is logically integrated within the UDM for credential storage and within the AUSF for authentication vector processing, as defined in 3GPP TS 33.501. This separation aligns with the service-based architecture principle, where the UDM manages subscription data and the AUSF handles authentication procedures. The ARPF interfaces internally with these functions via service-based interfaces. It stores credentials per subscription, typically indexed by the Subscription Permanent Identifier (SUPI), and supports the home network's authentication policies. Its processing includes executing the Milenage or TUAK algorithm sets to generate the 5G Home Environment Authentication Vector (RAND, XRES*, AUTN, K_AUSF) for 5G-AKA.

The ARPF's operation is triggered during initial registration or re-authentication. Upon receiving a request from the AUSF (for 5G-AKA) or directly from the UDM (for EAP-AKA'), the ARPF retrieves the subscriber's long-term key (K) and SUPI. It then generates a random challenge (RAND) and computes the AUTN, which includes a sequence number (SQN) and a message authentication code (MAC) to authenticate the network to the UE. Simultaneously, it computes the expected response (XRES*) and the anchor key K_AUSF. These outputs form the authentication vector sent to the AUSF, which forwards relevant parts to the UE via the serving network. The UE performs identical computations; if its response (RES*) matches XRES*, authentication succeeds, and both sides derive the same K_AUSF for subsequent key hierarchy derivation.

Key components of the ARPF functionality include the credential database (storing K and SUPI), the cryptographic algorithm engine (Milenage/TUAK), and the policy enforcement module for authentication method selection. Its role extends beyond mere storage: it ensures the long-term key never leaves the secure boundary, mitigating key exposure risks. The ARPF also supports subscription de-synchronization detection by managing SQN synchronization, preventing replay attacks. In roaming scenarios, the ARPF resides in the home network, allowing the home operator to retain control over authentication credentials while the serving network handles access procedures, enhancing security and privacy compared to previous generations.
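The vector generation and UE-side check described above, written out as an added example (not code from this page or from 3GPP). The Milenage/TUAK functions f1 to f5 are replaced by a labelled HMAC-SHA256 stand-in keyed with K; the XRES* and K_AUSF derivations use the 3GPP KDF from TS 33.220 Annex B with the FC values 0x6B and 0x6A from TS 33.501 Annex A, and K, SQN, RAND and the serving network name are constructed sample values.

```python
import hmac
import hashlib
import os

AMF = bytes.fromhex("8000")  # AMF with the separation bit set, as 5G AKA requires

def f(k, tag, *parts):
    # Assumption: stand-in for Milenage/TUAK f1..f5. A real ARPF keys Milenage or
    # TUAK with K; here HMAC-SHA256 keyed with K and domain-separated by tag is used.
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()

def kdf(key, fc, *params):
    # 3GPP generic KDF (TS 33.220 Annex B): HMAC-SHA256(key, FC || P0 || L0 || P1 || L1 ...)
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def generate_he_av(k, sqn, snn, rand=None):
    """ARPF side: derive the 5G HE AV (RAND, AUTN, XRES*, K_AUSF) from K, SQN and SNN."""
    rand = rand or os.urandom(16)
    mac = f(k, b"f1", rand, sqn, AMF)[:8]                 # authenticates the network to the UE
    xres, ck, ik = f(k, b"f2", rand)[:8], f(k, b"f3", rand)[:16], f(k, b"f4", rand)[:16]
    ak = f(k, b"f5", rand)[:6]                            # anonymity key conceals SQN over the air
    conc = xor(sqn, ak)                                   # SQN xor AK
    autn = conc + AMF + mac                               # AUTN = (SQN xor AK) || AMF || MAC
    xres_star = kdf(ck + ik, 0x6B, snn, rand, xres)[16:]  # TS 33.501 A.4: FC=0x6B, 128 LSBs
    k_ausf = kdf(ck + ik, 0x6A, snn, conc)                # TS 33.501 A.2: FC=0x6A
    return rand, autn, xres_star, k_ausf

def ue_authenticate(k, sqn_ue, snn, rand, autn):
    """UE/USIM side: verify AUTN and SQN freshness; return (RES*, K_AUSF, SQN) or None."""
    conc, amf, mac = autn[:6], autn[6:8], autn[8:16]
    sqn = xor(conc, f(k, b"f5", rand)[:6])                # recover SQN with the same AK
    if not hmac.compare_digest(mac, f(k, b"f1", rand, sqn, amf)[:8]):
        return None   # MAC failure: network is not authenticated
    if int.from_bytes(sqn, "big") <= int.from_bytes(sqn_ue, "big"):
        return None   # stale SQN: replayed vector; a USIM would report a sync failure
    res, ck, ik = f(k, b"f2", rand)[:8], f(k, b"f3", rand)[:16], f(k, b"f4", rand)[:16]
    res_star = kdf(ck + ik, 0x6B, snn, rand, res)[16:]
    return res_star, kdf(ck + ik, 0x6A, snn, conc), sqn
```

With matching K and a fresh SQN, RES* equals XRES* and both sides hold the same K_AUSF; re-presenting the same RAND/AUTN to a UE that already accepted that SQN is rejected.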

The ARPF is central to 5G's enhanced security framework, enabling features like subscription privacy (SUCI concealment), service-based architecture security, and network slicing isolation. By centralizing credential processing, it provides a consistent authentication mechanism across access technologies (3GPP and non-3GPP). Its design supports regulatory requirements for secure credential handling and facilitates future authentication method upgrades without impacting other network functions, ensuring longevity and adaptability in evolving threat landscapes.

Purpose & Motivation

The ARPF was introduced in 5G (Release 15) to address critical security shortcomings in previous cellular generations, particularly the vulnerabilities in 3G and 4G authentication systems. In 2G/3G/4G, authentication credentials were often stored in the Home Subscriber Server (HSS) with less granular cryptographic processing, and key derivation was sometimes distributed across network elements, increasing exposure risks. The lack of a dedicated, function-specific credential processor made it harder to implement robust key separation and privacy enhancements. 5G's requirement for stronger subscriber identity protection (via SUCI), support for network slicing (requiring isolated authentication contexts), and integration with non-3GPP access (e.g., Wi-Fi) necessitated a more sophisticated and centralized credential management approach.

The primary problem the ARPF solves is the secure isolation and processing of long-term authentication keys. By encapsulating credential storage and cryptographic operations within a defined logical function, it prevents key leakage across network interfaces and reduces the attack surface. This is especially important in 5G's service-based architecture, where network functions communicate via HTTP/2-based APIs; centralizing sensitive operations in the ARPF minimizes the risk of credential exposure during authentication signaling. Additionally, the ARPF enables the 5G security anchor, K_AUSF, to be derived within a controlled environment, ensuring that the long-term key (K) is never transmitted or used directly for session protection, thereby enhancing forward secrecy and key hierarchy robustness.

Historically, authentication in 4G LTE involved the HSS generating authentication vectors (AVs) containing multiple keys, some of which were sent to the MME and eNodeB, creating potential interception points. The ARPF's creation was motivated by the need to streamline this process while improving security. It supports 5G's home-controlled authentication model, where the home network (via ARPF) always generates the authentication vectors, even in roaming scenarios, ensuring consistent security policies. This addresses limitations like the lack of home network authentication in some 4G roaming setups. The ARPF also facilitates the introduction of new authentication methods (e.g., EAP-TLS for IoT) by providing a modular framework for credential processing, future-proofing the network against evolving threats and regulatory demands for enhanced privacy and data protection.

Classification

Part of: UDM
Related approaches: AUSF

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (82 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 (33 changes)

In Release 15, the ARPF was newly introduced as a core security entity within the 5G System architecture, responsible for storing subscription credentials and processing authentication data. It specifically handles the generation of the 5G Home Environment Authentication Vector, which includes RAND, AUTN, XRES*, and K_AUSF for 5G AKA, and provides this data to the AUSF. The release also brought clarifications and corrections to its procedures, including the initiation of authentication, selection of authentication methods, and the handling of unused authentication vectors.

  • Rules on concurrent running of authentication and NAS SMC procedure (TS 33.501 CR0004)
  • Clarifications to: Protection at the network or transport layer, Authorization and authentication between network functions and the NRF (TS 33.501 CR0147)
  • Corrections to secondary authentication procedure (TS 33.501 CR0064)
  • Corrections related to authentication related services (TS 33.501 CR0080)
  • Clarifications to: Initiation of authentication and selection of authentication method (TS 33.501 CR0084)
  • Clarifications to: Authentication procedures (TS 33.501 CR0115)

+ 27 more changes

Rel-16 (18 changes)

In Release 16, the ARPF's scope was expanded to support new authentication and authorization procedures for network functions and indirect communication, including mutual authentication between network entities. It gained enhanced capabilities for Network Slice Specific Authentication and Authorization (NSSAA) and for authentication in Private Network Integrated Non-Public Network (PNI-NPN) scenarios. Furthermore, the release introduced clarifications and support for SUCI computation and the use of authentication methods, such as EAP-AKA', in these new contexts.

  • Authentication and authorization between SeCoP and network functions (TS 33.501 CR0693)
  • Authentication and authorization between SeCoPs (TS 33.501 CR0694)
  • Authentication in indirect communication scenarios (TS 33.501 CR0808)
  • SUCI computation: implementers' test data for network specific identifier-based SUPI (TS 33.501 CR0847)
  • Network slice specific authentication and authorization clauses (TS 33.501 CR0853)
  • Removing editor's note on capturing all the details for alternative authentication methods (TS 33.501 CR0684)

+ 12 more changes

Rel-17 (17 changes)

In Release 17, the ARPF's role was clarified and extended in several key areas, including enhancements for network slice-specific re-authentication and revocation procedures involving the AAA server. The release also provided clarifications on the ARPF's interactions for generating authentication vectors during secondary authentication for UE onboarding and for handling authentication behind residential gateways. Furthermore, specific procedures for configuring and processing Anonymous SUCI were defined, impacting the ARPF's function in subscription identifier de-concealing.

  • Change the procedure of network slice re-authentication and revocation by AAA-S (TS 33.501 CR1091)
  • Removing Editor's note on SUPI sent to AAA (TS 33.501 CR1289)
  • Removing Editor's note on Credentials Holder using AUSF and UDM for primary authentication (TS 33.501 CR1307)
  • Editorial for the Figure on key hierarchy for Credentials Holder using AAA (TS 33.501 CR1309)
  • Usage of AN ID for NSWO authentication (TS 33.501 CR1317)
  • Configuration of Anonymous SUCI (TS 33.501 CR1380)

+ 11 more changes

Rel-18 (12 changes)

In Release 18, the ARPF saw enhancements primarily focused on expanding authentication procedures for devices behind residential gateways and clarifying home network-triggered primary authentication. Specifically, new capabilities were introduced for authenticating UE behind 5G-RG and FN-RG using NSWO, as well as for AUN3 devices behind an RG, and the procedure for Home Network triggered primary authentication was introduced and clarified. Additionally, the release addressed the split between authentication and authorization and resolved editor's notes concerning the selection of authentication methods.

  • Authentication for UE behind 5G-RG and FN-RG using NSWO (TS 33.501 CR1593)
  • Authentication of AUN3 devices behind RG (TS 33.501 CR1614)
  • Introducing Home Trigger primary authentication procedure (TS 33.501 CR1670)
  • Use of NF Instance ID in the mutual authentication between the NF Consumer and NRF (TS 33.501 CR1761)
  • Resolution of editor notes related to selection of authentication method (TS 33.501 CR1767)
  • Home Network triggered Primary authentication clarifications (TS 33.501 CR1777)

+ 6 more changes

Rel-19 (2 changes)

In Release 19, the ARPF saw refinements focused on ensuring correct mutual authentication requirements and updating related test procedures. Specifically, the updates pertained to clarifying the authentication status handling of the UE by the UDM, which interacts with the ARPF. These changes aimed at enhancing the reliability of the 5G authentication and key agreement process between the UE and the network.

  • Correct mutual authentication requirement (TS 33.501 CR2163)
  • Updating test case about authentication status of UE by UDM (TS 33.514 CR0032)


Defining Specifications

3GPP specifications that define or reference ARPF, with the latest known release. Sourced from the 3GPP document catalog.

Specification     Title                                                  Release
TS 33.501 vk00    5G Security Architecture and Procedures                Rel-20
TS 33.514 vk00    5G Security Assurance for UDM                          Rel-20
TR 33.741 vi01    Home Network Triggered Authentication                  Rel-18
TS 33.835 vg10    Study on authentication and key management for apps    Rel-16