ASME

Access Security Management Entity

Introduced in Rel-8

ASME is the logical function in the 3GPP serving network (the MME in EPS, the AMF in 5GS) that holds the key obtained during authentication and derives from it the access-specific keys used to protect NAS signalling and the radio interface.

Category
Security
Introduced
Rel-8
Where
Core network (MME in EPS, AMF in 5GS); the changes detected below come largely from USIM storage of the resulting security contexts (TS 31.102)
Specifications
3 specs

Description

The Access Security Management Entity (ASME) is a logical security function of the 3GPP architecture, specified for the Evolved Packet System (EPS) in 3GPP TS 33.401 and carried forward, under the AMF, into 5G (TS 33.501). It is not a standalone physical node but a role taken by a core-network entity: the Mobility Management Entity (MME) in LTE/EPC, and the Access and Mobility Management Function (AMF), together with its co-located SEAF, in the 5G Core (5GC). The ASME's work begins when a User Equipment (UE) attaches or registers. The serving-network entity requests an authentication vector from the home network: from the Home Subscriber Server (HSS) and its Authentication Centre (AuC) in EPS, or from the Authentication Server Function (AUSF) backed by Unified Data Management (UDM/ARPF) in 5GS. In EPS the HSS derives K_ASME from CK and IK, bound to the serving network identity, and delivers it to the MME inside the vector. In 5GS the AUSF retains K_AUSF (derived from CK/IK for 5G AKA, or from CK'/IK' via the EMSK for EAP-AKA') and releases to the serving network only the anchor key K_SEAF, bound to the serving network name.

Upon receiving the vector, the ASME performs the key derivation and management function that gives it its name. From the serving-network key it derives a hierarchy of keys specific to the access network: in EPS the MME derives K_eNB from K_ASME and the uplink NAS COUNT and hands K_eNB to the evolved NodeB (eNB), which in turn derives the RRC and user-plane keys for the radio interface; the NAS protection keys are derived from K_ASME and never leave the MME and the UE. The long-term subscriber key K never leaves the USIM and the AuC, the ASME sees only K_ASME, and the radio access node sees nothing above K_eNB. Because every step is a one-way function with the target access bound into its input, a key from one access (e.g., LTE) cannot be reused in another (e.g., 5G NR or non-3GPP access), and a compromised base station yields only its own K_eNB and what can be derived horizontally from it, never K_ASME or the NAS keys.

The ASME's responsibilities extend beyond initial key derivation. It maintains the key hierarchy across mobility events. At handover the target base station's key K_eNB* is computed by the eNB, not the ASME, either from the current K_eNB (horizontal derivation, which gives backward security only, since the source eNB can compute the target's key) or from a fresh Next Hop (NH) value (vertical derivation). The ASME's part is the NH chain: the MME derives each NH from K_ASME and the previous NH (the first one from K_eNB) and hands {NH, NCC} pairs to the eNBs in the S1 handover command or in the Path Switch Request Acknowledge after an X2 handover, so a source eNB, which never holds K_ASME, cannot compute the keys in use two hops later. This is what gives LTE its forward security. The ASME also owns the UE's EPS security context for the lifetime of the attachment: K_ASME, the key set identifier eKSI, the selected NAS algorithms and the NAS COUNT values, which can be kept as a cached context across idle periods and reactivated without a new AKA run. Non-3GPP access is handled differently in the two systems: in EPS, trusted WLAN is authenticated by EAP-AKA' through the 3GPP AAA server without involving the MME, whereas in 5GS the AMF derives K_N3IWF from K_AMF for access via the N3IWF.

In 5G the same function sits in the AMF, with one more layer above it. After primary authentication the AUSF keeps K_AUSF and sends the serving network only the anchor key K_SEAF, bound to the serving network name; the AMF, with its co-located SEAF, derives K_AMF from K_SEAF, and K_AMF plays the role that K_ASME plays in EPS. From K_AMF the AMF derives the NAS protection keys and, with an access-type distinguisher in the derivation, K_gNB for 3GPP access or K_N3IWF for non-3GPP access, so the gNB and the N3IWF never share a key even when both serve the same UE under the same AMF. On AMF change the source AMF can derive a fresh K_AMF horizontally before forwarding the context, so the target AMF does not learn the source's key. The key hierarchy does not branch per network slice: all slices a UE reaches through one AMF are protected by the same K_AMF-derived NAS and AS keys, and slice isolation is enforced by policy rather than by keying. The ASME role, now embodied by the AMF, remains the bridge between the home network's trust anchor and the exposed access network.
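The EPS hierarchy described in the three paragraphs above, worked through in Python as an added example (this is not code from the page or from 3GPP, and it is not a conformance implementation). It implements the generic KDF of TS 33.220 Annex B and the TS 33.401 Annex A derivations for K_ASME, the NAS and AS algorithm keys, K_eNB, the NH chain and K_eNB*, then shows which node ends up holding which key after an attach and one vertical (NH-based) handover. All inputs (CK, IK, SQN xor AK, PLMN 310-410, PCI 42, EARFCN 1300, NAS COUNT 0, algorithm identity 0x02) are constructed test values, not real vectors, and the function names are the example's own.

```python
"""EPS key hierarchy (TS 33.401 Annex A) on top of the TS 33.220 Annex B KDF.

Added example: not code from the page or from 3GPP. It shows which node holds
which key after attach and after an NH-based (vertical) handover. All inputs
(CK, IK, SQN xor AK, PLMN, PCI, EARFCN, NAS COUNT) are constructed test values.
"""
import hashlib
import hmac

# Function codes (FC) from TS 33.401 Annex A.
FC_KASME, FC_KENB, FC_NH, FC_KENB_STAR, FC_ALG_KEY = 0x10, 0x11, 0x12, 0x13, 0x15

# Algorithm type distinguishers, TS 33.401 Table A.7-1.
ALG_TYPE = {"NAS-enc": 0x01, "NAS-int": 0x02, "RRC-enc": 0x03,
            "RRC-int": 0x04, "UP-enc": 0x05, "UP-int": 0x06}


def kdf_input(fc: int, *params: bytes) -> bytes:
    """S = FC || P0 || L0 || ... || Pn || Ln, each Li a 2-octet big-endian length."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 B.2: derived key = HMAC-SHA-256(Key, S)."""
    return hmac.new(key, kdf_input(fc, *params), hashlib.sha256).digest()


def plmn_id(mcc: str, mnc: str) -> bytes:
    """3-octet serving network identity (SN id) in the PLMN nibble layout of
    TS 24.301; a 2-digit MNC gets 0xF as its third digit."""
    d = mnc if len(mnc) == 3 else mnc + "f"
    return bytes.fromhex(mcc[1] + mcc[0] + d[2] + mcc[2] + d[1] + d[0])


def derive_k_asme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """HSS/AuC: K_ASME = KDF(CK||IK, 0x10, SN id, SQN xor AK). Binding to SN id
    stops a vector issued for one serving network being used in another."""
    return kdf(ck + ik, FC_KASME, sn_id, sqn_xor_ak)


def derive_k_enb(k_asme: bytes, ul_nas_count: int) -> bytes:
    """MME (ASME): K_eNB = KDF(K_ASME, 0x11, uplink NAS COUNT). Only this key reaches the eNB."""
    return kdf(k_asme, FC_KENB, ul_nas_count.to_bytes(4, "big"))


def derive_alg_key(root: bytes, alg_type: str, alg_id: int) -> bytes:
    """128-bit algorithm key: low 128 bits of KDF(root, 0x15, type, algorithm id).
    root is K_ASME for NAS keys (held by the MME), K_eNB for RRC/UP keys (eNB)."""
    return kdf(root, FC_ALG_KEY, bytes([ALG_TYPE[alg_type]]), bytes([alg_id]))[16:]


def derive_nh_chain(k_asme: bytes, k_enb: bytes, n: int) -> list:
    """MME: NH values for NCC = 1..n. NH_1 = KDF(K_ASME, 0x12, K_eNB), later NHs are
    chained from the previous one. An eNB, lacking K_ASME, cannot extend the chain."""
    chain, sync_input = [], k_enb
    for _ in range(n):
        sync_input = kdf(k_asme, FC_NH, sync_input)
        chain.append(sync_input)
    return chain


def derive_k_enb_star(base: bytes, pci: int, earfcn_dl: int) -> bytes:
    """eNB: K_eNB* = KDF(base, 0x13, PCI, EARFCN-DL); EARFCN-DL on 2 octets here (the
    spec allows 3 for the extended range). base = current K_eNB (horizontal; the source
    eNB can compute the result) or a fresh NH from the MME (vertical; it cannot)."""
    return kdf(base, FC_KENB_STAR, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))


def eps_key_walkthrough() -> dict:
    """One attach plus one vertical handover on constructed inputs; returns the key
    material held by the MME, the source eNB and the target eNB."""
    ck = bytes(15) + b"\x01"                      # constructed, not a real AKA output
    ik = bytes(15) + b"\x02"
    sqn_xor_ak = bytes(5) + b"\x01"               # 6 octets, constructed
    k_asme = derive_k_asme(ck, ik, plmn_id("310", "410"), sqn_xor_ak)
    k_enb = derive_k_enb(k_asme, ul_nas_count=0)
    nh1, nh2 = derive_nh_chain(k_asme, k_enb, 2)
    k_enb_star = derive_k_enb_star(nh1, pci=42, earfcn_dl=1300)   # vertical derivation
    return {
        "mme": {"K_ASME": k_asme, "NH_NCC1": nh1, "NH_NCC2": nh2,
                "K_NASenc": derive_alg_key(k_asme, "NAS-enc", 0x02),   # 128-EEA2
                "K_NASint": derive_alg_key(k_asme, "NAS-int", 0x02)},  # 128-EIA2
        "source_enb": {"K_eNB": k_enb,
                       "K_RRCint": derive_alg_key(k_enb, "RRC-int", 0x02)},
        "target_enb": {"K_eNB": k_enb_star,
                       "K_RRCint": derive_alg_key(k_enb_star, "RRC-int", 0x02)},
    }


if __name__ == "__main__":
    for node, keys in eps_key_walkthrough().items():
        print(node, {name: value.hex()[:16] + "..." for name, value in keys.items()})
```

The point to read off the result is the separation: the eNB dictionaries never contain K_ASME or a NAS key, and the target eNB's key is derived from an NH that the source eNB could not have produced. The 5G hierarchy in TS 33.501 Annex A uses the same HMAC-SHA-256 KDF construction with its own FC values and with K_SEAF, K_AMF and K_gNB in the places of K_ASME and K_eNB; the example stops at EPS.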

Purpose & Motivation

The ASME was introduced in 3GPP Release 8 with the Evolved Packet System (LTE/EPC) to address security shortcomings of the earlier architectures and to establish a scalable security framework for all-IP networks. In UMTS the ciphering and integrity keys CK and IK produced by AKA were delivered to the Radio Network Controller (RNC), so the radio network held the same key material as the core. LTE removed the RNC and let the eNB, often deployed at exposed sites, terminate radio security directly, which made the access network a less trusted domain than the core. The primary purpose of the ASME is to resolve this trust issue by acting as a security mediator: the long-term subscriber key K stays in the USIM and the home network's AuC, the serving-network key K_ASME stays in the MME, and the eNB receives only the short-lived, access-specific K_eNB, which limits the impact of a compromise in the radio access network.

Another problem the ASME solves is secure mobility and interoperability across heterogeneous access networks. As networks grew to include 5G New Radio and, in 5GS, non-3GPP access such as WLAN through the N3IWF, a single point was needed to provide authentication and key agreement while keeping the keys of different access technologies apart. The ASME is that point: one authentication run with the home network yields one serving-network key, from which it derives the key for whatever access the UE is using, with an access-type distinguisher in the derivation so that the keys differ. (In EPS, WLAN access was authenticated separately through the 3GPP AAA server rather than through the MME; 5GS brought non-3GPP access under the AMF.) This design lets new access types be integrated without redesigning the authentication procedure with the home network.

Furthermore, the ASME makes security context management more efficient. Centralising the derivation and distribution of access keys simplifies handovers: the ASME supplies fresh Next Hop (NH) values derived from its stored key, so target cells obtain new keys without a new authentication run with the home network, reducing latency and signalling load. The middle-tier key (K_ASME, or K_AMF in 5G) also allows the access link to be re-keyed and its algorithms re-negotiated independently of the home network: an intra-cell handover refreshes K_eNB, and a NAS security mode command selecting new algorithms refreshes the NAS keys, while K_ASME stays in place. This layered key management is a foundation for the security features of mobile broadband, massive IoT and, in 5G, network slicing.

Classification

Part of: MME (EPS), AMF (5GS)
Related approaches: AUSF, HSS

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (24 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

The CRs detected for this entry start at Rel-15; the ASME itself has been normative since Rel-8 (TS 33.401).

Rel-15 9 changes

In Release 15, the ASME-related updates primarily involved enhancements to the USIM for storing 5G security contexts to support interworking. Specifically, this included introducing new Elementary Files (EFs) to contain the full native NAS security context from 5G and to support the storage of EPS NAS security algorithms received in 5G for mobility procedures. The release also brought updates to USIM management procedures for the 5G System and corrections to the specification of the 5GS 3GPP Access NAS Security Context.

  • Introduce EFs that contain NAS full native security context from 5G Mobility Management Information (TS 31.102 CR0776)
  • Support storage of EPS NAS security algos received in 5G for mobility over N26 (TS 31.102 CR0820)
  • Updates to USIM management procedures for 5GS (TS 31.102 CR0806)
  • Correction of 5GS 3GPP Access NAS Security Context (TS 31.102 CR0814)
  • Corrections to SgNB security procedures (TS 33.401 CR0620)
  • Aligning the specification of the key derivation function for key to use in security algorithms between UE and SgNB in EDCE5 with the 5G specification (TS 33.401 CR0625)

  (3 further Rel-15 changes not listed here)

Rel-16 3 changes

In Release 16, the MME-side (ASME) handling in EPS was extended to protect the UE's radio capabilities using Access Stratum security, so that the capability exchange takes place under AS protection rather than in the clear. The same set of CRs added security considerations for Restricted Local Operator Services (RLOS), in which a UE may be served without successful authentication, and for DNS and ICMP traffic. These updates were part of a broader effort to extend security mechanisms to new features and to safeguard sensitive UE information during network procedures.

  • Security aspects of RLOS (TS 33.401 CR0687)
  • Security Aspects of DNS and ICMP (TS 33.401 CR0695)
  • UE caps protection using AS security in EPS Rel-16 (TS 33.401 CR0694)

Rel-17 7 changes

In Release 17, updates to the ASME function included enhancements for NAS security context handling in multiple registration scenarios, specifying how the ME updates the NAS Security Context in the EF-5GS3GPPNSC and EF-5GSN3GPPNSC files. Furthermore, corrections were made to the handling of 5GS NAS Security Contexts record 2 and to the examples of NSC management in multiple registrations. The release also introduced new security policies for V2X services, specifically for PC5 DRX configuration and NR-PC5 unicast.

  • Support of PC5 DRX configuration policies and NR-PC5 unicast security policies for V2X services (TS 31.102 CR0953)
  • Correction to 5GS NAS Security Contexts record 2 handling (TS 31.102 CR0966)
  • Avoid linkage between security functions and UE Radio Access Capabilities (TS 33.401 CR0708)
  • E1 interface security requirements (TS 33.401 CR0709)
  • NAS security context storage in multiple registration (TS 31.102 CR0920)
  • Add 24.501 reference on how the ME shall update NAS Security Context in two records of EF-5GS3GPPNSC and EF-5GSN3GPPNSC (TS 31.102 CR0933)

  (1 further Rel-17 change not listed here)

Rel-18 3 changes

In Release 18, the ASME-related updates primarily involved enhancements to USIM storage for 5G security parameters, specifically mandating that Service n°133 (enabling storage of extended security parameters such as the SOR counter) must be enabled when Service n°123 (enabling storage of K_AUSF) is enabled. This ensures that critical 5G security context parameters are consistently stored together on the USIM. Additionally, the release included editorial corrections to the 5GS 3GPP Access NAS Security Context specification.

  • 5G Security Parameters extended storage on USIM (mandating Service n°133 to be enabled when Service n°123 is enabled) Rel18 (TS 31.102 CR1014)
  • Editorial correction to 5GS 3GPP Access NAS Security Context Rel18 (TS 31.102 CR1016)
  • Correction on negotiation of security algorithms for EN-DC (R18) (TS 33.401 CR0717)

Rel-19 2 changes

In Release 19, the ASME-related enhancements focused on ensuring backward compatibility for USIMs lacking extended security parameter storage, specifically for handling the SOR counter and the UE parameter update counter in association with the stored K_AUSF. Additionally, new security aspects were introduced to support the integration of 5G satellite access within the system architecture.

  • Security aspects of 5G satellite access (TS 33.401 CR0727)
  • Backward compatibility handling of USIM without extended security parameter storage in EF_5GAuthKeys - Rel19 (TS 31.102 CR1074)

Defining Specifications

3GPP specifications that define or reference ASME, with the latest known release. Sourced from the 3GPP document catalog.

Specification   Version          Title                                        Release
TS 31.102       vj40 (19.4.0)    USIM Application Specification               Rel-19
TS 31.121       vi50 (18.5.0)    UICC-terminal interface test specification   Rel-18
TS 33.401       vj10 (19.1.0)    EPS Security Architecture                    Rel-19