AUSF

Authentication Server Function

Security
Introduced in Rel-15
The AUSF is the 5G core network function that terminates primary authentication and key agreement (AKA) for user equipment on the home-network side. It is central to the 3GPP security architecture: it verifies the subscriber's response to the authentication challenge, holds the anchor key K_AUSF, and hands the serving network only the keys derived from it. Keeping it separate from the UDM/ARPF, which stores the long-term subscriber key, limits what a compromised authentication front end can expose.

Description

The Authentication Server Function (AUSF) is the 5G Core (5GC) network function that terminates primary authentication on the home-network side. It resides in the home public land mobile network (HPLMN) and runs the primary authentication procedure with the User Equipment (UE) together with the Security Anchor Function (SEAF), which is co-located with the Access and Mobility Management Function (AMF) in the serving network. Towards the home side, the AUSF requests authentication vectors from the Unified Data Management (UDM) function, whose Authentication Credential Repository and Processing Function (ARPF) holds the long-term subscriber key K. The AUSF therefore never stores long-term credentials; it handles per-authentication material (XRES*, K_AUSF) and runs one of the two primary authentication methods 3GPP mandates for PLMN access, 5G-AKA or EAP-AKA' (other EAP methods are permitted for non-public networks), acting as the EAP server in the EAP case.

In 5G-AKA, when a UE registers, the SEAF/AMF sends a Nausf_UEAuthentication_Authenticate request to the AUSF, which asks the UDM/ARPF (Nudm_UEAuthentication_Get) for a 5G home-environment authentication vector (5G HE AV): a random challenge (RAND), the network authentication token (AUTN), the expected response XRES*, and the anchor key K_AUSF, which the ARPF derives from CK, IK and the serving network name. The AUSF stores XRES*, computes HXRES* as a hash of RAND and XRES*, derives K_SEAF from K_AUSF, and sends the serving-environment vector (RAND, AUTN, HXRES*) to the SEAF, which forwards RAND and AUTN to the UE. The UE's USIM verifies AUTN, computes RES from its subscriber key, and binds it to the challenge and the serving network name as RES*. The SEAF first checks RES* against HXRES* locally, then forwards RES* to the AUSF, which performs the authoritative comparison against XRES*. Only after that home-side check succeeds does the AUSF release K_SEAF to the SEAF and report the result to the UDM so a subsequent registration can be linked to a successful authentication. In the EAP-AKA' variant the AUSF is the EAP server and derives K_AUSF itself from the EMSK. In both cases K_AUSF is the root from which every further key of that security context is derived.

This gives a chain of trust rooted in the home network. From K_AUSF the AUSF derives K_SEAF, bound to the serving network name; the SEAF derives K_AMF from K_SEAF (with the SUPI and the ABBA parameter as inputs); and from K_AMF come the NAS integrity and confidentiality keys (K_NASint, K_NASenc) and the access-network keys (K_gNB for NG-RAN, K_N3IWF for untrusted non-3GPP access), from which the RRC and user-plane keys, including user-plane integrity where it is enabled, are derived in turn. Every step is a one-way key derivation, so compromise of a lower key does not expose the keys above it, and the serving network never learns K_AUSF. The AUSF also supports re-authentication and uses the K_AUSF it retains after a successful run to protect home-network procedures such as Steering of Roaming. It is therefore not fully stateless: it keeps per-UE transient state (XRES* during a run, the latest K_AUSF afterwards) while the permanent credentials stay in the UDM/ARPF, which is what lets it be replicated and scaled horizontally in cloud-native deployments.
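A worked model of the 5G-AKA exchange and the key hierarchy described above, added here as an example rather than taken from 3GPP or any vendor implementation. The KDF construction and the FC values and truncations are those of TS 33.220 Annex B.2 and TS 33.501 Annex A; everything else is constructed for the example: the USIM outputs (RES, CK, IK), the SQN xor AK value, the sample SUPI and its byte encoding, and the serving-network identities. The AUTN check on the UE is left out because it needs the USIM's f1/f5 functions. The model shows what the AUSF keeps (XRES*), what it computes (HXRES*, K_SEAF), that the SEAF's HXRES* comparison is only a pre-filter before the AUSF's own check, and that the same USIM secrets yield a different K_SEAF under a different serving network name.

```python
"""5G-AKA key derivation around the AUSF (added worked example; not 3GPP code).

KDF, FC values and truncations follow TS 33.220 Annex B.2 and TS 33.501 Annex A.
RES/CK/IK and SQN xor AK are constructed sample bytes, not Milenage outputs, and
the AUTN check on the UE is omitted because it needs the USIM's f1/f5 functions.
"""
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 B.2: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), Li two octets."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def serving_network_name(mcc: str, mnc: str) -> bytes:
    """SN name of TS 33.501 6.1.1.4: '5G:mnc<MNC>.mcc<MCC>.3gppnetwork.org', MNC padded to 3 digits."""
    return f"5G:mnc{mnc.zfill(3)}.mcc{mcc}.3gppnetwork.org".encode()


def res_star(ck: bytes, ik: bytes, sn_name: bytes, rand: bytes, res: bytes) -> bytes:
    """(X)RES* = 128 LSB of KDF(CK||IK, 0x6B, SN name, RAND, RES) (Annex A.4)."""
    return kdf(ck + ik, 0x6B, sn_name, rand, res)[16:]


def hres_star(rand: bytes, res_s: bytes) -> bytes:
    """HRES*/HXRES* = 128 LSB of SHA-256(RAND || RES*) (Annex A.5)."""
    return hashlib.sha256(rand + res_s).digest()[16:]


def derive_k_ausf(ck: bytes, ik: bytes, sn_name: bytes, sqn_xor_ak: bytes) -> bytes:
    """K_AUSF = KDF(CK||IK, 0x6A, SN name, SQN xor AK) (A.2): computed by ARPF and UE."""
    return kdf(ck + ik, 0x6A, sn_name, sqn_xor_ak)


def derive_k_seaf(k_ausf: bytes, sn_name: bytes) -> bytes:
    """K_SEAF = KDF(K_AUSF, 0x6C, SN name) (A.6): computed by the AUSF and the UE."""
    return kdf(k_ausf, 0x6C, sn_name)


def derive_k_amf(k_seaf: bytes, supi: bytes, abba: bytes) -> bytes:
    """K_AMF = KDF(K_SEAF, 0x6D, SUPI, ABBA) (A.7): computed by the SEAF/AMF and the UE."""
    return kdf(k_seaf, 0x6D, supi, abba)


def derive_k_nas(k_amf: bytes, alg_type: int, alg_id: int) -> bytes:
    """NAS key = 128 LSB of KDF(K_AMF, 0x69, type, id) (A.8); type 0x01 = enc, 0x02 = int."""
    return kdf(k_amf, 0x69, bytes([alg_type]), bytes([alg_id]))[16:]


# Constructed sample values for the example (not real subscriber data).
USIM = {"ck": bytes([0x11]) * 16, "ik": bytes([0x22]) * 16, "res": bytes([0x33]) * 8}
RAND = bytes(range(16))
SQN_XOR_AK = bytes.fromhex("000000000042")
SUPI = b"imsi-001010123456789"  # SUPI byte encoding for A.7 simplified here (assumption)


def run_5g_aka(mcc, mnc, supi, usim, rand, sqn_xor_ak, res_seen_by_ue=None):
    """Model of the 5G-AKA checkpoints of TS 33.501 6.1.3.2; returns outcome and keys."""
    sn = serving_network_name(mcc, mnc)
    ck, ik = usim["ck"], usim["ik"]

    # 1. UDM/ARPF builds the 5G HE AV (RAND, AUTN, XRES*, K_AUSF) for the AUSF.
    xres_s = res_star(ck, ik, sn, rand, usim["res"])
    k_ausf = derive_k_ausf(ck, ik, sn, sqn_xor_ak)

    # 2. AUSF keeps XRES*, derives K_SEAF, and sends the SE AV (RAND, AUTN, HXRES*) to the SEAF.
    hxres_s = hres_star(rand, xres_s)
    k_seaf = derive_k_seaf(k_ausf, sn)

    # 3. UE answers RAND/AUTN with RES*; a wrong RES models a bad USIM key or a tampered answer.
    res = usim["res"] if res_seen_by_ue is None else res_seen_by_ue
    res_s = res_star(ck, ik, sn, rand, res)

    # 4. SEAF makes the local, non-authoritative check HRES* == HXRES*.
    seaf_ok = hmac.compare_digest(hres_star(rand, res_s), hxres_s)
    # 5. AUSF makes the authoritative home check RES* == XRES* before releasing K_SEAF.
    ausf_ok = seaf_ok and hmac.compare_digest(res_s, xres_s)
    if not ausf_ok:
        return {"seaf_ok": seaf_ok, "ausf_ok": False, "k_seaf": None, "k_nas_int": None}

    # 6. SEAF derives K_AMF (ABBA = 0x0000 in Rel-15) and the NAS keys; NIA2 has algorithm id 0x02.
    k_amf = derive_k_amf(k_seaf, supi, b"\x00\x00")
    return {"seaf_ok": True, "ausf_ok": True, "k_seaf": k_seaf,
            "k_nas_int": derive_k_nas(k_amf, 0x02, 0x02)}


if __name__ == "__main__":
    outcome = run_5g_aka("001", "01", SUPI, USIM, RAND, SQN_XOR_AK)
    print("authenticated:", outcome["ausf_ok"], "K_SEAF:", outcome["k_seaf"].hex())
```

The KDF encodes each parameter with its two-octet length, so the boundary between, say, the serving network name and RAND is fixed and cannot be shifted by an attacker-controlled input; and because the serving network name enters at the K_AUSF and K_SEAF steps, a visited network can never reuse material obtained for another network.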

A key architectural change in 5G is the separation of the authentication server (AUSF) from the subscription data repository (UDM/ARPF). The long-term key K never leaves the ARPF; the AUSF only sees per-run vectors, so compromising it yields material for those runs rather than the subscriber's permanent secret, and the two functions can be scaled independently. The same AUSF and the same key hierarchy serve 3GPP access and non-3GPP access (for example Wi-Fi via the Non-3GPP InterWorking Function, N3IWF). Network slicing does not change primary authentication: slice-specific authentication (NSSAA, introduced in Rel-16) is a separate EAP procedure run by the AMF towards an AAA server, not by the AUSF. The AUSF's interfaces are the service-based Nausf (consumed by the AMF over reference point N12) and N13 towards the UDM.

Purpose & Motivation

The AUSF was introduced in 3GPP Release 15 as part of the 5G Service-Based Architecture (SBA) to meet security requirements that previous generations served poorly. In 4G EPS the Home Subscriber Server (HSS) generated authentication vectors and handed them to the Mobility Management Entity (MME) over the S6a interface; the MME then ran the challenge, verified the response and held the resulting key K_ASME, so the home network's involvement ended once the vector was delivered. That split limited scalability, flexibility and security granularity. The 5G design called for a decomposed, cloud-native, service-based architecture able to serve massive IoT, ultra-reliable low-latency communication and network slicing.

The primary purpose of the AUSF is to provide a dedicated, scalable function for primary authentication. Separating authentication from subscription and credential storage (the UDM/ARPF) applies least privilege: no single network function holds both the long-term key and the subscription profile, and a compromised AUSF yields only per-run vectors rather than permanent secrets. The separation also lets the AUSF be sized for high-volume authentication transactions, which matters for IoT deployments with millions of devices. Finally, the AUSF is the EAP server for EAP-based primary authentication: EAP-AKA' for PLMN access and, in non-public networks, other EAP methods such as EAP-TLS, which lets enterprise and industrial deployments authenticate with non-AKA credentials. EAP-5G is not an authentication method in itself; it is the encapsulation that carries NAS signalling between the UE and the N3IWF over untrusted non-3GPP access.

Another key motivation was to put the security anchor in the home network. K_AUSF is derived with the serving network name as an input (by the ARPF in 5G-AKA, by the AUSF from the EMSK in EAP-AKA') and stays in the AUSF; the serving network receives only K_SEAF. A change of serving network therefore requires a fresh primary authentication rather than a transfer of keys across operator borders, while within one serving network the derived K_AMF is shared between 3GPP and non-3GPP access to the same AMF. This 'home control' model ensures that the home operator always verifies the subscriber's identity and owns the root of the key hierarchy, and it gives mobility a cleaner security basis than the MME-centric model of EPS, where the home network lost visibility once the vector was handed over. The AUSF is therefore not just an evolutionary step but a foundational redesign of 5G security, enabling trust, scalability and service flexibility.

Key Features

  • Executes 5G-AKA and EAP-based (EAP-AKA') primary authentication, acting as the EAP server
  • Holds the anchor key K_AUSF (received from the UDM/ARPF in 5G-AKA, derived from the EMSK in EAP-AKA') and derives K_SEAF from it
  • Interfaces with the UDM/ARPF to obtain authentication vectors and the SUPI, and reports the authentication result back to the UDM
  • Serves both 3GPP and non-3GPP access with a single key hierarchy
  • Keeps the security anchor in the HPLMN: the serving network only ever receives K_SEAF
  • Supports re-authentication, and uses the retained K_AUSF to protect home-network procedures such as Steering of Roaming

Evolution Across Releases

Rel-15 Initial

Introduced as a new standalone Network Function (NF) in the 5G Core Service-Based Architecture. Defined its primary role in executing 5G-AKA and EAP-AKA' authentication, generating the K_AUSF anchor key, and establishing interfaces Nausf (service-based) and N13 (to UDM). It established the fundamental security anchor principle for 5G.

Rel-16

Enhanced support for integrated access and backhaul (IAB), vehicle-to-everything (V2X) and standalone non-public network (SNPN) scenarios. Introduced Network Slice-Specific Authentication and Authorization (NSSAA), which runs as a separate EAP procedure between the AMF and an AAA server rather than through the AUSF, and confirmed that secondary authentication towards a data network AAA is an SMF procedure in which the AUSF plays no part. Improved support for credential provisioning.

Rel-17

Extended security support to UAVs (drones): UAV authentication and authorization (UUAA) with the UAS service supplier, including UAS (Unmanned Aircraft System) remote identification, runs alongside the AUSF's primary authentication rather than replacing it. Added SNPN enhancements in which the AUSF and UDM of a credentials holder authenticate the UE, service-based interface (SBI) discovery enhancements, and further optimisations for edge computing and non-public network deployments.

Rel-18

Focus on the evolution towards 5G-Advanced, with work on authentication for AI/ML service exposure and continued enhancements for network automation. Strengthened security procedures for network slice isolation and support for network slice lifecycle management.

Rel-19

Further evolution under 5G-Advanced, with ongoing work on authentication for new service enablers, enhanced support for massive IoT and reduced capability (RedCap) devices, and continued security enhancements for emerging vertical applications and network APIs.

Rel-20

Part of the initial studies for 6G, exploring future authentication paradigms, post-quantum cryptography readiness, and identity management for more immersive and AI-native networks, with a focus on seamless and ubiquitous security across an integrated network of networks.

Defining Specifications

Specification
3GPP TS 23.501
3GPP TR 23.758
3GPP TS 24.501
3GPP TS 24.502
3GPP TR 26.891
3GPP TS 29.503
3GPP TS 29.509
3GPP TS 29.535
3GPP TS 32.255
3GPP TS 33.127
3GPP TS 33.501
3GPP TS 33.514
3GPP TS 33.535
3GPP TS 33.545
3GPP TR 33.701
3GPP TR 33.739
3GPP TR 33.741
3GPP TR 33.794
3GPP TR 33.835