Description
The Authentication Server Function (AUSF) is a critical component within the 5G Core (5GC) network's security architecture, specifically part of the Security Anchor Function (SEAF) framework. It resides in the home public land mobile network (HPLMN) and is responsible for executing the primary authentication procedure with the User Equipment (UE). The AUSF interfaces with the Unified Data Management (UDM) function to retrieve authentication credentials and subscription data, and with the Security Anchor Function (SEAF), typically co-located with the Access and Mobility Management Function (AMF) in the serving network, to relay authentication vectors and results. The AUSF does not store long-term credentials itself; instead, it acts as a relay and processing node that orchestrates the 5G Authentication and Key Agreement (5G-AKA) or Extensible Authentication Protocol (EAP)-based methods defined by 3GPP.
During the authentication procedure, when a UE attempts to register with the network, the SEAF/AMF requests authentication from the AUSF. The AUSF, in turn, interacts with the UDM/ARPF (Authentication Credential Repository and Processing Function) to obtain an authentication vector. This vector contains a random challenge (RAND), an expected response (XRES*), a network authentication token (AUTN), and the crucial keying material: the anchor key (K_AUSF). The AUSF forwards the RAND and AUTN to the UE via the SEAF. The UE computes a response (RES*) using its stored subscriber key and sends it back. The AUSF compares the received RES* with the XRES* from the UDM. Upon successful verification, the AUSF generates the primary session keys: K_SEAF (for the SEAF) and the anchor key K_AUSF, which serves as the root for deriving further keys for subsequent security contexts.
The AUSF's role is pivotal in establishing a chain of trust. The K_AUSF key it generates or receives becomes the root key for the entire security context of that registration session. From K_AUSF, further keys are derived for access network security (K_AMF), NAS signaling integrity and confidentiality, and user plane integrity (if enabled). This hierarchical key derivation ensures key separation and limits the impact of a key compromise. Furthermore, the AUSF supports re-authentication and key refresh procedures. Its architecture is designed as a stateless function, with the UDM holding the permanent state, which aids in scalability and reliability within cloud-native deployments.
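The RES*/XRES* check and the first two steps of the key hierarchy described above can be reproduced with the generic 3GPP KDF. This is an added example, not code from the page or from 3GPP; it assumes the HMAC-SHA-256 KDF of TS 33.220 Annex B.2 and the FC values of TS 33.501 Annex A, and all keys, names and identities in it are constructed sample values.

```python
import hashlib
import hmac

# FC values from TS 33.501 Annex A (A.6: K_SEAF, A.7: K_AMF).
FC_K_SEAF = 0x6C
FC_K_AMF = 0x6D

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B.2): HMAC-SHA-256 over
    S = FC || P0 || L0 || P1 || L1 ..., each Li a 2-byte big-endian length."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def ausf_confirm(res_star: bytes, xres_star: bytes, k_ausf: bytes, sn_name: str):
    """AUSF check: release K_SEAF only if RES* equals XRES*."""
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(res_star, xres_star):
        return None
    return kdf(k_ausf, FC_K_SEAF, sn_name.encode("utf-8"))

def derive_k_amf(k_seaf: bytes, supi: str, abba: bytes) -> bytes:
    """Serving-network side: K_AMF from K_SEAF, bound to SUPI and ABBA."""
    return kdf(k_seaf, FC_K_AMF, supi.encode("utf-8"), abba)

# Constructed sample values (not from any real subscriber or network).
K_AUSF = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
XRES_STAR = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
SN_A = "5G:mnc001.mcc001.3gppnetwork.org"
SN_B = "5G:mnc002.mcc001.3gppnetwork.org"
SUPI = "001010000000001"
ABBA = bytes.fromhex("0000")

if __name__ == "__main__":
    rejected = ausf_confirm(b"\x00" * 16, XRES_STAR, K_AUSF, SN_A)
    k_seaf_a = ausf_confirm(XRES_STAR, XRES_STAR, K_AUSF, SN_A)
    k_seaf_b = ausf_confirm(XRES_STAR, XRES_STAR, K_AUSF, SN_B)
    print("wrong RES* ->", rejected)
    print("K_SEAF (SN A):", k_seaf_a.hex())
    print("K_SEAF (SN B):", k_seaf_b.hex())
    print("K_AMF  (SN A):", derive_k_amf(k_seaf_a, SUPI, ABBA).hex())
```

Because the serving network name is an input to the K_SEAF derivation, the same K_AUSF yields unrelated K_SEAF values for two serving networks, which is the key separation the paragraph above refers to.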
A key architectural advancement in 5G is the separation of the authentication server (AUSF) from the subscription data repository (UDM). This enhances security by limiting the exposure of sensitive long-term keys and allows for independent scaling of authentication workloads. The AUSF also plays a role in supporting authentication for non-3GPP access (e.g., Wi-Fi) via the Non-3GPP InterWorking Function (N3IWF) and is integral to the security framework for network slicing, ensuring that authentication policies can be slice-specific. Its interfaces, such as Nausf (service-based interface) and N13 (reference point interface to the UDM), are defined for these interactions.
Purpose & Motivation
The AUSF was introduced in 3GPP Release 15 as a fundamental part of the new 5G Service-Based Architecture (SBA) to address evolving security requirements that were inadequately served by previous generations. In 4G EPS, the authentication function was integrated within the Home Subscriber Server (HSS) and Mobility Management Entity (MME) through the S6a interface. This monolithic approach presented limitations in scalability, flexibility, and security granularity. The 5G design principles demanded a more decomposed, cloud-native, and service-based architecture to support diverse use cases like massive IoT, ultra-reliable low-latency communications, and network slicing.
The primary purpose of the AUSF is to provide a dedicated, scalable function for executing robust primary authentication. By separating authentication from subscription data management (handled by the UDM), the system achieves a stronger security posture through the principle of least privilege. No single network function holds all sensitive data (long-term key and subscription profile), reducing the attack surface. This separation also allows the AUSF to be optimized for high-volume authentication transactions, which is critical for IoT scenarios with millions of devices. Furthermore, the AUSF enables the support of new, more flexible authentication methods like EAP-5G, which allows for integration with non-3GPP credentials and third-party authentication servers, a necessity for enterprise and industrial applications.
Another key motivation was to establish a permanent security anchor in the home network. The K_AUSF key generated during authentication remains stable in the home network even if the UE moves between different serving networks or access types (3GPP, non-3GPP). This 'home control' model enhances security by ensuring the home operator always verifies the subscriber's identity and controls the root of the key hierarchy. It solves the problem of key context transfer across network borders that existed in previous systems, providing a cleaner and more secure mobility security framework. The AUSF is, therefore, not just an evolutionary step but a foundational redesign for 5G security, enabling trust, scalability, and service flexibility.
Detected Changes Across Releases
From 3GPP Change Requests: specific changes extracted from the "Change history" tables of 3GPP specifications (273 CRs across 6 releases). Complements the general historical overview above with the evidence-based evolution of this function.
In Release 15, the AUSF was newly introduced as a core network function within the 5G System's service-based architecture, providing a unified authentication framework. Its introduction specifically enabled support for primary authentication procedures, including EAP-based methods, and established key service-based (Nausf) and reference point (N12, N13) interfaces. Furthermore, the AUSF's role was defined in architectures for non-seamless WLAN offload and in procedures involving secondary authentication and interactions with the UDM and NSSAAF.
- Introduction of PLMN Id in UECM & UE Authentication Services (TS 29.503 CR0026)
- 5G Trace for AUSF (TS 29.509 CR0014)
- Rules on concurrent running of authentication and NAS SMC procedure (TS 33.501 CR0004)
- Clarifications to: Protection at the network or transport layer, Authorization and authentication between network functions and the NRF (TS 33.501 CR0147)
- Supporting early trace in AUSF (TS 23.501 CR0791)
- Addition of ABBA in 5G based primary authentication procedure (TS 24.501 CR0036)
+ 61 more changes
In Release 16, the AUSF's functionality was extended to support slice-specific authentication and authorization via a new interface (N83) to the NSSAAF, and to enable authentication for new device types like N5GC devices over wireline access via the W-AGF. It also gained enhanced capabilities for Non-Seamless WLAN Offload (NSWO) through integration with an NSWOF and expanded support for EAP-based primary authentication methods beyond EAP-AKA' and EAP-TLS.
- eSBA communication schemas related to AUSF discovery and selection (TS 23.501 CR0803)
- Introduction of Slice-Specific Authentication and Authorisation (TS 23.501 CR1174)
- Slice-specific authentication and authorization procedure (TS 24.501 CR1450)
- Primary authentication using EAP methods other than EAP-AKA' and EAP-TLS (TS 24.501 CR1510)
- Extensions of EAP-TLS usage in primary authentication (TS 24.501 CR1512)
- Extensions of EAP-AKA' usage in primary authentication (TS 24.501 CR1513)
+ 67 more changes
In Release 17, the AUSF saw enhancements to support authentication for Standalone Non-Public Networks (SNPN) via an AAA Server, including new procedures for SNPN verification and "list of subscriber data" handling. It introduced a new reference point, N83, between the AUSF and the Network Slice-specific Authentication and Authorization Function (NSSAAF). Furthermore, the AUSF gained support for Non-Seamless WLAN Offload (NSWO) authentication, interfacing with an NSWOF via the Nausf service-based interface.
- SNPN support AAA Server for primary authentication and authorization (TS 23.501 CR2611)
- Remote provisioning of credentials for NSSAA or secondary authentication/authorisation (TS 23.501 CR2714)
- Reference point AUSF - NSSAAF (TS 23.501 CR3095)
- AUSF/UDM discovery based SUCI information (TS 23.501 CR3170)
- Use UPF to transfer DNS message between EASDF and DNS server (TS 23.501 CR3186)
- Authentication and Subscription information checking for Disaster Roaming service (TS 23.501 CR3251)
+ 80 more changes
In Release 18, the AUSF's enhancements primarily focused on expanding authentication support for new scenarios, including Non-Seamless WLAN Offload (NSWO) in 5GS and SNPNs using a Credentials Holder (CH) with an AAA Server, and for AUN3 devices behind a 5G-RG or FN-RG. The release also introduced the Home Trigger primary authentication procedure and further clarified authentication procedures for 5G ProSe UE-to-UE relays. These updates were supported by new architectural elements like the NSWOF and the N60 reference point between AUSF and NSWOF.
- Secondary DN authentication and authorization in EPS IWK case (TS 23.501 CR3701)
- Capability of SL Positioning Server UE over PC5 (TS 24.501 CR5437)
- Authentication for AUN3 devices supporting 5G key hierarchy (TS 24.501 CR5811)
- Impact on NAS signalling for supporting authentication of AUN3 devices supporting and not supporting 5G key hierarchy (TS 24.501 CR5812)
- Authentication and key agreement procedure for 5G ProSe UE-to-UE relay (TS 24.501 CR5820)
- Resolve EN on NAI construction for SNPN authentication (TS 24.502 CR0242)
+ 29 more changes
In Release 19, the AUSF saw enhancements including support for AUSF Selection with a Default Routing Indicator and handling the UE unreachable case for the Re-AuthenticationNotification procedure. Corrections were made to the authentication procedure for the N5CW device and to the handling of the AUTHENTICATION REJECT message by a UE configured to use timer T3245. Additionally, the release introduced updates for AUSF subscribers reallocation and corrected requirements for the attempt counter reset at authentication reject.
- AUSF subscribers reallocation (TS 29.503 CR1481)
- Correction to when and how the UPF can provide the SMF with DNS server information (TS 23.501 CR6043)
- AUSF Selection with Default Routing Indicator (TS 23.501 CR6471)
- Corrected requirements for attempt counter reset at authentication reject (TS 24.501 CR6675)
- Correction in handling AUTHENTICATION REJECT message by a UE configured to use T3245 (TS 24.501 CR7066)
- Correction of IE length for Service-level AA container in Service-level authentication command/complete message (TS 24.501 CR7092)
+ 5 more changes
In Release 20, the AUSF's enhancements included explicit support for authentication in Non-seamless WLAN offload (NSWO) architectures, where it interfaces with a new Non-Seamless WLAN Offload Function (NSWOF) via the Nausf service-based interface. This introduces a new N60 reference point between the AUSF and the NSWOF to support these procedures. Furthermore, the release clarified the AUSF's role in architectures involving a Credentials Holder or Default Credentials Server, particularly for SNPN access, as part of a unified authentication framework.
- Removal of editor's notes related to VFL server registration (TS 23.501 CR6488)
Defining Specifications
3GPP specifications that define or reference AUSF, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 23.501 vk00 | 5G System Architecture Stage 2 | Rel-20 |
| TR 23.758 vh00 | Study on Edge Application Architecture | Rel-17 |
| TS 24.501 vj50 | 5G NAS Protocols Specification | Rel-19 |
| TS 24.502 vj20 | 5G Core Access via Non-3GPP Networks; Stage 3 | Rel-19 |
| TS 26.891 vg00 | Media Distribution Services in 5G System | Rel-16 |
| TS 29.503 vj50 | UDM Service Based Interface Stage 3 | Rel-19 |
| TS 29.509 vj50 | AUSF Service Based Interface Protocol | Rel-19 |
| TS 29.535 vj40 | 5G AKMA Anchor Services Stage 3 Protocol | Rel-19 |
| TS 32.255 vk10 | Telecom Management; Charging for 5G Data Connectivity | Rel-20 |
| TS 33.127 vj50 | Lawful Interception Architecture and Functions | Rel-19 |
| TS 33.501 vk00 | 5G Security Architecture and Procedures | Rel-20 |
| TS 33.514 vk00 | 5G Security Assurance for UDM | Rel-20 |
| TS 33.535 vj00 | 5G AKMA: Authentication and Key Management for Apps | Rel-19 |
| TS 33.545 vj20 | Security for NR Femto Subsystem | Rel-19 |
| TS 33.701 vj00 | Study on mitigations against bidding down attacks | Rel-19 |
| TR 33.739 vi10 | Study on security enhancement of support for | Rel-18 |
| TR 33.741 vi01 | Home Network Triggered Authentication | Rel-18 |
| TS 33.794 vj10 | Study on Zero Trust Security Enablers for 5G | Rel-19 |
| TS 33.835 vg10 | Study on authentication and key management for apps | Rel-16 |