AUTS

Re-synchronisation Token

Security
Introduced in Rel-6
AUTS is a security token used in 3GPP networks to re-synchronize the sequence number (SQN) between a User Equipment (UE) and the Authentication Centre (AuC) during the AKA protocol. It is generated by the UE when it detects a sequence number synchronization failure, allowing the network to securely recover and continue authentication. This mechanism is critical for preventing denial-of-service attacks and ensuring robust, uninterrupted service for subscribers.

Description

The AUTS (Re-synchronisation Token) is a fundamental component of the 3GPP Authentication and Key Agreement (AKA) protocol, specifically designed to handle sequence number (SQN) synchronization failures. The AKA protocol relies on a counter, the SQN, which is maintained independently by the Authentication Centre (AuC) in the network and the Universal Subscriber Identity Module (USIM) in the user's device. This SQN must increment with each authentication attempt to prevent replay attacks. However, due to network issues, state mismanagement, or a USIM being used in a different network, the SQN received from the network can fall outside the window the USIM accepts relative to its own stored SQN, causing authentication failure.

When such a synchronization failure occurs, the UE (specifically the USIM) does not simply reject the authentication. Instead, it triggers a re-synchronization procedure. As part of this, the UE constructs the AUTS token. The AUTS is a concatenation of two main elements: the USIM's sequence number (SQN_MS) in concealed form, and a Message Authentication Code (MAC-S). SQN_MS is the USIM's current sequence number; it is concealed with the anonymity key (AK) so that the counter value cannot be observed and used to track the subscriber. The MAC-S is a cryptographic checksum calculated over SQN_MS using the shared secret key (K) and the re-synchronization variant of the MAC algorithm (f1*), providing integrity and authentication for the re-synchronization request.

The UE sends this AUTS token back to the network within the authentication failure response message. Upon receipt, the serving network (e.g., the VLR/SGSN or MME) forwards it to the subscriber's home network (HLR/HSS). The HSS/AuC then processes the AUTS. It first extracts the concealed SQN_MS by applying the anonymity key (AK), which is derived from the shared secret key (K) and a random challenge (RAND). It then verifies the MAC-S using the same f1* algorithm and the shared key K. If the MAC-S is valid, the AuC accepts the SQN_MS from the UE as the new, correct sequence number, updates its internal database, and generates a new authentication vector with a fresh SQN that is in sync with the UE.
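The two halves of the procedure above, USIM-side AUTS construction and AuC-side verification, as an added worked example; this is not code from TS 33.102 or any 3GPP or operator implementation. The token layout (48-bit SQN, 64-bit MAC-S, SQN_MS concealed by XOR with AK) and the MAC-S input SQN_MS || RAND || AMF* follow TS 33.102, but HMAC-SHA256 stands in for the keyed functions f1* and f5*, which in a real network are MILENAGE (TR 35.205 series) or TUAK; the USIM freshness window (DELTA), the helper names, and the sample key and RAND are all constructed assumptions.

```python
"""AKA sequence-number re-synchronisation with an AUTS token (illustrative, added example)."""
import hashlib
import hmac
from typing import Optional

SQN_LEN = 6             # SQN is 48 bits (TS 33.102)
MAC_LEN = 8             # MAC-S is 64 bits
AMF_STAR = b"\x00\x00"  # AMF* used in the re-sync MAC is all zeros (TS 33.102)
DELTA = 2 ** 28         # largest forward SQN jump the USIM accepts; constructed value


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def f1_star(k: bytes, sqn: bytes, rand: bytes) -> bytes:
    """Stand-in for f1*: MAC-S over SQN_MS || RAND || AMF*.
    HMAC-SHA256 is a placeholder here, not the MILENAGE/TUAK f1*."""
    return hmac.new(k, b"f1*" + sqn + rand + AMF_STAR, hashlib.sha256).digest()[:MAC_LEN]


def f5_star(k: bytes, rand: bytes) -> bytes:
    """Stand-in for f5*: derives the anonymity key AK that conceals SQN_MS."""
    return hmac.new(k, b"f5*" + rand, hashlib.sha256).digest()[:SQN_LEN]


def usim_sqn_acceptable(sqn_he: int, sqn_ms: int) -> bool:
    """Simplified USIM freshness check: the network's SQN must be newer than the
    USIM's highest accepted SQN and must not jump more than DELTA ahead of it."""
    return sqn_ms < sqn_he <= sqn_ms + DELTA


def build_auts(k: bytes, sqn_ms: int, rand: bytes) -> bytes:
    """USIM side: AUTS = (SQN_MS xor AK) || MAC-S, 14 bytes."""
    sqn = sqn_ms.to_bytes(SQN_LEN, "big")
    conc_sqn = xor_bytes(sqn, f5_star(k, rand))
    mac_s = f1_star(k, sqn, rand)
    return conc_sqn + mac_s


def verify_auts(k: bytes, rand: bytes, auts: bytes) -> Optional[int]:
    """AuC side: unmask SQN_MS with AK, recompute MAC-S over the recovered value,
    and return SQN_MS only if the MAC matches; otherwise None (SQN_HE stays as is)."""
    if len(auts) != SQN_LEN + MAC_LEN:
        return None
    conc_sqn, mac_s = auts[:SQN_LEN], auts[SQN_LEN:]
    sqn = xor_bytes(conc_sqn, f5_star(k, rand))
    if not hmac.compare_digest(f1_star(k, sqn, rand), mac_s):
        return None  # forged or corrupted re-sync request is ignored
    return int.from_bytes(sqn, "big")


def resync(k: bytes, sqn_he: int, sqn_ms: int, rand: bytes) -> Optional[int]:
    """One challenge round. Returns the SQN the AuC holds afterwards: unchanged when
    the USIM accepted the challenge, SQN_MS after a valid AUTS, None if AUTS failed."""
    if usim_sqn_acceptable(sqn_he, sqn_ms):
        return sqn_he
    auts = build_auts(k, sqn_ms, rand)      # USIM returns AUTS in the failure response
    return verify_auts(k, rand, auts)       # HSS/AuC sets SQN_HE := SQN_MS on success


# Constructed sample values, not real subscriber material
K_SAMPLE = bytes(range(16))
RAND_SAMPLE = bytes(range(16, 32))

if __name__ == "__main__":
    stale_he, current_ms = 5, 0x1234    # AuC lags behind the USIM (e.g. restored from backup)
    print("AuC SQN after re-sync:", resync(K_SAMPLE, stale_he, current_ms, RAND_SAMPLE))
```

The `verify_auts` path is where the security property described above lives: because MAC-S is recomputed over the unmasked SQN_MS with K, any change to the concealed counter, a replayed AUTS against a different RAND, or a token built without K fails the constant-time comparison and leaves the AuC's stored SQN untouched.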

This entire process allows the network to recover from a desynchronized state without requiring manual intervention or causing a permanent service denial for the user. The AUTS mechanism is embedded within the standard authentication response flow (specified in TS 33.102 and related specs), ensuring it is a seamless part of network security operations. Its design ensures that the re-synchronization is itself secure, as the MAC-S proves the request originated from a legitimate USIM possessing the correct secret key, preventing malicious actors from forcing a sequence number reset.

Purpose & Motivation

The AUTS token was created to solve a critical robustness problem in the 3GPP AKA protocol. The original AKA protocol's security heavily depended on the synchronization of the SQN counter between the network and the USIM. Without a recovery mechanism, any persistent mismatch—caused by database errors in the network, the USIM being used in a different network with a different SQN space, or other operational glitches—would permanently block a subscriber from authenticating, resulting in a denial of service. This was an unacceptable reliability issue for commercial mobile networks.

Prior to the formalization of the AUTS-based procedure in 3GPP, handling such failures was non-standard and potentially insecure. Operators might have relied on manual resets or proprietary fallback methods that could compromise security. The introduction of AUTS in Release 6 provided a standardized, cryptographically secure method for automatic recovery. It addressed the limitation of the earlier, more rigid AKA flow by adding a feedback loop from the UE to the AuC, allowing the network to be corrected by the client's state in a controlled manner.

The motivation was to enhance both the security and service availability of 3G (and later 4G/5G) networks. It ensures that the strong mutual authentication of AKA is maintained without being brittle. By solving the SQN synchronization problem, AUTS prevents a class of failures that could otherwise be exploited for denial-of-service attacks or lead to poor customer experience, making the overall security architecture more resilient and operator-friendly.

Key Features

  • Enables secure recovery from sequence number (SQN) mismatches in the AKA protocol
  • Contains a concealed version of the UE's sequence number (SQN_MS) for privacy
  • Includes a Message Authentication Code (MAC-S) to verify the authenticity of the re-sync request
  • Prevents denial-of-service attacks resulting from permanent authentication failures
  • Operates within the standard authentication failure response message flow
  • Allows the HSS/AuC to securely update its SQN record based on legitimate UE input

Evolution Across Releases

Rel-6 Initial

Introduced the AUTS token and the standardized re-synchronization procedure for UMTS AKA. It defined the structure of AUTS (concatenation of SQN_MS and MAC-S) and the algorithms for its generation and verification, primarily specified in TS 33.102. This provided the initial architecture for securely resolving SQN synchronization failures between the USIM and the network's AuC.

Defining Specifications

Specification   Title
TS 24.109       3GPP TS 24.109
TS 33.223       3GPP TR 33.223
TS 35.205       3GPP TR 35.205
TS 35.234       3GPP TR 35.234