KAKMA

AKMA Anchor Key

Security
Introduced in Rel-16
The root symmetric key of the AKMA framework, derived by the AUSF and by the UE from KAUSF after a successful 5G primary authentication. It serves as the master secret from which the application-specific keys (KAF) are derived, anchoring application security to the subscriber's primary network credential.

Description

The KAKMA (AKMA Anchor Key) is the foundational cryptographic key within the Authentication and Key Management for Applications (AKMA) system. It is a symmetric key established as a byproduct of a successful primary authentication procedure between the User Equipment (UE) and the 5G Core Network, using 5G AKA or EAP-AKA'. Primary authentication leaves both the UE and the Authentication Server Function (AUSF) holding KAUSF; when the subscription indicates AKMA support, the AUSF derives KAKMA from KAUSF, together with the AKMA Key Identifier (A-KID) under which the key is later referenced, and pushes both to the AKMA Anchor Function (AAnF) in the subscriber's home network, which stores and manages them. The UE derives the same KAKMA and A-KID independently from its own copy of KAUSF, so no AKMA-specific message has to be exchanged to establish the anchor key.

The KAKMA is never used directly to protect traffic. Its sole purpose is to serve as the root key for deriving AKMA Application Keys (KAFs). A KAF is derived from KAKMA with the 3GPP Key Derivation Function (KDF), using as input the identity of the target Application Function (AF_ID, formed from the AF's FQDN and the identifier of the Ua* security protocol the AF will run). Because the KDF is one-way and the inputs differ per AF, each application receives a unique key from the same root: a KAF leaked by one AF reveals neither KAKMA nor any other AF's KAF. On the network side the AAnF is the custodian of KAKMA; when an authorized AF presents an A-KID (directly or via the NEF), the AAnF derives the corresponding KAF on demand and returns only that KAF, with its lifetime, to the AF.
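The key hierarchy described above, as an added example that is not part of the original entry or of any 3GPP code: the generic 3GPP KDF (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..., TS 33.220 Annex B), the KAKMA derivation from KAUSF and the KAF derivation from KAKMA with the FC values and labels of TS 33.535 Annex A as the editor recalls them (check them against the current spec before relying on the exact bytes), and a minimal AAnF that hands out KAFs without ever exposing the anchor key. The KAUSF value, SUPI, A-KID string and Ua* protocol identifier are constructed sample values, not registered ones, and the A-KID is treated as an opaque handle rather than built in its NAI form.

```python
import hmac
import hashlib
from typing import Dict, Tuple


def kdf_3gpp(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256 keyed with `key` over
    S = FC || P0 || L0 || P1 || L1 || ..., each Li being the 2-octet big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kakma(k_ausf: bytes, supi: str) -> bytes:
    """KAKMA = KDF(KAUSF, FC=0x80, P0="AKMA", P1=SUPI)  (TS 33.535 Annex A.2, as recalled)."""
    return kdf_3gpp(k_ausf, 0x80, b"AKMA", supi.encode("utf-8"))


def build_af_id(fqdn: str, ua_star_protocol_id: bytes) -> bytes:
    """AF_ID = FQDN of the AF || Ua* security protocol identifier (5 octets)."""
    if len(ua_star_protocol_id) != 5:
        raise ValueError("Ua* security protocol identifier is 5 octets")
    return fqdn.encode("utf-8") + ua_star_protocol_id


def derive_kaf(k_akma: bytes, af_id: bytes) -> bytes:
    """KAF = KDF(KAKMA, FC=0x82, P0=AF_ID)  (TS 33.535 Annex A.4, as recalled)."""
    return kdf_3gpp(k_akma, 0x82, af_id)


class AAnF:
    """Minimal AKMA Anchor Function: keeps KAKMA per A-KID, releases only KAFs."""

    def __init__(self, kaf_lifetime_s: int = 3600):
        self._contexts: Dict[str, bytes] = {}  # A-KID -> KAKMA
        self.kaf_lifetime_s = kaf_lifetime_s

    def store(self, a_kid: str, k_akma: bytes) -> None:
        # Pushed by the AUSF after primary authentication; a new authentication
        # replaces the anchor context for this subscriber.
        self._contexts[a_kid] = k_akma

    def get_kaf(self, a_kid: str, af_id: bytes) -> Tuple[bytes, int]:
        # What the AF obtains (e.g. over Naanf_AKMA_ApplicationKey_Get): KAF plus a
        # lifetime. KAKMA itself never leaves the AAnF. Unknown A-KID -> KeyError.
        k_akma = self._contexts[a_kid]
        return derive_kaf(k_akma, af_id), self.kaf_lifetime_s


def demo() -> dict:
    # Constructed sample values, not real keys or registered identifiers.
    k_ausf = bytes(range(32))
    supi = "imsi-001010123456789"
    a_kid = "constructed-a-kid"            # opaque handle; NAI layout not modelled
    proto_id = b"\x01\x00\x00\x00\x01"     # hypothetical Ua* protocol identifier

    # UE and network each derive KAKMA from their own copy of KAUSF.
    k_akma_ue = derive_kakma(k_ausf, supi)
    aanf = AAnF()
    aanf.store(a_kid, derive_kakma(k_ausf, supi))

    af1 = build_af_id("af1.example.com", proto_id)
    af2 = build_af_id("af2.example.com", proto_id)
    kaf1_net, lifetime = aanf.get_kaf(a_kid, af1)
    kaf2_net, _ = aanf.get_kaf(a_kid, af2)
    kaf1_ue = derive_kaf(k_akma_ue, af1)   # UE needs only AF_ID to match the network

    return {
        "ue_matches_network": kaf1_ue == kaf1_net,
        "afs_separated": kaf1_net != kaf2_net,
        "kaf_equals_kakma": k_akma_ue in (kaf1_net, kaf2_net),
        "kaf_lifetime_s": lifetime,
    }


if __name__ == "__main__":
    print(demo())
```

The separation property is what a reviewer should check in any AKMA integration: an AF that changes its FQDN or Ua* protocol identifier gets a different KAF, and two AFs sharing one FQDN would share a key unless their protocol identifiers differ, which is why AF_ID carries both.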

Architecturally, the KAKMA sits at the heart of the AKMA trust model. It bridges network access security (handled by the AMF, AUSF, and UDM) and application-level security. Its lifecycle is bound to primary authentication rather than to registration state: KAKMA has no explicit lifetime of its own and is replaced, together with its A-KID, whenever a new primary authentication produces a new KAUSF, so the network can refresh the anchor for a subscriber simply by re-authenticating. Each KAF issued from it carries its own lifetime, which the AF enforces; a refresh of KAKMA does not by itself revoke a KAF already in use. The security of the entire framework hinges on the confidentiality and integrity of KAKMA, which is held in the UE's mobile equipment (the USIM takes part only in primary authentication, not in AKMA key handling) and in the home network's trusted functions (AUSF and AAnF).

Purpose & Motivation

The KAKMA was created to provide a persistent, network-derived cryptographic anchor that extends the trust from 3GPP primary authentication into the application layer. Prior to AKMA, there was no standardized mechanism for applications to leverage the strong, SIM-based authentication of the cellular network. Applications had to establish their own security context from scratch, often with weaker methods. The KAKMA solves this by creating a reusable security asset post-network authentication.

Its existence addresses the problem of authentication silos. Without it, each service provider (Application Function) would need to implement its own authentication and key agreement with the user, leading to a fragmented user experience and complex key management. The KAKMA provides a common root of trust within the home operator's domain, allowing multiple, potentially unrelated, Application Functions to obtain secure, user-specific keys without ever interacting with the user's long-term credential directly.

The motivation is rooted in enabling new service paradigms like secure IoT onboarding, seamless media service access, and identity federation, where the mobile network identity is a valuable asset. By establishing the KAKMA, 3GPP defined a standardized way to bootstrap a wide array of application security sessions, simplifying development for service providers and enhancing security and usability for end-users. It transforms the network from a pure connectivity provider into a trusted security anchor for a digital ecosystem.

Key Features

  • Derived once per successful primary authentication (5G AKA/EAP-AKA') from KAUSF, when the subscription indicates AKMA.
  • Serves as the root key for deriving all AKMA Application Keys (KAFs).
  • Securely stored in the AKMA Anchor Function (AAnF) in the home network and in the UE's mobile equipment.
  • Replaced by each new primary authentication; has no explicit lifetime of its own, while each derived KAF carries its own lifetime.
  • Never exposed to Application Functions, which receive only their KAF, protecting the root of the key hierarchy.
  • Enables cryptographic separation between applications via one-way key derivation with a per-AF input (AF_ID).

Evolution Across Releases

Rel-16 Initial

Introduced as the cornerstone of the new AKMA framework. Defined its generation by the AUSF after successful primary authentication, its storage in the new AAnF logical function, and its role as the source for deriving KAFs. Established the fundamental key hierarchy for application security bootstrapping.

Defining Specifications

Specification    Title
TS 33.535        Authentication and Key Management for Applications (AKMA) based on 3GPP credentials in the 5G System (5GS)
TS 33.127        Lawful Interception (LI) architecture and functions