KDF

Key Derivation Function

Security
Introduced in Rel-8
A cryptographic function that generates one or more secret keys from a master key and other input parameters. It is fundamental to 3GPP security architecture, enabling secure derivation of keys for encryption, integrity protection, and authentication across different network domains and services.

Description

The Key Derivation Function (KDF) is a cornerstone of the 3GPP security framework, specified in the 3GPP TS 33 series. It is a deterministic algorithm that takes a master secret key (such as CK/IK from AKA or K_{ASME} from EPS-AKA) together with other specific input parameters and produces one or more cryptographically strong derived keys. These derived keys serve distinct security purposes, such as ciphering (encryption) and integrity protection of user data and control signalling on various interfaces (e.g., Uu, N1, N2). The KDF ensures key separation: keys used for different purposes, in different network domains, or for different users are cryptographically distinct even when derived from the same root secret.

Architecturally, the KDF is implemented within security entities in both the User Equipment (UE) and the network, such as the USIM, the UE's security module, the Authentication Server Function (AUSF), and the Access and Mobility Management Function (AMF). Its operation is tightly integrated with authentication and key agreement procedures like 5G-AKA and EAP-AKA'. The function itself is typically based on a hash-based message authentication code (HMAC), often using SHA-256, providing a proven and standardized method for key derivation.

The function operates on a precisely constructed input string. The standard inputs are the master key, an FC (Function Code) value identifying the purpose of the derived key (e.g., NAS encryption, RRC integrity), and a set of parameters P0, P1, ... each followed by its length field L0, L1, .... These parameters supply context, such as the serving network name, the algorithm type distinguisher, and sequence numbers. The KDF processes these inputs to generate a bit string of the required length, which is then partitioned into the specific derived keys (e.g., K_{NASenc}, K_{RRCint}, K_{UPenc}). Because every cryptographic context yields a distinct input string, each context receives a unique key, so the compromise of one derived key does not affect the others.
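The construction described above, as an added example that is not part of this glossary entry: a generic HMAC-SHA-256 KDF over S = FC || P0 || L0 || P1 || L1 ..., applied to the EPS algorithm-key derivation. The FC value 0x15, the algorithm type distinguishers and the "128 least significant bits" truncation are quoted from TS 33.401 Annex A.7 as I recall it and should be checked against the specification; the input key is a constructed sample, not real key material.

```python
import hmac
import hashlib

# Generic 3GPP KDF (TS 33.220 Annex B construction): HMAC-SHA-256 over
# S = FC || P0 || L0 || P1 || L1 || ..., where each Li is the 2-byte
# big-endian length of Pi. Distinct (FC, parameters) => distinct S.
def build_s(fc: int, params: list[bytes]) -> bytes:
    s = bytes([fc])
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("parameter too long for a 2-byte length field")
        s += p + len(p).to_bytes(2, "big")
    return s

def kdf(key: bytes, fc: int, params: list[bytes]) -> bytes:
    """Full 256-bit KDF output for the given key and input string."""
    return hmac.new(key, build_s(fc, params), hashlib.sha256).digest()

# EPS algorithm-key derivation (TS 33.401 Annex A.7, quoted from memory):
# FC = 0x15, P0 = algorithm type distinguisher (1 byte),
# P1 = algorithm identity (4-bit value in 1 byte). The 128-bit algorithm
# key is the 128 least significant bits of the 256-bit output.
FC_ALG_KEY = 0x15
ALG_TYPE = {"NAS-enc": 0x01, "NAS-int": 0x02, "RRC-enc": 0x03,
            "RRC-int": 0x04, "UP-enc": 0x05, "UP-int": 0x06}

def derive_alg_key(parent_key: bytes, alg_type: str, alg_id: int) -> bytes:
    """parent_key is K_ASME for NAS keys and K_eNB for RRC/UP keys."""
    if len(parent_key) != 32:
        raise ValueError("parent key must be 256 bits")
    if not 0 <= alg_id <= 0x0F:
        raise ValueError("algorithm identity is a 4-bit value")
    p0 = bytes([ALG_TYPE[alg_type]])
    p1 = bytes([alg_id])
    out = kdf(parent_key, FC_ALG_KEY, [p0, p1])
    return out[16:]  # 128 least significant bits = trailing 16 bytes

def keys_are_separated(parent_key: bytes, alg_id: int) -> bool:
    """Key-separation check: every type distinguisher yields a different key."""
    derived = {derive_alg_key(parent_key, t, alg_id) for t in ALG_TYPE}
    return len(derived) == len(ALG_TYPE)

if __name__ == "__main__":
    K_ASME = bytes(range(32))  # constructed sample key, not real key material
    for name in ("NAS-enc", "NAS-int"):
        print(name, derive_alg_key(K_ASME, name, 2).hex())
    print("separated:", keys_are_separated(K_ASME, 2))
```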

Purpose & Motivation

The KDF exists to solve the critical problem of key management and lifecycle within a complex, multi-layered mobile network. Relying on a single, static key for all security functions is a major vulnerability; if that key is compromised, the entire security of the subscriber's session collapses. The KDF enables the creation of a hierarchy of keys from a single root, established during authentication. This root key never leaves secure storage, while derived, session-specific keys are used for actual protection of traffic.

Historically, as networks evolved from 2G to 3G and beyond, the need for stronger and more granular security became apparent; earlier systems reused keys across more contexts. The introduction of the KDF in 3GPP Release 8 with EPS (LTE) formalized and strengthened this concept, providing a standardized, algorithm-agile framework. It addressed the limitations of previous ad-hoc approaches by ensuring cryptographic separation of the keys used for control plane and user plane, for integrity and confidentiality, and for different network access technologies (e.g., 3G vs LTE). This separation limits the impact of any key exposure and is a fundamental security-by-design principle.

Furthermore, the KDF provides the flexibility needed for network evolution. As new services (like network slicing), new interfaces, and new cryptographic algorithms are introduced, the KDF framework can be extended by defining new Function Codes and input parameters without altering the core authentication mechanism. This future-proofs the security architecture, allowing new derived keys to be cleanly integrated for novel security contexts, such as those required for Non-3GPP access or service-based architecture interfaces.

Key Features

  • Standardized algorithm based on HMAC-SHA-256 for cryptographic robustness
  • Enforces key separation principle for different cryptographic contexts (e.g., NAS vs RRC, integrity vs encryption)
  • Uses a structured input string with Function Code and parameters to define key purpose unambiguously
  • Generates multiple session-specific keys from a single long-term master key
  • Integral part of 5G-AKA, EPS-AKA, and EAP-AKA' authentication procedures
  • Provides algorithm agility, allowing for future updates to the underlying cryptographic hash function

Evolution Across Releases

Rel-8 Initial

Introduced as a core component of the EPS (LTE) security architecture. The initial specification defined the KDF framework for deriving keys like K_{ASME} from CK/IK, and subsequently keys for NAS and AS security (e.g., K_{NASenc}, K_{RRCint}) from K_{ASME}. It established the HMAC-SHA-256 based construction and the principle of key derivation with distinct FC values.

Enhanced for 5G System (5GS) security. Introduced new anchor key K_{AUSF} and the key hierarchy based on K_{SEAF}. Defined new Function Codes and parameters for deriving 5G-specific keys like K_{AMF}, K_{NASenc}, and K_{gNB} to support the service-based architecture and enhanced subscriber privacy (SUCI).

Extended KDF usage for new scenarios including Integrated Access and Backhaul (IAB), where keys are derived for secure communication between IAB nodes, and for enhanced support of Non-3GPP access (e.g., wireline) interworking with the 5G core.

Further refinements for advanced use cases. This included key derivation enhancements for UAV (drone) control and authentication, and for application layer security in mission-critical services, ensuring proper key isolation for these specialized services.

Continued evolution to support network slicing security isolation, with potential refinements in parameter usage for slice-specific key derivation contexts, and ongoing work for post-quantum cryptography readiness within the KDF framework.

Defining Specifications

Specification    Title
TS 31.213        3GPP TR 31.213
TS 33.110        3GPP TR 33.110
TS 33.122        3GPP TR 33.122
TS 33.180        3GPP TR 33.180
TS 33.220        3GPP TR 33.220
TS 33.224        3GPP TR 33.224
TS 33.259        3GPP TR 33.259
TS 33.401        3GPP TR 33.401
TS 33.535        3GPP TR 33.535
TS 33.739        3GPP TR 33.739
TS 33.834        3GPP TR 33.834
TS 33.835        3GPP TR 33.835
TS 33.841        3GPP TR 33.841
TS 33.859        3GPP TR 33.859
TS 33.863        3GPP TR 33.863
TS 33.880        3GPP TR 33.880
TS 33.938        3GPP TR 33.938