KDF

Key Derivation Function

Introduced in Rel-8

KDF is a cryptographic function that generates one or more secret keys from a master key and other parameters for encryption, integrity, and authentication in 3GPP networks.

Category: Security
Introduced: Rel-8
Where: Security
Specifications: 17

Description

The Key Derivation Function (KDF) is a cornerstone of the 3GPP security framework. It is defined generically in TS 33.220 Annex B and instantiated by the key hierarchies of TS 33.401 (EPS) and TS 33.501 (5G). It is a deterministic algorithm that takes a secret input key (CK || IK from UMTS AKA, K_ASME in EPS, K_AUSF, K_SEAF or K_AMF in 5G) together with a set of context parameters and produces a cryptographically strong derived key. Derived keys serve distinct purposes: ciphering and integrity protection of NAS signalling, RRC signalling and user-plane data over the radio interface, and further keys for non-3GPP access and application security (GBA, AKMA). The KDF provides key separation: keys for different purposes, network domains, access types or subscribers are cryptographically distinct even when derived from the same root secret.

Architecturally, the KDF runs in the UE and in several network entities, each deriving the keys for its own layer of the hierarchy: in EPS the HSS, MME and eNB, in 5G the UDM/ARPF, AUSF, SEAF/AMF and gNB. On the UE side the derivations below the AKA output are performed in the ME; the USIM itself derives keys only for GBA_U. Its operation is tightly integrated with the authentication and key agreement procedures (EPS-AKA, 5G-AKA and EAP-AKA'). The function is HMAC-SHA-256 (TS 33.220 Annex B): derived key = HMAC-SHA-256(Key, S), producing a 256-bit output, a proven and standardized construction.

How it works involves a precise input string construction. The KDF takes the parent key and a string S = FC || P0 || L0 || P1 || L1 || ... || Pn || Ln, where FC is a one-octet Function Code identifying the derivation (algorithm key derivation is FC = 0x15 in TS 33.401 Annex A.7 and FC = 0x69 in TS 33.501 Annex A.8), each Pi is a context parameter (serving network name, algorithm type distinguisher, algorithm identity, NAS COUNT, SQN ⊕ AK, and so on) and each Li is the two-octet length of Pi. The output is the 256-bit HMAC-SHA-256 of S under the parent key. Each derived key comes from its own KDF invocation with its own FC and parameters, not from partitioning one long output; for 128-bit algorithms the 128 least significant bits of the result are used as the algorithm key (K_NASenc, K_RRCint, K_UPenc, ...). Because every context differs in at least one input and HMAC-SHA-256 is one-way, keys for different contexts are unrelated in practice: recovering K_NASenc reveals neither K_AMF nor its sibling keys.
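The derivation described above, as an added worked example (not code from 3GPP or from this page): the generic TS 33.220 Annex B KDF, the S-string construction, and the 5G algorithm-key derivation of TS 33.501 Annex A.8 applied to a constructed K_AMF. The FC values 0x69 (5G) and 0x15 (EPS) and the algorithm type distinguishers are taken from those specifications; the parent key, the function names and the separation check are the example's own.

```python
"""3GPP KDF (TS 33.220 Annex B) and 5G algorithm-key derivation (TS 33.501 A.8).
Illustrative code, not from 3GPP or this page; standard library only."""
import hashlib
import hmac

# Function Codes from the specifications.
FC_5G_ALG_KEY = 0x69   # TS 33.501 A.8: algorithm keys from K_AMF (NAS) or K_gNB (AS)
FC_EPS_ALG_KEY = 0x15  # TS 33.401 A.7: algorithm keys from K_ASME (NAS) or K_eNB (AS)

# Algorithm type distinguishers (P0) from TS 33.501 A.8.
ALG_TYPE = {
    "NAS-enc": 0x01, "NAS-int": 0x02,
    "RRC-enc": 0x03, "RRC-int": 0x04,
    "UP-enc": 0x05, "UP-int": 0x06,
}


def build_s(fc: int, *params: bytes) -> bytes:
    """S = FC || P0 || L0 || P1 || L1 || ... ; FC is one octet and each Li is the
    two-octet big-endian length of Pi."""
    if not 0 <= fc <= 0xFF:
        raise ValueError("FC must fit in one octet")
    s = bytes([fc])
    for p in params:
        if len(p) > 0xFFFF:
            raise ValueError("parameter longer than a two-octet length field allows")
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: derived key = HMAC-SHA-256(Key, S), 256-bit output."""
    return hmac.new(key, build_s(fc, *params), hashlib.sha256).digest()


def algorithm_key(parent: bytes, alg_type: str, alg_id: int,
                  fc: int = FC_5G_ALG_KEY) -> bytes:
    """Derive a 128-bit algorithm key (K_NASenc, K_RRCint, ...) from its parent.
    P0 = algorithm type distinguisher, P1 = algorithm identity (e.g. 0x02 for
    128-NEA2 / 128-NIA2). For 128-bit algorithms the specifications use the
    128 least significant bits of the 256-bit output, i.e. the last 16 bytes."""
    full = kdf(parent, fc, bytes([ALG_TYPE[alg_type]]), bytes([alg_id]))
    return full[16:]


def derive_nas_keys(k_amf: bytes, enc_alg_id: int, int_alg_id: int) -> dict:
    """The pair of NAS keys that AMF and UE both compute once the NAS Security
    Mode Command has selected the ciphering and integrity algorithms."""
    return {
        "K_NASenc": algorithm_key(k_amf, "NAS-enc", enc_alg_id),
        "K_NASint": algorithm_key(k_amf, "NAS-int", int_alg_id),
    }


def keys_are_separated(k_amf: bytes) -> bool:
    """Key separation check: every (type, algorithm) context yields a distinct key
    from one parent, and a different parent shares none of them."""
    contexts = [(t, a) for t in ALG_TYPE for a in (0x01, 0x02, 0x03)]
    keys = [algorithm_key(k_amf, t, a) for t, a in contexts]
    other_parent = bytes(b ^ 0xFF for b in k_amf)
    other = [algorithm_key(other_parent, t, a) for t, a in contexts]
    return len(set(keys)) == len(keys) and not set(keys) & set(other)


if __name__ == "__main__":
    # Constructed sample parent key; a real K_AMF comes out of 5G-AKA or EAP-AKA'.
    K_AMF = bytes(range(32))
    for name, k in derive_nas_keys(K_AMF, enc_alg_id=0x02, int_alg_id=0x02).items():
        print(f"{name}: {k.hex()}")
    print("S for NAS-enc / 128-NEA2:", build_s(FC_5G_ALG_KEY, b"\x01", b"\x02").hex())
    print("separated:", keys_are_separated(K_AMF))
```

The same `kdf` serves every level of the hierarchy; only the FC and the parameter list change per derivation, which is why new keys (EN-DC, AKMA, trusted non-3GPP access) could be added in later releases by allocating FC values rather than changing the function.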

Purpose & Motivation

The KDF exists to solve the critical problem of key management and lifecycle within a complex, multi-layered mobile network. Relying on a single, static key for all security functions is a major vulnerability; if that key is compromised, the entire security of the subscriber's session collapses. The KDF enables the creation of a hierarchy of keys from a single root, established during authentication. This root key never leaves secure storage, while derived, session-specific keys are used for actual protection of traffic.

Historically, as networks evolved from 2G to 3G and beyond, the need for stronger and more granular security became apparent. GSM used the single key Kc produced by authentication directly for ciphering, and UMTS used CK and IK from AKA directly as the ciphering and integrity keys. Release 8 generalized the KDF already used by GBA (TS 33.220 Annex B) into the EPS key hierarchy of TS 33.401, providing a standardized, algorithm-agile framework. It addressed the limitations of the earlier approach by ensuring cryptographic separation of keys used for control plane and user plane, for integrity and confidentiality, and for different access technologies (e.g., 3G vs LTE). This separation limits the impact of any key exposure and is a fundamental security-by-design principle.

Furthermore, the KDF provides the flexibility needed for network evolution. As new services (like network slicing), new interfaces, and new cryptographic algorithms are introduced, the KDF framework can be extended by defining new Function Codes and input parameters without altering the core authentication mechanism. This future-proofs the security architecture, allowing new derived keys to be cleanly integrated for novel security contexts, such as those required for Non-3GPP access or service-based architecture interfaces.

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (10 CRs across 4 releases). This complements the general historical overview above with the evidence-based evolution of this function.

The function has been normative since Rel-8; the change requests below, from Rel-15 onward, record its later evolution.

Rel-15 (3 changes)

In Release 15, the KDF was updated to introduce a dedicated FC value for key derivations in the EDCE5 context and to align the specification of the key derivation function for the SgNB key in EDCE5 with the 5G specification framework. This ensured consistency for security algorithms between the UE and SgNB. Furthermore, the release formalized references to the existing EN-DC algorithm and key derivation descriptions found in TS 33.501.

  • Assigning an FC value for EDCE5 key derivations (TS 33.220 CR0189)
  • Aligning the specification of the key derivation function for the key used in security algorithms between UE and SgNB in EDCE5 with the 5G specification (TS 33.401 CR0625)
  • Referencing the algorithm and key derivation description for EN-DC that exists in TS 33.501 (TS 33.401 CR0659)
Rel-16 (4 changes)

In Release 16, the key derivation function (KDF) was enhanced to support new procedures for Conditional Handover (CHO) in LTE, including specific UE handling for CHO key derivation. Additionally, new standardized Function Code (FC) values were assigned for these derivations, and the specification defined the use of the Subscription Permanent Identifier (SUPI) as an input parameter for key derivation processes.

  • Key derivation for CHO (LTE R16) (TS 33.401 CR0690)
  • UE handling on CHO key derivation for LTE (TS 33.401 CR0689)
  • Assignment of FC values for key derivations (TS 33.535 CR0026)
  • Specification of value of SUPI for key derivations (TS 33.535 CR0027)
Rel-17 (2 changes)

In Release 17, the KDF-related updates introduced a new AAnF application key get service that operates without requiring the SUPI, improving privacy. In addition, FC values in TS 33.220 were changed to accommodate the derivation of two new keys, K_TIPSec and K_TNAP, which belong to the trusted non-3GPP access key hierarchy of TS 33.501.

  • New AAnF application key get service without SUPI (TS 33.535 CR0121)
  • FC value change because of KTIPSec and KTNAP derivation in R17 (TS 33.220 CR0209)
Rel-18 (1 change)

In Release 18, a new clause 6.3 was added to the Kaf derivation descriptions. The update gives procedural detail for the GBA_U NAF derivation, including handling of the GBA_U_NAF_DERIVATION_NOT_DONE condition when that procedure has not been performed, and clarifies the conditions and parameters under which the GBAUSignature and GBAUCipher operations may be invoked after a successful GBA_U bootstrap.

  • Add clause 6.3 in the Kaf derivation descriptions - R18 mirror (TS 33.535 CR0232)

Defining Specifications

3GPP specifications that define or reference KDF, with the latest known version and release. Version codes use 3GPP's letter scheme (vi30 = 18.3.0, vj00 = 19.0.0). Sourced from the 3GPP document catalog.

Specification (version, release): Title

TS 31.213 (vi30, Rel-18): Test specification for (U)SIM
TS 33.110 (vj00, Rel-19): UICC-Terminal Key Establishment
TS 33.122 (vj20, Rel-19): Security Architecture for CAPIF
TS 33.180 (vk00, Rel-20): Security of Mission Critical (MC) Service
TS 33.220 (vj00, Rel-19): Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA)
TS 33.224 (vj00, Rel-19): Generic Push Layer (GPL) Specification
TS 33.259 (vj00, Rel-19): Key Establishment between UICC Hosting & Remote Device
TS 33.401 (vj10, Rel-19): EPS Security Architecture
TS 33.535 (vj00, Rel-19): 5G AKMA: Authentication and Key Management for Apps
TR 33.739 (vi10, Rel-18): Study on security enhancement of support for
TR 33.834 (vg10, Rel-16): Long Term Key Update Procedures Study
TR 33.835 (vg10, Rel-16): Study on authentication and key management for apps
TR 33.841 (vg10, Rel-16): Security aspects; Study on 256-bit algorithms for 5G
TR 33.859 (vb10, Rel-11): UTRAN Key Hierarchy Enhancement Study
TR 33.863 (ve20, Rel-14): Security for Battery-Efficient IoT Device to Enterprise
TR 33.880 (vf10, Rel-15): Security Study for Enhanced Mission Critical Services
TR 33.938 (vj10, Rel-19): 3GPP Cryptographic Inventory for 5G