Description
In 3GPP security, the Message Authentication Code (MAC) is a critical element generated during the Authentication and Key Agreement (AKA) procedure. Specifically, it refers to the 64-bit MAC (MAC-A in the specifications) carried inside the Authentication Token (AUTN) that the network sends to the User Equipment (UE) so that the UE can authenticate the network. The MAC is computed by the home network's Authentication Centre (AuC) with the message authentication function f1, keyed with the long-term secret K that is shared with the subscriber's USIM, over the random challenge RAND, the sequence number SQN and the Authentication Management Field (AMF): MAC = f1_K(SQN || RAND || AMF). The related function f1* is not a 5G variant of f1; it produces MAC-S, the code carried in the AUTS token during the re-synchronisation procedure, and is required to be cryptographically separate from f1 so that a MAC-S can never be accepted as a MAC-A. The concrete f1 algorithm is operator-selectable; 3GPP publishes MILENAGE (TS 35.205 to TS 35.208, built on AES) and TUAK (TS 35.231 to TS 35.236, built on Keccak) as example algorithm sets.
The home network's HSS/AuC (UDM/ARPF in 5G) generates the authentication vector from K, a fresh RAND and the subscriber's current SQN. In UMTS the vector is (RAND, AUTN, XRES, CK, IK); EPS-AKA replaces CK and IK with KASME, and 5G AKA with KAUSF together with XRES* (and HXRES* for the serving network). AUTN itself is (SQN xor AK) || AMF || MAC, where AK = f5_K(RAND) is an anonymity key that masks the sequence number on the air interface. The vector is delivered to the serving network (SGSN/VLR in 3G, the MME in 4G, the AMF in 5G, where AMF here means the Access and Mobility management Function, not the Authentication Management Field), which forwards only RAND and AUTN to the UE. The USIM computes AK from RAND, recovers SQN by XORing it out of AUTN, reads AMF from AUTN, and computes the expected MAC, XMAC = f1_K(SQN || RAND || AMF). If XMAC equals the MAC carried in AUTN, the token was produced by a party holding K, which authenticates the home network to the USIM; only then does the USIM check that SQN is fresh, and only then does it release RES, CK and IK. A mismatch means the challenge was forged or corrupted: the USIM rejects it and the UE reports an authentication failure with cause "MAC failure" to the network.
The MAC is what gives AKA its mutual authentication: the UE verifies the network's token before it answers, and the network verifies the UE by comparing the returned RES with its stored XRES. Because f1 is a keyed one-way function, an attacker who observes RAND and AUTN learns nothing useful about K and cannot construct a valid AUTN for a RAND of their choosing, so a false base station cannot complete the handshake. Two caveats matter in practice. First, the MAC proves possession of K, not freshness: a captured (RAND, AUTN) pair still carries a valid MAC, and it is the SQN check, not the MAC check, that rejects a replay. Second, in 3G and 4G the MAC binds nothing about the serving network; binding to the serving network name arrives in 5G through the key derivation (KAUSF, RES*) and in EAP-AKA', not through the MAC. Successful MAC validation is the precondition for the USIM to release the session keys CK and IK and to return RES, completing the mutual authentication handshake. The mechanism is used unchanged across 3G (UMTS AKA), 4G (EPS-AKA) and 5G (5G AKA and EAP-AKA').
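The exchange described above, carried through in code as an added example (it is not part of the original page and is not 3GPP's or any operator's implementation): MILENAGE, the 3GPP example algorithm set, supplies f1, f1*, f2 to f5 and f5* on top of AES-128; the AuC side builds the authentication vector and AUTN, the USIM side unmasks SQN, recomputes XMAC, compares, and then checks freshness. The inputs are the published TS 35.208 test set 1 values, used here as constructed sample data. The type and function names (Milenage, GenerateAV, Verify, SyncFailure) are this example's own, and the single "SQN must be greater than the last accepted value" freshness test is a deliberate simplification of the windowed scheme in TS 33.102 Annex C.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
)

// Milenage holds the long-term key K and OPc = E_K(OP) ^ OP (TS 35.206, default constants).
type Milenage struct{ K, OPc []byte }
func NewMilenage(k, op []byte) Milenage { return Milenage{K: k, OPc: xor(encrypt(k, op), op)} }

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// rotl rotates a 16-byte block left by r bits; MILENAGE only uses whole-byte amounts.
func rotl(x []byte, r int) []byte { return append(append([]byte{}, x[r/8:]...), x[:r/8]...) }

func encrypt(k, in []byte) []byte {
	c, _ := aes.NewCipher(k) // K is always 128-bit here, so the key-length error cannot occur
	out := make([]byte, 16)
	c.Encrypt(out, in)
	return out
}

// F1 returns MAC-A (f1) and MAC-S (f1*): the two halves of OUT1 = E_K(TEMP ^ rot(IN1 ^ OPc, 64)) ^ OPc, with TEMP = E_K(RAND ^ OPc), IN1 = SQN||AMF||SQN||AMF.
func (m Milenage) F1(rnd, sqn, amf []byte) (macA, macS []byte) {
	temp := encrypt(m.K, xor(rnd, m.OPc))
	in1 := bytes.Join([][]byte{sqn, amf, sqn, amf}, nil)
	out1 := xor(encrypt(m.K, xor(temp, rotl(xor(in1, m.OPc), 64))), m.OPc)
	return out1[:8], out1[8:]
}

// F2345 returns RES (f2), CK (f3), IK (f4), AK (f5) and AK* (f5*) for one RAND.
func (m Milenage) F2345(rnd []byte) (res, ck, ik, ak, akStar []byte) {
	tempX := xor(encrypt(m.K, xor(rnd, m.OPc)), m.OPc) // TEMP ^ OPc
	out := func(r int, c byte) []byte { // OUTn = E_K(rot(TEMP ^ OPc, rn) ^ cn) ^ OPc
		in := rotl(tempX, r)
		in[15] ^= c
		return xor(encrypt(m.K, in), m.OPc)
	}
	out2, out3, out4, out5 := out(0, 1), out(32, 2), out(64, 4), out(96, 8)
	return out2[8:], out3, out4, out2[:6], out5[:6]
}

// AuthVector is what the AuC hands out; EPS and 5G derive KASME / KAUSF from CK and IK.
type AuthVector struct{ RAND, AUTN, XRES, CK, IK []byte }

// GenerateAV builds AUTN = (SQN ^ AK) || AMF || MAC-A (TS 33.102, clause 6.3.2).
func (m Milenage) GenerateAV(rnd, sqn, amf []byte) AuthVector {
	macA, _ := m.F1(rnd, sqn, amf)
	xres, ck, ik, ak, _ := m.F2345(rnd)
	return AuthVector{rnd, bytes.Join([][]byte{xor(sqn, ak), amf, macA}, nil), xres, ck, ik}
}

var ErrMACFailure = errors.New("MAC failure: AUTN was not produced with this USIM's K")
// SyncFailure means the MAC verified but SQN was not fresh; AUTS goes back to the network.
type SyncFailure struct{ AUTS []byte }
func (e *SyncFailure) Error() string { return "synchronisation failure" }

// Verify models the USIM (TS 33.102, clause 6.3.3): unmask SQN with AK, recompute XMAC, compare, then
// check freshness. sqnMS is the highest SQN accepted so far (simplified: the spec uses a windowed array).
func (m Milenage) Verify(rnd, autn, sqnMS []byte) ([]byte, []byte, []byte, error) {
	res, ck, ik, ak, akStar := m.F2345(rnd)
	sqn, amf, mac := xor(autn[:6], ak), autn[6:8], autn[8:16]
	if xmac, _ := m.F1(rnd, sqn, amf); !bytes.Equal(xmac, mac) {
		return nil, nil, nil, ErrMACFailure
	}
	if bytes.Compare(sqn, sqnMS) <= 0 { // replayed or stale challenge
		_, macS := m.F1(rnd, sqnMS, []byte{0, 0}) // MAC-S uses an all-zero AMF (clause 6.3.5)
		return nil, nil, nil, &SyncFailure{AUTS: bytes.Join([][]byte{xor(sqnMS, akStar), macS}, nil)}
	}
	return res, ck, ik, nil
}

func main() {
	// Constructed inputs: TS 35.208 test set 1 (K, OP, RAND, SQN, AMF).
	k, _ := hex.DecodeString("465b5ce8b199b49faa5f0a2ee238a6bc")
	op, _ := hex.DecodeString("cdc202d5123e20f62b6d676ac72cb318")
	rnd, _ := hex.DecodeString("23553cbe9637a89d218ae64dae47bf35")
	sqn, _ := hex.DecodeString("ff9bb4d0b607")
	m := NewMilenage(k, op) // the same K and OP are provisioned at the AuC and on the USIM
	av := m.GenerateAV(rnd, sqn, []byte{0xb9, 0xb9})
	res, _, _, err := m.Verify(av.RAND, av.AUTN, make([]byte, 6)) // SQN_MS = 0: challenge is fresh
	fmt.Printf("AUTN %x\nRES  %x (err=%v)\n", av.AUTN, res, err)
	bad := append([]byte{}, av.AUTN...)
	bad[15] ^= 1 // forged or tampered MAC: rejected before any key material is released
	_, _, _, err = m.Verify(av.RAND, bad, make([]byte, 6))
	fmt.Println("tampered:", err)
	_, _, _, err = m.Verify(av.RAND, av.AUTN, sqn) // replay: MAC valid, SQN already consumed
	if sf, ok := err.(*SyncFailure); ok {
		fmt.Printf("replayed: %v, AUTS %x\n", err, sf.AUTS)
	}
}
```

Running it prints AUTN 55f328b43577b9b94a9ffac354dfafb3 (SQN xor AK, then AMF b9b9, then the MAC-A 4a9ffac354dfafb3 from the test set) and RES a54211d5e3ba50bf for the fresh challenge; flipping one MAC byte yields ErrMACFailure with no keys released, and replaying the same AUTN passes the MAC check but fails the SQN check and produces an AUTS, which is exactly the ordering the specification mandates.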
Purpose & Motivation
The Message Authentication Code within AKA was created to provide explicit network authentication to the user equipment, addressing a security weakness in the earlier 2G (GSM) system. In GSM, only the network authenticated the mobile station (one-way authentication), leaving it vulnerable to false base station attacks ("IMSI catchers") where a rogue network could impersonate a legitimate one. The introduction of mutual authentication in 3GPP UMTS was a fundamental security enhancement, and the MAC is the mechanism that enables the UE to verify the network.
The problem it solves is proving the network's authenticity to the UE in a shared secret key context. Without the MAC, a UE could not distinguish between a legitimate network and an attacker broadcasting a captured RAND. The MAC, derived from the shared secret K over RAND, the sequence number SQN and the AMF, provides this proof. Its creation was motivated by the need for stronger security as mobile networks evolved to carry sensitive data and transactions. It addresses the limitation of one-way authentication by ensuring that both parties in the communication are verified, forming the basis for secure key derivation and protecting against man-in-the-middle attacks; together with the USIM's check that the recovered SQN is fresh, it also protects against replay of a captured challenge. This established the trusted foundation for all subsequent 3GPP security architectures.
Key Features
- Generated with the message authentication function f1 under the shared secret key K (the related function f1* produces MAC-S for the re-synchronisation token AUTS, not the MAC in AUTN)
- Embedded within the Authentication Token (AUTN) sent from network to UE
- Enables UE-side verification of network authenticity during AKA
- Uses inputs including sequence number (SQN), random challenge (RAND), and AMF for freshness
- Critical for achieving mutual authentication in 3G, 4G, and 5G systems
- Failure of the MAC comparison causes the USIM to reject the challenge and the UE to report cause "MAC failure"; a valid MAC with an out-of-range SQN instead triggers the separate synchronisation failure procedure, in which the UE returns AUTS
Evolution Across Releases
Introduced the MAC as part of UMTS AKA for 3G security (TS 33.102, Release 99). Defined f1 as the network authentication function that produces MAC-A in AUTN and f1* as the re-synchronisation function that produces MAC-S in AUTS, with the requirement that the two be cryptographically separate. Established the mutual authentication framework in which the UE verifies the network using the MAC, a fundamental shift from GSM's one-way authentication. MILENAGE (TS 35.205 to TS 35.208) was published as the example algorithm set.
EPS-AKA for LTE/EPS (TS 33.401) kept the MAC mechanism and f1 unchanged but integrated them into the evolved packet system architecture with the HSS and MME, and introduced a new key hierarchy rooted in KASME, which is derived from CK, IK and the serving network identity rather than using CK and IK directly. The one AKA-level change visible in AUTN is the AMF "separation bit" (bit 0), which the HSS sets to 1 for EPS vectors and the ME checks, so that a vector issued for UMTS cannot be accepted as an LTE one.
5G AKA (TS 33.501) again keeps f1 and the MAC-A in AUTN unchanged; there is no 5G-specific variant of f1. What changed is the machinery around it: the separation bit is set as in EPS, the serving network name is bound into KAUSF and into RES*/XRES* by key derivation (not by the MAC), the AUSF verifies RES* so that the home network has a say in the outcome of each authentication, and concealment of the subscriber identifier as a SUCI improves privacy. EAP-AKA' binds the network name in the same way for non-3GPP access.
Defining Specifications
The list below is a broad cross-reference. The authentication MAC itself is defined in TS 33.102 (UMTS), extended to EPS and 5G by TS 33.401 and TS 33.501, with TS 35.205 to TS 35.208 specifying the MILENAGE example for f1; radio-protocol entries such as TS 25.321 and TS 36.321 use "MAC" for Medium Access Control and are unrelated to the authentication code. Entries in the x.7xx, x.8xx and x.9xx ranges are Technical Reports (TR), not Technical Specifications.
| Specification | Document |
|---|---|
| TS 21.905 | 3GPP TS 21.905 |
| TR 22.944 | 3GPP TR 22.944 |
| TS 23.050 | 3GPP TS 23.050 |
| TS 23.060 | 3GPP TS 23.060 |
| TS 23.146 | 3GPP TS 23.146 |
| TS 24.109 | 3GPP TS 24.109 |
| TS 24.229 | 3GPP TS 24.229 |
| TS 24.244 | 3GPP TS 24.244 |
| TS 24.301 | 3GPP TS 24.301 |
| TS 24.369 | 3GPP TS 24.369 |
| TS 24.501 | 3GPP TS 24.501 |
| TS 25.201 | 3GPP TS 25.201 |
| TS 25.212 | 3GPP TS 25.212 |
| TS 25.222 | 3GPP TS 25.222 |
| TS 25.224 | 3GPP TS 25.224 |
| TS 25.301 | 3GPP TS 25.301 |
| TS 25.302 | 3GPP TS 25.302 |
| TS 25.321 | 3GPP TS 25.321 |
| TS 25.322 | 3GPP TS 25.322 |
| TS 25.324 | 3GPP TS 25.324 |
| TS 25.331 | 3GPP TS 25.331 |
| TS 25.401 | 3GPP TS 25.401 |
| TS 25.402 | 3GPP TS 25.402 |
| TS 25.420 | 3GPP TS 25.420 |
| TS 25.423 | 3GPP TS 25.423 |
| TR 25.912 | 3GPP TR 25.912 |
| TR 25.931 | 3GPP TR 25.931 |
| TS 26.202 | 3GPP TS 26.202 |
| TR 26.902 | 3GPP TR 26.902 |
| TR 26.935 | 3GPP TR 26.935 |
| TS 27.060 | 3GPP TS 27.060 |
| TS 29.204 | 3GPP TS 29.204 |
| TS 29.509 | 3GPP TS 29.509 |
| TS 29.521 | 3GPP TS 29.521 |
| TR 29.890 | 3GPP TR 29.890 |
| TS 31.102 | 3GPP TS 31.102 |
| TS 31.103 | 3GPP TS 31.103 |
| TS 31.113 | 3GPP TS 31.113 |
| TS 31.114 | 3GPP TS 31.114 |
| TR 31.900 | 3GPP TR 31.900 |
| TS 33.102 | 3GPP TS 33.102 |
| TS 33.105 | 3GPP TS 33.105 |
| TS 33.110 | 3GPP TS 33.110 |
| TS 33.203 | 3GPP TS 33.203 |
| TS 33.204 | 3GPP TS 33.204 |
| TS 33.210 | 3GPP TS 33.210 |
| TS 33.224 | 3GPP TS 33.224 |
| TS 33.246 | 3GPP TS 33.246 |
| TS 33.259 | 3GPP TS 33.259 |
| TR 33.700 | 3GPP TR 33.700 |
| TR 33.814 | 3GPP TR 33.814 |
| TR 33.821 | 3GPP TR 33.821 |
| TR 33.851 | 3GPP TR 33.851 |
| TS 35.205 | 3GPP TS 35.205 |
| TS 35.234 | 3GPP TS 35.234 |
| TS 35.235 | 3GPP TS 35.235 |
| TS 35.236 | 3GPP TS 35.236 |
| TS 35.249 | 3GPP TS 35.249 |
| TR 35.909 | 3GPP TR 35.909 |
| TR 35.934 | 3GPP TR 35.934 |
| TR 35.937 | 3GPP TR 35.937 |
| TS 36.133 | 3GPP TS 36.133 |
| TS 36.201 | 3GPP TS 36.201 |
| TS 36.300 | 3GPP TS 36.300 |
| TS 36.302 | 3GPP TS 36.302 |
| TS 36.305 | 3GPP TS 36.305 |
| TS 36.306 | 3GPP TS 36.306 |
| TS 36.321 | 3GPP TS 36.321 |
| TS 36.322 | 3GPP TS 36.322 |
| TS 36.323 | 3GPP TS 36.323 |
| TS 36.331 | 3GPP TS 36.331 |
| TS 36.509 | 3GPP TS 36.509 |
| TR 36.938 | 3GPP TR 36.938 |
| TS 37.320 | 3GPP TS 37.320 |
| TS 37.355 | 3GPP TS 37.355 |
| TR 37.901 | 3GPP TR 37.901 |
| TS 38.133 | 3GPP TS 38.133 |
| TS 38.201 | 3GPP TS 38.201 |
| TS 38.202 | 3GPP TS 38.202 |
| TS 38.305 | 3GPP TS 38.305 |
| TS 38.306 | 3GPP TS 38.306 |
| TS 38.323 | 3GPP TS 38.323 |
| TS 38.331 | 3GPP TS 38.331 |
| TS 38.522 | 3GPP TS 38.522 |
| TS 43.051 | 3GPP TS 43.051 |
| TS 43.064 | 3GPP TS 43.064 |
| TS 43.129 | 3GPP TS 43.129 |
| TS 43.318 | 3GPP TS 43.318 |
| TR 43.901 | 3GPP TR 43.901 |
| TR 43.902 | 3GPP TR 43.902 |
| TS 44.060 | 3GPP TS 44.060 |
| TS 44.160 | 3GPP TS 44.160 |
| TS 44.318 | 3GPP TS 44.318 |
| TR 45.820 | 3GPP TR 45.820 |
| TR 45.902 | 3GPP TR 45.902 |
| TS 48.016 | 3GPP TS 48.016 |
| TS 55.241 | 3GPP TS 55.241 |
| TS 55.251 | 3GPP TS 55.251 |