MAC-A

Message Authentication Code for Authentication

Security
Introduced in Rel-8
A cryptographic Message Authentication Code (MAC) used within the 3GPP Authentication and Key Agreement (AKA) protocol. It verifies the authenticity of authentication challenge messages exchanged between the network and the User Equipment (UE), ensuring they originate from legitimate parties and preventing impersonation attacks.

Description

MAC-A is a core cryptographic component of the 3GPP Authentication and Key Agreement (AKA) procedure, standardized from Release 8 onwards. It functions as a Message Authentication Code, a short piece of information generated using a cryptographic algorithm and a secret key to verify both the authenticity and integrity of a message. In the AKA context, MAC-A is specifically generated by the network side (typically the Authentication Centre, AuC, within the Home Subscriber Server, HSS) and included in the authentication vector (AV) sent to the serving network (e.g., MME in EPS, AMF in 5GS). This AV contains parameters like RAND (a random challenge), AUTN (the Authentication Token), XRES (Expected Response), and session keys.

The AUTN (Authentication Token) itself is a constructed parameter that includes, among other fields, the MAC-A. When the UE receives the authentication challenge (RAND and AUTN), it independently computes its own version of MAC-A using the shared secret key K (stored on the USIM and in the AuC), the received RAND, and other parameters like the Sequence Number (SQN). The UE then compares its computed MAC-A with the one extracted from the received AUTN. If they match, the UE has cryptographically verified that the authentication challenge originated from a genuine network entity that possesses the correct shared secret K. This mutual authentication step is fundamental to establishing trust before any user data session begins.

Architecturally, MAC-A generation and verification are distributed between the core network's authentication infrastructure (HSS/AuC) and the USIM application on the UE's UICC card. The algorithm used for computing MAC-A is the MILENAGE algorithm suite, as specified in 3GPP TS 35.205 and 35.909, which is based on the AES (Advanced Encryption Standard) block cipher. The specific input to the MAC-A function includes the secret key K, the random challenge RAND, and the sequence number SQN, ensuring that each authentication attempt produces a unique, non-replayable MAC. Its role is purely for network authentication from the UE's perspective; it does not provide integrity protection for user data traffic, which is handled by separate keys and mechanisms like MAC-I.

The security of the entire AKA protocol hinges on the robustness of MAC-A. A failure in MAC-A verification at the UE side results in authentication rejection, protecting the user from connecting to rogue base stations or networks attempting to intercept communications. It is a critical element in the chain of trust that underpins mobile network security, enabling services from basic voice calls to high-value financial transactions over cellular connections.

Purpose & Motivation

MAC-A was introduced to provide a standardized, cryptographically strong mechanism for the UE to authenticate the network within the 3GPP AKA framework. Prior to 3GPP's unified AKA, earlier cellular systems had various authentication methods, but they often lacked the robust mutual authentication and key derivation procedures needed for evolving packet-switched services and an expanding threat landscape. The primary problem MAC-A solves is network impersonation, where a malicious entity could attempt to pose as a legitimate operator network to harvest user credentials or launch man-in-the-middle attacks.

Its creation was motivated by the need for a clean-slate, algorithm-agile security architecture for EPS (LTE) and subsequent systems, moving away from the COMP128 algorithms used in 2G/3G. The 3GPP TSG SA WG3 (Security group) specified MILENAGE as the example algorithm set, with MAC-A as a core function. This allowed for mutual authentication: while the network authenticates the UE via the RES/XRES check, the UE authenticates the network via the MAC-A check within AUTN. This mutual verification establishes a two-way trust relationship essential for secure service delivery.

Furthermore, MAC-A's design as part of a comprehensive key hierarchy supports the derivation of multiple subsequent cryptographic keys (CK, IK, Kasme) for ciphering and integrity protection of both control plane and user plane traffic. It addresses the limitation of previous approaches by being transparently implementable on USIM cards, enabling backward compatibility and smooth migration, while providing a foundation that was intended to be resistant to cryptographic attacks for the foreseeable future.

Key Features

  • Used specifically for network authentication towards the UE within the AKA protocol.
  • Generated by the network's AuC/HSS and verified by the UE's USIM.
  • Computed using the MILENAGE algorithm suite based on AES.
  • Inputs include the shared secret key K, random challenge RAND, and sequence number SQN.
  • Embedded within the Authentication Token (AUTN) sent to the UE.
  • Failure in verification causes immediate authentication rejection, blocking connection to untrusted networks.

Evolution Across Releases

Rel-8 Initial

Introduced as a fundamental component of the EPS Authentication and Key Agreement (AKA) protocol. Defined within the MILENAGE algorithm set (TS 35.205) for use with the new USIM application. It established the mechanism for the UE to authenticate the network core (MME/HSS) in LTE/EPC networks, forming a critical part of the mutual authentication process.

Defining Specifications

Specification   Title
TS 21.905       3GPP TS 21.905
TS 31.102       3GPP TR 31.102
TS 33.105       3GPP TR 33.105
TS 35.205       3GPP TR 35.205
TS 35.909       3GPP TR 35.909
TS 35.934       3GPP TR 35.934