Description
In 3GPP security, the Message Authentication Code (MAC) is a critical element generated during the Authentication and Key Agreement (AKA) procedure. Specifically, it refers to the MAC included within the Authentication Token (AUTN) that the network sends to the User Equipment (UE) for mutual authentication. The MAC is computed by the network's Authentication Centre (AuC) using the cryptographic algorithm f1 (or its variant f1* for 5G AKA) with a secret key K (shared with the UE's USIM), a random challenge RAND, a sequence number SQN, and an Authentication Management Field (AMF) as inputs. The formula is MAC = f1_K(SQN || RAND || AMF).
The architecture involves the Home Subscriber Server (HSS)/AuC in the core network generating the authentication vector, which contains RAND, AUTN (which includes MAC and other fields), XRES, and session keys. The AUTN is sent to the serving network (e.g., MME in 4G, AMF in 5G), which forwards RAND and AUTN to the UE. Upon receipt, the UE's USIM independently computes an expected MAC (XMAC) using the same f1 algorithm, its shared key K, and the received RAND, SQN, and AMF. The USIM then compares the computed XMAC with the MAC value extracted from the received AUTN. If they match, it proves to the UE that the authentication vector was generated by an entity possessing the correct secret key K, thereby authenticating the network. A mismatch indicates a potential security threat, and authentication fails.
How it works is deeply tied to the AKA protocol's mutual authentication goal. The MAC's inclusion in AUTN allows the UE to verify the network's legitimacy before proceeding. It protects against forgery attacks; an attacker cannot construct a valid AUTN without knowledge of K. The MAC computation is one-way and cryptographically strong, ensuring that even if RAND and AUTN are intercepted, the secret key cannot be derived. Its role is foundational for establishing a trusted session, as successful MAC validation is a prerequisite for the UE to compute the session keys (CK, IK) and the network's expected response (RES), completing the mutual authentication handshake. This mechanism is used across 3G (UMTS), 4G (EPS-AKA), and 5G (5G AKA, EAP-AKA').
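The XMAC check described above, as an added example that is not part of the original page. It also goes one step further and checks SQN freshness after the MAC check, which is how a replayed challenge is rejected. Assumptions: HMAC-SHA-256 stands in for f1 and f5 (deployed USIMs use an operator-chosen set such as MILENAGE or Tuak), AUTN is laid out as (SQN xor AK) || AMF || MAC, the freshness rule is simplified to "greater than the last accepted SQN", the function names are hypothetical, and all sample values are constructed.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA-256 is a stand-in so the example runs with the standard
# library only. It is NOT MILENAGE/Tuak and will not match real test vectors.
def f1(k: bytes, sqn: bytes, rand: bytes, amf: bytes) -> bytes:
    """MAC = f1_K(SQN || RAND || AMF), truncated to 64 bits."""
    return hmac.new(k, b"f1" + sqn + rand + amf, hashlib.sha256).digest()[:8]

def f5(k: bytes, rand: bytes) -> bytes:
    """48-bit anonymity key AK that conceals SQN inside AUTN."""
    return hmac.new(k, b"f5" + rand, hashlib.sha256).digest()[:6]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def build_autn(k: bytes, rand: bytes, sqn: bytes, amf: bytes) -> bytes:
    """AuC side: AUTN = (SQN xor AK) || AMF || MAC, i.e. 6 + 2 + 8 bytes."""
    return xor(sqn, f5(k, rand)) + amf + f1(k, sqn, rand, amf)

def usim_verify(k: bytes, rand: bytes, autn: bytes, sqn_ms: int) -> str:
    """USIM side: returns 'ok', 'mac_failure' or 'sync_failure'."""
    if len(rand) != 16 or len(autn) != 16:
        raise ValueError("RAND and AUTN must each be 16 bytes")
    sqn = xor(autn[:6], f5(k, rand))      # recover SQN from the concealed field
    amf, mac = autn[6:8], autn[8:]
    xmac = f1(k, sqn, rand, amf)          # expected MAC from the USIM's own K
    if not hmac.compare_digest(xmac, mac):  # constant-time comparison
        return "mac_failure"              # network is not authenticated
    # Simplified freshness rule (assumption): accept only a strictly newer SQN.
    if int.from_bytes(sqn, "big") <= sqn_ms:
        return "sync_failure"             # valid MAC but replayed or stale
    return "ok"

# Constructed sample values, not taken from any subscriber or specification.
K = bytes.fromhex("00112233445566778899aabbccddeeff")
RAND = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
AMF = bytes.fromhex("8000")
SQN = (41).to_bytes(6, "big")
AUTN = build_autn(K, RAND, SQN, AMF)
```

The MAC check runs before the SQN check, so a challenge built without K is reported as a MAC failure and never reaches the freshness logic.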
Purpose & Motivation
The Message Authentication Code within AKA was created to provide explicit network authentication to the user equipment, addressing a security weakness in the earlier 2G (GSM) system. In GSM, only the network authenticated the mobile station (one-way authentication), leaving it vulnerable to false base station attacks ("IMSI catchers") where a rogue network could impersonate a legitimate one. The introduction of mutual authentication in 3GPP UMTS was a fundamental security enhancement, and the MAC is the mechanism that enables the UE to verify the network.
The problem it solves is proving the network's authenticity to the UE in a shared secret key context. Without the MAC, a UE could not distinguish between a legitimate network and an attacker broadcasting a captured RAND. The MAC, derived from the shared secret K and other freshness parameters (SQN, RAND), provides this proof. Its creation was motivated by the need for stronger security as mobile networks evolved to carry sensitive data and transactions. It addresses the limitation of one-way authentication by ensuring that both parties in the communication are verified, forming the basis for secure key derivation and protecting against man-in-the-middle and replay attacks. This established the trusted foundation for all subsequent 3GPP security architectures.
Detected Changes Across Releases
From 3GPP Change Requests. Specific changes extracted from the "Change history" tables of 3GPP specifications (573 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.
In Release 15, the MAC (Medium Access Control) layer saw specific enhancements for new radio scenarios. This included defining MAC functionality for euCA (enhanced uplink Carrier Aggregation) and aligning MAC Control Elements (MAC CEs) between LTE and NR to ensure consistent operation. Furthermore, support was introduced for a MAC PDU containing a UE contention resolution identity MAC control element without an RRC response message, specifically for NB-IoT.
- EPS mobile identity and UE status in the ATTACH REQUEST message (TS 24.301, CR3028)
- UE configuration for NAS signalling low priority via OMA-DM or USIM not applicable in 5GS (TS 24.501, CR0084)
- Preferred list terminating at ME or USIM (TS 24.501, CR0212)
- SOR acknowledge message coding (TS 24.501, CR0216)
- Protection of initial NAS messages – overall description (TS 24.501, CR0424)
- Support for protection of initial NAS messages (TS 24.501, CR0425)
+ 123 more changes
In Release 16, the MAC function was enhanced to support new authentication and security procedures, including slice-specific authentication and authorization and primary authentication using extended EAP methods. It also introduced specific handling for non-integrity protected NAS messages in scenarios like SNPN access and for Restricted Local Operator Services (RLOS). Furthermore, the release defined authentication procedures for new device types such as N5GC devices.
- Authentication and security handling for restricted local operator services (TS 24.301, CR3162)
- Abnormal case handling when authentication is not accepted (TS 24.301, CR3193)
- RLOS integrity and authentication handling (TS 24.301, CR3266)
- Authentication and security handling for RLOS (TS 24.301, CR3334)
- UE behaviour upon receiving non-integrity protected NAS reject messages in 5GS (TS 24.501, CR0998)
- MA PDU request in UL NAS TRANSPORT message (TS 24.501, CR1020)
+ 138 more changes
In Release 17, 3GPP introduced new MAC-layer related authentication and authorization enhancements, specifically for Multi-USIM UEs in both EPS and 5GS, enabling procedures like using the Service Request to remove paging restrictions. Furthermore, Release 17 expanded authentication frameworks by formally integrating Authentication and Key Management for Applications (AKMA) and detailing the usage of a GBA-based shared secret with PSK authentication in TLS 1.3. These updates also included new handling for UUAA re-authentication, re-authorization, and revocation, alongside mechanisms for SNPNs supporting AAA-Server for primary authentication.
- Update of HTTP Digest Access Authentication and reference update for HTTP/1.1 protocol (TS 24.109, CR0069)
- GBA-based shared secret with PSK authentication in TLS 1.3 (TS 24.109, CR0071)
- Using Service Request procedure for removing paging restrictions in EPS for a Multi-USIM UE (TS 24.301, CR3517)
- Leaving procedure and Reject Paging Indication for Multi-USIM UEs in EPS (TS 24.301, CR3534)
- Multi-USIM UE support indications in EPS (TS 24.301, CR3514)
- UAS services not allowed indication in EPS NAS message (TS 24.301, CR3618)
+ 161 more changes
In Release 18, the MAC function's scope was extended to support new authentication and key agreement procedures, specifically for 5G ProSe UE-to-UE relay and for AUN3 devices behind a 5G-RG. These enhancements introduced new authentication procedures and updated the handling of security parameters, including the storage of 5G Security Parameters on the USIM. Additionally, the release addressed the protection of identifier information in the REGISTRATION REJECT message as part of the broader security framework.
- Exchanging the SDNAEPC EAP message in ESM procedures (TS 24.301, CR3853)
- Resolving the EN related to exchanging the SDNAEPC EAP message (TS 24.301, CR3870)
- Transport of messages of network-requested UE policy management procedure (TS 24.301, CR3934)
- Introduce Maximum time offset IE in the TAU ACCEPT message (TS 24.301, CR3970)
- Indicating Uplink data status IE in REGISTRATION REQUEST message after failure of resumption of the RRC connection for UE that has joined Multicast session (TS 24.501, CR5320)
- Inclusion of Extended LADN information IE in REGISTRATION ACCEPT message (TS 24.501, CR5214)
+ 78 more changes
In Release 19, the MAC (Medium Access Control) layer enhancement specifically introduced new Scheduling Request (SR) resources within a MAC Control Element (CE) for the LTM cell switch procedure. This change, detailed in the CR titled "Introducing SR resources in LTM cell switch MAC CE," provides a concrete mechanism for uplink resource requests during this specific mobility operation. The update modifies the MAC sub-layer's role in providing access to transport channels by defining this new control element format and procedure.
- Provisioning an S-NSSAI via the PDN CONNECTIVITY REQUEST message (TS 24.301, CR3655)
- New message for transferring data over NAS - Part 2: procedures (TS 24.301, CR4367)
- New message for transferring data over NAS - Part 1: message format (TS 24.301, CR4366)
- Handling of inactive PDP context in EMM TRANSPORT message (TS 24.301, CR4517)
- Alignment of EMM Transport message (TS 24.301, CR4459)
- Handling of paging message while T3451 is running (TS 24.301, CR4456)
+ 43 more changes
Defining Specifications
3GPP specifications that define or reference MAC, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TR 21.905 vj00 | 3GPP Technical Terms and Definitions | Rel-19 |
| TR 22.944 vj00 | UE Functionality Split Scenarios and Requirements | Rel-19 |
| TS 23.050 v1100 | UMTS Network Principles and Architecture | R99 |
| TS 23.060 vj00 | GPRS Service Description Stage 2 | Rel-19 |
| TS 23.146 vj00 | 3G Facsimile Group 3 Technical Realization | Rel-19 |
| TS 24.109 vj00 | HTTP Digest AKA & GAA Stage 3 | Rel-19 |
| TS 24.229 vj50 | IMS call control protocol based on SIP and SDP | Rel-19 |
| TS 24.244 vj00 | Wireless LAN Control Plane Protocol | Rel-19 |
| TS 24.301 vj60 | NAS protocol for Evolved Packet System | Rel-19 |
| TS 24.369 vj00 | AIoT NAS protocol for 5G System | Rel-19 |
| TS 24.501 vj50 | 5G NAS Protocols Specification | Rel-19 |
| TS 25.201 vj00 | UTRA Physical Layer General Description | Rel-19 |
| TS 25.212 vj00 | UTRA FDD Layer 1 Multiplexing & Channel Coding | Rel-19 |
| TS 25.222 vj00 | UTRA TDD Multiplexing & Channel Coding | Rel-19 |
| TS 25.224 vj00 | UTRA TDD Physical Layer Procedures | Rel-19 |
| TS 25.301 vj00 | UE-UTRAN Radio Interface Protocol Architecture | Rel-19 |
| TS 25.302 vj00 | UTRA Physical Layer Services | Rel-19 |
| TS 25.321 vj00 | MAC Protocol Specification for UTRAN | Rel-19 |
| TS 25.322 vj00 | RLC Protocol Specification | Rel-19 |
| TS 25.324 vj00 | Broadcast/Multicast Control Protocol | Rel-19 |
| TS 25.331 vj00 | UTRAN RRC Protocol Specification | Rel-19 |
| TS 25.401 vj00 | UTRAN Overall Architecture | Rel-19 |
| TS 25.402 vj00 | UTRAN Synchronisation Mechanisms | Rel-19 |
| TS 25.420 vj00 | Iur Interface Introduction for UTRAN | Rel-19 |
| TS 25.423 vj00 | UTRAN RNSAP Specification | Rel-19 |
| TR 25.912 vj00 | Evolved UTRA and UTRAN Technical Report | Rel-19 |
| TR 25.931 vj00 | UTRAN Signalling Procedures Examples | Rel-19 |
| TS 26.202 vj00 | AMR-WB Speech Codec Mapping Specification | Rel-19 |
| TR 26.902 vj00 | Video Codec Performance for 3GPP Packet Services | Rel-19 |
| TR 26.935 vj00 | Speech Codec Performance for Packet Switched Multimedia | Rel-19 |
| TS 27.060 vj00 | TE-MT Interworking for Packet Domain | Rel-19 |
| TS 29.204 vj00 | SS7 Security Gateway Functional Description | Rel-19 |
| TS 29.509 vj50 | AUSF Service Based Interface Protocol | Rel-19 |
| TS 29.521 vj40 | 5G Binding Support Management Service Stage 3 | Rel-19 |
| TS 29.890 vg00 | CT3 5G System Technical Report | Rel-16 |
| TS 31.102 vj40 | USIM Application Specification | Rel-19 |
| TS 31.103 vj00 | ISIM Application Specification | Rel-19 |
| TS 31.113 v1800 | USAT Interpreter Byte Code Specification | Rel-8 |
| TS 31.114 v1800 | USAT Interpreter Transmission Protocol | Rel-8 |
| TR 31.900 vj00 | 3GPP TS 31.900: Security Interworking Guidance | Rel-19 |
| TS 33.102 vj10 | 3G Security Architecture Specification | Rel-19 |
| TS 33.105 vj00 | 3G Security: Cryptographic Algorithm Requirements | Rel-19 |
| TS 33.110 vj00 | UICC-Terminal Key Establishment | Rel-19 |
| TS 33.203 vj10 | IMS Security Specification | Rel-19 |
| TS 33.204 vj00 | TCAP Security (TCAPsec) Stage 2 Specification | Rel-19 |
| TS 33.210 vj20 | UMTS Security for IP Networks | Rel-19 |
| TS 33.224 vj00 | Generic Push Layer (GPL) Specification | Rel-19 |
| TS 33.246 vj00 | MBMS Security Specification | Rel-19 |
| TS 33.259 vj00 | Key Establishment between UICC Hosting & Remote Device | Rel-19 |
| TS 33.700 | 3GPP TR 33.700 | R99 |
| TS 33.814 vg01 | Security aspects of enhanced Location Services (eLCS) | Rel-16 |
| TS 33.821 v900 | LTE/SAE Security Threat Analysis and Countermeasures | Rel-9 |
| TR 33.851 vh10 | Security for Industrial IoT in 5G | Rel-17 |
| TS 35.205 vj00 | MILENAGE Algorithm Set: General Overview | Rel-19 |
| TS 35.234 vj00 | MILENAGE-256 Algorithm Set Specification | Rel-19 |
| TS 35.235 vj00 | MILENAGE-256 Algorithm Set Specification | Rel-19 |
| TS 35.236 vj00 | MILENAGE-256 Algorithm Set Specification | Rel-19 |
| TS 35.249 vj10 | f5** Algorithm for MILENAGE and Tuak | Rel-19 |
| TR 35.909 vj00 | 3GPP MILENAGE Algorithm Design Report | Rel-19 |
| TR 35.934 vj00 | Tuak algorithm set for 3GPP auth & key gen | Rel-19 |
| TR 35.937 vj00 | MILENAGE-256 Algorithm Set Specification | Rel-19 |
| TS 36.133 vj20 | E-UTRA RRM Requirements | Rel-19 |
| TS 36.201 vj00 | LTE Physical Layer General Description | Rel-19 |
| TS 36.300 vj00 | E-UTRAN Radio Interface Protocol Architecture Overview | Rel-19 |
| TS 36.302 vj00 | E-UTRA Physical Layer Services | Rel-19 |
| TS 36.305 vj00 | UE Positioning in E-UTRAN Stage 2 | Rel-19 |
| TS 36.306 vj00 | E-UTRA UE Radio Access Capability Parameters | Rel-19 |
| TS 36.321 vj00 | E-UTRA MAC Protocol Specification | Rel-19 |
| TS 36.322 vj00 | E-UTRA Radio Link Control Protocol Specification | Rel-19 |
| TS 36.323 vj00 | PDCP Protocol Specification | Rel-19 |
| TS 36.331 vj00 | LTE RRC Protocol Specification | Rel-19 |
| TS 36.509 vh40 | EPC Special UE Conformance Testing Functions | Rel-17 |
| TS 36.938 v900 | E-UTRAN to 3GPP2/Mobile WiMAX Mobility | Rel-9 |
| TS 37.320 vj00 | Minimization of Drive Tests (MDT) Overview | Rel-19 |
| TS 37.355 vj20 | LTE Positioning Protocol (LPP) | Rel-19 |
| TR 37.901 vf10 | UE Application Layer Data Throughput Performance | Rel-15 |
| TS 38.133 vj20 | 5G UE Radio Requirements for RRC_IDLE Mobility | Rel-19 |
| TS 38.201 vj00 | NR Physical Layer General Description | Rel-19 |
| TS 38.202 vj00 | 5G NR Physical Layer Services | Rel-19 |
| TS 38.305 vj00 | NG-RAN UE Positioning Stage 2 | Rel-19 |
| TS 38.306 vj00 | NR UE Radio Access Capability Parameters | Rel-19 |
| TS 38.323 vj00 | Packet Data Convergence Protocol (PDCP) | Rel-19 |
| TS 38.331 vj00 | NR Radio Resource Control (RRC) Protocol Specification | Rel-19 |
| TS 38.522 vj11 | UE Conformance Test Applicability Statement | Rel-19 |
| TS 43.051 vj00 | GERAN Stage 2 Service Description | Rel-19 |
| TS 43.064 vj00 | GPRS Radio Interface Lower-Layer Functions | Rel-19 |
| TS 43.129 vj00 | PS Handover in GERAN A/Gb and GAN Modes | Rel-19 |
| TS 43.318 vj00 | Generic Access Network (GAN) Stage 2 | Rel-19 |
| TR 43.901 vj00 | Generic Access to A/Gb Interface Feasibility Study | Rel-19 |
| TR 43.902 vj00 | GAN Enhancements Feasibility Study | Rel-19 |
| TS 44.060 vj00 | GERAN RLC/MAC Protocol Specification | Rel-19 |
| TS 44.160 vg00 | GERAN Iu Mode RLC/MAC Protocol Specification | Rel-16 |
| TS 44.318 vj00 | Generic Access Network (GAN) Interface Procedures | Rel-19 |
| TS 45.820 vd10 | CIoT for Internet of Things | Rel-13 |
| TR 45.902 vj00 | Flexible Layer One (FLO) for GERAN | Rel-19 |
| TS 48.016 vj00 | Gb Interface Network Service Specification | Rel-19 |
| TS 55.241 vj00 | 3GPP Integrity Algorithm GIA4 Specification | Rel-19 |
| TS 55.251 vj00 | GEA5 and GIA5 Encryption Algorithm Specification | Rel-19 |