SEAF

Security Anchor Functionality

Security
Introduced in Rel-15
The SEAF is a core security function in the 5G Core network, part of the Authentication Server Function (AUSF). It acts as the primary security anchor point within the serving network, managing authentication and key agreement procedures with the UE. It is critical for establishing secure communication and enabling network access.

Description

The Security Anchor Functionality (SEAF) is a fundamental security component within the 5G System (5GS) architecture, defined as a sub-function of the Authentication Server Function (AUSF). Its primary role is to serve as the security termination point in the serving network during primary authentication and key agreement (AKA) procedures. The SEAF does not perform authentication calculations itself but orchestrates the process by interacting with the home network's Authentication Credential Repository and Processing Function (ARPF/UDM). It receives authentication vectors from the home network and uses them to authenticate the User Equipment (UE).

Upon successful authentication, the SEAF derives the anchor key (K_SEAF) from the home network key (K_AUSF), establishing a security association rooted in the serving network. This K_SEAF is then used to derive further keys for securing Non-Access Stratum (NAS) signaling between the UE and the Access and Mobility Management Function (AMF). The SEAF's location in the serving network is crucial for security localization, reducing latency and dependency on the home network for subsequent security procedures such as re-authentication and key refresh.

Architecturally, the SEAF is co-located with the AUSF, and its interfaces, such as Nausf, are used for communication with the AMF. Its operation is central to the 5G security framework, providing a clear separation between home and serving network security responsibilities and enabling features such as seamless mobility and network slicing with isolated security contexts.

Purpose & Motivation

The SEAF was introduced in 3GPP Release 15 as part of the new 5G security architecture to address limitations of previous generations, particularly 4G EPS. In EPS, the MME in the serving network acted as the security endpoint, which created a complex key hierarchy and potential vulnerabilities during inter-MME handovers. The primary motivation for SEAF was to provide a dedicated, stable security anchor in the serving network that is separate from the mobility management function (AMF). This separation of concerns enhances security by isolating the long-term anchor key (K_SEAF) and simplifies key management during mobility events. It solves the problem of key chaining and reduces the attack surface by localizing the primary security context. Furthermore, the SEAF design supports the 5G requirement for serving network visibility and control over authentication, which is essential for regulatory compliance and enabling new business models like network slicing, where each slice may require independent security anchoring from the serving network's perspective.

Key Features

  • Acts as the security termination point in the serving network for 5G AKA
  • Derives the anchor key (K_SEAF) from the home network key (K_AUSF)
  • Orchestrates primary authentication by interfacing with the home network ARPF/UDM
  • Enables derivation of NAS security keys (K_AMF) for securing signaling with the AMF
  • Supports re-authentication and key refresh procedures locally within the serving network
  • Facilitates security context separation for network slicing
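The key chain described above (K_AUSF to K_SEAF to K_AMF), as an added example that is not code from this page or from 3GPP. It implements the generic 3GPP key derivation function of TS 33.220 Annex B.2 (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ...) with the FC values and input parameters that TS 33.501 Annex A assigns to K_SEAF (FC 0x6C, serving network name) and K_AMF (FC 0x6D, SUPI and ABBA). The 256-bit K_AUSF, the PLMN identity and the SUPI are constructed sample values; the use of the bare IMSI digit string as the SUPI input and the ABBA value 0x0000 are assumptions made here.

```python
import hashlib
import hmac

# Generic 3GPP KDF (TS 33.220 Annex B.2):
#   derived key = HMAC-SHA-256(Key, S), with S = FC || P0 || L0 || P1 || L1 || ...
# Each Li is the 2-byte big-endian length of the preceding Pi.
def build_s(fc: int, *params: bytes) -> bytes:
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    return hmac.new(key, build_s(fc, *params), hashlib.sha256).digest()


def serving_network_name(mcc: str, mnc: str) -> str:
    # TS 33.501 Annex A.4: "5G:mnc<MNC>.mcc<MCC>.3gppnetwork.org", MNC zero-padded to 3 digits.
    return f"5G:mnc{int(mnc):03d}.mcc{mcc}.3gppnetwork.org"


def derive_k_seaf(k_ausf: bytes, snn: str) -> bytes:
    # TS 33.501 Annex A.6: FC = 0x6C, P0 = serving network name.
    # Binding the derivation to the serving network name is what roots K_SEAF in the
    # serving network: a K_SEAF derived for one PLMN is useless in any other.
    return kdf(k_ausf, 0x6C, snn.encode("utf-8"))


def derive_k_amf(k_seaf: bytes, supi: str, abba: bytes = b"\x00\x00") -> bytes:
    # TS 33.501 Annex A.7: FC = 0x6D, P0 = SUPI, P1 = ABBA parameter.
    # Assumption: the SUPI is passed as its character-string form (IMSI digits);
    # ABBA 0x0000 is the baseline value.
    return kdf(k_seaf, 0x6D, supi.encode("utf-8"), abba)


def derive_anchor_keys(k_ausf: bytes, mcc: str, mnc: str, supi: str) -> dict:
    # Full chain as the serving network sees it: K_AUSF stays with the home network's
    # AUSF; only K_SEAF is handed to the serving network anchor, which derives K_AMF.
    snn = serving_network_name(mcc, mnc)
    k_seaf = derive_k_seaf(k_ausf, snn)
    k_amf = derive_k_amf(k_seaf, supi)
    return {"snn": snn, "k_seaf": k_seaf, "k_amf": k_amf}


if __name__ == "__main__":
    # Constructed sample values (not from the page): a 256-bit K_AUSF, the test PLMN 001/01
    # and a test IMSI. Real keys come out of the home network's authentication vector.
    K_AUSF = bytes.fromhex("0f" * 32)
    keys = derive_anchor_keys(K_AUSF, "001", "01", "001010123456789")
    print("SNN   :", keys["snn"])
    print("K_SEAF:", keys["k_seaf"].hex())
    print("K_AMF :", keys["k_amf"].hex())
    # Same K_AUSF, different serving network: a different anchor key.
    other = derive_k_seaf(K_AUSF, serving_network_name("001", "02"))
    print("K_SEAF differs for another PLMN:", other != keys["k_seaf"])
```

The point worth checking in a real deployment is the one the last lines demonstrate: because the serving network name is an input to the K_SEAF derivation, the home network can hand out a serving-network-specific anchor without ever exposing K_AUSF, and a key refresh or re-authentication in the serving network only needs K_SEAF and values that the serving network already holds.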

Evolution Across Releases

Rel-15 Initial

Introduced as a new sub-function of the AUSF within the 5G Core security architecture. Defined its role in the 5G AKA procedure, establishing the K_SEAF as the serving network anchor key and specifying interfaces like Nausf for communication with the AMF.

Enhanced support for integrated access and backhaul (IAB) and non-3GPP access (e.g., WLAN) by clarifying SEAF's role in authentication over these accesses. Introduced refinements for edge computing security contexts.

Extended SEAF functionalities to support enhanced authentication methods and identity privacy for IoT devices. Provided further specifications for network slicing isolation, ensuring slice-specific security anchoring.

Strengthened security for AI/ML service exposure and continued enhancements for massive IoT scenarios. Clarified procedures for secondary authentication where the SEAF interacts with external authentication servers.

Further evolution to support advanced network automation and zero-touch security management. Enhanced capabilities for seamless authentication in non-terrestrial networks (NTN) and 5G-Advanced systems.

Ongoing work to integrate with 6G foundational security concepts, including post-quantum cryptography readiness and enhanced privacy for immersive services. Continued refinement for extreme mobility and ubiquitous coverage scenarios.

Defining Specifications

Specification    Title
TS 23.501        3GPP TS 23.501
TS 29.509        3GPP TS 29.509
TS 33.501        3GPP TS 33.501
TR 33.741        3GPP TR 33.741
TR 33.835        3GPP TR 33.835
TR 33.841        3GPP TR 33.841