Description
The Signalling Protection Key (SPK) is a security key introduced in 5G to provide targeted protection for certain non-access stratum (NAS) signaling messages that carry sensitive network management instructions to the User Equipment (UE). It is distinct from the primary authentication and key agreement keys (like K_AUSF) and is derived specifically for securing the delivery of Steering of Roaming (SoR) and UE Parameters Update (UPU) information. The SPK is generated by the network's Authentication Server Function (AUSF) and securely provisioned to both the Unified Data Management (UDM) function, which originates the protected information, and the UE.
The derivation of the SPK occurs during the primary authentication procedure. The AUSF calculates it using the anchor key K_AUSF, a specific string label ("N5G-SOR"), and other parameters like the serving network name. This key is then sent to the UDM. When the UDM needs to send an SoR or UPU message to the UE, it uses the SPK to compute a message authentication code (MAC) for integrity protection and may use it for encryption. The protected message, along with the MAC, is sent via the AMF to the UE. The UE, which has independently derived the same SPK using its stored K_AUSF and the received parameters, can verify the MAC (and decrypt if needed). This proves the message originated from the home network's authorized UDM and was not tampered with.
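As an added illustration (not text from the page or 3GPP's own specifications), the Python sketch below walks through the flow just described: the AUSF and UE each derive the SPK from K_AUSF, the "N5G-SOR" label and the serving network name, the UDM computes a MAC over a SoR payload, and the UE re-derives the key to verify it and rejects a tampered list, a replay, and a message bound to a different serving network. The HMAC-SHA-256 key derivation, the payload encoding and the replay counter are assumptions standing in for the 3GPP KDF and message format, which the page does not detail.

```python
import hashlib
import hmac

# Constructed sample values; not taken from any real network or specification.
K_AUSF = bytes.fromhex("00" * 16 + "ff" * 16)          # 256-bit anchor key
SERVING_NETWORK = "5G:mnc001.mcc001.3gppnetwork.org"  # serving network name


def kdf(key, label, *params):
    """HMAC-SHA-256 over the label plus length-prefixed parameters.
    Assumption: stands in for the 3GPP KDF, which the page does not spell out."""
    s = label.encode()
    for p in params:
        s += len(p).to_bytes(2, "big") + p
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_spk(k_ausf, serving_network_name):
    """AUSF side, and independently the UE side: SPK from K_AUSF + label + SN name."""
    return kdf(k_ausf, "N5G-SOR", serving_network_name.encode())


def encode_sor(counter, plmn_list):
    """Assumed SoR payload layout: 2-byte replay counter followed by the PLMN list."""
    return counter.to_bytes(2, "big") + ",".join(plmn_list).encode()


def udm_protect(spk, counter, plmn_list):
    """UDM side: integrity-protect the SoR payload with the SPK; returns (payload, mac)."""
    payload = encode_sor(counter, plmn_list)
    return payload, hmac.new(spk, payload, hashlib.sha256).digest()


def ue_verify(k_ausf, serving_network_name, payload, mac, last_counter):
    """UE side: re-derive the SPK, compare the MAC in constant time, reject replays."""
    spk = derive_spk(k_ausf, serving_network_name)
    expected = hmac.new(spk, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False
    return int.from_bytes(payload[:2], "big") > last_counter


def demo():
    """Genuine message verifies; tampering, replay and a wrong serving network fail."""
    spk = derive_spk(K_AUSF, SERVING_NETWORK)
    payload, mac = udm_protect(spk, 1, ["00101", "00102"])
    tampered = payload[:2] + b"99999"  # substituted preferred-PLMN list
    return {
        "genuine": ue_verify(K_AUSF, SERVING_NETWORK, payload, mac, 0),
        "tampered": ue_verify(K_AUSF, SERVING_NETWORK, tampered, mac, 0),
        "replayed": ue_verify(K_AUSF, SERVING_NETWORK, payload, mac, 1),
        "other_sn": ue_verify(K_AUSF, "5G:mnc999.mcc999.3gppnetwork.org", payload, mac, 0),
    }
```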
This mechanism is crucial because SoR and UPU messages have the power to modify the UE's behavior. An SoR message can update the UE's list of preferred Public Land Mobile Networks (PLMNs) for roaming, while a UPU message can update configuration parameters such as the IMSI of an embedded SIM (eSIM). Without cryptographic protection, a malicious actor could forge such messages to steer a UE to a rogue network or alter its subscription details. The SPK provides a layer of end-to-end security between the UDM and the UE that is independent of the NAS security context established between the UE and the AMF, ensuring the home network's direct control over these critical procedures.
Purpose & Motivation
The SPK was created to address a security gap in the management of roaming and subscriber parameters in 5G. In previous generations, mechanisms like Steering of Roaming often relied on less secure methods or were not cryptographically verified from the home network directly to the UE. As 5G enables more dynamic network steering and remote SIM provisioning (e.g., for IoT devices), the risk of attackers intercepting or injecting fraudulent management commands increased. A compromised or fake SoR message could, for example, steer millions of devices to a malicious network for eavesdropping.
The motivation for SPK stems from the 5G security principle of providing service-based, granular security. While primary authentication secures the initial link, and NAS security protects general signaling, specific procedures with high impact required dedicated, verifiable home network control. The SPK mechanism ensures that only the legitimate home network operator, through its UDM, can issue authoritative SoR and UPU commands. This protects both the subscriber from fraud and the operator from losing control over their subscribers' roaming behavior or subscription data. It is a key enabler for secure, policy-driven mobility and remote device management in 5G, particularly for IoT deployments where manual intervention is impossible.
Key Features
- Dedicated key for protecting Steering of Roaming (SoR) messages
- Also used for UE Parameters Update (UPU) security
- Derived from the 5G anchor key K_AUSF during authentication
- Provisioned to the UDM in the home network and the UE
- Enables integrity protection (MAC) and confidentiality for sensitive NAS signaling
- Provides end-to-end security between UDM and UE, independent of serving network
Evolution Across Releases
Introduced the concept of the Subscription Identifier Privacy (SUPI) and initial mechanisms for privacy, with early work on secure steering. While SPK itself is more firmly defined in later 5G releases, foundational security studies for protecting network-originated signaling began in this release, setting the stage for dedicated key derivation.
Formally defined the SPK and its derivation procedure within the 5G security architecture (TS 33.501). Specified its use for protecting SoR information, detailing how the AUSF generates the SPK and provides it to the UDM, and how the UE derives the same key for verification.
Extended the use of the SPK to also protect UE Parameters Update (UPU) procedures, enhancing its role in secure remote subscription management. Further refined the key derivation details and the signaling flows for both SoR and UPU with SPK-based protection.
Defining Specifications
| Specification | Title |
|---|---|
| TS 24.281 | 3GPP TS 24.281 |
| TS 24.282 | 3GPP TS 24.282 |
| TS 24.379 | 3GPP TS 24.379 |
| TS 24.380 | 3GPP TS 24.380 |
| TS 24.582 | 3GPP TS 24.582 |
| TS 29.380 | 3GPP TS 29.380 |
| TS 29.582 | 3GPP TS 29.582 |
| TS 33.179 | 3GPP TR 33.179 |
| TS 33.180 | 3GPP TR 33.180 |
| TS 33.880 | 3GPP TR 33.880 |
| TS 37.579 | 3GPP TR 37.579 |