UPU

UE Parameters Update

Introduced in Rel-15

UPU is a 5G security procedure where the network updates sensitive authentication parameters in the UE's USIM, triggered by policy changes or compromised credentials to ensure key freshness.

Category: Security
Introduced: Rel-15
Where: Core Network › 5G Core
Specifications: 3 specs

Description

The UE Parameters Update (UPU) is a critical security maintenance procedure defined in the 5G System (5GS). Its primary function is to allow the network's Authentication Server Function (AUSF), in conjunction with the Unified Data Management (UDM), to proactively and securely update the authentication credentials stored within a UE's USIM application. The key parameters subject to update are the long-term secret key (K) and the associated sequence number (SQN) used in the 5G Authentication and Key Agreement (5G-AKA) and Extensible Authentication Protocol (EAP)-AKA' protocols. The procedure is architecturally centered on the AUSF, which generates the new cryptographic material, and the UDM, which stores the subscriber's authentication credentials.

The UPU procedure is initiated by the AUSF/UDM, typically based on operator security policies—such as periodic key rotation, detection of potential credential compromise, or a change in cryptographic algorithms. The network sends a UPU message to the UE, transported securely via the serving AMF over the N1 reference point. This message contains the new authentication parameters (the new key K_new and SQN) encrypted and integrity-protected using security keys derived from the *current* credentials shared between the USIM and the UDM. This ensures that only the legitimate UE can decrypt and process the update. Crucially, the message includes a MAC (Message Authentication Code) that the UE verifies.

Upon receipt, the UE's USIM verifies the MAC. If valid, it replaces the old key (K) and SQN with the new values. The USIM then sends a confirmation back to the network. This entire transaction occurs transparently to the user and the UE's main processor, as it is handled within the secure environment of the USIM. Specifications 29.509 and 29.573 detail the service-based interfaces (Nausf_UEAuthentication, Nudm_UEAuthentication) used for this process, while 33.701 covers the security architecture and procedures. The UPU mechanism ensures that the fundamental root of trust for network access can be renewed without requiring physical SIM replacement, thereby maintaining the long-term security integrity of the subscriber identity.

Purpose & Motivation

UPU was introduced in 5G Release 15 to address a significant security limitation in previous cellular generations: the static nature of the long-term secret key (K) stored on the SIM/USIM. In 2G, 3G, and 4G, this key was typically provisioned once and never changed throughout the subscription's lifetime unless the physical SIM card was replaced. This static nature created risks, including the potential for key compromise through cryptographic attacks over time (key wear-out) and the inability to efficiently respond if a key was suspected to be breached.

The creation of UPU solves these problems by enabling remote, over-the-air rekeying of this foundational secret. This is motivated by the need for stronger, proactive security in 5G, which supports critical infrastructure and services. UPU allows operators to enforce key rotation policies, mitigating the risk of attacks that exploit long-term key usage. It also provides an efficient remediation path if a particular key generation algorithm is found to be weak or if a specific batch of credentials is potentially compromised, without the logistical and customer experience nightmare of mass SIM card replacement. It represents a shift towards a dynamic, manageable security lifecycle for subscriber credentials.

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (66 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Rel-15 (4 changes)

In Release 15, the UPU (UE Parameters Update) function was newly introduced as a service of the Authentication Server Function (AUSF) to protect UE Parameters Update Data. This is implemented via the Nausf_UPUProtection service, where a service consumer like the UDM can request the AUSF to compute security material, specifically the UPU-MAC-I AUSF and Counter UPU, to protect the update procedure from tampering, and optionally the UPU-XMAC-I UE for UE acknowledgement verification.

  • API version number update (TS 29.509 CR0021)
  • UE parameters update support (indicated as C4-190618 + C4-190618_rev7I) (TS 29.509 CR0046)
  • 3GPP TS 29.509 API version update (TS 29.509 CR0050)
  • 3GPP TS 29.573 API version update (TS 29.573 CR0016)
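
The protection material named above (UPU-MAC-I AUSF, Counter UPU, UPU-XMAC-I UE) can be followed end to end in the sketch below, which is an added example and not code from this page or from 3GPP. The key, the payload, the FC constants, the KDF input layout, the 128-bit truncation and the UE's counter policy are assumptions of the example; take the normative values from the 3GPP security specification.

```python
import hashlib
import hmac

# Assumed FC constants for this sketch; take normative values from the spec.
FC_UPU_MAC_AUSF = 0x7B
FC_UPU_MAC_UE = 0x7C

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP-style KDF: HMAC-SHA-256 over FC || P0 || L0 || P1 || L1."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def upu_mac_ausf(key: bytes, upu_data: bytes, counter: int) -> bytes:
    """Network side: MAC over the update data and Counter UPU (low 128 bits)."""
    return kdf(key, FC_UPU_MAC_AUSF, upu_data, counter.to_bytes(2, "big"))[-16:]

def upu_mac_ue(key: bytes, counter: int) -> bytes:
    """Acknowledgement MAC the UE returns; the network precomputes it as XMAC."""
    return kdf(key, FC_UPU_MAC_UE, b"\x01", counter.to_bytes(2, "big"))[-16:]

class Ue:
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # highest Counter UPU accepted so far

    def receive(self, upu_data: bytes, counter: int, mac: bytes):
        """Return the acknowledgement MAC, or None when the update is rejected."""
        if counter <= self.last_counter:
            return None  # stale or replayed counter (assumed UE policy)
        expected = upu_mac_ausf(self.key, upu_data, counter)
        if not hmac.compare_digest(mac, expected):
            return None  # data or MAC modified in transit
        self.last_counter = counter
        return upu_mac_ue(self.key, counter)

def demo() -> dict:
    key = bytes(range(32))           # constructed key shared by network and UE
    data = b"constructed-upu-data"   # constructed payload, not a real container
    ue, counter = Ue(key), 1
    mac = upu_mac_ausf(key, data, counter)
    xmac = upu_mac_ue(key, counter)  # kept by the network to check the ack
    return {
        "tampered": ue.receive(data + b"!", counter, mac),
        "ack_matches": ue.receive(data, counter, mac) == xmac,
        "replayed": ue.receive(data, counter, mac),
    }
```

Calling `demo()` runs a tampered delivery, a genuine delivery and a replay of the genuine message against one UE. Only the genuine delivery yields an acknowledgement that matches the value the network precomputed.
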

Rel-16 (18 changes)

In Release 16, the UPU function was enhanced by introducing a new, dedicated AUSF service for UPU protection. This service allows a network function like the UDM to request the AUSF to compute security material, specifically the UPU-MAC-I AUSF and Counter UPU, to protect UE Parameters Update Data from tampering. Furthermore, the service can optionally generate a UPU-XMAC-I UE to enable verification that the UE correctly received the update data.

  • 3GPP TS 29.509 API version update (TS 29.509 CR0060)
  • API version and ExternalDocs update (TS 29.509 CR0066)
  • Add UPU protection in AUSF functionality (TS 29.509 CR0072)
  • 3GPP TS 29.509 API version update (TS 29.509 CR0074)
  • AUSF service update for the authentication result removal (TS 29.509 CR0083)
  • 3GPP TS 29.509 Rel16 API version and External doc update (TS 29.509 CR0084)

+ 12 more changes

Rel-17 (15 changes)

In Release 17, the UPU function was enhanced by introducing a new "UPU Transparent Container" capability for encoding UE Parameters Update Data and by defining a specific "UPU Header" to be used as an input for security calculations. Furthermore, the AUSF's service operation for UPU protection was updated to explicitly support the generation of a UPU-XMAC-I UE for end-to-end acknowledgement verification from the UE, in addition to the existing UPU-MAC-I AUSF and Counter UPU security material. These updates were accompanied by corresponding API version advancements for the relevant service-based interfaces.

  • UPU Transparent Container (TS 29.509 CR0162)
  • API Version and External Doc Update (R17) (TS 29.509 CR0112)
  • 29.509 Rel-17 API version and External Doc update (TS 29.509 CR0121)
  • 29.509 Rel-17 API version and External doc update (TS 29.509 CR0126)
  • 29.509 Rel-17 API version and External doc update (TS 29.509 CR0132)
  • 29.509 Rel-17 API version and External doc update (TS 29.509 CR0155)

+ 9 more changes

Rel-18 (18 changes)

In Release 18, the UPU function was enhanced to support the authentication of AUN3 devices behind a 5G-RG by updating the description of the MSK. Furthermore, the release included updates to the Nausf_UPUProtection service API (TS 29.509) and the N32-f interface for TLS-related sub-clauses, alongside general API version and documentation updates for multiple technical specifications.

  • Update the reference model (TS 29.509 CR0195)
  • Update the description of MSK to support authentication for AUN3 devices behind 5G-RG (TS 29.509 CR0200)
  • 29.509 Rel-18 API version and External doc update (TS 29.509 CR0186)
  • 29.509 Rel-18 API version and External doc update (TS 29.509 CR0198)
  • 29.509 Rel-18 API version and External doc update (TS 29.509 CR0203)
  • 29.509 Rel-18 API version and External doc update (TS 29.509 CR0208)

+ 12 more changes

Rel-19 (11 changes)

In Release 19, the primary updates for the UPU function were focused on API maintenance, including updates to the API version and external documentation references for services like Nausf_UPUProtection. The technical procedures for protecting UE Parameters Update Data, such as the AUSF computing the UPU-MAC-I AUSF, Counter UPU, and UPU-XMAC-I UE, remained functionally consistent with the established framework.

  • Replacing the RFC reference with the updated one (TS 29.509 CR0226)
  • 29.509 Rel-19 API version and External doc update (TS 29.509 CR0232)
  • 29.509 Rel-19 API version and External doc update (TS 29.509 CR0234)
  • 29.509 Rel-19 API version and External doc update (TS 29.509 CR0236)
  • 29.509 Rel-19 OpenAPI version and ExternalDocs Update CRs (TS 29.509 CR0247)
  • Updates of the Roaming Intermediary Procedures (TS 29.573 CR0222)

+ 5 more changes

Defining Specifications

3GPP specifications that define or reference UPU, with the latest known release. Sourced from the 3GPP document catalog.

| Specification | Title | Release |
|---|---|---|
| TS 29.509 vj50 | AUSF Service Based Interface Protocol | Rel-19 |
| TS 29.573 vj50 | PLMN/SNPN Interconnection Interface Stage 3 | Rel-19 |
| TS 33.701 vj00 | Study on mitigations against bidding down attacks | Rel-19 |