USS

User Security Settings

Security
Introduced in Rel-7
A subset of the Generic User Security Settings (GUSS) containing security-related subscription data for a user. It is used for authentication and key agreement procedures, enabling secure access to network services. Its management is crucial for subscriber security and service continuity.

Description

User Security Settings (USS) is a critical component within the 3GPP security architecture, specifically defined as part of the Generic User Security Settings (GUSS) framework. It represents a collection of security-related subscription parameters associated with a specific user. These settings are stored in the user's home network, typically within the Home Subscriber Server (HSS) or a Unified Data Management (UDM) function in 5G systems. The USS contains essential data required for authentication and key agreement (AKA) procedures, such as the long-term secret key (K), authentication algorithms (e.g., MILENAGE, TUAK), and key derivation parameters. When a user attempts to access the network, the serving network (e.g., VLR, SGSN, MME, AMF) requests authentication vectors from the home network. The home network uses the USS to generate these vectors, which include a random challenge (RAND), an expected response (XRES), a cipher key (CK), an integrity key (IK), and an authentication token (AUTN). The serving network then uses these vectors to challenge the user equipment (UE) and establish secure ciphering and integrity protection keys for the session.

The architecture for USS management involves interfaces between the HSS/UDM and other network functions. In legacy systems, the USS is accessed via the MAP or Diameter-based interfaces (e.g., Cx, S6a, S6d). In 5G, the UDM provides USS data to the Authentication Server Function (AUSF) and the Access and Mobility Management Function (AMF) via the Nudm service-based interface. The USS is not a monolithic block but can be structured to support different authentication methods and services. For instance, it may contain separate settings for 3G/4G AKA and 5G AKA, or for authentication to the IP Multimedia Subsystem (IMS). This modularity allows the network to apply appropriate security mechanisms based on the access technology and requested service.

The role of USS in the network is foundational for subscriber security. It ensures that each user is uniquely authenticated and that subsequent communications are protected. The integrity and confidentiality of the USS data are paramount, as compromise would allow impersonation and eavesdropping. Network functions never receive the long-term secret key (K) itself; instead, they receive derived authentication vectors, following the principle of never exposing the root secret outside the home domain. The USS also supports features like key freshness and sequence number management to prevent replay attacks. Its proper configuration and synchronization across network elements are essential for preventing authentication failures and service disruptions.
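The vector generation described two paragraphs up and the root-secret, key-freshness and replay points in this one, as an added example that is not code from this page or from 3GPP: MILENAGE (the AES-based f1..f5 functions, with the r1..r5 rotation and c1..c5 constant values from TS 35.206) is used to build one authentication vector on the home-network side and to verify it on the UE side. The sample K, OP, RAND, SQN and AMF are the public TS 35.207 test set 1 values, standing in for a subscriber's USS contents; the function names GenerateAV and USIMVerify and the AuthVector type are this example's own, and the SQN freshness rule is a simplified strictly-increasing check, not the full TS 33.102 Annex C window scheme.

```go
// Added example, not code from this page or from 3GPP: MILENAGE-based AKA
// vector generation (home-network side) and AUTN verification (UE side) with
// Go's standard-library AES. r1..r5 and c1..c5 follow TS 35.206; the sample
// inputs are TS 35.207 test set 1. The SQN freshness rule is a simplified
// strictly-increasing check, not the full TS 33.102 Annex C window scheme.
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// AuthVector is what the home network hands to the serving network: never K.
type AuthVector struct{ RAND, XRES, CK, IK, AUTN []byte }

var ErrMAC = errors.New("MAC failure: AUTN was not produced with this subscriber's USS")
var ErrSync = errors.New("synchronisation failure: SQN not fresh (possible replay)")

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// rotl rotates a 16-byte block left by n bytes (r1..r5 are whole bytes).
func rotl(x []byte, n int) []byte { return append(append([]byte{}, x[n:]...), x[:n]...) }

func aesEncrypt(k, in []byte) []byte {
	c, err := aes.NewCipher(k)
	if err != nil {
		panic(err) // K must be 16 bytes
	}
	out := make([]byte, 16)
	c.Encrypt(out, in)
	return out
}

// ComputeOPc derives OPc = OP XOR E_K(OP), the per-subscriber value an operator stores instead of OP.
func ComputeOPc(k, op []byte) []byte { return xor(op, aesEncrypt(k, op)) }

// Milenage evaluates f1..f5 for one challenge: MAC-A, RES, CK, IK, AK.
func Milenage(k, opc, rand, sqn, amf []byte) (macA, res, ck, ik, ak []byte) {
	temp := aesEncrypt(k, xor(rand, opc))
	in1 := append(append(append(append([]byte{}, sqn...), amf...), sqn...), amf...)
	out := func(in []byte, c byte) []byte { // E_K(in XOR cN) XOR OPc; cN sits in the last byte
		in = append([]byte{}, in...)
		in[15] ^= c
		return xor(aesEncrypt(k, in), opc)
	}
	out1 := out(xor(temp, rotl(xor(in1, opc), 8)), 0x00) // r1=64 bits, c1=0 -> f1 (MAC-A)
	t := xor(temp, opc)
	out2 := out(rotl(t, 0), 0x01) // r2=0,  c2=1 -> f2 (RES) and f5 (AK)
	out3 := out(rotl(t, 4), 0x02) // r3=32, c3=2 -> f3 (CK)
	out4 := out(rotl(t, 8), 0x04) // r4=64, c4=4 -> f4 (IK)
	return out1[:8], out2[8:], out3, out4, out2[:6]
}

// GenerateAV is the HSS/UDM step: from the USS (K, OPc, SQN) and a fresh RAND it builds the vector; AUTN = (SQN XOR AK) || AMF || MAC-A.
func GenerateAV(k, opc, rand, sqn, amf []byte) AuthVector {
	macA, xres, ck, ik, ak := Milenage(k, opc, rand, sqn, amf)
	autn := append(append(xor(sqn, ak), amf...), macA...)
	return AuthVector{RAND: rand, XRES: xres, CK: ck, IK: ik, AUTN: autn}
}

// USIMVerify is the UE step: unmask SQN, check MAC-A, check freshness against
// the highest SQN already accepted (sqnMS), and only then release RES/CK/IK.
func USIMVerify(k, opc, rand, autn []byte, sqnMS uint64) (res, ck, ik []byte, sqn uint64, err error) {
	concSQN, amf, mac := autn[:6], autn[6:8], autn[8:16]
	_, _, _, _, ak := Milenage(k, opc, rand, make([]byte, 6), amf) // AK depends on RAND only
	sqnBytes := xor(concSQN, ak)
	macA, res, ck, ik, _ := Milenage(k, opc, rand, sqnBytes, amf)
	if subtle.ConstantTimeCompare(macA, mac) != 1 {
		return nil, nil, nil, 0, ErrMAC
	}
	sqn = binary.BigEndian.Uint64(append(make([]byte, 2), sqnBytes...))
	if sqn <= sqnMS {
		return nil, nil, nil, 0, ErrSync
	}
	return res, ck, ik, sqn, nil
}

func main() {
	k, _ := hex.DecodeString("465b5ce8b199b49faa5f0a2ee238a6bc") // TS 35.207 test set 1
	op, _ := hex.DecodeString("cdc202d5123e20f62b6d676ac72cb318")
	rand, _ := hex.DecodeString("23553cbe9637a89d218ae64dae47bf35")
	sqn, _ := hex.DecodeString("ff9bb4d0b607")
	amf, _ := hex.DecodeString("b9b9")
	opc := ComputeOPc(k, op)
	av := GenerateAV(k, opc, rand, sqn, amf)                          // home network
	res, _, _, newSQN, err := USIMVerify(k, opc, av.RAND, av.AUTN, 0) // UE
	fmt.Println("UE accepted AUTN:", err == nil, "RES == XRES:", subtle.ConstantTimeCompare(res, av.XRES) == 1)
	_, _, _, _, err = USIMVerify(k, opc, av.RAND, av.AUTN, newSQN) // same challenge replayed
	fmt.Println("replay rejected:", err)
}
```

Two design points are worth noting. K and OPc appear only inside GenerateAV (home network) and USIMVerify (USIM); the AuthVector that crosses to the serving network carries nothing from which they can be recovered, which is the "never expose the root secret outside the home domain" rule in code. On the UE side the MAC-A check comes before the SQN check and both comparisons are constant-time, so a tampered AUTN is rejected as a MAC failure while a genuine but re-sent challenge is rejected as a synchronisation failure; that second path is what the sequence-number management in the text exists for.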

Purpose & Motivation

The USS exists to provide a standardized, secure, and manageable repository for user-specific security credentials within 3GPP networks. Prior to its formalization within the GUSS concept, security settings were often tightly coupled with other subscriber data, making it difficult to manage authentication for multiple services (e.g., circuit-switched, packet-switched, IMS) independently. This could lead to inefficiencies and potential security gaps when introducing new authentication methods or services. The USS framework was created to decouple security settings from other subscription data, enabling more flexible and robust security management.

The primary problem it solves is the need for a consistent and reliable source of truth for user authentication parameters across different network domains and generations. It addresses the challenge of supporting heterogeneous access technologies (2G, 3G, 4G, 5G, non-3GPP) and service platforms (IMS, MMTEL) with a unified security data model. By having a dedicated USS, operators can update security algorithms or key materials for a user or a service without affecting other aspects of the subscription. This is crucial for phased rollouts of new security standards (e.g., moving from 4G EPS-AKA to 5G AKA) and for providing service-specific authentication, enhancing overall network security posture.

Historically, as networks evolved from single-service voice to multi-service converged IP networks, the limitations of monolithic subscriber data management became apparent. The creation of USS, particularly as part of GUSS from 3GPP Release 7 onwards, was motivated by the need for a modular, future-proof security substrate. It allows the network to authenticate a user once and then leverage those credentials for access to multiple services (single sign-on concept for network access), improving user experience while maintaining stringent security. It forms the bedrock for secure mobility and service continuity in modern cellular networks.

Key Features

  • Stores long-term secret key (K) and authentication algorithm configuration
  • Used to generate authentication vectors (RAND, AUTN, XRES, CK, IK) for AKA procedures
  • Supports multiple authentication methods (e.g., 3G AKA, EPS-AKA, 5G AKA, EAP-AKA')
  • Enables service-specific security settings within a single user subscription
  • Accessed by network functions via standardized interfaces (e.g., Cx, S6a, Nudm)
  • Foundational for ciphering and integrity key derivation in 3GPP systems

Evolution Across Releases

Rel-7 Initial

Initially introduced as a component of the Generic User Security Settings (GUSS) framework. It provided a structured way to store and manage user-specific security parameters separately from other subscription data, primarily to support authentication for the IP Multimedia Subsystem (IMS) and other services beyond traditional circuit/packet-switched access.

Defining Specifications

Specification   Title
TS 22.843       3GPP TS 22.843
TS 23.255       3GPP TS 23.255
TS 23.256       3GPP TS 23.256
TS 23.700       3GPP TS 23.700
TS 23.755       3GPP TS 23.755
TS 24.109       3GPP TS 24.109
TS 24.257       3GPP TS 24.257
TS 24.301       3GPP TS 24.301
TS 24.501       3GPP TS 24.501
TS 27.007       3GPP TS 27.007
TS 28.853       3GPP TS 28.853
TS 29.109       3GPP TS 29.109
TS 29.255       3GPP TS 29.255
TS 29.256       3GPP TS 29.256
TS 29.257       3GPP TS 29.257
TS 29.274       3GPP TS 29.274
TS 29.309       3GPP TS 29.309
TS 29.502       3GPP TS 29.502
TS 31.121       3GPP TR 31.121
TS 32.808       3GPP TR 32.808
TS 33.110       3GPP TR 33.110
TS 33.220       3GPP TR 33.220
TS 33.223       3GPP TR 33.223
TS 33.256       3GPP TR 33.256
TS 33.259       3GPP TR 33.259
TS 33.854       3GPP TR 33.854
TS 33.924       3GPP TR 33.924
TS 33.980       3GPP TR 33.980
TS 38.213       3GPP TR 38.213
TS 38.523       3GPP TR 38.523