XMAC-A

Expected Message Authentication Code for Authentication

Security
Introduced in Rel-8
XMAC-A is a security value computed during the EPS Authentication and Key Agreement (AKA) procedure. The UE calculates XMAC-A and compares it with the MAC-A value received from the network within the authentication token (AUTN). A match authenticates the network to the UE, ensuring the connection is established with a legitimate operator network.

Description

XMAC-A (Expected MAC for Authentication) is a pivotal parameter in the Evolved Packet System (EPS) Authentication and Key Agreement (AKA) protocol, which is used in 4G LTE and 5G NSA/SA networks. It is generated by the User Equipment (UE), specifically within its secure module (like the USIM or a similar tamper-resistant element), during the primary authentication procedure. When the UE receives an authentication request from the Mobility Management Entity (MME) or Access and Mobility Management Function (AMF), it contains a random challenge (RAND) and an authentication token (AUTN).

The calculation of XMAC-A employs a cryptographic algorithm, such as the MILENAGE suite standardized by 3GPP. The UE uses its long-term shared secret key (K), which is stored securely and is known only to the UE and its home network's Authentication Centre (AuC), along with the received RAND and the Sequence Number (SQN) extracted from the AUTN. These elements are fed into the MAC generation function (f1). The output of this computation is the XMAC-A. The security-critical action is a comparison: the UE parses the AUTN to obtain the network-provided MAC-A and compares it byte-for-byte with its locally computed XMAC-A. If they are identical, the UE has cryptographically verified that the authentication request originated from a network entity that possesses the correct secret key K, thereby authenticating the network.

This process is the user's side of the mutual authentication exchange in EPS AKA. The network authenticates the user by comparing the received response (RES) with its expected response (XRES). Conversely, the user authenticates the network via the XMAC-A/MAC-A check. This two-way handshake is fundamental to the trust model of 4G/5G networks, thwarting impersonation attacks. The entire computation and comparison are designed to occur in a secure environment (e.g., on the UICC/USIM) to shield the secret key K from potential compromise by software on the main device processor.

Specification TS 33.105 details the security algorithms, including the mathematical definition of the functions used to compute XMAC-A. It ensures algorithmic interoperability between all UEs and network AuCs globally. The robustness of this mechanism underpins the initial attachment procedure, ensuring that a UE only derives subsequent session keys (CK, IK, Kasme) and proceeds with registration after confirming it is communicating with a valid network authorized by its home operator.

Purpose & Motivation

XMAC-A exists to provide mutual authentication within the EPS security framework, continuing and enhancing the security principles established in 3G UMTS. Its primary purpose is to allow the UE to cryptographically verify the identity of the network it is attempting to connect to, solving the problem of one-sided authentication. Without this, a UE could be tricked into attaching to a rogue network node, leading to privacy breaches, traffic interception, or denial of service.

The problem it addresses is central to establishing trust in a cellular network. In the EPS architecture, where the core network (EPC) may involve roaming between multiple operators, it is crucial for the user's device to confirm that the serving network (e.g., a visited MME) is acting with the authority of the home network. The XMAC-A verification provides this assurance by proving the serving network possesses credentials (derived from K) that only the legitimate home operator could have provided.

Its development was motivated by the need for a strong, standardized authentication mechanism for the new Evolved Packet Core (EPC) defined in 3GPP Release 8. While based on the 3G AKA concept, EPS AKA and its XMAC-A parameter were specified to integrate seamlessly with the new network entities like the MME and HSS. The specification in TS 33.105 provided a clear, algorithm-agnostic framework, with MILENAGE as the standard example, ensuring all implementations could interoperate securely and form the foundation for key derivation for NAS and AS security.

Key Features

  • Core element of EPS AKA for network authentication by the UE
  • Computed by the UE's secure module using the long-term key K
  • Utilizes the RAND, SQN, and key K as inputs to the f1 function
  • Directly compared with the MAC-A value received in the AUTN
  • Verification is a prerequisite for deriving session keys (CK, IK, Kasme)
  • Specified in 3GPP TS 33.105 for algorithmic interoperability

Evolution Across Releases

Rel-8 Initial

XMAC-A was introduced with the EPS Authentication and Key Agreement (AKA) protocol in Release 8, as part of the new LTE/EPC security architecture defined in TS 33.105. This initial specification established its role in mutual authentication, defining it as the value computed by the UE for comparison with the network's MAC-A to authenticate the network, using the new key hierarchy leading to Kasme.

TS 33.105

Defining Specifications

SpecificationTitle
TS 33.105 3GPP TR 33.105