A subscriber's authentication subscription data, including the subscriber's long-term key(s) and sequence number, shall be stored in a single repository so that a single sequence number can be maintained for the subscriber. The subscriber's long-term key(s) shall not be transferred over the NU1 reference point between HSS and UDM. Also it is not expected that the UDM has direct standardized access to the EPS-UDR. Therefore, the following options exist for subscribers with both 5G and EPS subscription:

1. Authentication subscription data are stored in the EPS-UDR and all authentication vectors are calculated in the HSS. Subscription data stored in the 5GS-UDR or locally configured in the UDM indicate that the UDM needs to consume the Nhss_UEAuthentication_Get service operation to retrieve a 5G vector from the HSS. See clause 5.2.2 for details.
2. Authentication subscription data are stored in the 5GS-UDR and all authentication vectors are calculated in the UDM. Subscription data stored in the EPS-UDR or locally configured in the HSS indicate that the HSS needs to consume the Nudm_UEAuthentication_GetHssAv service operation to retrieve an EPS vector from the UDM. See clause 5.2.3 for details.
3. Authentication subscription data are stored in the 5GS-UDR, 5G vectors are calculated in the UDM and EPS vectors are calculated in the HSS. Subscription data stored in the EPS-UDR or locally configured in the HSS indicate that the HSS needs to consume the Nudr_DM_Query service operation to retrieve authentication subscription data from the 5GS-UDR. See clause 5.2.4 for details.

The following clauses specify the system procedures for these different alternatives.

This clause specifies the procedures for authentication vector request when the subscriber's authentication subscription data is stored at the EPS-UDR. In this case, the UDM requests the generation of the Authentication Vector for 5GS to the HSS. When the UDM receives an authentication information Request from the AUSF it shall check (by means of an 5GS-UDR query or local configuration in the UDM) whether the subscribed authentication method is 5G_AKA or EAP_AKA_PRIME and if so whether 5G authentication vector generation for the identified subscriber shall be done in the HSS. If so, the UDM shall make use of the Nhss_UEAuthentication_Get service operation to retrieve a 5G authentication vector from the HSS. Figure 5.2.2-1 shows the scenario where the authentication vector request for a 5G subscriber who also has an EPS subscription is received by the UDM.

This clause specifies the procedures for authentication vector request when the subscriber's authentication subscription data is stored at the 5GS-UDR. In this case, the HSS requests the generation of the Authentication Vector for EPS and/or IMS to the UDM. When the HSS receives an authentication vector request from a serving node (e.g. MME, SGSN, VLR, S-CSCF, BSF) it shall check (by means of an EPC-UDR query) whether authentication vector generation for the identified subscriber shall be done in the UDM. If so, the HSS shall make use of the Nudm_UEAuthentication GetHssAv service operation to retrieve authentication vectors from the UDM. Figure 5.2.3-1 shows the scenario where an authentication vector request for a subscriber is received by the HSS and subscription data stored in the EPS-UDR indicate that for the subscriber authentication vector generation is to be performed in the UDM.

When the HSS receives an S6a-AIR from the MME, it may check (by means of an EPC-UDR query) whether the subscriber has an 5G subscription. If so, the HSS can use of the Nudr_DM_Query Get service operation to retrieve the authentication subscription data from the 5GS UDR and generate the authentication vector. Figure 5.2.4-1 shows the scenario where the authentication vector request for a 5G subscriber who also has an EPS subscription is received by the UDM.