The 5G authentication and key agreement protocols provide increased home control. Compared to EPS AKA in EPS, this provides better security useful in preventing certain types of fraud as explained in more detail below.
This increased home control comes in the following forms in 5GS:
- In the case of EAP-AKA', the AUSF in the home network obtains confirmation that the UE has been successfully authenticated when the EAP-Response/AKA'-Challenge received by the AUSF has been successfully verified, cf. the EAP-AKA' procedure in the present document.
- In the case of 5G AKA, the AUSF in the home network obtains confirmation that the UE has been successfully authenticated when the authentication confirmation received by the AUSF in the Nausf_UEAuthentication_Authenticate Request message has been successfully verified, cf. the 5G AKA procedure in the present document.
When 3GPP credentials are used in the above cases, the result is reported to the UDM. Details are described in the subclause below on linking authentication confirmation to the Nudm_UECM_Registration procedure.
The feature of increased home control is useful in preventing certain types of fraud, e.g. a fraudulent Nudm_UECM_Registration Request that registers, in the UDM, a serving AMF for a subscriber who is not actually present in the visited network. But an authentication protocol by itself cannot provide protection against such fraud. The authentication result needs to be linked in some way to subsequent procedures, e.g. the Nudm_UECM_Registration procedure from the AMF, to achieve the desired protection.
The actions taken by the home network to link authentication confirmation (or the lack thereof) to subsequent procedures are subject to operator policy and are not standardized.
Informative guidance is nevertheless given in the guidance subclause below as to what measures an operator could usefully take. Such guidance may help avoid a proliferation of different solutions.
The feature of increased home control is also used to allow the UDM to keep track of the AUSF that stores the KAUSF to be used during e.g. the control plane solution for Steering of Roaming (SoR) or the UE Parameter Update (UPU) procedure; i.e. the AUSF that stores the latest KAUSF generated after successful completion of the latest primary authentication reported to the UDM.
After the UDM is informed that the UE has been successfully (re-)authenticated, the UDM shall store the AUSF instance which reported the successful authentication. If the UDM has been previously informed that the UE was authenticated by a different AUSF instance, the UDM may request the old AUSF to clear the stale security parameters (KAUSF, SOR counter and UE parameter update counter). If the UDM determines to delete the security parameters in the old AUSF, then the UDM shall use the Nausf_UEAuthentication_deregister service operation (see clause 14.1.5).
The information sent from the AUSF to the UDM that a successful or unsuccessful authentication of a subscriber has occurred shall be used to link authentication confirmation to subsequent procedures. The AUSF shall use the Nudm_UEAuthentication_ResultConfirmation service operation for this purpose, as shown in the accompanying figure.
The AUSF shall inform UDM about the result and time of an authentication procedure with a UE using a Nudm_UEAuthentication_ResultConfirmation Request. This shall include the SUPI, a timestamp of the authentication, the authentication type (e.g. EAP method or 5G-AKA), and the serving network name.
Upon receiving subsequent UE-related requests (e.g. a Nudm_UECM_Registration Request from the AMF), the UDM may apply actions according to the home operator's policy to detect and achieve protection against certain types of fraud (e.g. as proposed in the guidance subclause below).
This subclause gives informative guidance on how a home operator could link authentication confirmation (or the lack thereof) to subsequent Nudm_UECM_Registration procedures from AMF to achieve protection against certain types of fraud, as mentioned in the preceding subclause.
Approach 1: The home network records the time of the most recent successfully verified authentication confirmation of the subscriber together with the identity of the 5G visited network that was involved in the authentication. When a new Nudm_UECM_Registration Request arrives from a visited network, the home network checks whether there is a sufficiently recent authentication of the subscriber by this visited network. If not, the Nudm_UECM_Registration Request is rejected. The rejection message may include, according to the home network's policy, an indication that the visited network should send a new Nausf_UEAuthentication_Authenticate Request (cf. subclause 6.1.2 of the present document) for fetching a new authentication vector before repeating the Nudm_UECM_Registration Request.
Approach 2: As a variant of Approach 1, Approach 2 is based on a more fine-grained policy applied by the home network. The home network could classify roaming partners into different categories, depending on the trust placed in them (e.g. derived from previous experience), for example as follows:
- For a visited network in the first category, the home network would require a successful authentication 'immediately preceding' the Nudm_UECM_Registration Request from an AMF.
- For a visited network in the second category, the home network would only check that an authentication in a network visited by the subscriber was sufficiently recent (taking into account that there may have been a security context transfer between the visited networks).
- For a visited network in the third category, the home network would perform no checks regarding Nudm_UECM_Registration Requests and authentication at all.
Further approaches are possible, depending on the home operator's policy.
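As an added example (not 3GPP text and not any vendor's implementation), the following Python sketch models the UDM-side logic described above: storing the Nudm_UEAuthentication_ResultConfirmation data together with the reporting AUSF instance, returning the stale AUSF whose parameters should be cleared with Nausf_UEAuthentication_deregister, and checking a later Nudm_UECM_Registration Request against the Approach 2 trust categories. The time windows, the category numbering, the serving network names and the default for unknown roaming partners are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical UDM-side model (added example, not 3GPP or vendor code); the windows, category numbering and unknown-partner default are assumptions.

@dataclass
class AuthRecord:
    timestamp: int        # time of the successful authentication (seconds)
    auth_type: str        # "5G-AKA" or "EAP-AKA'"
    serving_network: str  # serving network name of the visited network
    ausf_instance: str    # AUSF that reported the result and holds the latest KAUSF

@dataclass
class Udm:
    trust: dict                  # serving network name -> category 1, 2 or 3
    immediate_window: int = 30   # assumed policy: "immediately preceding"
    max_age: int = 300           # assumed policy: "sufficiently recent"
    records: dict = field(default_factory=dict)  # SUPI -> AuthRecord

    def result_confirmation(self, supi, success, ts, auth_type, sn_name, ausf):
        """Handle Nudm_UEAuthentication_ResultConfirmation from an AUSF.
        Returns the old AUSF instance whose stale KAUSF/SoR/UPU counters should be
        cleared via Nausf_UEAuthentication_deregister, or None."""
        if not success:
            return None               # failed authentications are recorded elsewhere, not linked
        old = self.records.get(supi)
        self.records[supi] = AuthRecord(ts, auth_type, sn_name, ausf)
        if old is not None and old.ausf_instance != ausf:
            return old.ausf_instance
        return None

    def uecm_registration(self, supi, sn_name, now):
        """Check a Nudm_UECM_Registration Request from an AMF in sn_name; returns (accepted, reason)."""
        category = self.trust.get(sn_name, 1)   # unknown partners: strictest category
        if category == 3:
            return True, "no check"
        rec = self.records.get(supi)
        if rec is None:
            return False, "no authentication on record; re-authenticate"
        if category == 1:
            if rec.serving_network != sn_name:
                return False, "last authentication was by another network; re-authenticate"
            if now - rec.timestamp > self.immediate_window:
                return False, "authentication not immediately preceding; re-authenticate"
            return True, "ok"
        # category 2: any visited network counts (security context may have been
        # transferred between visited networks), only recency is checked
        if now - rec.timestamp > self.max_age:
            return False, "authentication too old; re-authenticate"
        return True, "ok"
```

A rejection reason that ends in "re-authenticate" corresponds to the indication, described above, that the visited network should fetch a new authentication vector before repeating the registration.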
The support of Home Network triggered authentication is optional for the HN and the SN. If both the networks (HN and SN) support Home Network triggered primary authentication, the following clauses apply.
The UDM may initiate primary authentication based on procedures initiated by the UE (e.g. UE registration in 5GC) or towards the UE (e.g. SoR/UPU), or on events from other NFs, taking local policy into account as well.
The UE registers to the network. As part of the registration, the serving AMF registers the UE with the UDM via the Nudm_UECM_Registration service operation specified in TS 23.502. The AMF shall provide a callback URI within the AMF registration for the UDM to create an implicit subscription, so that the UDM can later notify the AMF of a potential home network triggered re-authentication using the Nudm_UECM_Re-AuthenticationNotification service operation as in step 2.
The UDM decides by itself, based on events (e.g. SoR/UPU or NF requests such as AAnF requests as defined in TS 33.535) or on authentication policy, and performs home network triggered primary authentication as described in the following steps. An NF such as the AAnF decides, based on the operator's local authentication policy described in TS 33.535, whether to send a Nudm_UECM_AuthTrigger request to the UDM to trigger primary authentication using the UDM services described in clause 14.2.6. The NF may send a Nudm_UECM_AuthTrigger Request message to the UDM with the SUPI of the target UE. The UDM may acknowledge the request with a Nudm_UECM_AuthTrigger Response to the NF.
If different AMFs are registered in the UDM for different accesses, the UDM shall select one AMF to perform the re-authentication. The criteria for selecting the AMF depend on the local UDM authentication policy.
After receiving the Nudm_UECM_Re-AuthenticationNotification message from the UDM, the AMF/SEAF shall decide whether to run the primary authentication procedure based on its own local authentication policy and the UE state (e.g. whether the UE is under handover, or whether the UE is already being authenticated by the AMF before the authentication notification from the UDM is received). If the AMF/SEAF determines that it cannot run a primary authentication as described in step 4 (e.g. due to local policy), the AMF/SEAF sends the authentication response message to the UDM with a failure cause; otherwise it acknowledges the request. If the AMF/SEAF acknowledged the request but is not able to initiate the primary authentication towards the UE (e.g. because the UE is not reachable), the AMF/SEAF shall set the authentication pending flag. Upon receiving a failure from the AMF, the UDM may check whether another AMF is available over the other access. If one is available, the UDM may select that AMF and retry step 2.
When the UE re-attaches to the same AMF or becomes reachable, the AMF checks the authentication pending flag and performs the re-authentication if needed. Once the UE re-authentication is done, the AMF resets the authentication pending flag.