The AAnF is the anchor function in the HPLMN. The AAnF stores the AKMA Anchor Key (KAKMA) and SUPI for AKMA service, which is received from the AUSF after the UE completes a successful 5G primary authentication. The AAnF also generates the key material to be used between the UE and the Application Function (AF) and maintains UE AKMA contexts. The AAnF sends SUPI of the UE to AF located inside the operator's network according to the AF request or sends to NEF.
The following interfaces are involved in AKMA network architecture:
Nnef: Service-based interface exhibited by NEF.
Nudm: Service-based interface exhibited by UDM.
Naanf: Service-based interface exhibited by AAnF.
The AAnF interacts with the AUSF and the AF using Service-based Interfaces. When the AF is located in the operator's network, the AAnF shall use Service-Based Interface to communicate with the AF directly. When the AF is located outside the operator's network, the NEF shall be used to exchange the messages between the AF and the AAnF.
The key hierarchy (see Figure 5.1-1) includes the following keys: KAUSF, KAKMA, KAF. KAUSF is generated by AUSF as specified in clause 6.1 of TS 33.501.
Keys for AAnF:
KAKMA is a key derived by ME and AUSF from KAUSF.
Keys for AF:
KAF is a key derived by ME and AAnF from KAKMA.
KAKMA and KAF are derived according to the procedures of clauses 6.1 and 6.2.
The KAKMA and A-KID are valid until the next successful primary authentication is performed (implicit lifetime), in which case the KAKMA and A-KID are replaced.
AKMA Application Keys KAF shall use explicit lifetimes based on the operator's policy. The lifetime of KAF shall be sent by the AAnF as described in clauses 6.2 and 6.3. In case that a new AKMA Anchor Key KAKMA is established, the AKMA Application Key KAF can continue to be used for the duration of the current application session or until its lifetime expires, whichever comes first. When the KAF lifetime expires, a new AKMA Application Key is established based on the current AKMA Anchor Key KAKMA.