5G-AKA

5G AKA enhances EPS AKA by giving the home network proof that the UE was successfully authenticated by the visited (serving) network.

Compared step by step, EPS AKA and 5G AKA differ as follows. In EPS AKA the home network's authentication centre hands the visited network's MME a set of authentication vectors including XRES; the visited network authenticates the UE with them on its own, and the home network never learns the outcome. In 5G AKA the home network's authentication centre likewise hands the visited network's security anchor (the SEAF, co-located with the AMF) a 5G authentication vector with the corresponding HXRES*, but after the visited network has checked the UE's response against HXRES* it must still forward that response to the home network, which verifies it against the full XRES* and returns the result to the visited network. So in 5G the home network takes part in authentication and makes the final decision.

5G-AKA

1. The serving network (SN) initiates authentication with the UE.

2. The UE sends its SUCI to the SN. The SUCI contains the encrypted SUPI and the identifier of the home network (HN); the SN cannot read the SUPI.

3. The SN uses the HN identifier to route the SUCI, together with its own serving network name (SNname), to the HN and requests authentication material.

4. The HN de-conceals the SUCI, selects a random nonce R and computes the authentication material:
   MAC = f1(K, <SQN_HN, R>)
   AK = f5(K, R)                               anonymity key, hides the sequence number on the air interface
   CONC = SQN_HN ⊕ AK
   AUTN = <CONC, MAC>
   xRES* = Challenge(K, R, SNname)             the full expected response to the challenge; the HN keeps it for step 9
   HXRES* = SHA256(<R, xRES*>)                 hash of the expected response, given to the SN
   K_SEAF = KeySeed(K, R, SQN_HN, SNname)      key seed for the secure channel between subscriber and SN
   SQN_HN = SQN_HN + 1
   Because xRES* and K_SEAF both take SNname as input, the response and the resulting key are bound to the network that requested the vector.

5. The HN returns R, AUTN, HXRES* and K_SEAF to the SN. The SN receives only the hash HXRES*, never xRES* itself. (In TS 33.501 the AUSF keeps XRES* and K_AUSF and releases K_SEAF to the SEAF only after the confirmation in step 9; handing it over here is a simplification of the model.)

6. The SN sends R and AUTN to the subscriber.

7. The subscriber first checks authenticity and freshness:
   a. Recover the sequence number: xSQN_HN = xCONC ⊕ AK, with AK = f5(K, R) and xCONC taken from AUTN.
   b. Compute MAC = f1(K, <xSQN_HN, R>) and check that it equals the xMAC carried in AUTN.
   c. Check freshness: SQN_UE < xSQN_HN.
   If all checks hold:
   SQN_UE = xSQN_HN
   RES* = Challenge(K, R, SNname)
   K_SEAF = KeySeed(K, R, xSQN_HN, SNname)
   and send RES* to the SN. The MAC can only be checked after the sequence number has been recovered, because it covers SQN_HN, which the UE does not know in advance; and SQN_UE is set to xSQN_HN rather than xSQN_HN + 1, since the next vector from the HN carries SQN_HN + 1 and would otherwise fail the freshness check.

8. The SN checks whether SHA256(<R, RES*>) equals HXRES*. If so, it sends RES* and the SUCI to the HN; otherwise it aborts.

9. The HN checks whether RES* = xRES*. If not, it aborts; if so, it returns the SUPI to the SN and authentication is complete. This final comparison is the evidence of successful authentication that the home network obtains in 5G AKA but not in EPS AKA.
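The nine-step exchange above, run end to end in Python as an added example (not code from the page, from 3GPP or from any vendor). Every cryptographic function is a stand-in that this example assumes: f1, f5, Challenge and KeySeed are HMAC-SHA256 with label strings in place of MILENAGE/TUAK and the TS 33.501 KDF, SUCI concealment is an HMAC keystream under a shared key in place of ECIES, and the classes, message dicts, the subscriber and the network names are constructed for the demo. It follows the listing except that K_SEAF reaches the SN only after the HN has verified RES* in step 9. demo() runs one honest exchange and then trips each checkpoint in turn: a replayed (R, AUTN) fails the UE's sequence-number check, a RES* corrupted in transit fails the SN's HXRES* check, and a lax SN that forwards the corrupted RES* without checking is still refused by the HN.

```python
"""Toy model of the nine-step 5G-AKA exchange above (added example, not code from
the page, 3GPP or any vendor). f1/f5/Challenge/KeySeed are HMAC-SHA256 stand-ins
for MILENAGE/TUAK and the TS 33.501 KDF, SUCI concealment is an HMAC keystream
standing in for ECIES, and K_SEAF reaches the SN only after step 9 (as in TS 33.501)."""
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed inputs: the stand-in for every 3GPP function here."""
    data = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def f1(k, sqn, r): return prf(k, b"f1", sqn, r)[:8]             # MAC over <SQN, R>, 64 bits
def f5(k, r): return prf(k, b"f5", r)[:6]                       # AK, 48 bits to match SQN
def challenge(k, r, snname): return prf(k, b"RES*", r, snname)  # RES* / xRES*
def keyseed(k, r, sqn, snname): return prf(k, b"K_SEAF", r, sqn, snname)
def xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))


class HomeNetwork:
    def __init__(self, hn_id: str, subscribers: dict):
        self.hn_id, self.subscribers = hn_id, subscribers  # SUPI -> {"K": bytes, "SQN": int}
        self.conceal_key = os.urandom(32)  # stand-in for the HN's ECIES key pair
        self.pending = {}  # SUCI nonce -> (SUPI, xRES*, K_SEAF)

    def auth_request(self, suci: dict, snname: bytes) -> dict:  # steps 3-5
        ks = prf(self.conceal_key, b"SUCI", suci["nonce"])[:len(suci["ct"])]
        supi = xor(suci["ct"], ks).decode()  # de-conceal the SUCI
        sub, r = self.subscribers[supi], os.urandom(16)
        sqn = sub["SQN"].to_bytes(6, "big")
        autn = {"CONC": xor(sqn, f5(sub["K"], r)), "MAC": f1(sub["K"], sqn, r)}
        xres = challenge(sub["K"], r, snname)
        self.pending[suci["nonce"]] = (supi, xres, keyseed(sub["K"], r, sqn, snname))
        sub["SQN"] += 1
        return {"R": r, "AUTN": autn, "HXRES*": hashlib.sha256(r + xres).digest()}

    def confirm(self, suci: dict, res: bytes):  # step 9
        entry = self.pending.pop(suci["nonce"], None)
        if entry is None or not hmac.compare_digest(res, entry[1]):
            return None  # unknown session, or RES* != xRES*
        return {"SUPI": entry[0], "K_SEAF": entry[2]}


class UE:
    def __init__(self, supi: str, k: bytes, hn: HomeNetwork):
        self.supi, self.k, self.hn, self.sqn, self.kseaf = supi, k, hn, 0, None

    def make_suci(self) -> dict:  # step 2; the USIM is provisioned with the HN key
        nonce = os.urandom(16)
        ks = prf(self.hn.conceal_key, b"SUCI", nonce)[:len(self.supi)]
        return {"hn_id": self.hn.hn_id, "nonce": nonce, "ct": xor(self.supi.encode(), ks)}

    def respond(self, r: bytes, autn: dict, snname: bytes):  # step 7
        xsqn = xor(autn["CONC"], f5(self.k, r))  # recover SQN_HN first; the MAC needs it
        if not hmac.compare_digest(f1(self.k, xsqn, r), autn["MAC"]):
            return None  # wrong K or tampered AUTN
        if int.from_bytes(xsqn, "big") <= self.sqn:
            return None  # replayed or stale vector
        self.sqn = int.from_bytes(xsqn, "big")  # SQN_UE = xSQN_HN
        self.kseaf = keyseed(self.k, r, xsqn, snname)
        return challenge(self.k, r, snname)  # RES*


class ServingNetwork:
    def __init__(self, snname: bytes, hn: HomeNetwork):
        self.snname, self.hn = snname, hn
        self.supi = self.kseaf = self.last_av = None

    def authenticate(self, ue: UE, av: dict = None, tamper=False, lax=False) -> str:
        suci = ue.make_suci()
        av = av or self.hn.auth_request(suci, self.snname)  # steps 3-5 (or a replayed vector)
        self.last_av = av
        res = ue.respond(av["R"], av["AUTN"], self.snname)  # steps 6-7
        if res is None:
            return "UE rejected AUTN"
        if tamper:
            res = bytes([res[0] ^ 1]) + res[1:]  # corruption (or forgery) of RES* in transit
        hres = hashlib.sha256(av["R"] + res).digest()
        if not lax and not hmac.compare_digest(hres, av["HXRES*"]):
            return "SN: RES* does not match HXRES*"  # step 8; a lax SN skips this
        result = self.hn.confirm(suci, res)
        if result is None:
            return "HN: RES* does not match xRES*"  # step 9
        self.supi, self.kseaf = result["SUPI"], result["K_SEAF"]
        return "OK"


def demo() -> dict:
    """One honest run, then one failure at each of the three checkpoints."""
    k, supi = os.urandom(16), "imsi-001010123456789"  # constructed subscriber
    hn = HomeNetwork("mnc001.mcc001", {supi: {"K": k, "SQN": 1}})
    ue, sn = UE(supi, k, hn), ServingNetwork(b"5G:mnc001.mcc001", hn)
    out = {"first": sn.authenticate(ue), "keys_agree": sn.kseaf == ue.kseaf}
    out["replay"] = sn.authenticate(ue, av=sn.last_av)  # step 7: SQN not fresh
    out["tampered"] = sn.authenticate(ue, tamper=True)  # step 8: hash mismatch
    out["lax_sn"] = sn.authenticate(ue, tamper=True, lax=True)  # step 9: HN still catches it
    out["second"] = sn.authenticate(ue)  # SQN is monotone; a fresh vector still works
    return out
```

Two design points worth noticing when reading demo(): the HN starts its counter at 1 and the UE at 0 so that the first vector passes SQN_UE < xSQN_HN, and the SN never holds xRES*, so even the lax SN that skips its own hash check cannot fabricate an accepted response; the HN's comparison in confirm() is what decides.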