"The subscriber's permanent identity is never sent over the radio interface. Instead, a concealed version -- the SUCI -- is transmitted. Only the home network can decrypt it. This is the architectural response to thirty years of IMSI-catcher attacks." -- Kurose-Ross 9e, §8.8.2
Lecture (90 min)
8.1 5G Core Architecture: From Monolith to Service-Based Interface
The 4G Evolved Packet Core (EPC) was architecturally monolithic: a fixed set of network functions (MME, SGW, PGW, HSS, PCRF) connected by a fixed set of reference points (S1, S5/S8, S11, S6a). Adding a new capability meant extending the monolith.
5G SA (Standalone) replaces this with a service-based architecture (SBA). Each network function exposes a RESTful HTTP/2 service over the SBI (Service Based Interface). A network function that needs a capability subscribes to the relevant service rather than connecting over a fixed reference point.
The 5G Core functional decomposition:
| Function | Abbreviation | Role |
|---|---|---|
| Access and Mobility Management Function | AMF | NAS signaling, mobility, authentication gateway |
| Session Management Function | SMF | PDU session lifecycle, DHCP, PCF interaction |
| User Plane Function | UPF | Packet forwarding, QoS enforcement; data-plane element |
| Authentication Server Function | AUSF | Runs 5G-AKA and EAP-AKA'; interfaces with UDM |
| Unified Data Management | UDM | Subscriber data, subscription profiles, SQN management |
| Policy Control Function | PCF | Policy rules for session QoS, charging |
| Network Repository Function | NRF | Service discovery registry (analogous to DNS for NF services) |
| Network Slice Selection Function | NSSF | Selects the appropriate network slice for a UE |
The N-interface naming convention (Nnf = interface of Network Function nf):
- N1: UE ↔ AMF (NAS, Non-Access Stratum protocol)
- N2: (R)AN ↔ AMF (NGAP, NG Application Protocol)
- N3: (R)AN ↔ UPF (user plane data, GTP-U tunnels)
- N11: AMF ↔ SMF
- N12: AMF ↔ AUSF
- N8: AMF ↔ UDM
The key insight for security analysis: the AMF is the single point of NAS contact for the UE. All authentication, mobility, and session signaling passes through it. Compromising the AMF or impersonating it at the N2 interface is the highest-value target in the 5G Core attack surface.
8.2 5G-AKA: The Full Six-Step Sequence
The handouts/cross-chapter-wireless-aka-progression.md established the three comparison axes (trust anchor, identity privacy, forward secrecy). This section animates those axes with the full protocol sequence.
Prerequisites: The UE holds its SUPI (Subscription Permanent Identifier, the 5G equivalent of the IMSI), the long-term key K, and the home network's public key for SUCI computation. The home network's UDM holds the same K and the SUPI-to-subscription mapping.
6-step 5G-AKA sequence:
Step 1: UE → gNodeB → AMF
NAS: Registration Request (SUCI = ECIES(SUPI, home_pk))
-- The UE never sends SUPI in plaintext. SUCI is transmitted.
Step 2: AMF → AUSF → UDM
AUSF: Authentication Information Request (SUCI)
UDM: decrypts SUCI → SUPI; generates AV (Authentication Vector)
AV = (RAND, AUTN, XRES*, HXRES*, KAUSF)
RAND = 128-bit random challenge
AUTN = SQN ⊕ AK || AMF || MAC (allows UE to authenticate the network)
XRES* = f2(K, RAND) (expected response)
HXRES* = SHA-256(RAND || XRES*) (hash for AMF-level verification)
Step 3: UDM → AUSF → AMF
AUSF: Authentication Response (HXRES*, KAUSF, SUPI)
AMF: stores HXRES*; derives KSEAF from KAUSF
Step 4: AMF → UE
NAS: Authentication Request (RAND, AUTN, ngKSI)
-- AMF sends the challenge. UE must verify AUTN to authenticate the network.
Step 5: UE processes the challenge
UE: verify AUTN (checks SQN freshness, computes MAC, rejects if stale/wrong)
UE: compute RES* = f2(K, RAND)
NAS: Authentication Response (RES*)
Step 6: AMF verifies
AMF: compute HRES* = SHA-256(RAND || RES*)
AMF: compare HRES* with HXRES*
If match: AMF sends NAS Authentication Result → AUSF for binding confirmation
AUSF: compare RES* with XRES*
If match: authentication successful; KSEAF established
Why HXRES instead of XRES at the AMF?** In 5G roaming, the AMF (Serving-AMFSN, visited network) must verify the UE response, but XRES* is derived from K which lives in the home network. The UDM sends only the hash (HXRES*) to the AMF -- the visited network can verify the hash without ever seeing the actual expected response. This preserves the home-network key confidentiality even from the visited network's AMF.
8.3 SUPI/SUCI Privacy: Closing the IMSI-Catcher Attack Class
The IMSI-catcher (Stingray / IMSI-grabber) attack was feasible in 2G, 3G, and 4G because the UE transmitted its permanent identity in plaintext during initial attach. An attacker operating a fake base station could trigger an Identity Request and harvest the IMSI from the Identity Response.
5G SUCI construction:
SUCI = Home Network Identity || Routing Indicator || Protection Scheme ID
|| Home Network Public Key ID
|| Scheme Output (ECIES(SUPI MSIN portion, home_pk))
ECIES: Elliptic Curve Integrated Encryption Scheme. The UE uses the home network's published public key (distributed in the USIM via provisioning or via SIM OTA) to encrypt the MSIN (Mobile Subscriber Identification Number, the subscriber-unique portion of the SUPI).
Threat model residual: SUCI closes the passive IMSI-catcher class (harvest IMSI from eavesdropping). It does not close:
- Active downgrade attacks: a fake 5G base station that forces the UE to attach via legacy 4G/3G protocols. 5G SA removes 4G fallback; 5G NSA retains it.
- SUCI replay: SUCI changes per-registration (the ECIES ephemeral key is fresh each time), so replay of a captured SUCI provides limited benefit to an attacker; it reveals the home network identity but not the SUPI.
8.4 5G Attack Classes
Fake Base Station (FBS) in 5G SA vs. NSA:
| Attack surface | 5G SA | 5G NSA |
|---|---|---|
| IMSI-catcher (SUPI harvest) | Closed by SUCI | Present (LTE anchor carries IMSI) |
| Network authentication forgery | Mitigated (UE verifies AUTN) | Partial mitigation (inherited from 4G-AKA) |
| Forced downgrade to 4G | Not applicable (no 4G anchor) | Structurally possible via N26 interface |
| Coverage of attack tool kits | Lower (newer protocol, fewer tools) | Higher (mature 4G attack toolkits port to NSA) |
N2 interface attacks (AMF impersonation): The N2 interface carries NGAP between the gNodeB and the AMF. In a compromised RAN environment, an attacker who can inject NGAP messages can manipulate handover procedures, session establishment, and paging -- without breaking 5G-AKA (the AKA protects the subscriber key, not the control-plane sessions).
SS7 residual exposure in 5G NSA: 5G NSA uses LTE as the control-plane anchor (EPC + evolved NodeB). All SS7 attacks against 4G EPC (location tracking via MAP/DIAMETER, forced authentication, call interception setup) remain applicable to 5G NSA deployments that retain SS7-connected roaming.
8.5 Open5GS + UERANSIM: Simulator Architecture
Open5GS implements the 3GPP 5G SA core in open source. UERANSIM implements a simulated gNodeB and UE. Together they form a complete 5G SA testbed that runs on a laptop.
Component map:
[UERANSIM: gNodeB] --N2 (NGAP over SCTP)--> [Open5GS: AMF]
[UERANSIM: UE] --N1 (NAS-5GS over NR)-> [Open5GS: AMF]
[Open5GS: AMF] --N11--> [Open5GS: SMF] --N7--> [Open5GS: PCF]
[Open5GS: AMF] --N12--> [Open5GS: AUSF] --N13--> [Open5GS: UDM]
[Open5GS: SMF] --N4 (PFCP)--> [Open5GS: UPF]
[Open5GS: UPF] --N3 (GTP-U)--> [UERANSIM: gNodeB]
The key NAS dissectors in Wireshark:
- NGAP (dissector:
ngap): decodes N2 signaling between gNodeB and AMF - NAS-5GS (dissector:
nas-5gs): decodes the UE-AMF NAS messages carried inside NGAP
Architecture Comparison Sidebar: 5G SA vs. NSA Security Posture
| Property | 5G SA | 5G NSA | 4G EPC/LTE-A |
|---|---|---|---|
| AKA protocol | 5G-AKA (SUCI protection; HXRES* at visited AMF) | 4G-AKA (EPS-AKA) for initial attach; 5G-AKA possible with inter-working | EPS-AKA (IMSI in plaintext) |
| SUPI/IMSI protection | Yes (SUCI = ECIES(SUPI)) | No (4G LTE anchor sends IMSI) | No |
| FBS detection capability | Partial (AUTN verification prevents network impersonation in AKA) | Minimal (LTE anchor vulnerable to 4G FBS tools) | Minimal |
| Backward compatibility cost | Higher (SA requires new standalone 5G infrastructure) | Lower (reuses 4G EPC core) | N/A |
| Control-plane architecture | Service-based interface (SBI/HTTP2) | 4G EPC reference-point architecture | Reference-point architecture |
| SS7 residual exposure | Eliminated (no SS7 path) | Present (via LTE roaming DIAMETER/SS7) | Present |
Kurose-Ross §7.4 framing: Kurose-Ross §7.4 presents the service-based vs. legacy EPC contrast in terms of functional decomposition -- the SBA model decouples functions that the monolithic EPC bundled. The security implication is bi-directional: decomposition creates new inter-function interfaces (each N-interface is an attack surface), but it also enables fine-grained access control (each NF can authenticate callers via OAuth 2.0 tokens at the SBI layer).
Toolchain Diary Additions
| Tool | Purpose | Introduced |
|---|---|---|
| Open5GS | 5G SA core (AMF/SMF/UPF/AUSF/UDM/PCF/NRF) | Week 8 |
| UERANSIM | Simulated gNodeB + UE for 5G SA testing | Week 8 |
| Wireshark NGAP dissector | Decode N2 NGAP signaling | Week 8 |
| Wireshark NAS-5GS dissector | Decode NAS Registration/Authentication/Security Mode | Week 8 |
Reflection Prompts
- A 5G operator deploys NSA because SA requires more capital expenditure. From the security standpoint, which attack classes from the table above does this tradeoff re-expose, and what mitigating controls (if any) are available within the NSA architecture?
- The AUSF sends HXRES* to the AMF rather than XRES*. Why is this the right design for a roaming scenario where the AMF is in a visited network? What does the AMF learn from the hash comparison that it needs, and what does it deliberately not learn?
- The N2 interface (gNodeB ↔ AMF) uses NGAP over SCTP. SCTP is unusual -- most protocols use TCP or UDP. What properties of SCTP (multi-homing, multi-streaming, message-oriented delivery) make it appropriate for radio access network signaling?