Every message, every parameter, from SUCI to anchor key
“If Chapter 5 gave you the map, this chapter walks every street — and shows you exactly where the two failure alarms live.”
— HOW TO READ THIS CHAPTER
This is the chapter you will return to with a packet capture open beside it. We trace one complete 5G-AKA run from the UE’s registration request to the anchor key KSEAF sitting in the SEAF — naming every parameter (RAND, AUTN, XRES*, HXRES*, RES*, KAUSF, KSEAF), every service operation, every comparison, and the two ways it can fail: MAC failure and synchronization failure.
🎯 Learning objectives
Trace the complete 5G-AKA sequence across UE, SEAF/AMF, AUSF, UDM/ARPF.
Explain the structure of RAND and AUTN and how the USIM verifies the network.
Derive XRES*, HXRES*, RES* and explain the two-stage comparison.
Show how KAUSF and KSEAF are produced and delivered.
Diagnose MAC failure vs synchronization failure (AUTS) from a trace.
Checked June 2026 — verify against the latest 3GPP version.
6.1 The Master Sequence
Before the details, here is the whole run on one page. Read it top to bottom; every later diagram is a zoom into one band of it.
FIGURE 6.1 End-to-End 5G-AKA Master Sequence
Purpose: the whole procedure at a glance. Bands ①–⑤ carry the SUCI home; ⑥–⑨ deliver and verify the challenge; ⑩–⑮ verify the UE and anchor the key. Keep this open as the index to the rest of the chapter.
6.2 Step ①–② — Registration Request and the AUSF Call
The UE begins a registration carrying its SUCI (Chapter 4) and its UE security capabilities (the NEA/NIA algorithms it supports — Chapter 8 will need these). The AMF, hosting the SEAF, picks an AUSF in the subscriber’s home network (resolved from the SUCI’s home network ID) and calls Nausf_UEAuthentication_Authenticate, attaching the serving network name — the string that will bind every key to this network.
FIGURE 6.2 Registration Request and the Nausf Authenticate Call
Purpose: what the UE actually sends, and the two things the AMF adds. The SN name is the seed of all key binding; the UE capabilities are the seed of bidding-down defense.
6.3 Step ③–⑤ — Vector Generation in the UDM/ARPF
The AUSF forwards to the UDM via Nudm_UEAuthentication_Get. Inside the UDM: the SIDF de-conceals SUCI → SUPI (Chapter 4), the UDM selects the method (Chapter 5), and the ARPF generates the 5G HE AV (Home Environment Authentication Vector). Critically, the ARPF computes XRES* and derives KAUSF from CK, IK with the SN name folded in.
FIGURE 6.3 Inside the UDM/ARPF — Building the 5G HE AV
Purpose: where the 5G-specific transformations happen. Note XRES* (not raw XRES) and KAUSF are the new layer 5G adds on top of classic AKA — and both already carry the serving network name.
FIGURE 6.4 RAND and AUTN — Structure and What Each Part Proves
Purpose: the anatomy of the token that finally let phones trust networks. The two halves it verifies map exactly to the two failure modes you will diagnose at the end of this chapter.
6.5 Step ⑥–⑦ — The AUSF Hashes, the SEAF Receives
The AUSF receives the 5G HE AV, stores XRES* and KAUSF, and computes HXRES* as the 128 least-significant bits of SHA-256(RAND || XRES*). It builds the 5G SE AV (Serving Environment AV) containing only RAND, AUTN and HXRES*, and sends it to the SEAF. The serving network never receives XRES* or KAUSF: it gets a hash it can compare against, and nothing it could use to forge a success.
FIGURE 6.5 XRES* → HXRES* — the Hash That Protects the Home Secret
Purpose: the elegant split. The serving network can screen the answer (compare hashes) but cannot manufacture one — the authoritative secret never leaves home.
FIGURE 6.6 Step ⑧ — the NAS Authentication Request on the Air
Purpose: the message your trace will show as Authentication request. Two new 5G parameters ride here: ngKSI (key set label) and ABBA (binds the security context to the feature set, blocking architecture downgrade).
6.6 Step ⑨ — The USIM Verifies, the ME Computes RES*
This is the moment the subscriber side does its work. The USIM recomputes AK (f5), unmasks SQN from AUTN, recomputes the expected MAC (f1) over RAND, SQN and AMF and compares it with the MAC carried in AUTN (is this my network?), then checks that SQN falls in the accepted range (is this fresh?). On success it outputs RES (f2), CK (f3) and IK (f4) to the ME, which derives RES* = KDF(CK || IK, SN name, RAND, RES), mirroring the ARPF's XRES* computation.
FIGURE 6.7 USIM Verification and RES* Derivation
Purpose: the subscriber’s half of the proof — and the origin of the two failure modes. MAC failure means “not my network”; sync failure means “my network, but stale.”
6.7 Step ⑪–⑬ — The Two-Stage Comparison
5G-AKA verifies the response twice, on purpose. The SEAF hashes the received RES* and compares to HXRES* — a fast local screen that lets a roaming network reject obvious garbage without a home round-trip. Then the AUSF compares the actual RES* to the stored XRES* — the authoritative verdict that decides whether KSEAF is ever released.
FIGURE 6.8 The Two-Stage Comparison — Local Screen, then Home Verdict
Purpose: why the design checks twice. Stage 1 is a cheap doorman; Stage 2 is the judge. Keys move only after the judge rules.
6.8 Step ⑮ — KAUSF and KSEAF Delivered
On success, the AUSF derives KSEAF = KDF(KAUSF, SN name) and returns it to the SEAF together with the SUPI. The SEAF stores KSEAF as the anchor and the procedure is done: every key the UE will use grows from here (Chapter 7). KAUSF never leaves the AUSF; it stays there for SoR/UPU protection and AKMA.
FIGURE 6.9 KAUSF → KSEAF — Derivation and Delivery
Purpose: the payoff. One run of 5G-AKA yields one anchor key, network-bound, released only on the home network’s verdict — the seed of the entire key tree.
FIGURE 6.10 Step ⑭ — Authentication Result Confirmation (Home Control)
Purpose: the small message with big consequences. Without it, “increased home control” would be a slogan; with it, the UDM can refuse service that contradicts authentication history.
6.9 Step ⑩ — The Two Failure Paths
When authentication fails on the UE side, which failure it is tells you exactly what is wrong. This is the single most useful diagnostic in 5G authentication.
FIGURE 6.11 MAC Failure vs Synchronization Failure — Diagnosis
Purpose: the diagnostic fork every SOC analyst needs. Sync failures are routine and self-healing; a cluster of MAC failures in one cell is a rogue-base-station signature.
FIGURE 6.12 The AUTS Resynchronization Sequence
Purpose: how the network recovers from drift. The AUTS token carries the UE's own counter SQN_MS, concealed with AK* and protected by MAC-S, so it can't be abused to manipulate SQN.
FIGURE 6.13 A Subtle Threat — AKA Linkability and the Rel-16+ Hardening
Purpose: a reminder that authentication privacy is more than identity concealment. Even the type of failure can leak presence — which is why 3GPP keeps refining AKA. Verify your release’s exact behavior.
FIGURE 6.14 Parameter Ledger — Where Each Value Lives
Purpose: the whole trust model as a ledger. If you can reproduce this column “who sees it,” you understand 5G-AKA’s security.
FIGURE 6.15 Performance & Security View — Round-Trips That Matter
Purpose: the procedure as latency, which matters for capacity and DoS planning. The two red dots are the home round-trips; the SEAF screen guards them.
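The whole run of §6.3 to §6.9 in executable form, as an added example (not code from the book or from 3GPP): the ARPF builds the 5G HE AV, the AUSF hashes XRES* into HXRES* and forwards the SE AV, the USIM checks MAC then SQN, the SEAF screens HRES* against HXRES*, the AUSF gives the verdict and releases KSEAF, and the two failure paths (wrong K or tampered AUTN, rewound SQN_HE with AUTS resync) run through the same functions. The 5G-layer derivations follow the KDF conventions of TS 33.501 Annex A (FC 0x6A/0x6B/0x6C over HMAC-SHA-256) and HXRES* = 128 LSBs of SHA-256(RAND || XRES*). Assumptions: f1..f5, f1* and f5* are HMAC-SHA-256 stand-ins for Milenage, and K_HOME, SN_NAME and SQN_DELTA are constructed values.

```python
"""Toy end-to-end 5G-AKA run with both failure paths (added example, not code
from the book or from 3GPP). Spec-shaped parts: TS 33.220 KDF (HMAC-SHA-256)
with FC 0x6A (KAUSF), 0x6B (RES*/XRES*), 0x6C (KSEAF); HXRES*/HRES* = 128 LSBs
of SHA-256(RAND || XRES*); AUTN = SQN^AK || AMF || MAC; AUTS = SQN_MS^AK* || MAC-S.
Assumptions: f1..f5/f1*/f5* are HMAC stand-ins for Milenage; K, SN name, window constructed."""
import hashlib
import hmac
import os

SN_NAME = b"5G:mnc001.mcc001.3gppnetwork.org"               # constructed serving network name
K_HOME = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")  # constructed subscriber key K
AMF_5G, AMF_RESYNC = b"\x80\x00", b"\x00\x00"              # AMF with separation bit / AMF* for MAC-S
SQN_DELTA = 2 ** 28                                         # USIM acceptance window (assumption)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def kdf(key, fc, *params):
    """TS 33.220 B.2 KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc]) + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()

def f(k, tag, rand, *parts):
    """Stand-in for Milenage: one keyed PRF, domain-separated by the function tag."""
    return hmac.new(k, tag + rand + b"".join(parts), hashlib.sha256).digest()

def f1(k, rand, sqn, amf):  return f(k, b"f1", rand, sqn, amf)[:8]   # MAC-A
def f1s(k, rand, sqn, amf): return f(k, b"f1*", rand, sqn, amf)[:8]  # MAC-S
def f2(k, rand):  return f(k, b"f2", rand)[:8]                       # RES
def f3(k, rand):  return f(k, b"f3", rand)[:16]                      # CK
def f4(k, rand):  return f(k, b"f4", rand)[:16]                      # IK
def f5(k, rand):  return f(k, b"f5", rand)[:6]                       # AK
def f5s(k, rand): return f(k, b"f5*", rand)[:6]                      # AK*

def res_star(k, rand):
    """TS 33.501 A.4: RES*/XRES* = 128 LSBs of KDF(CK||IK, 0x6B, SN name, RAND, RES)."""
    return kdf(f3(k, rand) + f4(k, rand), 0x6B, SN_NAME, rand, f2(k, rand))[16:]

def arpf_generate_he_av(sqn_he, rand=None):
    """Steps ③–⑤: 5G HE AV = (RAND, AUTN, XRES*, KAUSF); the SN name is already bound in."""
    rand = rand or os.urandom(16)
    sqn, ak = sqn_he.to_bytes(6, "big"), f5(K_HOME, rand)
    autn = xor(sqn, ak) + AMF_5G + f1(K_HOME, rand, sqn, AMF_5G)
    kausf = kdf(f3(K_HOME, rand) + f4(K_HOME, rand), 0x6A, SN_NAME, xor(sqn, ak))
    return {"RAND": rand, "AUTN": autn, "XRES*": res_star(K_HOME, rand), "KAUSF": kausf}

def ausf_to_se_av(he_av):
    """Steps ⑥–⑦: AUSF keeps XRES*/KAUSF; the 5G SE AV carries only RAND, AUTN, HXRES*."""
    hxres = hashlib.sha256(he_av["RAND"] + he_av["XRES*"]).digest()[16:]
    return {"RAND": he_av["RAND"], "AUTN": he_av["AUTN"], "HXRES*": hxres}

def usim_process(k, rand, autn, sqn_ms):
    """Step ⑨: MAC check first ("not my network"), freshness second ("stale").
    Returns ('OK', RES*, new SQN_MS) | ('MAC_FAILURE', None, SQN_MS) | ('SYNC_FAILURE', AUTS, SQN_MS)."""
    ak = f5(k, rand)
    sqn, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:]
    if not hmac.compare_digest(f1(k, rand, sqn, amf), mac):
        return "MAC_FAILURE", None, sqn_ms
    sqn_int = int.from_bytes(sqn, "big")
    if not (sqn_ms < sqn_int <= sqn_ms + SQN_DELTA):
        sqn_ms_b = sqn_ms.to_bytes(6, "big")
        auts = xor(sqn_ms_b, f5s(k, rand)) + f1s(k, rand, sqn_ms_b, AMF_RESYNC)
        return "SYNC_FAILURE", auts, sqn_ms
    return "OK", res_star(k, rand), sqn_int

def seaf_screen(se_av, res):
    """Step ⑪: the local doorman. HRES* == HXRES*? Needs no home secret."""
    hres = hashlib.sha256(se_av["RAND"] + res).digest()[16:]
    return hmac.compare_digest(hres, se_av["HXRES*"])

def ausf_verdict(he_av, res):
    """Steps ⑫–⑮: authoritative RES* == XRES*; only then KSEAF = KDF(KAUSF, 0x6C, SN name)."""
    ok = hmac.compare_digest(res, he_av["XRES*"])
    return kdf(he_av["KAUSF"], 0x6C, SN_NAME) if ok else None

def arpf_resync(rand, auts):
    """AUTS handling: unmask SQN_MS with AK*, verify MAC-S; a forged AUTS yields None."""
    sqn_ms = xor(auts[:6], f5s(K_HOME, rand))
    ok = hmac.compare_digest(f1s(K_HOME, rand, sqn_ms, AMF_RESYNC), auts[6:])
    return int.from_bytes(sqn_ms, "big") if ok else None

def run_5g_aka(k_usim, sqn_he, sqn_ms, rand=None):
    """One run. Returns (outcome, KSEAF | AUTS | None, RAND)."""
    he_av = arpf_generate_he_av(sqn_he, rand)
    se_av = ausf_to_se_av(he_av)
    status, val, _ = usim_process(k_usim, se_av["RAND"], se_av["AUTN"], sqn_ms)
    if status != "OK":
        return status, val, se_av["RAND"]
    if not seaf_screen(se_av, val):
        return "SEAF_SCREEN_FAILED", None, se_av["RAND"]
    kseaf = ausf_verdict(he_av, val)
    return ("OK", kseaf, se_av["RAND"]) if kseaf else ("AUSF_REJECT", None, se_av["RAND"])

if __name__ == "__main__":
    print("healthy run:", run_5g_aka(K_HOME, sqn_he=100, sqn_ms=50)[0])
    print("wrong K (bad SIM batch):", run_5g_aka(bytes(16), sqn_he=100, sqn_ms=50)[0])
    status, auts, rand = run_5g_aka(K_HOME, sqn_he=40, sqn_ms=50)   # UDM restored from snapshot
    print("rewound SQN_HE:", status, "-> ARPF resyncs SQN_HE to", arpf_resync(rand, auts))
```

Two things to notice when running it: the SE AV dictionary never contains XRES* or KAUSF, so a SEAF that wanted to fake a success has nothing to fake with; and the SQN-rewind case produces a SYNC_FAILURE with a valid AUTS that arpf_resync() accepts, while a single flipped byte in AUTS (or in AUTN) is rejected, which is the difference between "my network, but stale" and "not my network" in code.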
6.10 The Practical Operator View
Instrument failure causes separately: MAC failure, sync failure, no-response, and timeout are different incidents. Chapter 26 builds the funnel; this chapter defines its buckets.
A spike of MAC failures localized to a cell or area is a rogue-base-station indicator — escalate to the SOC playbook (Chapter 27), don’t just retry.
Sync-failure storms usually mean SQN-array misconfiguration across redundant UDM/ARPF instances or a restored database snapshot — a configuration fix, not an attack.
Confirm ResultConfirmation is enabled toward the UDM — it is your home-control audit trail.
In roaming, watch the home round-trip latency; it caps attach rates and shapes DoS exposure.
Common misconfiguration risks
SEAF local screen (HXRES*) disabled by a vendor flag → every junk response burns a home round-trip (DoS amplifier).
SN name mismatch (Chapter 5 example) → uniform post-challenge failures with successful AUTN verification.
Wrong K/OP after subscriber migration → blanket MAC failures for the affected SIM batch.
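The bucketing and the two verdicts from the operator view above (MAC failures clustered in one cell versus a sync-failure storm spread across cells), run over constructed authentication-failure log lines. This is an added example, not the book's own tooling or any vendor's log format: the line layout, the thresholds and every sample line are assumptions, so parse_line() is the one function to adapt to a real AMF/AUSF log.

```python
"""Separate the four authentication-failure buckets and triage them (added example,
not from the book). Log format, thresholds and sample lines are constructed."""
import re
from collections import Counter, defaultdict

# Constructed log layout: "<hh:mm:ss> cell=<cell id> sub=<subscriber handle> result=<outcome>"
LINE = re.compile(r"(?P<ts>\S+) cell=(?P<cell>\S+) sub=(?P<sub>\S+) result=(?P<result>\S+)")
CAUSES = ("MAC_FAILURE", "SYNC_FAILURE", "NO_RESPONSE", "TIMEOUT")  # four buckets, never merged
MAC_CLUSTER_MIN = 5     # distinct subscribers with MAC failure in one cell (assumed threshold)
SYNC_STORM_MIN = 20     # sync failures in the window (assumed threshold)
SYNC_STORM_CELLS = 3    # ...spread over at least this many cells (assumed threshold)

# Constructed sample: a rogue-gNB-shaped MAC cluster in C-1001, one stray MAC failure,
# a sync storm over four cells after a "DB restore", plus a timeout and a success.
SAMPLE_LOG = (
    [f"10:00:{i:02d} cell=C-1001 sub=s{i} result=MAC_FAILURE" for i in range(6)]
    + ["10:00:30 cell=C-2002 sub=s40 result=MAC_FAILURE"]
    + [f"10:01:{i:02d} cell=C-{3000 + i % 4} sub=s{100 + i} result=SYNC_FAILURE" for i in range(24)]
    + ["10:02:00 cell=C-2002 sub=s41 result=TIMEOUT", "10:02:01 cell=C-1001 sub=s42 result=OK"]
)

def parse_line(line):
    """Return the parsed fields or None for lines that do not match the constructed format."""
    m = LINE.match(line)
    return m.groupdict() if m else None

def bucket(lines):
    """Count each failure cause separately: totals, and per cell the distinct subscribers."""
    per_cause = Counter({c: 0 for c in CAUSES})
    per_cell = defaultdict(lambda: defaultdict(set))   # cell -> cause -> {subscribers}
    for ev in filter(None, map(parse_line, lines)):
        if ev["result"] in CAUSES:
            per_cause[ev["result"]] += 1
            per_cell[ev["cell"]][ev["result"]].add(ev["sub"])
    return per_cause, per_cell

def triage(lines):
    """Return (severity, verdict) findings. Counting distinct subscribers, not lines,
    keeps one SIM with a broken K from looking like a rogue base station."""
    per_cause, per_cell = bucket(lines)
    findings = []
    for cell, causes in per_cell.items():
        n = len(causes.get("MAC_FAILURE", ()))
        if n >= MAC_CLUSTER_MIN:
            findings.append(("P1", f"{n} subscribers with MAC failure in {cell}: rogue-gNB playbook"))
    sync_cells = [c for c, causes in per_cell.items() if causes.get("SYNC_FAILURE")]
    if per_cause["SYNC_FAILURE"] >= SYNC_STORM_MIN and len(sync_cells) >= SYNC_STORM_CELLS:
        findings.append(("P2", f"sync-failure storm over {len(sync_cells)} cells: "
                                "check SQN replication / recent DB restore, not an attack"))
    for cause in ("NO_RESPONSE", "TIMEOUT"):
        if per_cause[cause]:
            findings.append(("P3", f"{per_cause[cause]} x {cause}: capacity/transport bucket"))
    return findings

if __name__ == "__main__":
    for sev, verdict in triage(SAMPLE_LOG):
        print(sev, verdict)
```

Note that the same 24 sync failures confined to a single cell would not raise the P2 finding: the book's diagnosis of a sync storm as a replication or restore problem rests on it being network-wide, and the thresholds here encode exactly that distinction.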
XRES* / HXRES* / RES*: expected response / its hash (to SEAF) / the UE's computed response
K_AUSF / K_SEAF: home-anchored key / the serving anchor key released on success
ngKSI / ABBA: key-set identifier labeling the new context / anti-bidding-down parameter bound into K_AMF
AUTS: resynchronization token returned on a sync failure (MAC-protected)
MAC failure / synch failure: wrong/fake network or tampering / SQN out of range (recoverable)
Real network example. An operator’s NOC opened a P1 on a “5G authentication outage” — thousands of sync failures in an hour, all from one region. The 5G-AKA knowledge above solved it in minutes: sync failures are recoverable and network-side, so this was not an attack and not the UEs. The cause: a UDM node had been restored from a backup snapshot, rewinding its SQN array; every returning subscriber’s USIM (with a higher SQN) rejected the stale vectors and demanded resync. Fix: let the AUTS resync drain naturally and correct the SQN-storage replication. Had the same volume been MAC failures, the response would have been the opposite — a rogue-base-station hunt.
Confirm your monitoring separates MAC failure, synch failure, no-response, timeout.
Verify SEAF local HXRES* screening is enabled (not bypassed to the AUSF every time).
Check ResultConfirmation toward UDM is on.
Trace one full success: confirm K_SEAF arrives only after the AUSF (not the SEAF) check.
Validate SQN window size and UDM/ARPF SQN replication after any DB restore.
Alert on geographically clustered MAC failures → SOC rogue-gNB playbook.
★ Chapter Summary
5G-AKA: SUCI travels home → UDM/ARPF builds a vector → challenge (RAND, AUTN) to the UE → USIM verifies and answers (RES*) → two-stage check (SEAF hash screen, AUSF authoritative) → K_SEAF released.
AUTN proves network authenticity (MAC) and freshness (SQN); the USIM checks both, producing the two failure types.
The serving network only ever holds HXRES* and (on success) K_SEAF — never XRES*, K, or K_AUSF.
ResultConfirmation to the UDM is the home-control audit trail.
List, in order, every message in a successful 5G-AKA run and the one new value each introduces.
Why does the AUSF send HXRES* to the SEAF instead of XRES*? What does this prevent a malicious SEAF from doing?
Explain how RES* can equal XRES* without RES* ever revealing K — and what three inputs both derivations share.
A trace shows AUTN verified successfully but the attach still fails at the security mode step. What do you suspect, and why is it not a MAC failure?
Distinguish MAC failure from synch failure: cause, recoverability, and the correct operational response to a cluster of each.
Why is the AUTS token MAC-protected, and what attack would be possible if it weren’t?
At which exact step does the serving network learn the SUPI, and why is that timing important for privacy?
Where does the serving network name enter the derivations of XRES* and K_AUSF, and what does binding it there achieve?
🧪 Mini lab — capture a full 5G-AKA run
With Open5GS + UERANSIM and Wireshark (Chapter 33 setup): (1) Register a UE and capture the NAS exchange — locate Authentication request (read RAND, AUTN, ngKSI, ABBA) and Authentication response (RES*). (2) In the AUSF/UDM logs, find XRES* generation and the RES*==XRES* comparison — confirm they happen in the home functions, not the AMF. (3) Now corrupt one byte of the UE’s key K and re-register: confirm a MAC failure at the USIM. (4) Restore K but force an SQN mismatch (re-use an old config / restore a DB snapshot) and confirm a synch failure with an AUTS token, followed by automatic recovery. You have now reproduced both failure paths — the two most valuable signatures in 5G authentication diagnostics.