← Book home
Part 2 · Authentication and Access Security
7

Key Hierarchy and Key Management

From one secret on a SIM card to every key on the air

“There is exactly one secret in your subscription. Everything else is mathematics performed on it — and the mathematics is designed so that stealing a leaf never gives you the root.” — THE WHOLE CHAPTER IN ONE SENTENCE

5G never reuses the long-term key K for actual traffic. Instead it grows a tree of derived keys, each one step further from the root, each one protecting a narrower thing for a shorter time. This is the chapter that ties the whole book together: authentication (Chapters 5–6) produces the anchor; NAS, AS, and handover security (Chapters 8, 9, 16) consume the branches. Learn the tree and you can place any 5G key in seconds.

🎯 Learning objectives
📘 Standards reference box — Chapter 7
SpecificationTitleRelease / version verified
TS 33.5015G security — key hierarchy (clause 6.2) + Annex A (KDFs)Rel-18, v18.11.0 (2026-04)
TS 33.220Generic KDF specification (HMAC-SHA-256 construction)Rel-18 edition
TS 33.401EPS key hierarchy (for comparison)Rel-18 edition

Checked June 2026. KDF input strings and FC values live in Annex A — verify exact values against your TS 33.501 version.

7.1 The Whole Tree in One Picture

Here is the entire hierarchy. Spend time on it — every other diagram in this chapter is a zoom into one branch.

FIGURE 7.1The Complete 5G Key Hierarchy
K 🔑 (long-term) USIM + ARPF only CK ∥ IK from f3/f4 (or CK′/IK′) K_AUSF home: AUSF + UE K_SEAF (anchor) SEAF + UE K_AMF AMF + UE · (+ABBA) NAS keys K_NASint · K_NASenc (in AMF + UE) K_gNB gNB + UE — uses UL NAS COUNT NH (+ NCC) handover chain (§7.7) K_RRCintRRC integrity K_RRCencRRC ciphering K_UPintUP integrity K_UPencUP ciphering ↑ HOME / SUBSCRIBER ROOT ↑ SERVING ANCHOR ↑ ACCESS STRATUM (in the gNB) one-way KDFs: a stolen AS key never reveals K_gNB; a stolen K_gNB never reveals K_AMF; the root K never leaves the card/vault
Purpose: the master map of every 5G key. Read top-down as “further from the root, narrower in scope, shorter in life.” Memorize this and Chapters 8, 9 and 16 become lookups.
💡 Key idea — the one-way property
Every arrow in the tree is a one-way key derivation function. Given a child key you cannot compute the parent; given a sibling you cannot compute another sibling. That single property is why compromising one gNB, or one bearer’s key, cannot unravel the subscription — the damage stays at the leaf.

7.2 The Root: K and CK/IK

K is the only permanent secret, stored in exactly two places — the USIM and the home ARPF (Chapter 3). It is never used to encrypt traffic and never transmitted. During authentication the AKA functions produce CK and IK (cipher key, integrity key) from K and RAND; for EAP-AKA′ these become CK′/IK′ with the serving network name folded in. CK/IK are the bridge from the permanent root into the 5G-specific tree.

FIGURE 7.2The Twin Roots — K in USIM and ARPF
USIM (in the UE) holds K 🔑 computes CK, IK locally when challenged ARPF (in the UDM) holds the SAME K 🔑 computes CK, IK in the authentication vector never transmitted — computed independently at both ends CK ∥ IK 5G-AKA: used directly → K_AUSF EAP-AKA′: become CK′/IK′ (SN-bound)
Purpose: the symmetric root. The same K exists at both ends and produces the same CK/IK without ever crossing the network — the foundation of the whole tree.
FIGURE 7.3CK/IK → KAUSF — and the EAP-AKA′ Variant
5G-AKA path CK ∥ IK K_AUSF = KDF(CK,IK,SN-name, SQN⊕AK) SN name bound at THIS step EAP-AKA′ path CK′ ∥ IK′ K_AUSF = KDF(CK′,IK′,…)EAP master key path SN name already bound INSIDE CK′/IK′
Purpose: two roads, same destination. The serving-network binding happens at different steps in the two methods, but KAUSF is network-bound either way.

7.3 KAUSF, KSEAF, KAMF — the Control Keys

FIGURE 7.4KAUSF → KSEAF → KAMF — the Control-Plane Spine
K_AUSF lives: AUSF + UE also roots: SoR, UPU, AKMA (survives the visit) KDF(SN-name) K_SEAF lives: SEAF + UE the ANCHOR — released only on AUSF success KDF(SUPI, ABBA) K_AMF lives: AMF + UE ABBA binds the feature set → NAS keys + K_gNB notice the inputs: SN-name binds K_SEAF to the network; SUPI + ABBA bind K_AMF to the subscriber and the negotiated feature set K_AUSF outlives K_SEAF — it stays home to protect Steering-of-Roaming, UE Parameter Update and AKMA between authentications
Purpose: the control-plane spine and what each derivation binds. ABBA at the KAMF step is the anti-bidding-down anchor — it ties the context to the security features both sides agreed on.
FIGURE 7.5KAMF and the ABBA Parameter — Anti-Bidding-Down
K_SEAF + SUPI + ABBA ABBA = a value encoding the security feature set in use (e.g. baseline) K_AMF feature set is now baked in WHAT IT STOPS an attacker who strips a feature flag in transit changes the ABBA → both sides derive different K_AMF → security mode fails, attack visible ABBA = Anti-Bidding-down Between Architectures: a downgrade attempt breaks the keys instead of silently succeeding
Purpose: the parameter that makes downgrade attacks fail loudly. Tamper with the negotiated feature set and the keys simply won’t match.
FIGURE 7.6NAS Keys — KNASint and KNASenc
K_AMF in AMF + UE KDF(alg-type=NAS-int, NIA-ID) KDF(alg-type=NAS-enc, NEA-ID) K_NASint integrity-protects NAS (NIA) K_NASenc ciphers NAS (NEA) the algorithm identity is an INPUT — change algorithm, get a different key. This is how 5G binds each key to exactly one algorithm (Chapter 8).
Purpose: the NAS branch consumed by Chapter 8. Note the algorithm ID is a KDF input — keys are algorithm-specific by construction, blocking cross-algorithm misuse.

7.4 KgNB and the Access-Stratum Keys

When the UE goes connected, the AMF derives KgNB from KAMF using the uplink NAS COUNT as a freshness input, and hands it to the gNB over N2. The gNB then derives four AS keys, each algorithm-bound, all consumed in PDCP (Chapter 9).

FIGURE 7.7KgNB and the AS Key Set
K_AMF (in AMF) + uplink NAS COUNT (freshness) KDF(K_AMF, UL NAS COUNT) K_gNB delivered to gNB over N2 (NGAP) gNB derives 4 AS keys ↓ K_RRCintRRC integrity (NIA) K_RRCencRRC ciphering (NEA) K_UPintUP integrity (NIA) K_UPencUP ciphering (NEA) all four execute inside PDCP at the gNB (Chapter 9). They live only as long as this K_gNB does — refreshed on handover and re-keying.
Purpose: the access-stratum branch — the keys that actually scramble your radio bits. The UL NAS COUNT input guarantees a fresh KgNB each time the UE transitions to connected.

7.5 KDF Mechanics: How a Derivation Actually Works

Every arrow in the tree is the same function: the 3GPP generic KDF (TS 33.220), an HMAC-SHA-256 keyed by the parent key, over an input string assembled from an FC byte (which derivation this is) plus parameters (P0,L0,P1,L1…) — each value followed by its length. Different FC + parameters = different, independent child key.

FIGURE 7.8The 3GPP KDF — HMAC-SHA-256 With an FC-Tagged Input String
parent key = the HMAC key input string S = FC P0 L0 P1 L1 FC = which derivation · Pn = a parameter · Ln = its length (e.g. SN-name, NAS COUNT, algorithm type+ID) HMAC-SHA-256 ( key = parent, message = S ) 256-bit output child key (truncated as needed, e.g. 128 bits for algos) WHY THIS DESIGN IS SAFE • one-way: HMAC can’t be inverted → no parent from child • distinct FC → distinct keys, even with same parent • length-tagging prevents parameter-boundary ambiguity • algorithm ID as input → algorithm-bound keys
Purpose: the engine behind every arrow. The FC byte is the “which derivation am I” tag; combined with length-prefixed parameters it guarantees that two derivations never collide.

7.6 NH and NCC: Keys Built for Mobility

Handovers need fresh keys without re-running authentication each time. 5G solves this with the NH (Next Hop key) and its counter NCC (Next-hop Chaining Counter). The AMF pre-computes a chain of NH values from KAMF; each handover advances the chain, giving the target gNB a key the source gNB cannot predict. Full handover flows are Chapter 16; here is the key machinery.

FIGURE 7.9The NH/NCC Chain
K_AMF seeds the chain NH₀ (NCC=0)= initial NH₁ (NCC=1) NH₂ (NCC=2) NH₃ … each NH = KDF(K_AMF, previous NH) — a one-way chain; knowing NH₂ does not reveal NH₁ or NH₃’s successors VERTICAL derivation target K_gNB = KDF( fresh NH, PCI, ARFCN ) uses a NEW NH (NCC advances) ✓ forward security: source gNB can’t derive it HORIZONTAL derivation target K_gNB = KDF( current K_gNB, PCI, ARFCN ) same NCC — used when no fresh NH available ⚠ weaker: source gNB knows the input
Purpose: the mobility key engine. The NCC in a handover command tells the UE which NH to use — and whether it’s getting a strong (vertical) or weaker (horizontal) derivation.
FIGURE 7.10Horizontal vs Vertical — the Forward-Security Difference
HORIZONTAL (same NCC) gNB-A K_gNB gNB-B K_gNB B’s key = KDF(A’s key, …) if gNB-A is compromised, it can compute gNB-B’s key → no forward security on this hop VERTICAL (fresh NH, NCC+1) AMF: fresh NH gNB-B K_gNB B’s key = KDF(fresh NH from AMF, …) gNB-A never saw the NH, so it cannot compute B’s key → forward security restored
Purpose: why 3GPP prefers vertical derivation. The fresh NH comes from the AMF (via path switch / N2), an entity the source gNB cannot impersonate — breaking the compromise chain. Chapter 16 shows exactly when each is used.

7.7 Where Every Key Lives

FIGURE 7.11Key Distribution Map — Which NF Holds Which Key
key held by (network side) UE side KARPF (UDM) onlyUSIM CK/IKARPF (transient)USIM K_AUSFAUSF (home)ME K_SEAFSEAF (in AMF)ME K_AMFAMFME K_NASint / K_NASencAMFME K_gNB / NHgNB (K_gNB) · AMF (NH)ME K_RRCint/enc, K_UPint/encgNB (in PDCP)ME READ THE TABLE AS A BLAST-RADIUS LADDER the higher the key, the fewer elements hold it and the worse its loss. K lives in two places; AS keys live in every gNB you operate. the UE (ME) holds a copy of everything below the USIM — which is why UE compromise caps at session keys, never K
Purpose: the operational view of the tree — who must protect what. Maps directly onto Chapter 3’s blast-radius ranking and your patch/monitoring priorities.

7.8 Lifetime, Refresh, and Re-keying

FIGURE 7.12Key Lifetimes — From Permanent to Per-Bearer
key lives for… K the life of the subscription (years) — reissue card to change K_AUSF / K_SEAF / K_AMF one authentication run (until the next primary auth or re-key) NAS keys as long as K_AMF (re-derived on K_AMF change / algo change) K_gNB one RRC-connected period / per handover AS keys (RRC/UP) as long as the current K_gNB refresh triggers: new authentication · handover · transition to CONNECTED · COUNT wrap-around risk · operator re-key policy
Purpose: the time dimension of the tree. Leaf keys churn constantly; the root is effectively forever — which is exactly the security goal.
FIGURE 7.13Re-keying Without Re-authentication — Key Change On-the-Fly
UE AMF trigger: policy timer · NAS COUNT near wrap · re-key request NAS Security Mode Command (new ngKSI, K_AMF change indication) NAS Security Mode Complete (protected with new keys) a fresh K_AMF (and all children) without the cost/latency of a full 5G-AKA run — useful before COUNT exhaustion
Purpose: how the network refreshes keys cheaply. When you don’t need a new authentication but do need new keys (e.g., COUNT nearing wrap), key change on-the-fly re-roots KAMF via a NAS SMC.
FIGURE 7.14Key Handling at Xn Handover (Preview of Chapter 16)
source gNB target gNB AMF derive K_gNB* (horizontal or with stored NH) Handover Request ( K_gNB*, NCC ) Path Switch Request Path Switch Ack ( fresh NH, NCC+1 ) → ready for NEXT hop the current hop may be horizontal; the path switch refreshes the NH so the NEXT hop can be vertical → forward security restored periodically
Purpose: the key story behind a handover — the part Chapter 16 expands. The NH refresh on path switch is how 5G keeps re-establishing forward security as the UE moves.
FIGURE 7.15Key Handling at Idle Mobility and Registration Update
same AMF UE returns from IDLE → reuse stored K_AMF context re-derive K_gNB from UL NAS COUNT on next connect no re-auth needed AMF change new AMF fetches the UE context from the old AMF (horizontal K_AMF derivation) or triggers re-authentication per operator policy from EPS (mapped) coming from 4G → the 5G context is MAPPED from the EPS context (Chapter 17) native vs mapped matters for security level
Purpose: how keys move when the UE does — without paying for authentication every time. Native contexts are strongest; mapped contexts (from 4G) carry the source system’s ceiling, which Chapter 17 examines.

7.9 The Full Walkthrough: From K to a Ciphered Packet

FIGURE 7.16From the Long-Term Key to a Single Encrypted Byte
Kcard/vault CK/IKauth K_AUSFhome K_SEAFanchor K_AMFAMF K_gNBgNB K_UPencPDCP in PDCP at the gNB keystream = NEA( K_UPenc, COUNT, bearer, direction ) ciphertext = plaintext ⊕ keystream your data byte, finally encrypted SEVEN DERIVATIONS, ONE SECRET a single user byte is protected by a key seven KDF steps removed from K — each step one-way, each binding network, subscriber, algorithm, bearer, and COUNT. capture the byte and the key — neither reveals K
Purpose: the chapter’s thesis made concrete. Trace the path of one encrypted user byte all the way back to K — and see why no leaf ever endangers the root.
FIGURE 7.17LTE vs 5G Key Hierarchy — What 5G Added
LTE / EPS (TS 33.401) K → CK/IK → K_ASME (anchor) K_ASME → K_NASint/enc, K_eNB K_eNB → K_RRCint/enc, K_UPenc ✗ no K_AUSF layer ✗ no user-plane integrity key ✗ no serving-network-name binding 5G (TS 33.501) K → CK/IK → K_AUSFK_SEAF → K_AMF K_AMF → NAS keys, K_gNB K_gNB → RRC keys + K_UPint + K_UPenc ✓ extra K_AUSF layer (home control, AKMA) ✓ user-plane INTEGRITY key (K_UPint) ✓ SN-name + ABBA binding throughout
Purpose: the upgrade in one frame. 5G inserts a home-anchored layer (KAUSF), adds a user-plane integrity key (the aLTEr fix, Chapter 9), and binds keys to the network and feature set.
FIGURE 7.18Key-Management Pitfalls — and Which Key They Endanger
COUNT reusekeystream reuse → XOR breakendangers: K_*enc bearers no key refresh before wrapCOUNT wraps → forced reusefix: re-key on-the-fly (§7.8) mapped-context downgrade5G keys carry 4G ceilingendangers: whole context (Ch 17) NH/NCC desynchandover key mismatchendangers: mobility (Ch 16) weak/null algorithm chosenstrong keys, weak cipherendangers: everything (Ch 8/25) the tree is strong; key MANAGEMENT is where real networks fail — COUNT discipline, refresh policy, algorithm selection
Purpose: a forward pointer to the operational chapters. The mathematics rarely breaks; the management around it does. Each pitfall links to where the book treats it.

7.10 The Practical Operator View

Common misconfiguration risks

7.11 Threats and Mitigations

ThreatTargets which keyDefense
Root key theftKHSM at ARPF, no export, tamper-resistant USIM
Keystream reuseK_*enc(key,COUNT,bearer,direction) uniqueness; refresh before wrap
Compromised gNB reading future cellsK_gNB chainvertical derivation, NH refresh (forward security)
Downgrade via context mappingK_AMF (mapped)policy control at interworking (Ch 17)
Cross-algorithm key misuseAS/NAS keysalgorithm ID bound into KDF inputs
Bidding-down of featuresK_AMFABBA parameter binding

7.12 Terminology, Example, Checklist

TermMeaning
K / CK,IKLong-term key / cipher & integrity keys from AKA
K_AUSF / K_SEAF / K_AMFHome-anchored key / serving anchor / AMF-level key (control-plane spine)
K_NASint/enc, K_gNB, K_RRC*/K_UP*NAS keys / RAN key / access-stratum RRC and user-plane keys
NH / NCCNext-hop key / next-hop chaining counter (handover key engine)
KDF / FCHMAC-SHA-256 key derivation / the function-code byte tagging each derivation
ABBAAnti-bidding-down parameter bound into K_AMF
horizontal / vertical derivationNext K_gNB from current K_gNB / from a fresh NH (forward-secure)

Real network example. An operator running fixed-wireless-access CPEs — devices that stay RRC-connected for days — began seeing sporadic ciphering errors on high-throughput bearers. Root cause: those sessions approached PDCP COUNT exhaustion, a condition normal handsets never hit because they idle and re-key constantly. The stationary CPEs never handed over and never re-authenticated, so KgNB (and its AS keys) lived far too long. Fix: an operator policy to force key change on-the-fly (fresh KAMF → fresh KgNB) on a timer for long-lived connections. The tree was perfect; the refresh policy assumed mobility that these devices didn’t have.

Chapter Summary

? Review Questions

  1. Draw the full key hierarchy from memory. For each key, state where it lives on the network side.
  2. Explain the one-way property and why it means a compromised gNB cannot decrypt a neighbor cell’s past traffic.
  3. What four kinds of input does the KDF use to make derived keys context-specific? Give an example of each.
  4. Distinguish horizontal from vertical key derivation at handover, and explain which provides forward security and why.
  5. Why is the uplink NAS COUNT an input to K_gNB derivation? What would go wrong if K_gNB were derived from K_AMF alone?
  6. What is ABBA, where is it bound, and what attack does it defeat?
  7. A stationary device stays connected for days. Which key is at risk, of what, and what policy fixes it?
  8. Name the three things 5G’s key hierarchy adds over LTE’s, and the chapter where each pays off.
🧪 Mini lab — derive a key by hand (almost)

Using TS 33.501 Annex A and a scripting language: (1) implement the generic KDF (HMAC-SHA-256 over FC ∥ P0 ∥ L0 ∥ …). (2) From a chosen KAMF (any 32-byte test value) and the KgNB FC with an uplink NAS COUNT, compute KgNB; change the COUNT by one and confirm a completely different key. (3) From that KgNB, derive KUPenc with the AS-key FC and a NEA algorithm ID; change the algorithm ID and confirm, again, a different key. You have now reproduced the exact mechanism that binds every 5G key to its context — and proven to yourself why the tree’s one-way derivations contain damage to a single leaf.

← Chapter 6 Chapter 7 Chapter 8 →