Part 8 · Practical Labs and Training Material
34

Interview Questions and Trainer Notes

115 questions, scenarios, and a course map for teaching 5G security

"If you can explain 5G-AKA to someone who's never seen it, draw the key hierarchy from memory, and name the misconfiguration behind a real incident — you know 5G security." — THE BAR THIS CHAPTER SETS

This chapter turns the book into training material: a graded question bank (beginner → advanced → scenario → troubleshooting), a self-assessment, and trainer notes with course maps for one-, three-, and five-day formats. Use it to interview candidates, prepare for interviews, or build a 5G security course.

🎯 Learning objectives
FIGURE 34.1 Question Difficulty Map by Topic
topic | beginner | intermediate | advanced
identity (SUCI) | what is SUCI? | ECIES steps | null-scheme risk
authentication | mutual auth? | 5G-AKA flow | HXRES* vs XRES*
key hierarchy | what is K? | tree to AS keys | NH/NCC, forward sec
SBA | mTLS? | OAuth scope/aud | lateral-movement containment
roaming | what is SEPP? | TLS vs PRINS | filtering vs encryption
operations | what's a KPI? | auth funnel | SOC↔NOC handshake
Purpose: a map for building or grading interviews. Pick a topic row and the difficulty column appropriate to the role.
FIGURE 34.2 The "Explain-It" Whiteboard Set — Draw These From Memory
  1 · architecture: NFs + interfaces, key placement (Ch 3)
  2 · key hierarchy: K → AS keys, one-way tree (Ch 7)
  3 · 5G-AKA flow: RAND/AUTN/RES*, two checks (Ch 6)
  4 · SBA security: mTLS + OAuth, NRF authority (Ch 10)
  5 · threat map: 8 surfaces + controls (Ch 24)
A candidate who can draw all five from memory understands 5G security — this is the interviewer's gold standard.
Purpose: the five diagrams that separate someone who has read about 5G security from someone who understands it. Drawing them cold is the bar for an expert.

34.1 Beginner Questions (with answer cues)

💡 30 beginner questions
  1. What does SUCI conceal, and why? (permanent identity; stop IMSI catching — Ch4)
  2. What is mutual authentication? (both UE and network prove identity — Ch5)
  3. Where is the long-term key K stored? (USIM and ARPF only — Ch3,7)
  4. What does NEA0 mean? (null ciphering — Ch8)
  5. What is the SEPP for? (roaming border security — Ch13)
  6. What is the NRF's role? (NF directory + OAuth token authority — Ch3,10)
  7. What is a 5G-GUTI? (temporary identity — Ch4,19)
  8. What does the UPF do? (forwards user traffic; no keys — Ch3)
  9. NSA vs SA in one line? (LTE-anchored vs full 5GC — Ch18)
  10. What is NAS? (UE↔AMF signaling — Ch8)
  11. What new protection did 5G add to the user plane? (integrity — Ch9)
  12. What is mTLS? (both ends authenticate by cert — Ch10)
  13. What is a network slice? (logical network on shared infra — Ch20)
  14. What is an SNPN? (standalone private network — Ch21)
  15. What is the AMF? (access/mobility + NAS security — Ch3)
  16. What is AUTN? (network's proof token — Ch6)
  17. Why is null SUCI scheme dangerous in production? (identity exposed — Ch4,25)
  18. What is a false base station? (rogue cell — Ch1,24)
  19. What does AKA stand for? (Authentication and Key Agreement — Ch5)
  20. What is the home vs serving network? (subscription vs location — Ch1)
  21. What is OAuth used for in SBA? (per-call authorization — Ch10)
  22. What is K_SEAF? (the anchor key — Ch6,7)
  23. What protects backhaul? (IPsec/NDS/IP — Ch14)
  24. What is the NEF? (API exposure doorway — Ch12)
  25. What is a handover? (connected cell change — Ch16)
  26. What does the USIM hold? (K, AKA functions, home key — Ch3,4)
  27. What is a KPI in security monitoring? (measurable indicator — Ch26)
  28. What is the SOC? (Security Operations Center — Ch27)
  29. Why do we audit? (verify protections are on — Ch28)
  30. What is the biggest source of real breaches? (misconfiguration — Ch25)

34.2 Intermediate Questions

📘 30 intermediate questions
  1. Walk the 5G-AKA message flow end to end. (Ch6)
  2. How does ECIES conceal the SUPI? (Ch4)
  3. Draw the key hierarchy from K to AS keys. (Ch7)
  4. Explain the NAS SMC and replayed capabilities. (Ch8)
  5. How does the SMF set UP security policy? (Ch9)
  6. What do OAuth scope and audience claims do? (Ch10)
  7. Compare TLS mode and PRINS on N32. (Ch13)
  8. Explain NH/NCC at handover. (Ch16)
  9. What is a mapped vs native security context? (Ch8,17)
  10. How does NSSAA work? (Ch20)
  11. What are the four slice isolation layers? (Ch20)
  12. How does CMPv2 help at scale? (Ch10,14)
  13. What does the AMF separation bit prevent? (Ch5,6)
  14. Explain serving network name binding. (Ch5)
  15. How does increased home control work? (Ch5,6)
  16. Distinguish 5G-AKA and EAP-AKA′. (Ch5)
  17. What does topology hiding do? (Ch13)
  18. How is K_gNB derived and refreshed? (Ch7,16)
  19. What is the authentication funnel? (Ch26)
  20. How does the SEPP stop SS7-class attacks? (Ch13)
  21. What is CAG in a PNI-NPN? (Ch21)
  22. Explain UP integrity required vs preferred. (Ch9)
  23. How does the NRF authorize discovery? (Ch10)
  24. What is AKMA? (Ch5)
  25. What changes for the edge UPF's N4/N9? (Ch22)
  26. What is harvest-now-decrypt-later? (Ch32)
  27. How does NWDAF support security? (Ch26,31)
  28. What's the difference between authentication and authorization? (Ch1,10)
  29. What is a signaling storm? (Ch23)
  30. How does CU/DU split affect key placement? (Ch15)

34.3 Advanced Questions

🎯 25 advanced questions
  1. Why does the serving network get HXRES* not XRES*, and what attack does it stop? (Ch6)
  2. Explain horizontal vs vertical derivation and forward security. (Ch7,16)
  3. How does ABBA defeat bidding-down, and where is it bound? (Ch7)
  4. Why is a mapped context a security downgrade, item by item? (Ch17,18)
  5. How does OAuth scope/audience contain SBA lateral movement? (Ch10,24)
  6. What's the AKA linkability problem and its fix direction? (Ch6)
  7. Why does "preferred" UP integrity fail open? (Ch9)
  8. How would you detect a rogue gNB from telemetry? (Ch6,26,27)
  9. Design a per-IE PRINS protection policy. (Ch13)
  10. Where must K live in a cloud-native core, and why? (Ch11,29)
  11. How do the four slice isolation layers fail independently? (Ch20)
  12. What is crypto agility and why does it beat algorithm choice? (Ch32)
  13. How does container escape reach the crown jewels? (Ch29)
  14. Why is the NRF the SBA's single most critical NF? (Ch10,11)
  15. Explain the SOC↔NOC handshake and a failure mode. (Ch27)
  16. What's the difference between confidentiality and privacy in 5G? (Ch1,19)
  17. Why does NSA security equal LTE security despite a 5G radio? (Ch18)
  18. How do you prove (not assume) UP integrity is active? (Ch9,28)
  19. What makes an audit evidence-based vs questionnaire-based? (Ch28)
  20. How does the SN name break a network-relay attack? (Ch5)
  21. Why is ML detection-only, and what are poisoning/evasion? (Ch31)
  22. Design the monitoring to catch a stale-GUTI tracking attack. (Ch19,26)
  23. How does the AUTS token resist SQN manipulation? (Ch6)
  24. Map the top-5 risks of a national 5G network and their controls. (Ch24)
  25. What's the highest-impact "zero trust" win in a typical 5G core? (Ch30)
FIGURE 34.3 Scenario Question Architecture Template
situation (a symptom/incident) → diagnose (what's happening?) → root cause (why?) → fix (remediate) → prevent
15 scenarios + 15 troubleshooting questions below use this five-step structure — it also models real incident response (Ch27)
Purpose: the structure for scenario interviews. Diagnose → root cause → fix → prevent mirrors real incident response (Chapter 27).

34.4 Scenario & Troubleshooting Questions

⚠️ 30 scenario/troubleshooting questions
  1. A region shows a 2% auth-success dip, all MAC failures, off-hours, geo-clustered. Diagnose. (rogue gNB — Ch6,27)
  2. Thousands of sync failures after a UDM restore. Attack or not? (SQN rewind, not attack — Ch6)
  3. A capture shows NIA2 but NEA0. Is the network under attack? What leaks? (no attack; content leaks — Ch8,25)
  4. An enterprise slice has UP integrity "off" despite "preferred." Why? (non-capable RAN; set required — Ch9)
  5. A token for UDM-A works at UDM-B. What's wrong? (no audience check — Ch10)
  6. Subscribers can be tracked despite SUCI. Why? (stale GUTI — Ch19)
  7. A roaming partner sends location queries it never sent before. (interconnect attack — Ch13,27)
  8. gNB backhaul over a leased line — is it secure? (no; needs IPsec — Ch14)
  9. Core keys stolen via a node compromise; 3GPP security was perfect. (cloud layer; K not in HSM — Ch29)
  10. SEPP filtering disabled 8 months ago for a partner. Risk? (SS7-class attacks — Ch13,25)
  11. Frequent caller stuck on a mapped context all day. (no re-auth policy — Ch17)
  12. A "5G" enterprise claim turns out to be NSA. What's false? (no UP integrity etc — Ch18)
  13. Two million meters reconnect at once after an outage. (signaling storm — Ch23)
  14. A location API is being used to track individuals. (no consent/quota — Ch12)
  15. An ML detector auto-throttled real fans at an event. (no human-in-loop — Ch31)
  16. NCC never increments across a boundary. Impact? (no forward security — Ch16)
  17. A decommissioned UDM still trusted in the NRF. (lifecycle gap — Ch11)
  18. SBA runs plaintext "because internal is safe." (enable mTLS — Ch10)
  19. VIP SIMs have a unique routing indicator. (metadata leak — Ch4)
  20. An MVNO's roamers fail at the SMC step but pass AUTN. (SN-name mismatch — Ch5)
  21. Edge UPF N4 runs unencrypted across a venue network. (IPsec N4 — Ch22)
  22. A private 5G network is flat into the OT VLAN. (segment IT/5G/OT — Ch21)
  23. Annual "audit" is a vendor questionnaire, always green. (evidence-based audit — Ch28)
  24. OAuth on but scopes near-universal. Best zero-trust fix? (tighten scopes/audience — Ch30)
  25. Secrets in K8s env vars on the ARPF pod. (vault + HSM — Ch29)
  26. A slice "isolated" but starved by a neighbor. (no resource isolation — Ch20)
  27. UE sends cleartext identity at registration. (null scheme — Ch4)
  28. Aggregate auth KPI fine but attack underway. (need cause breakdown — Ch26)
  29. SOC throttled an AMF without NOC; neighbor region dropped. (handshake — Ch27)
  30. Long-lived FWA CPE hits ciphering errors. (COUNT exhaustion; re-key — Ch7)
FIGURE 34.4 Trainer Course Map — 1-Day / 3-Day / 5-Day
1-DAY (overview): Ch 1-3 foundations; Ch 4-6 identity+auth; Ch 10,13 SBA+roaming; Ch 24-25 threats/misconfig; + Lab 1,2 (Ch33)
3-DAY (engineer): Day1: Parts 1-2 (Ch1-9); Day2: Parts 3-4 (Ch10-18); Day3: Parts 5-6 (Ch19-28); + all 5 labs
5-DAY (mastery): full book Part by Part; all labs + scenarios; build a threat model; run an audit; capstone project
Purpose: ready-made course structures. Map the book's parts and labs to a one-, three-, or five-day format depending on audience and depth.
FIGURE 34.5 Knowledge Self-Assessment Radar
Axes: identity, auth, keys, NAS/AS, SBA/roaming, slicing/ops
Rate yourself 1-5 per axis; the dents are where to re-read. Aim for a balanced hexagon before claiming "5G security" expertise.
Purpose: find your gaps. Rate yourself per axis; the dents point to the chapters to revisit before an interview or an audit.

34.5 Trainer Teaching Notes

🧪 Mini exercise — mock interview

Pair up. One person picks five questions spanning beginner → advanced → scenario from this bank; the other answers, drawing where asked (key hierarchy, AKA flow). Score on accuracy, ability to reproduce diagrams from memory, and — for scenarios — whether they reach the root cause (usually a misconfiguration) not just a symptom. Swap. The candidate who can draw the key hierarchy cold and name the misconfiguration behind each scenario is the one who actually understands 5G security.