5.2 Authentication
3GPP TS 23.632 Release 18 Stage 2: User data interworking, coexistence and migration
5.2.1 General
A subscriber’s authentication subscription data, including the subscriber’s long-term key(s) and sequence number, shall be stored in a single repository so that a single sequence number can be maintained for the subscriber.
The subscriber’s long-term key(s) shall not be transferred over the NU1 reference point between HSS and UDM. Also, it is not expected that the UDM has direct standardized access to the EPS-UDR. Therefore, the following options exist for subscribers with both 5G and EPS subscription:
1) Authentication subscription data are stored in the EPS-UDR and all authentication vectors are calculated in the HSS. Subscription data stored in the 5GS-UDR or locally configured in the UDM indicate that the UDM needs to consume the Nhss_UEAuthentication_Get service operation to retrieve a 5G vector from the HSS. See clause 5.2.2 for details.
2) Authentication subscription data are stored in the 5GS-UDR and all authentication vectors are calculated in the UDM. Subscription data stored in the EPS-UDR or locally configured in the HSS indicate that the HSS needs to consume the Nudm_UEAuthentication_GetHssAv service operation to retrieve an EPS vector from the UDM. See clause 5.2.3 for details.
3) Authentication subscription data are stored in the 5GS-UDR, 5G vectors are calculated in the UDM and EPS vectors are calculated in the HSS. Subscription data stored in the EPS-UDR or locally configured in the HSS indicate that the HSS needs to consume the Nudr_DM_Query service operation to retrieve authentication subscription data from the 5GS-UDR. See clause 5.2.4 for details.
The following clauses specify the system procedures for these different alternatives.
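As an added illustration (this is constructed example code, not part of TS 23.632 and not 3GPP or any vendor's implementation), the toy model below wires the three placement options of this clause together with the flows of clauses 5.2.2 to 5.2.4: one shared repository object holds the long-term key and the sequence number, only identities and the serving network name cross the HSS/UDM boundary, and the vector derivation is a stand-in keyed MAC rather than MILENAGE or TUAK. Subscriber identity and key values are constructed placeholders.

```python
import hashlib, hmac, os

class AuthRepo:
    """The single repository (EPS-UDR or 5GS-UDR) holding K and SQN for one subscriber."""
    def __init__(self, supi: str, k: bytes):
        self.supi, self.k, self.sqn = supi, k, 0
    def next_sqn(self) -> int:
        self.sqn += 1          # one counter, whichever NF computes the vector
        return self.sqn

def derive_av(k: bytes, sqn: int, domain: str) -> dict:
    # Stand-in for MILENAGE/TUAK: keyed MAC over RAND, SQN and a domain label.
    rand = os.urandom(16)
    mac = hmac.new(k, rand + sqn.to_bytes(6, "big") + domain.encode(), hashlib.sha256).digest()
    return {"rand": rand, "sqn": sqn, "mac": mac[:8]}

class Hss:
    """EPS side. Option 2 delegates to the UDM; options 1 and 3 compute locally."""
    def __init__(self, option: int, repo, udm=None):
        self.option, self.repo, self.udm = option, repo, udm
    def get_eps_av(self, imsi: str) -> dict:
        if self.option == 2:                      # Nudm_UEAuthentication_GetHssAv
            return dict(self.udm.get_av_for_hss(imsi, "EPS"), computed_by="UDM")
        # option 1 reads the EPS-UDR, option 3 reads the 5GS-UDR via Nudr_DM_Query
        return dict(derive_av(self.repo.k, self.repo.next_sqn(), "EPS"), computed_by="HSS")
    def get_5g_av(self, imsi: str, snn: str) -> dict:   # Nhss_UEAuthentication_Get
        return dict(derive_av(self.repo.k, self.repo.next_sqn(), snn), computed_by="HSS")

class Udm:
    """5G side. Option 1 delegates 5G vector generation to the HSS."""
    def __init__(self, option: int, repo, hss=None):
        self.option, self.repo, self.hss = option, repo, hss
    def get_5g_av(self, supi: str, snn: str) -> dict:
        if self.option == 1:   # only SUPI, method and SNN cross NU1, never K
            return self.hss.get_5g_av(supi, snn)
        return dict(derive_av(self.repo.k, self.repo.next_sqn(), snn), computed_by="UDM")
    def get_av_for_hss(self, imsi: str, domain: str) -> dict:
        return derive_av(self.repo.k, self.repo.next_sqn(), domain)

def build(option: int, k: bytes = b"\x00" * 16):
    repo = AuthRepo("imsi-001010123456789", k)   # constructed placeholder subscriber
    if option == 1:
        hss = Hss(1, repo); udm = Udm(1, None, hss)
    elif option == 2:
        udm = Udm(2, repo); hss = Hss(2, None, udm)
    else:
        udm = Udm(3, repo); hss = Hss(3, repo)    # both NFs read the same 5GS-UDR
    return hss, udm, repo
```

Whatever the option, alternating EPS and 5G requests always draw consecutive sequence numbers from the one repository, which is the property that avoids SQN desynchronisation between the two domains.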
5.2.2 Vector Generation in HSS
This clause specifies the procedures for authentication vector request when the subscriber’s authentication subscription data is stored at the EPS-UDR. In this case, the UDM requests the generation of the Authentication Vector for 5GS to the HSS.
NOTE: The HSS acts as ARPF rather than as AuC and it is required to generate authentication vectors as defined in 3GPP TS 33.501 [6].
When the UDM receives an authentication information Request from the AUSF it shall check (by means of a 5GS-UDR query or local configuration in the UDM) whether the subscribed authentication method is 5G_AKA or EAP_AKA_PRIME and, if so, whether 5G authentication vector generation for the identified subscriber shall be done in the HSS. If so, the UDM shall make use of the Nhss_UEAuthentication_Get service operation to retrieve a 5G authentication vector from the HSS.
Figure 5.2.2-1 shows the scenario where the authentication vector request for a 5G subscriber who also has an EPS subscription is received by the UDM.
Figure 5.2.2-1: Authentication for 5G subscriber with authentication vector generation in HSS
1. The UDM receives an Authentication Vector request, containing the identity of the user (SUPI or SUCI). If SUCI is received, the UDM performs SUCI to SUPI de-concealment. For details of the Nudm_UEAuthentication Service see 3GPP TS 23.502 [5] and 3GPP TS 33.501 [6].
2. If the 5GS-UDR is used, the UDM queries the 5GS-UDR using the SUPI to retrieve Authentication Subscription Information. In this scenario the Authentication Subscription Information contains a subscribed authentication method of 5G_AKA or EAP_AKA_PRIME and an indicator that authentication vector generation shall be performed in the HSS. Optionally, the indication that the authentication vector generation shall be performed in the HSS could be locally configured at the UDM/ARPF.
3. The UDM uses the Nhss_UEAuthentication_Get service operation to retrieve an authentication vector from the HSS. The request contains the IMSI, the authentication method and the serving network name.
4. The HSS reads authentication subscription data from the EPS-UDR. This step is omitted if all relevant authentication subscription data are stored locally in the HSS.
5. The HSS (AuC/ARPF) calculates the requested authentication vector taking into account the serving network name and authentication method received in step 3 and the authentication subscription information retrieved from the EPS-UDR.
6. The calculated authentication vector is sent to the UDM.
7. The HSS updates the EPS-UDR with the new sequence number. This step is omitted if the sequence number is stored locally in the HSS.
8. The UDM forwards the authentication vector to the AUSF.
5.2.3 Vector Generation in UDM/ARPF
This clause specifies the procedures for authentication vector request when the subscriber’s authentication subscription data is stored at the 5GS-UDR. In this case, the HSS requests the generation of the Authentication Vector for EPS and/or IMS to the UDM.
NOTE: The UDM acts as AuC rather than as ARPF and it is required to generate authentication vectors as defined in 3GPP TS 33.401 [8], 3GPP TS 33.402 [9], 3GPP TS 33.203 [10] and 3GPP TS 33.220 [11].
When the HSS receives an authentication vector request from a serving node (e.g. MME, SGSN, VLR, S-CSCF, BSF) it shall check (by means of an EPC-UDR query) whether authentication vector generation for the identified subscriber shall be done in the UDM. If so, the HSS shall make use of the Nudm_UEAuthentication_GetHssAv service operation to retrieve authentication vectors from the UDM.
Figure 5.2.3-1 shows the scenario where an authentication vector request for a subscriber is received by the HSS and subscription data stored in the EPS-UDR indicate that for the subscriber authentication vector generation is to be performed in the UDM.
Figure 5.2.3-1: Authentication for a subscriber with authentication vector generation in UDM
1. The HSS receives an Authentication Vector request, containing the identity of the user (IMSI, or Public User Identity and/or Private User Identity).
2. The HSS queries the EPS-UDR using the identity of the user to retrieve Authentication Subscription Information. In this scenario the Authentication Subscription Information contains an indicator that authentication vector generation shall be performed in the UDM.
3. The HSS uses the Nudm_UEAuthentication_GetHssAv service operation to retrieve an authentication vector from the UDM. The request contains the identity of the user, the type of the requested vector (E-UTRAN/UTRAN or GERAN/IMS-AKA) and, when available, the visited PLMN-ID.
4. The UDM reads authentication subscription data from the 5GS-UDR.
5. The UDM (ARPF) calculates the requested authentication vectors taking into account the information received in step 3 and the authentication subscription information retrieved from the 5GS-UDR.
6. The calculated authentication vectors are sent to the HSS.
7. The UDM updates the 5GS-UDR with the new sequence number.
8. The HSS forwards the authentication vectors to the serving node.
5.2.4 HSS using the Nudr SBI
When the HSS receives an S6a-AIR from the MME, it may check (by means of an EPC-UDR query) whether the subscriber has a 5G subscription. If so, the HSS can make use of the Nudr_DM_Query Get service operation to retrieve the authentication subscription data from the 5GS UDR and generate the authentication vector.
Figure 5.2.4-1 shows the scenario where the authentication vector request for a 5G subscriber who also has an EPS subscription is received by the HSS.
Figure 5.2.4-1: Authentication for 5G subscriber with EPS subscription
1. The HSS receives an Authentication Vector request containing the identity of the user (IMSI).
2. The HSS queries the EPC-UDR using the IMSI to retrieve Authentication Subscription Information. Since the subscriber is a 5G subscriber the response indicates that the subscriber’s authentication information is stored in the 5GS UDR.
NOTE: Local configuration in the HSS may indicate that authentication subscription data for all subscribers can be obtained from the 5G UDR and thus this step may be omitted.
3. The HSS uses the Nudr_DM_Query Get service operation to retrieve the authentication subscription data from the 5GS UDR. The request contains the IMSI formatted as a SUPI.
4. The HSS (AuC) calculates the requested authentication vector taking into account the serving network name and authentication method received in step 1 and the authentication subscription information retrieved from the 5GS-UDR in step 3.
5. The calculated authentication vector is returned to the MME.
6. The HSS updates the 5GS-UDR with the new sequence number.