Wednesday, May 5, 2010

EPS Authentication and Key Agreement Procedure

EPS AKA is the authentication and key agreement procedure that is used between UE and EPC Core Network.  EPS AKA produces keying material forming a basis for user plane (UP), RRC, and NAS ciphering keys as well as RRC and NAS integrity protection keys.

The MME sends to the USIM via ME the random challenge RAND and an authentication token AUTN for network authentication from the selected authentication vector. It also includes a KSIASME for the ME which will be used to identify the KASME (and further keys derived from the KASME) that results from the EPS AKA procedure.

At receipt of this message, the USIM verify's the freshness of the authentication vector by checking whether AUTN can be accepted. If so, the USIM computes a response RES. USIM also computes CK and IK which are sent to the ME.

An ME accessing E-UTRAN checks during authentication that the "separation bit" in the AMF field of AUTN is set to 1. The "separation bit" is bit 0 of the AMF field of AUTN.

UE responds with User authentication response message including RES in case of successful AUTN verification and successful AMF verification as described above. In this case the ME computes KASME from CK, IK, and serving network's identity (SN id) using the KDF algorithm. SN id binding implicitly authenticates the serving network's identity when the derived keys from KASME are successfully used.

Otherwise UE shall send User authentication reject message with a CAUSE value indicating the reason for failure. In case of a synchronisation failure of AUTN, the UE also includes AUTS that was provided by the USIM.

The MME checks that the RES equals XRES. If so the authentication is successful. If not or in cause of an authentication failure response by the UE, the MME may initiate further identity requests or authentications towards the UE.

8 comments:

Liana-Cristina said...

May a obtain more information about AKA LTE?

Liana-Cristina said...

sorry,i wanted to say "i", not "a":P

ahmed3188 said...

yes, please it will be good :)

Vitty said...

Why is there a need to request multiple authentication vectors? When my UE attaches to the network I see a request for 2 authentication vectors and subsequently two vectors are returned. How do I know which vector to use and what to use it for? It seems like the first vector I get back is used for NAS ciphering. I'm just not sure how to tell which I should be using for what.

John Garrigan said...

What does ME stand for?

vikram korde said...

Mobile Equipment

johng said...

Thanks Vikram, so is this the same as the UE or refer to something different?

vikram korde said...

Yes John, its same as UE :)