The purpose of the EPS authentication and key agreement (AKA) procedure is to provide mutual authentication between the user and the network and to agree on a key KASME. The EPS AKA procedure is always initiated and controlled by the network. However, the UE can reject the EPS authentication challenge sent by the network.
A partial native EPS security context is established in the UE and the network when an EPS authentication is successfully performed. During a successful EPS authentication procedure, the CK and IK are computed by the USIM. CK and IK are then used by the ME as key material to compute a new key, KASME. KASME is stored in the EPS security context of the network and in the volatile memory of the ME while attached to the network, and is the root of the EPS integrity protection and ciphering key hierarchy.
- Authentication initiation by the network
When a NAS signalling connection exists, the network can initiate an authentication procedure at any time. The network initiates the authentication procedure by sending an AUTHENTICATION REQUEST message to the UE.
The AUTHENTICATION REQUEST message contains the parameters necessary to calculate the authentication response.
- Authentication response by the UE
The UE responds to an AUTHENTICATION REQUEST message. The UE processes the authentication challenge data and responds with an AUTHENTICATION RESPONSE message to the network. Upon a successful EPS authentication challenge, the UE determines the PLMN identity to be used for the calculation of the new KASME from the authentication challenge data.
Upon a successful EPS authentication challenge, the new KASME calculated from the authentication challenge data is stored in a new EPS security context in the volatile memory of the ME.
The USIM computes the authentication response (RES) using the authentication challenge data received from the ME, and passes RES to the ME.
- Authentication completion by the network
Upon receipt of an AUTHENTICATION RESPONSE message, the network checks the correctness of RES. If the authentication procedure has been completed successfully and the related eKSI is stored in the EPS security context of the network, the network includes a different eKSI value in the AUTHENTICATION REQUEST message when it initiates a new authentication procedure.
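The KASME computation described above (CK and IK as key material, bound to the PLMN identity), shown as an added example that is not part of the original text. It follows the key derivation function in 3GPP TS 33.401 Annex A.2; the function names are hypothetical and the key values are constructed samples.

```python
import hashlib
import hmac

FC_KASME = 0x10  # FC value for the KASME derivation (TS 33.401 Annex A.2)

def encode_plmn(mcc: str, mnc: str) -> bytes:
    """Encode MCC/MNC as the 3-octet SN id (BCD nibbles, 0xF filler for a 2-digit MNC)."""
    digits = mcc + mnc
    if len(mcc) != 3 or len(mnc) not in (2, 3) or not (digits.isascii() and digits.isdigit()):
        raise ValueError("MCC must be 3 digits and MNC 2 or 3 digits")
    m = [int(d) for d in mcc]
    n = [int(d) for d in mnc] + ([0xF] if len(mnc) == 2 else [])
    return bytes([(m[1] << 4) | m[0], (n[2] << 4) | m[2], (n[1] << 4) | n[0]])

def derive_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """KASME = HMAC-SHA-256(CK || IK, FC || SN id || 0x0003 || SQN^AK || 0x0006)."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must be 16 bytes each")
    if len(sn_id) != 3 or len(sqn_xor_ak) != 6:
        raise ValueError("SN id must be 3 bytes and SQN xor AK 6 bytes")
    s = (bytes([FC_KASME])
         + sn_id + len(sn_id).to_bytes(2, "big")
         + sqn_xor_ak + len(sqn_xor_ak).to_bytes(2, "big"))
    return hmac.new(ck + ik, s, hashlib.sha256).digest()

# Constructed sample values, not taken from any real USIM or network.
CK = bytes(range(0x00, 0x10))
IK = bytes(range(0x10, 0x20))
SQN_XOR_AK = bytes.fromhex("a1b2c3d4e5f6")  # taken from the AUTN in the challenge

if __name__ == "__main__":
    home = derive_kasme(CK, IK, encode_plmn("001", "01"), SQN_XOR_AK)
    other = derive_kasme(CK, IK, encode_plmn("310", "410"), SQN_XOR_AK)
    print("KASME (PLMN 001/01): ", home.hex())
    print("KASME (PLMN 310/410):", other.hex())
    # Same CK/IK, different serving network: the keys must not match.
    print("bound to serving network:", not hmac.compare_digest(home, other))
```

Because the PLMN identity is an input to the derivation, a KASME computed for one serving network is useless to another, even when both hold the same CK and IK.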