AUSF
Understanding the AUSF in 5G Networks
Before a 5G phone can make a call or access data, it must prove its identity to the network. The AUSF is the 5G core network function that executes this identity verification — ensuring that only authorized SIM cards can access the network and that the authentication process generates the encryption keys that protect every subsequent communication.
The Authentication Flow
When a UE attempts to register with the 5G network:
- The AMF sends an authentication request to the AUSF, including the subscriber's permanent identifier (SUPI or SUCI).
- The AUSF requests authentication vectors from the UDM/ARPF, which computes them using the subscriber's secret key (K) stored in the Home Subscriber Server.
- The AUSF sends an authentication challenge to the UE (via the AMF).
- The UE's USIM computes a response using its stored key K and returns it.
- The AUSF verifies the response. If correct, authentication succeeds and the AUSF generates the anchor key KAUSF.
Why the AUSF Matters for RF
While the AUSF operates at the application layer (far from the RF air interface), its authentication speed directly affects the time between a UE's initial radio access and its ability to transmit user data. In mobility scenarios (handovers, cell reselections), reauthentication latency contributes to the total service interruption time.
Key Equations
The Authentication Server Function (AUSF) is a mandatory Network Function (NF) in the 5G Core (5GC) Service-Based Architecture (SBA), defined in 3GPP TS 33.501 and...
Key specifications:
33.501 a | 0 dB | 1 mW | 30 dB | 1 W | 110 GHz
Power: P(dBm) = 10log(PmW), 0dBm = 1mW
Comparison
| Aspect | AUSF Spec | Typical Range | Impact | Design Note |
|---|---|---|---|---|
| Primary function | The Authentication Server Function (AUSF... | Application-dep. | Critical | Verify in sim |
| Operating range | Understanding the AUSF in 5G Networks Be... | Application-dep. | Critical | Verify in sim |
| Performance | The Authentication Flow When a UE attemp... | Application-dep. | Critical | Verify in sim |
| Integration | The AUSF requests authentication vectors... | Application-dep. | Critical | Verify in sim |
| Trade-off | The AUSF sends an authentication challen... | Application-dep. | Critical | Verify in sim |
Frequently Asked Questions
What is the difference between 5G-AKA and EAP-AKA'?
5G-AKA is a challenge-response protocol where the USIM computes a response using its secret key — identical in principle to 4G AKA but with enhanced key hierarchy. EAP-AKA' encapsulates the AKA authentication inside an Extensible Authentication Protocol framework, enabling authentication over non-3GPP access networks (Wi-Fi, fixed broadband) where the EAP framework is already supported. Both achieve mutual authentication (the network proves its identity to the UE, and vice versa).
What is SUCI and why does it matter?
SUCI (Subscription Concealed Identifier) is a privacy enhancement in 5G. In 4G, the permanent subscriber identifier (IMSI) was sent in cleartext during initial attach, enabling IMSI catchers to track subscriber movements. In 5G, the SUPI (permanent identifier) is encrypted by the USIM into a SUCI before transmission over the air interface. Only the Home Network's UDM/SIDF can decrypt the SUCI to recover the SUPI, preventing eavesdroppers from identifying subscribers.
Can the AUSF be deployed by a third party?
The AUSF is a Home Network function — it must be deployed by the subscriber's home mobile operator, not by the visited network. In roaming scenarios, the visited network's AMF communicates with the home network's AUSF via the Security Edge Protection Proxy (SEPP) to authenticate the subscriber. This architecture ensures that the subscriber's secret key never leaves the home network, maintaining security even when roaming on untrusted visited networks.