5G Standalone NAS Authentication and Security Procedure Explained

Understanding NAS Authentication and Security in 5G Standalone Access Registration

The 5G Standalone (SA) network runs on a fully native 5G Core (5GC), which brings its own authentication, encryption and mobility management procedures, independent of LTE/EPC. A key part of 5G SA registration is the NAS (Non-Access Stratum) Authentication and Security procedure, which establishes an authenticated, integrity-protected (and normally ciphered) NAS signalling connection between the User Equipment (UE) and the AMF. The gNB relays NAS messages but cannot read or alter them once protection is active; NAS security terminates in the AMF.

The accompanying call-flow diagram shows the detailed signalling exchange, from AMF selection and UE identification to the generation of security keys and activation of NAS protection. Let's break it down step by step.

Overview: Why NAS Authentication and Security Matter in 5G

Before a UE can tap into 5G services, the network has to:

Confirm the UE’s identity (authentication).

Set up encryption and integrity protection (security).

Generate keys to secure all future signaling and data exchanges.

The NAS layer, which operates between the UE and AMF, manages identity and authentication, while the AS (Access Stratum)—which sits between the UE and gNB—handles the radio-level security. Together, they make sure confidentiality, integrity, and authenticity are maintained throughout the 5G system.

AMF Selection and Initial Signaling

Once the RRC connection is established (as done in earlier steps of access registration), the gNB directs the UE’s NAS message to the right AMF in the 5G Core.

Step 11: AMF Selection

The gNB has to pick an AMF that can serve the UE. It cannot read the NAS Registration Request (the NAS-PDU is opaque to the RAN), so it relies on information it can actually see:

The 5G-S-TMSI or AMF Set ID the UE included in RRC Setup Complete (derived from its 5G-GUTI), if the UE has one,

The requested NSSAI (Network Slice Selection Assistance Information), also signalled in RRC Setup Complete,

The selected PLMN and the Tracking Area Identity (TAI) of the cell,

Operator policy (for example AMF load balancing or slice-specific AMF sets).

This way the request lands on an AMF that serves the UE's tracking area and requested slices and, where possible, on the AMF that already holds the UE's context.

Step 12: Allocate RAN UE NGAP ID

The gNB allocates a RAN UE NGAP ID, an identifier unique within the gNB that, together with the AMF UE NGAP ID the AMF assigns in its first downlink NGAP message, identifies this UE's logical NG signalling connection between the gNB and the AMF.

This ID is crucial for keeping track of the UE context during communication and mobility events.

Step 13: NGAP Initial UE Message

The gNB sends the UE’s NAS Registration Request over to the AMF using the NGAP (Next Generation Application Protocol) Initial UE Message.

This message includes:

RAN UE NGAP ID,

NAS-PDU: the Registration Request (5GS registration type, ngKSI, 5GS mobile identity, which is a 5G-GUTI if the UE has one and otherwise a SUCI, last visited TAI, UE security capability, requested NSSAI),

User location details,

RRC establishment cause,

5G-S-TMSI (the short form of the 5G-GUTI, if the UE supplied it in RRC Setup Complete),

AMF Set ID (if the UE supplied only that instead of a full 5G-S-TMSI).

Purpose: this hands the UE over from the RAN to the 5GC for registration and authentication. Note that at this point no NAS security exists for a fresh registration: the Registration Request is sent unprotected (a UE that still holds a valid 5G NAS security context integrity-protects it with that context). Everything in it, including the UE security capabilities, therefore has to be confirmed later once NAS protection is active.

NAS Identity Request and Response

When the AMF receives the Registration Request it first has to identify the UE. If the request carries a 5G-GUTI the AMF cannot resolve (for example one issued by an AMF it cannot reach), it asks the UE for its SUCI before starting authentication.

Step 14: NAS Identity Request

The AMF sends out a NAS Identity Request message to the UE through the gNB.

This message specifies:

Security header type,

Identity request message identity,

Identity type being requested: SUCI, 5G-GUTI, IMEI, 5G-S-TMSI, IMEISV or MAC address.

If the UE has not supplied a usable identity (no SUCI in the request and no resolvable 5G-GUTI), the AMF asks for the SUCI (Subscription Concealed Identifier). The SUCI is the SUPI (in most deployments an IMSI) with its subscriber-specific part, the MSIN, encrypted on the UE under the Home PLMN's public key (ECIES Profile A or B); the MCC, MNC and routing indicator stay in clear so the serving network can route the request to the right home network, and only the home network (UDM/SIDF) holds the private key needed to de-conceal it. TS 24.501 only permits an unprotected Identity Request to ask for the SUCI; requests for the IMEI/IMEISV must wait until NAS integrity protection is active.

Step 15: NAS Identity Response

The UE replies with a NAS Identity Response, which contains:

Security header type,

Identity response message identity,

Mobile identity (the SUCI).

Because the MSIN is concealed under the home network's public key, an observer on the signalling path learns only the home PLMN and routing indicator, never the permanent identity (SUPI). This closes the IMSI-catcher gap that LTE left open, with two caveats a practitioner should know: an operator that configures the null protection scheme sends the MSIN in clear, and a UE whose USIM has no home network public key provisioned falls back to the null scheme as well.
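To make the privacy property concrete, here is an added example (not code from the original article) that builds and parses the 5GS mobile identity IE carrying a SUCI as laid out in 3GPP TS 24.501 (9.11.3.4), for both the null scheme and ECIES Profile A. The IMSI, routing indicator and the dummy Profile A scheme output are constructed test values; the decoder returns exactly the fields an on-path observer can read.

```python
"""Encode and decode the 5GS mobile identity IE value part for a SUCI (TS 24.501, 9.11.3.4).

Added example, not taken from the original article or from any 3GPP reference code.
The byte layout follows TS 24.501; the sample IMSI 001010123456789 is a test-network
value constructed for the demo, and the Profile A scheme output is dummy bytes.
"""

SUPI_FORMAT_IMSI = 0b000
ID_TYPE_SUCI = 0b001
SCHEME_NAMES = {0: "null", 1: "Profile A (ECIES/X25519)", 2: "Profile B (ECIES/secp256r1)"}


def bcd_encode(digits: str) -> bytes:
    """Pack digits two per octet, first digit in the low nibble, 0xF as filler."""
    if len(digits) % 2:
        digits += "F"
    out = bytearray()
    for i in range(0, len(digits), 2):
        out.append((int(digits[i + 1], 16) << 4) | int(digits[i], 16))
    return bytes(out)


def bcd_decode(data: bytes) -> str:
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data).rstrip("F")


def encode_suci(mcc: str, mnc: str, routing_indicator: str, scheme_id: int,
                hn_key_id: int, scheme_output: bytes) -> bytes:
    """Value part (octet 4 onwards) of the IE for an IMSI-based SUCI.

    For the null scheme, scheme_output is the BCD-encoded MSIN; for Profile A/B it is
    the ECIES output (ephemeral public key || ciphertext || MAC tag).
    """
    if len(mcc) != 3 or len(mnc) not in (2, 3):
        raise ValueError("MCC must be 3 digits, MNC 2 or 3 digits")
    mnc3 = mnc if len(mnc) == 3 else mnc + "F"        # 2-digit MNC: digit 3 is filler
    ri = (routing_indicator + "FFFF")[:4]              # RI padded to 4 digits with 1111
    ie = bytearray()
    ie.append((SUPI_FORMAT_IMSI << 4) | ID_TYPE_SUCI)  # octet 4: SUPI format | type of identity
    ie.append((int(mcc[1]) << 4) | int(mcc[0]))        # MCC digit 2 | MCC digit 1
    ie.append((int(mnc3[2], 16) << 4) | int(mcc[2]))   # MNC digit 3 | MCC digit 3
    ie.append((int(mnc3[1]) << 4) | int(mnc3[0]))      # MNC digit 2 | MNC digit 1
    ie += bcd_encode(ri)                               # routing indicator, 2 octets
    ie.append(scheme_id & 0x0F)                        # protection scheme id
    ie.append(hn_key_id & 0xFF)                        # home network public key id
    ie += scheme_output
    return bytes(ie)


def decode_suci(ie: bytes) -> dict:
    """Parse what an on-path observer can see; the MSIN is recoverable only for the null scheme."""
    if len(ie) < 8 or (ie[0] & 0x07) != ID_TYPE_SUCI:
        raise ValueError("not a SUCI")
    if (ie[0] >> 4) & 0x07 != SUPI_FORMAT_IMSI:
        raise ValueError("only IMSI-format SUCI handled here")
    mcc = f"{ie[1] & 0x0F}{ie[1] >> 4}{ie[2] & 0x0F}"
    mnc = f"{ie[3] & 0x0F}{ie[3] >> 4}"
    if (ie[2] >> 4) != 0x0F:
        mnc += str(ie[2] >> 4)
    scheme_id = ie[6] & 0x0F
    output = ie[8:]
    return {
        "mcc": mcc,
        "mnc": mnc,
        "routing_indicator": bcd_decode(ie[4:6]),
        "scheme": SCHEME_NAMES.get(scheme_id, f"reserved({scheme_id})"),
        "hn_key_id": ie[7],
        # Privacy caveat: with the null scheme the MSIN is on the wire in clear, so the
        # SUPI is exposed; with Profile A/B the observer sees only opaque bytes.
        "msin": bcd_decode(output) if scheme_id == 0 else None,
        "scheme_output_len": len(output),
    }


def demo() -> dict:
    """Constructed example: IMSI 001010123456789 = MCC 001, MNC 01, MSIN 0123456789."""
    null_suci = encode_suci("001", "01", "0", 0, 0, bcd_encode("0123456789"))
    # Dummy Profile A output: 32-byte ephemeral X25519 key, 5-byte ciphertext, 8-byte MAC tag
    ecies_suci = encode_suci("001", "01", "0", 1, 0, b"\x11" * 32 + b"\x22" * 5 + b"\x33" * 8)
    return {"null": decode_suci(null_suci), "profile_a": decode_suci(ecies_suci),
            "null_hex": null_suci.hex()}


if __name__ == "__main__":
    for name, parsed in demo().items():
        print(name, parsed)
```

With the null scheme the decoder recovers the MSIN 0123456789 straight from the wire bytes; with Profile A it sees MCC 001, MNC 01, routing indicator 0 and 45 opaque bytes, which is the whole point of the scheme. The same parser is what you would run over an Identity Response captured on N2 to confirm an operator has not left the null scheme enabled.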

NAS Authentication Request and Response

After obtaining the UE's identity, the AMF starts mutual authentication. It requests an authentication vector from the AUSF (Nausf_UEAuthentication), which in turn asks the UDM; the UDM de-conceals the SUCI into the SUPI, selects the authentication method for that subscriber (5G-AKA or EAP-AKA') and generates the vector from the long-term key K that only the USIM and the home network (ARPF) hold.

Step 16: NAS Authentication Request

The AMF sends an Authentication Request message to the UE with:

ngKSI (NAS key set identifier),

RAND (a random challenge),

AUTN (an authentication token),

ABBA (Anti-Bidding-down Between Architectures parameter, currently 0x0000; it is bound into KAMF so the set of security features cannot later be downgraded).

Purpose: to let the UE authenticate the network first (AUTN carries a MAC over RAND, the sequence number SQN and the AMF field, computed with K) and then prove to the network that it holds the same K. Because RAND and AUTN are useless without K, they can safely be sent before any NAS protection exists.

Step 17: NAS Authentication Response

The USIM recovers SQN from AUTN, recomputes the MAC and compares it with the MAC in AUTN, and checks that SQN is fresh. If the MAC does not match, the UE answers with Authentication Failure (cause "MAC failure"); if SQN is out of range it answers "Synch failure" together with an AUTS token so the home network can resynchronise. Only when both checks pass does it compute RES from RAND and K, derive RES* (a KDF over CK, IK, the serving network name, RAND and RES) and send it in the NAS Authentication Response.

The binding to the serving network name is what stops a vector issued for one network from being replayed in another. With 5G-AKA the response is checked twice: the AMF hashes the received RES* and compares it with the HXRES* the AUSF gave it, then forwards RES* to the AUSF, which compares it with XRES* and confirms the result (the home network keeps final say). If either check fails, authentication fails and the AMF rejects the registration attempt.
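The exchange above, as an added example that is not part of the original article: a USIM, an AMF and a home network (AUSF/UDM) running 5G-AKA in Python. The RES*, HRES*/HXRES* derivations and the KDF follow TS 33.501 Annex A and TS 33.220; the f1..f5 functions are an HMAC-SHA-256 stand-in for MILENAGE (an assumption, so the example runs without an AES-based implementation), the SQN freshness policy is simplified to "strictly increasing", and the key K and serving network name are constructed. It exercises the failure modes described in the text: wrong K (MAC failure), replayed vector (synch failure) and a forged response caught by the AMF's HRES* check.

```python
"""5G-AKA between a USIM, an AMF and the home network (AUSF/UDM).

Added example, not code from the original article. RES*/HRES* follow TS 33.501
Annex A.4/A.5 with the TS 33.220 KDF; the USIM functions f1..f5 are an HMAC-SHA-256
stand-in for MILENAGE (assumption), SQN handling is simplified to "strictly
increasing", and K and the serving network name are constructed test values.
"""
import hashlib
import hmac
import secrets

SN_NAME = "5G:mnc001.mcc001.3gppnetwork.org"   # serving network name, test PLMN 001/01


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 B.2 KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(k: bytes, tag: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for MILENAGE f1..f5: NOT the real algorithm, just keyed and distinct."""
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]


def f1(k, rand, sqn, amf): return _f(k, b"f1", sqn + rand + amf, 8)  # MAC-A
def f2(k, rand): return _f(k, b"f2", rand, 8)                         # RES
def f3(k, rand): return _f(k, b"f3", rand, 16)                        # CK
def f4(k, rand): return _f(k, b"f4", rand, 16)                        # IK
def f5(k, rand): return _f(k, b"f5", rand, 6)                         # AK


def res_star(ck, ik, sn_name, rand, res) -> bytes:
    """A.4: 128 LSB of KDF(CK||IK, 0x6B, SN name, RAND, RES); binds RES to the serving network."""
    return kdf(ck + ik, 0x6B, sn_name.encode(), rand, res)[16:]


def hres_star(rand, rs) -> bytes:
    """A.5: 128 LSB of SHA-256(RAND || RES*); the value the AMF can check locally."""
    return hashlib.sha256(rand + rs).digest()[16:]


class HomeNetwork:
    """UDM/ARPF (holds K and SQN) plus AUSF (keeps XRES*, confirms RES*)."""

    def __init__(self, k: bytes, sqn: int = 1):
        self.k, self.sqn, self.xres_star = k, sqn, None

    def create_auth_vector(self, sn_name: str):
        rand = secrets.token_bytes(16)
        sqn = self.sqn.to_bytes(6, "big")
        self.sqn += 1
        amf = b"\x80\x00"                                    # AMF "separation bit" set for 5G
        autn = xor(sqn, f5(self.k, rand)) + amf + f1(self.k, rand, sqn, amf)
        self.xres_star = res_star(f3(self.k, rand), f4(self.k, rand), sn_name, rand, f2(self.k, rand))
        # The serving network only receives HXRES*, never XRES* itself.
        return rand, autn, hres_star(rand, self.xres_star)

    def confirm(self, rs: bytes) -> bool:
        return self.xres_star is not None and hmac.compare_digest(rs, self.xres_star)


class USIM:
    def __init__(self, k: bytes, last_sqn: int = 0):
        self.k, self.last_sqn = k, last_sqn

    def authenticate(self, sn_name: str, rand: bytes, autn: bytes):
        """Authenticate the network via AUTN first; only then answer with RES*."""
        sqn_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn = xor(sqn_ak, f5(self.k, rand))
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            return "MAC failure", None       # Authentication Failure, cause #20
        if int.from_bytes(sqn, "big") <= self.last_sqn:
            return "Synch failure", None     # cause #21 (a real UE also returns AUTS)
        self.last_sqn = int.from_bytes(sqn, "big")
        return "ok", res_star(f3(self.k, rand), f4(self.k, rand), sn_name, rand, f2(self.k, rand))


def run_authentication(home, usim, sn_name=SN_NAME, av=None, tamper=False):
    """AMF-side flow; returns (outcome, authentication vector) so a replay can be tested."""
    av = av or home.create_auth_vector(sn_name)            # Nausf_UEAuthentication_Authenticate
    rand, autn, hxres_star = av
    status, rs = usim.authenticate(sn_name, rand, autn)    # NAS Authentication Request/Response
    if status != "ok":
        return status, av
    if tamper:
        rs = bytes(16)                                     # forged Authentication Response
    if not hmac.compare_digest(hres_star(rand, rs), hxres_star):
        return "AMF reject", av                            # serving-network check failed
    return ("success" if home.confirm(rs) else "AUSF reject"), av


if __name__ == "__main__":
    k = bytes(range(16))                                   # constructed 128-bit subscriber key
    home, usim = HomeNetwork(k), USIM(k)
    print(run_authentication(home, usim)[0])               # success
    print(run_authentication(home, USIM(bytes(16)))[0])    # MAC failure (wrong K)
```

Note the asymmetry that makes 5G-AKA different from EPS-AKA: the AMF never holds XRES*, only its hash, so a compromised serving network cannot fabricate a successful authentication towards the home network.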

NAS Security Mode Command and Completion

Once authentication is a go, the next step is to set up the security algorithms for protecting the following NAS signaling.

Step 18: NAS Security Mode Command

The AMF sends a NAS Security Mode Command message to the UE to establish:

Selected NAS security algorithms (one ciphering algorithm, NEA0 to NEA3, and one integrity algorithm, NIA0 to NIA3),

Replayed UE security capabilities (a copy of what the UE sent in the unprotected Registration Request),

IMEISV request (optional, so the equipment identity is only ever sent protected),

ngKSI (identifying the new 5G NAS security context),

Additional 5G security parameters: ABBA, the selected EPS NAS algorithms where interworking with LTE is expected, and the Additional 5G security information IE carrying the horizontal derivation and retransmission-of-initial-NAS-message flags.

This message is essential: it fixes which algorithms protect NAS signalling from now on. The AMF integrity-protects it with the new KNASint (it is not ciphered), so the UE must first derive the keys for the context named by ngKSI and then verify the MAC. The replayed capabilities are the bidding-down defence: if they differ from what the UE actually sent, someone tampered with the unprotected Registration Request, and the UE answers with a Security Mode Reject.

Step 19: NAS Security Mode Complete

The UE confirms with a NAS Security Mode Complete, containing:

NAS message container (the complete initial Registration Request, re-sent under NAS protection so that any IEs the UE withheld from the cleartext message now reach the AMF),

IMEISV (if requested).

The Security Mode Complete is both ciphered and integrity protected and marks the end of the NAS security setup. From this point all NAS signalling between the UE and AMF is integrity protected and, unless the AMF selected NEA0, ciphered. NEA0 gives integrity protection only, leaving NAS content readable on the path, so it is normally used only where regulation prohibits ciphering.

Key Parameters in 5G NAS Authentication and Security

Parameter                Description
SUCI                     Subscription Concealed Identifier: the SUPI (IMSI) with its MSIN encrypted under the Home PLMN public key for privacy
ngKSI                    Key Set Identifier naming the 5G NAS security context
RAND / AUTN              Random challenge and authentication token used for mutual authentication
ABBA                     Anti-Bidding-down Between Architectures parameter, bound into KAMF so the security feature set cannot be downgraded
KAMF                     Anchor key for NAS security between the UE and the AMF, derived from KSEAF
NAS Security Algorithms  Ciphering (NEA0 to NEA3) and integrity (NIA0 to NIA3) algorithms applied to NAS messages

Relationship Between NAS and AS Security

While NAS protection runs between the UE and the AMF, AS (Access Stratum) security protects the UE-to-gNB link: RRC signalling and user-plane data, both at the PDCP layer.

The NAS procedure ensures that before AS security is activated, the UE and AMF already share an authenticated security context. From KAMF the AMF derives KgNB (using the uplink NAS COUNT, so every derivation is fresh) and hands it to the gNB in the NGAP Initial Context Setup Request; the gNB then derives KRRCint, KRRCenc, KUPint and KUPenc from KgNB and activates them with the RRC Security Mode Command. AS security is therefore only as strong as the NAS context it descends from.
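The Security Mode Command handling from steps 18 and 19 and the key hierarchy in this section, as one added example (not code from the original article): the UE-side checks on a Security Mode Command (replayed capabilities, algorithm selection, NIA0), then the derivations KSEAF to KAMF to KNASint/KNASenc and KAMF to KgNB to KRRCint/KRRCenc/KUPint/KUPenc following TS 33.501 Annex A (A.7, A.8, A.9) with the TS 33.220 KDF. KSEAF, the SUPI, the capability sets and the SMC contents are constructed test inputs; verifying the SMC's own NAS-MAC is left out because it needs the NIA algorithm itself (AES-CMAC for NIA2).

```python
"""NAS Security Mode Command checks and the 5G key hierarchy below K_SEAF.

Added example, not from the original article. Derivations follow TS 33.501 Annex A
(A.7 K_AMF, A.8 algorithm keys, A.9 K_gNB) using the TS 33.220 KDF. K_SEAF, SUPI,
the UE capability sets and the SMC contents are constructed test inputs.
"""
import hashlib
import hmac
import struct

# Algorithm type distinguishers, TS 33.501 Table A.8-1
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT, UP_ENC, UP_INT = 1, 2, 3, 4, 5, 6


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 B.2 KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def k_amf(k_seaf: bytes, supi: str, abba: bytes) -> bytes:
    """A.7: K_AMF = KDF(K_SEAF, 0x6D, SUPI, ABBA). Binding ABBA here is the anti-bidding-down."""
    return kdf(k_seaf, 0x6D, supi.encode(), abba)


def alg_key(parent: bytes, alg_type: int, alg_id: int) -> bytes:
    """A.8: 128 least significant bits of KDF(parent, 0x69, type distinguisher, algorithm id)."""
    return kdf(parent, 0x69, bytes([alg_type]), bytes([alg_id & 0x0F]))[16:]


def k_gnb(kamf: bytes, ul_nas_count: int, access_type: int = 1) -> bytes:
    """A.9: K_gNB = KDF(K_AMF, 0x6E, uplink NAS COUNT, access type); 0x01 = 3GPP access."""
    return kdf(kamf, 0x6E, struct.pack(">I", ul_nas_count), bytes([access_type]))


def ue_handle_smc(sent_caps: dict, smc: dict, k_seaf: bytes, supi: str):
    """UE side of the Security Mode Command: returns ("accept", keys) or ("reject", reason)."""
    # Bidding-down check: the replayed capabilities must equal what the UE put in its
    # unprotected Registration Request; a mismatch means someone edited that message.
    if smc["replayed_ue_caps"] != sent_caps:
        return "reject", "replayed UE security capabilities do not match"
    nia, nea = smc["selected_nia"], smc["selected_nea"]
    if nia not in sent_caps["nia"] or nea not in sent_caps["nea"]:
        return "reject", "selected algorithm not supported by the UE"
    # NIA0 (null integrity) is permitted only for unauthenticated emergency sessions.
    if nia == 0 and not smc.get("emergency", False):
        return "reject", "NIA0 selected outside an emergency session"
    kamf = k_amf(k_seaf, supi, smc["abba"])
    return "accept", {
        "K_AMF": kamf,
        "K_NASint": alg_key(kamf, NAS_INT, nia),
        "K_NASenc": alg_key(kamf, NAS_ENC, nea),
        "ciphered": nea != 0,   # NEA0: integrity protection only, NAS content in clear
    }


def derive_as_keys(kamf: bytes, ul_nas_count: int, nia: int, nea: int) -> dict:
    """K_gNB from K_AMF (AMF side), then the RRC/UP keys the gNB derives from K_gNB."""
    kgnb = k_gnb(kamf, ul_nas_count)
    return {
        "K_gNB": kgnb,
        "K_RRCint": alg_key(kgnb, RRC_INT, nia),
        "K_RRCenc": alg_key(kgnb, RRC_ENC, nea),
        "K_UPint": alg_key(kgnb, UP_INT, nia),
        "K_UPenc": alg_key(kgnb, UP_ENC, nea),
    }


# Constructed test inputs (not real network values)
K_SEAF = bytes(range(32))
SUPI = "001010123456789"              # IMSI-format SUPI on test PLMN 001/01
UE_CAPS = {"nea": {0, 1, 2}, "nia": {0, 1, 2}}
SMC_OK = {"replayed_ue_caps": UE_CAPS, "selected_nia": 2, "selected_nea": 2, "abba": b"\x00\x00"}
# An attacker that stripped NEA2/NIA2 from the Registration Request would make the AMF
# select weaker algorithms and replay the stripped capability set.
SMC_DOWNGRADED = dict(SMC_OK, replayed_ue_caps={"nea": {0}, "nia": {1}},
                      selected_nia=1, selected_nea=0)

if __name__ == "__main__":
    status, keys = ue_handle_smc(UE_CAPS, SMC_OK, K_SEAF, SUPI)
    print(status, keys["K_NASint"].hex())
    print(ue_handle_smc(UE_CAPS, SMC_DOWNGRADED, K_SEAF, SUPI))
    print(derive_as_keys(keys["K_AMF"], 0, 2, 2)["K_RRCint"].hex())
```

Two things worth noticing when reading the output: the NAS and AS integrity keys differ even though both are derived for NIA2, because the type distinguisher is part of the KDF input, and KgNB changes with every uplink NAS COUNT, which is what gives each AS context fresh keys without re-running authentication.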

Importance of NAS Security in 5G Networks

With the new NAS security in 5G SA, network resilience and user data protection take a significant leap.

Key benefits include:

NAS ciphering and integrity protection for signalling between the UE and the AMF, so the gNB and anything on the path cannot read or alter NAS messages once security is active.

Subscriber identity protection with SUCI.

Mutual authentication between UE and network, with the home network retaining the final decision.

Algorithm negotiation with bidding-down protection, so operators can deploy strong algorithms (NEA1 to NEA3, NIA1 to NIA3) and the UE can detect downgrade attempts.

A unified authentication framework (5G-AKA and EAP-AKA') covering both 3GPP and non-3GPP access.

All of these enhancements make 5G a more secure and privacy-focused system than older generations.

Conclusion

The NAS Authentication and Security Procedure is fundamental for the registration process in 5G Standalone. It ensures that only genuine users can access the network while also safeguarding every NAS message shared between the UE and AMF.

From AMF selection and identity verification to mutual authentication and key derivation, every step adds to the trust and integrity of the 5G ecosystem.

For those in telecom and network engineering, getting a grip on this procedure is vital—not just for troubleshooting registration issues but also for fine-tuning security setups that support the reliability of next-gen 5G networks.