Page 503 - 5G Basics - Core Network Aspects
[Figure 8 (diagram): entities UE, AM-FE 1, AM-FE 2, AM-FE 3, TAA-FE 1, TAA-FE 2, Home TAA-FE, AAA client and AAA server. Case 1: full authentication and authorization via AM-FE 1; the authentication result is returned and the DSRK configured; TAA-FE 1 derives DS-rRK for the local domain and an rMSK. Case 2: UE moves within the same local domain to AM-FE 2; TAA-FE 1 derives an rMSK for the new location from DS-rRK. Case 3: UE moves to a different domain via AM-FE 3; TAA-FE 2 requests a DSRK, derives DS-rRK for the new domain and an rMSK.]
Figure 8 – Information flow for pre-authentication
The first time the UE attaches to the network, it performs the full authentication process. In order to improve handover performance with lower authentication latency, fast authentication and/or re-authentication is needed for subsequent attachments. That means that when a mobile user hands over from the serving AM-FE to the target AM-FE, the TAA-FE receives the user authentication request from the target AM-FE and derives an authentication key for it; the user is then authenticated based on that key. If the TAA-FE identifies that the serving AM-FE and target AM-FE belong to different security domains (i.e., are controlled by different local TAA-FEs), the TAA-FE requests a domain-specific root key (DSRK) from the AAA server for the new security domain, providing appropriate parameters such as domain name and sequence number in the request, depending on the authentication algorithm. The AAA server uses the handover root key generated in the original full authentication and the received domain-related parameters to generate a DSRK for the local domain. This is shown in the first and third cases of Figure 8. Note that in the case of split mode it may be necessary to carry out this process twice: once for the keying material related to network access authentication and a second time for the keying material related to mobility service authentication.
If the UE moves within a local security domain, e.g., the UE just moves to a different access link, the TAA-FE in the local domain may re-authenticate the UE in a single round trip. In this case the target AM-FE shares the handover root key with the serving AM-FE and only the session key needs to be re-negotiated. The TAA-FE may use this root key to authenticate the user. This is shown in the second case of Figure 8.
The pre-authentication process may include generation of keying material for protection of user plane traffic
between the UE and the EN-FE, if such protection is required by the user profile.
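The key hierarchy described above (handover root key at the AAA server, DSRK per security domain, DS-rRK held by the local TAA-FE, rMSK per attachment, and an optional user-plane key towards the EN-FE) can be replayed end to end. The following is an added example, not code from the ITU-T document: it simulates the three cases of Figure 8 and counts how many times the AAA server is contacted, which is the latency difference the text is about. The labelled HMAC-SHA256 derivation, the key labels, the domain names, the UE identity and the user-plane key step are assumptions of this example, not the formulas of any standard.

```python
import hashlib
import hmac
import os


def kdf(key: bytes, label: str, *context: bytes) -> bytes:
    """Labelled HMAC-SHA256 derivation used for every step of the hierarchy.

    Illustrative construction (an assumption of this example), not the exact
    formula of any standard. Each context field is length-prefixed so that
    ("ab", "c") and ("a", "bc") never yield the same key.
    """
    mac = hmac.new(key, label.encode("ascii"), hashlib.sha256)
    for part in context:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


class AAAServer:
    """Home AAA server: keeps the handover root key from the full authentication."""

    def __init__(self) -> None:
        self.hrk: dict[str, bytes] = {}   # UE identity -> handover root key
        self.dsrk_requests = 0            # round trips to the home network

    def full_authentication(self, ue_id: str) -> None:
        # Case 1: the full authentication and authorization leaves a handover
        # root key at the AAA server (constructed here as random bytes).
        self.hrk[ue_id] = os.urandom(32)

    def request_dsrk(self, ue_id: str, domain: str, seq: int) -> bytes:
        # Cases 1 and 3: derive a domain-specific root key from the handover
        # root key plus the domain name and sequence number sent by the TAA-FE.
        self.dsrk_requests += 1
        return kdf(self.hrk[ue_id], "DSRK", domain.encode(), seq.to_bytes(4, "big"))


class LocalTAAFE:
    """TAA-FE controlling one security domain; caches DS-rRK per UE."""

    def __init__(self, domain: str, aaa: AAAServer) -> None:
        self.domain = domain
        self.aaa = aaa
        self.ds_rrk: dict[str, bytes] = {}  # UE identity -> DS-rRK for this domain
        self.seq: dict[str, int] = {}       # UE identity -> last rMSK sequence number

    def attach(self, ue_id: str) -> bytes:
        """Return the rMSK handed to the target AM-FE for this attachment."""
        if ue_id not in self.ds_rrk:
            # First visit to this domain: one round trip to the AAA server,
            # then derive the domain's re-authentication root key locally.
            dsrk = self.aaa.request_dsrk(ue_id, self.domain, seq=0)
            self.ds_rrk[ue_id] = kdf(dsrk, "DS-rRK", self.domain.encode())
            self.seq[ue_id] = 0
        # Case 2: the root key is shared by the AM-FEs of the domain, so only
        # the session key (rMSK) is renegotiated, with a fresh sequence number.
        self.seq[ue_id] += 1
        return kdf(self.ds_rrk[ue_id], "rMSK", ue_id.encode(),
                   self.seq[ue_id].to_bytes(4, "big"))


def user_plane_key(rmsk: bytes, en_fe_id: str) -> bytes:
    """Optional user-plane protection key between UE and EN-FE, bound to the EN-FE (assumed step)."""
    return kdf(rmsk, "UP", en_fe_id.encode())


def run_scenario() -> dict:
    """Replay the three cases of Figure 8 and report what each one cost."""
    aaa = AAAServer()
    taa_fe_1 = LocalTAAFE("domain-a.example", aaa)   # constructed domain names
    taa_fe_2 = LocalTAAFE("domain-b.example", aaa)
    ue = "ue-0001"                                    # constructed UE identity

    aaa.full_authentication(ue)
    rmsk_1 = taa_fe_1.attach(ue)        # case 1: AM-FE 1, first attach
    trips_1 = aaa.dsrk_requests
    rmsk_2 = taa_fe_1.attach(ue)        # case 2: AM-FE 2, same local domain
    trips_2 = aaa.dsrk_requests
    rmsk_3 = taa_fe_2.attach(ue)        # case 3: AM-FE 3, different domain
    trips_3 = aaa.dsrk_requests
    return {
        "aaa_trips": (trips_1, trips_2, trips_3),
        "rmsk": (rmsk_1, rmsk_2, rmsk_3),
        "ds_rrk_a": taa_fe_1.ds_rrk[ue],
        "ds_rrk_b": taa_fe_2.ds_rrk[ue],
        "up_key": user_plane_key(rmsk_3, "en-fe-3"),
    }


if __name__ == "__main__":
    r = run_scenario()
    print("AAA round trips after cases 1, 2, 3:", r["aaa_trips"])
    print("rMSK per attachment:", [k.hex()[:16] for k in r["rmsk"]])
```

Running it shows the AAA server is contacted once for case 1, not at all for the intra-domain move of case 2, and once more for case 3; every attachment still gets a distinct rMSK, and the DS-rRK of one domain is never usable in the other because the domain name is bound into the derivation.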