An Enhanced Application Authentication and Key Management in 5G

AKMA (Application Authentication and Key Management) is a mechanism by which 3GPP (3rd Generation Partnership Project) opens the security capabilities of 5G (5th generation wireless systems) to third-party applications. At present, 3GPP has finalized the publication of the AKMA specifications in Release 16 and is developing AKMA phase 2 in Release 18. At the current stage, it is recommended to conduct enhancement research on AKMA to solve some of its security problems. This paper first briefly describes and analyzes the principles and technological development of the two mainstream application authentication technologies, GBA (Generic Bootstrapping Architecture) and AKMA, and analyzes the advantages and limitations of both. Secondly, we analyze the signaling loss caused by independent AKMA procedures run by different application servers in the same trust domain, and the security risk caused by AKMA users' long-term use of the same application key. Finally, this paper proposes solutions to the AKMA performance and security problems from the perspective of security, universality, and performance impact.


Introduction
Security is an important component of the interaction between users and application servers. In many current businesses, the authentication between users and application servers is mostly limited to the mutual authentication and authorization of both parties. This level of security and universality is relatively low. With the development of mobile communication networks, both operators and users need reliable authentication mechanisms to ensure the legitimate use of services. To ensure the security of business applications, 3GPP TSG SA WG3 (SA3) proposes a third-party authorization method in the mobile communication network standard. This method opens 5G security capabilities, such as authentication and authorization, to applications. After the trust relationship between the application server and the operator is established, users are allowed to access 5G and also obtain the key to access the application [1]. Therefore, it can be used not only for current services but also for future new data services.
However, there are currently some issues with the two mainstream application authentication and key management methods in 5G, GBA and AKMA. Khan et al. analyzed the security and privacy issues of the AKMA key update process in "AKMA: Delegated Authentication System of 5G" [2]. Huang et al. pointed out the limitations of GBA and AKMA but did not provide a solution [3].
This paper is divided into four parts. In the first section, we briefly describe the working principle and functions of the GBA and AKMA application authentication technologies. In the same section, we also compare GBA and AKMA and analyze their development, advantages, and disadvantages

GBA
With the development of many services, operators and users need reliable security mechanisms to ensure the legitimate use of services. In the early 3G (3rd Generation) and LTE (Long-Term Evolution) mobile communication networks, 3GPP proposed the concept of GBA authorization authentication. It is mainly used to protect the security of commercial applications [6]. At present, 3GPP is also promoting research on the application of GBA to 5G. GBA is a universal authentication architecture based on a shared key, which describes how to use the AKA (Authentication and Key Agreement) mechanism to provide a shared key between the UE (User Equipment) and the NAF (Network Application Function) [7].
GBA introduces a new logical functional entity, the BSF (Bootstrapping Server Function), into the original network architecture. It obtains user security information and authentication information from the HSS (Home Subscriber Server) through the Zh interface. Then the BSF and UE perform two-way authentication and negotiate the session key KS. When the UE interacts with the NAF, the NAF first obtains KS from the BSF through the Zn interface and derives the application-specific key KS_NAF from the shared key KS. Finally, the UE and NAF each hold KS_NAF for protecting the reference point Ua [8], as shown in Figure 1. Although GBA solves the application security problem, it requires multiple interactions between the UE and the network to complete authentication and key negotiation. This places high demands on the UE's computing power and is not suitable for devices with limited computing power in IoT scenarios.

AKMA
For Internet of Things scenarios where node devices have limited computing power and need high efficiency, 3GPP proposed the AKMA technical report TR 33.835 in 2018 [9]. AKMA was originally designed as an enhancement of GBA. It mainly reuses the authentication results of 5G AKA to provide fast and efficient authentication and key management services for the application layer, realizing secure and efficient communication between the UE and application servers.
The AKMA technology specification TS 33.535 [10] introduces a new logical function, the AAnF (AKMA Anchor Function), into the 5GC architecture, located in the HPLMN. If the UE subscribes to the AKMA service, then after the primary authentication between the UE and the HPLMN succeeds, the UE and AUSF derive KAKMA (AKMA key) and A-KID (AKMA key identifier) from KAUSF. The AAnF then obtains A-KID and KAKMA from the AUSF and generates KAFs for specific applications. The AAnF sends KAF to the corresponding AF (application function) for secure communication between the UE and the AF. The AF can be internal or external to the operator; if it is outside the operator, it interacts with the internal AAnF through the NEF, as shown in Figure 2 [11,12].

Figure 2. AKMA architecture

This paper analyzes the advantages and limitations of GBA and AKMA and summarizes them in Table 1 [13]. AKMA makes up for GBA's complex process and signaling loss: it realizes the application authentication and key management architecture and procedures with a simplified process that is lightweight and adaptable to a variety of IoT scenarios. However, AKMA still has problems such as imperfect key refresh, and 3GPP SA3 is developing AKMA phase 2 in Release 18 to address them:
• KAF that is not refreshed for a long time is easy to leak;
• KAF refresh needs to trigger 5G primary authentication, which is easy to bring unknown risks.

Problems of AKMA Technology to Be Improved
Although AKMA has been widely accepted, some problems remain to be improved, and the 3GPP standard organization is actively researching and improving the technology. TS 33.535 stipulates that KAF can only be refreshed after the UE successfully runs primary authentication again. Using the same application key for a long time is likely to cause privacy problems such as application key disclosure. At present, 3GPP SA3 has set up the TR 33.737 [14] research project to conduct AKMA enhancement research. One of its main issues is the signaling loss caused by the independent acquisition of application keys by different application servers in the same trust domain. Next, we briefly analyze these two issues; corresponding solutions are proposed in the following chapters.

AKMA Application Key Refresh
The key derivation structure of AKMA is specified in 3GPP TS 33.535. After primary authentication succeeds, the UE and AUSF each derive KAUSF. The UE and AUSF then derive KAKMA and A-KID (AKMA key identifier) from KAUSF using the key derivation function (KDF). The UE and AAnF each derive KAF from KAKMA and generate the lifetime of KAF [15], as shown in Figure 3. KAF is computed as KAF = KDF(KAKMA, AF_ID), where AF_ID is included so that different application servers obtain different KAFs. When the KAF lifetime expires, KAF can only be regenerated from the same KAKMA, and a new KAF cannot be generated. Long-term use of the same application key and key identifier seriously affects security.
Figure 3. AKMA key hierarchy

Therefore, in 3GPP Release 18 it is proposed to refresh all keys by triggering 5G primary authentication when KAF expires. That is, when 5G primary authentication is triggered and succeeds, new KAUSF and KAKMA are derived, and after KAF expires a new KAF is derived from the new KAKMA. However, updating KAF in this way is very inefficient, and triggering 5G primary authentication may also bring other security risks. In the industrial Internet, the Internet of Things, and other scenarios, UEs usually do not retrigger primary authentication and use data encrypted with the same KAF for a long time, which poses a risk of key disclosure.

AKMA process of different servers in the same trust domain
Different applications in the same trust domain or on the same edge node have the same security level and trust each other. The current AKMA technical standards do not consider how different application servers within the same trust domain or edge node execute the AKMA process. As a result, each application server in the same trust domain or edge node performs the AKMA procedure separately to obtain its AKMA application key. 3GPP technical report TR 33.737 also points out that this causes the AAnF to generate AKMA application keys for different servers in the same trust domain many times, consuming resources. 3GPP technical report TR 33.74 [16] states that the AKMA-related keys are refreshed by triggering primary authentication. Similarly, multiple application services in the same trust domain or edge node need to separately trigger primary authentication to refresh KAF, which leads to serious consumption of signaling resources, as shown in Figure 4.

The problem that AKMA application keys cannot be refreshed promptly was discussed in the previous chapter. This chapter designs an enhanced AKMA architecture that introduces authentication proxies on top of the original AKMA architecture, and then proposes a key refresh method for AKMA applications. This enhancement not only solves the signaling loss caused by independent AKMA processes of different servers in the same trust domain but also realizes AKMA application key refresh without triggering 5G primary authentication.

Enhanced AKMA Architecture
The enhanced AKMA architecture places an Authentication Proxy (AP) in each trust domain or edge node. The AP interfaces with the AAnF in the 5GC to obtain the AKMA intermediate key. The application servers in each trust domain or edge node connect to the AP, and the AP derives a specific application key for each application server from the obtained AKMA intermediate key. In this way, different application services located in the same trust domain or edge node do not need to interface with the 5GC and run the AKMA procedure themselves to obtain application keys. The enhanced AKMA architecture is shown in Figure 5.

Enhanced AKMA Key Hierarchy
The key hierarchy of the enhanced AKMA architecture has four layers of keys, as shown in Figure 6. After the primary authentication specified in TS 33.501 [17], the UE and UDM derive KAUSF using the KDF. Then the UE and AUSF derive KAKMA and A-KID from KAUSF. Subsequently, the UE and AAnF derive KAP from KAKMA, AP-ID, and other information. Finally, the UE and AP derive KAS from information such as the AS's FQDN and generate the lifetime of KAS. The AP sends KAS to the different ASs in the trust domain for secure communication with the UE. The enhanced AKMA key derivation process is shown in Figure 7. When the UE reconnects to 5G and performs 5G primary authentication again, all keys are rekeyed by the successful primary authentication.

Enhanced AKMA Key Refresh Method
When the lifetime of KAS expires or KAS is lost, the UE can apply to the AP for a KAS refresh.
The AP refreshes KAS from KAP and the KAS refresh parameters. After the AP has refreshed KAS, it triggers the UE to refresh KAS in the same way. During this process, the AP encrypts the KAS refresh parameters with the intermediate key KAP and sends the encrypted parameters to the UE, so that the key refresh is protected. The KAS refresh parameters in this paper can be either time source information or random numbers. This application key refresh method does not need to trigger 5G primary authentication, saving signaling resources and improving the efficiency of AKMA.
Figure 8 shows the "KAS refresh" procedure.

Conclusions
The development of AKMA technology needs to solve both performance and security problems. Introducing the AP into the AKMA-enhanced architecture avoids the signaling loss caused by multiple independent AKMA procedures executed by different application servers in the same trust domain or edge node. The AKMA-enhanced architecture proposed in this paper also brings great benefits to the development of AKMA in edge computing platforms. At the same time, the new AKMA key hierarchy and key refresh method proposed in this paper, which add the intermediate key KAP, enable application servers in the same trust domain to independently and securely refresh their application keys. This not only removes the risk of key leakage caused by long-term use of the same application key but also avoids the performance loss caused by actively triggering primary authentication to refresh keys. The development of AKMA also needs to consider interconnection and interworking; for AKMA to develop further, AKMA roaming still needs to be studied.

Figure 4. AKMA process of different servers in the same trust domain

Table 1. GBA and AKMA technical analysis

Figure 8. KAS refresh procedure:
1. The UE sends an application session establishment request containing the AS-KID to the AS;
2. The AS retrieves KAS based on the AS-KID; if KAS has expired or is lost, the following steps are performed;
3. The AS sends a KAS refresh request to the AP to request a new KAS (KAS');
4. The AP derives KAS' and AS-KID' from KAP and the KAS refresh parameters, which can be time source information or random numbers;
5. The AP sends a KAS refresh response to the AS with AS-KID', KAS', and the KAS' expiration time;
6. The AP encrypts the KAS refresh parameters with KAP;
7. The encrypted KAS refresh parameters are passed to the AS and carried to the UE within the application session establishment procedure;
8. The UE decrypts the KAS refresh parameters with KAP;
9. The UE derives KAS' and AS-KID' from KAP and the KAS refresh parameters;
10. The AS sends the application session establishment response to the UE.

In a word, this paper analyzes the origin of AKMA technology and the latest research progress on AKMA. The potential security threats of AKMA are analyzed according to the relevant recommendations that have been decided and are being discussed by 3GPP. Based on the research status and existing security threats of AKMA, this paper analyzes the new requirements of AKMA, designs the AKMA enhancement architecture and key hierarchy, and draws the following conclusions.
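As an added illustration (not code from the paper or from 3GPP), the Python model below walks the enhanced key hierarchy of Figure 6 (KAUSF to KAKMA to KAP to KAS) and steps 3 to 9 of the KAS refresh procedure in Figure 8. It assumes HMAC-SHA256 as a stand-in for the 3GPP KDF, an HMAC-based encrypt-then-MAC as a stand-in for the cipher the paper leaves unspecified for protecting the refresh parameters, and constructed identities and keys throughout.

```python
"""Enhanced AKMA key hierarchy and KAS refresh (illustrative model, not 3GPP code)."""
import hmac, hashlib, secrets

def kdf(key: bytes, *inputs: bytes) -> bytes:
    # HMAC-SHA256 stands in for the 3GPP KDF; inputs are length-prefixed so they cannot collide.
    msg = b"".join(len(x).to_bytes(2, "big") + x for x in inputs)
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_akma(k_ausf: bytes, supi: bytes):
    """UE/AUSF: KAKMA and A-KID from KAUSF, the layer AKMA and enhanced AKMA share."""
    return kdf(k_ausf, b"AKMA", supi), kdf(k_ausf, b"A-KID", supi)[:8].hex()

def derive_kap(k_akma: bytes, ap_id: bytes) -> bytes:
    """UE/AAnF: the new intermediate key KAP, bound to the proxy identity AP-ID."""
    return kdf(k_akma, b"KAP", ap_id)

def derive_kas(k_ap: bytes, as_fqdn: bytes, refresh_param: bytes):
    """UE/AP: per-server KAS and AS-KID from KAP, the AS FQDN and the refresh parameters."""
    return (kdf(k_ap, b"KAS", as_fqdn, refresh_param),
            kdf(k_ap, b"AS-KID", as_fqdn, refresh_param)[:8].hex())

def protect(k_ap: bytes, params: bytes) -> bytes:
    """AP, step 6: encrypt-then-MAC of the refresh parameters under KAP (params <= 32 bytes)."""
    iv = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(params, kdf(k_ap, b"enc", iv)))
    return iv + ct + kdf(k_ap, b"mac", iv, ct)

def unprotect(k_ap: bytes, blob: bytes) -> bytes:
    """UE, step 8: check the MAC before using the parameters, then decrypt."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, kdf(k_ap, b"mac", iv, ct)):
        raise ValueError("KAS refresh parameters failed integrity check")
    return bytes(c ^ s for c, s in zip(ct, kdf(k_ap, b"enc", iv)))

def kas_refresh(k_ap_ap: bytes, k_ap_ue: bytes, as_fqdn: bytes) -> dict:
    """Steps 3-9 of Figure 8: only KAP is used; KAKMA, KAUSF and primary authentication are untouched."""
    params = secrets.token_bytes(16)                        # random-number variant of the refresh parameters
    kas_ap, kid_ap = derive_kas(k_ap_ap, as_fqdn, params)   # step 4, AP side
    blob = protect(k_ap_ap, params)                         # steps 6-7, sent to the UE via the AS
    kas_ue, kid_ue = derive_kas(k_ap_ue, as_fqdn, unprotect(k_ap_ue, blob))  # steps 8-9, UE side
    return {"kas_ap": kas_ap, "kas_ue": kas_ue, "as_kid_ap": kid_ap, "as_kid_ue": kid_ue}

def demo():
    """Constructed inputs: an all-zero KAUSF standing in for the result of a prior primary authentication."""
    k_ausf, supi, ap_id, fqdn = bytes(32), b"imsi-001010123456789", b"ap.edge1.example", b"as1.example"
    k_akma, _ = derive_akma(k_ausf, supi)
    k_ap = derive_kap(k_akma, ap_id)                 # shared by UE and AP, never given to any AS
    kas0, kid0 = derive_kas(k_ap, fqdn, b"initial")
    return kas0, kid0, kas_refresh(k_ap, k_ap, fqdn)
```

Running demo() shows the UE and AP arriving at the same KAS' and AS-KID' from a fresh random parameter while KAP, KAKMA and KAUSF stay fixed, which is the property the refresh method relies on.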