# AUSF Research
Firstly, I'd like to learn about how AUSF works in order to optimize the protocol.
## What is AUSF?
**Authentication Server Function** is a major component of the 5G core network used to facilitate security processes. The AUSF authenticates UEs and stores authentication keys. The AUSF supports:
- Authentication request from access network
- Interaction with UDM for auth generate: 5G AKA only
- Storage of Kausf until removed by AMF or replaced
## The Need for Authentication
Authentication is the process of verifying the identity and authorization of a user or device that wants to access a network or service. Authentication is essential for ensuring the security and privacy of the network and its users, as well as preventing unauthorized access and fraud.
In 5G networks, authentication is performed by the AUSF (Authentication Server Function), which is a key component of the 5G core network that provides subscriber authentication and key management functions. The AUSF interacts with the AMF (Access and Mobility Management Function), the UDM (Unified Data Management), and the UE (User Equipment) to establish a secure connection between them.
## The Role of AUSF
The AUSF plays an important role in 5G networks by performing the following functions:
1. It acts as a proxy between the AMF in the visited network and the UDM in the home network for authentication purposes. The AMF is the termination point of the N2 interface and the NAS (Non-Access Stratum) protocol, which handles mobility and session management. The UDM is the entity that stores and manages the subscriber's security credentials and profile data.
1. It supports 5G AKA (Authentication and Key Agreement) as the only authentication method. 5G AKA is an enhanced version of EPS AKA (Evolved Packet System AKA) that provides stronger security features such as mutual authentication, confidentiality protection, replay protection, and binding of key freshness.
1. It requests authentication vectors from the UDM, which are sets of parameters that contain a random challenge, an expected response, and a session key. The authentication vectors are generated based on the subscriber's security credentials stored in the UDM/UDR (User Data Repository).
1. It selects one authentication vector and forwards it to the AMF, which sends an authentication challenge to the UE. The UE computes a response based on its own security credentials and sends it back to the AMF.
1. It verifies the response from the UE against the expected response stored in the authentication vector. If the verification is successful, it sends an authentication confirmation to the AMF, which then sends an authentication result to the UE.
1. It derives a key called Kausf from the authentication vector and stores it for future use. The AMF derives another key called Kamf from Kausf and uses it as a security anchor for subsequent NAS messages.
## The Impact of AUSF
The AUSF has a significant impact on 5G networks by providing several benefits such as:
1. It enhances the security and privacy of 5G networks by ensuring that only authorized users and devices can access them. It also prevents unauthorized access and fraud by verifying the identity and authorization of users and devices.
1. It supports seamless mobility and roaming across different networks by acting as a proxy between the AMF in the visited network and the UDM in the home network. It also supports interworking with EPS networks by providing EPS Bearer ID allocation for EPS sessions.
1. It enables efficient key management and distribution by deriving and storing Kausf for each authenticated user or device. It also provides Kausf and other parameters to the AMF for security context management.
## The Necessity of AUSF
The AUSF is a necessary component of 5G core network because without it, users and devices would not be able to authenticate themselves with 5G networks. Authentication is a prerequisite for accessing any network or service, especially for 5G networks that offer high-speed, low-latency, and massive connectivity. Without authentication, users and devices would not be able to establish a secure connection with 5G networks, which would compromise their security and privacy. Moreover, without authentication, users and devices would not be able to access other services or applications that require authentication, such as internet access, online banking, e-commerce, social media, etc. Therefore, without AUSF, users and devices would not be able to access 5G networks or any other services or applications that depend on them.
## Authentication Process of 5G
The authentication process between the UE and the 5G core network involves the following steps:
1. The UE initiates a registration request to the AMF (Access and Mobility Management Function), which is the termination point of the N2 interface and the NAS (Non-Access Stratum) protocol.
1. The AMF sends an authentication request to the AUSF, which acts as a proxy between the AMF and the UDM (Unified Data Management) for authentication purposes.
1. The AUSF requests authentication vectors from the UDM, which generates them based on the subscriber's security credentials stored in the UDM/UDR (User Data Repository).
1. The UDM sends the authentication vectors to the AUSF, which selects one and forwards it to the AMF.
1. The AMF sends an authentication challenge to the UE, which computes a response based on its own security credentials and sends it back to the AMF.
1. The AMF forwards the response to the AUSF, which verifies it against the expected response stored in the authentication vector.
1. If the verification is successful, the AUSF sends an authentication confirmation to the AMF, which then sends an authentication result to the UE.
1. The AUSF also derives a key called Kausf from the authentication vector and stores it for future use. The AMF derives another key called Kamf from Kausf and uses it as a security anchor for subsequent NAS messages.
:::info
Here I begin to question "**why don't AMF just communicate directly with UDM?**". After searching for a while,
One possible reason why we need a proxy from AMF to UDM is to support roaming scenarios. When a UE roams to a visited network, the AMF in the visited network needs to authenticate the UE with the UDM in the home network. However, the AMF may not know the address or identity of the UDM that manages the UE's subscription. Therefore, the AMF uses the AUSF as a proxy to communicate with the UDM. The AUSF can discover the UDM by querying the NRF in the home network. The AUSF can also cache the authentication vectors from the UDM and provide them to the AMF for subsequent authentication requests. This way, the AUSF reduces the signalling load and latency between the AMF and the UDM. Another possible reason why we need a proxy from AMF to UDM is to support different authentication methods. The AUSF is responsible for supporting 5G AKA as the only authentication method for 5G networks. However, the UDM may also support other authentication methods such as EAP-AKA' or EAP-TLS for interworking with EPS (Evolved Packet System) networks. Therefore, the AUSF acts as a proxy to translate between different authentication methods and protocols used by the AMF and the UDM. This way, the AUSF enables seamless interworking and migration between 5G and EPS networks.
:::
## Security Context Management
The security context management is a function of the AMF that receives a key from the AUSF and uses it to derive access-network specific keys These keys are used for ciphering and integrity protection of user plane and control plane data between the UE and the gNB.
The security context management involves the following steps:
1. The AMF requests security context data from the AUSF, which provides Kausf and other parameters such as algorithm identifiers and sequence numbers.
1. The AMF derives Kamf from Kausf and other parameters such as serving network name and access type.
1. The AMF derives Knasenc and Knasint from Kamf and uses them for NAS ciphering and integrity protection respectively.
1. The AMF derives Kgnb from Kamf and sends it to the gNB along with other parameters such as algorithm identifiers and sequence numbers.
1. The gNB derives Kupenc and Kcpenc from Kgnb and uses them for user plane ciphering and control plane ciphering respectively.
1. The gNB derives Kcpint from Kgnb and uses it for control plane integrity protection.
:::info
Note:
## Kamf
Kamf stands for **Key for AMF**. It is a key derived from Kausf by the UE and the AMF (Access and Mobility Management Function) during the authentication process. Kamf is used as a security anchor for subsequent NAS (Non-Access Stratum) messages between the UE and the AMF. Kamf is also used to derive other keys for NAS and MM (Mobility Management) protection.
## Kausf
Kausf stands for **Key for AUSF**. It is a key derived from the authentication vector by the AUSF (Authentication Server Function) and the UE during the authentication process. Kausf is stored by the AUSF and provided to the AMF for security context management. Kausf is also used to derive Kamf by the UE and the AMF.
## Knasenc
Knasenc stands for **Key for NAS encryption**. It is a key derived from Kamf by the UE and the AMF after the authentication process. Knasenc is used to encrypt and decrypt NAS messages between the UE and the AMF using a specific encryption algorithm.
## Knasint
Knasint stands for **Key for NAS integrity**. It is a key derived from Kamf by the UE and the AMF after the authentication process. Knasint is used to protect and verify the integrity of NAS messages between the UE and the AMF using a specific integrity algorithm.
## Kgnb
Kgnb stands for **Key for gNB**. It is a key derived from Kamf by the UE and the AMF after the authentication process. Kgnb is sent by the AMF to the gNB along with other parameters such as algorithm identifiers and sequence numbers. Kgnb is used to derive other keys for user plane and control plane protection between the UE and the gNB.
## Kupenc
Kupenc stands for **Key for user plane encryption**. It is a key derived from Kgnb by the UE and the gNB after receiving Kgnb from the AMF. Kupenc is used to encrypt and decrypt user plane data between the UE and the gNB using a specific encryption algorithm.
## Kcpenc
Kcpenc stands for **Key for control plane encryption**. It is a key derived from Kgnb by the UE and the gNB after receiving Kgnb from the AMF. Kcpenc is used to encrypt and decrypt control plane data between the UE and the gNB using a specific encryption algorithm.
:::
## Analyzing AUSF.log from free5gc
I add numbers to the logs for easier inspection:
```txt!
1. time="2023-04-23T18:46:01-07:00" level=info msg="config version [1.0.2]" category=CFG component=AUSF
2. time="2023-04-23T18:46:01-07:00" level=info msg="AUSF Log level is set to [info] level" category=Init component=AUSF
3. time="2023-04-23T18:46:01-07:00" level=info msg=ausf category=App component=AUSF
4. time="2023-04-23T18:46:01-07:00" level=info msg="AUSF version: \n\tfree5GC version: v3.2.1\n\tbuild time: 2023-03-29T07:23:09Z\n\tcommit hash: ee6a571a\n\tcommit time: 2022-05-02T15:25:07Z\n\tgo version: go1.17.8 linux/amd64" category=App component=AUSF
5. time="2023-04-23T18:46:01-07:00" level=info msg="Server started" category=Init component=AUSF
6. time="2023-04-23T18:46:01-07:00" level=info msg="ausfconfig Info: Version[1.0.2] Description[AUSF initial local configuration]\n" category=Init component=AUSF
7. time="2023-04-23T18:46:01-07:00" level=error msg="AUSF register to NRF Error[Put \"http://127.0.0.10:8000/nnrf-nfm/v1/nf-instances/e2072d86-a5cd-43cb-95c1-6837ef93d98a\": dial tcp 127.0.0.10:8000: connect: connection refused]" category=Consumer component=AUSF
8. time="2023-04-23T19:02:17-07:00" level=info msg=HandleUeAuthPostRequest category=UeAuthPost component=AUSF
9. time="2023-04-23T19:02:17-07:00" level=info msg="Serving network authorized" category=UeAuthPost component=AUSF
10. time="2023-04-23T19:02:17-07:00" level=info msg="Add SuciSupiPair (suci-0-208-93-0000-0-0-0000000003, imsi-208930000000003) to map.\n" category=UeAuthPost component=AUSF
11. time="2023-04-23T19:02:17-07:00" level=info msg="Use 5G AKA auth method" category=UeAuthPost component=AUSF
12. time="2023-04-23T19:02:17-07:00" level=info msg="XresStar = 3339323131626234633131616232373237633331303464376566636231353438\n" category=5gAkaAuth component=AUSF
13. time="2023-04-23T19:02:17-07:00" level=info msg="| 201 | 127.0.0.1 | POST | /nausf-auth/v1/ue-authentications | " category=GIN component=AUSF
14. time="2023-04-23T19:02:17-07:00" level=info msg=Auth5gAkaComfirmRequest category=5gAkaAuth component=AUSF
15. time="2023-04-23T19:02:17-07:00" level=info msg="res*: 3339323131626234633131616232373237633331303464376566636231353438\nXres*: 3339323131626234633131616232373237633331303464376566636231353438\n" category=5gAkaAuth component=AUSF
16. time="2023-04-23T19:02:17-07:00" level=info msg="5G AKA confirmation succeeded" category=5gAkaAuth component=AUSF
17. time="2023-04-23T19:02:17-07:00" level=info msg="| 200 | 127.0.0.1 | PUT | /nausf-auth/v1/ue-authentications/suci-0-208-93-0000-0-0-0000000003/5g-aka-confirmation | " category=GIN component=AUSF
18. time="2023-04-23T19:05:35-07:00" level=info msg="Terminating AUSF..." category=Init component=AUSF
19. time="2023-04-23T19:05:35-07:00" level=info msg="Send Deregister NFInstance" category=App component=AUSF
20. time="2023-04-23T19:05:36-07:00" level=info msg="Deregister from NRF successfully" category=Init component=AUSF
21. time="2023-04-23T19:05:36-07:00" level=info msg="AUSF terminated" category=Init component=AUSF
```
* Lines 1-3: The AUSF component initializes, reporting the configuration version (1.0.2) and logging level (info).
* Line 4: AUSF provides version, build time, commit hash, and other details about the free5GC software.
* Line 5: AUSF server has started and is ready to process requests.
* Line 6: AUSF reports its configuration information, including version (1.0.2) and description (initial local configuration).
* Line 7: AUSF tries to register with the NRF, but there is an error due to connection refusal. This indicates a problem with the connection between AUSF and NRF.
* Line 8: AUSF starts handling the UE Authentication POST request.
* Line 9: The network serving the UE is authorized.
* Line 10: AUSF adds a SuciSupiPair, which is a mapping between the SUPI (Subscription Permanent Identifier) and SUCI (Subscription Concealed Identifier), to its internal data structure.
* Line 11: AUSF selects the 5G-AKA authentication method for the current UE Authentication request.
* Line 12: AUSF generates XresStar, which is an expected response token used in the 5G-AKA authentication process.
* Line 13: AUSF logs the HTTP response status (201) and details for the UE Authentication POST request.
* Line 14: AUSF starts handling the 5G-AKA confirmation request by checking the received resStar against the expected XresStar.
* Line 15: AUSF logs the received resStar and the expected XresStar values, which are the same in this case, indicating successful 5G-AKA authentication.
* Line 16: AUSF confirms the successful 5G-AKA authentication and logs the HTTP response status (200) and details for the 5G-AKA confirmation PUT request.
* Line 17: AUSF logs the HTTP response status (200) and details for the 5G-AKA confirmation PUT request, indicating a successful authentication confirmation.
* Line 18: AUSF logs the termination of its process.
* Line 19: AUSF sends a deregistration request for the NFInstance (Network Function Instance) to the NRF (Network Repository Function).
* Line 20: AUSF logs the successful deregistration from the NRF.
* Line 21: AUSF logs the termination of its process.
## AUSF free5gc Code Analysis
I add comments for each important line in the main.go code for AUSF.
```go
/*
*
* AUSF Service
*
* API version: 1.0.0
* Generated by: OpenAPI Generator (https://openapi-generator.tech)
*/
// This is the main entry point for a 5G Authentication Server Function (AUSF) service.
package main
// Importing required packages for the AUSF service.
import (
"fmt"
"os"
"path/filepath"
"runtime/debug"
"github.com/asaskevich/govalidator"
"github.com/urfave/cli"
"github.com/free5gc/ausf/internal/logger"
"github.com/free5gc/ausf/internal/util"
"github.com/free5gc/ausf/pkg/service"
"github.com/free5gc/util/version"
)
// AUSF variable holds an instance of the AUSF service.
var AUSF = &service.AUSF{}
// main function sets up the command line interface and runs the AUSF service.
func main() {
// Recover from panic and log the stack trace.
defer func() {
if p := recover(); p != nil {
// Print stack for panic to log. Fatalf() will let program exit.
logger.AppLog.Fatalf("panic: %v\n%s", p, string(debug.Stack()))
}
}()
// Setting up CLI for the AUSF service.
app := cli.NewApp()
app.Name = "ausf"
app.Usage = "5G Authentication Server Function (AUSF)"
app.Action = action
app.Flags = AUSF.GetCliCmd()
// Running the CLI with command line arguments.
if err := app.Run(os.Args); err != nil {
logger.AppLog.Errorf("AUSF Run error: %v\n", err)
}
}
// action function initializes log files, sets up the AUSF service, and starts it.
func action(c *cli.Context) error {
// Initialize log files.
if err := initLogFile(c.String("log"), c.String("log5gc")); err != nil {
// Log any errors that occur during log file initialization.
logger.AppLog.Errorf("%+v", err)
return err
}
// Initialize the AUSF service with the provided CLI context.
if err := AUSF.Initialize(c); err != nil {
// Log any errors that occur during AUSF initialization.
switch errType := err.(type) {
case govalidator.Errors:
validErrs := err.(govalidator.Errors).Errors()
for _, validErr := range validErrs {
logger.CfgLog.Errorf("%+v", validErr)
}
default:
logger.CfgLog.Errorf("%+v", errType)
}
logger.CfgLog.Errorf("[-- PLEASE REFER TO SAMPLE CONFIG FILE COMMENTS --]")
return fmt.Errorf("Failed to initialize !!")
}
// Log the AUSF service name and version.
logger.AppLog.Infoln(c.App.Name)
logger.AppLog.Infoln("AUSF version: ", version.GetVersion())
// Start the AUSF service.
AUSF.Start()
return nil
}
// initLogFile function sets up log file directories and paths for the AUSF service.
func initLogFile(logNfPath, log5gcPath string) error {
// Set the default key log path.
AUSF.KeyLogPath = util.AusfDefaultKeyLogPath
// Hook log files.
if err := logger.LogFileHook(logNfPath, log5gcPath); err != nil {
return err
}
// Create directories for log files and set the key log path.
if logNfPath != "" {
nfDir, _ := filepath.Split(logNfPath)
tmpDir := filepath.Join(nfDir, "key")
if err := os.MkdirAll(tmpDir, 0775); err != nil {
logger.InitLog.Errorf("Make directory %s failed: %+v", tmpDir, err)
return err
}
_, name := filepath.Split(util.AusfDefaultKeyLogPath)
AUSF.KeyLogPath = filepath.Join(tmpDir, name)
}
return nil
}
```
Google Drive
Gist
Clipboard
Sign in with Wallet
