
5G Security Glossary
Comprehensive reference of 5G security terms, concepts, protocols, and technologies for telecommunications security professionals.
Complete Glossary
3
The 3rd Generation Partnership Project is a standards organization that develops protocols for mobile telecommunications. 3GPP has defined the security architecture for 5G networks in TS 33.501.
5
The core network of 5G systems, based on a service-based architecture (SBA) where network functions offer services to other authorized network functions via APIs.
5G Authentication and Key Agreement is the primary authentication method in 5G networks, enhancing the security of previous AKA versions with additional security features like binding authentication to the serving network and protection against fake base stations.
5G New Radio is the radio access technology for 5G networks, supporting enhanced mobile broadband (eMBB), ultra-reliable low-latency communications (URLLC), and massive machine-type communications (mMTC).
A
The Anti-Bidding down Between Architectures parameter is used in 5G to prevent bidding-down attacks, in which an attacker forces the use of less secure authentication protocols.
Access and Mobility Management Function is responsible for connection and mobility management in 5G networks. It handles registration, connection, reachability, and mobility management functions.
Authentication Repository and Processing Function is a component of the UDM that stores authentication credentials and generates authentication vectors for 5G-AKA and EAP-AKA'.
Authentication Server Function is responsible for authenticating UEs in 5G networks. It acts as the authentication server for 5G-AKA and EAP-AKA'.
B
An attack where an adversary forces a UE and network to use a less secure protocol version or security algorithm than they would normally use.
C
Control and User Plane Separation is an architectural enhancement that separates the control plane and user plane functions, allowing them to scale independently and be deployed in different locations.
A key used by the UE to encrypt the SUPI to create the SUCI, protecting the subscriber's permanent identity over the air interface.
The part of the network that carries signaling traffic and is responsible for routing and controlling the network connections rather than actually carrying the user data.
E
Extensible Authentication Protocol for Authentication and Key Agreement Prime is an alternative authentication method in 5G networks, particularly useful for non-3GPP access.
Elliptic Curve Integrated Encryption Scheme is used in 5G networks for SUPI protection, encrypting the subscriber's permanent identity to create the SUCI.
Enhanced Mobile Broadband is one of the three main 5G use cases, focusing on high data rates and increased capacity for applications like high-definition video streaming and virtual reality.
F
An attack where a malicious device impersonates a legitimate base station to intercept communications between UEs and the network. 5G includes several countermeasures against this attack.
G
Next Generation NodeB is the 5G base station that connects UEs to the 5G Core network. It includes both centralized and distributed units (CU and DU) in some deployments.
Globally Unique Temporary UE Identity is a temporary identifier assigned to a UE to avoid exposing the permanent identity (SUPI) during communications after initial registration.
H
Home Public Land Mobile Network is the network operated by the mobile provider with whom the subscriber has a contract and maintains their subscription data.
The protocol used for service-based interfaces in the 5G Core, replacing Diameter used in 4G. All 5G Core network functions communicate using RESTful APIs over HTTP/2.
I
A device that mimics a cell tower to intercept mobile communications and track users. 5G's SUCI mechanism is designed to prevent IMSI catching attacks.
K
The subscriber's permanent key stored in the USIM and the ARPF, used as the root of all security contexts in 5G authentication.
Key for the Authentication Server Function, derived during 5G-AKA authentication and used to derive further keys in the key hierarchy.
Key for the Access and Mobility Management Function, derived from KSEAF and used to protect signaling between the UE and AMF.
The structured derivation of multiple security keys from a root key in 5G, ensuring that different security contexts use separate keys.
Key for the gNB, derived from KAMF and used to protect the radio interface between the UE and gNB.
Key for the Security Anchor Function, derived from KAUSF and bound to the serving network to prevent key compromise across networks.
M
Multi-access Edge Computing is a network architecture that enables cloud computing capabilities at the edge of the network, close to the end-users, reducing latency for applications.
Massive Machine Type Communications is one of the three main 5G use cases, focusing on connecting a vast number of IoT devices with low power requirements.
N
The interface between the UE and AMF, carrying NAS signaling for registration, authentication, session management, and mobility.
The interface between the RAN (gNB) and AMF, carrying signaling related to radio resource management and UE mobility.
The interface between the RAN (gNB) and UPF, carrying user plane data between the radio network and the core network.
Non-Access Stratum is the protocol layer between the UE and AMF, handling functions like registration, authentication, and session management.
A key feature of 5G that allows multiple virtual networks to be created on top of a common physical infrastructure, each optimized for specific services or customers.
Next Generation Application Protocol is the control plane protocol used on the N2 interface between the gNB and AMF.
Network Slice Selection Function selects the appropriate network slice instances for UEs and provides assistance information for the AMF selection.
O
The authorization framework used in 5G service-based architecture to secure API access between network functions.
P
Policy Control Function provides policy rules to control plane functions and ensures consistent policy decisions across the network.
Packet Forwarding Control Protocol is used between the SMF and UPF to control user plane forwarding behaviors.
R
Representational State Transfer APIs are used in 5G service-based architecture for communication between network functions, based on HTTP methods.
Radio Resource Control is the protocol used for control signaling between the UE and gNB, handling functions like connection establishment and radio bearer configuration.
S
Service-Based Architecture is the architectural model of the 5G Core where network functions provide services to each other through RESTful APIs.
Security Anchor Function is part of the AMF and terminates the KSEAF from the home network, anchoring the security of a UE to the serving network.
Security Edge Protection Proxy provides security for interconnect traffic between different operator networks, implementing topology hiding and message filtering.
A security principle in network slicing where resources and traffic of one network slice are separated from other slices to prevent cross-slice attacks.
Session Management Function is responsible for session management, IP address allocation, and control aspects of user plane functions in 5G networks.
Single Network Slice Selection Assistance Information identifies a network slice and consists of a Slice/Service Type (SST) and an optional Slice Differentiator (SD).
Subscription Concealed Identifier is the encrypted version of SUPI, used to protect the subscriber's permanent identity during initial registration.
Subscription Permanent Identifier is the permanent identity of a subscriber in 5G, typically in the form of an IMSI, but never transmitted in clear text over the air.
T
Transport Layer Security is used to secure HTTP/2 communications between network functions in the 5G Core and between SEPPs for inter-operator security.
The 3GPP technical specification that defines the security architecture and procedures for 5G systems, including authentication, key management, and security mechanisms.
U
Unified Data Management stores subscriber data and handles authentication credentials in 5G networks, containing the ARPF functionality.
User Equipment is the device used by an end-user for communication, such as a smartphone, tablet, or IoT device connected to the 5G network.
User Plane Function handles user data packets, packet routing and forwarding, QoS handling, and serves as the external PDU session point of interconnect to data networks.
Ultra-Reliable Low-Latency Communications is one of the three main 5G use cases, focusing on applications requiring extremely low latency and high reliability.
The part of the network that carries the actual user data traffic, as opposed to signaling and control information.
Universal Subscriber Identity Module is the application running on the physical SIM card that stores subscriber identity and authentication information for 5G networks.
V
Visited Public Land Mobile Network is the network that a subscriber is using when roaming outside their home network (HPLMN).
Z
A security concept applied to 5G networks where trust is never assumed and verification is always required, regardless of whether the connection is from inside or outside the network perimeter.