5G NR NAS & Core Section 11.2
NAS & Core

Registration & Authentication —
Proving identity, getting a temporary ID

After the RRC connection is established, the UE must register with the 5G Core. This involves concealing its real identity (SUCI), proving it is legitimate (5G-AKA), activating NAS security, and receiving a temporary identity (5G-GUTI). This section traces every message with exact field values.

TS 24.501 §5.5 TS 33.501 §6 TS 23.501 §5.9

SUCI — Subscription Concealed Identifier

In LTE, the UE transmitted its IMSI (International Mobile Subscriber Identity) in plaintext during initial attach. Anyone with a passive scanner could link the IMSI to a device and track it across cells. 5G fixes this with the SUCI.

The SUCI is computed by the UE using ECIES (Elliptic Curve Integrated Encryption Scheme) — the IMSI is encrypted with the home network's public key, which is stored on the SIM. The ciphertext changes each time, so even the serving network cannot correlate two registrations.

The UE shall use the SUCI when the UE does not have a valid 5G-GUTI, or when the AMF requests the UE to provide its identity. The SUCI is generated from the SUPI using the ECIES protection scheme with the home network public key stored on the USIM.
3GPP TS 24.501, Section 5.4.4.1
SUCI structure — our UE exampleTS 23.003 §2.2B
// SUPI (true identity on SIM, never transmitted):
SUPI = IMSI = 244051234567890
  MCC = 244, MNC = 05, MSIN = 1234567890

// SUCI (what is actually transmitted):
SUCI = [SUPI type][Home Network Identifier][Routing Indicator]
       [Protection Scheme ID][Home Network Public Key ID]
       [Scheme Output]

Protection Scheme = Profile A  (ECIES, curve25519)
Public Key ID     = 1           (index into key list on SIM)
Scheme Output     = 0x7A3F9C12... (128-byte ECIES ciphertext)
// Scheme Output = ENC_pk(MSIN) — changes every registration

// MSIN encrypted — AMF forwards to UDM/AUSF for decryption
// Only the home network (UDM) can decrypt with private key

Registration procedure — step by step

5G registration procedure — full message flow TS 24.501 §5.5.1

5G-AKA — Authentication and Key Agreement

5G-AKA is the primary authentication mechanism. It provides mutual authentication — the UE authenticates the network and the network authenticates the UE. Both derive the same root key (K_AUSF) from the long-term key K on the SIM.

In 5G-AKA, the AUSF sends an Authentication Request containing RAND and AUTN to the UE. The UE verifies AUTN (authenticating the network), computes RES from RAND and K, and returns RES*. The AUSF verifies RES* against XRES* to authenticate the UE.
3GPP TS 33.501, Section 6.1.3
5G-AKA key derivation chainTS 33.501 §A.2
// Root key (on SIM, never leaves device):
K = 128-bit symmetric key (provisioned at SIM manufacture)

// Network sends: RAND (random 128-bit), AUTN (authentication token)
// UE computes:
CK, IK   = f3(K, RAND), f4(K, RAND)    ← cipher/integrity keys
RES      = f2(K, RAND)                  ← response
AUTN_verify = check MAC in AUTN         ← authenticate network

// Key derivation (TS 33.501 Annex A):
K_AUSF   = KDF(CK||IK, "5G HE AV", SNN)   ← home auth key
K_SEAF   = KDF(K_AUSF, "K_SEAF", SNN)     ← serving auth key
K_AMF    = KDF(K_SEAF, "K_AMF", ABBA)     ← AMF key
K_gNB    = KDF(K_AMF, "K_gNB", UL_NAS_COUNT) ← gNB key
K_RRCint, K_RRCenc = KDF(K_gNB, ...)      ← RRC protection
K_UPint,  K_UPenc  = KDF(K_gNB, ...)      ← user plane protection
K_NASint, K_NASenc = KDF(K_AMF, ...)      ← NAS protection

Security Mode Command — activating NAS security

After successful authentication, the AMF sends a Security Mode Command to activate NAS ciphering and integrity protection. The UE responds with a Security Mode Complete — the first NAS message that is both integrity-protected and ciphered.

Upon receiving the Security Mode Command, the UE shall check the integrity of the message using the indicated NAS integrity algorithm and K_NASint. The UE shall send the Security Mode Complete message ciphered and integrity protected.
3GPP TS 24.501, Section 5.4.2.3

5G-GUTI — the temporary identity

After successful registration, the AMF assigns a 5G-GUTI (Globally Unique Temporary Identifier). From this point, the UE uses the 5G-GUTI in future registrations instead of the SUCI. The gNB can address the UE using the 5G-S-TMSI (a short form of 5G-GUTI) for paging.

5G-GUTI structure — Registration AcceptTS 23.003 §2.10
// 5G-GUTI = MCC + MNC + AMF Region ID + AMF Set ID + AMF Pointer + 5G-TMSI
5G-GUTI:
  PLMN:            244-05           (Elisa Finland)
  AMF Region ID:   0x01              (1 byte)
  AMF Set ID:      0x001             (10 bits)
  AMF Pointer:     0x3F              (6 bits)
  5G-TMSI:         0x3A7F9C12       (32 bits, random)

// 5G-S-TMSI (used for paging) = AMF Set ID + AMF Pointer + 5G-TMSI
// gNB sends paging with 5G-S-TMSI → UE recognises its own identity

// TAI (Tracking Area Identity) in Registration Accept:
TAI = 244-05-0x1F4    (PLMN + TAC = 500)
// UE monitors this TA — triggers TAU if it enters a new TA
Registration complete — UE now has:
Identity      → 5G-GUTI assigned (no longer needs SUCI)
Authentication → mutual — network and UE verified
NAS security  → K_NASint + K_NASenc active
RAN security  → K_gNB → K_RRCint/enc, K_UPenc
Location      → TAI 244-05-500 registered with AMF
Next          → PDU session establishment → data path open
← PreviousNAS Layer Overview