Breaking Down AKA: Authentication & Key Agreement Protocols in Mobile Networks

Deep dive into AKA protocols in 4G and 5G networks. Understand how EPS-AKA, 5G-AKA, and EAP-AKA' work, where they fail, and how attackers exploit authentication flows in mobile infrastructure.

Research
Jun 4, 2025

When your phone connects to a mobile network, a complex handshake happens behind the scenes—one that decides whether you’re a legitimate subscriber or just a rogue actor pretending to be one.

That process is governed by a family of protocols called Authentication and Key Agreement (AKA). These protocols are the gatekeepers of mobile security. But like many things in telecom, they carry assumptions that no longer hold up under modern threat models.

This post breaks down the core logic of AKA, its role in mobile network security, how it evolved from 3G to 5G, and where its real-world weaknesses lie.

What Is AKA (Authentication and Key Agreement)?

At its core, AKA is a challenge-response protocol run between the User Equipment (UE, the phone together with its USIM), the Serving Network (SN) the phone is attaching to, and the Home Network (HN) that holds the subscription. Its job is to:

  1. Authenticate the subscriber to the network
  2. Authenticate the network to the subscriber (mutual authentication, present since 3G; 2G had none)
  3. Agree on the keys from which the ciphering and integrity keys for the session are derived

It is designed to prevent impersonation, eavesdropping and session hijacking. Its trust anchor is a long-term secret key K that exists in exactly two places: inside the USIM application on the subscriber's SIM card, and in the home network's authentication centre, the Home Subscriber Server (HSS) in 4G or the Unified Data Management (UDM) function in 5G. Everything else in the protocol is derived from K and a fresh random challenge.

The AKA Family Tree

AKA has evolved across generations of mobile networks.

In 2G (GSM), operator-specific A3/A8 algorithms such as COMP128 were used. Only the subscriber was authenticated, the network never proved anything to the phone, and COMP128-1 was weak enough that the SIM key could be recovered by repeatedly querying the card.

In 3G, UMTS-AKA introduced mutual authentication: the network's challenge carries an authentication token (AUTN) with a sequence number and a MAC that only a party holding K can produce. The USIM functions f1–f5 (usually the MILENAGE set) derive the cipher key CK and integrity key IK. Authentication vectors still travelled between the visited network and the HLR/AuC as MAP over SS7.

In 4G, EPS-AKA kept the same USIM computations but moved vector transport to Diameter (the S6a interface) and derived a single session root key, KASME, that is bound to the serving network's identity, so a vector fetched on behalf of one network cannot be replayed in another.

In 5G, two primary authentication methods are specified: 5G-AKA and EAP-AKA'. Vector exchange moves to HTTP/2 APIs on the Service-Based Architecture (SBA). 5G-AKA adds home-network control of the outcome: the AUSF in the home network, not only the visited network, verifies the UE's response before releasing the anchor key. EAP-AKA' wraps AKA in EAP and is the method long used for non-3GPP access such as Wi-Fi offload; in 5G either method can be used over any access type. Both bind keys to the serving network name, use a layered key derivation tree, and protect the permanent identity with the SUPI/SUCI concealment mechanism.

Each evolution fixed some vulnerabilities from the previous generation—but none are bulletproof.

EPS-AKA (4G): Authentication in the Evolved Packet System

In 4G LTE, the EPS-AKA challenge and response travel in NAS messages between the UE and the MME, while the MME fetches authentication vectors from the HSS over the Diameter-based S6a interface. Key agreement produces the root key KASME, from which the NAS ciphering and integrity keys (KNASenc, KNASint) and the eNodeB key (KeNB) are derived; KASME itself never protects traffic directly.

Protocol Flow Summary:

  1. UE sends its identity to the MME: a GUTI if it holds one, otherwise the permanent IMSI
  2. MME requests authentication vectors from the HSS over S6a (Authentication-Information-Request), including the serving network identity
  3. HSS/AuC picks a fresh RAND and SQN, runs f1–f5 with the subscriber's K, and returns EPS AVs (RAND, AUTN, XRES, KASME); CK and IK never leave the HSS
  4. MME sends RAND and AUTN to the UE in a NAS Authentication Request
  5. USIM recomputes AK, recovers SQN, verifies the MAC in AUTN and checks that SQN is fresh, then computes RES, CK and IK; the phone derives KASME from them
  6. UE returns RES in the NAS Authentication Response
  7. MME compares RES with XRES → authentication succeeds/fails; on success the NAS Security Mode Command activates keys derived from KASME

Security Components:

  • K: Long-term subscriber key, present only in the USIM and the HSS/AuC
  • RAND: 128-bit random challenge
  • SQN: Sequence number tracked by the HSS and the USIM; provides replay protection
  • AK: Anonymity key (f5) that masks SQN on the air interface
  • AUTN: Authentication token, (SQN xor AK) || AMF || MAC, 128 bits
  • AMF: Authentication Management Field; its first bit (the separation bit) is set for EPS vectors
  • MAC: f1 over RAND, SQN and AMF; proves the challenger holds K
  • RES: Response computed by the UE (f2)
  • XRES: Expected response held by the network
  • CK/IK: Cipher and integrity keys (f3/f4); in EPS they only feed the KASME derivation and are never sent to the MME
  • KASME: Root key for EPS, derived from CK||IK, the serving network identity and SQN xor AK
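The seven-step exchange above, as an added example that is not part of the original post: a runnable Python simulation of EPS-AKA with an HSS, a UE and the MME logic between them. The f1–f5 functions are HMAC-SHA256 stand-ins for the USIM algorithm set (real networks use MILENAGE or TUAK); the PLMN-ID encoding, AUTN layout, AMF separation bit and KASME derivation follow TS 24.301 and TS 33.401 Annex A.2. The IMSI and key K are constructed test values. Beyond the happy path it shows what the protocol does with a replayed vector, a forged AUTN, and a vector fetched under a serving network ID different from the one the phone is camped on.

```python
"""EPS-AKA simulation (added example).  f1-f5 are HMAC stand-ins, not MILENAGE;
PLMN-ID encoding, AUTN layout and KASME derivation follow TS 24.301 / TS 33.401 A.2.
K and IMSI below are constructed test values."""
import hashlib
import hmac
import os


def _f(k, tag, *parts):
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()

def f1(k, rand, sqn, amf): return _f(k, b"f1", rand, sqn, amf)[:8]  # MAC-A, 64 bit
def f2(k, rand): return _f(k, b"f2", rand)[:8]                      # RES / XRES
def f3(k, rand): return _f(k, b"f3", rand)[:16]                     # CK
def f4(k, rand): return _f(k, b"f4", rand)[:16]                     # IK
def f5(k, rand): return _f(k, b"f5", rand)[:6]                      # AK, 48 bit

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def plmn_id(mcc, mnc):
    """Serving network identity as a 3-byte PLMN ID (TS 24.301 nibble order)."""
    mnc3 = mnc[2] if len(mnc) == 3 else "F"      # 2-digit MNC pads digit 3 with F
    return bytes.fromhex(mcc[1] + mcc[0] + mnc3 + mcc[2] + mnc[1] + mnc[0])

def kdf(key, fc, *params):
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA256(key, FC||P0||L0||P1||L1...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_kasme(ck, ik, sn_id, sqn_xor_ak):
    """TS 33.401 A.2: KASME = KDF(CK||IK, 0x10, SN id, SQN xor AK)."""
    return kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)


class HSS:
    """Home network: holds K and the SQN counter per subscriber, issues EPS AVs."""
    def __init__(self):
        self.subs = {}

    def provision(self, imsi, k):
        self.subs[imsi] = {"k": k, "sqn": 0}

    def authentication_information(self, imsi, sn_id):
        sub = self.subs[imsi]
        sub["sqn"] += 1                                   # fresh SQN defeats replay
        k, sqn = sub["k"], sub["sqn"].to_bytes(6, "big")
        rand, amf = os.urandom(16), b"\x80\x00"           # separation bit set: EPS vector
        ak = f5(k, rand)
        autn = xor(sqn, ak) + amf + f1(k, rand, sqn, amf)
        kasme = derive_kasme(f3(k, rand), f4(k, rand), sn_id, xor(sqn, ak))
        # CK and IK stay here; the MME only ever sees this 4-tuple.
        return {"rand": rand, "autn": autn, "xres": f2(k, rand), "kasme": kasme}


class UE:
    """USIM + phone: verifies AUTN, tracks the highest accepted SQN, derives KASME."""
    def __init__(self, imsi, k):
        self.imsi, self.k, self.sqn_ms = imsi, k, 0

    def authenticate(self, rand, autn, sn_id_seen):
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn = xor(sqn_xor_ak, f5(self.k, rand))
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            raise ValueError("MAC failure: challenger does not know K")
        if not amf[0] & 0x80:
            raise ValueError("AMF separation bit clear: not an EPS vector")
        if int.from_bytes(sqn, "big") <= self.sqn_ms:
            raise ValueError("Sync failure: SQN not fresh (replayed vector)")
        self.sqn_ms = int.from_bytes(sqn, "big")
        kasme = derive_kasme(f3(self.k, rand), f4(self.k, rand), sn_id_seen, sqn_xor_ak)
        return f2(self.k, rand), kasme


def eps_aka(ue, hss, sn_id, sn_id_seen=None):
    """Steps 1-7.  sn_id is what the MME tells the HSS; sn_id_seen is the PLMN the UE
    is actually camped on (identical unless something sits in between)."""
    av = hss.authentication_information(ue.imsi, sn_id)                          # steps 1-3
    try:
        res, kasme_ue = ue.authenticate(av["rand"], av["autn"], sn_id_seen or sn_id)  # 4-5
    except ValueError as e:
        return {"res_match": False, "keys_agree": False, "reason": str(e)}
    res_match = hmac.compare_digest(res, av["xres"])                             # steps 6-7
    return {"res_match": res_match, "keys_agree": kasme_ue == av["kasme"], "reason": ""}


def _attempt(ue, rand, autn, sn_id):
    try:
        ue.authenticate(rand, autn, sn_id)
        return "accepted"
    except ValueError as e:
        return str(e)


def demo():
    k = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")   # constructed test K
    hss, ue = HSS(), UE("262011234567890", k)
    hss.provision(ue.imsi, k)
    home, other = plmn_id("262", "01"), plmn_id("262", "02")
    out = {"honest": eps_aka(ue, hss, home),
           "wrong_sn": eps_aka(ue, hss, home, other)}      # RES matches, KASME does not
    av = hss.authentication_information(ue.imsi, home)
    ue.authenticate(av["rand"], av["autn"], home)           # consume the vector once
    out["replay"] = _attempt(ue, av["rand"], av["autn"], home)
    forged = bytearray(av["autn"])
    forged[-1] ^= 0x01                                      # attacker without K alters MAC
    out["forged"] = _attempt(ue, av["rand"], bytes(forged), home)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} {result}")
```

Run it directly to print the four outcomes. The wrong_sn case is the instructive one: RES still matches, because RES does not depend on the serving network, but KASME diverges, so in a real attach the NAS Security Mode Command that follows would fail its integrity check. The replayed vector is rejected by the SQN check and the forged AUTN by the MAC check, which is why the practical weaknesses listed below sit around the challenge rather than inside it.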

Where It Fails:

  • IMSI Disclosure: the IMSI is sent in cleartext in the Attach Request, or in reply to an Identity Request, whenever no valid GUTI is available. This is what IMSI catchers rely on for subscriber identification and location tracking.
  • Unprotected pre-authentication signalling: Identity Request, Attach Reject and Tracking Area Update Reject are accepted before any key exists, so a fake eNodeB can solicit the IMSI or push a reject that denies service or forces a downgrade. The AKA challenge itself is replay-protected by the SQN, but nothing before it is.
  • No Device Authentication: only the subscription (USIM) is authenticated; the IMEI the phone reports is never verified.
  • No End-to-End Encryption: the derived keys protect only NAS signalling to the MME and the radio link to the eNodeB; user traffic is unprotected from the eNodeB onward unless the operator secures the backhaul separately.

5G-AKA and EAP-AKA': Trying to Fix the Past

With 5G, the AKA protocol gets a long-overdue upgrade.

First, the IMSI is replaced by the SUPI (Subscription Permanent Identifier), which the UE sends over the air only as a SUCI (Subscription Concealed Identifier): the subscriber-specific part is encrypted with ECIES under a home network public key provisioned on the USIM, so only the home network can recover it. With a non-null protection scheme in place, a rogue base station that solicits the identity learns nothing that stays constant across sessions.

Second, a layered key hierarchy built with the 3GPP KDF produces K_AUSF in the home network, K_SEAF as the anchor key handed to the visited network, K_AMF for NAS protection and K_gNB for the radio link, so each network function holds only the key it needs.

5G also introduces Serving Network Binding: the serving network name ("5G:mnc<MNC>.mcc<MCC>.3gppnetwork.org") is an input to the UE's response (RES*) and to K_AUSF, so a response or key obtained for one network is useless toward a UE that believes it is on another. Both 5G-AKA and EAP-AKA' bind to the serving network name, though EAP-AKA' is usually reserved for non-3GPP access (e.g., Wi-Fi offload).
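The derivations behind serving network binding and the key tree, as an added example that is not part of the original post. It implements the 5G-AKA formulas from TS 33.501 Annex A (K_AUSF, RES*/XRES*, HRES*/HXRES*, K_SEAF) and runs one authentication in which the visited network's SEAF, the home network's AUSF/UDM and the UE each compute their part. CK, IK, RAND, RES and SQN xor AK are constructed values standing in for the USIM's f2–f5 outputs; in a live network they come from MILENAGE or TUAK.

```python
"""5G-AKA serving-network binding (added example).  Formulas from TS 33.501 Annex A;
CK, IK, RAND, RES and SQN xor AK are constructed stand-ins for USIM outputs."""
import hashlib
import hmac


def kdf(key, fc, *params):
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA256(key, FC||P0||L0||P1||L1...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def serving_network_name(mcc, mnc):
    """TS 33.501 6.1.1.4: '5G:mnc<MNC>.mcc<MCC>.3gppnetwork.org', MNC zero-padded to 3."""
    return f"5G:mnc{mnc.zfill(3)}.mcc{mcc}.3gppnetwork.org".encode()

def res_star(ck, ik, sn_name, rand, res):
    """A.4: RES*/XRES* = 128 least significant bits of KDF(CK||IK, 0x6B, SN name, RAND, RES)."""
    return kdf(ck + ik, 0x6B, sn_name, rand, res)[16:]

def hres_star(rand, res_star_value):
    """A.5: HRES*/HXRES* = 128 least significant bits of SHA-256(RAND || RES*)."""
    return hashlib.sha256(rand + res_star_value).digest()[16:]

def k_ausf(ck, ik, sn_name, sqn_xor_ak):
    """A.2: K_AUSF = KDF(CK||IK, 0x6A, SN name, SQN xor AK); also bound to the SN."""
    return kdf(ck + ik, 0x6A, sn_name, sqn_xor_ak)

def k_seaf(kausf, sn_name):
    """A.6: K_SEAF = KDF(K_AUSF, 0x6C, SN name); the anchor key released to the visited network."""
    return kdf(kausf, 0x6C, sn_name)


# Constructed USIM outputs shared by the UE and the home network for this run (not real data).
CK = bytes.fromhex("b40ba9a3c58b2a05bbf0d987b21bf8cb")
IK = bytes.fromhex("f769bcd751044604127672711c6d3441")
RAND = bytes.fromhex("23553cbe9637a89d218ae64dae47bf35")
RES = bytes.fromhex("a54211d5e3ba50bf")          # f2 output, 64 bit
SQN_XOR_AK = bytes.fromhex("ff9bb4d0b607")


def run_5g_aka(sn_name_requested, sn_name_seen):
    """One 5G-AKA run.  sn_name_requested is what the SEAF claims to the AUSF/UDM;
    sn_name_seen is the PLMN the UE is actually camped on."""
    # Home network (UDM/ARPF + AUSF): XRES* and K_AUSF are bound to the requesting network.
    xres_star = res_star(CK, IK, sn_name_requested, RAND, RES)
    hxres_star = hres_star(RAND, xres_star)          # only this is handed to the SEAF
    kausf = k_ausf(CK, IK, sn_name_requested, SQN_XOR_AK)

    # UE: binds its response and keys to the network it believes it is talking to.
    ue_res_star = res_star(CK, IK, sn_name_seen, RAND, RES)
    ue_kseaf = k_seaf(k_ausf(CK, IK, sn_name_seen, SQN_XOR_AK), sn_name_seen)

    # Visited network (SEAF): can check the hash but never sees XRES* itself.
    seaf_ok = hmac.compare_digest(hres_star(RAND, ue_res_star), hxres_star)
    # Home network (AUSF): final say; K_SEAF is released only on success.
    ausf_ok = hmac.compare_digest(ue_res_star, xres_star)
    keys_agree = ausf_ok and k_seaf(kausf, sn_name_requested) == ue_kseaf
    return {"seaf_ok": seaf_ok, "ausf_ok": ausf_ok, "keys_agree": keys_agree}


if __name__ == "__main__":
    home = serving_network_name("262", "01")
    print("honest :", run_5g_aka(home, home))
    # Vectors fetched under another network's name, replayed to a UE camped on 'home':
    print("relayed:", run_5g_aka(serving_network_name("262", "02"), home))
```

The second run shows why the binding matters: a network (or a rogue roaming partner) that obtained vectors under its own name cannot use them toward a UE camped on another PLMN, so both the SEAF's hash check and the AUSF's confirmation fail. Note also that the SEAF only ever receives HXRES*, so a compromised visited network can neither compute a valid RES* itself nor forge the home network's confirmation, which is the home-network control that 5G-AKA adds over EPS-AKA.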

Remaining Weaknesses:

  • No Subscriber-Anonymity Guarantee: the SUCI protection scheme is chosen by the home network and the null scheme (SUPI sent in cleartext) is permitted, so subscribers of operators that have not provisioned a home network public key on their USIMs get no identity concealment
  • No End-to-End Protection between UE and Home Network (still): the home network confirms the authentication result, but ciphering and integrity protection terminate at the visited network's AMF and gNB
  • Devices that fall back to 4G or 3G re-enable that generation's flaws, IMSI exposure included

Real-World Attacks on AKA Protocols

Despite decades of cryptographic maturity, AKA protocols have been exploited in the wild—sometimes with catastrophic implications.

📡 IMSI Catchers (aka Stingrays)

Still effective on 4G and on 5G Non-Standalone (NSA) deployments, which use the EPC core and EPS-AKA and therefore still identify subscribers by IMSI. If the phone holds no valid GUTI, or a fake base station simply asks for the permanent identity, the IMSI goes out in cleartext, enabling subscriber identification, location tracking and passive surveillance. Only 5G Standalone with SUCI concealment enabled removes this exposure.

⚠️ MITM in Untrusted Networks

In Wi-Fi offloading scenarios (an IKEv2/IPsec tunnel to an ePDG, with EAP-AKA' carried inside IKE), the ePDG authenticates itself to the UE with a certificate. If the UE does not validate that certificate against a trusted root, an attacker on the Wi-Fi path can terminate the tunnel and read or manipulate traffic. Many UEs accept ePDG certificates without proper validation.

💣 Downgrade Attacks

Devices falling back from 5G to 4G (or even 3G and 2G) are exposed to the legacy threats: IMSI disclosure, unprotected reject messages, fake base stations and signalling abuse. An attacker does not need to break 5G if jamming or a spoofed reject sends the phone to a network the attacker can impersonate.

🛠 SIM Card Vulnerabilities

  • Simjacker abuses the S@T Browser application on the SIM: a binary SMS makes the card issue proactive commands (location retrieval, sending SMS) with no user interaction.
  • SIM cloning remains possible where COMP128-1 cards are still in service and 2G fallback is available.

AKA and the Trust Problem in Roaming

In international roaming scenarios, the authentication flow becomes even more fragile. The visited network must request authentication vectors from the home network, but:

  • Diameter proxies may be poorly secured.
  • AVs can be intercepted, modified, or replayed without strong mutual TLS.
  • Some roaming partners accept unauthenticated AVs (yes, it still happens).

Roaming trust models rely on IPX security, which is often a euphemism for “just hope no one’s listening.”

AKA Isn’t Enough on Its Own

Authentication and key agreement are foundational, but they’re just the beginning of mobile security. AKA protects the start of a session, but once keys are negotiated, the rest of the protocol stack (NAS, GTP, SIP) takes over—and that’s where many of the practical attacks live.

Operators must complement AKA with:

  • Regular penetration testing of MME, AMF and ePDG interfaces, including their handling of pre-authentication NAS messages
  • Strong SBI and Diameter interface security: mutual TLS, signalling firewalls and filtering of authentication vector requests from unexpected peers
  • Subscriber identity privacy: frequent GUTI reallocation in 4G, SUCI with a non-null protection scheme in 5G
  • Real-time threat detection for rogue attach attempts, authentication failure spikes and malformed authentication vectors

Final Thoughts: AKA Is Secure… Until It Isn’t

AKA protocols are mathematically sound, but their deployment context isn’t. Weak encryption policies, partial upgrades, fallback mechanisms, and misconfigured interfaces turn theoretically secure protocols into practical attack surfaces.

4G EPS-AKA and 5G-AKA are massive improvements over early telecom authentication—but they still reflect an era of implicit trust between networks. In today’s threat landscape, that trust is often misplaced.

Until we see full end-to-end encryption, universal SUCI enforcement, and zero-trust network access, mobile networks will continue to suffer from "secure-in-theory" authentication.
