5G SA

5G Standalone — the cloud-native Service-Based Architecture core for 5G networks

Type: generation

Generations: 5G

Threat level: medium

Overview

5G Standalone — defined in 3GPP Release 15, published in 2018 — is the clean-slate target architecture for fifth-generation mobile networks. Where 5G Non-Standalone (NSA) grafts a 5G radio access network onto an existing 4G Evolved Packet Core, 5G SA replaces the core network entirely with the 5G Core (5GC), severing any architectural dependency on 4G infrastructure.

The defining characteristic of 5GC is the Service-Based Architecture (SBA). Rather than point-to-point protocol interfaces between monolithic network nodes — the model used by SS7 in 2G/3G and Diameter in 4G — every network function in 5GC exposes its capabilities as RESTful HTTP/2 APIs served over TLS. A Network Repository Function (NRF) acts as a service registry: network functions register their capabilities on startup and discover peer services dynamically. Any authorised network function can invoke any service on any other network function. This is not merely an implementation convenience — it is a deliberate architectural shift toward the loose coupling and horizontal scalability that cloud-native infrastructure demands.

At the protocol layer, 5G SA replaces SS7 and Diameter signalling with HTTP/2 and JSON throughout the control plane. The GTP-C signalling that carried session management in 4G is replaced by HTTP/2 on the N11 interface between AMF and SMF, and by PFCP (Packet Forwarding Control Protocol) on the N4 interface between SMF and UPF. GTP-U is retained for user plane bearer transport on N3.

Identity privacy receives a structural redesign. In all previous generations, the subscriber's permanent identity — the IMSI in 2G through 4G — could be transmitted in clear text during initial registration, enabling IMSI-catching attacks at the radio layer. 5G SA replaces IMSI with SUPI (Subscription Permanent Identifier) at the conceptual level, and mandates that SUPI is never transmitted unprotected over the air. Instead, the UE transmits a SUCI (Subscription Concealed Identifier): the SUPI encrypted with the home network's public key, stored in the USIM. Only the home network's AUSF and UDM can decrypt it. Visited networks — and any attacker positioned on the radio interface — see only an opaque ciphertext that changes with each registration.

For inter-operator roaming, the unprotected Diameter S8 and IPX exposure of 4G is replaced by the N32 interface, protected by a Security Edge Protection Proxy (SEPP) at each network boundary. SEPP enforces PRINS (Protection of Inter-PLMN NAS Signalling), providing end-to-end integrity and confidentiality for NF-to-NF messages traversing the IPX interconnect. The architectural exposure that made 4G Diameter roaming a fertile attack surface is addressed at the design level.

5G SA is also the foundation on which network slicing, multi-access edge computing, and massive IoT connectivity are built as first-class design requirements, not retrofits.


How it works

The SBA model begins at registration. When a 5G SA network function starts, it registers with the NRF — declaring its type, supported services, network slice memberships, and capacity. Consumer NFs query the NRF to discover which producer NF instances are available for a given service. Invocations are HTTP/2 requests carrying JSON bodies, protected by mutual TLS between NFs. Authorisation is enforced via OAuth 2.0: the NRF issues access tokens that producer NFs validate before serving any request. Every significant control plane interaction follows this discover-authorise-invoke pattern.

The principal network functions of 5GC:

  • AMF (Access and Mobility Management Function) — Handles UE registration, mobility management, and NAS (Non-Access Stratum) protocol termination. The single point of contact for the UE on the control plane. Replaces the mobility management role of the 4G MME.
  • SMF (Session Management Function) — Manages PDU sessions: IP address allocation, QoS policy enforcement, UPF selection and control via N4. Replaces the session management roles of the 4G MME, SGW-C, and PGW-C.
  • UPF (User Plane Function) — Forwards user plane packets between the radio network and external data networks. Enforces per-session packet forwarding rules delivered by the SMF over N4. Replaces the 4G SGW-U and PGW-U.
  • AUSF (Authentication Server Function) — Executes the authentication procedure on behalf of the home network, interfacing with UDM for credential retrieval and key derivation.
  • UDM (Unified Data Management) — Stores and manages subscriber data: subscription profiles, authentication credentials, and current serving AMF. Replaces the 4G HSS.
  • PCF (Policy Control Function) — Provides policy rules for sessions and UE access, replacing the 4G PCRF.
  • NRF (Network Repository Function) — Service registration and discovery registry for all NFs in the PLMN.
  • NSSF (Network Slice Selection Function) — Selects the appropriate network slice for a given UE and session based on subscription and local policy.
  • NEF (Network Exposure Function) — Exposes 5GC capabilities to external application functions in a controlled and authenticated manner.
  • SEPP (Security Edge Protection Proxy) — Protects all NF-to-NF traffic crossing the N32 inter-PLMN boundary, providing message-level security via PRINS.

5G-AKA authentication procedure

Authentication in 5G SA follows the 5G-AKA (Authentication and Key Agreement) procedure defined in TS 33.501. The sequence proceeds as follows.

The UE initiates a Registration Request, carrying its SUCI — the home network public-key-encrypted form of its SUPI — rather than the SUPI or IMSI in clear text. The serving AMF, unable to decrypt the SUCI itself, forwards an Authentication Request to the home AUSF over the N12 interface. The AUSF in turn queries the UDM over N13, providing the SUCI. The UDM decrypts the SUCI to recover the SUPI, retrieves the long-term credential (K) from the HE AV (Home Environment Authentication Vector) computation, and derives the 5G Home Environment Authentication Vector (5G HE AV), which it returns to the AUSF. The AUSF derives the 5G Authentication Vector (5G AV) — comprising RAND, AUTN, HXRES*, and KAUSF — and sends the relevant parameters to the AMF.

The AMF sends an Authentication Request to the UE carrying RAND and AUTN. The UE uses its USIM to verify AUTN, confirming that the authentication challenge originated from the legitimate home network — providing mutual authentication absent in all pre-5G generations. The UE then computes RES* from RAND and K, and returns it to the AMF. The AMF computes HRES* from RES* and compares it to the HXRES* it holds; it also forwards RES* to the AUSF for home network verification. On success, a hierarchy of session keys is derived: KAUSF, KSEAF, KAMF, and KgNB, with KgNB used to derive the radio interface ciphering and integrity protection keys.

SUCI and identity concealment

The SUCI mechanism works because the home network operator provisions a public key onto each USIM at the time of manufacture. When the UE needs to transmit its identity during initial registration — before any security context exists — it encrypts its SUPI under this public key using ECIES (Elliptic Curve Integrated Encryption Scheme). The resulting SUCI is unlinkable across registrations because a fresh ephemeral key is used each time. The visited network AMF passes the SUCI to the home AUSF, which decrypts it using the home network's private key. The SUPI never traverses the radio interface or the roaming interconnect in clear text.

Session establishment and QoS

PDU session establishment is driven by the SMF. When the AMF receives a session establishment request from the UE on N1, it selects an SMF and forwards the request over N11. The SMF allocates a UPF via N4 using PFCP Session Establishment Request messages, which carry the packet detection and forwarding rules that the UPF must enforce. QoS flows are mapped to 5QI (5G QoS Identifier) values — standardised identifiers for scheduling priority, delay budget, and loss rate — which the SMF communicates to both the UPF and the AMF (which relays them to the gNB over N2). The UPF then forwards user plane traffic between the gNB (N3, via GTP-U) and the external data network (N6, plain IP).


Architecture role

5G SA is the end-state architecture of the 5G programme. Its position relative to predecessor and transitional architectures is worth stating precisely.

5G Non-Standalone (NSA, Option 3x in 3GPP terminology) uses the 5G NR radio access technology but anchors control plane signalling in the 4G EPC — the MME, HSS, and S/PGW remain in place. NSA was the first commercially deployed 5G configuration because it allowed operators to deliver 5G data speeds without replacing the core. It inherits the entire security exposure of 4G EPC, including Diameter attack surface and the absence of SUCI. 5G SA removes these inherited vulnerabilities by replacing the EPC entirely.

The functional mapping from 4G EPC to 5GC is direct:

  • AMF replaces the MME's mobility management and NAS termination functions, but session management is carved out to the SMF.
  • SMF consolidates the session management previously split across the MME (bearer management), SGW-C (S1-U anchor), and PGW-C (PDN gateway control).
  • UPF consolidates the SGW-U and PGW-U data path roles into a single, SMF-controlled forwarding element.
  • AUSF + UDM replace the HSS and AuC, with the authentication function separated from subscriber data management and exposed as a discrete NF service.
  • PCF replaces the PCRF.

The roaming architecture is similarly restructured. The 4G S8 interface between the visited PGW and home PGW carried GTP-C over an IPX network with no message-level protection — a well-documented attack surface for Diameter manipulation. In 5G SA roaming, all inter-PLMN NF-to-NF communication traverses the N32 interface between the visited network's SEPP and the home network's SEPP. PRINS provides JSON Web Signature (JWS)-based integrity protection and JSON Web Encryption (JWE)-based confidentiality at the application layer, independent of the IPX transport.

Cloud-native deployment is a design requirement in 5G SA, not an option. NFs are specified in a manner that is agnostic to whether they run as bare-metal processes, virtual machines, or containerised workloads on COTS hardware. Network slicing — the ability to instantiate logically isolated end-to-end networks within a single physical infrastructure — is a first-class architectural feature, with NSSF providing slice selection and each slice carrying its own AMF, SMF, and UPF instances where required.


Key interfaces

Interface | Between | Protocol | Purpose
N1 | UE ↔ AMF | NAS (5GMM) | Registration, mobility, session control
N2 | AMF ↔ gNB | NGAP | RAN-core control plane
N3 | UPF ↔ gNB | GTP-U | User plane bearer
N4 | SMF ↔ UPF | PFCP | Session management, forwarding rules
N6 | UPF ↔ Data Network | IP | External network connectivity
N8 | AMF ↔ UDM | HTTP/2 | Subscriber data retrieval
N12 | AMF ↔ AUSF | HTTP/2 | Authentication service
N32 | SEPP ↔ SEPP | HTTP/2 + PRINS | Inter-PLMN NF-to-NF security

Security posture

5G SA represents a structural improvement over every previous generation of mobile network architecture — not in degree but in kind. The security problems of 2G and 3G (no authentication, SS7 openness), and of 4G (Diameter roaming exposure, IMSI in clear, no mutual authentication), were design properties of their respective architectures that could not be patched without replacing the architecture. 5G SA replaces the architecture.

SUCI eliminates IMSI catching at the radio layer. An attacker who deploys a fake base station and captures the UE's initial registration message sees a ciphertext that is computationally infeasible to reverse without the home network's private key. The SUPI is never exposed.

SEPP eliminates the unprotected Diameter roaming interface. Inter-PLMN traffic on N32 carries application-layer integrity protection and confidentiality regardless of the trustworthiness of the IPX provider in between. An IPX provider with a man-in-the-middle position sees protected JSON, not cleartext Diameter AVPs.

HTTP/2 over mutual TLS between NFs provides both confidentiality and NF-level authentication on every control plane interaction within the core. OAuth 2.0 token-based authorisation prevents a compromised NF from freely invoking services beyond its intended role.

However, the SBA model introduces an attack surface that has no direct equivalent in EPC. The total number of API endpoints exposed within a 5GC is orders of magnitude larger than the set of Diameter interfaces in an EPC. Any authenticated NF can invoke services on any other NF, subject to OAuth token scope. This means that the compromise of a single NF — or of the NRF token-signing key — has a blast radius that scales with the interconnectedness of the service mesh. Network slice isolation is mandatory in TS 23.501 but implementation depth varies significantly between vendors and deployment configurations.


Attack surface

N32/SEPP misconfiguration

SEPP deployment is mandatory for 5G SA inter-PLMN roaming, but its protection is contingent on correct PRINS enforcement configuration. If a SEPP is deployed in passthrough mode — forwarding N32 traffic without applying JWS integrity verification and JWE confidentiality — then inter-PLMN NF-to-NF messages traverse the IPX in cleartext or without integrity protection. An adversary with a position on the IPX interconnect, or a compromised IPX provider, can read and potentially modify NF service requests in transit. The impact is functionally equivalent to the 4G Diameter roaming attack surface: subscriber data can be queried, sessions can be manipulated, and identity information can be harvested.

Impact: Inter-PLMN signalling exposure; subscriber data leakage; potential session manipulation.
Difficulty: Requires IPX network position or a compromised roaming partner.

NRF token compromise

OAuth 2.0 authorisation in 5GC depends entirely on the integrity of the tokens issued by the NRF. If the NRF's token-signing private key is exposed — through a software vulnerability, misconfiguration, or a supply chain compromise of the NRF vendor — an attacker can forge access tokens that authorise calls to any NF service in the network. This is equivalent to obtaining administrative access to the entire 5GC control plane: AMF subscriber data, UDM credential stores, SMF session state, and PCF policy functions are all reachable. There is no additional authentication boundary once a valid token is held.

Impact: Full 5GC control plane compromise; subscriber data exfiltration; session manipulation at scale.
Difficulty: High. Token key compromise requires significant access. But the consequence of success is catastrophic.

SUPI timing correlation

The SUCI mechanism provides computational privacy — an attacker cannot decrypt the SUCI to recover the SUPI. However, if the timing of SUCI resolution at the AUSF is observable from the network side, it may be possible to correlate successive registrations from the same subscriber by observing the latency pattern of AUSF responses. The 3GPP specification requires that SUCI randomisation include a fresh ephemeral key per registration to prevent deterministic linkability, but not all implementations enforce this uniformly. Timing-based correlation is a side-channel, not a direct cryptographic attack, and its practicality depends heavily on the attacker's network observability.

Impact: Subscriber identity de-anonymisation; linkage of registration events to a persistent subscriber identity.
Difficulty: Medium. Requires network-level observation of AUSF response timing.

Downgrade to 5G NSA or LTE

A UE that supports 5G SA and attaches to a 5G SA cell can, under certain conditions, be induced through capability negotiation manipulation to fall back to 5G NSA or LTE. On 5G NSA, the core is the 4G EPC — Diameter-based, without SUCI, without SEPP. On LTE, the full 4G and SS7 attack surface applies. A radio-layer attacker who can manipulate the capability negotiation exchange — for example by operating a rogue base station that advertises itself as a 5G cell but rejects SA capability — can force a victim UE onto a network where legacy attack techniques are fully applicable.

Impact: Re-exposure to the complete 4G and SS7 attack surface; IMSI catching becomes viable; Diameter attacks apply.
Difficulty: Requires radio-layer capability — a rogue base station or software-defined radio platform with appropriate software.


Mitigations

The highest-priority control is correct SEPP deployment with PRINS enforcement. Every operator running 5G SA roaming must deploy SEPP instances at all N32 boundaries and configure them to enforce both JWS integrity verification on inbound inter-PLMN messages and JWE confidentiality for outbound messages carrying sensitive NF data. PRINS enforcement is defined in TS 33.501 Section 13 and is not optional — an N32 interface operating without it provides no meaningful improvement over 4G Diameter roaming exposure.

OAuth 2.0 token lifecycle management is the second critical control. Each NF must validate the access token presented on every incoming service request against the NRF's published JWKS (JSON Web Key Set). NRF-issued tokens must be scoped to specific NF service operations and issued with short TTLs to bound the exposure window from any single token compromise. The NRF private signing key must be treated as high-value key material: stored in a hardware security module, rotated on a defined schedule, and monitored for anomalous token issuance patterns.
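
An added example, not NRF or vendor code: the producer-side validation described above, with a pinned algorithm, a signature check against the published JWKS, and audience, expiry and scope checks. The claim names, the service names such as nudm-sdm, the key id and the deliberately insecure demo RSA key are assumptions made for illustration; a deployment would use a maintained JOSE library.

```python
import base64, hashlib, hmac, json

# Constructed, insecure demo RSA key (two Mersenne primes) standing in for the NRF
# signing key, so the example runs offline with the standard library only.
E = 65537
N = (2**521 - 1) * (2**607 - 1)
D = pow(E, -1, (2**521 - 2) * (2**607 - 2))
K = (N.bit_length() + 7) // 8
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a k-byte modulus."""
    t = DIGESTINFO_SHA256 + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

# JWKS as published by the (demo) NRF: RFC 7517 fields, values from the key above.
JWKS = {"keys": [{"kty": "RSA", "kid": "nrf-1", "n": b64u(N.to_bytes(K, "big")),
                  "e": b64u(E.to_bytes(3, "big"))}]}

def mint(claims, alg="RS256", d=D):
    """Demo-only stand-in for the NRF token endpoint."""
    head = b64u(json.dumps({"alg": alg, "kid": "nrf-1"}).encode())
    signing_input = head + "." + b64u(json.dumps(claims).encode())
    sig = pow(int.from_bytes(emsa(signing_input.encode(), K), "big"), d, N)
    return signing_input + "." + b64u(sig.to_bytes(K, "big"))

def validate(token, jwks, self_id, service, now):
    """Producer-NF check on one request: returns the claims or raises ValueError."""
    try:
        h64, c64, s64 = token.split(".")
        header, claims, sig = json.loads(unb64u(h64)), json.loads(unb64u(c64)), unb64u(s64)
        alg, kid = header.get("alg"), header.get("kid")
        aud, exp, scope = claims.get("aud"), claims.get("exp"), claims.get("scope")
    except Exception as err:
        raise ValueError("malformed token") from err
    if alg != "RS256":  # pinned by the verifier, never taken from the token
        raise ValueError("algorithm not allowed")
    jwk = next((k for k in jwks["keys"] if k["kid"] == kid), None)
    if jwk is None:
        raise ValueError("kid not in the NRF JWKS")
    n, e = (int.from_bytes(unb64u(jwk[f]), "big") for f in ("n", "e"))
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= n or not hmac.compare_digest(
            pow(s, e, n).to_bytes(k, "big"), emsa(f"{h64}.{c64}".encode(), k)):
        raise ValueError("signature not made by an NRF key")
    if aud != self_id:
        raise ValueError("token issued for another NF")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("token expired or exp missing")
    if not isinstance(scope, str) or service not in scope.split():
        raise ValueError("scope does not cover " + service)
    return claims

if __name__ == "__main__":
    tok = mint({"sub": "amf-1", "aud": "udm-1", "scope": "nudm-sdm", "exp": 1_700_000_300})
    print(validate(tok, JWKS, "udm-1", "nudm-sdm", now=1_700_000_000))
```

The claims are parsed early but acted on only after the signature check passes, and a short `exp` is what bounds how long a leaked token stays usable.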

SUCI must be operationally enforced end to end. This requires that the home network operator deploys a valid home network public key to USIMs at manufacture or via over-the-air provisioning. AMF configuration must be set to reject any UE that presents a SUPI in clear text during initial registration rather than a SUCI. This rejects a class of legacy device or misconfigured UE that would otherwise reintroduce IMSI-exposure risk into a 5G SA deployment.
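
An added example, not from the original page: a check an operator could run over the identities seen in Registration Requests, covering the cleartext-SUPI rejection above and the fresh per-registration ephemeral key described under SUCI and identity concealment. The SUCI string layout and the scheme numbering (0 null scheme, 1 Profile A, 2 Profile B) are assumptions taken from TS 23.003 and TS 33.501 Annex C; every sample identity is constructed.

```python
import re

# String form of an IMSI-based SUCI (layout assumed from TS 23.003, not from the page):
# suci-0-<MCC>-<MNC>-<routing indicator>-<scheme id>-<HN public key id>-<scheme output>
SUCI_RE = re.compile(
    r"suci-0-(\d{3})-(\d{2,3})-(\d{1,4})-([0-9a-f])-(\d{1,3})-([0-9a-f]+)", re.I)
# Hex length of the ephemeral public key that leads the scheme output:
# scheme 1 (Profile A) 32-byte X25519 key, scheme 2 (Profile B) 33-byte compressed point.
EPH_HEX = {1: 64, 2: 66}
MAC_HEX = 16  # an 8-byte MAC tag closes the scheme output


def audit(identities):
    """Return (index, finding) for each registration identity that defeats concealment."""
    findings, first_seen = [], {}
    for i, ident in enumerate(identities):
        m = SUCI_RE.fullmatch(ident)
        if m is None:
            findings.append((i, "not a SUCI (SUPI in clear or malformed): reject"))
            continue
        mcc, mnc, _routing, scheme, _key_id, output = m.groups()
        scheme = int(scheme, 16)
        if scheme == 0:
            findings.append((i, "null scheme, MSIN sent unencrypted: reject"))
            continue
        eph_len = EPH_HEX.get(scheme)
        if eph_len is None or len(output) <= eph_len + MAC_HEX:
            findings.append((i, "unknown scheme or truncated scheme output: reject"))
            continue
        key = (mcc, mnc, scheme, output[:eph_len].lower())
        if key in first_seen:
            findings.append((i, f"ephemeral key repeats registration {first_seen[key]}: linkable"))
        else:
            first_seen[key] = i
    return findings


def profile_a(key_byte, ciphertext, mac_byte):
    """Build a constructed Profile A SUCI for test PLMN 001/01 (not a capture)."""
    return f"suci-0-001-01-0000-1-1-{key_byte * 32}{ciphertext}{mac_byte * 8}"


SAMPLE = [
    profile_a("a1", "3f9c0b7e21", "5d"),
    profile_a("b2", "77d01a9e4c", "e0"),
    "suci-0-001-01-0000-0-0-0000000001",   # null scheme
    profile_a("a1", "c4410d52aa", "19"),   # same ephemeral key as entry 0
    "imsi-001010000000001",                # SUPI presented in clear
]

if __name__ == "__main__":
    for index, finding in audit(SAMPLE):
        print(index, finding)
```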

UPF isolation is a network architecture control, not a protocol control. Because the UPF sits at the junction of the control plane (N4 to SMF) and the user plane (N3 to gNB, N6 to data network), it is the highest-value lateral movement target in 5GC for an attacker who has obtained a foothold elsewhere in the network. UPF instances — particularly those serving different network slices — must be segregated from control plane NFs at the network layer, with microsegmentation enforced per slice boundary.

Bidding-down protection requires AMF configuration to enforce 5G SA attachment for UEs that advertise SA capability when attaching to SA-capable cells. Operators should also consider 5G NR standalone-only cell configurations in deployments where the SA security posture must be guaranteed — eliminating the radio-layer condition that enables forced fallback.


Spec references

  • TS 23.501 — The normative system architecture specification for the 5G System. Section 4 defines the Service-Based Architecture concept, the NRF service discovery model, and the reference point representation. Section 6 defines each network function and its service operations. This is the primary reference for understanding how 5GC is structured and how NFs interact.

  • TS 33.501 — The security architecture and procedures specification. Section 5 covers the 5G security architecture overview and NDS/IP requirements for NF-to-NF protection. Section 6 specifies the 5G-AKA and EAP-AKA' authentication procedures and the SUCI mechanism in full. Section 9 addresses network domain security for the SBA, including the OAuth 2.0 framework and TLS profile. Section 13 specifies SEPP and PRINS in detail — this section is the normative reference for inter-PLMN security configuration.

  • TS 29.500 — The technical realisation of the Service-Based Architecture. Specifies the HTTP/2 binding for SBI (Service-Based Interface) interactions, the TLS version and cipher suite requirements, the use of JSON and OpenAPI for service definitions, and the OAuth 2.0 token request and validation procedures. The operational companion to the architectural specification in TS 23.501.


5G SA is the successor to both 4G EPC — which it replaces entirely — and the transitional 5G NSA architecture, which retains the 4G core. Understanding the delta between NSA and SA is essential for operators planning core migration.

The principal network functions of 5GC each have dedicated topics: AMF covers access and mobility management, SMF covers session management, UPF covers the user plane function, and AUSF covers authentication. These topics detail the per-NF service operations, interfaces, and security considerations that TS 23.501 Section 6 defines at a high level.

For the roaming dimension, Roaming architecture covers how 5G SA inter-PLMN roaming is structured relative to 4G and how SEPP fits into the overall interconnect model.

For the security dimension in full, 5G security provides the complete threat taxonomy for 5GC, covering SUCI implementation issues, SEPP misconfigurations, NRF token abuse, and the relationship between 5G SA security properties and the residual exposures inherited through NSA deployments and 2G/3G fallback paths.