
High level security architecture for NR

How 5G Networks Authenticate Users

Security is one of the strongest pillars of 5G NR.
Its security architecture (specified in 3GPP TS 33.501) is designed to resist:

  • Man-in-the-Middle (MITM) attacks
  • Impersonation attacks
  • Rogue base stations (stingrays/IMSI catchers)
  • Key extraction attempts
  • Replay attacks
  • Privacy breaches
     

Here, we explore how 5G securely authenticates users, handles keys, protects the air-interface, and maintains privacy through technologies like SUCI, 5G-AKA, NAS/RRC encryption, and secure SIM/eSIM architecture.

1. 5G Security Architecture: The High-Level View

This page groups 5G security into three layers (TS 33.501 itself defines more security domains, but these three cover the path a UE's traffic takes):

1. NAS Security (Non-Access Stratum)

Protects the signalling between UE ↔ AMF (registration, mobility management, session management) with both integrity protection and ciphering. "NAS" here means Non-Access Stratum, not "network access".

2. AS Security (Access Stratum)

Protects UE ↔ gNB: RRC signalling and user-plane data, applied in the PDCP layer.

3. Network Domain Security + End-to-End Security

Protects traffic between network functions and between operators (for example the N2/N3 interfaces and the roaming path, typically with IPsec or TLS), plus the vertical/enterprise applications running on top.

5G pushes security deeper, introducing stronger algorithms, mutual authentication, and encrypted identities.

2. Authentication in 5G (5G-AKA and EAP-AKA’)

Authentication ensures:

  • The network is genuine
  • The UE is genuine
  • Keys can be safely generated


5G uses two primary authentication methods:

  1. 5G-AKA (Authentication and Key Agreement)
  2. EAP-AKA’ (the EAP method for AKA, RFC 5448, obsoleted by RFC 9048; the EAP packets are carried inside NAS messages)

Both provide mutual authentication, meaning:

  • UE verifies the network (the USIM recomputes the MAC in AUTN with the long-term key K and checks the sequence number)
  • Network verifies the UE (the response RES/RES* can only be computed from K and the challenge RAND)


Mutual authentication itself is not new: UMTS AKA and EPS-AKA already had it. What 5G adds is home-network control (in 5G-AKA the AUSF in the home network, not only the visited SEAF, checks the UE's response, and RES* and the keys are bound to the serving network name) and identity concealment with SUCI. Together these stop a rogue base station from harvesting permanent identities or from authenticating itself as the real network. They do not stop it from sending unprotected messages before security is activated, which is why denial of service by fake cells remains possible.

3. How 5G Protects Against Man-in-the-Middle Attacks

3.1 No IMSI Over the Air: SUCI

In 2G/3G/4G, the IMSI (permanent identity) had to be sent in clear at least on the first attach, so a rogue base station could collect it.
In 5G, the permanent identity is the SUPI (an IMSI, or a NAI for private networks). It is transformed into a SUCI (Subscription Concealed Identifier) before being transmitted.

How SUCI works:

  • The USIM is provisioned with the home network’s public key, a key identifier and the protection scheme to use (Profile A: X25519, Profile B: secp256r1)
  • Before sending its identity, the UE (USIM or ME):
    • Generates a fresh ephemeral key pair and runs ECDH with the home network public key
    • Derives an encryption key, a counter block and a MAC key from the shared secret (ECIES, Elliptic Curve Integrated Encryption Scheme)
    • Encrypts the MSIN (the subscriber part of the IMSI) with AES-128-CTR and appends an 8-byte HMAC-SHA-256 tag
  • The SUCI sent to the network carries the MCC/MNC and routing indicator in clear (the serving network needs them to reach the home network), the scheme ID, the public key ID, and the scheme output (ephemeral public key || ciphertext || MAC)
  • Only the SIDF in the home network UDM, which holds the private key, can recover the SUPI


This means:

✔ The MSIN is never sent in clear (the MCC/MNC is)
✔ Each SUCI uses a fresh ephemeral key, so two SUCIs from the same subscriber cannot be linked by content
✔ A rogue base station cannot turn a captured SUCI into an IMSI

Two caveats a practitioner should check. If the operator has not provisioned a public key in the USIM, the UE falls back to the "null scheme" and the SUPI goes over the air in clear. And the SUCI is only used at initial registration; afterwards the network assigns a temporary 5G-GUTI, so a 5G-GUTI that is not re-allocated often enough still allows tracking.
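The ECIES computation above, as an added worked example (this is not code from the original page): a Go program modelled on Profile A of TS 33.501 Annex C (X25519, ANSI X9.63 KDF with SHA-256, AES-128-CTR, HMAC-SHA-256 with an 8-byte tag), with the UE side (ConcealMSIN) and the home network SIDF side (DeconcealMSIN). The home network key pair and the MSIN are constructed for the demo; the MSIN is passed as a plain byte string rather than BCD-packed as in the real NAS encoding, and the SUCI framing fields (MCC/MNC, routing indicator, scheme ID, key ID) are left out, so only the scheme output is produced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// x963KDF is the ANSI X9.63 KDF used by ECIES: SHA-256(z || counter || sharedInfo) for counter = 1, 2, ...
func x963KDF(z, sharedInfo []byte, outLen int) []byte {
	var out []byte
	for i := uint32(1); len(out) < outLen; i++ {
		h := sha256.New()
		h.Write(z)
		h.Write(binary.BigEndian.AppendUint32(nil, i))
		h.Write(sharedInfo)
		out = h.Sum(out)
	}
	return out[:outLen]
}

// deriveKeys splits the KDF output into AES-128 key || CTR initial counter block || HMAC key.
// SharedInfo1 is the ephemeral public key, SharedInfo2 is empty (TS 33.501 Annex C, Profile A).
func deriveKeys(shared, ephPub []byte) (encKey, icb, macKey []byte) {
	k := x963KDF(shared, ephPub, 16+16+32)
	return k[:16], k[16:32], k[32:]
}

// ConcealMSIN is the UE side: a fresh ephemeral X25519 key, ECDH with the home network
// public key, AES-128-CTR over the MSIN and an 8-byte HMAC-SHA-256 tag over the ciphertext.
// It returns the scheme output: ephemeral public key || ciphertext || MAC tag.
func ConcealMSIN(hnPub *ecdh.PublicKey, msin []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(hnPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	encKey, icb, macKey := deriveKeys(shared, ephPub)
	block, _ := aes.NewCipher(encKey)
	ct := make([]byte, len(msin))
	cipher.NewCTR(block, icb).XORKeyStream(ct, msin)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	return append(append(append([]byte{}, ephPub...), ct...), mac.Sum(nil)[:8]...), nil
}

// DeconcealMSIN is the SIDF side in the home network: recompute the shared secret with the
// long-term private key, check the MAC before decrypting anything, then decrypt.
func DeconcealMSIN(hnPriv *ecdh.PrivateKey, so []byte) ([]byte, error) {
	if len(so) < 32+1+8 {
		return nil, errors.New("scheme output too short")
	}
	ephPubBytes, ct, tag := so[:32], so[32:len(so)-8], so[len(so)-8:]
	ephPub, err := ecdh.X25519().NewPublicKey(ephPubBytes)
	if err != nil {
		return nil, err
	}
	shared, err := hnPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	encKey, icb, macKey := deriveKeys(shared, ephPubBytes)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil)[:8], tag) {
		return nil, errors.New("SUCI MAC check failed")
	}
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, icb).XORKeyStream(pt, ct)
	return pt, nil
}

func main() {
	// Constructed home network key pair and MSIN; the MCC/MNC part of the IMSI is never encrypted.
	hnPriv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	msin := []byte("0123456789")
	a, _ := ConcealMSIN(hnPriv.PublicKey(), msin)
	b, _ := ConcealMSIN(hnPriv.PublicKey(), msin)
	fmt.Printf("scheme output (%d bytes): %x\n", len(a), a)
	fmt.Println("same SUPI, identical SUCIs?", string(a) == string(b))
	recovered, err := DeconcealMSIN(hnPriv, a)
	fmt.Printf("SIDF recovered MSIN: %s (err=%v)\n", recovered, err)
}
```

Two runs with the same MSIN give different scheme outputs, which is what prevents linking by content, and a flipped ciphertext byte or a wrong private key is rejected at the MAC check before any plaintext is produced.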

4. The 5G Handshake With The Network (5G-AKA Process)

Here is the 5G-AKA flow (EAP-AKA’ runs the same challenge-response inside EAP packets carried over NAS):

  1. UE → gNB → AMF/SEAF: Registration Request carrying the SUCI (or a 5G-GUTI from an earlier registration)
    The gNB only forwards the NAS message; it never sees the SUPI.
  2. SEAF → AUSF → UDM: Authentication request with the SUCI and the serving network name
    The UDM/SIDF de-conceals the SUCI into the SUPI and picks the authentication method from the subscription.
  3. Home network (UDM/ARPF) generates the 5G HE authentication vector
    Contains:
    • RAND (random challenge)
    • AUTN (authentication token: SQN ⊕ AK, the authentication management field, and a MAC)
    • XRES* (expected response, bound to the serving network name)
    • K_AUSF (key, also bound to the serving network name)


  4. AUSF keeps XRES* and K_AUSF
    It computes HXRES* = SHA-256(RAND || XRES*) (128 bits) and sends only RAND, AUTN and HXRES* to the SEAF.
  5. SEAF → UE: Authentication Request (RAND, AUTN) over NAS
  6. UE verifies the network
    The USIM recomputes the MAC in AUTN with K and checks the sequence number SQN. A wrong MAC means the challenge did not come from the home network; a stale SQN means a replayed challenge. In either case the UE refuses (MAC failure or synchronisation failure).
  7. UE generates RES*
    The USIM computes RES, CK and IK from K and RAND; the ME derives RES* = KDF(CK || IK, serving network name, RAND, RES) and sends it back.
  8. Network compares the response in two steps
    The SEAF checks HRES* = SHA-256(RAND || RES*) against HXRES*. Only on a match does it forward RES* to the AUSF, which compares it with XRES* and declares success. The home network therefore knows the outcome and can refuse to release K_SEAF.

  9. Key hierarchy begins
    • K_AUSF → K_SEAF (sent from AUSF to SEAF after success)
    • K_SEAF → K_AMF
    • K_AMF → NAS keys, and K_gNB → RRC/user-plane keys


Because RES* and the keys include the serving network name, a vector obtained for one network cannot be replayed in another, and because the UE checks SQN, a recorded (RAND, AUTN) pair cannot be replayed later. This mutual authentication is the root of 5G cryptographic security.

5. Which Layers Perform Encryption in 5G?

5G applies both ciphering and integrity protection at two layers of the UE-facing path:

5.1 NAS Security (UE ↔ AMF)

Protects:

  • Registration and registration updates
  • Identity messages (once security is active the network asks only for the 5G-GUTI; a request for the permanent identity is answered with a SUCI, never a SUPI)
  • Mobility management
  • Session management (PDU session establishment and modification)


Keys: K_NASenc (ciphering), K_NASint (integrity)

Algorithms: 128-NEA1/2/3 (ciphering) and 128-NIA1/2/3 (integrity), where 1 = SNOW 3G, 2 = AES (CTR mode for ciphering, CMAC for integrity) and 3 = ZUC. NEA0 and NIA0 are null algorithms: the network may select NEA0 where ciphering is not permitted, while NIA0 is allowed only for unauthenticated emergency sessions.

5.2 AS (Access Stratum) Security (UE ↔ Radio Network / gNB)

Protects, in the PDCP layer:

  • RRC signaling
  • User-plane data
  • Security configuration messages (the AS Security Mode Command is itself integrity protected with the new K_RRCint)


Keys: K_RRCenc, K_UPenc (ciphering) and K_RRCint, K_UPint (integrity), all derived from K_gNB

Algorithms:

  • Ciphering: NEA1/2/3
  • Integrity: NIA1/2/3


RRC signaling is always integrity protected once AS security is activated. User-plane integrity protection is supported by 5G UEs and gNBs but is enabled per PDU session by network policy and is not mandatory; where it is off, a ciphered user-plane packet can still be altered in transit, because a stream cipher such as NEA2 turns a flipped ciphertext bit into a flipped plaintext bit without any error. Whether UP integrity is actually switched on is an operator decision worth checking rather than assuming.

6. SIM, 5G SIM, and Embedded SIM Security Architecture

6.1 Role of the SIM (USIM / 5G-USIM)

The SIM includes:

  • IMSI/SUPI (permanent identity)
  • Home network public key and routing indicator (for SUCI)
  • Tamper-resistant secure hardware (a smart-card secure element)
  • Authentication algorithm (MILENAGE, TUAK)
  • Long-term symmetric key K, shared only with the home network’s ARPF


The SIM’s most important job:

✔ Never expose the secret key K (it is neither readable by the phone nor sent over the air; only the results of computations leave the card)
✔ Perform the AKA functions internally (the f1–f5 functions that produce MAC, RES, CK, IK and AK)
✔ Store the home network public key used for SUCI (and optionally compute the SUCI itself)
✔ Verify AUTN (MAC and sequence number)
✔ Generate RES (RES* is then derived in the ME from RES, CK and IK)

6.2 What is a 5G SIM (5G-USIM)?

A 5G USIM adds to a 4G USIM:

  • Files for the home network public key, protection scheme and routing indicator (EF_SUCI_Calc_Info, EF_Routing_Indicator in TS 31.102)
  • An indication of whether the USIM or the ME computes the SUCI
  • Files for storing the 5G NAS security context on the card
  • Support for EAP-AKA’ and for NAI-type (non-IMSI) SUPIs


A pre-5G USIM still works on 5G, but without a provisioned public key the ME uses the null scheme and the SUPI crosses the air interface in clear. Checking that subscribers’ USIMs actually carry the key is part of getting SUCI protection in practice, not only on paper.

6.3 Embedded SIM (eSIM)

eSIM is:

  • A programmable SIM chip (eUICC) soldered inside the device
  • Remotely provisioned via SM-DP+ (Subscription Manager Data Preparation+, GSMA SGP.22)
  • The same security model as a removable SIM (hardware-level key protection)


Security advantages:

  • Cannot be physically removed or swapped without access to the device
  • Harder to tamper with
  • Supports remote profile download and switching


The secret key K is still generated by the operator and delivered inside an encrypted profile that only the target eUICC can open; on the device it is stored in secure hardware and cannot be extracted. The remote provisioning chain (SM-DP+, its certificates and the device’s LPA) is a trust dependency a removable SIM does not have.

7. 5G Key Hierarchy (How Keys Are Derived)

Once authentication succeeds, the following keys are derived, each with the 3GPP generic KDF (HMAC-SHA-256 over a function code and length-prefixed parameters):

Root Key from SIM:

  • K (never leaves the USIM, or the ARPF in the home network)

Derived Keys:

  • CK, IK: produced by the USIM from K and RAND during AKA
  • K_AUSF: from CK || IK, the serving network name and SQN ⊕ AK (computed in the home network)
  • K_SEAF: from K_AUSF and the serving network name; the anchor key handed to the serving network
  • K_AMF: from K_SEAF, the SUPI and the ABBA parameter
  • K_NASenc / K_NASint: from K_AMF, the algorithm type and the algorithm identity
  • K_gNB: from K_AMF and the uplink NAS COUNT (so every new AS security context gets a fresh key)
  • K_RRCenc / K_RRCint and K_UPenc / K_UPint: from K_gNB, the algorithm type and the algorithm identity


The derivations are one-way, so a compromised lower key does not reveal the key above it: a breached gNB exposes K_gNB and the RRC/UP keys for that cell, but not K_AMF, the NAS keys or the anchor key, and never K. On handover the source gNB derives a new K_gNB* for the target cell, and the AMF supplies next-hop parameters so that a source gNB cannot compute the keys in use after the following handover.

8. How 5G Prevents Rogue Base Stations & MITM Attacks

8.1 SUCI protects identity

The MSIN is never sent in clear → a rogue cell cannot harvest IMSIs.

8.2 Mutual authentication

UE verifies the operator → a fake tower without K cannot produce a valid AUTN, so the UE never activates security with it.

8.3 Integrity protection

NAS and RRC messages carry a MAC computed with K_NASint / K_RRCint over the message and its COUNT, so they cannot be modified or forged once security is activated.

8.4 Encrypted control channels

NAS and RRC signalling are ciphered, so an eavesdropper cannot read identities, capabilities or session parameters. Confidentiality comes from ciphering; the protection against modification comes from the integrity protection in 8.3, not from encryption.

8.5 Replay protection

The SQN in AUTN, the NAS COUNT and the PDCP COUNT (inputs to every MAC and keystream computation) ensure that recorded messages cannot be replayed.

8.6 No fallback to insecure 2G

Some handsets can disable 2G entirely (an optional user setting), and the 5G NAS Security Mode Command replays the UE’s security capabilities so that a bid-down of the negotiated algorithms is detected. Neither stops a rogue cell from sending unprotected messages before security is activated (rejects, redirects), so rogue cells can still cause denial of service even where they cannot impersonate the network.


 

9. Current Challenges in 5G NR Security

Even with the strongest cellular security to date, challenges remain.

9.1 Multi-RAT attacks

Attackers try to force UEs to:

  • Downgrade to LTE/UMTS/2G (for example with a rogue cell that rejects 5G registration and redirects the UE)
  • Exploit the older weaknesses there (no SUCI, weak or absent ciphering in 2G)


5G protects the negotiation inside 5G (the NAS Security Mode Command replays the UE capabilities), but a UE that can still camp on 2G remains exposed; device manufacturers and users must be able to disable unsafe fallbacks.

9.2 Physical layer attacks

Jamming remains a real concern, and no cryptography helps against it:

  • Sync signal (SSB) jamming
  • PUCCH/PUSCH denial
  • PRACH flooding


9.3 Rogue gNB via unlicensed bands

In NR-U (5G NR in unlicensed spectrum), attackers can transmit cells freely since the band has no operator control. Such a cell still cannot pass authentication, but it can attract UEs and deny them service.

9.4 SUPI/IMSI leak through side channels

Even with SUCI, a subscriber can still be tracked through:

  • Location correlation (a 5G-GUTI reused across cells when the AMF does not re-allocate it)
  • Timing analysis (paging and registration patterns)
  • Serving cell fingerprinting and UE capability fingerprinting


9.5 MEC and Slicing introduce new attack surfaces

  • MEC applications have access to network resources
  • Slice isolation must be enforced
  • Slice compromise can cascade across networks
     

9.6 Supply-chain security

gNB vendors, firmware, and chipsets are now critical infrastructure.

9.7 Quantum security & Post-Quantum Cryptography

The symmetric parts of 5G (K, the AKA functions and the 128-bit NEA/NIA algorithms) are not broken by known quantum algorithms, although 256-bit variants are under study. The public-key part, the ECIES scheme that conceals the SUPI in the SUCI, relies on elliptic-curve Diffie-Hellman and would fall to a large quantum computer.
6G aims to integrate PQC algorithms.

10. Future of NR Security (6G Enhancements)

6G research is focusing on:

  • AI-driven anomaly detection
  • Quantum-safe cryptography
  • SIM-free identity based on hardware roots
  • Zero-trust architecture
  • Physical layer fingerprinting
  • Secure NTN (Non-Terrestrial Network) authentication

5G lays a strong foundation, but 6G will expand to global, AI-native, satellite-integrated, quantum-secure networks.

Copyright © 2025 NR5G - All Rights Reserved.
