
Content for TS 33.535, Word version 18.4.0


4  Architecture for AKMA

4.1  Reference model

Figure 4.1-1 shows the fundamental network model of AKMA and the interfaces between its network elements.
Reproduction of 3GPP TS 33.535, Fig. 4.1-1: Fundamental Network Model for AKMA
Figure 4.1-2 shows the AKMA architecture using the reference point representation.
Reproduction of 3GPP TS 33.535, Fig. 4.1-2: AKMA Architecture in reference point representation for (a) internal AFs of HPLMN and (b) external AFs
The AKMA service requires a new logical entity, called the AKMA Anchor Function (AAnF).
The AKMA architecture in Figure 4.1-2 is applicable to both the roaming and the non-roaming scenarios:
  • non-roaming: the UE is in the HPLMN and accessing an AF;
  • roaming scenario#1: the UE is in a VPLMN and accessing an internal HPLMN AF;
  • roaming scenario#2: the UE is in a VPLMN and accessing an internal VPLMN AF;
  • roaming scenario#3: the UE is in a VPLMN and accessing an external AF in the Data Network.

4.2  Network elements

4.2.1  AAnF

The AAnF is the anchor function in the HPLMN. The AAnF stores the AKMA Anchor Key (KAKMA) and the SUPI/GPSI for the AKMA service, which it receives from the AUSF/UDM after the UE completes a successful 5G primary authentication. The AAnF also generates the key material to be used between the UE and the Application Function (AF) and maintains UE AKMA contexts. The AAnF sends the SUPI/GPSI of the UE to an AF located inside the operator's network according to the AF request, or sends the SUPI to the NEF. If the GPSI is required, the AAnF retrieves it from the UDM based on the available SUPI. The AAnF has the capability to trigger a primary authentication for the purpose of refreshing KAKMA.

4.2.2  AF

The AF is defined in TS 23.501 with additional functions:
  • An AF with the AKMA service enabled requests the AKMA Application Key, called KAF, from the AAnF using the A-KID.
  • The AF shall be authenticated and authorized by the operator network before the KAF is provided to it.
  • An AF located inside the operator's network performs the AAnF selection.

4.2.3  NEF

The NEF is defined in TS 23.501 with additional functions:
  • The NEF enables and authorizes the external AF accessing the AKMA service and forwards the request towards the AAnF.
  • The NEF performs the AAnF selection.

4.2.4  AUSF

The AUSF is defined in TS 23.501 with additional functions:
  • AUSF provides the SUPI and the AKMA key material (A-KID, KAKMA) of the UE to the AAnF.
  • AUSF performs the AAnF selection.

4.2.5  UDM

The UDM is defined in TS 23.501 with the additional functions:
  • UDM stores AKMA subscription data of the subscriber and provides AKMA indication and RID to AUSF.
  • UDM triggers primary authentication to refresh KAKMA.

4.3  AKMA Service-Based Interfaces (SBIs)

4.3.0  General

The following interfaces are involved in the AKMA network architecture:
The AAnF interacts with the AUSF and the AF using Service-Based Interfaces. When the AF is located in the operator's network, the AAnF shall use a Service-Based Interface to communicate with the AF directly. When the AF is located outside the operator's network, the NEF shall be used to exchange the messages between the AF and the AAnF.

4.3.1  Void

4.4  Security requirements and principles for AKMA

4.4.0  General

The following security requirements are applicable to AKMA:
  • AKMA shall reuse the same UE subscription and the same credentials used for 5G access.
  • AKMA shall reuse the 5G primary authentication procedure and methods specified in TS 33.501 for the sake of implicit authentication for AKMA services.
  • The SBA interface between the AAnF and the AUSF shall be confidentiality, integrity and replay protected.
  • The SBA interface between AAnF and AF/NEF shall be confidentiality, integrity and replay protected.
  • The SBA interface between AAnF and UDM shall be confidentiality, integrity and replay protected.
  • The AKMA Application Key (KAF) shall be provided with a maximum lifetime based on the operator's local authentication policy.

4.4.1  Requirements on Ua* reference point

The Ua* reference point is application specific. The generic requirements for Ua* are:
  • The Ua* protocol shall be able to carry the AKMA Key Identifier (A-KID).
  • The UE and the AKMA AF shall be able to secure the reference point Ua* using the AKMA Application Key derived from the AKMA Anchor Key.
  • The Ua* protocol shall be able to handle the expiration of KAF.

4.4.2  Requirements on AKMA Key Identifier (A-KID)

Requirements for AKMA Key Identifier (A-KID) are:
  • A-KID shall be globally unique.
  • A-KID shall be usable as a key identifier in protocols used in the reference point Ua*.
  • AKMA AF shall be able to identify the AAnF serving the UE from the A-KID.

4.4.3  Requirements on the UE |R17|

The requirements on the UE are:
  • Applications on the UE shall not be able to get access to KAKMA.
  • An application on the UE shall only get the KAF keys related to specific AF Identifiers (AF_IDs) that the application is authorized to get.
  • An application on the UE shall not be able to get access to the KAF keys that belong to other applications.
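The following is an added illustration of the three UE-side rules above together with the KAF lifetime requirement of clause 4.4.0; it is constructed example code, not code from the specification or any implementation. The KDF used to derive KAF from KAKMA is an assumed HMAC-SHA256 stand-in (the normative derivation is outside this clause), and the AF_IDs, A-KID and key values are constructed sample data.

```python
import hashlib
import hmac
import time


class KafExpiredError(Exception):
    """The KAF lifetime has elapsed; a new KAKMA (new primary authentication) is needed."""


def derive_kaf(k_akma: bytes, af_id: bytes) -> bytes:
    # Assumed stand-in KDF: HMAC-SHA256 over a label and the AF_ID. The
    # normative KAF derivation is specified elsewhere in TS 33.535.
    return hmac.new(k_akma, b"KAF" + af_id, hashlib.sha256).digest()


class UeAkmaKeyStore:
    """UE-side AKMA key holder enforcing the clause 4.4.3 rules (constructed example)."""

    def __init__(self, k_akma: bytes, a_kid: str, kaf_lifetime_s: int, clock=time.time):
        self.__k_akma = k_akma                 # rule 1: never handed to applications
        self.a_kid = a_kid                     # carried over Ua* so the AF can find the AAnF
        self.kaf_lifetime_s = kaf_lifetime_s   # operator-set maximum KAF lifetime (4.4.0)
        self._clock = clock
        self._authz = {}                       # app_id -> set of AF_IDs it may request
        self._kaf = {}                         # af_id -> (KAF, expiry time)

    def authorize(self, app_id: str, af_id: bytes) -> None:
        self._authz.setdefault(app_id, set()).add(af_id)

    def get_kaf(self, app_id: str, af_id: bytes) -> tuple:
        # Rules 2 and 3: an application only receives KAF for AF_IDs it is
        # authorised for, so it can never obtain another application's KAF.
        if af_id not in self._authz.get(app_id, set()):
            raise PermissionError(f"{app_id} is not authorised for AF_ID {af_id!r}")
        now = self._clock()
        if af_id not in self._kaf:
            self._kaf[af_id] = (derive_kaf(self.__k_akma, af_id), now + self.kaf_lifetime_s)
        k_af, expiry = self._kaf[af_id]
        # Re-deriving from the same KAKMA yields the same KAF, so an expired KAF
        # cannot be fixed locally: the anchor key itself has to be refreshed.
        if now >= expiry:
            raise KafExpiredError("KAF expired; KAKMA refresh via primary authentication required")
        return k_af, self.a_kid

    def refresh_k_akma(self, k_akma: bytes, a_kid: str) -> None:
        """Install the anchor key from a new primary authentication; all KAF state is dropped."""
        self.__k_akma = k_akma
        self.a_kid = a_kid
        self._kaf.clear()
```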

4.5  AKMA reference points

The AKMA architecture reuses the following reference points from the 5GC for the execution of the primary authentication procedure:
N1: Reference point between the UE and the AMF.
N2: Reference point between the (R)AN and the AMF.
N12: Reference point between the AMF and the AUSF.
N13: Reference point between the UDM and the AUSF.
N33: Reference point between the NEF and an external AF.
The AKMA architecture defines the following reference points:
N61: Reference point between the AAnF and the AUSF.
N62: Reference point between the AAnF and an internal AF.
N63: Reference point between the AAnF and the NEF.
Ua*: Reference point between the UE and an AF.
