Cell Broadcast Service or Public Warning System in 5G

  • Cell Broadcast Service or Public warning system is part of 5G cell broadcast mechanism.
  • Cell Broadcast Centre Function(CBCF), is generic broadcast centre responsible for all kind of broadcast messages including paid advertisement.
  • Public Warning System(PWS) is specific to public warning related broadcast messages like Earthquake, Tsunami etc.
Cell Broadcast and public warning system topology
  • Both the entities can Write/Replace/Cancel broadcast messages to AMF via Namf SAP(N50) interface.
  • When writing Broadcast message to AMF, CBCF/PWS need to provide the content of the message, message ID, number of broadcast, broadcast intervals etc.
  • At any point of time CBCF/PWS can cancel a broadcast by specifying the message ID that is currently actively broadcasted.

Warnning message delivery procedure in NG-RAN

Write/Replace Warnning message by AMF to NG-RAN

PWS Cancel Procedure

PWS Restart indication

PWS Failure Indication

5G Security (5G AKA Authentication)

5G Security Procedure between UE and Network

Security Types in 5G Network

  1. Security required for UE to access network services comes under Network access security. This security mainly cover Authentication, Integrity and ciphering of Signalling and data.
  2. Domain Security mainly covers secure communication between different Network nodes.
  3. Application domain security covers security mechanism between peer applications.
  4. There are two different kind of authentication

Different Authentication, Ciphering and Integrity Algorithms

  • In most cases for Authentication Key Agreement(AKA), operators use Milenage/TUAK algorithm. But some cases proprietary algorithm.
  • For Cyphering and Integrity Protection following Algorithms are used. 

Ciphering Algorithms

Integrity Algorithms

Key Distribution

5G AKA Authentication Procedure

Authentication Flow Steps

  1. After receiving Registration Request, AMF  initiates authentication procedure with UE, if UE security context is not existing with AMF.
  2. AMF sends Nausf_UEAuthentications Request with SUCI or SUPI and Serving network name.
  3. AUSF based on the Serving Network name, determine if AMF is authorised to send this message.
  4. Then AUSF, sends Nudm_UEAuthentication_Get Request with SUPI/SUCI to UDM.
  5. UDM Calculates the 5G HE AV as below. UDM Uses Milenage functions to derive MAC, XRES, CK, IK and AK.
  • UDM derives Kausf is as follows using HMAC-SHA-256(K, S) KDF(Key Derivation Function) function as below.
  • UDM derives XRES* as follows using HMAC-SHA-256(K, S) KDF function.
  • UDM derives 5G HE AV from above derived keys as below and send it to AUSF with message “Nudm_Authentication get Response” 5G HE AV = RAND ‖ XRES* ‖ Kausf ‖ AUTN
  1. Derivation of 5G SE AV at AUSF
  • HXRES* Calculation at AUSF: HXRES* is 128 bit MSB of the output of SHA-256 hash, calculated by passing RAND || XRES* as input to SHA-256 algorithm.
  • AUSF derives Kseaf from Kausf by passing K= Kausf  and S = 0x6C || Serving Network Name || Lenth of Serving Network Name to KDF function.
  • AUSF calculates 5G AV and 5G SE AV as below and send 5G SE AV to AMF. 5G AV = RAND ‖ HXRES* ‖ Kseaf ‖ AUTN 5G SE AV = RAND ‖ HXRES* ‖ AUTN
  1. AMF Sends NAS Authentication Request to UE with RAND and AUTN from 5G SE AV.
  1. UE Uses Milenage functions to derive XMAC, RES, CK, IK as below.
  1. UE Verify the MAC received in AUTN with XMAC calculated above to authenticate the network and check the freshness of AUTN. Here if the comparison fails then it will send authentication failure with AUTS.
  1. UE derives RES* as follows using HMAC-SHA-256(K, S) KDF function. using keys calculated above, and then sends RES* to AMF.
  1. AMF Calculates HRES* from RES* : HRES* is 128 bit MSB of the output of SHA-256 hash, calculated by passing RAND || RES* as input to SHA-256 algorithm.
  1. AMF compares HRES*(Calculated above) with HXRES* received from AUSF to check for successful authentication.
  1. AMF sends RES* received from UE to AUSF with “Authenticate Request” message.
  1. AUSF compares RES* with the XRES*(part of 5G HE AV) received from UDM in step 5.
  1. If Comparison is successful, AUSF sends Authentication Event notification to UDM with “Success”.

5G Network Identity SUPI/SUCI


In 5G in order to protect UE permanent Identity (SUPI- Subscription Permanent Identifier )  UE never transmit SUPI as it is. UE conceal(encrypt) SUPI using encryption scheme to create SUCI(Subscription Concealed Identifier), before sending it to core network.

Concealing can be done in USIM or ME(Mobile Equipment) depending on the indication configured in USIM by operator. If no indicator present, ME does the concealing.
In core network only UDM has authority to de-conceal the SUCI. 

Identity flow between UE and Network

Decoding of SUCI

SUPI Type: consisting in a value in the range 0 to 7. It identifies the type of the SUPI concealed in the SUCI. The following values are defined

–  0: IMSI
–  1: Network Specific Identifier
–  2 to 7: spare values for future use.

Home Network Identifier: identifying the home network of the subscriber.

When the SUPI Type is an IMSI, the Home Network Identifier is composed of two parts:
–  Mobile Country Code (MCC), consisting of three decimal digits.
–  Mobile Network Code (MNC), consisting of two or three decimal digits.
When the SUPI type is a Network Specific Identifier, the Home Network Identifier consists of a string of characters with a variable length representing a domain name. Ex. abc@xyz.com

Routing Indicator: consisting of 1 to 4 decimal digits assigned by the home network operator and provisioned in the USIM.

Routing Indicator: consisting of 1 to 4 decimal digits assigned by the home network operator and provisioned in the USIM.

Protection Scheme Identifier: consisting in a value in the range of 0 to 15 and represented in 4 bits.

  • null-scheme         0x0;
  • Profile <A>         0x1;
  • Profile <B>         0x2.

Home Network Public Key Identifier: consisting in a value in the range 0 to 255. It represents a public key provisioned by the HPLMN and it is used to identify the key used for SUPI protection. In case of null-scheme being used, this data field shall be set to the value 0;

Scheme Output: consisting of a string of characters with a variable length or hexadecimal digits, dependent on the used protection scheme.

  • Null Scheme – For null scheme no encryption happens and scheme output field is replaced by MSIN(value after taking out MCC and MNC from IMSI) value of IMSI as it is.
  • Elliptic Curve Integrated Encryption Scheme(ECIES) Profile A – In this case scheme out put is further divided in two  parts:
    1. ECC ephemeral public key 64 bits, freshly generated using the provisioned ECIES input parameters.
    2. Ciphered Text, is of variable length 
  • Elliptic Curve Integrated Encryption Scheme(ECIES) Profile B – In this case scheme out put is further divided in two  parts
    1. ECC ephemeral public key 66 bits, freshly generated using the provisioned ECIES input parameters.
    2. Ciphered Text, is of variable length

Note: Detailed into Elliptic Curve Integrated Encryption Scheme(ECIES) will be discussed in another Blog.

5G Network Slicing Concepts


In 5G network communication infrastructure is not just confined to mobile voice/text communication, it is now segregated and very diversified to different services like Industrial IoT, Smart home domestic IoT, Low latency Medical communication, high bandwidth mobile broadband etc. And each of these services require different data behavior and QoS from network infrastructure.

In 5G each network node is equipped with special features to serve the purpose of one or multiple services and the kind of service supported by a particular node is defined in NSSF(Network Slice Selection Function). For any particular service request from UE, is served by a set of network entities associated with that Service and called a slice.

NSSAI(Network Slice Selection Assistance Information) Structure and Fundamentals

  • Network Slice configuration Information can have multiple NSSAI
  • Each PLMN can have at most one configured NSSAI
  • Each NSSAI has multiple S-NSSAI slices.
  • Each S-NSSAI slice has multiple DNNs configured.
  • A configured NSSAI can be configured by a serving PLMN or default NSSAI configured by HPLMN.
  • If Serving PLMN doesn’t have specific configured PLMN then it uses default configured NSSAI from HPLMN.
  • UE is pre-configured/provisioned by signalling message with default configured NSSAI by HPLMN.
  • UE is only configured with a set of subscribed S-NSSAIs out of the default configured NSSAI, which is a subset of the S-NSSAIs configured inside default configured NSSAI in HPLMN.
  • Allowed S-NSSAIs provided to the UE can have values, which are not served by Serving PLMN, in that case Serving PLMN updates the allowed S-NSSAI list with mapping to corresponding S-NSSAI of the HPLMN.

S-NSSAI and it’s Structure

Each Slice is identified by S-NSSAI (single network slice selection identifier)

  • SST is required value where was SD is optional
  • SST refer to expected behaviour of the slice.
  • SD is optional and differentiates among multiple slices with same SST.

  • UE during Registration and PDU session Establishment sends S-NSSAI value and optionally HPLMN NSSAI value, if in visiting area.
  • The requested NSSAI signalled by UE to network allows the network to select appropriate serving AMF, Network slice and network slice instance.
  • Based on the subscription data, one UE can have subscription to multiple S-NSSAIs and one of them can be marked as default S-NSSAI.
  • Subscription information for each S-NSSAI may have multiple DNN and one of them is default DNN.

Services provided by NSSF

Nnssf_NSSelection_Get service operation

  • May be invoked during Registration, for serving AMF selection and re-allocation.
  • PDU session establishment procedure, for SMF selection.
  • UE configuration update procedure, to update allowed S-NNAIs to UEs in current serving PLMN.


  • Nnssf_NSSAIAvailability_Update : In this process, AMF updates NSSF with S-NSSAIs supported by AMF per TA and   gets back availability of S-NSSAIs for each TA.
  • Nnssf_NSSAIAvailability_Notify  : AMF notify NSSF with restricted S-NSSAIs per TA using this procedure.

AMF Re-allocation Procedure

During UE registration procedure, if AMF doesn’t support one or more requested S-NSSAIs which is allowed by SPLMN/HPLMN then it request NSSF to provide the appropriate AMF to redirect the registration request from UE.

5G Way Through Unlicensed Spectrum

Utilizing unlicensed Spectrum

Unlicensed spectrum band is used by low-power devices such as WiFi or Bluetooth devices to communicate wireless signals over short range. For this spectrum band, there is no regulatory to provide license or it is free band as far as the transmission power is low. Some common devices in this category are home security system, WiFi remote camera, cordless phones and Bluetooth speakers/headsets.

For unlicensed transmission, in order to avoid larger interference, different devices operate in different frequency range like WiFi is regulated to use 2.4 GHz or 5 GHz band.

Good examples of Unlicensed spectrum utilization in communication.

  • WiFi offload: Offloading cellular traffic over WiFi Access points.
  • LTE-U : Transmitting LTE signal over unlicensed spectrum with low power for Home base station to cover small buildings.
  • LAA : License Assisted Access is a LTE aggregation technology(R-13) to aggregate Licensed LTE band(Anchor Band) with unlicensed bands.
  • Higher order MIMO in WiFi: This is multiple antenna WiFi technology(802.11ac) gives higher order MIMO to transmit Gigabits/s of traffic over WiFi access points.

5G System Objectives

5G is more than just another version of mobile network. It has to deal with most diversified communication infrastructures which has very diversified aspects described as below.

High speed radio access: 5G will provide download speeds of up to 20 Gbps. Why would anyone ever need that much speed?, Because of the evaluation of cloud based technology, online gaming and mobile edge computing, all the devices need a high speed and low latency connectivity to other edge nodes. And these are main driving force behind high data rate requirement. And in future this requirement is going to go up. It’s also important to remember that bandwidth is shared by all the users on a cell tower.

Ultra-low latency: 5G networks will be used to control autonomous cars, Health care communication like remote operation theatre and high precision mission-critical system. High reliability and availability at all times is base target for 5G systems.

Massive Connectivity: In this increasing smart world, 5G has to deal with millions of IoT devices and higher order density. By 2020 there will be approximately 21 billions of connected devices, excluding smartphones. Most of the IoT devices are remotely located and operated by batteries and constrained to transmit small amount of data like Smart electricity or water meters and parking sensors.  And 5G has to deal with device transmission power management and scale of the devices.

5G Driving Forces

Speed and scale: Up to 20Gbps wireless connectivity, with help of Carrier aggregation, Massive MIMO, higher order QAM

Unlicensed Spectrum: Mobile Operators, now a days prefer to unlicensed spectrum technologies such as WiFi, LTE-U, LAA or Multifire to cover coverage holes where regular radio network can’t penetrate. And this is one of the preference due to low infrastructure cost, free spectrum availability. 5G defined specs deals with inter working of 5G system with these unlicensed access technologies.

IoT : In cellular technologies, IoT is not new, as it is part of LTE/4G in different transmission technologies such as NB-IoT(Narrow band IoT), CAT-M1. and also non-LTE technologies such as LoRA and Sigfox. 5G is also going to have inbuilt IoT technologies which is going to support massive scale of IoT devices.

Virtualization: NFV enables massive scaling of network functions, easy and quick deployment(elastic network) and early to market are integral feature of 5G system.  5G specs have defined fully virtualised network functions and service based interfaces for cloud based deployment of network elements.

New Radio (NR): 5G NR is a new air interface being developed for 5G which uses millimetre wave ranging frequency band from 2.5 Ghz to 40 GHz. Although 5G NR uses same OFDM modulation as LTE, it is optimised to have better performance.