YggdraSIM

3GPP NAA

Network Access Applications are the applets inside a UICC that actually authenticate a subscriber to a mobile network. In the 3GPP world the two dominant NAAs are the USIM and the ISIM. The 3GPP TS 31.102 specification describes the USIM shape, the file contents, and the authentication commands that every modern SIM and eSIM profile must implement. The vendored copy lives in docs/ts_131102v180400p.md.

Which NAA does what

| NAA | Standard | Role |
|---|---|---|
| USIM | 3GPP TS 31.102 | 2G/3G/4G/5G access authentication |
| ISIM | 3GPP TS 31.103 | IMS / VoLTE authentication |
| CSIM | 3GPP2 C.S0065 | CDMA access authentication |

All three live as ADFs under the MF. The profile loader in RSP workflows always lands at least a USIM ADF, and often an ISIM ADF as well, depending on the SAIP template.

Authentication at a glance

sequenceDiagram
    participant NW as Serving network (HLR / HSS)
    participant TE as Terminal / modem
    participant USIM as USIM ADF
    NW->>TE: AUTN + RAND
    TE->>USIM: AUTHENTICATE (RAND, AUTN)
    USIM->>USIM: Milenage / TUAK inside card
    USIM-->>TE: RES, CK, IK (and AUTS on SQN failure)
    TE-->>NW: RES (or AUTS for resync)

Figure: 3GPP AKA authentication — RAND/AUTN challenge to RES, with SQN resync

The card keeps the long-term key K in tamper-resistant storage and only releases derived material. Two algorithm families are standard:

  • Milenage, originally specified in 3GPP TS 35.206
  • TUAK, specified in 3GPP TS 35.231, offering a Keccak-based alternative

YggdraSIM exposes authentication execution from the admin shell for diagnostic work. It does not leak K out of the card; it only observes the derived output the card returns.
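
As an added example (not YggdraSIM's own code), the parser below decodes the AUTHENTICATE response data that a diagnostic session observes in the 3G security context, separating the success case (RES, CK, IK, optional Kc) from the resync case (AUTS). The 'DB'/'DC' tags and the length-value layout follow TS 31.102; the function and class names and the sample bytes are constructed for illustration.

```python
# Added example (not YggdraSIM code): decode a USIM AUTHENTICATE response
# data field, 3G security context (TS 31.102). Names are hypothetical.
from dataclasses import dataclass
from typing import Optional, Tuple

TAG_SUCCESS = 0xDB       # successful 3G authentication
TAG_SYNC_FAILURE = 0xDC  # SQN check failed, card returns AUTS

@dataclass
class AkaResult:
    synced: bool
    res: bytes = b""
    ck: bytes = b""
    ik: bytes = b""
    kc: Optional[bytes] = None  # present only when the card also returns Kc
    auts: bytes = b""

def _take_lv(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read one length-prefixed field without running past the buffer."""
    if pos >= len(buf) or pos + 1 + buf[pos] > len(buf):
        raise ValueError("truncated AUTHENTICATE response")
    end = pos + 1 + buf[pos]
    return buf[pos + 1:end], end

def parse_authenticate_response(data: bytes) -> AkaResult:
    if not data or data[0] not in (TAG_SUCCESS, TAG_SYNC_FAILURE):
        raise ValueError("unexpected or missing response tag")
    if data[0] == TAG_SYNC_FAILURE:
        auts, pos = _take_lv(data, 1)
        # AUTS = (SQN_MS xor AK) 6 bytes + MAC-S 8 bytes
        if len(auts) != 14 or pos != len(data):
            raise ValueError("malformed AUTS")
        return AkaResult(synced=False, auts=auts)
    res, pos = _take_lv(data, 1)
    ck, pos = _take_lv(data, pos)
    ik, pos = _take_lv(data, pos)
    kc = None
    if pos < len(data):          # optional trailing Kc field
        kc, pos = _take_lv(data, pos)
    if pos != len(data) or len(ck) != 16 or len(ik) != 16:
        raise ValueError("malformed success response")
    return AkaResult(True, res, ck, ik, kc)

# Constructed sample responses (placeholder bytes, not real key material).
SAMPLE_OK = (bytes([0xDB, 8]) + bytes(range(8))
             + bytes([16]) + b"\xC1" * 16 + bytes([16]) + b"\x1C" * 16)
SAMPLE_RESYNC = bytes([0xDC, 14]) + b"\xA5" * 14
```

A resync result carries only AUTS, which the terminal forwards to the network; the parser rejects truncated or over-long responses instead of returning partial key material.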

Important USIM EFs

| EF | Purpose |
|---|---|
| EF IMSI | current IMSI |
| EF Keys | CK/IK cache |
| EF LOCI | last location info |
| EF PSLOCI | packet-switched LOCI |
| EF AD | administrative data |
| EF SPN | service provider name |
| EF OPL / EF PNN | PLMN name overrides |
| EF ACC | access class bits |
| EF FPLMN | forbidden PLMN list |
| EF UST | USIM service table |

The EF UST service table tells the terminal which optional USIM features are active on this profile. It is a common thing to inspect and lint when a profile is built from a SAIP template.

ISIM shape

An ISIM ADF is smaller than a USIM ADF. Key EFs include:

  • EF IMPI for the IMS private identity
  • EF IMPU for IMS public identities
  • EF DOMAIN for the home network domain
  • EF IST for the ISIM service table

SUCI and the subscription identifier

5G introduced the SUCI to avoid sending SUPI in the clear. The USIM computes the SUCI locally using an ECIES scheme. YggdraSIM includes Tools/SuciTool to help generate and export the SUCI key material that a profile expects, and the in-process simulator (SIMCARD/) implements the full 3GPP TS 33.501 §C.3 SUCI calculation (Profile A and Profile B) plus the 3GPP TS 31.102 §7.1.2.4 GET IDENTITY command that surfaces the SUCI to the modem.

5G authentication and AKMA

The 5G stack adds a few authentication surfaces on top of the classic USIM AUTHENTICATE:

  • 5G AKA (3GPP TS 33.501) — AUTHENTICATE on the 5G UE-context produces RES* (a Kausf-bound transformation of RES) instead of RES directly.
  • EAP-AKA' (3GPP TS 33.402) — non-3GPP access authentication binding the same long-term key into an EAP exchange.
  • AKMA (3GPP TS 33.535) — application-layer keys derived from Kausf, surfaced as K_AKMA and the A-KID identifier.

The simulated UICC implements all three. The matching network-side AUSF / AAnF surfaces are the operator's responsibility — this release ships the SIM-side primitives only.

Where to look in YggdraSIM

  • SCP03 Admin Shell for live USIM/ISIM file access and AUTHENTICATE diagnostics
  • SUCI Tool for SUCI key handling
  • SIMCARD Simulator for the in-process 5G AKA / EAP-AKA' / AKMA / SUCI / GET IDENTITY surface
  • SAIP Profiles for how the SAIP template encodes the NAA that finally lands on a card