Telecoms

Post-quantum planning for telecom networks, carrier infrastructure, signaling paths, and long-retention traffic exposure.

Post-quantum cryptography for 5G and beyond.

5G control-plane signing and authentication

The 5G core network uses PKI-based authentication for N2 (AMF–gNB) and N3 (UPF–gNB) interfaces, as well as for network function (NF) service registration and discovery via the NRF. The certificates and signature schemes used in these protocols today are based on ECDSA or RSA. 3GPP Release 19 and the ongoing ETSI TC CYBER work on quantum-safe communication are beginning to define the transition path, but network operators cannot wait for a full standards cycle to begin their inventories.

Quanten maps the 5G core authentication interfaces against the CRQC timeline, identifying which signature operations carry multi-year validity periods that put them in the harvest risk window. Control-plane signing keys with 2-to-5-year validity issued today may still be active if a 2029–2033 risk scenario materializes. Migration to ML-DSA-87 for NF authentication certificates is technically straightforward — the IETF LAMPS working group has defined X.509 certificate extensions for ML-DSA — but requires coordinated rollout across the core network’s certificate management infrastructure.

Engagement deliverables

  • Core-network authentication inventory across N2, N3, NRF, roaming, and inter-operator interfaces.
  • Certificate-validity risk map that flags keys active inside the expected quantum-risk window.
  • Standards watchlist for 3GPP, ETSI TC CYBER, IETF LAMPS, and IKEv2 hybrid-key-exchange work.

IPsec / IKEv2 with post-quantum key exchange

IPsec with IKEv2 is the dominant VPN technology for backhaul links, roaming agreements, and inter-operator interconnects in telecom networks. IKEv2 today uses ECDH or DH for key exchange. RFC 9370 defines a mechanism for including post-quantum key exchange methods in IKEv2 as additional key exchanges (AKE), allowing ML-KEM-1024 to be layered on top of the existing classical exchange without protocol renegotiation. This hybrid approach maintains interoperability with existing implementations while providing quantum-safe protection for the session key material.

  • RFC 9370 additional key exchanges (AKE) for IKEv2 + ML-KEM-1024
  • ML-DSA-87 for NF authentication certificates (IETF LAMPS X.509 extensions)
  • ETSI TC CYBER TS 103 744 alignment
  • 3GPP Release 19 PQC readiness assessment
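
How the RFC 9370 layering binds both secrets into the session key material, as an added sketch (not Quanten's code and not a production IKEv2 stack): it follows the SKEYSEED update from RFC 9370 and prf+ from RFC 7296. It assumes PRF_HMAC_SHA2_256, uses constructed byte strings in place of real ECDH and ML-KEM-1024 outputs, and all function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample values, not from a real exchange.
NI, NR = bytes(range(32)), bytes(range(32, 64))        # IKE_SA_INIT nonces
SPI_I, SPI_R = b"\x11" * 8, b"\x22" * 8                # IKE SPIs
ECDH_SECRET = b"\xa1" * 32    # stand-in for the classical (EC)DH result
MLKEM_SECRET = b"\xb2" * 32   # stand-in for the 32-byte ML-KEM-1024 shared secret


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256 (assumed negotiated prf)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 prf+: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]


def initial_sk_d(classical_secret: bytes) -> bytes:
    """IKE_SA_INIT: SKEYSEED = prf(Ni | Nr, g^ir); SK_d is the first prf+ block."""
    skeyseed = prf(NI + NR, classical_secret)
    return prf_plus(skeyseed, NI + NR + SPI_I + SPI_R, 32)


def mix_additional_ke(sk_d_prev: bytes, ake_secret: bytes) -> bytes:
    """RFC 9370: SKEYSEED(n) = prf(SK_d(n-1), SK(n) | Ni | Nr), then prf+ again."""
    skeyseed_n = prf(sk_d_prev, ake_secret + NI + NR)
    return prf_plus(skeyseed_n, NI + NR + SPI_I + SPI_R, 32)


def hybrid_sk_d(classical_secret: bytes, pq_secret: bytes) -> bytes:
    """SK_d after one additional key exchange layered on the classical one."""
    return mix_additional_ke(initial_sk_d(classical_secret), pq_secret)


if __name__ == "__main__":
    print("classical only:", initial_sk_d(ECDH_SECRET).hex())
    print("hybrid        :", hybrid_sk_d(ECDH_SECRET, MLKEM_SECRET).hex())
    # Knowing only the classical secret does not yield the hybrid SK_d.
    print("differs with another PQ secret:",
          hybrid_sk_d(ECDH_SECRET, b"\x00" * 32) != hybrid_sk_d(ECDH_SECRET, MLKEM_SECRET))
```

SK_d is the input to Child SA key derivation, so the IPsec traffic keys for a backhaul or interconnect tunnel inherit the dependence on both secrets.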

Network-slice key isolation

5G network slicing allows a single physical infrastructure to serve multiple tenants with different security requirements — a public broadband slice alongside a government or critical-infrastructure slice. Key isolation between slices is essential: compromise of key material in one slice must not provide leverage against another. Quanten’s slice-aware key management enforces cryptographic isolation at the HSM boundary: each slice’s root key is generated and stored in a logically separate HSM partition, with no shared key derivation path between partitions. Algorithm profiles are configurable per slice, allowing a government slice to enforce ML-KEM-1024 while a legacy enterprise slice runs hybrid mode during its own transition.

Ready to assess your 5G PKI exposure? Talk to our security team — a typical telecom engagement starts with a two-day core-network authentication inventory and produces a prioritised migration roadmap within two weeks.