Deriving keys from authentication to use them in the application layer

Dear free5GC community,

We are considering free5GC to prototype a 5G network where the RAN would be replaced by a non-3GPP access (namely, WiFi). Our goal is to authenticate subscribers using the 5G standard procedures and, from there, derive keys that will be used in the application layer to establish a VPN session (to a server outside the 5G core).

Currently, we don’t know yet whether we will be using N3IWF or TNGF for the non-3GPP access, but we could adapt our network to both models. Therefore, we wonder whether either of them supports this type of key derivation (either completely or partially).

Thank you very much, any tips will be highly appreciated.

Both N3IWF and TNGF perform a key derivation procedure during the authentication step. However, these keys are primarily used to secure NAS and IKEv2/IPsec tunnels. Neither of them provides direct access to authentication-derived keys for application-layer security, so you may need modifications.
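
Added example, not part of the reply above and not free5GC code: the access-key derivation that both N3IWF and TNGF rely on (K_AMF to K_N3IWF / K_TNGF, using the generic KDF of TS 33.220 Annex B with the FC and access type values of TS 33.501 Annex A.9), followed by one way a modified deployment could derive a separate application-layer key from it. `DeriveAppKey` and its label are hypothetical and are not defined by 3GPP or free5GC; the all-zero K_AMF is a constructed sample.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Access type distinguishers (TS 33.501 Annex A.9).
const (
	Access3GPP    byte = 0x01
	AccessNon3GPP byte = 0x02
)

// kdf is the generic 3GPP KDF (TS 33.220 Annex B):
// HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), each Li a 2-byte big-endian length.
func kdf(key []byte, fc byte, params ...[]byte) []byte {
	s := []byte{fc}
	for _, p := range params {
		s = append(s, p...)
		s = append(s, byte(len(p)>>8), byte(len(p)))
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(s)
	return mac.Sum(nil)
}

// DeriveAccessKey computes K_N3IWF / K_TNGF from K_AMF (FC = 0x6E).
func DeriveAccessKey(kAMF []byte, ulNASCount uint32, access byte) []byte {
	count := make([]byte, 4)
	binary.BigEndian.PutUint32(count, ulNASCount)
	return kdf(kAMF, 0x6E, count, []byte{access})
}

// DeriveAppKey is hypothetical (an assumption of this example). The label gives
// domain separation, so the IKEv2/IPsec key itself is never reused by the application.
func DeriveAppKey(accessKey []byte, label string) []byte {
	mac := hmac.New(sha256.New, accessKey)
	mac.Write([]byte(label))
	return mac.Sum(nil)
}

func main() {
	kAMF := make([]byte, 32) // constructed all-zero sample key, not a real K_AMF
	kN3IWF := DeriveAccessKey(kAMF, 0, AccessNon3GPP)
	fmt.Printf("K_N3IWF   = %x\n", kN3IWF)
	fmt.Printf("K_app/vpn = %x\n", DeriveAppKey(kN3IWF, "example-vpn-v1"))
}
```

Because the access key depends on K_AMF and the uplink NAS COUNT, any application key derived this way changes whenever the subscriber re-authenticates, so both endpoints of the VPN need the same derivation inputs at the same time.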