SGX-Enabled Encrypted Storage for Secure Management of 5G Authentication Data in Trusted Execution Environments


Adi Panca Saputra Iskandar
Changhyeon Woo
Linawati
Lely Meilina
Ilsun You

Keywords

5G Core Security, Intel SGX, Trusted Execution Environment, Data-at-Rest Protection.

Abstract

In the fifth-generation (5G) core network, sensitive authentication data such as the Subscription Permanent Identifier (SUPI) and long-term cryptographic keys are centrally stored in the Unified Data Repository (UDR) to support primary authentication. Recent real-world incidents, including the 2025 SK Telecom (SKT) breach, demonstrate that compromise of core servers or databases can expose plaintext subscriber data even when transport-layer security is correctly deployed. This highlights the need for strong data-at-rest protection and robust cryptographic key isolation within the 5G core. In this paper, we propose a storage-centric protection scheme that preserves the confidentiality and integrity of 5G authentication data even under authentication server compromise. Authentication records are encrypted before being stored in the UDR, with encryption and decryption operations invoked through database triggers and executed inside an Intel Software Guard Extensions (SGX)-based Trusted Execution Environment (TEE). All cryptographic keys and sensitive operations are fully isolated within the enclave, preventing direct access from both the database and application layers. We implement the proposed design on the OpenAirInterface (OAI) 5G core using a MySQL-backed UDR, demonstrating its applicability to real-world and open-source 5G deployments. Performance evaluation over 10,000 end-to-end authentication procedures shows that the proposed approach introduces moderate CPU overhead, particularly during decryption-intensive operations, while incurring negligible memory overhead and minimal latency impact. These results indicate that SGX-based storage-centric protection is a practical and effective mechanism for strengthening data-at-rest security in 5G core networks.
