Home | Reports | Technical Documents | Tech-Blog | One-Shot Gallery | Korea ICT News | Korea Communication Market Data | List of Contributors | Become a Contributor |    
 
 
Section 5G 4G LTE C-RAN/Fronthaul Gigabit Internet IPTV/Video Streaming IoT SDN/NFV Wi-Fi KT SK Telecom LG U+ Network Protocol Samsung   Korean Vendors
 
CHANNELS     HFR    |  Mobile Fronthaul Solution  |  Carrier Ethernet Solution  | Resources        
CHANNELS     ZARAM    |  TWDM-PON SFP+ ONU  |  XGSPON 10G SFP+ ONT  |  Use cases  | Evolution of FTTH Access Network    

 

LTE Security II: NAS and AS Security
August 05, 2013 | By Netmanias (tech@netmanias.com)
Online viewer:
Comments (27)
36
Page 2 of 5

 

     

Table of Contents  

1. Introduction
2. NAS Security
3. AS Security
4. Security Context

5. Closing and References  

 

 

2. NAS Security

 

A detailed description of the NAS security previously mentioned in LTE Security I[1] will be given below. A NAS security setup procedure consists of NAS signaling, between a UE and an MME, by a Security Mode Command message that the MME sends to the UE and a Security Mode Command message that the UE sends to the MME. Descriptions of the NAS security setup procedure by NAS messages and how NAS messages are delivered thereafter will be provided in Sections 2.1 and 2.2, respectively.

 

2.1 NAS Security Setup

 

(1) Delivering a Security Mode Command message

 

Figure 2 shows how a Security Mode Command message is delivered during the NAS security setup procedure. The MME, by sending a Security Mode Command message to the UE, informs the UE that it is authenticated by the network and the NAS security setup procedure for secure message delivery between them is initiated. The Security Mode Command message is integrity protected and then sent to the UE, which then derives NAS security keys (a ciphering key and an integrity key) and verifies the integrity of the message using the integrity key.

 

A simplified LTE authentication procedure that precedes the NAS security setup procedure is shown as  and  in Figure 2[1]. The same KASME is shared by the UE and the MME as a result of the LTE authentication. We will explain the NAS security setup procedure presuming the MME allocates a KSIASME to identify KASME as 1 ("001"). 

Figure 2. NAS security setup: Delivery of a Security Mode Command message

 

 [MME] Selecting security algorithms

The MME selects ciphering and integrity algorithm to be applied to NAS messages based on UE Network Capability information included in the received Attach Request message from the UE. Figure 2 shows an example of selecting EEA1 for an encryption algorithm and EIA1 for an integrity algorithm, i.e., SNOW 3G algorithm (see LTE Security I [1]).

 

 [MME] Deriving NAS security keys

The MME derives KNASint and KNASenc from KASME using the algorithm IDs and algorithm distinguishers of the selected security algorithms. Table 1 lists algorithm IDs and algorithm distinguishers [2].

  • KNASint = KDF(KASME, NAS-int-alg, Alg-ID)

  • KNASenc = KDF(KASME, NAS-enc-alg, Alg-ID)

 

Table 1. Security algorithm IDs and algorithm distinguishers [2]

 It is applied when using relay nodes. As relay is out of the scope of this document, user plane integrity algorithms are not discussed herein. 

 

 [MME] Generating NAS-MAC for integrity protection

The MME forms a Security Mode Command message to send to the UE and calculates NAS-MAC (Message Authentication Code for NAS for Integrity) using the selected EIA algorithm (EIA1) with input parameters such as the Security Mode Command message and KNASint derived in . Figure 3 shows how NAS-MAC is calculated using the following EIA algorithm input parameters[2]: 

  • Count: 32-bit downlink NAS count 
  • Message: NAS message, i.e., Security Mode Command message herein
  • Direction: 1-bit direction of the transmission, 0 for uplink and 1 for downlink (set to 1 herein)
  • Bearer2: 5-bit bearer ID, constant value (set to 0)
  • KNASint: 128-bit NAS integrity key

 

Figure 3. Calculation of NAS-MAC [2]

 

 [UE  MME] Sending a Security Mode Command message

The MME attaches the NAS-MAC calculated in  to the Security Mode Command message and sends it to the UE. Here the message is integrity protected but not ciphered. Message parameters used are as follows:

  • KSIASME: 3-bit value associated with a KASME, used to identify the KASME (KSIASME=1 herein)
  • Replayed UE Security Capability: UE Security Capability included in the UE Network Capability in the Attach Request message sent by UE, indicates which security algorithms are supported by the UE
  • NAS Ciphering Algorithm: NAS ciphering algorithm selected by the MME, EEA1 herein
  • NAS Integrity Protection Algorithm: NAS integrity protection algorithm selected by the MME, EIA1 herein

 

 [UE] Setting KASME identifier (KSIASME)

When the UE receives a Security Mode Command message from the MME, it sets KSIASME in the message as its KSIASME and uses it as an identifier of the current KASME.

 

 [UE] Deriving NAS security keys

The UE, recognizing the NAS security algorithm that the MME selected, derives KNASint and KNASenc from KASME using the algorithm IDs and the algorithm distinguishers(see Table 1).

 

 [UE] Verifying the integrity of the Security Mode Command message

The UE checks the integrity of the received Security Mode Command message by verifying the NAS-MAC included in the message. It recognizes the NAS integrity algorithm selected by the MME is EIA1 and calculates XNAS-MAC, a message authentication code, by using the selected EIA1 algorithm with the Security Mode Command message and KNASint derived in . Figure 4 shows how XNAS-MAC is calculated using the same EIA input parameters as in [2]. The UE verifies the integrity of the message by examining whether the XNAS-MAC calculated by itself matches the NAS-MAC calculated by the MME. If they match, it is guaranteed that the Security Mode Command message has not been manipulated (e.g., inserted or replaced) on the way.

 

Figure 4. Calculation of XNAS-MAC [2]

 

 

(2) Delivering Security Mode Complete message

 

Figure 5 illustrates how a Security Mode Complete message is delivered during the NAS security setup procedure. The UE, by sending a Security Mode Complete message to the MME, informs the MME that the same NAS security keys as MME's are derived in the UE and that the integrity of the Security Mode Command message is verified. The Security Mode Complete message is ciphered and integrity protected for transmission.

 

Figure 5. NAS security setup: Delivery of a Security Mode Complete message

 

 [UE] Encrypting the message using the selected encryption algorithm (EEA1)

The UE forms and encrypts the Security Mode Complete message to be sent to the MME. The ciphered Security Mode Complete message (Cipher Text Block) is derived by performing bitwise XOR between the Security Mode Complete message (Plane Text Block) and the encryption key stream (Key Stream Block) generated using EEA1 algorithm with NAS encryption key (KNASenc). Figure 6 shows how NAS messages are encrypted [2]. EEA algorithm input parameters used to generate the key stream block are as follows:

  • Count: 32-bit uplink NAS count  
  • Bearer: 5-bit bearer ID, constant value (set to 0)
  • Direction: 1-bit direction of the transmission, 0 for uplink and 1 for downlink (set to 0 herein)
  • Length: the length of the key stream to be generated by the encryption algorithm
  • KNASenc: 128-bit NAS ciphering key

 

Figure 6. Encryption of NAS message by the sender (UE) [2]

 

 [UE] Generating NAS-MAC for integrity protection

The UE calculates NAS-MAC using EIA algorithm (EIA1) with the ciphered Security Mode Complete message and KNASint. Figure 3a shows how NAS-MAC is calculated using the following EIA algorithm input parameters:

  • Count: 32-bit uplink NAS count
  • Message: NAS message, Security Mode Complete message herein
  • Direction: 1-bit direction of the transmission, 0 for uplink and 1 for downlink (set to 0 herein)
  • Bearer: 5-bit bearer ID, constant value (set to 0)
  • KNASint: 128-bit NAS integrity key

 

Figure 3a. Calculation of NAS-MAC for the Ciphered Security Mode Complete message

 

 [UE  MME] Sending the Security Mode Complete message

The UE attaches the NAS-MAC calculated in  to the Security Mode Complete message and sends it to the MME. Here the message is integrity protected and ciphered, and all the NAS messages that the UE sends to the MME hereafter are securely delivered.

 

 [MME] Verifying the Integrity of the Security Mode Complete message

The MME checks the integrity of the received Security Mode Complete message by verifying NAS-MAC included in the message. MME calculates XNAS-MAC, a message authentication code, by using the selected EIA1 algorithm with the Security Mode Complete message and KNASint. Figure 4a shows how XNAS-MAC is calculated using the same EIA input parameters as in . The MME verifies the integrity of the message by examining whether the XNAS-MAC calculated by itself matches the NAS-MAC calculated by the UE. If they match, it is guaranteed that the Security Mode Complete message has not been manipulated on the way.

 

Figure 4a. Calculation of XNAS-MAC for the Ciphered Security Mode Complete message

 

 [MME] Decrypting of the Security Mode Complete message

After successful verification of the Security Mode Complete message, the MME decrypts the message using EEA algorithm (EEA1). Then the Security Mode Complete message, the original message generated by the UE, is derived through XOR between the ciphered Security Command Complete message and the key stream block. Figure 7 illustrates how the message is decrypted using the same EEA algorithm input parameters as in .

 

Figure 7. Decryption of the NAS message by the receiver (MME) [2]

 

 

2.2 After NAS Security Setup

 

Once the NAS security setup is completed as in Section 2.1, all the NAS messages between the UE and the MME thereafter are encrypted and integrity protected before being sent. Figure 8 shows how NAS messages are delivered between the UE and the MME after the NAS security setup.

 

Figure 8. Ciphering and integrity protection of the NAS Messages after the NAS security setup

 

When NAS messages are being sent, they are encrypted first and then integrity protected before being sent. The original NAS messages are first encrypted using an encryption key (KNASenc) and then integrity protected by including NAS-MAC calculated using an integrity key (KNASint) so that the messages are delivered as encrypted and integrity protected.

 

 

When received, however, the NAS messages are integrity verified first and then decrypted, which is in the opposite order of what has been done when they were sent. That is, the integrity of the NAS messages is verified first by comparing the XNAS-MAC calculated using the integrity key (KNASint) and the received NAS-MAC, and then the messages are decrypted to get the original NAS messages.

 

Page 2 of 5
Sitansu Baral 2014-08-05 18:25:16

It is a nice document on LTE Security

Eric 2014-08-14 15:49:22

I have two questions:

1. SQN, how to get this paremeters in UE side? Is it sent by MME?

2. "When RRC messages are being sent, they are encrypted first and then integrity protected before being sent."—— Can you confirm again? From 36.323, you can find the encrypted should be do first.

Netmanias 2014-10-14 23:04:00

Hi Eric, 


1) As gecuili said (thank you for the answer, gecuili!), SQN is concealed in AUTN in the form of (SQN)XOR(AK) (Please see TR, LTE Security I). When UE receives Authentication Request (RAND, AUTN, KSI_ASME) messages from MME, it computes AK and then derives SQN by performing bitwise XOR between AUTN and AK. (Please refer to the Figure 7 and 9 in 3GPP TS 33.102.)
SQNs are generated by HSS/AuC, and delivered to UE via MME.


2) Figure 12 is an error. When RRC messages are being sent, they are integrity protected first and then encrypted before being sent. We have corrected the error and updated this web post and pdf files. We are sorry for the error, and thank you for noticing us about that. 


gecuili 2014-10-14 17:18:54

Hi, Eric

1.SQN is concealed in AUTN according to section 6.3.3 in 33.102. Also Figure 9 illustrates this well.

 

jyothis 2014-10-16 14:46:06

Hi,

 

AUTN is having sqn of 6 bytes. Nas count is of 3 byte (MSb being 0) only of which sqn is 1 byte. Also, with authentication, 33.401 says to reset the count. 

I have 1 more question. which all part of nas msg is ciphered, does it include pd , security header and sqn of security protected msg ?

Netmanias 2014-10-16 17:31:07

Hi jyothis, 


"Plain NAS message" is ciphered. Then the ciphered NAS message and the NAS sequence number are integrity protected. Please refer to 4.4.4.1 and figure 9.1.2 in 3GPP TS 24.301.

(and/or you can see the the figure in 2.2. After NAS Security Setup on this post), 


- 4.4.4.1 
"When both ciphering and integrity protection are activated, the NAS message is first encrypted and then the encrypted NAS message and the NAS sequence number are integrity protected by calculating the MAC."


- Figure 9.1.2 (added some terms in blue by Netmanias)


jyothis 2014-10-17 14:59:24

Thanks,

Quick & great explanation.

What about the SN & AUTN part:

"AUTN is having sqn of 6 bytes. Nas count is of 3 byte (MSb being 0) only of which sqn is 1 byte. Also, with authentication, 33.401 says to reset the count."

jyothis 2014-10-21 14:25:54

I mean, the quote i made from 33.401, indicate that nas sn is not the one from AUTN, right ?

Josh 2014-09-04 04:10:42

This is excellent work. 

peeyoosh 2014-10-06 21:31:33

Hi,

Thanks for sharing such a nice info on LTE authentication and Security procedures. I have one doubt.

In NAS security, while handling Security mode command, Integrity is not known to UE, then does it try hit and trial method and genertate the IK and then X NAS MAC? in above example, UE striaghtly using ALGO-2 for integrity what if multiple Integrity algo supported by UE?

gecuili 2014-10-14 17:31:04

Hi,

"

 [MME] Selecting security algorithms

The MME selects ciphering and integrity algorithm to be applied to NAS messages based on UE Network Capability information included in the received Attach Request message from the UE. Figure 2 shows an example of selecting EEA1 for an encryption algorithm and EIA1 for an integrity algorithm, i.e., SNOW 3G algorithm (see LTE Security I [1]).

"

This will guarante the integrity algorithm which MME selected is exist in UE. If UE supports multiple algo, they may select the most priority one.

knokej 2014-11-18 03:03:45

Very nice write-up.  Some questions:

1) Does all this occur using SRB1?

2) Is all this preceded by an "Authentication Complete" message from the UE?

3) Does all this occur before S1 bearers are set up and before an "Attach Complete" is sent to the UE?

4) How does UE distinguish between AS and NAS versions of the Security Mode command?  Are they different message types in RRC?

 

Thanks.

vikas singh rawa 2014-12-10 16:09:42

Hello Team,

 

Good document, have a observation to share as below:-

In the figure Figure 2. NAS security setup: Delivery of a Security Mode Command message, isn't there a printing mistake for the step 3 and 7 for the alogorithm chosen at the MME and UE side for the generation for the Key ?

 

Thanks.

vikas singh rawa 2014-12-10 16:28:17

Hello Team,


Have aquery here,

Figure 5. NAS security setup: Delivery of a Security Mode Complete message, if the message itself has been encrypted already then how the UE comes to know that this is the security mode complete message cause the message is an important parameter for the generation of  the MAC vlaue in the uplink direction.


Thanks.

Shweta 2015-01-10 13:55:14

Hello, Well explained. But I have a query. Why is SMC complete message in NAS security procedure is both integrity protected and ciphered while SMC complete message in AS security procedure is only integrity protected and not ciphered. Thanks.

Shu 2015-03-14 01:42:34

Hello, A really good tutorial.  May I ask,

  1. after a UE is successfully authenticated and registers into a LTE network, how often does the network possibly re-authenticate the UE, even though there is no inter-RAT or inter-MME handover?  
  2. If there is a re-authentication after a successful registration, should the re-authentication happen when the UE is in its RRC_IDLE or it have to happen in RRC_CONNECTED?  

Thank you very much,

Shu 

Datong 2015-07-23 12:39:49

hi all,

one question:

NAS: The Security Mode Complete message is ciphered and integrity protected for transmission

AS: the Security Mode Complete message is delivered as integrity protected

Why the AS Security Mode Complete message is not ciphered as the NAS?

i have been confusing on this a long time.

 

thanks a lot,

wenhao

keerthana 2019-11-13 04:38:45

The UE shall apply integrity protection using the indicated algorithm (EIA) and the integrity key, KRRCint immediately, i.e. integrity protection shall be applied to all subsequent messages received and sent by the UE, including the SECURITY MODE COMPLETE message.

 

            The UE shall apply ciphering using the indicated algorithm (EEA), KRRCenc key and the KUPenc key after completing the procedure, i.e. ciphering shall be applied to all subsequent messages received and sent by the UE, except for the SECURITY MODE COMPLETE message which is sent un-ciphered.

debasish 2015-09-30 17:12:12

Any one please please tell me why authentication is delayed in case of connected mode TAU only...Why not in idle mode TAU??

bhupender jain 2015-10-21 20:52:20

Hi All,

 

From UE perspective, NAS message is first ciphered & then integrity protected.

& in AS, message is first integrity protected & then ciphered.

Why there is such difference between AS & NAS? Please explain as I am not able to get the required information from other sources.

santosh 2016-12-29 18:07:18

HI...

THE PAPER IS TOO GOOD...

IS THERE ANY IMPLEMANTATION CODE THAT YOU CAN PROVIDE SO THAT WE CAN PRACTICE PRACTICALLY???

wrangler 2017-08-28 23:15:56

The order of ciphering and integrity checking and verification is different across E-UTRAN and EPC. While in E-UTRAN Integrity checking and verification is followed by Ciphering, in EPC Ciphering is followed by Integrity Checking and Verification.
Can anyone comment as to why 3GPP followed a different strategy for EPC and E-UTRAN?

JouMan Lin 2017-10-12 09:46:24

Hi, 

Thanks for the detailed information to introduce the security system.

It's very useful.

 

I'd like to ask the same question as wrangler.

Why the order of integrity and encryption is different in NAS and AS layer? When sending a packet, in NAS, the encryption is performed first, then the integrity protection. But in AS layer, the protection order is reverse.

Wahidullah 2017-12-31 15:27:17

Useful :)

 

bandan.ars@gmail.com 2018-08-20 14:24:15

Can somebody explain how the NAS count wrap around works and how it should be handled? Both Downlink and Upliink

shailesh.y1987@gmail.com 2019-10-17 15:46:39

what all are AS messages are defined in lte call flow?

soqu36 2019-11-13 16:04:25

Very nice file!!!

I want to kown what tools do you have to make these nice figures? Thanks a lot!

Thank you for visiting Netmanias! Please leave your comment if you have a question or suggestion.
Related Contents
08/05/2013
Netmanias Technical Documents
07/31/2013
Netmanias Technical Documents
View All (174)
5G (7) Backbone (2) Backhaul (3) Blockchain (1) CDN (1) Carrier Ethernet (3) Charging (1) DHCP (4) ECM (2) EMM (16) EPS (2) Google (1) HLS (1) HTTP Adaptive Streaming (3) Handover (5) IPTV (4) Initial Attach (2) IoT (2) Korea (1) LTE (39) LTE Identification (2) LTE-A (1) MPLS (2) Mobility (2) NAT (7) Netflix (1) Network Architecture (3) Network Protocol (20) New Radio (1) OTT (1) PCRF (3) QoS (3) RCS (3) SDF (2) SDN/NFV (3) SK Telecom (1) Samsung (3) Security (5) Sk Telecom (1) Transparent Cache (1) Video Streaming (4) VoLTE (2) Wi-Fi (1) YouTube (2)
Password confirmation
Please enter your registered comment password.
Password