LTE RRC: Security Mode Command

Direction: E-UTRAN => UE
Signalling Radio Bearer: SRB1
RLC Mode: AM
Logical Channel: DCCH
Transport Channel: DL-SCH

The SECURITY MODE COMMAND message is used to command the activation of AS security. E-UTRAN always initiates this procedure before establishing Signalling Radio Bearer 2 (SRB2) and the Data Radio Bearers (DRBs), so those bearers are only ever set up under an active AS security configuration.

AS security comprises the integrity protection of RRC signalling (SRBs) and the ciphering of both RRC signalling (SRBs) and user plane data (DRBs); user plane data on DRBs is ciphered but not integrity protected. The integrity protection algorithm is common to SRB1 and SRB2, and the ciphering algorithm is common to all radio bearers (SRB1, SRB2 and the DRBs). Neither integrity protection nor ciphering applies to SRB0, which carries the RRC connection establishment messages before any AS key exists.

The eNodeB sends the SECURITY MODE COMMAND to the UE integrity protected but not ciphered. The UE shall derive KeNB (from KASME and the uplink NAS COUNT) and from it KRRCint, the key associated with the integrity protection algorithm indicated in the SECURITY MODE COMMAND. The UE then verifies the integrity of the received SECURITY MODE COMMAND by recomputing the Message Authentication Code (MAC-I), which PDCP carries in the last four octets of the SRB1 PDU, and comparing it with the received value. If the SECURITY MODE COMMAND fails the integrity check, the UE keeps the configuration it used before the message arrived (neither integrity protection nor ciphering) and sends SECURITY MODE FAILURE to the eNodeB.

If the SECURITY MODE COMMAND passes the integrity check, the UE shall derive the ciphering keys KRRCenc and KUPenc associated with the ciphering algorithm indicated in the SECURITY MODE COMMAND.

The UE shall apply integrity protection using the indicated algorithm (EIA) and the integrity key KRRCint immediately, i.e. integrity protection shall be applied to all subsequent messages received and sent by the UE, including the SECURITY MODE COMPLETE message.

The UE shall apply ciphering using the indicated algorithm (EEA) with KRRCenc (SRBs) and KUPenc (DRBs) only after completing the procedure, i.e. ciphering shall be applied to all subsequent messages received and sent by the UE, except for the SECURITY MODE COMPLETE message itself, which is sent integrity protected but unciphered.

Example: Security Mode Command

More details about the security architecture and different kinds of keys are explained here

Reference: 3GPP TS 36.331 (E-UTRA Radio Resource Control protocol specification) and 3GPP TS 33.401 (SAE security architecture)

15 comments:

  1. UE network capability use?

    1. UE Network capability is sent in the TAU request message or the attach request message. The purpose of the UE network capability information element is to provide the network with information concerning aspects of the UE related to EPS or interworking with GPRS. The contents might affect the manner in which the network handles the operation of the UE. The UE network capability information indicates general UE characteristics and it shall therefore, except for fields explicitly indicated, be independent of the frequency band of the channel it is sent on.

      Please refer to section 9.9.3.34 in TS 24.301 for more information.

    2. UE network capability contains information about the UE capabilities related to EPC or interworking with HSDPA/UMTS/GPRS. It also contains the info about the UE categories.

  2. Is the Message Authentication Code appended in the last four octets of the Security Mode Command message? How to verify the integrity?

  3. In case of inter-RAT cell reselection from WCDMA to LTE, the UE sends the TAU request with NAS key set identifier TSC = native security context. Here the question is: in the same flow, during EMM security, what should the TSC be? If I keep it the same as what I received in the EMM TAU request, then the UE sends TAU reject; if I set it to TSC = mapped security context, then everything goes fine. Could you please suggest something on this behaviour?

  4. Why does LTE require two levels of security, NAS security as well as AS security?

  5. What if the SECURITY MODE COMMAND is not received at the UE side? And what if it is not received at RRC? Is it the MME that triggers this message?

    Thanks for your answer.

    1. This security procedure is triggered by RRC.

  6. Hi Swamy,
    Is it mandatory to initiate the RRC Security Mode procedure for each new RRC connection? For example, the RRC Security Mode procedure is completed during Attach and the RRC connection is released after the Attach procedure is completed. Next, if the network or the UE starts another RRC session for data, do we need to perform the RRC Security Mode procedure again?

    1. Yes, the UE needs to perform the RRC security mode procedure again. Please refer to section 5.3 in 36.331.

  7. Is it necessary that the ciphering and integrity algorithms in the RRC SMC are the same (I mean eea1-eia1, eea2-eia2)? Or is it possible to have the combination eea0-eia1?

    Thanks for your answer.

  8. Why is ciphering optional for NAS & AS messages?

    1. If you are talking about the NULL ciphering algorithm, it could be used in cases, for example, when making an emergency call without a USIM. Also, for example, in cases of inter-system handover to E-UTRA, if ciphering is not activated in the other RAT.

      FYI, from 24.301: if the "null ciphering algorithm" EEA0 has been selected as a ciphering algorithm, the NAS messages with the security header indicating ciphering are regarded as ciphered.

      From 36.331: the 'NULL' integrity protection algorithm (eia0) is used only for the UE in limited service mode [33.401]. In case the 'NULL' integrity protection algorithm is used, the 'NULL' ciphering algorithm is also used.

  9. Hi Swamy,

    Why will an integrity protection check failure happen at the UE side?

  10. Such a nice post! Thank you for sharing such valuable information.
    security driver
