Monday, November 28, 2011

NAS: Security Mode Command

- The purpose of the NAS security mode control procedure is to take an EPS security context into use, and to initialize and start NAS signalling security between the UE and the MME. The MME starts this procedure by sending the SECURITY MODE COMMAND message.
- The MME may send a SECURITY MODE COMMAND in order to change the NAS security algorithms for a current EPS security context already in use.
- The MME shall send the SECURITY MODE COMMAND message unciphered, but shall integrity protect the message with the NAS integrity key based on KASME or mapped K'ASME indicated by the eKSI included in the message.
- The MME shall set the security header type of the message to "integrity protected with new EPS security context", since this message is only integrity protected but not ciphered.
- The MME shall include the replayed security capabilities of the UE (including the security capabilities with regard to NAS, RRC and UP (user plane) ciphering, etc.).
- The MME shall include the replayed nonceUE if the UE included it in the initial L3 message to the network.
- Also, the MME shall send the selected NAS ciphering and integrity algorithms and the NAS Key Set Identifier (eKSI) in the SECURITY MODE COMMAND message.
- The MME shall include both the nonceMME and the nonceUE when creating a mapped EPS security context during inter-system change from A/Gb mode to S1 mode or from Iu mode to S1 mode in EMM-IDLE mode.
- Additionally, the MME may request the UE to send its IMEISV in the SECURITY MODE COMPLETE message.
- The UE shall derive the KNASenc and KNASint keys from the key KASME/K'ASME and the received EPS encryption and integrity algorithms (respectively).
Reference: 3GPP TS 24.301
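The points above, as an added example that is not part of the original post: it builds a SECURITY MODE COMMAND in the security-protected NAS format (outer security header, MAC, sequence number, then the plain message with its own zero security header), parses it back, performs the UE's check that the replayed capabilities match what it sent, and derives KNASenc/KNASint with the TS 33.401 Annex A.7 KDF. It only produces the null-integrity (EIA0) case, where the MAC is four zero octets; the IE encodings are as I recall them from TS 24.301 and TS 33.401, and the KASME, capability and nonce bytes are constructed sample values.

```python
import hashlib, hmac
PD_EMM = 0x7                      # protocol discriminator for EMM messages
SEC_HDR_PLAIN = 0x0               # security header type values (TS 24.301 9.3.1)
SEC_HDR_INTEGRITY_NEW_CTX = 0x3   # "integrity protected with new EPS security context"
MT_SECURITY_MODE_COMMAND = 0x5D   # EMM message type of SECURITY MODE COMMAND

def derive_nas_key(k_asme: bytes, alg_type: int, alg_id: int) -> bytes:
    """TS 33.401 Annex A.7 KDF: HMAC-SHA-256(KASME, FC=0x15 || P0 || L0 || P1 || L1).
    P0 is 0x01 for NAS-enc / 0x02 for NAS-int, P1 the EEA/EIA id; 128 LSB are the key."""
    s = bytes([0x15, alg_type, 0x00, 0x01, alg_id, 0x00, 0x01])
    return hmac.new(k_asme, s, hashlib.sha256).digest()[16:]

def build_smc(eea: int, eia: int, eksi: int, ue_caps: bytes, seq: int,
              request_imeisv: bool = False, nonce_ue: bytes = b"") -> bytes:
    """Outer security header + MAC + SN wrapping a plain SECURITY MODE COMMAND."""
    assert eia == 0, "only EIA0 is produced here: its MAC is four zero octets"
    plain = bytes([(SEC_HDR_PLAIN << 4) | PD_EMM, MT_SECURITY_MODE_COMMAND,
                   (eea << 4) | eia,         # selected NAS security algorithms IE
                   eksi & 0x0F,              # NAS key set identifier + spare half octet
                   len(ue_caps)]) + ue_caps  # replayed UE security capabilities (LV)
    if request_imeisv:
        plain += b"\xC1"                     # IMEISV request IE: IEI 0xC, value 001
    if nonce_ue:
        plain += b"\x55" + nonce_ue          # replayed nonceUE IE: IEI 0x55 + 4 octets
    outer = bytes([(SEC_HDR_INTEGRITY_NEW_CTX << 4) | PD_EMM])
    return outer + b"\x00\x00\x00\x00" + bytes([seq]) + plain   # MAC = 0 under EIA0

def parse_security_protected(pdu: bytes) -> dict:
    """Split outer header, MAC and SN from the inner plain SMC and decode its IEs."""
    if pdu[0] >> 4 == SEC_HDR_PLAIN:
        raise ValueError("not a security-protected NAS message")
    inner, opts = pdu[6:], {}
    i = 5 + inner[4]                         # optional IEs start after the caps LV
    while i < len(inner):
        if inner[i] >> 4 == 0xC:             # IMEISV request (type 1, half-octet value)
            opts["imeisv_requested"] = (inner[i] & 0x7) == 1; i += 1
        elif inner[i] in (0x55, 0x56):       # replayed nonceUE / nonceMME (type 3)
            opts["nonce_ue" if inner[i] == 0x55 else "nonce_mme"] = inner[i+1:i+5]; i += 5
        else:
            raise ValueError(f"unknown IEI {inner[i]:#x}")
    return {"outer_sec_hdr_type": pdu[0] >> 4, "mac": pdu[1:5], "seq": pdu[5],
            "inner_sec_hdr_type": inner[0] >> 4,   # always 0: the wrapped message is plain
            "msg_type": inner[1], "eea": (inner[2] >> 4) & 0x7, "eia": inner[2] & 0x7,
            "tsc": (inner[3] >> 3) & 1, "ksi": inner[3] & 0x7,
            "ue_caps": inner[5:5 + inner[4]], "options": opts}

def replayed_caps_match(pdu: bytes, caps_ue_sent: bytes) -> bool:
    """UE-side bidding-down check: replayed caps must equal what the UE sent in its
    initial L3 message, otherwise it answers SECURITY MODE REJECT."""
    return parse_security_protected(pdu)["ue_caps"] == caps_ue_sent
```

A mismatch in the replayed capabilities is the signal that someone between UE and MME altered the initial L3 message to force weaker algorithms, which is why the UE must compare them before taking the new context into use.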


  1. Is it mandatory to have the NAS Security Mode Procedure as per the spec?

    1. Hi,

      The NAS security is mandatory as per 3GPP. Please refer to 24.301. Also, the security termination points are provided in TS 36.300, table 14.2-1.

  2. 2 questions:

    Q1. Does eKSI indicate which key in the KASME-list should be used?

    Q2. Which are then the NAS COUNT values (for down/uplink) that the UE should use?


  3. Hi,

    The eKSI indicates the key KASME. The eKSI may be either of type KSI-ASME or of type KSI-SGSN, for native and mapped security contexts respectively. Please refer to section 4.4.3 in 24.301 for the different cases of NAS COUNT handling.


  4. Hi,
    Which part of the Security Mode Command example shows the eKSI value, and how do you derive the KASME from the eKSI value?

    Thank you

  5. Why is it that there are two "Security header type" fields in the message?
    Will the second one ever have a non-zero value?

    This question is not only regarding SMC, for any security protected message.

  6. Looks like all security protected NAS messages are structured like this. See 8.2.23 of 24.301. After the first security header come the MAC, the sequence number and then the NAS message. The NAS message for security mode command (8.2.20) by structure contains a security header.
    I think that before the security mode command, all plain NAS messages use this security header. Once security is established, the first security header type needs to be used.

    I also think that the second security header will never have a non-zero value.

  7. Can we not merge the NAS identity request and authentication request into one?

  8. Can anybody give an example of a Security Mode Command in the NAS LTE protocol for the null integrity algo?

  9. Why is there a separate NAS Security procedure in LTE while there is not one in WCDMA?

    1. check here:

  10. Under what condition does the MME not need to establish NAS security, i.e. not send a SECURITY MODE COMMAND message to the UE?

    1. For example, if the serving network policy allows unauthenticated IMS Emergency Sessions. Refer to 33.401 section 15.2.2

  11. What could be the possible values for Security Header Type in the Security Mode Complete message? I tried (4) "Integrity protected with new EPS security context" and it's working fine. Is that correct behaviour or not?