The purpose of the NAS Security Mode Control Procedure is to take an EPS security context into use, and initialise and start NAS signalling security between the UE and the MME with the corresponding EPS NAS keys and EPS security algorithms.
This enables the UE and the MME to exchange NAS signalling messages in the control plane protected with the NAS security keys.
The NAS security keys are derived from KASME, and new keys are generated every time EPS AKA is performed.
A NAS encryption key (KNASenc) and a NAS integrity key (KNASint) are used for encryption and integrity protection.
The messages that are exchanged in this procedure are:
Security Mode Command
Security Mode Complete
or
Security Mode Reject
We shall look at all three messages in detail in this chapter.
Security Mode Command:
The MME initiates the NAS security mode control procedure by sending a SECURITY MODE COMMAND message to the UE and starting timer T3460.
The MME shall send the SECURITY MODE COMMAND message unciphered, but shall integrity protect the message with the NAS integrity key based on KASME or mapped K’ASME indicated by the eKSI included in the message.
The MME shall set the security header type of the message to “integrity protected with new EPS security context”.
The MME shall create a locally generated KASME and send the SECURITY MODE COMMAND message including a KSI value in the NAS key set identifier IE set to “000” and EIA0 and EEA0 as the selected NAS security algorithms when the security mode control procedure is initiated:
The MME shall include the replayed security capabilities of the UE (including the security capabilities with regard to NAS, RRC and UP (user plane) ciphering etc.).
The MME shall include the replayed nonceUE if the UE included it in the initial L3 message to the network.
The MME may initiate a SECURITY MODE COMMAND in order to change the NAS security algorithms for a current EPS security context already in use.
Additionally, the MME may request the UE to send its IMEISV in the SECURITY MODE COMPLETE message.
The UE shall process a SECURITY MODE COMMAND message including a KSI value in the NAS key set identifier IE set to “000” and EIA0 and EEA0 as the selected NAS security algorithms and, if accepted, create a locally generated KASME when the security mode control procedure is initiated:
Security Mode Complete
Direction: UE => E-UTRAN
Signalling Radio Bearer: SRB1
RLC Mode: AM
Logical Channel: DCCH
Transport Channel: UL-SCH
SECURITY MODE COMPLETE is the response to SECURITY MODE COMMAND.
The UE shall send a SECURITY MODE COMPLETE message integrity protected with the selected NAS integrity algorithm and the EPS NAS integrity key based on the KASME or mapped K’ASME.
Security Mode Reject
Direction: UE => E-UTRAN
Signalling Radio Bearer: SRB1
RLC Mode: AM
Logical Channel: DCCH
Transport Channel: UL-SCH
If the security mode command cannot be accepted, the UE shall send a SECURITY MODE REJECT message.
The SECURITY MODE REJECT message contains an EMM cause that typically indicates one of the following cause values:
#23: UE security capabilities mismatch;
#24: security mode rejected, unspecified.
Upon receipt of the SECURITY MODE REJECT message, the MME shall stop timer T3460. The MME shall also abort the ongoing procedure that triggered the initiation of the NAS security mode control procedure.
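The UE-side decision described above, as an added example that is not part of the original article and not taken from any UE or MME implementation: it checks the replayed UE security capabilities and nonceUE of a SECURITY MODE COMMAND, returns the EMM cause for a reject, and otherwise derives KNASint and KNASenc from KASME. Assumptions: the key derivation follows the KDF of 3GPP TS 33.401 Annex A.7 (not cited in this article); SecurityModeCommand, check_smc and allow_eia0 are hypothetical names; mapping a nonce mismatch or unexpected EIA0 to cause #24 is a choice made here; verification of the message MAC itself is not implemented.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

NAS_ENC_ALG, NAS_INT_ALG = 0x01, 0x02  # algorithm type distinguishers, TS 33.401 A.7

def derive_nas_key(kasme: bytes, alg_type: int, alg_id: int) -> bytes:
    """HMAC-SHA-256(KASME, FC || P0 || L0 || P1 || L1); keep the low 128 bits."""
    if len(kasme) != 32:
        raise ValueError("KASME must be 256 bits")
    s = bytes([0x15, alg_type, 0x00, 0x01, alg_id, 0x00, 0x01])
    return hmac.new(kasme, s, hashlib.sha256).digest()[16:]

@dataclass
class SecurityModeCommand:  # hypothetical decoded view, not a real NAS codec
    eia: int                # selected integrity algorithm (0 = EIA0, null)
    eea: int                # selected ciphering algorithm (0 = EEA0, null)
    replayed_caps: bytes    # replayed UE security capabilities
    replayed_nonce: Optional[bytes] = None  # replayed nonceUE, if any

def check_smc(smc, sent_caps, sent_nonce, ue_eia, ue_eea, allow_eia0=False):
    """Return None to accept, else the EMM cause for SECURITY MODE REJECT."""
    # Altered capabilities or an algorithm the UE never offered: bidding down.
    if not hmac.compare_digest(smc.replayed_caps, sent_caps):
        return 23
    if smc.eia not in ue_eia or smc.eea not in ue_eea:
        return 23
    # Assumption: nonce mismatch and unexpected null integrity map to #24.
    if sent_nonce is not None and smc.replayed_nonce != sent_nonce:
        return 24
    if smc.eia == 0 and not allow_eia0:
        return 24
    return None

if __name__ == "__main__":
    kasme = bytes(range(32))          # constructed KASME, not a real key
    caps = bytes.fromhex("e0e0")      # constructed capability octets
    smc = SecurityModeCommand(eia=2, eea=2, replayed_caps=caps)
    cause = check_smc(smc, caps, None, ue_eia={0, 1, 2}, ue_eea={0, 1, 2})
    if cause is None:                 # accepted: take the context into use
        k_int = derive_nas_key(kasme, NAS_INT_ALG, smc.eia)
        k_enc = derive_nas_key(kasme, NAS_ENC_ALG, smc.eea)
        print("KNASint", k_int.hex(), "KNASenc", k_enc.hex())
    else:
        print("SECURITY MODE REJECT, EMM cause", cause)
```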
Reference: 3GPP TS 24.301