4.4 NAS security

24.5013GPPNon-Access-Stratum (NAS) protocol for 5G System (5GS)Release 17Stage 3TS

4.4.1 General

This clause describes the principles for the handling of 5G NAS security contexts in the UE and in the AMF, the procedures used for the security protection of NAS messages between the UE and the AMF, and the procedures used for the protection of NAS IEs between the UE and the UDM. Security protection involves integrity protection and ciphering of the 5GMM messages. 5GSM messages are security protected indirectly by being piggybacked by the security protected 5GMM messages (i.e. UL NAS TRANSPORT message and the DL NAS TRANSPORT message).

The signalling procedures for the control of NAS security are part of the 5GMM protocol and are described in detail in clause 5.

NOTE: The use of ciphering in a network is an operator option. In this subclause, for the ease of description, it is assumed that ciphering is used, unless explicitly indicated otherwise. Operation of a network without ciphering is achieved by configuring the AMF so that it always selects the "null ciphering algorithm", 5G-EA0.

4.4.2 Handling of 5G NAS security contexts

4.4.2.1 General

The security parameters for authentication, integrity protection and ciphering are tied together in a 5G NAS security context and identified by a key set identifier (ngKSI). The relationship between the security parameters is defined in 3GPP TS 33.501 [24].

Before security can be activated, the AMF and the UE need to establish a 5G NAS security context. Usually, the 5G NAS security context is created as the result of a primary authentication and key agreement procedure between the AMF and the UE. A new 5G NAS security context may also be created during an N1 mode to N1 mode handover. Alternatively, during inter-system change from S1 mode to N1 mode, the AMF not supporting interworking without N26 and the UE operating in single-registration mode may derive a mapped 5G NAS security context from an EPS security context that has been established while the UE was in S1 mode.

The 5G NAS security context is taken into use by the UE and the AMF, when the AMF initiates a security mode control procedure, during an N1 mode to N1 mode handover, or during the inter-system change procedure from S1 mode to N1 mode. The 5G NAS security context which has been taken into use by the network most recently is called current 5G NAS security context. This current 5G NAS security context can be of type native or mapped, i.e. originating from a native 5G NAS security context or mapped 5G NAS security context.

The key set identifier ngKSI is assigned by the AMF either during the primary authentication and key agreement procedure or, for the mapped 5G NAS security context, during the inter-system change. The ngKSI consists of a value and a type of security context parameter indicating whether a 5G NAS security context is a native 5G NAS security context or a mapped 5G NAS security context. When the 5G NAS security context is a native 5G NAS security context, the ngKSI has the value of KSIAMF, and when the current 5G NAS security context is of type mapped, the ngKSI has the value of KSIASME.

The 5G NAS security context which is indicated by an ngKSI can be taken into use to establish the secure exchange of NAS messages when a new N1 NAS signalling connection is established without executing a new primary authentication and key agreement procedure (see subclause 5.4.1) or when the AMF initiates a security mode control procedure. For this purpose, the initial NAS messages (i.e. REGISTRATION REQUEST, DEREGISTRATION REQUEST, SERVICE REQUEST and CONTROL PLANE SERVICE REQUEST) and the SECURITY MODE COMMAND message contain an ngKSI in the ngKSI IE indicating the current 5G NAS security context used to integrity protect the NAS message.

In the present document, when the UE is required to delete an ngKSI, the UE shall set the ngKSI to the value "no key is available" and consider also the associated keys KAMF or K’AMF, 5G NAS ciphering key and 5G NAS integrity key invalid (i.e. the 5G NAS security context associated with the ngKSI as no longer valid). In the initial registration procedure, when the key KAUSF, is invalid, the UE shall delete the ngKSI.

NOTE: In some specifications the term ciphering key sequence number might be used instead of the term key set identifier (KSI).

As described in subclause 4.8 in order to interwork with E-UTRAN connected to EPC, the UE supporting both S1 mode and N1 mode can operate in either single-registration mode or dual-registration mode. A UE operating in dual-registration mode shall independently maintain and use both EPS security context (see 3GPP TS 24.301 [15]) and 5G NAS security context. When the UE operating in dual-registration mode performs an EPS attach procedure, it shall take into use an EPS security context and follow the handling of this security context as specified in 3GPP TS 24.301 [15]. However, when the UE operating in dual-registration mode performs an initial registration procedure, it shall take into use a 5G NAS security context and follow the handling of this security context as described in the present specification.

The UE and the AMF need to be able to maintain two 5G NAS security contexts simultaneously, i.e. a current 5G NAS security context and a non-current 5G NAS security context, since:

a) after a 5G re-authentication, the UE and the AMF can have both a current 5G NAS security context and a non-current 5G NAS security context which has not yet been taken into use (i.e. a partial native 5G NAS security context); and

b) after an inter-system change from S1 mode to N1 mode, the UE and the AMF can have both a mapped 5G NAS security context, which is the current 5G NAS security context, and a non-current native 5G NAS security context that was created during a previous access in N1 mode.

The number of 5G NAS security contexts that need to be maintained simultaneously by the UE and the AMF is limited by the following requirements:

a) after a successful 5G (re-)authentication, which creates a new partial native 5G NAS security context, the AMF and the UE shall delete the non-current 5G NAS security context, if any;

b) when a partial native 5G NAS security context is taken into use through a security mode control procedure, the AMF shall delete the previously current 5G NAS security context. If the UE does not support multiple records of NAS security context storage for multiple registration (see 3GPP TS 31.102 [22]), the UE shall delete the previously current 5G NAS security context. If the UE supports multiple records of NAS security context storage for multiple registration, the UE shall:

1) replace the previously current 5G NAS security context stored in the first 5G security context of that access (see 3GPP TS 31.102 [22]) with the new 5G security context (taken into use through a security mode control procedure), when the UE activates the new 5G security context for the same PLMN and access; or

2) store the previously current 5G NAS security context in the second 5G security context of that access (see 3GPP TS 31.102 [22]) and store the new 5G security context (taken into use through a security mode control procedure) in the first 5G security context, when the UE activates the new 5G security context for a different PLMN over that access but the previously current 5G NAS security context is associated with the 5G-GUTI of the other access;

c) when the AMF and the UE create a 5G NAS security context using "null integrity protection algorithm" and "null ciphering algorithm" during an initial registration procedure for emergency services, or a registration procedure for mobility and periodic registration update for a UE that has an emergency PDU session (see subclause 5.4.2.2), the AMF and the UE shall delete the previous current 5G NAS security context;

d) when a new mapped 5G NAS security context or 5G NAS security context created using "null integrity protection algorithm" and "null ciphering algorithm" is taken into use during the inter-system change from S1 mode to N1 mode, the AMF and the UE shall not delete the previously current native 5G NAS security context, if any. Instead, the previously current native 5G NAS security context shall become a non-current native 5G NAS security context, and the AMF and the UE shall delete any partial native 5G NAS security context;

If no previously current native 5G NAS security context exists, the AMF and the UE shall not delete the partial native 5G NAS security context, if any;

e) when the AMF and the UE derive a new mapped 5G NAS security context during inter-system change from S1 mode to N1 mode, the AMF and the UE shall delete any existing current mapped 5G NAS security context;

f) when a non-current full native 5G NAS security context is taken into use by a security mode control procedure, then the AMF and the UE shall delete the previously current mapped 5G NAS security context;

g) when the UE or the AMF moves from 5GMM-REGISTERED to 5GMM-DEREGISTERED state, if the current 5G NAS security context is a mapped 5G NAS security context and a non-current full native 5G NAS security context exists, then the non-current 5G NAS security context shall become the current 5G NAS security context. Furthermore, the UE and the AMF shall delete any mapped 5G NAS security context or partial native 5G NAS security context.

h) when the UE operating in single-registration mode in a network supporting N26 interface performs an inter-system change from N1 mode to S1 mode:

1) if the UE has a mapped 5G NAS security context and the inter-system change is performed in:

i) 5GMM-IDLE mode, the UE shall delete the mapped 5G NAS security context after the successful completion of the tracking area update procedure or attach procedure (see 3GPP TS 24.301 [15]); or

ii) 5GMM-CONNECTED mode, the UE shall delete the mapped 5G NAS security context after the completion of the inter-system change.

After deletion of the mapped 5G NAS security context, if the UE has a non-current full native 5G NAS security context, then the non-current full native 5G NAS security context shall become the current full native 5G NAS security context; and

i) when the UE operating in single-registration mode in a network supporting N26 interface performs an inter-system change from S1 mode to N1 mode in 5GMM-IDLE mode, if the UE has a non-current full native 5G NAS security context, then the UE shall make the non-current full native 5G NAS security context as the current native 5G NAS security context. The UE shall delete the mapped 5G NAS security context, if any.

If the UE is capable of registration over both 3GPP access and non-3GPP access, the UE in the state 5GMM-DEREGISTERED over both 3GPP access and non-3GPP access shall mark the 5G NAS security contexts of the 3GPP access and the non-3GPP access on the USIM or in the non-volatile memory as invalid when the UE initiates an initial registration procedure over either 3GPP access or non-3GPP access as described in subclause 5.5.1.2 or when the UE leaves state 5GMM-DEREGISTERED for any other state except 5GMM-NULL over either 3GPP access or non-3GPP access. Otherwise, the UE shall mark the 5G NAS security context on the USIM or in the non-volatile memory as invalid when the UE initiates an initial registration procedure as described in subclause 5.5.1.2 or when the UE leaves state 5GMM-DEREGISTERED for any other state except 5GMM-NULL.

If the UE is capable of registration over both 3GPP access and non-3GPP access, the UE shall store the current native 5G NAS security contexts of the 3GPP access and the non-3GPP access as specified in annex C and mark them as valid only when the UE enters state 5GMM-DEREGISTERED from any other state except 5GMM-NULL over both the 3GPP access and non-3GPP access or only when the UE aborts the initial registration procedure without having left 5GMM-DEREGISTERED over both the 3GPP access and non-3GPP access. Otherwise, the UE shall store the current native 5G NAS security context as specified in annex C and mark it as valid only when the UE enters state 5GMM-DEREGISTERED from any other state except 5GMM-NULL or when the UE aborts the initial registration procedure without having left 5GMM-DEREGISTERED.

4.4.2.2 Establishment of a mapped 5G NAS security context during inter-system change from S1 mode to N1 mode in 5GMM-CONNECTED mode

In order for the UE operating in single-registration mode in a network supporting N26 interface to derive a mapped 5G NAS security context for an inter-system change from S1 mode to N1 mode in 5GMM-CONNECTED mode, the AMF shall construct a mapped 5G NAS security context from the EPS security context received from the source MME as indicated in 3GPP TS 33.501 [24]. The AMF shall select the 5G NAS security algorithms and derive the 5G NAS keys (i.e. KNASenc and KNASint). The AMF shall define an ngKSI for the newly derived K’AMF key such that the value field is taken from the eKSI of the KASME key and the type field is set to indicate a mapped security context and associate this ngKSI with the newly created mapped 5G NAS security context. The AMF shall then include the message authentication code, selected NAS algorithms, NCC and generated ngKSI in the S1 mode to N1 mode NAS transparent container IE (see subclause 9.11.2.9).

When the UE operating in single-registration mode in a network supporting N26 interface receives the command to perform inter-system change to N1 mode in 5GMM-CONNECTED mode, the UE shall derive a mapped K’AMF, as indicated in 3GPP TS 33.501 [24], using the KASME from the EPS security context. Furthermore, the UE shall also derive the 5G NAS keys from the mapped K’AMF using the selected NAS algorithm identifiers included in the S1 mode to N1 mode NAS transparent container IE and associate this mapped 5G NAS security context with the ngKSI value received. The UE shall then verify the received NAS MAC. In case the received NAS MAC is not verified successfully (see subclause 4.4.3.3) the UE shall discard the content of the received S1 mode to N1 mode NAS transparent container IE and inform the lower layers that the received S1 mode to N1 mode NAS transparent container is invalid.

When the UE operating in single-registration mode in a network supporting N26 interface has a PDN connection for emergency bearer services and has no current EPS security context, the AMF shall set 5G-IA0 and 5G-EA0 as the selected 5G NAS security algorithms in the S1 mode to N1 mode NAS transparent container IE. The AMF shall create a locally generated K’AMF. The AMF shall set the ngKSI value of the associated security context to "000" and the type of security context flag to "mapped security context" in the S1 mode to N1 mode NAS transparent container IE.

When the UE operating in single-registration mode in a network supporting N26 interface receives the command to perform inter-system change to N1 mode in 5GMM-CONNECTED mode (see 3GPP TS 38.331 [30]) and has a PDN connection for emergency bearer services, if 5G-IA0 and 5G-EA0 as the selected 5G NAS security algorithms are included in the S1 mode to N1 mode NAS transparent container IE, the UE shall create a locally generated K’AMF. Furthermore, the UE shall set the ngKSI value of the associated security context to the KSI value received.

After the new mapped 5G NAS security context is taken into use for the 3GPP access following a successful inter system change from S1 mode to N1 mode in 5GMM-CONNECTED mode and the UE is registered with the same PLMN over the 3GPP access and non-3GPP access:

a) if a native 5G NAS security context is used on the non-3GPP access and:

1) the UE is in 5GMM-IDLE mode over non-3GPP access, then the AMF and the UE shall activate and take into use the new mapped 5G NAS security context on the 3GPP access for the non-3GPP access as described in 3GPP TS 33.501 [24] after the AMF sends or the UE receives the REGISTRATION ACCEPT message respectively. The UE and AMF shall keep the native 5G NAS security context which was used on the non-3GPP access and make it a non-current native 5G NAS security context. The non-current native 5G NAS security context may be re-activated later using the security mode control procedure; or

2) the UE is in 5GMM-CONNECTED mode over non-3GPP access, in order to activate the native 5G NAS security context over the 3GPP access that is active on the non-3GPP access the AMF shall send the SECURITY MODE COMMAND message over the 3GPP access as described in 3GPP TS 33.501 [24]. The SECURITY MODE COMMAND message shall include the same ngKSI to identify the native 5G NAS security context that is used on the non-3GPP access; or

b) if a mapped 5G NAS security context is used on the non-3GPP access and:

1) the UE is in 5GMM-IDLE mode over non-3GPP access, the AMF and the UE shall activate and take into use the new mapped 5G NAS security context active on the 3GPP access for the non-3GPP access as described in 3GPP TS 33.501 [24] after the AMF sends or the UE receives the REGISTRATION ACCEPT message respectively; or

2) the UE is in 5GMM-CONNECTED mode over non-3GPP access, in order to activate the same mapped 5G NAS security context over one access that is used on the other access the AMF shall send the SECURITY MODE COMMAND message over one-access as described in 3GPP TS 33.501 [24]. The SECURITY MODE COMMAND message shall include the same ngKSI to identify the mapped 5G NAS security context that is used over the other access.

If the inter-system change from S1 mode to N1 mode in 5GMM-CONNECTED mode is not completed successfully, the AMF and the UE operating in single-registration mode in a network supporting N26 interface shall delete the new mapped 5G NAS security context.

4.4.2.3 Establishment of a 5G NAS security context during N1 mode to N1 mode handover

During an N1 mode to N1 mode handover, the target AMF may derive a new 5G NAS security context for which the target AMF creates a new 5G NAS security context as indicated in 3GPP TS 33.501 [24].

When a new 5G NAS security context is derived using the same KAMF, the target AMF includes the 8 least significant bits of the downlink NAS COUNT in the Intra N1 mode NAS transparent container IE, and indicates that a new KAMF shall not be derived (see subclause 9.11.2.6). The AMF shall increment the downlink NAS COUNT by one after creating the Intra N1 mode NAS transparent container IE.

When a new 5G NAS security context is created from a new KAMF, the target AMF includes the 8 least significant bits of the downlink NAS COUNT in the Intra N1 mode NAS transparent container IE and indicates that a new KAMF shall be derived (see subclause 9.11.2.6). The AMF shall then set both the uplink and downlink NAS COUNT counters of this 5G NAS security context to zero. The AMF shall increment the downlink NAS COUNT by one after creating the Intra N1 mode NAS transparent container IE.

The target AMF also includes the ngKSI with the same value as the ngKSI currently being used with the UE, the message authentication code, and the selected NAS algorithms in the Intra N1 mode NAS transparent container IE.

When the UE receives a command to perform handover to NG-RAN including an Intra N1 mode NAS transparent container IE (see subclause 9.11.2.6), the UE derives a new 5G NAS security context as described in 3GPP TS 33.501 [24]. When the Intra N1 mode NAS transparent container IE indicates that a new KAMF needs to be derived, the UE shall set both the downlink NAS COUNT and uplink NAS COUNT to zero after creating the new 5G NAS security context.

If the received Intra N1 mode NAS transparent container IE does not have a valid NAS COUNT (see subclause 4.4.3.2) or the received NAS MAC is not verified successfully (see subclause 4.4.3.3) the UE shall discard the content of the received Intra N1 mode NAS transparent container IE, continue to use the current 5G NAS security context, and inform the lower layers that the received Intra N1 mode NAS transparent container is invalid.

NOTE 1: During N1 mode to N1 mode handover, the Intra N1 mode NAS transparent container IE (see subclause 9.11.2.6) is equivalent to sending a SECURITY MODE COMMAND message to the UE in order to derive and use a new 5G NAS security context, optionally created with a new KAMF. The UE maintains the Selected EPS NAS security algorithms until the UE receives a new Selected EPS NAS security algorithms.

After the new 5G NAS security context is taken into use for 3GPP access following a successful N1 mode to N1 mode handover and the UE is registered with the same PLMN over the 3GPP access and non-3GPP access:

a) the UE is in 5GMM-IDLE mode over non-3GPP access, the AMF and the UE shall activate and take into use the new 5G NAS security context over the non-3GPP access as described in 3GPP TS 33.501 [24] after the AMF sends or the UE receives the REGISTRATION ACCEPT message respectively. If the new 5G NAS security context is created from a new KAMF, the AMF and the UE shall set the downlink NAS COUNT and uplink NAS COUNT to zero also for the non-3GPP access, otherwise the downlink NAS COUNT and uplink NAS COUNT for the non-3GPP access are not changed; or

b) the UE is in 5GMM-CONNECTED mode over non-3GPP access, in order to activate the new 5G NAS security context over the non-3GPP access that has been activated for the 3GPP access the AMF shall send the SECURITY MODE COMMAND message over the non-3GPP access as described in 3GPP TS 33.501 [24]. The SECURITY MODE COMMAND message shall include the same ngKSI to identify the new 5G NAS security context that was activated over the 3GPP access and shall include the horizontal derivation parameter indicating "KAMF derivation is not required". Otherwise, if the new 5G NAS security context is created from a new KAMF, the AMF and the UE shall set the downlink NAS COUNT and uplink NAS COUNT to zero for the non-3GPP access.

NOTE 2: Explicit indication "KAMF derivation is not required" for the non-3GPP access is to align security contexts within the UE without a subsequent derivation of a new KAMF in the non-3GPP access.

4.4.2.4 Establishment of an EPS security context during inter-system change from N1 mode to S1 mode in 5GMM-CONNECTED mode

In order for the UE operating in single-registration mode in a network supporting N26 interface to derive a mapped EPS security context for an inter-system change from N1 mode to S1 mode in 5GMM-CONNECTED mode, the AMF shall prepare a mapped EPS security context for the target MME as indicated in 3GPP TS 33.501 [24].

The AMF shall derive a K’ASME using the KAMF key and the downlink NAS COUNT of the current 5G NAS security context, include the corresponding NAS sequence number in the N1 mode to S1 mode NAS transparent container IE (see subclause 9.11.2.7) and then increments its stored downlink NAS COUNT value by one.

NOTE: The creation of the N1 mode to S1 mode NAS transparent container and the increment of the stored downlink NAS COUNT value by one are performed in prior to transferring the mapped EPS security context to the MME.

The AMF shall select the NAS algorithms identifiers to be used in the target MME after the inter-system change from N1 mode to S1 mode in 5GMM-CONNECTED mode, for encryption and integrity protection. The uplink and downlink NAS COUNT associated with the newly derived K’ASME key are set to the uplink and downlink NAS COUNT value of the current 5G NAS security context, respectively. The eKSI for the newly derived K’ASME key shall be defined such as the value field is taken from the ngKSI and the type field is set to indicate a mapped security context.

When the UE operating in single-registration mode in a network supporting N26 interface receives a command to perform inter-system change from N1 mode to S1 mode in 5GMM-CONNECTED mode, the UE shall derive the mapped EPS security context, i.e. derive K’ASME from KAMF using a downlink NAS COUNT based on the NAS sequence number received in the N1 mode to S1 mode NAS transparent container IE (see subclause 9.11.2.7) as described in 3GPP TS 33.501 [24]. The UE shall set the uplink and downlink NAS COUNT values associated with the newly derived K’ASME key to the uplink and downlink NAS COUNT values of the current 5G NAS security context respectively. The eKSI for the newly derived K’ASME key is defined such that the value field is taken from the ngKSI and the type field is set to indicate a mapped security context. The UE shall also derive the NAS keys as specified in 3GPP TS 33.401 [23A] using the EPS NAS security algorithms identifiers that are stored in the UE’s 5G NAS security context.

If the received N1 mode to S1 mode NAS transparent container IE does not have a valid NAS COUNT (see subclause 4.4.3.2) the UE shall discard the content of the received N1 mode to S1 mode NAS transparent container IE and inform the lower layers that the received N1 mode to S1 mode NAS transparent container is invalid.

If the inter-system change from N1 mode to S1 mode in 5GMM-CONNECTED mode is not completed successfully, the AMF and the UE shall delete the new mapped EPS security context.

4.4.2.5 Establishment of secure exchange of NAS messages

Secure exchange of NAS messages via a NAS signalling connection is usually established by the AMF during the registration procedure by initiating a security mode control procedure. After successful completion of the security mode control procedure, all NAS messages exchanged between the UE and the AMF are sent integrity protected using the current 5G security algorithms, and except for the messages specified in subclause 4.4.5, all NAS messages exchanged between the UE and the AMF are sent ciphered using the current 5G security algorithms.

During inter-system change from S1 mode to N1 mode in 5GMM-CONNECTED mode, secure exchange of NAS messages is established between the AMF and the UE by:

a) the transmission of NAS security related parameters encapsulated in the AS signalling from the AMF to the UE triggering the inter-system change in 5GMM-CONNECTED mode (see 3GPP TS 33.501 [24]). The UE uses these parameters to generate the mapped 5G NAS security context (see subclause 8.6.2 of 3GPP TS 33.501 [24]); and

b) after the inter-system change in 5GMM-CONNECTED mode, the transmission of a REGISTRATION REQUEST message from the UE to the AMF. The UE shall send this message integrity protected using the mapped 5G NAS security context and further protect this message as specified in subclause 4.4.6 and subclause 5.5.1.3.2. After the AMF receives the REGISTRATION REQUEST message:

1) if the AMF decides to take the native 5G NAS security context into use, the security mode control procedure is performed. From this time onward, all NAS messages exchanged between the UE and the AMF are sent integrity protected using the native 5G NAS security context, and except for the messages specified in subclause 4.4.5, all NAS messages exchanged between the UE and the AMF are sent ciphered using the native 5G NAS security context; or

2) if the AMF decides to take the mapped 5G NAS security context into use, from this time onward, all NAS messages exchanged between the UE and the AMF are sent integrity protected using the mapped 5G NAS security context, and except for the messages specified in subclause 4.4.5, all NAS messages exchanged between the UE and the AMF are sent ciphered using the mapped 5G NAS security context.

During inter-system change from S1 mode to N1 mode in 5GMM-IDLE mode, if the UE is operating in single-registration mode and:

a) if the UE has a valid native 5G NAS security context, the UE shall transmit a REGISTRATION REQUEST message integrity protected with the native 5G NAS security context. The UE shall include the ngKSI indicating the native 5G NAS security context value in the REGISTRATION REQUEST message.

After receiving the REGISTRATION REQUEST message including the ngKSI indicating a native 5G NAS security context value, the AMF shall check whether the ngKSI included in the REGISTRATION REQUEST message belongs to a 5G NAS security context available in the AMF, and shall verify the MAC of the REGISTRATION REQUEST message. If the verification is successful, the AMF deletes the EPS security context received from the source MME if any, and the AMF re-establishes the secure exchange of NAS messages by either:

1) replying with a REGISTRATION ACCEPT message that is integrity protected and ciphered using the native 5G NAS security context. From this time onward, all NAS messages exchanged between the UE and the AMF are sent integrity protected and except for the messages specified in subclause 4.4.5, all NAS messages exchanged between the UE and the AMF are sent ciphered; or

2) initiating a security mode control procedure. This can be used by the AMF to take a non-current 5G NAS security context into use or to modify the current 5G NAS security context by selecting new NAS security algorithms.

b) if the UE has no valid native 5G NAS security context, the UE shall send the REGISTRATION REQUEST message without integrity protection and encryption.

After receiving the REGISTRATION REQUEST message without integrity protection and encryption:

1) if N26 interface is supported:

i) if an EPS security context received from the source MME does not include the NAS security algorithms set to EIA0 and EEA0, the AMF shall either create a fresh mapped 5G NAS security context (see subclause 8.6.2 of 3GPP TS 33.501 [24]) or trigger a primary authentication and key agreement procedure to create a fresh native 5G NAS security context; or

ii) if an EPS security context received from the source MME includes the NAS security algorithms set to EIA0 and EEA0, the AMF shall trigger a primary authentication and key agreement procedure to create a fresh native 5G NAS security context; or

2) if N26 interface is not supported, the AMF shall trigger a primary authentication and key agreement procedure.

The newly created 5G NAS security context is taken into use by initiating a security mode control procedure and this context becomes the current 5G NAS security context in both the UE and the AMF. This re-establishes the secure exchange of NAS messages.

During an N1 mode to N1 mode handover, secure exchange of NAS messages is established between the AMF and the UE by:

– the transmission of NAS security related parameters encapsulated in the AS signalling from the target AMF to the UE triggering the N1 mode to N1 mode handover (see 3GPP TS 33.501 [24]). The UE uses these parameters to create a new 5G NAS security context.

The secure exchange of NAS messages shall be continued after N1 mode to N1 mode handover. It is terminated after inter-system change from N1 mode to S1 mode in 5GMM-CONNECTED mode or when the NAS signalling connection is released.

When a UE in 5GMM-IDLE mode establishes a new NAS signalling connection and has a valid current 5G NAS security context, the UE shall transmit the initial NAS message integrity protected with the current 5G NAS security context and further protect this message as specified in subclause 4.4.6. The UE shall include the ngKSI indicating the current 5G NAS security context value in the initial NAS message. The AMF shall check whether the ngKSI included in the initial NAS message belongs to a 5G NAS security context available in the AMF, and shall verify the MAC of the NAS message. If the verification is successful, the AMF may re-establish the secure exchange of NAS messages:

a) by replying with a NAS message that is integrity protected and ciphered using the current 5G NAS security context. From this time onward, all NAS messages exchanged between the UE and the AMF are sent integrity protected and except for the messages specified in subclause 4.4.5, all NAS messages exchanged between the UE and the AMF are sent ciphered; or

b) by initiating a security mode control procedure. This can be used by the AMF to take a non-current 5G NAS security context into use or to modify the current 5G NAS security context by selecting new NAS security algorithms.

When a UE attempts multiple registrations in the same or different serving network, both the AMF and the UE shall follow the behavior specified in subclause 6.3.2 of 3GPP TS 33.501 [24]. The UE may support multiple records of NAS security context storage for multiple registration (see 3GPP TS 31.102 [22]). If the UE supports multiple records of NAS security context storage for multiple registration, the UE can select the appropriate one among the stored 5G security contexts to protect the initial NAS message (see 3GPP TS 33.501 [24]).

NOTE: For the case when the UE has two records of NAS security context stored and is attempting registration to the PLMN associated with the 5G-GUTI (or an equivalent PLMN) for that access, the UE uses the first NAS security context of that access to protect the initial NAS message. For the case when the UE has two records of NAS security context stored and is attempting registration to the PLMN associated with the second record (or an equivalent PLMN) of that access, the UE uses the second NAS security context of that access to protect the initial NAS message. For other cases when the UE has two records of NAS security context stored and is attempting registration to a PLMN which is not associated with any NAS security context record, the UE uses either record of the NAS security context of that access to protect the initial NAS message.

4.4.2.6 Change of security keys

When the AMF initiates a re-authentication to create a new 5G NAS security context, the messages exchanged during the authentication procedure are integrity protected and ciphered using the current 5G NAS security context, if any.

Both UE and AMF shall continue to use the current 5G NAS security context, until the AMF initiates a security mode control procedure. The SECURITY MODE COMMAND message sent by the AMF includes the ngKSI of the new 5G NAS security context to be used. The AMF shall send the SECURITY MODE COMMAND message integrity protected with the new 5G NAS security context, but unciphered. When the UE responds with a SECURITY MODE COMPLETE message, it shall send the message integrity protected and ciphered with the new 5G NAS security context.

The AMF can also modify the current 5G NAS security context or take the non-current native 5G NAS security context, if any, into use, by sending a SECURITY MODE COMMAND message including the ngKSI of the 5G NAS security context to be modified and including a new set of selected NAS security algorithms. In this case the AMF shall send the SECURITY MODE COMMAND message integrity protected with the modified 5G NAS security context, but unciphered. When the UE replies with a SECURITY MODE COMPLETE message, it shall send the message integrity protected and ciphered with the modified 5G NAS security context.

4.4.3 Handling of NAS COUNT and NAS sequence number

4.4.3.1 General

Each 5G NAS security context shall be associated with two separate counters NAS COUNT per access type in the same PLMN: one related to uplink NAS messages and one related to downlink NAS messages. If the 5G NAS security context is used for access via both 3GPP and non-3GPP access in the same PLMN, there are two NAS COUNT counter pairs associated with the 5G NAS security context. The NAS COUNT counters use 24-bit internal representation and are independently maintained by UE and AMF. The NAS COUNT shall be constructed as a NAS sequence number (8 least significant bits) concatenated with a NAS overflow counter (16 most significant bits).

When NAS COUNT is input to NAS ciphering or NAS integrity algorithms it shall be considered to be a 32-bit entity which shall be constructed by padding the 24-bit internal representation with 8 zeros in the most significant bits.

The value of the uplink NAS COUNT that is stored or read out of the USIM or non-volatile memory as described in annex C, is the value that shall be used in the next NAS message.

The value of the downlink NAS COUNT that is stored or read out of the USIM or non-volatile memory as described in annex C, is the largest downlink NAS COUNT used in a successfully integrity checked NAS message.

The value of the uplink NAS COUNT stored in the AMF is the largest uplink NAS COUNT used in a successfully integrity checked NAS message.

The value of the downlink NAS COUNT stored in the AMF is the value that shall be used in the next NAS message.

The NAS sequence number part of the NAS COUNT shall be exchanged between the UE and the AMF as part of the NAS signalling. After each new or retransmitted outbound SECURITY PROTECTED 5GS NAS MESSAGE message, the sender shall increase the NAS COUNT number by one, except for the initial NAS messages if the lower layers indicated the failure to establish the RRC connection (see 3GPP TS 38.331 [30]). Specifically, on the sender side, the NAS sequence number shall be increased by one, and if the result is zero (due to wrap around), the stored NAS overflow counter shall also be incremented by one (see subclause 4.4.3.5). If, through implementation-dependent means, the receiver determines that the NAS message is a replay of an earlier NAS message, then the receiver handles the received NAS message as described in subclause 4.4.3.2. Otherwise, in order to determine the estimated NAS COUNT value to be used for integrity verification of a received NAS message:

– The sequence number part of the estimated NAS COUNT value shall be equal to the sequence number in the received NAS message; and

– If the receiver can guarantee that this NAS message was not previously accepted, then the receiver may select the estimated NAS overflow counter so that the estimated NAS COUNT value is lower than the stored NAS COUNT value; otherwise, the receiver selects the estimated NAS overflow counter so that the estimated NAS COUNT value is higher than the stored NAS COUNT value.

During the inter-system change from S1 mode to N1 mode in 5GMM-CONNECTED mode, when a mapped 5G NAS security context is derived and taken into use, the AMF shall set both the uplink and downlink NAS COUNT counters of this 5G NAS security context to zero. The UE shall set both the uplink and downlink NAS COUNT counters of this 5G NAS security context to zero.

During the inter-system change from S1 mode to N1 mode in 5GMM-CONNECTED mode, the AMF shall increment the downlink NAS COUNT by one after it has created an S1 mode to N1 mode NAS transparent container (see subclause 9.11.2.9).

During the inter-system change from N1 mode to S1 mode in 5GMM-CONNECTED mode, the AMF shall increment the downlink NAS COUNT by one after it has created an N1 mode to S1 mode NAS transparent container (see subclause 9.11.2.7).

During N1 mode to N1 mode handover:

a) if the new 5G NAS security context is created with the same KAMF, the AMF shall signal the 8 least significant bits of the current downlink NAS COUNT value in an Intra N1 mode NAS transparent container (see subclause 9.11.2.6). The AMF shall then increment the downlink NAS COUNT by one; or

b) if the new 5G NAS security context is created with a new KAMF, the AMF shall signal the 8 least significant bits of the current downlink NAS COUNT value in an Intra N1 mode NAS transparent container (see subclause 9.11.2.6) and shall then set both the uplink and downlink NAS COUNT counters of this 5G NAS security context to zero. The AMF shall then increment the downlink NAS COUNT by one. The UE shall also set both the uplink and downlink NAS COUNT counters to zero.

NOTE: During the inter-system change from S1 mode to N1 mode in 5GMM-CONNECTED mode, the S1 mode to N1 mode NAS transparent container (see subclause 9.11.2.9) is treated as an implicit SECURITY MODE COMMAND message for the UE and the AMF, and therefore the AMF regards the sending of the S1 mode to N1 mode NAS transparent container as the sending of an initial SECURITY MODE COMMAND message in order to derive and take into use a mapped 5G NAS security context for the purpose of the NAS COUNT handling.

4.4.3.2 Replay protection

Replay protection shall be supported for received NAS messages both in the AMF and the UE. However, since the realization of replay protection does not affect the interoperability between nodes, no specific mechanism is required for implementation.

Replay protection assures that one and the same NAS message is not accepted twice by the receiver. Specifically, for a given 5G NAS security context, a given NAS COUNT value shall be accepted at most one time and only if message integrity verifies correctly.

Replay protection is not applicable when 5G-IA0 is used.

4.4.3.3 Integrity protection and verification

The sender shall use its locally stored NAS COUNT as input to the integrity protection algorithm.

The receiver shall use the NAS sequence number included in the received message and an estimate for the NAS overflow counter as defined in subclause 4.4.3.1 to form the NAS COUNT input to the integrity verification algorithm.

The algorithm to calculate the integrity protection information is specified in 3GPP TS 33.501 [24], and in case of the:

a) SECURITY PROTECTED 5GS NAS MESSAGE message, the integrity protection shall include octet 7 to n, i.e. the Sequence number IE and the NAS message IE.

b) Intra N1 mode NAS transparent container IE and S1 mode to N1 mode NAS transparent container IE, the integrity protection shall include all octets of the value part of the IE starting from octet 7.

NOTE: To ensure backward compatibility, the UE uses all octets starting from octet 7 in the received NAS transparent container for the purpose of integrity check of the NAS transparent container irrespective of the release/version it supports. After a successful integrity check, the UE can ignore the octets which are not specified in the release/version which the UE supports.

In addition to the data that is to be integrity protected, the BEARER ID, DIRECTION bit, NAS COUNT and 5G NAS integrity key are input to the integrity protection algorithm. These parameters are described in 3GPP TS 33.501 [24].

After successful integrity protection validation, the receiver shall update its corresponding locally stored NAS COUNT with the value of the estimated NAS COUNT for this NAS message.

Integrity verification is not applicable when 5G-IA0 is used.

4.4.3.4 Ciphering and deciphering

The sender shall use its locally stored NAS COUNT as input to the ciphering algorithm.

The receiver shall use the NAS sequence number included in the received message and an estimate for the NAS overflow counter as defined in subclause 4.4.3.1 to form the NAS COUNT input to the deciphering algorithm.

The input parameters to the NAS ciphering algorithm are the BEARER ID, DIRECTION bit, NAS COUNT, NAS encryption key and the length of the key stream to be generated by the encryption algorithm.

When applying initial NAS message protection to the REGISTRATION REQUEST or SERVICE REQUEST message as described in subclause 4.4.6, the length of the key stream is set to the length of the entire plain NAS message that is included in the NAS message container IE, i.e. the value part of the NAS message container IE, that is to be ciphered.

When applying initial NAS message protection to the CONTROL PLANE SERVICE REQUEST message as described in subclause 4.4.6, the length of the key stream is set to the length of:

a) the value part of the CIoT small data container IE that is to be ciphered; or

b) the value part of the NAS message container IE that is to be ciphered.

4.4.3.5 NAS COUNT wrap around

If, when increasing the NAS COUNT as specified above, the AMF detects that either its downlink NAS COUNT or the UE’s uplink NAS COUNT is "close" to wrap around, (close to 224), the AMF shall take the following actions:

– If there is no non-current native 5G NAS security context with sufficiently low NAS COUNT values, the AMF shall initiate a new primary authentication and key agreement procedure with the UE, leading to a new established 5G NAS security context and the NAS COUNT being reset to 0 in both the UE and the AMF when the new 5G NAS security context is activated;

– Otherwise, the AMF can activate a non-current native 5G NAS security context with sufficiently low NAS COUNT values or initiate a new primary authentication and key agreement procedure as specified above.

If for some reason a new KAMF has not been established using primary authentication and key agreement procedure before the NAS COUNT wraps around, the node (AMF or UE) in need of sending a NAS message shall instead release the NAS signalling connection. Prior to sending the next uplink NAS message, the UE shall delete the ngKSI indicating the current 5G NAS security context.

When the 5G-IA0 is used as the NAS integrity algorithm, the UE and the AMF shall allow NAS COUNT wrap around. If NAS COUNT wrap around occurs, the following requirements apply:

a) the UE and the AMF shall continue to use the current 5G NAS security context;

b) the AMF shall not initiate the primary authentication and key agreement procedure;

c) the AMF shall not release the NAS signalling connection; and

d) the UE shall not perform a local release of the NAS signalling connection.

4.4.4 Integrity protection of NAS signalling messages

4.4.4.1 General

For the UE, integrity protected signalling is mandatory for the 5GMM NAS messages once a valid 5G NAS security context exists and has been taken into use. For the network, integrity protected signalling is mandatory for the 5GMM NAS messages once a secure exchange of 5GS NAS messages has been established for the NAS signalling connection. Integrity protection of all NAS signalling messages is the responsibility of the NAS. It is the network which activates integrity protection.

The use of "null integrity protection algorithm" 5G-IA0 (see subclause 9.11.3.34) in the current 5G NAS security context is only allowed:

a) for an unauthenticated UE for which establishment of emergency services is allowed;

b) for an W-AGF acting on behalf of an FN-RG; and

c) for a W-AGF acting on behalf of an N5GC device.

For setting the security header type in outbound NAS messages, the UE and the AMF shall apply the same rules irrespective of whether the "null integrity protection algorithm" or any other integrity protection algorithm is indicated in the 5G NAS security context.

If the "null integrity protection algorithm"5G-IA0 has been selected as an integrity protection algorithm, the receiver shall regard the NAS messages with the security header indicating integrity protection as integrity protected.

Details of the integrity protection and verification of NAS signalling messages are specified in 3GPP TS 33.501 [24].

When a NAS message needs to be sent both ciphered and integrity protected, the NAS message is first ciphered and then the ciphered NAS message and the NAS sequence number are integrity protected by calculating the MAC.

NOTE: NAS messages that are ciphered with the "null ciphering algorithm" 5G-EA0 are regarded as ciphered (see subclause 4.4.5).

When a NAS message needs to be sent only integrity protected and unciphered, the unciphered NAS message and the NAS sequence number are integrity protected by calculating the MAC.

When a 5GSM message is piggybacked in a 5GMM message, there is only one Sequence number IE and one Message authentication code IE for the 5GMM message piggybacking the 5GSM message.

4.4.4.2 Integrity checking of NAS signalling messages in the UE

Except the messages listed below, no NAS signalling messages shall be processed by the receiving 5GMM entity in the UE or forwarded to the 5GSM entity, unless the network has established secure exchange of 5GS NAS messages for the NAS signalling connection:

a) IDENTITY REQUEST (if requested identification parameter is SUCI);

b) AUTHENTICATION REQUEST;

c) AUTHENTICATION RESULT;

d) AUTHENTICATION REJECT;

e) REGISTRATION REJECT (if the 5GMM cause is not #76 or #78);

f) DEREGISTRATION ACCEPT (for non switch off); and

g) SERVICE REJECT (if the 5GMM cause is not #76 or #78).

NOTE: These messages are accepted by the UE without integrity protection, as in certain situations they are sent by the network before security can be activated.

Integrity protection is never applied directly to 5GSM messages, but to the 5GMM message in which the 5GSM message is included.

Once the secure exchange of NAS messages has been established, the receiving 5GMM entity in the UE shall not process any NAS signalling messages unless they have been successfully integrity checked by the NAS. If NAS signalling messages, having not successfully passed the integrity check, are received, then the NAS in the UE shall discard that message. The processing of the SECURITY MODE COMMAND message that has not successfully passed the integrity check is specified in subclause 5.4.2.5. If any NAS signalling message is received as not integrity protected even though the secure exchange of NAS messages has been established by the network, then the NAS shall discard this message.

4.4.4.3 Integrity checking of NAS signalling messages in the AMF

Except the messages listed below, no NAS signalling messages shall be processed by the receiving 5GMM entity in the AMF or forwarded to the 5GSM entity, unless the secure exchange of NAS messages has been established for the NAS signalling connection:

a) REGISTRATION REQUEST;

b) IDENTITY RESPONSE (if requested identification parameter is SUCI);

c) AUTHENTICATION RESPONSE;

d) AUTHENTICATION FAILURE;

e) SECURITY MODE REJECT;

f) DEREGISTRATION REQUEST; and

g) DEREGISTRATION ACCEPT;

NOTE 1: The REGISTRATION REQUEST message is sent by the UE without integrity protection, if the registration procedure is initiated due to an inter-system change in 5GMM-IDLE mode and no current 5G NAS security context is available in the UE. The other messages are accepted by the AMF without integrity protection, as in certain situations they are sent by the UE before security can be activated.

NOTE 2: The DEREGISTRATION REQUEST message can be sent by the UE without integrity protection, e.g. if the UE is registered for emergency services and there is no valid 5G NAS security context available, or if due to user interaction a registration procedure is cancelled before the secure exchange of NAS messages has been established. For these cases the network can attempt to use additional criteria (e.g. whether the UE is subsequently still performing periodic registration update or still responding to paging) before marking the UE as 5GMM-DEREGISTERED.

Integrity protection is never applied directly to 5GSM messages, but to the 5GMM message in which the 5GSM message is included.

Once a current 5G NAS security context exists, until the secure exchange of NAS messages has been established for the NAS signalling connection, the receiving 5GMM entity in the AMF shall process the following NAS signalling messages, even if the MAC included in the message fails the integrity check or cannot be verified, as the 5G NAS security context is not available in the network:

a) REGISTRATION REQUEST;

b) IDENTITY RESPONSE (if requested identification parameter is SUCI);

c) AUTHENTICATION RESPONSE;

d) AUTHENTICATION FAILURE;

e) SECURITY MODE REJECT;

f) DEREGISTRATION REQUEST;

g) DEREGISTRATION ACCEPT;

h) SERVICE REQUEST; and

i) CONTROL PLANE SERVICE REQUEST;

NOTE 3: These messages are processed by the AMF even when the MAC that fails the integrity check or cannot be verified, as in certain situations they can be sent by the UE protected with a 5G NAS security context that is no longer available in the network.

If a REGISTRATION REQUEST message for initial registration fails the integrity check and it is not a registration request for emergency services, the AMF shall authenticate the subscriber before processing the registration request any further. Additionally, the AMF shall initiate a security mode control procedure, and include the Additional 5G security information IE with the RINMR bit set to "Retransmission of the initial NAS message requested" in the SECURITY MODE COMMAND message as specified in subclause 5.4.2.2. For the case when the registration procedure is for emergency services see subclause 5.5.1.2.3 and subclause 5.4.1.3.5.

If a REGISTRATION REQUEST message for mobility and periodic registration update fails the integrity check and the UE provided EPS NAS message container IE which was successfully verified by the source MME, the AMF may create a mapped 5G NAS security context and initiate a security mode control procedure to take the new mapped 5G NAS security context into use; otherwise if the UE has only a non-emergency PDU session established, the AMF shall initiate a primary authentication and key agreement procedure to create a new native 5G NAS security context. Additionally, the AMF shall initiate a security mode control procedure, and include the Additional 5G security information IE with the RINMR bit set to "Retransmission of the initial NAS message requested" in the SECURITY MODE COMMAND message as specified in subclause 5.4.2.2. For the case when the UE has an emergency PDU session see subclause 5.5.1.3.3 and subclause 5.4.1.3.5.

If a DEREGISTRATION REQUEST message fails the integrity check, the AMF shall proceed as follows:

– If it is not a deregistration request due to switch off, and the AMF can initiate an authentication procedure, the AMF should authenticate the subscriber before processing the deregistration request any further.

– If it is a deregistration request due to switch off, or the AMF does not initiate an authentication procedure for any other reason, the AMF may ignore the deregistration request and remain in state 5GMM-REGISTERED.

NOTE 4: The network can attempt to use additional criteria (e.g. whether the UE is subsequently still performing periodic registration update or still responding to paging) before marking the UE as 5GMM-DEREGISTERED.

If a SERVICE REQUEST or CONTROL PLANE SERVICE REQUEST message fails the integrity check and the UE has only non-emergency PDU sessions established, the AMF shall send the SERVICE REJECT message with 5GMM cause #9 "UE identity cannot be derived by the network" and keep the 5GMM-context and 5G NAS security context unchanged. For the case when the UE has an emergency PDU session and integrity check fails, the AMF may skip the authentication procedure even if no 5G NAS security context is available and proceed directly to the execution of the security mode control procedure as specified in subclause 5.4.2. Additionally, the AMF shall include the Additional 5G security information IE with the RINMR bit set to "Retransmission of the initial NAS message requested" in the SECURITY MODE COMMAND message as specified in subclause 5.4.2.2. After successful completion of the service request procedure, the network shall perform a local release of all non-emergency PDU sessions. The emergency PDU sessions shall not be released.

Once the secure exchange of NAS messages has been established for the NAS signalling connection, the receiving 5GMM entity in the AMF shall not process any NAS signalling messages unless they have been successfully integrity checked by the NAS. If any NAS signalling message, having not successfully passed the integrity check, is received, then the NAS in the AMF shall discard that message. If any NAS signalling message is received, as not integrity protected even though the secure exchange of NAS messages has been established, then the NAS shall discard this message.

4.4.5 Ciphering of NAS signalling messages

The use of ciphering in a network is an operator option subject to AMF configuration. When operation of the network without ciphering is configured, the AMF shall indicate the use of "null ciphering algorithm" 5G-EA0 (see subclause 9.11.3.34) in the current 5G NAS security context for all UEs. For setting the security header type in outbound NAS messages, the UE and the AMF shall apply the same rules irrespective of whether the "null ciphering algorithm" or any other ciphering algorithm is indicated in the 5G NAS security context.

When the UE establishes a new N1 NAS signalling connection, it shall apply security protection to the initial NAS message as described in subclause 4.4.6.

The UE shall start the ciphering and deciphering of NAS messages when the secure exchange of NAS messages has been established for an N1 NAS signalling connection. From this time onward, unless explicitly defined, the UE shall send all NAS messages ciphered until the N1 NAS signalling connection is released, or the UE performs inter-system change to S1 mode.

The AMF shall start ciphering and deciphering of NAS messages as described in subclause 4.4.2.5. From this time onward, except for the SECURITY MODE COMMAND message, the AMF shall send all NAS messages ciphered until the N1 NAS signalling connection is released, or the UE performs inter-system change to S1 mode.

Ciphering is never applied directly to 5GSM messages, but to the 5GMM message in which the 5GSM message is included.

Once the encryption of NAS messages has been started between the AMF and the UE, the receiver shall discard the unciphered NAS messages which shall have been ciphered according to the rules described in this specification.

If the "null ciphering algorithm" 5G-EA0 has been selected as a ciphering algorithm, the NAS messages with the security header indicating ciphering are regarded as ciphered.

Details of ciphering and deciphering of NAS signalling messages are specified in 3GPP TS 33.501 [24].

4.4.6 Protection of initial NAS signalling messages

The 5GS supports protection of initial NAS messages as specified in 3GPP TS 33.501 [24]. The protection of initial NAS messages applies to the REGISTRATION REQUEST, SERVICE REQUEST and CONTROL PLANE SERVICE REQUEST message, and is achieved as follows:

a) If the UE does not have a valid 5G NAS security context, the UE sends a REGISTRATION REQUEST message including cleartext IEs only. After activating a 5G NAS security context resulting from a security mode control procedure:

1) if the UE needs to send non-cleartext IEs, the UE shall include the entire REGISTRATION REQUEST message (i.e. containing both cleartext IEs and non-cleartext IEs) in the NAS message container IE and shall include the NAS message container IE in the SECURITY MODE COMPLETE message; or

2) if the UE does not need to send non-cleartext IEs, the UE shall include the entire REGISTRATION REQUEST message (i.e. containing cleartext IEs only) in the NAS message container IE and shall include the NAS message container IE in the SECURITY MODE COMPLETE message.

b) If the UE has a valid 5G NAS security context and:

1) the UE needs to send non-cleartext IEs in a REGISTRATION REQUEST or SERVICE REQUEST message, the UE includes the entire REGISTRATION REQUEST or SERVICE REQUEST message (i.e. containing both cleartext IEs and non-cleartext IEs) in the NAS message container IE and shall cipher the value part of the NAS message container IE. The UE shall then send a REGISTRATION REQUEST or SERVICE REQUEST message containing the cleartext IEs and the NAS message container IE;

2) the UE needs to send non-cleartext IEs in a CONTROL PLANE SERVICE REQUEST message:

i) if CIoT small data container IE is the only non-cleartext IE to be sent, the UE shall cipher the value part of the CIoT small data container IE. The UE shall then send a CONTROL PLANE SERVICE REQUEST message containing the cleartext IEs and the CIoT small data container IE;

ii) otherwise, the UE includes non-cleartext IEs in the NAS message container IE and shall cipher the value part of the NAS message container IE. The UE shall then send a CONTROL PLANE SERVICE REQUEST message containing the cleartext IEs and the NAS message container IE;

3) the UE does not need to send non-cleartext IEs in a REGISTRATION REQUEST or SERVICE REQUEST message, the UE sends the REGISTRATION REQUEST or SERVICE REQUEST message without including the NAS message container IE; or

4) the UE does not need to send non-cleartext IEs in a CONTROL PLANE SERVICE REQUEST message, the UE sends the CONTROL PLANE SERVICE REQUEST message without including the NAS message container IE and the CIoT small data container IE.

When the initial NAS message is a REGISTRATION REQUEST message, the cleartext IEs are:

– Extended protocol discriminator;

– Security header type;

– Spare half octet;

– Registration request message identity;

– 5GS registration type;

– ngKSI;

– 5GS mobile identity;

– UE security capability;

– Additional GUTI;

– UE status;

– EPS NAS message container; and

– NID.

Editor’s note: (WI:MINT, CR#3585) it is FFS whether the PLMN with disaster condition IE is a cleartext IE.

When the initial NAS message is a SERVICE REQUEST message, the cleartext IEs are:

– Extended protocol discriminator;

– Security header type;

– Spare half octet;

– ngKSI;

– Service request message identity;

– Service type; and

– 5G-S-TMSI.

When the initial NAS message is a CONTROL PLANE SERVICE REQUEST message, the cleartext IEs are:

– Extended protocol discriminator;

– Security header type;

– Spare half octet;

– ngKSI;

– Control plane service request message identity; and

– Control plane service type.

When the UE sends a REGISTRATION REQUEST or SERVICE REQUEST or CONTROL PLANE SERVICE REQUEST message that includes a NAS message container IE, the UE shall set the security header type of the initial NAS message to "integrity protected".

When the AMF receives an integrity protected initial NAS message which includes a NAS message container IE, the AMF shall decipher the value part of the NAS message container IE. If the received initial NAS message is a REGISTRATION REQUEST message or a SERVICE REQUEST message, the AMF shall consider the NAS message that is obtained from the NAS message container IE as the initial NAS message that triggered the procedure.

When the AMF receives a CONTROL PLANE SERVICE REQUEST message which includes a CIoT small data container IE, the AMF shall decipher the value part of the CIoT small data container IE and handle the message as specified in subclause 5.6.1.4.2.

When the initial NAS message is a DEREGISTRATION REQUEST message, the UE always sends the NAS message unciphered.

If the UE:

a) has 5G-EA0 as a selected 5G NAS security algorithm; and

b) selects a PLMN other than Registered PLMN and EPLMN;

the UE shall delete the 5G NAS security context and send an initial NAS message including cleartext IEs only as described in this subclause for the case when the UE does not have a valid 5G NAS security context.

NOTE: UE deletes the 5G NAS security context only if the UE is not in the connected mode.

4.4.7 Protection of NAS IEs

The network can provide the SOR transparent container IE during the registration procedure to the UE in the REGISTRATION ACCEPT message. The SOR transparent container IE is integrity protected by the HPLMN or subscribed SNPN as specified in 3GPP TS 33.501 [24].

The UE can provide the SOR transparent container IE during the registration procedure to the network in the REGISTRATION COMPLETE message. The SoR-MAC-IUE in the SOR transparent container IE is generated by the UE as specified in 3GPP TS 33.501 [24].

The network can provide the Payload container IE during the Network-initiated NAS transport procedure to the UE in DL NAS TRANSPORT message. If the Payload container type IE is set to "SOR transparent container" or "UE parameters update transparent container", the Payload container IE is integrity protected by the HPLMN or subscribed SNPN as specified in 3GPP TS 33.501 [24]. If the Payload container type IE is set to "Multiple payloads" and the payload container type field of the payload container entry is set to "SOR transparent container" or "UE parameters update transparent container", the payload container entry contents field of the payload container entry is integrity protected correspondingly.

The UE can provide the Payload container IE during the UE-initiated NAS transport procedure to the network in UL NAS TRANSPORT message. If the Payload container type IE is set to "SOR transparent container" or "UE parameters update transparent container", the SoR-MAC-IUE or UPU-MAC-IUE in the Payload container IE is generated by the UE as specified in 3GPP TS 33.501 [24]. If the Payload container type IE is set to "Multiple payloads" and the payload container type field of the payload container entry is set to "SOR transparent container" or "UE parameters update transparent container", the SoR-MAC-IUE or UPU-MAC-IUE in the payload container entry contents field of the payload container entry is generated by the UE correspondingly.