5.3.4 Initial security activation

3GPP TS 36.331: Evolved Universal Terrestrial Radio Access (E-UTRA); Radio Resource Control (RRC); Protocol specification (Release 15)

5.3.4.1 General

Figure 5.3.4.1-1: Security mode command, successful

Figure 5.3.4.1-2: Security mode command, failure

The purpose of this procedure is to activate AS security upon RRC connection establishment.

5.3.4.2 Initiation

E-UTRAN initiates the security mode command procedure to a UE in RRC_CONNECTED. Moreover, E-UTRAN applies the procedure as follows:

– when only SRB1, or for NB-IoT SRB1 and SRB1bis, is established, i.e. prior to establishment of SRB2 and/or DRBs.

5.3.4.3 Reception of the SecurityModeCommand by the UE

The UE shall:

1> derive the KeNB key, as specified in TS 33.401 [32] for E-UTRA/EPC, and TS 33.501 [86] for E-UTRA/5GC;

1> derive the KRRCint key associated with the integrityProtAlgorithm indicated in the SecurityModeCommand message, as specified in TS 33.401 [32];

1> request lower layers to verify the integrity protection of the SecurityModeCommand message, using the algorithm indicated by the integrityProtAlgorithm as included in the SecurityModeCommand message and the KRRCint key;

1> if the SecurityModeCommand message passes the integrity protection check:

2> derive the KRRCenc key and the KUPenc key associated with the cipheringAlgorithm indicated in the SecurityModeCommand message, as specified in TS 33.401 [32];

2> if connected as an RN:

3> derive the KUPint key associated with the integrityProtAlgorithm indicated in the SecurityModeCommand message, as specified in TS 33.401 [32];

2> configure lower layers to apply integrity protection using the indicated algorithm and the KRRCint key immediately, i.e. integrity protection shall be applied to all subsequent messages received and sent by the UE, including the SecurityModeComplete message;

2> configure lower layers to apply ciphering using the indicated algorithm, the KRRCenc key and the KUPenc key after completing the procedure, i.e. ciphering shall be applied to all subsequent messages received and sent by the UE, except for the SecurityModeComplete message which is sent unciphered;

2> if connected as an RN:

3> configure lower layers to apply integrity protection using the indicated algorithm and the KUPint key, for DRBs that are subsequently configured to apply integrity protection, if any;

2> consider AS security to be activated;

2> upon RRC connection establishment, if UE does not need UL gaps during continuous uplink transmission:

3> configure lower layers to stop using UL gaps during continuous uplink transmission in FDD for SecurityModeComplete message and subsequent uplink transmission in RRC_CONNECTED except for UL transmissions as specified in TS 36.211 [21];

2> submit the SecurityModeComplete message to lower layers for transmission, upon which the procedure ends;

1> else:

2> continue using the configuration used prior to the reception of the SecurityModeCommand message, i.e. neither apply integrity protection nor ciphering;

2> submit the SecurityModeFailure message to lower layers for transmission, upon which the procedure ends.
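
The UE-side branches of 5.3.4.3, as an added Python model that is not part of the specification: it shows the ordering (KRRCint derived first, the command verified, integrity applied to SecurityModeComplete, ciphering enabled only afterwards) and the failure branch leaving the prior configuration untouched. The names `kdf`, `mac_i`, `build_smc`, `UeAsSecurity` and `K_ENB`, the two-byte message body, and the HMAC-based key derivation and MAC are assumptions standing in for the TS 33.401 functions; the RN and UL-gap steps are omitted.

```python
import hashlib
import hmac

def kdf(k_enb: bytes, purpose: bytes, alg_id: int) -> bytes:
    """Stand-in KDF (assumption): not the TS 33.401 input encoding."""
    return hmac.new(k_enb, purpose + bytes([alg_id]), hashlib.sha256).digest()[16:]

def mac_i(key: bytes, msg: bytes) -> bytes:
    """Stand-in integrity algorithm (assumption): 32-bit truncated HMAC-SHA-256."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]

def build_smc(k_enb: bytes, int_alg: int, ciph_alg: int):
    """Network side: constructed SecurityModeCommand body plus its MAC."""
    body = bytes([int_alg, ciph_alg])
    return body, mac_i(kdf(k_enb, b"RRC-int", int_alg), body)

class UeAsSecurity:
    def __init__(self, k_enb: bytes):
        self.k_enb = k_enb
        self.keys = {}
        self.integrity_on = False
        self.ciphering_on = False

    def on_security_mode_command(self, body: bytes, rx_mac: bytes) -> dict:
        int_alg, ciph_alg = body[0], body[1]
        # KRRCint is derived first because it is needed to check the command itself.
        k_rrc_int = kdf(self.k_enb, b"RRC-int", int_alg)
        if not hmac.compare_digest(mac_i(k_rrc_int, body), rx_mac):
            # Failure branch: prior configuration kept, reply is unprotected.
            return {"msg": "SecurityModeFailure", "mac": None, "ciphered": False}
        self.keys = {
            "KRRCint": k_rrc_int,
            "KRRCenc": kdf(self.k_enb, b"RRC-enc", ciph_alg),
            "KUPenc": kdf(self.k_enb, b"UP-enc", ciph_alg),
        }
        self.integrity_on = True  # applies immediately, including to the reply
        reply = {"msg": "SecurityModeComplete",
                 "mac": mac_i(k_rrc_int, b"SecurityModeComplete"),
                 "ciphered": self.ciphering_on}  # still False: sent unciphered
        self.ciphering_on = True  # ciphering starts after the procedure completes
        return reply

K_ENB = bytes(range(32))  # constructed key, for illustration only
```

Because the algorithm identifiers sit inside the integrity-protected body in this model, a command whose cipheringAlgorithm field was altered in transit fails the check and the UE stays in its pre-command state.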