9.4 NAS Security

36.523-13GPPEvolved Universal Terrestrial Radio Access (E-UTRA) and Evolved Packet Core (EPC)Part 1: Protocol conformance specificationRelease 16TSUser Equipment (UE) conformance specification

9.4.1 Integrity protection / Correct functionality of EPS NAS integrity algorithm / SNOW3G

9.4.1.1 Test Purpose (TP)

(1)

with { successful completion of EPS authentication and key agreement (AKA) procedure }

ensure that {

when { UE receives a an integrity protected SECURITY MODE COMMAND message instructing to start integrity protection using algorithm SNOW3G }

then { UE transmits an integrity protected SECURITY MODE COMPLETE using SNOW3G and starts applying the NAS Integrity protection in both UL and DL }

(2)

with { Integrity protection successful started by executing Security Mode Procedure}

ensure that {

when { UE receives an IDENTITY REQUEST message without integrity protected }

then { UE foes not transmit an IDENTITY RESPONSE message }

}

9.4.1.2 Conformance requirements

References: The conformance requirements covered in the current TC are specified in: TS 24.301 clause 4.4.4.1, 4.4.4.2, 5.4.3.1, 5.4.3.2 and 5.4.3.3.

[TS 24.301, clause 4.4.4.1]

For the UE, integrity protected signalling is mandatory for the NAS messages once a valid EPS security context exists and has been taken into use. For the network, integrity protected signalling is mandatory for the NAS messages once a secure exchange of NAS messages has been established for the NAS signalling connection. Integrity protection of all NAS signalling messages is the responsibility of the NAS. It is the network which activates integrity protection.

[TS 24.301, clause 4.4.4.2]

Once the secure exchange of NAS messages has been established, the receiving EMM or ESM entity in the UE shall not process any NAS signalling messages unless they have been successfully integrity checked by the NAS. If NAS signalling messages, having not successfully passed the integrity check, are received, then the NAS in the UE shall discard that message. If any NAS signalling message is received as not integrity protected even though the secure exchange of NAS messages has been established by the network, then the NAS shall discard this message.

[TS 24.301, clause 5.4.3.1]

The purpose of the NAS security mode control procedure is to take an EPS security context into use, and initialise and start NAS signalling security between the UE and the MME with the corresponding NAS keys and security algorithms.

[TS 24.301, clause 5.4.3.2]

The MME initiates the NAS security mode control procedure by sending a SECURITY MODE COMMAND message to the UE and starting timer T3460 (see example in figure 5.4.3.2.1).

If the security mode control procedure is initiated further to a successful execution of the authentication procedure, the MME shall use the reset downlink NAS COUNT to integrity protect the SECURITY MODE COMMAND message.

The MME shall send the SECURITY MODE COMMAND message unciphered, but shall integrity protect the message with the NAS integrity key based on KASME or mapped K’ASME indicated by the eKSI included in the message. The MME shall set the security header type of the message to "integrity protected with new EPS security context".

The MME shall include the replayed security capabilities of the UE (including the security capabilities with regard to NAS, RRC and UP (user plane) ciphering as well as NAS, RRC integrity, and other possible target network security capabilities, i.e. UTRAN/GERAN if UE included them in the message to network), the replayed nonceUE if the UE included it in the message to the network, the selected NAS ciphering and integrity algorithms and the Key Set Identifier (eKSI).

Additionally, the MME may request the UE to include its IMEISV in the SECURITY MODE COMPLETE message.

NOTE: The AS and NAS security capabilities will be the same, i.e. if the UE supports one algorithm for NAS it is also be supported for AS.

[TS 24.301, clause 5.4.3.3]

Upon receipt of the SECURITY MODE COMMAND message, the UE shall check whether the security mode command can be accepted or not. This is done by performing the integrity check of the message and by checking that the received UE security capabilities and the received nonceUE have not been altered compared to what the UE provided in the initial layer 3 message that triggered this procedure.

If the type of security context flag is set to "native security context" and if the KSI matches a valid native EPS security context held in the UE while the UE has a mapped EPS security context as the current security context, the UE shall take the native EPS security context into use.

If the security mode command can be accepted, the UE shall reset the uplink NAS COUNT and the UE shall take the new EPS security context into use when:

a) the SECURITY MODE COMMAND message is received further to a successful execution of the authentication procedure; or

b) the type of security context flag is set to "mapped security context" in the NAS KSI IE included in the SECURITY MODE COMMAND message

If the security mode command can be accepted, the UE shall send a SECURITY MODE COMPLETE message integrity protected with the selected NAS integrity algorithm and the NAS integrity key based on the KASME or mapped K’ASME if the type of security context flag is set to "mapped security context" indicated by the eKSI. If the SECURITY MODE COMMAND message includes the type of security context flag set to "mapped security context" in the NAS KSI IE, nonceMME and nonceUE, the UE shall generate K’ASME from both nonces as indicated in 3GPP TS 33.401 [19] and reset the downlink NAS COUNT to check whether the SECURITY MODE COMMAND can be accepted or not. The UE shall cipher the SECURITY MODE COMPLETE message with the selected NAS ciphering algorithm and the NAS ciphering key based on the KASME or mapped K’ASME indicated by the eKSI. The UE shall set the security header type of the message to "integrity protected and ciphered with new EPS security context".

From this time onward the UE shall cipher and integrity protect all NAS signalling messages with the selected NAS ciphering and NAS integrity algorithms.

If the MME indicated in the SECURITY MODE COMMAND message that the IMEISV is requested, the UE shall include its IMEISV in the SECURITY MODE COMPLETE message.

9.4.1.3 Test description

9.4.1.3.1 Pre-test conditions

System Simulator:

– Cell A.

UE:

None.

Preamble:

– The UE is in state Switched OFF (state 1) according to TS 36.508 [18].

9.4.1.3.2 Test procedure sequence

Table 9.4.1.3.2-1: Main behaviour

St

Procedure

Message Sequence

TP

Verdict

U – S

Message

1

The UE is switched on.

2-4B

Steps 2-6 of the generic procedure for UE registration specified in TS 36.508 subclause 4.5.2.3 are performed.

5

The SS transmits a NAS SECURITY MODE COMMAND message to activate NAS security.. It is integrity protected.

<–

SECURITY MODE COMMAND

6

Check: Does the UE transmit a NAS SECURITY MODE COMPLETE message and starts applying the NAS Integrity protection in both UL and DL?

–>

SECURITY MODE COMPLETE

1

P

6Aa1-8Ec1

Steps 9a1-16c1 of the generic procedure for UE registration specified in TS 36.508 subclause 4.5.2.3 are performed.

9

The SS transmits an IDENTITY REQUEST message with Integrity protected and with default ciphering

<-

IDENTITY REQUEST

10

Check: Does the UE transmit an IDENTIY RESPONSE message with Integrity Protected and with default ciphering?

->

IDENTITY RESPONSE

1

P

11

The SS transmits an IDENTITY REQUEST message (not Integrity protected)

<-

IDENTITY REQUEST

12

Check: Does the UE transmit an IDENTIY RESPONSE message within the next 5 seconds?

->

IDENTITY RESPONSE

2

F

13-15

IF MULTI_PDN = TRUE (NOTE) THEN steps 10-12 of the generic procedure for network initiated release of additional PDN connectivity specified in TS 36.508 subclause 4.5A.18.3 are performed for the non-IMS PDN.

NOTE: MULTI_PDN as defined in TS 36.508 subclause 4.5.2.

9.4.1.3.3 Specific message contents

Table 9.4.1.3.3-1: SECURITY MODE COMMAND (Step 5)

Derivation path: 36.508 table 4.7.2-19

Information Element

Value/Remark

Comment

Condition

Selected NAS security algorithms

– Type of integrity protection algorithm

001

EPS integrity algorithm 128-EIA1[SNOW3G]

9.4.2 Integrity protection / Correct functionality of EPS NAS integrity algorithm / AES

9.4.2.1 Test Purpose (TP)

(1)

with { successful completion of EPS authentication and key agreement (AKA) procedure }

ensure that {

when { UE receives an integrity protected SECURITY MODE COMMAND message, to start integrity protection using algorithm AES }

then { UE sends SECURITY MODE COMPLETE, integrity protected with AES and starts applying the NAS Integrity protection in both UL and DL}

(2)

with { Integrity protection successful started by executing Security Mode Procedure}

ensure that {

when { UE receives a IDENTITY REQUEST message (requested identification parameter is not IMSI), without integrity protected }

then { UE Does not transmit IDENTITY Response}

}

9.4.2.2 Conformance requirements

Same Conformance requirements as in clause 9.4.1.2

9.4.2.3 Test description

9.4.2.3.1 Pre-test conditions

Same Pre-test conditions as in clause 9.4.1.3.1

9.4.2.3.2 Test procedure sequence

Same Test procedure sequence as in table 9.4.1.3.2.1, except the integrity protection algorithm is AES.

9.4.2.3.3 Specific message contents

Table 9.4.2.3.3-1: SECURITY MODE COMMAND (Step 6)

Derivation path: 36.508 table 4.7.2-19

Information Element

Value/Remark

Comment

Condition

Selected NAS security algorithms

– Type of integrity protection algorithm

010

EPS integrity algorithm 128-EIA2 (AES)

9.4.3 Ciphering and deciphering / Correct functionality of EPS NAS encryption algorithm / SNOW3G

9.4.3.1 Test Purpose (TP)

(1)

with { successful completion of EPS authentication and key agreement (AKA) procedure }

ensure that {

when { UE receives a SECURITY MODE COMMAND instructing to start ciphering using algorithm SNOW3G }

then { UE sends a SECURITY MODE COMPLETE message ciphered with SNOW3G and starts applying the NAS ciphering in both UL and DL}

}

9.4.3.2 Conformance requirements

References: The conformance requirements covered in the current TC are specified in: TS 24.301 clause 5.4.3.1, 5.4.3.2 and 5.4.3.3.

[TS 24.301, clause 5.4.3.1]

The purpose of the NAS security mode control procedure is to take an EPS security context into use, and initialise and start NAS signalling security between the UE and the MME with the corresponding NAS keys and security algorithms.

[TS 24.301, clause 5.4.3.2]

The MME initiates the NAS security mode control procedure by sending a SECURITY MODE COMMAND message to the UE and starting timer T3460 (see example in figure 5.4.3.2.1).

If the security mode control procedure is initiated further to a successful execution of the authentication procedure, the MME shall use the reset downlink NAS COUNT to integrity protect the SECURITY MODE COMMAND message.

The MME shall send the SECURITY MODE COMMAND message unciphered, but shall integrity protect the message with the NAS integrity key based on KASME or mapped K’ASME indicated by the eKSI included in the message. The MME shall set the security header type of the message to "integrity protected with new EPS security context".

The MME shall include the replayed security capabilities of the UE (including the security capabilities with regard to NAS, RRC and UP (user plane) ciphering as well as NAS, RRC integrity, and other possible target network security capabilities, i.e. UTRAN/GERAN if UE included them in the message to network), the replayed nonceUE if the UE included it in the message to the network, the selected NAS ciphering and integrity algorithms and the Key Set Identifier (eKSI).

Additionally, the MME may request the UE to include its IMEISV in the SECURITY MODE COMPLETE message.

NOTE: The AS and NAS security capabilities will be the same, i.e. if the UE supports one algorithm for NAS it is also be supported for AS.

[TS 24.301, clause 5.4.3.3]

Upon receipt of the SECURITY MODE COMMAND message, the UE shall check whether the security mode command can be accepted or not. This is done by performing the integrity check of the message and by checking that the received UE security capabilities and the received nonceUE have not been altered compared to what the UE provided in the initial layer 3 message that triggered this procedure.

If the type of security context flag is set to "native security context" and if the KSI matches a valid native EPS security context held in the UE while the UE has a mapped EPS security context as the current security context, the UE shall take the native EPS security context into use.

If the security mode command can be accepted, the UE shall reset the uplink NAS COUNT and the UE shall take the new EPS security context into use when:

a) the SECURITY MODE COMMAND message is received further to a successful execution of the authentication procedure; or

b) the type of security context flag is set to "mapped security context" in the NAS KSI IE included in the SECURITY MODE COMMAND message

If the security mode command can be accepted, the UE shall send a SECURITY MODE COMPLETE message integrity protected with the selected NAS integrity algorithm and the NAS integrity key based on the KASME or mapped K’ASME if the type of security context flag is set to "mapped security context" indicated by the eKSI. If the SECURITY MODE COMMAND message includes the type of security context flag set to "mapped security context" in the NAS KSI IE, nonceMME and nonceUE, the UE shall generate K’ASME from both nonces as indicated in 3GPP TS 33.401 [19] and reset the downlink NAS COUNT to check whether the SECURITY MODE COMMAND can be accepted or not. The UE shall cipher the SECURITY MODE COMPLETE message with the selected NAS ciphering algorithm and the NAS ciphering key based on the KASME or mapped K’ASME indicated by the eKSI. The UE shall set the security header type of the message to "integrity protected and ciphered with new EPS security context".

From this time onward the UE shall cipher and integrity protect all NAS signalling messages with the selected NAS ciphering and NAS integrity algorithms.

If the MME indicated in the SECURITY MODE COMMAND message that the IMEISV is requested, the UE shall include its IMEISV in the SECURITY MODE COMPLETE message.

9.4.3.3 Test description

9.4.3.3.1 Pre-test conditions

System Simulator:

– Cell A.

UE:

None.

Preamble:

– The UE is in state Switched OFF (state 1) according to TS 36.508 [18].

9.4.3.3.2 Test procedure sequence

Table 9.4.3.3.2-1: Main behaviour

St

Procedure

Message Sequence

TP

Verdict

U – S

Message

1

The UE is switched on.

2-4B

Steps 2-6 of the generic procedure for UE registration specified in TS 36.508 subclause 4.5.2.3 are performed.

5

The SS transmits a SECURITY MODE COMMAND message to activate NAS security.

<–

SECURITY MODE COMMAND

6

Check: Does the UE transmit a SECURITY MODE COMPLETE message ciphered and starts applying the NAS ciphering in both UL and DL?

–>

SECURITY MODE COMPLETE

1

P

6Aa1-8Ec1

Steps 9a1-16c1 of the generic procedure for UE registration specified in TS 36.508 subclause 4.5.2.3 are performed.

9

The SS transmits an IDENTITY REQUEST message Ciphered

<-

IDENTITY REQUEST

10

Check: Does the UE transmit an IDENTIY RESPONSE message Ciphered?

->

IDENTITY RESPONSE

1

P

11-13

IF MULTI_PDN = TRUE (NOTE) THEN steps 10-12 of the generic procedure for network initiated release of additional PDN connectivity specified in TS 36.508 subclause 4.5A.18.3 are performed for the non-IMS PDN.

NOTE: MULTI_PDN as defined in TS 36.508 subclause 4.5.2.

9.4.3.3.3 Specific message contents

Table 9.4.3.3.3-1: SECURITY MODE COMMAND (Step 5)

Derivation path: 36.508 table 4.7.2-19

Information Element

Value/Remark

Comment

Condition

Selected NAS security algorithms

– Type of ciphering algorithm

001

EPS encryption algorithm 128-EEA1 [SNOW3G]

9.4.4 Ciphering and deciphering / Correct functionality of EPS NAS encryption algorithm / AES

9.4.4.1 Test Purpose (TP)

(1)

with { successful completion of EPS authentication and key agreement (AKA) procedure }

ensure that {

when { UE receives a SECURITY MODE COMMAND, to start encryption using algorithm AES}

then { UE sends SECURITY MODE COMPLETE, encrypted with AES and starts applying the NAS encryption in both UL and DL }

}

9.4.4.2 Conformance requirements

Same Conformance requirements as in clause 9.4.3.2

9.4.4.3 Test description

9.4.4.3.1 Pre-test conditions

Same Pre-test conditions as in clause 9.4.3.3.1

9.4.4.3.2 Test procedure sequence

Same Test procedure sequence as in Table 9.4.3.3.2-1, except the integrity ciphering algorithm is AES.

9.4.4.3.3 Specific message contents

Table 9.4.4.3.3-1: SECURITY MODE COMMAND (Step 5)

Derivation path: 36.508 table 4.7.2-19

Information Element

Value/Remark

Comment

Condition

Selected NAS security algorithms

– Type of ciphering algorithm

010

EPS encryption algorithm 128-EEA2 (AES)

9.4.5 Integrity protection / Correct functionality of EPS NAS integrity algorithm / ZUC

9.4.5.1 Test Purpose (TP)

(1)

with { successful completion of EPS authentication and key agreement (AKA) procedure }

ensure that {

when { UE receives an integrity protected SECURITY MODE COMMAND message, to start integrity protection using algorithm ZUC }

then { UE sends SECURITY MODE COMPLETE, integrity protected with ZUC and starts applying the NAS Integrity protection in both UL and DL}

(2)

with { Integrity protection successful started by executing Security Mode Procedure}

ensure that {

when { UE receives a IDENTITY REQUEST message (requested identification parameter is not IMSI), without integrity protected }

then { UE Does not transmit IDENTITY Response}

}

9.4.5.2 Conformance requirements

Same Conformance requirements as in clause 9.4.1.2

9.4.5.3 Test description

9.4.5.3.1 Pre-test conditions

Same Pre-test conditions as in clause 9.4.1.3.1.

9.4.5.3.2 Test procedure sequence

Same Test procedure sequence as in table 9.4.1.3.2.1, except the integrity protection algorithm is ZUC.

9.4.5.3.3 Specific message contents

Table 9.4.5.3.3-1: SECURITY MODE COMMAND (Step 6)

Derivation path: 36.508 table 4.7.2-19

Information Element

Value/Remark

Comment

Condition

Selected NAS security algorithms

– Type of integrity protection algorithm

011

EPS integrity algorithm 128-EIA3 (ZUC)

9.4.6 Ciphering and deciphering / Correct functionality of EPS NAS encryption algorithm / ZUC

9.4.6.1 Test Purpose (TP)

(1)

with { successful completion of EPS authentication and key agreement (AKA) procedure }

ensure that {

when { UE receives a SECURITY MODE COMMAND, to start encryption using algorithm ZUC}

then { UE sends SECURITY MODE COMPLETE, encrypted with ZUC and starts applying the NAS encryption in both UL and DL }

}

9.4.6.2 Conformance requirements

Same Conformance requirements as in clause 9.4.3.2

9.4.6.3 Test description

9.4.6.3.1 Pre-test conditions

Same Pre-test conditions as in clause 9.4.3.3.1

9.4.6.3.2 Test procedure sequence

Same Test procedure sequence as in Table 9.4.3.3.2-1, except the integrity ciphering algorithm is ZUC.

9.4.6.3.3 Specific message contents

Table 9.4.6.3.3-1: SECURITY MODE COMMAND (Step 5)

Derivation path: 36.508 table 4.7.2-19

Information Element

Value/Remark

Comment

Condition

Selected NAS security algorithms

– Type of ciphering algorithm

011

EPS encryption algorithm 128-EEA3 (ZUC)