Non-access stratum
from Wikipedia

Non-access stratum (NAS) is a functional layer in the NR, LTE, UMTS and GSM wireless telecom protocol stacks between the core network and user equipment.[1] This layer is used to manage the establishment of communication sessions and for maintaining continuous communications with the user equipment as it moves. The NAS is defined in contrast to the Access Stratum which is responsible for carrying information over the wireless portion of the network. A further description of NAS is that it is a protocol for messages passed between the User Equipment, also known as mobiles, and Core Nodes (e.g. Mobile Switching Center, Serving GPRS Support Node, or Mobility Management Entity) that is passed transparently through the radio network. Examples of NAS messages include Update or Attach messages, Authentication Messages, Service Requests and so forth. Once the User Equipment (UE) establishes a radio connection, the UE uses the radio connection to communicate with the core nodes to coordinate service. The distinction is that the Access Stratum is for dialogue explicitly between the mobile equipment and the radio network and the NAS is for dialogue between the mobile equipment and core network nodes.

For LTE, the Technical Specification for NAS is 3GPP TS 24.301. For NR, the Technical Specification for NAS is TS 24.501.

+- – - – - -+       +- – - – - – -+
| HTTP      |       | Application |
+- – - – - -+       +- – - – - – -+
| TCP       |       | Transport   |
+- – - – - -+       +- – - – - – -+
| IP        |       | Internet    |
+- – - – - -+       +- – - – - – -+
| NAS       |       | Network     |
+- – - – - -+       +- – - – - – -+
| AS        |       | Link        |
+- – - – - -+       +- – - – - – -+
| Channels  |       | Physical    |
+- – - – - -+       +- – - – - – -+

Functionality

The following functions exist in the non-access stratum:

  • Mobility management: maintaining connectivity and active sessions with user equipment as the user moves
  • Call control management
  • Session management: establishing, maintaining and terminating communication links
  • Identity management

from Grokipedia
The Non-Access Stratum (NAS) is a functional layer in the control plane of mobile telecommunications networks, defined by 3GPP for systems including UMTS, LTE (EPS) and 5G (5GS), that carries signaling between the User Equipment (UE) and the core network independently of the underlying radio access technology (RAT). Positioned above the Access Stratum (AS), which handles radio-specific functions, the NAS provides the higher-layer control needed for mobility, session handling and security across 3GPP and non-3GPP accesses, without depending on the lower layers of the radio interface. In 5G specifically, the NAS protocol is detailed in 3GPP TS 24.501 and comprises two sub-protocols: 5G Mobility Management (5GMM), which manages UE registration, primary authentication and security mode control, the 5GMM modes (5GMM-IDLE and 5GMM-CONNECTED) and mobility procedures such as mobility registration updates; and 5G Session Management (5GSM), which handles Protocol Data Unit (PDU) session establishment, modification and release together with quality of service (QoS) control, including the session AMBR and the S-NSSAI a session belongs to. Key NAS functions include securing signaling through authentication (5G AKA or EAP-based methods), integrity protection and ciphering; supporting services such as SMS over NAS, location services (LPP carried over NAS) and Steering of Roaming (SoR); and inter-system mobility between the 5G Core and the EPC. It interacts with core network functions such as the Access and Mobility Management Function (AMF) for mobility-related signaling and the Session Management Function (SMF) for session procedures, with messages relayed transparently through the AS so that NAS stays agnostic of the access technology. The NAS also defines error handling, including timers (for example T3346 for congestion back-off and T3510 to supervise the registration request) and rejection causes, so that a UE behaves predictably under network congestion or failures.
The NAS was first defined as a distinct stratum in UMTS and refined for LTE's Evolved Packet System (EPS) with protocols such as EPS Mobility Management (EMM). It has since evolved to support 5G's demands for enhanced connectivity, low-latency services and diverse access types, and was further refined in Release 18 for 5G Advanced features such as enhanced positioning and non-terrestrial network access (itself introduced in Release 17), underpinning features such as emergency services and UE policy delivery from the Policy Control Function (PCF).

Overview

Definition and Purpose

The Non-Access Stratum (NAS) is the highest stratum of the control plane between the User Equipment (UE) and the core network (CN) at the radio interface in mobile telecommunications systems such as those 3GPP defines for LTE and 5G. It comprises the protocols for signaling related to core services: mobility management, which tracks the UE's location and reachability, and session management, which establishes and maintains data connections. Its purpose is to provide end-to-end signaling between the UE and the CN that is independent of the underlying radio access technology (RAT), so that the same core network procedures work over LTE, NR, or even non-3GPP accesses. This independence keeps higher-layer functions such as registration, authentication and bearer setup consistent regardless of radio-specific variations, and lets the core network evolve separately from the access network. A key characteristic of the NAS is that it is transparent to the radio interface: the access stratum (the counterpart layer handling RAT-specific functions such as radio resource allocation) transports NAS messages without interpreting them, so that the UE effectively talks directly to core network elements. In LTE networks, for instance, NAS messages are encapsulated in access stratum signaling such as Radio Resource Control (RRC) messages, traverse the radio access network, and reach the Mobility Management Entity (MME) in the Evolved Packet Core without being interpreted by the eNodeB.

Historical Development

The non-access stratum (NAS) grew out of the signaling design of the earlier mobile standards GSM and UMTS, where the functions that did not concern radio access (mobility management and connection or session management) were already kept separate from radio procedures. In GSM, mobility management covered location registration and the signaling between the mobile equipment and core network elements. In UMTS (3GPP Release 99) the NAS protocols were specified in TS 24.008, handling mobility and session management independently of the UTRAN access stratum. Release 8 (frozen in 2009) introduced the Evolved Packet System (EPS) for LTE networks and specified the EPS NAS protocol in TS 24.301, which defines EPS mobility management (EMM) and EPS session management (ESM) for all-IP, packet-switched communications. A key part of this evolution was the move away from the separate circuit-switched (CS) and packet-switched (PS) domains of 2G (GSM) and 3G (UMTS), where CS carried voice and PS carried data via GPRS signaling, to a single packet-switched NAS in EPS and later systems; this unification simplified procedures and reduced the complexity of supporting diverse services. In Release 15 (frozen in 2018, with a late drop completed in 2019) the NAS was further evolved into the 5G NAS protocol, specified in TS 24.501, to support the 5G System (5GS), adding network slicing, improved mobility robustness and defined interworking with EPS, so that a UE can move between the EPC and the 5G Core, including through inter-system handover.

Architecture and Integration

Position in Protocol Stack

The Non-Access Stratum (NAS) is the highest stratum of the control plane in mobile networks, positioned between the User Equipment (UE) and core network entities such as the Mobility Management Entity (MME) in the Evolved Packet System (EPS) or the Access and Mobility Management Function (AMF) in the 5G System (5GS). It is a Layer 3 protocol that handles non-radio-related signaling for mobility and session management and is transparent to the radio access network. NAS Protocol Data Units (PDUs) are encapsulated in Access Stratum (AS) messages for transport over signaling radio bearers, so NAS signaling crosses the air interface without direct interaction with the radio-specific protocols. NAS messages, such as those for registration or session establishment, are embedded in AS containers such as Radio Resource Control (RRC) messages, with the AS providing radio resource allocation and transmission. This supports end-to-end delivery from the UE to the core network over LTE-Uu and S1-MME in EPS, or over the N1 reference point (UE to AMF) in 5GS. Within the protocol architecture, NAS sits above the AS sublayers (RRC, PDCP, RLC, MAC and the physical layer, PHY) and below core network application logic, a vertical separation that isolates higher-level control functions from radio access details. This positioning lets the NAS manage signaling independently of the access technology, with the AS adapting to the radio environment. In 5G specifically, NAS messages reach the 5G Core (5GC) through the Next Generation Radio Access Network (NG-RAN), including in dual connectivity scenarios where the UE uses several radio links at once but has a single NAS signaling connection to the AMF.

Interaction with Access Stratum

The Non-Access Stratum (NAS) interacts with the Access Stratum (AS) primarily through transparent transport: the AS conveys NAS messages between the User Equipment (UE) and the core network without interpreting their contents. Over the air, NAS messages are carried as opaque containers inside Radio Resource Control (RRC) messages, for example the dedicated NAS message field of RRCConnectionSetupComplete (LTE) or RRCSetupComplete (NR), ULInformationTransfer and DLInformationTransfer; between the base station and the core network they are carried in S1AP (EPS) or NGAP (5GS) messages such as INITIAL UE MESSAGE, UPLINK NAS TRANSPORT and DOWNLINK NAS TRANSPORT. Key interactions include the AS establishing signaling radio bearers to carry NAS, while the NAS requests the AS to set up a signaling connection when it has something to send. For instance, during attach or service request procedures, the NAS asks the AS to establish an RRC connection, which moves the UE from idle to connected, and NAS procedures continue across cell changes because the AS handles radio mobility. In the attach procedure, the UE's NAS layer generates an attach (EPS) or registration (5GS) request, which the AS transports to the base station (eNB in LTE or gNB in NR); the base station forwards it unchanged to the core network entity (MME in EPS or AMF in 5GS) over the appropriate interface. This establishes the initial signaling connection, with the AS handling the radio aspects without altering the NAS payload. Note that the AS relays these initial messages before AS security has been activated, so NAS relies on its own integrity protection and ciphering rather than on the radio link. Because NAS does not depend on a particular AS implementation, the same procedures run over different radio access technologies such as LTE and NR, and over non-3GPP accesses such as WLAN, through standardized service primitives that abstract the radio details.

Core Functions

Mobility Management

Mobility management in the non-access stratum (NAS) handles the registration, location tracking and movement of User Equipment (UE) within the network, keeping the UE reachable without involving the access stratum in those decisions. In the Evolved Packet System (EPS) of LTE this is EPS Mobility Management (EMM), which defines the procedures for attaching to the network and updating location information. In 5G systems, 5G Mobility Management (5GMM) performs the analogous functions, adapted to the 5G core architecture, including network slicing and additional mobility scenarios.

Key EMM procedures are the attach procedure, which registers the UE, creates an EMM context and (through the piggybacked ESM procedure) activates a default bearer; detach, initiated by the UE or the network to release the context; and tracking area update (TAU), by which the UE reports that it has moved outside its tracking area list or confirms that it is still present (periodic TAU). In idle mode the UE performs TAU autonomously when it leaves its tracking area list, without needing an active radio connection beforehand. EMM states include EMM-REGISTERED, in which the UE has a valid EMM context and can be paged, and EMM-DEREGISTERED, in which the network holds no valid location for the UE. EPS also supports combined attach, a single procedure that registers the UE for packet-switched services and for circuit-switched fallback or SMS-only service at the same time.

The 5GMM counterparts are registration (initial registration, and mobility registration update as the counterpart of TAU, triggered by entering a tracking area outside the registration area or by timer expiry), deregistration, and, in 5GMM-IDLE mode, the periodic registration update that keeps the UE reachable while it performs cell reselection on its own. 5GMM states include 5GMM-REGISTERED, with a valid 5GMM context, and 5GMM-DEREGISTERED, each with substates such as NORMAL-SERVICE or LIMITED-SERVICE that reflect service availability. A 5GS registration request can also carry work that would otherwise need separate procedures: authentication and security mode control run inside the registration procedure when needed, and the Uplink data status IE lets the UE re-activate the user plane of existing PDU sessions without a separate service request.

Periodic TAU in EPS is governed by T3412, a GPRS timer value the network assigns in the ATTACH ACCEPT or TRACKING AREA UPDATE ACCEPT; the default is 54 minutes. With the basic GPRS timer coding the value is limited to about three hours (31 units of six minutes), while the extended coding (GPRS timer 3, used for the T3412 extended value) allows up to 31 units of 320 hours, over a year, for power-saving scenarios such as PSM. Operators typically pick shorter intervals in high-mobility areas and longer ones for stationary devices. In 5GS the analogous timer is T3512 (default 54 minutes), which governs periodic registration updates. These timers make the UE signal its presence regularly; if the timer expires and the UE does not reappear before the network's mobile reachable timer and implicit detach (or deregistration) timer have also run out, the network implicitly detaches or deregisters the UE.

Session Management

In the Non-Access Stratum (NAS) protocol, session management establishes, modifies and releases data sessions, including bearer contexts and quality of service (QoS) parameters, to provide packet data network (PDN) connectivity between the User Equipment (UE) and the core network. It decides how data flows are prioritized and resourced without taking part in radio access procedures. In the Evolved Packet System (EPS) this is EPS Session Management (ESM); in the 5G System (5GS) it is 5G Session Management (5GSM).

ESM in 4G works with EPS bearer contexts (a default bearer for initial connectivity and dedicated bearers for additional resources), the Access Point Name (APN) that identifies the PDN, and Protocol Configuration Options (PCO) for exchanging parameters such as IP addresses and DNS servers. Key procedures are the PDN connectivity request, in which the UE sends a PDN CONNECTIVITY REQUEST specifying APN and PDN type and the network responds by activating a default bearer; bearer resource allocation and modification, in which the UE asks for or adjusts resources via BEARER RESOURCE ALLOCATION REQUEST or BEARER RESOURCE MODIFICATION REQUEST, negotiating parameters such as bit rates; and network-initiated dedicated EPS bearer activation, which links a new bearer to an existing default bearer and attaches Traffic Flow Templates (TFTs) for packet filtering.

5GSM builds on the same principles but uses Protocol Data Unit (PDU) sessions as the association between the UE and the data network (DN), identified by a PDU session identity and a Data Network Name (DNN), the 5G equivalent of the APN, with QoS flows as the unit of resource handling within a session. The PDU session establishment procedure, analogous to PDN connectivity, has the UE send a PDU SESSION ESTABLISHMENT REQUEST with DNN and Session and Service Continuity (SSC) mode, after which the network activates a default QoS flow and, for IP session types, assigns an address. QoS flows are added, modified and released through the PDU session modification procedure, whose QoS rules carry operation codes to create or update flows; dedicated QoS flows beyond the default are described by QoS flow descriptions for services that need distinct treatment.

APN selection in 4G happens during attach: the UE may provide an APN in the PDN CONNECTIVITY REQUEST or, when it sets the ESM information transfer flag, in the ESM INFORMATION RESPONSE (that step exists so the APN and PCO can be sent after NAS security is activated), and the Mobility Management Entity (MME) uses it or falls back to the subscribed default APN according to subscription data and network policy. In 5G, DNN selection happens during PDU session establishment, guided by UE Route Selection Policy (URSP) rules, with the Access and Mobility Management Function (AMF) and Session Management Function (SMF) applying subscription-based logic. QoS parameters in both systems identify the treatment of traffic with a scalar: the QoS Class Identifier (QCI) in EPS and the 5G QoS Identifier (5QI) in 5GS, whose standardized values (1 through 9 in the original tables, with further values added later) define priority level, packet delay budget and packet error rate, for example conversational voice (QCI/5QI 1, short delay budget) or buffered video and TCP-based applications (QCI/5QI 8, longer delay budget). These are complemented by bit rate controls such as the Maximum Bit Rate (MBR), the Guaranteed Bit Rate (GBR) or, in 5G, the Guaranteed Flow Bit Rate (GFBR), enforced per bearer or flow.

A representative example is the activation of the default bearer or QoS flow during initial connectivity. In 4G, the network sends an ACTIVATE DEFAULT EPS BEARER CONTEXT REQUEST inside the ESM message container of the ATTACH ACCEPT, including the PDN address information element that assigns the IPv4 and/or IPv6 address, and the UE answers with ACTIVATE DEFAULT EPS BEARER CONTEXT ACCEPT to complete IP connectivity. In 5G, the PDU SESSION ESTABLISHMENT ACCEPT similarly carries the PDU address and, in its extended PCO, details such as DNS server addresses, activating the default QoS flow for data transmission. During handovers and other mobility state changes, session management keeps these bearers or flows alive across network elements.

Protocols and Procedures

Evolved Packet System NAS

The Evolved Packet System (EPS) Non-Access Stratum (NAS) protocol runs between the User Equipment (UE) and the Mobility Management Entity (MME) in LTE networks and carries the signaling for mobility and session management without involving the radio access network. It has two sublayers: EPS Mobility Management (EMM) for UE registration, location updates and security, and EPS Session Management (ESM) for establishing, modifying and releasing the bearers that provide IP connectivity. The protocol is specified in 3GPP TS 24.301, which gives the stage 3 details: message formats, procedures and information elements (IEs).

The ATTACH REQUEST, which initiates UE attachment, illustrates the message layout. Its mandatory IEs include the EPS attach type, the NAS key set identifier (eKSI), the EPS mobile identity (a GUTI if the UE has a valid one, otherwise the International Mobile Subscriber Identity, IMSI), the UE network capability, which advertises the supported security algorithms (EEA0 to EEA7 for ciphering, EIA0 to EIA7 for integrity) as well as features such as SRVCC and extended DRX (eDRX), and an ESM message container that embeds a PDN CONNECTIVITY REQUEST for the default bearer. An ATTACH REQUEST from a UE without a security context is sent unprotected, which is why the identity and capability IEs are visible on the air; a UE that holds a valid EPS security context sends it integrity protected (but not ciphered), and the MME replays the received UE security capabilities in the SECURITY MODE COMMAND so that the UE can detect tampering with them.

EPS NAS messages fall into mobility management and session management types with distinct formats. Mobility management messages such as the TRACKING AREA UPDATE REQUEST let the UE report location changes or periodic updates, carrying IEs such as the EPS update type (normal, combined or periodic TAU), the old GUTI, the last visited registered Tracking Area Identity (TAI) and the UE network capability, so that the EMM context stays current. Session management messages such as the PDN CONNECTIVITY REQUEST activate bearers for PDN access with IEs including the Access Point Name (APN), PDN type (IPv4, IPv6 or IPv4v6), request type (initial or handover) and Protocol Configuration Options for address and DNS configuration. The EPS bearer identity is a 4-bit field, allowing up to 15 simultaneous bearer contexts per UE.

Two attach variants are specific to EPS. The combined EPS/IMSI attach (EPS attach type 010) lets a UE that relies on circuit-switched fallback (CSFB) register for EPS packet services and for non-EPS services such as CS voice or SMS in a single procedure, adding IEs such as MS network capability for legacy compatibility. The emergency attach (EPS attach type 110) grants access limited to emergency bearer services; when authentication is not possible or fails, the network may proceed without it and select the null algorithms EIA0/EEA0, so that an emergency PDN connection can be set up quickly even without a valid subscription. Both improve service continuity and accessibility, and the emergency path is the one deliberately unauthenticated mode of EPS NAS.

NAS security in EPS is activated after authentication from the EPS security context rooted in K_ASME. Integrity-protected messages carry a security header (type 0001, or 0010 when also ciphered) with a 32-bit message authentication code, MAC-I, computed over the NAS sequence number and the (ciphered, where applicable) message body; the receiver recomputes the MAC-I with the shared K_NASint and discards the message if it differs. The SERVICE REQUEST message uses a compact form (security header type 1100) with a 16-bit short MAC. Ciphering with K_NASenc is optional and, when used, is applied before the MAC is computed, so both confidentiality and authenticity hold from the first protected message onward; this prevents tampering with signaling and secures the mobility procedures built on it. The EPS NAS protocol has since been extended into the 5G NAS protocol.
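The ATTACH REQUEST layout described above can be checked against real captures. The decoder below is example code written for this page (not from 3GPP or any project): it parses the fixed leading fields of a plain ATTACH REQUEST and reports what a NAS monitor would flag, namely a permanent identity sent in clear, a capability set that offers only the null algorithms, or an emergency attach. The sample message is constructed for the example; IMSI 001010123456789 belongs to the test PLMN 001/01.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Plain ATTACH REQUEST (TS 24.301 8.2.4): octet 1 = security header 0000 | protocol
// discriminator 0111 (EMM); octet 2 = message type 0x41; octet 3 = NAS key set
// identifier (high nibble) | EPS attach type (low nibble); then EPS mobile identity
// (LV), UE network capability (LV) and ESM message container (LV-E).
// Example code written for this page, not from the specification or any project.

type AttachRequest struct {
	AttachType   byte   // 1 = EPS attach, 2 = combined EPS/IMSI attach, 6 = emergency attach
	KSI          byte   // 7 means "no key is available": the UE has no EPS security context
	IdentityType string // "IMSI", "IMEI" or "GUTI" (TS 24.008 10.5.1.4 type of identity)
	Identity     string
	EEA, EIA     byte // algorithm bitmaps: bit 8 = algorithm 0 ... bit 1 = algorithm 7
}

// bcdDigits decodes a nibble-swapped BCD identity: the first digit is the high nibble
// of the type octet; an even digit count leaves a 0xF filler nibble at the end.
func bcdDigits(first byte, rest []byte, odd bool) string {
	var sb strings.Builder
	sb.WriteByte('0' + first)
	for _, b := range rest {
		sb.WriteByte('0' + b&0x0f)
		sb.WriteByte('0' + b>>4)
	}
	s := sb.String()
	if !odd && len(rest) > 0 {
		s = s[:len(s)-1] // drop the filler
	}
	return s
}

// ParseAttachRequest decodes the fields a NAS monitor needs from a plain ATTACH REQUEST.
func ParseAttachRequest(msg []byte) (*AttachRequest, error) {
	if len(msg) < 4 || msg[0] != 0x07 || msg[1] != 0x41 {
		return nil, errors.New("not a plain EMM ATTACH REQUEST")
	}
	ar := &AttachRequest{AttachType: msg[2] & 0x07, KSI: (msg[2] >> 4) & 0x07}
	pos := 3
	l := int(msg[pos])
	pos++
	if l < 1 || pos+l > len(msg) {
		return nil, errors.New("bad EPS mobile identity length")
	}
	id := msg[pos : pos+l]
	pos += l
	odd := id[0]&0x08 != 0
	switch id[0] & 0x07 {
	case 1:
		ar.IdentityType, ar.Identity = "IMSI", bcdDigits(id[0]>>4, id[1:], odd)
	case 3:
		ar.IdentityType, ar.Identity = "IMEI", bcdDigits(id[0]>>4, id[1:], odd)
	case 6:
		if l != 11 {
			return nil, errors.New("GUTI must be 11 octets")
		}
		ar.IdentityType = "GUTI"
		ar.Identity = fmt.Sprintf("PLMN=%x MMEGI=%x MMEC=%02x M-TMSI=%x", id[1:4], id[4:6], id[6], id[7:11])
	default:
		return nil, fmt.Errorf("unexpected type of identity %d", id[0]&0x07)
	}
	if pos >= len(msg) {
		return nil, errors.New("truncated before UE network capability")
	}
	l = int(msg[pos])
	pos++
	if l < 2 || pos+l > len(msg) {
		return nil, errors.New("bad UE network capability length")
	}
	ar.EEA, ar.EIA = msg[pos], msg[pos+1]
	return ar, nil
}

// Findings lists what a monitor would flag in an ATTACH REQUEST seen on the air.
func Findings(ar *AttachRequest) []string {
	var f []string
	if ar.IdentityType == "IMSI" {
		f = append(f, "permanent identity (IMSI) sent in clear; a GUTI is expected once the UE has attached before")
	}
	if ar.EIA&0x7f == 0 {
		f = append(f, "UE offers no integrity algorithm other than EIA0")
	}
	if ar.EEA&0x7f == 0 {
		f = append(f, "UE offers no ciphering algorithm other than EEA0")
	}
	if ar.AttachType == 6 {
		f = append(f, "emergency attach: the network may skip authentication and select EIA0/EEA0")
	}
	return f
}

// Constructed sample: first attach of IMSI 001010123456789 with EEA0-2 and EIA1-2
// supported, followed by a minimal ESM message container (PDN CONNECTIVITY REQUEST).
var sampleAttach = []byte{
	0x07, 0x41, 0x71,
	0x08, 0x09, 0x10, 0x10, 0x10, 0x32, 0x54, 0x76, 0x98, // EPS mobile identity: IMSI
	0x02, 0xe0, 0x60, // UE network capability: EEA0/1/2, EIA1/2
	0x00, 0x03, 0x02, 0x01, 0xd0, // ESM container
}

func main() {
	ar, err := ParseAttachRequest(sampleAttach)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", *ar)
	for _, f := range Findings(ar) {
		fmt.Println("finding:", f)
	}
}
```

The parser stops after the UE network capability, which is all the findings need; the remaining optional IEs are type-tagged and would need a TLV walker. The IMSI finding is the privacy point of the section: it is normal on the very first attach of a SIM, and suspicious when it keeps recurring for the same subscriber.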

5G NAS Protocol

The 5G Non-Access Stratum (NAS) protocol is specified in 3GPP TS 24.501, which defines the mobility management and session management procedures of the 5G System (5GS). It has two sublayers: 5G Mobility Management (5GMM), covering UE registration, reachability, mobility and security, and 5G Session Management (5GSM), covering PDU session establishment and maintenance. 5GMM distinguishes registration states (5GMM-REGISTERED, in which the UE is registered and reachable, and 5GMM-DEREGISTERED) from connection modes: in 5GMM-IDLE no NAS signaling connection exists, whereas in 5GMM-CONNECTED the UE has an active NAS signaling connection with the AMF.

The 5G NAS protocol carries the signaling for several 5G-specific features. Network slicing uses Single Network Slice Selection Assistance Information (S-NSSAI): the UE requests slices at registration and the network returns the allowed NSSAI. Multiple PDU sessions may coexist over 3GPP and non-3GPP access, with session types IPv4, IPv6, IPv4v6, Ethernet or Unstructured toward different data networks. Edge computing is supported through NAS procedures that deliver edge-related information, such as Edge Application Server (EAS) discovery parameters, during PDU session establishment or modification.

The core 5GMM procedure is registration, which replaces the LTE attach: the UE sends a REGISTRATION REQUEST to the Access and Mobility Management Function (AMF) with its 5GS mobile identity (a SUCI or a 5G-GUTI), the requested NSSAI and its 5GMM capabilities, and on success the AMF answers with REGISTRATION ACCEPT, assigning a 5G Globally Unique Temporary Identifier (5G-GUTI) and the allowed and configured NSSAI. The service request procedure moves the UE from 5GMM-IDLE to 5GMM-CONNECTED with a SERVICE REQUEST that activates user plane resources for existing PDU sessions without a new registration. The 5G NAS protocol is used in standalone (SA) deployments, where the NG-RAN connects to the 5G Core (5GC); non-standalone (NSA) deployments keep E-UTRAN connected to the Evolved Packet Core (EPC) and therefore use the EPS NAS protocol, with NR added only as a secondary radio. Interworking with EPS NAS is defined so that security contexts are mapped between 5GS and EPS during inter-system handover and idle-mode mobility.

Security Mechanisms

Authentication Procedures

The NAS authentication procedures establish mutual verification between the User Equipment (UE) and the network and produce the shared keys that protect subsequent NAS signaling. They form the initial security handshake: the UE's subscription credentials are validated against the Home Subscriber Server (HSS) in EPS, or the Unified Data Management / Authentication credential Repository and Processing Function (UDM/ARPF) in 5G, while the UE in turn verifies that the challenge comes from its home network. Both systems use the same challenge-response pattern, with 5G adding privacy and key-separation enhancements.

In EPS, the EPS Authentication and Key Agreement (EPS AKA) procedure provides mutual authentication and key agreement over E-UTRAN. The Mobility Management Entity (MME) requests an EPS authentication vector from the HSS, which contains a random challenge (RAND), an authentication token (AUTN), the expected response (XRES) and the base key K_ASME. The MME sends an AUTHENTICATION REQUEST to the UE carrying RAND, AUTN and the key set identifier KSI_ASME. The Universal Subscriber Identity Module (USIM) verifies AUTN, which proves network authenticity through its message authentication code and its sequence number (SQN), masked by the anonymity key (AK), and computes the response RES together with the cipher key (CK) and integrity key (IK) from RAND. The UE returns RES in an AUTHENTICATION RESPONSE, and the MME compares it with XRES to authenticate the UE. Both sides then derive K_ASME from CK, IK and the serving network identity using a key derivation function (KDF), and from K_ASME the NAS keys K_NASenc and K_NASint, with the algorithm type and identity as inputs. The functions f1 (MAC), f2 (RES), f3 (CK), f4 (IK) and f5 (AK) are typically implemented by the MILENAGE algorithm set, built on a 128-bit subscriber key and the Rijndael (AES) block cipher; TUAK is the standardized alternative and operators may use proprietary algorithms.

The 5G AKA procedure builds on EPS AKA with enhancements for privacy and flexibility in the 5G Core (5GC). To counter IMSI catchers, the UE sends a Subscription Concealed Identifier (SUCI) instead of the Subscription Permanent Identifier (SUPI): the SUPI is encrypted with the home network public key using an ECIES-based scheme, and the Subscription Identifier De-concealing Function (SIDF) in the UDM decrypts it. The Security Anchor Function (SEAF, co-located with the AMF) forwards the SUCI to the Authentication Server Function (AUSF), which obtains an authentication vector (RAND, AUTN, XRES*, K_AUSF) from the UDM/ARPF and passes RAND, AUTN and HXRES* to the SEAF. The SEAF sends a 5G NAS AUTHENTICATION REQUEST with RAND, AUTN, the next-generation key set identifier (ngKSI) and the ABBA parameter. The UE verifies AUTN, computes RES* (derived from RES, RAND and the serving network name, not simply a truncation of RES) and replies with an AUTHENTICATION RESPONSE. The SEAF first checks a hash of RES* against HXRES*, then forwards RES* to the AUSF, which compares it with XRES* and confirms the result to the SEAF; only the home network therefore makes the final authentication decision. The key hierarchy follows: K_AUSF is derived from CK, IK and the serving network name; K_SEAF from K_AUSF; K_AMF from K_SEAF, SUPI and ABBA; and finally K_NASenc and K_NASint from K_AMF with the KDF (FC = 0x69, algorithm type distinguisher 0x01 for ciphering or 0x02 for integrity, plus the algorithm identity), yielding 128-bit keys for the selected algorithms. EAP-AKA' is the alternative primary authentication method, applicable over both 3GPP and non-3GPP access; it derives CK' and IK' and an extended master session key (EMSK) from which K_AUSF is taken, after which the hierarchy is the same. For non-3GPP access through an untrusted (N3IWF) or trusted (TNGF, TWIF) gateway, the access-specific keys K_N3IWF, K_TNGF and K_TWIF are derived from K_AMF. The NAS keys are taken into use by the security mode command procedure, which activates ciphering and integrity protection for the remaining exchanges.
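Every derivation named in this section uses one primitive, the 3GPP key derivation function of TS 33.220. The block below is example code written for this page (not from the specifications or any implementation): it implements that KDF and derives K_NASenc and K_NASint from K_AMF (FC = 0x69) or K_ASME (FC = 0x15), and shows how K_AMF is bound to the SUPI and the ABBA parameter. The K_SEAF value is constructed; the FC value 0x6D for K_AMF and the encoding of the SUPI as a plain IMSI digit string are assumptions from my reading of TS 33.501 Annex A, to be checked against the Annex before any real use.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// kdf is the generic 3GPP key derivation function (TS 33.220 Annex B.2): HMAC-SHA-256
// keyed with the input key over S = FC || P0 || L0 || P1 || L1 ..., each Li being the
// big-endian 16-bit length of Pi. Example code written for this page.
func kdf(key []byte, fc byte, params ...[]byte) []byte {
	s := []byte{fc}
	for _, p := range params {
		s = append(s, p...)
		s = append(s, byte(len(p)>>8), byte(len(p)))
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(s)
	return mac.Sum(nil)
}

const (
	fcEPSAlgKey = 0x15 // TS 33.401 A.7: NAS algorithm keys from K_ASME
	fc5GAlgKey  = 0x69 // TS 33.501 A.8: NAS algorithm keys from K_AMF
	fcKAMF      = 0x6d // K_AMF from K_SEAF (assumed FC value; verify in TS 33.501 A.7)
	nasEncAlg   = 0x01 // algorithm type distinguisher: NAS ciphering
	nasIntAlg   = 0x02 // algorithm type distinguisher: NAS integrity
)

// algorithmKey derives a 128-bit NAS algorithm key: the 128 least significant bits of
// KDF(root, FC, type distinguisher, algorithm identity); e.g. (0x02, 0x02) is EIA2/NIA2.
func algorithmKey(root []byte, fc, algType, algID byte) []byte {
	return kdf(root, fc, []byte{algType}, []byte{algID})[16:]
}

// kAMF binds K_AMF to the subscriber and to the ABBA parameter: P0 = SUPI, P1 = ABBA.
// The SUPI is assumed here to be passed as its IMSI digit string (an assumption).
func kAMF(kSEAF []byte, supi string, abba []byte) []byte {
	return kdf(kSEAF, fcKAMF, []byte(supi), abba)
}

type nasKeys struct{ KNASenc, KNASint []byte }

// deriveNASKeys produces the pair taken into use by a security mode command: fc selects
// the system (fcEPSAlgKey or fc5GAlgKey); encID and intID are the selected algorithm identities.
func deriveNASKeys(root []byte, fc, encID, intID byte) nasKeys {
	return nasKeys{
		KNASenc: algorithmKey(root, fc, nasEncAlg, encID),
		KNASint: algorithmKey(root, fc, nasIntAlg, intID),
	}
}

func main() {
	// Constructed K_SEAF (256 bits) and ABBA = 0x0000, the initial ABBA value defined for 5G.
	kSEAF, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
	kamf := kAMF(kSEAF, "001010123456789", []byte{0x00, 0x00})
	k := deriveNASKeys(kamf, fc5GAlgKey, 2, 2) // NEA2 + NIA2
	fmt.Printf("K_AMF    = %x\nK_NASenc = %x\nK_NASint = %x\n", kamf, k.KNASenc, k.KNASint)
}
```

The point the code makes is separation: the same root key gives different NAS keys for each system, algorithm type and algorithm identity, so an algorithm change in a later security mode command never reuses a key, and the ABBA input lets the network introduce new security features without a UE being able to derive an old-style K_AMF.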

Integrity and Ciphering

The Non-Access Stratum (NAS) uses integrity protection and ciphering to protect signaling messages against tampering and eavesdropping in both the Evolved Packet System (EPS) and 5G. Integrity protection ensures authenticity and detects modification by appending a 32-bit Message Authentication Code for Integrity (MAC-I) to each protected NAS message, while ciphering provides confidentiality by encrypting the message body. Both are activated after the authentication procedure has produced the keys; integrity protection is mandatory once security is activated, while ciphering depends on network policy and UE capabilities (regulation in some countries requires the null ciphering algorithm).

The algorithms are standardized by 3GPP and selected by the network from the capabilities the UE reports at attach or registration. For integrity, EPS defines 128-EIA1 (SNOW 3G), 128-EIA2 (AES-CMAC) and 128-EIA3 (ZUC), and 5G the equivalent 128-NIA1, 128-NIA2 and 128-NIA3; the null algorithm EIA0/NIA0 is permitted only for unauthenticated emergency sessions. For ciphering, EPS defines 128-EEA1 (SNOW 3G), 128-EEA2 (AES-CTR) and 128-EEA3 (ZUC), and 5G 128-NEA1, 128-NEA2 and 128-NEA3, again with the null option EEA0/NEA0 for limited cases. All use 128-bit keys; the MME (EPS) or AMF (5G) chooses by operator priority among the algorithms the UE supports, which is why the integrity of the UE's reported capabilities matters.

The NAS keys come from the root of the hierarchy established during authentication: K_ASME in EPS or K_AMF in 5G. In EPS, K_NASint (integrity) and K_NASenc (ciphering) are derived from K_ASME with the 3GPP key derivation function (HMAC-SHA-256), using the function code FC = 0x15, the algorithm type distinguisher (0x01 for NAS ciphering, 0x02 for NAS integrity) and the algorithm identity as inputs and keeping the 128 least significant bits of the output. In 5G, K_NASint and K_NASenc are derived from K_AMF in the same way with FC = 0x69. Keeping the NAS keys separate from the access stratum keys preserves end-to-end protection between the UE and the core network even though the base station terminates the radio link.

NAS security is activated by the security mode command procedure, which the MME or AMF runs after key derivation. The network sends a SECURITY MODE COMMAND that is integrity protected with the new K_NASint (security header type 0011 in EPS, "integrity protected with new EPS security context") but not ciphered; it carries the selected algorithms, the key set identifier (eKSI in EPS or ngKSI in 5G) and a replay of the UE security capabilities the network received. The UE checks the MAC-I and verifies that the replayed capabilities match what it sent, which detects a man-in-the-middle that stripped strong algorithms from the unprotected initial message; it then activates the algorithms and replies with SECURITY MODE COMPLETE, integrity protected with K_NASint and ciphered with K_NASenc. Replay protection uses the NAS COUNT, a 24-bit value formed from a 16-bit overflow counter and the 8-bit sequence number carried in each message (padded with 8 leading zero bits to 32 bits when used as algorithm input); it increases with every message and enters the MAC computation, so repeated or out-of-sequence messages fail verification. A message whose integrity check fails is discarded, except for the small set of messages the specification allows to be processed before security is established (for example IDENTITY REQUEST, AUTHENTICATION REQUEST and certain reject messages), which is the window on which downgrade and denial-of-service attacks against NAS concentrate.

The MAC-I is computed with the selected integrity algorithm as

$\text{MAC-I} = f(K_{\text{NASint}}, \text{COUNT}, \text{BEARER}, \text{DIRECTION}, \text{MESSAGE})$

where $f$ is the integrity algorithm (for example 128-NIA2), COUNT is the 32-bit padded NAS COUNT, BEARER is the NAS connection identifier (0x00 for NAS over 3GPP access, 0x01 for NAS over non-3GPP access in 5G), DIRECTION is 0 for uplink and 1 for downlink, and MESSAGE is the sequence number octet followed by the NAS message body, ciphered first if ciphering applies. The resulting 32-bit MAC-I is carried in the security header; the receiver recomputes it with the shared key and its own view of COUNT and compares the two.