top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Security mode command in LTE

+1 vote
675 views

In LTE, when a new security mode comes at NAS, when does the overflow and count get reset ? (Any spec ref please).

In the log, the scenario is that, when the new security mode is sent with SN=0, but Overflow=1 (i.e after sending the previous one with SN=256), the new one gets rejected. The UE is sending the Security Mode Reject.
But if we reset the overflow, the UE accepts the Security Mode Command.

Does anybody know special case when the Overflow is reset ? (any spec ref is helpful)

Currently the SecMode Reject is being sent, I think it may be because the overflow is not reset. Trying to debug this, as I have not much worked on this are earlier. (I had worked on 3G security, i remember we need to reset the count, on receipt of new keys)

posted Jan 30, 2018 by Pdk

Looking for an answer?  Promote on:
Facebook Share Button Twitter Share Button LinkedIn Share Button
The first security mode command is :
                            ProtocolIE-Field
                                id: id-NAS-PDU (26)
                                criticality: reject (0)
                                value
                                    NAS-PDU: 370d0071a4ff075d010605f070c04070
                                    Non-Access-Stratum (NAS)PDU
                                        0011 .... = Security header type: Integrity protected with new EPS security context (3)
                                        .... 0111 = Protocol discriminator: EPS mobility management messages (0x7)
                                        Message authentication code: 0x0d0071a4
                                        Sequence number: 255
                                        0000 .... = Security header type: Plain NAS message, not security protected (0)
                                        .... 0111 = Protocol discriminator: EPS mobility management messages (0x7)
                                        NAS EPS Mobility Management Message Type: Security mode command (0x5d)
                                        NAS security algorithms - Selected NAS security algorithms
                                            0... .... = Spare bit(s): 0x00
                                            .000 .... = Type of ciphering algorithm: EPS encryption algorithm EEA0 (null ciphering algorithm) (0)
                                            .... 0... = Spare bit(s): 0x00
                                            .... .001 = Type of integrity protection algorithm: EPS integrity algorithm 128-EIA1 (1)
                                        0000 .... = Spare half octet: 0
                                        .... 0... = Type of security context flag (TSC): Native security context (for KSIasme)
                                        .... .110 = NAS key set identifier:  (6) ASME
                                        UE security capability - Replayed UE security capabilities

The second one is :
                            ProtocolIE-Field
                                id: id-NAS-PDU (26)
                                criticality: reject (0)
                                value
                                    NAS-PDU: 370d0071a4ff075d010605f070c04070
                                    Non-Access-Stratum (NAS)PDU
                                        0011 .... = Security header type: Integrity protected with new EPS security context (3)
                                        .... 0111 = Protocol discriminator: EPS mobility management messages (0x7)
                                        Message authentication code: 0x0d0071a4
                                        Sequence number: 255
                                        0000 .... = Security header type: Plain NAS message, not security protected (0)
                                        .... 0111 = Protocol discriminator: EPS mobility management messages (0x7)
                                        NAS EPS Mobility Management Message Type: Security mode command (0x5d)
                                        NAS security algorithms - Selected NAS security algorithms
                                            0... .... = Spare bit(s): 0x00
                                            .000 .... = Type of ciphering algorithm: EPS encryption algorithm EEA0 (null ciphering algorithm) (0)
                                            .... 0... = Spare bit(s): 0x00
                                            .... .001 = Type of integrity protection algorithm: EPS integrity algorithm 128-EIA1 (1)
                                        0000 .... = Spare half octet: 0
                                        .... 0... = Type of security context flag (TSC): Native security context (for KSIasme)
                                        .... .110 = NAS key set identifier:  (6) ASME
                                        UE security capability - Replayed UE security capabilities
commented Jan 31, 2018 by Pdk
I think I was told UE is still in idle mode. But in the logs, I can see that the "Ue context Release Req" after the 1st security mode procedure. Does the "Ue context release Req" trigger the reset of Security context ? (I guess so)
commented Jan 31, 2018 by Pdk

Similar Questions
+2 votes
LTE: Why MME does replay of UE Security Capabilities in the Security mode command message ?

In attach request, UE sends UE network capability which contains the list of security algorithms can be used to enable security between UE and network node. My question is, when UE already knows its supported algorithms then why MME resend the same list of security algorithm to UE in security mode command ? What would be the reasoning behind it ?

+4 votes
LTE : NAS security mode command , how to form a final message M that is given as input to AES_CMAC function.?

For NAS security mode command ,input giving to CMAC (integrity check) function at both UE and MME side are same but still im getting intgrity check failed ,for exp:
1) KEY = \xef\x6b\xee\xda\x7f\x66\xc5\x67\x34\xa6\x1b\xcf\x1e\x8f\x12\x87.
2) COUNT = 0.
3) BEARER ID =0.
4) DIRECTION =1.
5) mesage = \x07\x5d\x22\x00\x02\xe0\xe0.
6)sequence no. = 0x00.
please can you explain me with this example ,what will be the final message(message forming) M.

+3 votes
Clarification on security mode procedure in LTE

I have couple of question regarding security procedure in case of NAS and AS Security procedure.
1> In case of NAS security procedure, MME sends Security mode command to UE with with only integrity protected, and UE sends Security mode complete after integrity verification to eNB with both integrity protected and ciphered too, as MME shared the ciphered algo with UE in command message.

But in case of AS security procedure, eNB sends security mode command with integrity protected and UE reply with only integrity protected Security mode complete message though eNB shared ciphering algo with UE.

Why in case of AS Security mode complete message it is only integrity protected and not ciphered but in case NAS security Complete message is both ciphered and integrity protected ? Any special requirement/reason for it ?

2> In case of NAS, after security is established every NAS message goes through Ciphering first and then Integrity protection added but in case AS security RRC messages why it is first integrity protection and than ciphered ?

What is the reason behind different order of integrity protection and ciphering in case of NAS and AS ?

...