Copyright © 2002-2014 NMC Consulting Group. All rights reserved.
Netmanias Technical Document: LTE Security II - NAS and AS Security
[NAS Security Setup] Security Mode Command (2)
❶ [MME] Selection of security algorithms
Selects encryption and integrity protection algorithms applied to NAS messages
based on UE Security Capability information (e.g. EEA1 and EIA1)
❷ [MME] Derivation of NAS security keys, $K_{NASint}$ and $K_{NASenc}$
Derives $K_{NASint}$ and $K_{NASenc}$ with the following input parameters:
• $K_{ASME}$ derived in ❷ (authentication process)
• Security algorithm ID selected in ❶
• Security algorithm distinguisher
$K_{NASint} = \mathrm{KDF}(K_{ASME}, \text{NAS-int-alg}, \text{Alg-ID})$
$K_{NASenc} = \mathrm{KDF}(K_{ASME}, \text{NAS-enc-alg}, \text{Alg-ID})$
❸ [MME] Calculation of NAS-MAC for integrity protection
Generates Security Mode Command message and calculates NAS-MAC for the message using $K_{NASint}$
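[Figure: $K_{ASME}$ is fed to two KDF instances. With Alg-ID=01 and NAS-int-alg=02 the output is $K_{NASint}$; with Alg-ID=01 and NAS-enc-alg=01 the output is $K_{NASenc}$]
[Table: Security Algorithm ID (columns: Algorithm ID, Description, Value)]
[Table: Algorithm Distinguisher (columns: Algorithm Distinguisher, Value)]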
Input Parameters for EIA Algorithm (Input Parameter: Description)
• Count: 32-bit downlink NAS count
• Message: NAS Message, Security Mode Command message herein
• Direction: 1-bit direction of message transmission, set to 1 for downlink
• Bearer: 5-bit bearer ID, constant value (set to 0)
• Key: 128-bit Integrity protection key for NAS messages
[Figure: Calculation of NAS-MAC. EIA takes Count, Direction, Bearer, Key ($K_{NASint}$) and Message (Security Mode Command message) as inputs and outputs NAS-MAC]
* for relay nodes only, not discussed herein
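
The key derivation in step ❷, as an added example that is not part of the original Netmanias document. The page writes the derivation only as KDF(K_ASME, distinguisher, Alg-ID); this code assumes the KDF construction of 3GPP TS 33.401 Annex A.7 (HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 with FC = 0x15, keeping the 128 least significant bits of the output). The function names and the sample K_ASME are constructed for illustration.

```python
import hashlib
import hmac

# Algorithm type distinguishers, matching the values in the page's KDF figure.
NAS_ENC_ALG = 0x01
NAS_INT_ALG = 0x02
# FC value for algorithm key derivation (assumption: TS 33.401 Annex A.7).
FC_ALG_KEY = 0x15

# Constructed sample K_ASME for demonstration only (not a real key).
SAMPLE_K_ASME = bytes(range(32))


def build_s(distinguisher: int, alg_id: int) -> bytes:
    """Build S = FC || P0 || L0 || P1 || L1 (one-byte P0/P1, two-byte lengths)."""
    for name, value in (("distinguisher", distinguisher), ("alg_id", alg_id)):
        if not 0 <= value <= 0xFF:
            raise ValueError(f"{name} must fit in one byte")
    return bytes([FC_ALG_KEY, distinguisher, 0x00, 0x01, alg_id, 0x00, 0x01])


def derive_nas_key(k_asme: bytes, distinguisher: int, alg_id: int) -> bytes:
    """Return a 128-bit key: the low-order 16 bytes of HMAC-SHA-256(K_ASME, S)."""
    if len(k_asme) != 32:
        raise ValueError("K_ASME must be 256 bits (32 bytes)")
    s = build_s(distinguisher, alg_id)
    digest = hmac.new(k_asme, s, hashlib.sha256).digest()
    return digest[-16:]


def derive_nas_keys(k_asme: bytes, eia_id: int, eea_id: int) -> dict:
    """Derive both NAS keys for the algorithms the MME selected in step 1."""
    return {
        "K_NASint": derive_nas_key(k_asme, NAS_INT_ALG, eia_id),
        "K_NASenc": derive_nas_key(k_asme, NAS_ENC_ALG, eea_id),
    }


if __name__ == "__main__":
    # EIA1 and EEA1 both carry algorithm ID 01, as in the page's figure.
    for name, key in derive_nas_keys(SAMPLE_K_ASME, 0x01, 0x01).items():
        print(name, key.hex())
```

Because the distinguisher is part of S, the integrity and encryption keys differ even when both selected algorithms carry the same Alg-ID, which is the case in the page's figure.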