My 3GPP 33.501 notes
=== 6.4.6 Protection of initial NAS message ===
<span style="color:red">The initial NAS message is the first NAS message that is sent after the UE transitions from the idle state</span>. The UE shall send <span style="color:red">a limited set of IEs (called the cleartext IEs) including those needed to establish security in the initial message when it has no NAS security context</span>. <span style="color:red">When the UE has a NAS security context, the UE shall send a message that has the complete initial NAS message ciphered in a NAS Container along with the cleartext IEs with whole message integrity protected.</span> The complete initial message is included in the NAS Security Mode Complete (SMC) message in a NAS Container when needed (e.g. AMF cannot find the used security context) in the latter case and always in the former case as described below.

:Note: See 3GPP TS 24.501 5.4.2 for Security Mode Control procedure or [[My 3GPP 24.501 notes#5.4.2 Security mode control (SMC) procedure|my security mode control notes]]

In case the UE selects a PLMN other than Registered PLMN/EPLMN in the 5GMM-IDLE state and the UE has a NAS security context containing the NEA0, then the UE shall discard the NAS security context and shall follow the procedure specified in this clause for protection of initial NAS message.

The protection of the initial NAS message proceeds as shown in Figure 6.4.6-1 and following.

[[File:Protecting initial NAS message.png|center|Protecting initial NAS message]]

Step 1: The UE shall send the initial NAS message to the AMF.
* If the UE has no NAS security context, the initial NAS message shall only contain the <span style="color:red">cleartext IEs, i.e. subscription identifiers (e.g. SUCI or GUTIs)</span>, UE security capabilities, ngKSI, indication that the UE is moving from EPC, Additional GUTI, and IE containing the TAU Request in the case idle mobility from LTE.
* If the UE has a NAS security context, the <span style="color:red">message sent shall contain the information given above in cleartext and the complete initial NAS message ciphered in a NAS container</span> which is ciphered. With a NAS security context, the sent message shall also be integrity protected.
In the case that the initial NAS message was protected and the AMF has the same security context, then steps 2 to 4 may be omitted. In this case the AMF shall use the complete initial NAS message that is in the NAS container as the message to respond to.

Step 2: If the AMF is not able to find the security context locally or from last visited AMF, or if the integrity check fails, then the AMF shall initiate an authentication procedure with the UE. If the AMF fetches old security context from the last visited AMF, the AMF may decipher the NAS container with the same security context, and get the initial NAS message, then the step 2b to 4 may be omitted. If the AMF fetches new K<sub>AMF</sub> from the last visited AMF (receiving keyAmfChangeInd), the step 2b may be omitted.

Step 3: If the authentication of the UE is successful, the AMF shall send the NAS Security Mode Command message. If the initial NAS message was protected but did not pass the integrity check (due either to a MAC failure or the AMF not being able to find the used security context) or the AMF could not decrypt the complete initial NAS message in the NAS container (due to receiving "keyAmfChangeInd" from the last visited AMF), then the AMF shall include in the Security Mode Command message a flag requesting the UE to send the complete initial NAS message in the NAS Security Mode Complete message.

Step 4: The UE shall send the NAS Security Mode Complete message to the network in response to a NAS Security Mode Command message. The NAS Security Mode Complete message shall be ciphered and integrity protected. Furthermore the NAS Security Mode Complete message shall include the complete initial NAS message in a NAS Container if either requested by the AMF or the UE sent the initial NAS message unprotected. The AMF shall use the complete initial NAS message that is in the NAS container as the message to respond to.

Step 5: <span style="color:red">The AMF shall send its response to the Initial NAS message. This message shall be '''ciphered and integrity''' protected</span>.
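
The branches of steps 1 to 4 can be written out as a decision table. The Python below is an added example, not part of the original notes or of the 3GPP text. The names <code>Ctx</code>, <code>Plan</code>, <code>ue_protects</code> and <code>amf_plan</code> are hypothetical, every "may be omitted" is taken as omitted, and "step 2b" is assumed to be the authentication procedure, since the figure is not reproduced here.

```python
from dataclasses import dataclass
from enum import Enum, auto


class Ctx(Enum):
    """Where the AMF got the context the UE used (names are this example's)."""
    LOCAL = auto()          # AMF already holds the same security context
    OLD_FROM_LAST = auto()  # old context fetched from the last visited AMF
    NEW_KAMF = auto()       # new K_AMF fetched, keyAmfChangeInd received
    NOT_FOUND = auto()      # neither local nor from the last visited AMF


@dataclass(frozen=True)
class Plan:
    authenticate: bool           # assumed here to be the page's "step 2b"
    security_mode_command: bool  # steps 3 and 4 run
    request_complete_msg: bool   # flag in the Security Mode Command
    container_in_complete: bool  # Security Mode Complete carries the NAS Container
    respond_to: str              # which copy of the message the AMF answers


def ue_protects(has_ctx: bool, other_plmn: bool, ctx_has_nea0: bool) -> bool:
    """UE side: a context containing NEA0 is discarded when the UE selects a
    PLMN other than the registered/equivalent one in 5GMM-IDLE."""
    return has_ctx and not (other_plmn and ctx_has_nea0)


def amf_plan(protected: bool, ctx: Ctx = Ctx.NOT_FOUND, mac_ok: bool = True) -> Plan:
    smc = "NAS Container in Security Mode Complete"
    if not protected:
        # Cleartext IEs only: the UE always adds the container, no flag needed.
        return Plan(True, True, False, True, smc)
    if ctx is Ctx.NOT_FOUND or not mac_ok:
        # Integrity check failed (MAC failure or context not found).
        return Plan(True, True, True, True, smc)
    if ctx is Ctx.NEW_KAMF:
        # Container cannot be decrypted; authentication may be skipped.
        return Plan(False, True, True, True, smc)
    # LOCAL or OLD_FROM_LAST: container deciphered, steps up to 4 omitted.
    return Plan(False, False, False, False, "NAS Container in initial NAS message")


if __name__ == "__main__":
    # Constructed cases covering each branch described in steps 1 to 4.
    for case in [(False,), (True, Ctx.LOCAL), (True, Ctx.LOCAL, False),
                 (True, Ctx.OLD_FROM_LAST), (True, Ctx.NEW_KAMF)]:
        print(case, amf_plan(*case))
```

In every branch the message the AMF answers is the one recovered from a ciphered NAS Container, never the cleartext IEs alone.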