The statements relating to UEs in clause 8 apply also to RNs regarding the security between a relay node and its MME.
Clause 8 also applies to the security procedures for data sent via the MME.
Input parameters to the NAS 128-bit integrity algorithms as described in Annex B are an 128-bit integrity key KNASint as KEY, an 5-bit bearer identity BEARER which shall equal the constant value 0x00, the direction of transmission DIRECTION, and a bearer specific, time and direction dependent 32-bit input COUNT which is constructed as follows:
COUNT := 0x00 || NAS OVERFLOW || NAS SQN
Where
the leftmost 8 bits are padding bits including all zeros.
NAS OVERFLOW is a 16-bit value which is incremented each time the NAS SQN is incremented from the maximum value.
NAS SQN is the 8-bit sequence number carried within each NAS message.
The use and mode of operation of the 128-bit integrity algorithms are specified in Annex B.
The supervision of failed NAS integrity checks shall be performed both in the ME and the MME. In case of failed integrity check (i.e. faulty or missing NAS-MAC) is detected after the start of NAS integrity protection, the concerned message shall be discarded except for some NAS messages specified in TS 24.301. For those exceptions the MME shall take the actions specified in TS 24.301 when receiving a NAS message with faulty or missing NAS-MAC. Discarding NAS messages can happen on the MME side or on the ME side.
NAS integrity shall be activated using the NAS SMC procedure or after a handover to E-UTRAN from UTRAN/GERAN. Replay protection shall be activated when integrity protection is activated (except for when the selected integrity protection algorithm is EIA0, see Annex B). Replay protection shall ensure that the receiver only accepts each particular incoming NAS COUNT value once using the same NAS security context. Once NAS integrity has been activated, NAS messages without integrity protection shall not be accepted by the UE or MME. Before NAS integrity has been activated, NAS messages without integrity protection shall only be accepted by the UE or MME in certain cases where it is not possible to apply integrity protection as specified in TS 24.301. While some NAS messages such as reject messages need to be accepted by the UE without integrity protection, the MME shall only send a reject message that causes the CSG list on the UE to be modified after the start of NAS security. The UE shall discard any message modifying the CSG list if it is not integrity protected.
NAS integrity stays activated until the EPS security context is deleted in either the UE or MME. In particular the NAS service request shall always be integrity protected and the NAS attach request message shall be integrity protected if the EPS security context is not deleted while UE is in EMM-DEREGISTERED. The length of the NAS-MAC is 32 bit. The full NAS-MAC shall be appended to all integrity protected messages except for the NAS service request. Only the 16 least significant bits of the 32 bit NAS-MAC shall be appended to the NAS service request message.
The use and mode of operation of the 128-EIA algorithms are specified in Annex B.
The input parameters for the NAS 128-bit ciphering algorithms shall be the same as the ones used for NAS integrity protection as described in clause 8.1, with the exception that a different key, KNASenc , is used as KEY, and there is an additional input parameter, namely the length of the key stream to be generated by the encryption algorithms.
If UE in EMM-IDLE mode uses Control Plane CIoT EPS optimisation for data transport, an initial plain NAS message including user data needs to be partially ciphered (see clause 4.4.5 of TS 24.301) with the same encryption algorithm that was agreed during the NAS SMC exchange. In this case the length of the key stream is set to the length of the part of the initial plain NAS message that is to be ciphered.
The use and mode of operation of the 128-bit ciphering algorithms are specified in Annex B.