5.3.10 Security Function
3GPP TS 23.401 Release 18: General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access
5.3.10.1 General
The security functions include:
– Guards against unauthorised EPS service usage (authentication of the UE by the network and service request validation).
– Provision of user identity confidentiality (temporary identification and ciphering).
– Provision of user data and signalling confidentiality (ciphering).
– Provision of origin authentication of signalling and user data (integrity protection).
– Authentication of the network by the UE.
Security-related network functions for EPS are described in TS 33.401 [41].
The aspects of user plane data integrity protection that involve interactions with the 5G Core are specified in TS 23.501 [83] and TS 23.502 [84].
5.3.10.2 Authentication and Key Agreement
EPS AKA is the authentication and key agreement procedure that shall be used over E-UTRAN, between the UE and MME. EPS AKA is specified in TS 33.401 [41].
5.3.10.3 User Identity Confidentiality
An M-TMSI identifies a user between the UE and the MME. The relationship between M-TMSI and IMSI is known only in the UE and in the MME.
5.3.10.4 User Data and Signalling Confidentiality
5.3.10.4.0 General
There are two different levels of the security associations between the UE and the network.
i) The RRC and UP security associations are between the UE and E‑UTRAN. The RRC security association protects the RRC signalling between the UE and E‑UTRAN (integrity protection and ciphering). The UP security association is between the UE and E‑UTRAN and can provide user plane encryption and integrity protection.
ii) NAS security association is between the UE and the MME. It provides integrity protection and encryption of NAS signalling and, when the Control Plane CIoT EPS Optimisation is used, user data.
Some earlier releases of the EPS specifications do not support User Plane Integrity Protection in EPS (EPS-UPIP). Hence UEs that support EPS-UPIP indicate this capability in the security algorithm octets of the UE Network Capability IE as defined in TS 24.301 [46] and use it as described in TS 33.401 [41]; and the MME copies this capability into S1-AP signalling sent to the E-UTRAN. The E-UTRAN can be locally configured with a policy (to be used when no explicit EPS UPIP policy is received from the MME), e.g. that the use of EPS-UPIP is "Preferred" for UE(s) that support User Plane Integrity Protection in EPS.
For EPC networks with no 5GC interworking, E-UTRAN can have a preconfigured policy for "preferred" User Plane Integrity Protection that can be used if the MME does not provide a security policy for the bearers of a UE and if the E-UTRAN has received an indication that the UE supports User Plane Integrity Protection. This preconfigured policy applies to any bearer of any UE unless the MME provides a User Plane Integrity Protection security policy to the E-UTRAN, in which case the MME policy overrides the preconfigured E-UTRAN policy.
Differentiated User plane integrity protection beyond preconfigured policy is only supported for PDN connections served by a SMF+PGW-C: to support PDN connections that "Require" the use of EPS-UPIP, the MME shall select a SMF+PGW-C.
NOTE 1: See TS 23.502 [84] for additional features for EPS-UPIP in case of interworking with 5GC.
NOTE 2: In this Release of the specifications, EPS UPIP can only be supported by UEs that support NR-PDCP.
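The precedence rules of clause 5.3.10.4.0 (MME-provided policy first, then the E-UTRAN preconfigured policy if the UE has indicated EPS-UPIP support, otherwise no user plane integrity protection) written out as a small decision function. This is an added illustration, not text or code from the specification; the policy strings "Required"/"Preferred"/"Not needed", the function names and the gateway labels are constructed for the example.

```python
from typing import Optional

# Constructed vocabulary for the UP integrity protection policy values used below.
REQUIRED, PREFERRED, NOT_NEEDED = "Required", "Preferred", "Not needed"


def effective_upip_policy(ue_supports_upip: bool,
                          mme_policy: Optional[str],
                          enb_preconfigured: Optional[str]) -> str:
    """Return the EPS-UPIP policy the E-UTRAN applies to one bearer.

    Precedence (clause 5.3.10.4.0):
      1. A policy received from the MME always overrides the E-UTRAN's own policy.
      2. Otherwise the E-UTRAN's preconfigured policy applies, but only if the MME has
         relayed (via S1-AP) that the UE supports EPS-UPIP.
      3. Otherwise the bearer gets no user plane integrity protection.
    """
    if mme_policy is not None:
        return mme_policy
    if ue_supports_upip and enb_preconfigured is not None:
        return enb_preconfigured
    return NOT_NEEDED


def gateway_for_pdn_connection(requires_upip: bool) -> str:
    """Gateway class the MME must select for a PDN connection.

    Differentiated (per PDN connection) UPIP beyond the preconfigured policy is only
    possible when the connection is served by an SMF+PGW-C, so a connection that
    "Requires" EPS-UPIP must be routed there.  The labels are constructed.
    """
    return "SMF+PGW-C" if requires_upip else "any PGW (legacy PGW or SMF+PGW-C)"


def resolve_bearers(ue_supports_upip: bool, enb_preconfigured: Optional[str],
                    bearers: dict) -> dict:
    """Apply the precedence rule to a set of bearers keyed by EPS bearer identity.

    `bearers` maps EBI -> MME-provided policy or None (no policy signalled).
    """
    return {ebi: effective_upip_policy(ue_supports_upip, pol, enb_preconfigured)
            for ebi, pol in bearers.items()}


if __name__ == "__main__":
    # Constructed scenario: UE supports EPS-UPIP, eNB preconfigured "Preferred",
    # MME signals a policy only for bearer 6.
    print(resolve_bearers(True, PREFERRED, {5: None, 6: REQUIRED}))
```

A useful check when auditing an eNB configuration is that a "Preferred" preconfigured policy never activates for a UE whose capability was not relayed by the MME; `effective_upip_policy(False, None, "Preferred")` returning `"Not needed"` is that case.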
5.3.10.4.1 AS security mode command procedure
The MME triggers the RRC level AS security mode command procedure by sending the needed security parameters to the eNodeB. This enables ciphering of the UP traffic and ciphering and integrity protection of the RRC signalling as described in TS 33.401 [41].
NOTE: The integrity protection of the UP traffic is enabled using RRC reconfiguration procedure as described in TS 33.401 [41].
5.3.10.4.2 NAS Security Mode Command procedure
The MME uses the NAS Security Mode Command (SMC) procedure to establish a NAS security association between the UE and MME, in order to protect the further NAS signalling messages. This procedure is also used to make changes in the security association, e.g. to change the security algorithm.
Figure 5.3.10.4.2-1: NAS Security Mode Command Procedure
1. The MME sends NAS Security Mode Command (Selected NAS algorithms, eKSI, ME Identity request, UE Security Capability) message to the UE. ME identity request may be included when NAS SMC is combined with ME Identity retrieval (see clause 5.3.10.5).
2. The UE responds with NAS Security Mode Complete (NAS-MAC, ME Identity) message. The UE includes the ME Identity if it was requested in step 1.
NOTE: The NAS Security Mode Command procedure is typically executed as part of the Attach procedure (see clause 5.3.2.1) in advance of, or in combination with, executing the ME Identity Check procedure (see clause 5.3.10.5) and in the TAU procedure (see clauses 5.3.3.1 and 5.3.3.2).
More details of the procedure are described in TS 33.401 [41].
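The two-message exchange of clause 5.3.10.4.2 modelled end to end, so that the security-relevant checks on each side are visible: the MME selects algorithms from the UE Security Capability it received unprotected at Attach and replays that capability inside the integrity-protected SMC; the UE accepts only if the replayed capability matches what it actually sent (the bidding-down protection) and the NAS-MAC verifies, then returns Security Mode Complete with its own NAS-MAC and the ME Identity when requested. This is an added example, not code from the specification or from any 3GPP implementation. Assumptions: K_NASint is a 16-byte key already shared by both sides (in EPS it is derived from K_ASME after EPS AKA), the NAS-MAC is HMAC-SHA256 truncated to 32 bits standing in for the EIA algorithms of TS 33.401, the message encodings and class names are constructed, and `strip_strong_algorithms` models an in-path modifier that lacks the key.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

UPLINK, DOWNLINK = 0, 1  # NAS DIRECTION bit values (UE->MME, MME->UE)


def nas_mac(k_nas_int: bytes, count: int, direction: int, payload: bytes) -> bytes:
    """32-bit NAS-MAC over (COUNT, DIRECTION, message). HMAC-SHA256 stands in for EIAx."""
    msg = count.to_bytes(4, "big") + bytes([direction]) + payload
    return hmac.new(k_nas_int, msg, hashlib.sha256).digest()[:4]


@dataclass
class SecurityModeCommand:
    selected_algs: tuple               # (ciphering, integrity), e.g. ("EEA2", "EIA2")
    eksi: int                          # key set identifier of the K_ASME in use
    ue_security_capability: frozenset  # replay of what the UE claimed in Attach Request
    request_me_identity: bool
    mac: bytes = b""

    def integrity_payload(self) -> bytes:
        caps = ",".join(sorted(self.ue_security_capability))
        return (f"SMC|{self.selected_algs[0]}|{self.selected_algs[1]}|{self.eksi}|"
                f"{int(self.request_me_identity)}|{caps}").encode()


@dataclass
class SecurityModeComplete:
    me_identity: Optional[str]         # present only when step 1 asked for it
    nas_mac: bytes = b""

    def integrity_payload(self) -> bytes:
        return f"SMCOMPLETE|{self.me_identity or ''}".encode()


class Mme:
    def __init__(self, k_nas_int, alg_priority, ue_caps_from_attach):
        self.k, self.priority, self.ue_caps = k_nas_int, alg_priority, set(ue_caps_from_attach)
        self.dl_count = self.ul_count = 0

    def build_smc(self, eksi, request_me_identity=False):
        # Pick the operator's most preferred algorithm that the UE also supports.
        cipher = next(a for a in self.priority["ciphering"] if a in self.ue_caps)
        integ = next(a for a in self.priority["integrity"] if a in self.ue_caps)
        smc = SecurityModeCommand((cipher, integ), eksi, frozenset(self.ue_caps), request_me_identity)
        smc.mac = nas_mac(self.k, self.dl_count, DOWNLINK, smc.integrity_payload())
        self.dl_count += 1
        return smc

    def verify_complete(self, reply):
        expected = nas_mac(self.k, self.ul_count, UPLINK, reply.integrity_payload())
        self.ul_count += 1
        return hmac.compare_digest(expected, reply.nas_mac)


class Ue:
    def __init__(self, k_nas_int, caps, imei):
        self.k, self.caps, self.imei = k_nas_int, frozenset(caps), imei
        self.dl_count = self.ul_count = 0

    def handle_smc(self, smc):
        """Return Security Mode Complete, or None where the UE would send Security Mode Reject."""
        # Bidding-down protection: the replayed capability must equal what we sent unprotected.
        if smc.ue_security_capability != self.caps:
            return None
        if any(a not in self.caps for a in smc.selected_algs):
            return None
        expected = nas_mac(self.k, self.dl_count, DOWNLINK, smc.integrity_payload())
        if not hmac.compare_digest(expected, smc.mac):
            return None
        self.dl_count += 1
        reply = SecurityModeComplete(self.imei if smc.request_me_identity else None)
        reply.nas_mac = nas_mac(self.k, self.ul_count, UPLINK, reply.integrity_payload())
        self.ul_count += 1
        return reply


def strip_strong_algorithms(smc):
    """In-path modification without K_NASint: hide EEA2/EIA2 from the replayed
    capability and select the weakest algorithms, leaving the original MAC in place."""
    weaker = frozenset(a for a in smc.ue_security_capability if a not in ("EEA2", "EIA2"))
    return SecurityModeCommand(("EEA0", "EIA1"), smc.eksi, weaker, smc.request_me_identity, smc.mac)


def run_exchange(tamper=None):
    """Run one NAS SMC exchange; returns (ue_accepted, mme_accepted, me_identity_returned)."""
    k_nas_int = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed shared key
    ue_caps = {"EEA0", "EEA1", "EEA2", "EIA1", "EIA2"}           # constructed UE capability
    mme = Mme(k_nas_int, {"ciphering": ["EEA2", "EEA1", "EEA0"], "integrity": ["EIA2", "EIA1"]}, ue_caps)
    ue = Ue(k_nas_int, ue_caps, imei="IMEI-CONSTRUCTED-0001")
    smc = mme.build_smc(eksi=0, request_me_identity=True)        # step 1
    if tamper is not None:
        smc = tamper(smc)
    reply = ue.handle_smc(smc)                                    # step 2
    if reply is None:
        return (False, False, None)
    return (True, mme.verify_complete(reply), reply.me_identity)


if __name__ == "__main__":
    print(run_exchange())                          # (True, True, 'IMEI-CONSTRUCTED-0001')
    print(run_exchange(strip_strong_algorithms))   # (False, False, None)
```

The capability replay check rejects the modified SMC before the MAC is even examined, which is the point of carrying the UE Security Capability inside the protected message: the Attach Request that first conveyed it is sent before any NAS security association exists, so it is the echo in step 1 that lets the UE detect that the network saw its real capability.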
5.3.10.5 ME identity check procedure
The Mobile Equipment Identity Check Procedure permits the operator(s) of the MME and/or the HSS and/or the PDN GW to check the Mobile Equipment’s identity (e.g. to check that it has not been stolen, or to verify that it does not have faults).
The ME Identity can be checked by the MME passing it to an Equipment Identity Register (EIR) and then the MME analysing the response from the EIR in order to determine its subsequent actions (e.g. sending an Attach Reject if the EIR indicates that the Mobile Equipment is prohibited).
The ME identity check procedure is illustrated in Figure 5.3.10.5-1.
Figure 5.3.10.5-1: Identity Check Procedure
1. The MME sends Identity Request (Identity Type) to the UE. The UE responds with Identity Response (Mobile Identity).
2. If the MME is configured to check the IMEI against the EIR, it sends ME Identity Check (ME Identity, IMSI) to EIR. The EIR responds with ME Identity Check Ack (Result).
NOTE: The Identity Check Procedure is typically executed as part of the Attach procedure (see clause 5.3.2.1).