11 NAS security context parameter handling
3GPP TS 31.121 Release 16: UICC-terminal interface; Universal Subscriber Identity Module (USIM) application test specification
11.1 NAS security context parameter handling when service "EMM Information" is available
11.1.1 Definition and applicability
The security parameters for authentication, integrity protection and ciphering are tied together in an EPS security context and identified by a key set identifier for E-UTRAN (eKSI). The relationship between the security parameters is defined in 3GPP TS 33.401 [27].
The EPS security context parameters shall be stored on the USIM if the corresponding file is present. If the corresponding file is not present on the USIM, these EMM parameters except allowed CSG list are stored in a non-volatile memory in the ME together with the IMSI from the USIM.
The EFEPSNSC contains the EPS NAS Security context as defined in TS 33.401 [27]. This file shall contain only one record and shall be updated only when the requirements defined in TS 33.401 [27] are met.
11.1.2 Conformance requirement
EPS AKA is the authentication and key agreement procedure that shall be used over E-UTRAN.
Before security can be activated, the MME and the UE need to establish an EPS security context. Usually, the EPS security context is created as the result of an authentication procedure between MME and UE. The EPS security context parameters shall be stored on the USIM if the corresponding file is present, and shall be updated only when the requirements defined in TS 33.401 [27] are met. If the corresponding file is not present on the USIM, these EMM parameters except allowed CSG list are stored in a non-volatile memory in the ME together with the IMSI from the USIM.
– TS 24.301 [26], clause 4.4.2.1 and Annex C;
– TS 31.102 [4], clause 4.2.92;
– TS 33.401 [27], clause 6.1.1, 7.2.5.1 and 7.2.5.2.1.
11.1.3 Test purpose
To verify that the ME generates the EPS security context identified by a key set identifier for E-UTRAN (eKSI) and stores all of it inside EFEPSNSC if this EF is available and when the requirements defined in TS 33.401 [27], clauses 7.2.5.1 and 7.2.5.2.1 are met.
11.1.4 Method of test
11.1.4.1 Initial conditions
For this test an E-USS or an NB-SS is required.
The E-USS transmits on one cell, with the following network parameters:
– TAI (MCC/MNC/TAC): 246/081/0001.
– Access control: unrestricted.
The NB-SS transmits on one cell, with the following network parameters:
– TAI (MCC/MNC/TAC): 246/081/0001.
– Access control: unrestricted.
The default E-UTRAN UICC is used.
11.1.4.2 Procedure
a) The UE is switched on.
b) After receipt of an RRCConnectionRequest/RRCConnectionRequest-NB from the UE the E-USS/NB-SS sends RRCConnectionSetup/RRCConnectionSetup-NB to the UE, followed by RRCConnectionSetupComplete/RRCConnectionSetupComplete-NB sent by the UE to the E-USS/NB-SS.
c) During registration and after receipt of an AttachRequest (included in the RRCConnectionSetupComplete/RRCConnectionSetupComplete-NB) from the UE, the E-USS/NB-SS initiates the EPS authentication and AKA procedure. The E-USS/NB-SS uses
eKSI: ’00’
d) Afterwards the E-USS/NB-SS transmits a (NAS) SecurityModeCommand message to activate NAS security, and after receiving (NAS) SecurityModeComplete from the UE, the E-USS/NB-SS sends AttachAccept to the UE with:
TAI (MCC/MNC/TAC): 246/081/0001
GUTI: "24608100010266345678"
e) After receipt of the AttachComplete during registration from the UE, the E-USS/NB-SS sends RRCConnectionRelease/RRCConnectionRelease-NB to the UE.
f) The UE or the UE’s radio interface is switched off to perform the DETACH procedure.
11.1.5 Acceptance criteria
1) After step a) the UE shall read EFUST and EFEPSNSC.
2) During step b) the UE shall indicate in the AttachRequest that no key is available.
3) During step c) the UE shall send the AuthenticationResponse message.
4) During step d) the UE shall send the (NAS) SecurityModeComplete message.
5) EFEPSNSC shall not be updated during steps c) to e), except to invalidate the content of EFEPSNSC.
Note: Invalidation of EFEPSNSC is described in TS 31.102 [4], clause 4.2.92.
6) After step f) the UE shall send DETACH REQUEST to the E-USS/NB-SS.
7) After step f) EFEPSNSC shall contain:
EFEPSNSC (EPS NAS Security Context)
Logically:
Key Set Identifier KSIASME: '00'
ASME Key (KASME): 32 byte key, value not checked
Uplink NAS count: any value
Downlink NAS count: any value
Identifiers of selected NAS integrity and encryption algorithm: any value
Coding:
       B1  B2  B3  B4  B5  B6  B7  B8  …   …   …   Bxx
Hex    A0  xx  80  01  00  81  xx  xx  …   …   …   xx
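As an added example that is not part of TS 31.121, the following decoder reads one EFEPSNSC record and checks it against acceptance criterion 7 above. The outer tag A0 and the tags 80 (KSIASME) and 81 (KASME) are taken from the coding table; the tags assumed for the NAS counts and algorithm identifiers, the 0xFF invalidation convention and the sample record are assumptions, not values from the specification.

```python
# Added example, not part of TS 31.121: decode one EF_EPSNSC record and check it
# against clause 11.1.5 step 7. Tags 80 (KSI_ASME) and 81 (K_ASME) are taken from
# the coding table; tags 82..84 are an assumption based on TS 31.102 clause 4.2.92.
from typing import Dict, Tuple

TAGS = {
    0x80: "KSI_ASME",
    0x81: "K_ASME",
    0x82: "UL_NAS_COUNT",    # assumed tag
    0x83: "DL_NAS_COUNT",    # assumed tag
    0x84: "NAS_ALGORITHMS",  # assumed tag
}

def _read_len(buf: bytes, i: int) -> Tuple[int, int]:
    """Decode a BER-TLV length (short form, or one-byte long form 0x81)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    if first == 0x81:
        return buf[i + 1], i + 2
    raise ValueError("unsupported length byte 0x%02x" % first)

def parse_epsnsc(record: bytes) -> Dict[str, bytes]:
    """Return the TLVs nested inside the outer 'A0' tag as {name: value}.
    A record whose first byte is 0xFF is treated here as invalidated (assumption)."""
    if not record or record[0] == 0xFF:
        return {}
    if record[0] != 0xA0:
        raise ValueError("expected outer tag A0, got 0x%02x" % record[0])
    total, i = _read_len(record, 1)
    end = i + total
    fields: Dict[str, bytes] = {}
    while i < end:
        tag = record[i]
        length, i = _read_len(record, i + 1)
        fields[TAGS.get(tag, "TAG_%02X" % tag)] = record[i:i + length]
        i += length
    return fields

def check_step7(record: bytes) -> bool:
    """Acceptance criterion 7: KSI_ASME is '00' and K_ASME is a 32 byte key;
    NAS counts and algorithm identifiers may hold any value."""
    f = parse_epsnsc(record)
    return f.get("KSI_ASME") == b"\x00" and len(f.get("K_ASME", b"")) == 32

# Constructed sample record (not from the specification): A0 34 | 80 01 00 |
# 81 20 <32 bytes> | 82 04 <UL count> | 83 04 <DL count> | 84 01 <algorithms>.
SAMPLE = (bytes([0xA0, 0x34, 0x80, 0x01, 0x00, 0x81, 0x20]) + bytes(range(32))
          + bytes([0x82, 0x04, 0, 0, 0, 3, 0x83, 0x04, 0, 0, 0, 2, 0x84, 0x01, 0x12]))
```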
11.2 NAS security context parameter handling when service "EMM Information" is not available, no IMSI change
11.2.1 Definition and applicability
The security parameters for authentication, integrity protection and ciphering are tied together in an EPS security context and identified by a key set identifier for E-UTRAN (eKSI). The relationship between the security parameters is defined in 3GPP TS 33.401 [27].
The EPS security context parameters shall be stored on the USIM if the corresponding file is present. If the corresponding file is not present on the USIM, these EMM parameters except allowed CSG list are stored in a non-volatile memory in the ME together with the IMSI from the USIM.
The EFEPSNSC contains the EPS NAS Security context as defined in TS 33.401 [27]. This file shall contain only one record.
11.2.2 Conformance requirement
EPS AKA is the authentication and key agreement procedure that shall be used over E-UTRAN.
Before security can be activated, the MME and the UE need to establish an EPS security context. Usually, the EPS security context is created as the result of an authentication procedure between MME and UE. The EPS security context parameters shall be stored on the USIM if the corresponding file is present. If the corresponding file is not present on the USIM, these EMM parameters except allowed CSG list are stored in a non-volatile memory in the ME together with the IMSI from the USIM.
These EMM parameters can only be used if the IMSI from the USIM matches the IMSI stored in the non-volatile memory; else the UE shall delete the EMM parameters.
– TS 24.301 [26], clause 4.4.2.1 and Annex C;
– TS 31.102 [4], clause 4.2.92;
– TS 33.401 [27], clause 6.1.1.
11.2.3 Test purpose
To verify that the ME generates the EPS security context identified by a key set identifier for E-UTRAN (eKSI) and stores all of it in a non-volatile memory in the ME, as EMM information is not available on the USIM. During the test the IMSI on the USIM remains unchanged.
11.2.4 Method of test
11.2.4.1 Initial conditions
For this test an E-USS or an NB-SS is required.
The E-USS transmits on one cell, with the following network parameters:
– TAI (MCC/MNC/TAC): 246/081/0001.
– Access control: unrestricted.
The NB-SS transmits on one cell, with the following network parameters:
– TAI (MCC/MNC/TAC): 246/081/0001.
– Access control: unrestricted.
The default UICC (without the service "EMM Information") is installed into the Terminal.
11.2.4.2 Procedure
a) The UE is switched on.
b) After receipt of an RRCConnectionRequest/RRCConnectionRequest-NB from the UE the E-USS/NB-SS sends RRCConnectionSetup/RRCConnectionSetup-NB to the UE, followed by RRCConnectionSetupComplete/RRCConnectionSetupComplete-NB sent by the UE to the E-USS/NB-SS.
c) During registration and after receipt of an AttachRequest (included in the RRCConnectionSetupComplete/RRCConnectionSetupComplete-NB) from the UE, the E-USS/NB-SS initiates the EPS authentication and AKA procedure. The E-USS/NB-SS uses
eKSI: 00
d) Afterwards the E-USS/NB-SS transmits a (NAS) SecurityModeCommand message to activate NAS security, and after receiving (NAS) SecurityModeComplete from the UE, the E-USS/NB-SS sends AttachAccept to the UE with:
TAI (MCC/MNC/TAC): 246/081/0001
GUTI: "24608100010266345678"
e) After receipt of the AttachComplete during registration from the UE, the E-USS/NB-SS sends RRCConnectionRelease/RRCConnectionRelease-NB to the UE.
f) The UE is switched off and performs the Detach procedure.
g) The default UICC remains in use.
h) The Terminal is switched on.
i) After receipt of an RRCConnectionRequest/RRCConnectionRequest-NB from the UE the E-USS/NB-SS sends RRCConnectionSetup/RRCConnectionSetup-NB to the UE, followed by RRCConnectionSetupComplete/RRCConnectionSetupComplete-NB sent by the UE to the E-USS/NB-SS.
j) During registration and after receipt of an AttachRequest (included in the RRCConnectionSetupComplete/RRCConnectionSetupComplete-NB) from the UE, E-USS/NB-SS transmits a (NAS) SecurityModeCommand message to activate NAS security using the last known KASME, and after receiving (NAS) SecurityModeComplete from the UE, the E-USS/NB-SS sends AttachAccept to the UE with:
TAI (MCC/MNC/TAC): 246/081/0001
GUTI: "24608100010266345619"
k) After receipt of the AttachComplete during registration from the UE, the E-USS/NB-SS sends RRCConnectionRelease/RRCConnectionRelease-NB to the UE.
11.2.5 Acceptance criteria
1) After step a) the UE shall read EFUST.
2) During step c) the UE shall send the AuthenticationResponse message.
3) During step d) the UE shall send the (NAS) SecurityModeComplete message.
4) During step j) the UE shall indicate in the AttachRequest eKSI as 00.
5) During step j) the UE shall send the (NAS) SecurityModeComplete message.
6) During step k) the UE shall send the AttachComplete message.
11.3 NAS security context parameter handling when service "EMM Information" is not available, IMSI changed
11.3.1 Definition and applicability
The security parameters for authentication, integrity protection and ciphering are tied together in an EPS security context and identified by a key set identifier for E-UTRAN (eKSI). The relationship between the security parameters is defined in 3GPP TS 33.401 [27].
The EPS security context parameters shall be stored on the USIM if the corresponding file is present. If the corresponding file is not present on the USIM, these EMM parameters except allowed CSG list are stored in a non-volatile memory in the ME together with the IMSI from the USIM.
The EFEPSNSC contains the EPS NAS Security context as defined in TS 33.401 [27]. This file shall contain only one record.
11.3.2 Conformance requirement
EPS AKA is the authentication and key agreement procedure that shall be used over E-UTRAN.
Before security can be activated, the MME and the UE need to establish an EPS security context. Usually, the EPS security context is created as the result of an authentication procedure between MME and UE. The EPS security context parameters shall be stored on the USIM if the corresponding file is present. If the corresponding file is not present on the USIM, these EMM parameters except allowed CSG list are stored in a non-volatile memory in the ME together with the IMSI from the USIM.
These EMM parameters can only be used if the IMSI from the USIM matches the IMSI stored in the non-volatile memory; else the UE shall delete the EMM parameters.
– TS 24.301 [26], clause 4.4.2.1 and Annex C;
– TS 31.102 [4], clause 4.2.92;
– TS 33.401 [27], clause 6.1.1.
11.3.3 Test purpose
1) To verify that the ME generates the EPS security context identified by a key set identifier for E-UTRAN (eKSI) and stores all of it in a non-volatile memory in the ME, as EMM information is not available on the USIM.
2) To verify that the UE deletes the existing EMM parameters from the ME's non-volatile memory in case a different IMSI is activated.
11.3.4 Method of test
11.3.4.1 Initial conditions
For this test an E-USS or an NB-SS is required.
The E-USS transmits on one cell, with the following network parameters:
– TAI (MCC/MNC/TAC): 246/081/0001.
– Access control: unrestricted.
The NB-SS transmits on one cell, with the following network parameters:
– TAI (MCC/MNC/TAC): 246/081/0001.
– Access control: unrestricted.
The default UICC (without the service "EMM Information") is installed into the Terminal.
11.3.4.2 Procedure
a) The UE is switched on.
b) After receipt of an RRCConnectionRequest/RRCConnectionRequest-NB from the UE the E-USS/NB-SS sends RRCConnectionSetup/RRCConnectionSetup-NB to the UE, followed by RRCConnectionSetupComplete/RRCConnectionSetupComplete-NB sent by the UE to the E-USS/NB-SS.
c) During registration and after receipt of an AttachRequest (included in the RRCConnectionSetupComplete/RRCConnectionSetupComplete-NB) from the UE, the E-USS/NB-SS initiates the EPS authentication and AKA procedure. The E-USS/NB-SS uses
eKSI: 00
d) Afterwards the E-USS/NB-SS transmits a (NAS) SecurityModeCommand message to activate NAS security, and after receiving (NAS) SecurityModeComplete from the UE, the E-USS/NB-SS sends AttachAccept to the UE with:
TAI (MCC/MNC/TAC): 246/081/0001
GUTI: "24608100010266345678"
e) After receipt of the AttachComplete during registration from the UE, the E-USS/NB-SS sends RRCConnectionRelease/RRCConnectionRelease-NB to the UE.
f) The UE is switched off and performs the Detach procedure.
g) A new UICC with the following configuration is activated:
The default UICC with the following exception: The IMSI is set to "246081222233333".
h) The Terminal is switched on.
i) After receipt of an RRCConnectionRequest/RRCConnectionRequest-NB from the UE the E-USS/NB-SS sends RRCConnectionSetup/RRCConnectionSetup-NB to the UE, followed by RRCConnectionSetupComplete/RRCConnectionSetupComplete-NB sent by the UE to the E-USS/NB-SS.
j) During registration and after receipt of an AttachRequest (included in the RRCConnectionSetupComplete/RRCConnectionSetupComplete-NB) from the UE, E-USS/NB-SS transmits a (NAS) SecurityModeCommand message to activate NAS security using the last known KASME.
k) The UE responds with (NAS) SecurityModeReject.
l) The E-USS/NB-SS sends RRCConnectionRelease/RRCConnectionRelease-NB to the UE.
11.3.5 Acceptance criteria
1) After step a) the UE shall read EFUST.
2) During step c) the UE shall send the AuthenticationResponse message.
3) During step d) the UE shall send the (NAS) SecurityModeComplete message.
4) During step j) the UE shall indicate in the AttachRequest that no key is available.
5) After step j) the UE shall send the (NAS) SecurityModeReject message.
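As an added example that is not part of TS 31.121, the following model covers the ME-side behaviour exercised by clauses 11.2 and 11.3: the EMM parameters are stored in the ME together with the IMSI, are reused at the second attach only when the USIM's IMSI still matches, and are deleted otherwise, which is what drives the eKSI in the AttachRequest and the SecurityModeComplete/SecurityModeReject answer at step j). The class, function and IMSI names (the default UICC's IMSI in particular) are assumptions; only the changed IMSI "246081222233333" comes from clause 11.3.4.2 step g).

```python
# Added example, not part of TS 31.121: a minimal model of the ME's non-volatile
# EMM storage for a USIM without the "EMM Information" service (clauses 11.2 and
# 11.3). Class, function and IMSI names are assumptions for illustration.
from dataclasses import dataclass
from typing import Optional

KSI_NO_KEY = 0x07  # eKSI '111': "no key is available" (TS 24.301)

@dataclass
class EpsSecurityContext:
    eksi: int        # key set identifier signalled in AttachRequest
    k_asme: bytes    # 32 byte K_ASME from the EPS AKA run

@dataclass
class MeNonVolatileStore:
    """EMM parameters kept in the ME together with the IMSI of the USIM."""
    imsi: Optional[str] = None
    context: Optional[EpsSecurityContext] = None

    def save(self, imsi: str, ctx: EpsSecurityContext) -> None:
        """Step f): on switch-off the context is stored with the IMSI in use."""
        self.imsi, self.context = imsi, ctx

    def load_for(self, usim_imsi: str) -> Optional[EpsSecurityContext]:
        """Power-on: the parameters are usable only if the IMSI read from the USIM
        matches the stored IMSI; otherwise the UE deletes them (clause 11.3.2)."""
        if self.context is None:
            return None
        if usim_imsi != self.imsi:
            self.imsi, self.context = None, None
            return None
        return self.context

def attach_request_eksi(store: MeNonVolatileStore, usim_imsi: str) -> int:
    """eKSI signalled in AttachRequest at step j): the stored KSI (11.2.5 step 4)
    or 'no key available' (11.3.5 step 4)."""
    ctx = store.load_for(usim_imsi)
    return KSI_NO_KEY if ctx is None else ctx.eksi

def security_mode_response(store: MeNonVolatileStore, usim_imsi: str) -> str:
    """Reply to a SecurityModeCommand that uses the last known K_ASME:
    SecurityModeComplete with a usable context (11.2.5 step 5), else
    SecurityModeReject (11.3.5 step 5)."""
    return "SecurityModeComplete" if store.load_for(usim_imsi) is not None else "SecurityModeReject"

DEFAULT_IMSI = "246081111111111"  # assumed IMSI of the default UICC
CHANGED_IMSI = "246081222233333"  # IMSI of the replacement UICC, clause 11.3 step g)

def run_second_attach(second_imsi: str) -> tuple:
    """Steps a)-f) with DEFAULT_IMSI, then steps h)-j) with second_imsi."""
    store = MeNonVolatileStore()
    store.save(DEFAULT_IMSI, EpsSecurityContext(eksi=0, k_asme=bytes(32)))
    return attach_request_eksi(store, second_imsi), security_mode_response(store, second_imsi)
```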
11.4 EPS NAS Security Context Storage
11.4.1 Definition and applicability
The security parameters for authentication, integrity protection and ciphering are tied together in an EPS security context and identified by a key set identifier for E-UTRAN (eKSI). The relationship between the security parameters is defined in 3GPP TS 33.401 [27].
The EPS security context parameters shall be stored on the USIM if the corresponding file is present. If the corresponding file is not present on the USIM, these EMM parameters except allowed CSG list are stored in a non-volatile memory in the ME together with the IMSI from the USIM.
The EFEPSNSC contains the EPS NAS Security context as defined in TS 33.401 [27]. This file shall contain only one record and shall be updated only when the requirements defined in TS 33.401 [27] are met.
11.4.2 Conformance requirement
EPS AKA is the authentication and key agreement procedure that shall be used over E-UTRAN.
Before security can be activated, the MME and the UE need to establish an EPS security context. Usually, the EPS security context is created as the result of an authentication procedure between MME and UE. The EPS security context parameters shall be stored on the USIM if the corresponding file is present, and shall be updated only when the requirements defined in TS 33.401 [27] are met.
– TS 24.301 [26], clause 4.4.2.1 and Annex C;
– TS 31.102 [4], clause 4.2.92 and 5.2.28;
– TS 33.401 [27], clause 6.1.1, 7.2.5.2, 7.2.6.1 and 7.2.6.3.
11.4.3 Test purpose
The update of EPS NAS security context shall be according to the rules and procedures specified in TS 33.401 [27], clause 6.1.1, 7.2.5.2, 7.2.6.1 and 7.2.6.3.
11.4.4 Method of test
11.4.4.1 Initial conditions
For this test an E-USS or an NB-SS is required.
The E-USS transmits on one cell, with the following network parameters:
– TAI (MCC/MNC/TAC): 246/081/0001.
– Access control: unrestricted.
The NB-SS transmits on one cell, with the following network parameters:
– TAI (MCC/MNC/TAC): 246/081/0001.
– Access control: unrestricted.
The default E-UTRAN UICC is used.
11.4.4.2 Procedure
a) The UE is switched on.
b) After receipt of an RRCConnectionRequest/RRCConnectionRequest-NB from the UE the E-USS/NB-SS sends RRCConnectionSetup/RRCConnectionSetup-NB to the UE, followed by RRCConnectionSetupComplete/RRCConnectionSetupComplete-NB sent by the UE to the E-USS/NB-SS.
c) The E-USS/NB-SS receives an AttachRequest (included in the RRCConnectionSetupComplete/RRCConnectionSetupComplete-NB) from the UE.
d) The E-USS/NB-SS initiates the EPS authentication and AKA procedure. The E-USS/NB-SS uses
eKSI: ’00’
e) Afterwards the E-USS/NB-SS transmits a (NAS) SecurityModeCommand message to activate NAS security, and after receiving (NAS) SecurityModeComplete from the UE, the E-USS/NB-SS sends AttachAccept to the UE with:
TAI (MCC/MNC/TAC): 246/081/0001
GUTI: "24608100010266345678"
f) After receipt of the AttachComplete during registration from the UE, the E-USS/NB-SS sends RRCConnectionRelease/RRCConnectionRelease-NB to the UE.
g) The E-USS/NB-SS sends Paging/Paging-NB to the UE using the S-TMSI.
– for WB-S1: with CN domain indicator set to "PS".
h) After receipt of an RRCConnectionRequest/RRCConnectionRequest-NB message from the UE, the E-USS/NB-SS sends an RRCConnectionSetup/RRCConnectionSetup-NB message to the UE, followed by RRCConnectionSetupComplete/RRCConnectionSetupComplete-NB sent by the UE to the E-USS/NB-SS.
i) The UE sends:
– for WB-S1: EMM Service Request followed by the activation of AS security by the E-USS and the Dedicated EPS bearer.
– for NB-IoT: Control Plane Service Request, the NB-SS sends a Service Accept.
j) The following is checked:
– for WB-S1: After keeping the Dedicated EPS Bearer active for 5 seconds, the E-USS sends RRCConnectionRelease to the UE.
– for NB-IoT: After keeping the Default EPS Bearer active for 5 seconds, the NB-SS sends RRCConnectionRelease-NB to the UE.
11.4.5 Acceptance criteria
1) After step a) the UE shall read EFUST and EFEPSNSC.
2) After step a) and before step d) the UE shall either keep the content of EFEPSNSC as specified in the initial conditions or invalidate the content of EFEPSNSC as described in TS 31.102 [4], clause 4.2.92.
3) During step d) the UE shall send the AuthenticationResponse message.
4) During step e) the UE shall send the (NAS) SecurityModeComplete message.
5) After step f) the UE shall have entered idle mode.
6) After step i) the UE shall have
– for WB-S1: a Dedicated EPS bearer established.
– for NB-IoT: a Default bearer established.
7) During steps d), e), f), g), h), i) and j) the UE shall not update EFEPSNSC.