5.3.4 Initial AS security activation
3GPP TS 38.331, NR; Radio Resource Control (RRC); Protocol specification, Release 17
5.3.4.1 General
Figure 5.3.4.1-1: Security mode command, successful
Figure 5.3.4.1-2: Security mode command, failure
The purpose of this procedure is to activate AS security upon RRC connection establishment.
5.3.4.2 Initiation
The network initiates the security mode command procedure to a UE in RRC_CONNECTED. Moreover, the network applies the procedure as follows:
– when only SRB1 is established, i.e. prior to establishment of SRB2, multicast MRBs and/or DRBs.
5.3.4.3 Reception of the SecurityModeCommand by the UE
The UE shall:
1> derive the KgNB key, as specified in TS 33.501 [11];
1> derive the KRRCint key associated with the integrityProtAlgorithm indicated in the SecurityModeCommand message, as specified in TS 33.501 [11];
1> request lower layers to verify the integrity protection of the SecurityModeCommand message, using the algorithm indicated by the integrityProtAlgorithm as included in the SecurityModeCommand message and the KRRCint key;
1> if the SecurityModeCommand message passes the integrity protection check:
2> derive the KRRCenc key and the KUPenc key associated with the cipheringAlgorithm indicated in the SecurityModeCommand message, as specified in TS 33.501 [11];
2> derive the KUPint key associated with the integrityProtAlgorithm indicated in the SecurityModeCommand message, as specified in TS 33.501 [11];
2> configure lower layers to apply SRB integrity protection using the indicated algorithm and the KRRCint key immediately, i.e. integrity protection shall be applied to all subsequent messages received and sent by the UE, including the SecurityModeComplete message;
2> configure lower layers to apply SRB ciphering using the indicated algorithm, the KRRCenc key after completing the procedure, i.e. ciphering shall be applied to all subsequent messages received and sent by the UE, except for the SecurityModeComplete message which is sent unciphered;
2> consider AS security to be activated;
2> submit the SecurityModeComplete message to lower layers for transmission, upon which the procedure ends;
1> else:
2> continue using the configuration used prior to the reception of the SecurityModeCommand message, i.e. neither apply integrity protection nor ciphering.
2> submit the SecurityModeFailure message to lower layers for transmission, upon which the procedure ends.
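
The following Python model of the UE handling in 5.3.4.3 is an added example, not part of TS 38.331. Key derivation follows the KDF of TS 33.501 Annex A.8. Assumptions: the 32-bit MAC-I is truncated HMAC-SHA-256 as a labelled stand-in for the NIA algorithms (the COUNT, BEARER and DIRECTION inputs are omitted), and the class, function and sample-key names are hypothetical.

```python
import hashlib
import hmac

# Algorithm type distinguishers from TS 33.501 Annex A.8
N_RRC_ENC, N_RRC_INT, N_UP_ENC, N_UP_INT = 0x03, 0x04, 0x05, 0x06
K_GNB_SAMPLE = bytes(range(32))  # constructed 256-bit KgNB, not a real key

def derive_as_key(k_gnb, alg_type, alg_id):
    """A.8 KDF: HMAC-SHA-256(KgNB, FC||P0||L0||P1||L1), 128 least significant bits."""
    s = bytes([0x69, alg_type, 0x00, 0x01, alg_id, 0x00, 0x01])
    return hmac.new(k_gnb, s, hashlib.sha256).digest()[16:]

def mac_i(k_rrc_int, msg):
    """Stand-in 32-bit MAC-I (assumption): truncated HMAC-SHA-256, not a real NIA."""
    return hmac.new(k_rrc_int, msg, hashlib.sha256).digest()[:4]

class UeAsSecurity:
    def __init__(self, k_gnb):
        self.k_gnb, self.keys = k_gnb, {}
        self.srb_integrity = self.srb_ciphering = self.activated = False

    def on_security_mode_command(self, msg, rx_mac, int_alg, ciph_alg):
        # Only KRRCint is derived before the integrity check of the command.
        k_int = derive_as_key(self.k_gnb, N_RRC_INT, int_alg)
        if not hmac.compare_digest(mac_i(k_int, msg), rx_mac):
            # "else" branch: keep the prior configuration, no integrity, no
            # ciphering; SecurityModeFailure goes out unprotected.
            return ("SecurityModeFailure", None)
        self.keys = {
            "KRRCint": k_int,
            "KRRCenc": derive_as_key(self.k_gnb, N_RRC_ENC, ciph_alg),
            "KUPenc": derive_as_key(self.k_gnb, N_UP_ENC, ciph_alg),
            "KUPint": derive_as_key(self.k_gnb, N_UP_INT, int_alg),
        }
        self.srb_integrity = True   # immediate: covers SecurityModeComplete
        self.activated = True
        # SecurityModeComplete is integrity protected but sent unciphered.
        reply = ("SecurityModeComplete", mac_i(k_int, b"SecurityModeComplete"))
        self.srb_ciphering = True   # applies only to messages after this one
        return reply
```
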