---
# System prepended metadata

title: 蔡瀚興-讀書會-21/07/21

---

# 蔡瀚興-讀書會-21/07/21
## <font color="ff0000">Recommended links</font>
- [What is the difference between "partial native" and "full native"](https://www.queryhome.com/tech/116405/difference-between-partial-native-native-security-context)
## <font color="FF0000">Introduction</font>
![](https://i.imgur.com/pM6vqKF.jpg)
- **NAS security:**
Protects the control-plane NAS messages exchanged between the UE and the MME (integrity protection and ciphering). Its keys, $K_{NASint}$ and $K_{NASenc}$, are derived from $K_{ASME}$, which both sides hold after EPS AKA.
- **AS security:**
Protects the control-plane RRC messages and the user-plane IP packets exchanged between the UE and the eNB. Its keys, $K_{RRCint}$, $K_{RRCenc}$ and $K_{UPenc}$, are derived from $K_{eNB}$, which the MME derives from $K_{ASME}$ and hands to the eNB.



## <font color="FF0000">NAS security</font>

### <font color="0000ff">I. Transmission of the Security Mode Command message</font>
(Assuming the MME assigns KSI-ASME = 1 to identify $K_{ASME}$.)
![](https://i.imgur.com/rfFFWOn.jpg)

1. **[MME] Select the security algorithms:**
The MME selects the NAS ciphering algorithm (EEA) and integrity algorithm (EIA) from the UE network capability IE carried in the UE's Attach Request, which lists the EEA/EIA algorithms the UE supports, according to its own configured algorithm priority.

2. **[MME] Calculate the NAS security keys:**
The MME derives $K_{NASint}$ and $K_{NASenc}$ from $K_{ASME}$, feeding the KDF the algorithm type distinguisher (NAS-int-alg or NAS-enc-alg, which tells the KDF which kind of key is being derived) and the selected algorithm's Alg-ID; each output is truncated to 128 bits.
![](https://i.imgur.com/psQftWf.jpg)

3. **[MME] Generate the NAS-MAC for integrity protection:**
The MME computes the NAS-MAC with the selected EIA algorithm and the following inputs:
**1. COUNT:** 32-bit downlink NAS COUNT
**2. MESSAGE:** the NAS message, here the Security Mode Command
**3. DIRECTION:** 1 bit, 0 = uplink, 1 = downlink
**4. BEARER:** 5-bit bearer ID, fixed to 0 for NAS
**5. KEY:** $K_{NASint}$, the 128-bit NAS integrity key

4. **[UE <- MME] Send the Security Mode Command message:**
The MME sends the Security Mode Command, carrying the NAS-MAC, to the UE. The message is integrity protected but not ciphered. It contains:
**1. KSI-ASME:** the 3-bit key set identifier associated with $K_{ASME}$
**2. Replayed UE security capabilities:** the UE network capabilities exactly as the MME received them, echoed back so the UE can detect whether they were altered in transit (bidding-down protection)
**3. NAS ciphering algorithm:** the EEA selected by the MME
**4. NAS integrity algorithm:** the EIA selected by the MME

5. **[UE] Set the $K_{ASME}$ identifier (KSI-ASME):**
The UE stores KSI-ASME as the identifier of its current $K_{ASME}$.

6. **[UE] Generate the NAS security keys:**
The UE derives $K_{NASint}$ and $K_{NASenc}$ from $K_{ASME}$ with the algorithms the MME selected, in the same way as in step 2.

7. **[UE] Check the integrity of the Security Mode Command message:**
Using the integrity algorithm chosen by the MME and $K_{NASint}$, the UE computes its own message authentication code XNAS-MAC over the received message and compares it with the received NAS-MAC; the command is accepted only if they match.
The UE also checks that the replayed UE security capabilities equal the ones it sent in the Attach Request; a mismatch means the capabilities were modified on the way to the MME, and the UE rejects the command.
![](https://i.imgur.com/mr5bHcp.jpg)
### <font color="0000ff">II. Transmission of the Security Mode Complete message</font>
(The Security Mode Complete message is both ciphered and integrity protected.)

![](https://i.imgur.com/4p8b44x.gif)

8. **[UE] Encrypt the message with the selected ciphering algorithm (here EEA1):**
The UE ciphers the Security Mode Complete message with the selected EEA algorithm and $K_{NASenc}$ before sending it to the MME. The inputs are:
**1. COUNT:** 32-bit uplink NAS COUNT
**2. LENGTH:** the length of the keystream the algorithm must produce (the message length)
**3. DIRECTION:** 1 bit, 0 = uplink, 1 = downlink
**4. BEARER:** 5-bit bearer ID, fixed to 0 for NAS
**5. KEY:** $K_{NASenc}$, the 128-bit NAS ciphering key

9. **[UE] Generate the NAS-MAC for integrity protection:**
As in step 3, but with the uplink NAS COUNT, DIRECTION = 0, and the MAC computed over the already-ciphered message.

10. **[UE -> MME] Send the Security Mode Complete message:**
The UE sends the Security Mode Complete message, carrying the NAS-MAC, to the MME. It is both integrity protected and ciphered.
(From this point on, NAS messages between the UE and the MME are protected.)

11. **[MME] Verify the integrity of the Security Mode Complete message:**
As in step 7: the MME computes XNAS-MAC with $K_{NASint}$ and compares it with the received NAS-MAC.

12. **[MME] Decipher the Security Mode Complete message:**
Only after the integrity check succeeds does the MME decipher the message with $K_{NASenc}$.
![](https://i.imgur.com/9LKVNX8.jpg)

### <font color="0000ff">III. After NAS security is established</font>
Once NAS security is established, every NAS message between the UE and the MME is ciphered and integrity protected.
- Before a NAS message is sent it is first ciphered, then integrity protected: the original NAS message is ciphered with $K_{NASenc}$, and a NAS-MAC computed with $K_{NASint}$ over the ciphered message is attached to it.

- When a NAS message is received, integrity is verified first and the message is deciphered afterwards: the receiver computes XNAS-MAC with $K_{NASint}$ and compares it with the received NAS-MAC, and only if they match deciphers the message to recover the original NAS message. Rejecting a forged or corrupted message before deciphering it means the ciphering key is never exercised on attacker-controlled input.
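The NAS Security Mode Command exchange of steps 1 to 12 above, written out end to end as an added example (this is not code from the original notes). Key derivation follows TS 33.401 Annex A: an HMAC-SHA-256 KDF with FC 0x15, the algorithm type distinguisher and the algorithm identity as inputs, truncated to the low 128 bits. The EIA/EEA calls are HMAC-SHA-256 stand-ins that take the 3GPP input tuple (KEY, COUNT, BEARER, DIRECTION, MESSAGE/LENGTH) but are not 128-EIA1/128-EEA1, so the example runs without a SNOW 3G implementation. The wire layout of the two messages, the UE capability bytes and the payload text are constructed for the example.

```python
"""NAS Security Mode Command / Complete exchange (added example, not the page's code).

Key derivation follows TS 33.401 Annex A.  eia_mac/eea_crypt are stand-ins with the
real 3GPP input tuple, NOT 128-EIA1/128-EEA1.  Message layouts are constructed.
"""
import hashlib
import hmac
import os

NAS_ENC_ALG, NAS_INT_ALG = 0x01, 0x02   # algorithm type distinguishers, TS 33.401 Table A.7-1
FC_ALG_KEY = 0x15                       # FC value for algorithm key derivation (A.7)
UPLINK, DOWNLINK = 0, 1
NAS_BEARER = 0                          # BEARER is fixed to 0 for NAS


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_alg_key(k_asme: bytes, alg_type: int, alg_id: int) -> bytes:
    """K_NASint / K_NASenc: the 128 least significant bits of the 256-bit KDF output."""
    return kdf(k_asme, FC_ALG_KEY, bytes([alg_type]), bytes([alg_id]))[16:]


def eia_mac(key: bytes, count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """Stand-in for 128-EIAx: 32-bit MAC over (COUNT, BEARER, DIRECTION, MESSAGE)."""
    hdr = count.to_bytes(4, "big") + bytes([bearer, direction])
    return hmac.new(key, hdr + message, hashlib.sha256).digest()[:4]


def eea_crypt(key: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """Stand-in for 128-EEAx: a keystream of LENGTH bytes XORed onto the data."""
    ks, block = b"", 0
    while len(ks) < len(data):
        hdr = count.to_bytes(4, "big") + bytes([bearer, direction]) + block.to_bytes(4, "big")
        ks += hmac.new(key, hdr, hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, ks))


class NasEntity:
    """Minimal UE / MME NAS state: K_ASME, derived NAS keys and the two NAS COUNTs."""
    def __init__(self, k_asme: bytes):
        self.k_asme = k_asme
        self.k_nas_int = self.k_nas_enc = None
        self.ul_count = self.dl_count = 0

    def activate(self, eea_id: int, eia_id: int) -> None:
        self.k_nas_enc = derive_alg_key(self.k_asme, NAS_ENC_ALG, eea_id)
        self.k_nas_int = derive_alg_key(self.k_asme, NAS_INT_ALG, eia_id)


def mme_build_smc(mme: NasEntity, ue_caps: bytes, eea_id: int, eia_id: int, ksi: int) -> bytes:
    """Steps 1-4: select algorithms, derive keys, MAC the SMC. Integrity only, no ciphering."""
    mme.activate(eea_id, eia_id)
    body = bytes([ksi, eea_id, eia_id]) + ue_caps      # constructed layout: KSI | EEA | EIA | replayed caps
    mac = eia_mac(mme.k_nas_int, mme.dl_count, NAS_BEARER, DOWNLINK, body)
    mme.dl_count += 1
    return mac + body


def ue_handle_smc(ue: NasEntity, ue_caps: bytes, smc: bytes) -> bytes:
    """Steps 5-10: derive keys, check NAS-MAC and replayed capabilities, build the reply."""
    mac, body = smc[:4], smc[4:]
    eea_id, eia_id, replayed = body[1], body[2], body[3:]
    ue.activate(eea_id, eia_id)
    xmac = eia_mac(ue.k_nas_int, ue.dl_count, NAS_BEARER, DOWNLINK, body)
    if not hmac.compare_digest(xmac, mac):
        raise ValueError("Security Mode Command: NAS-MAC check failed")
    if replayed != ue_caps:
        raise ValueError("replayed UE capabilities differ from what was sent: bidding-down attempt")
    ue.dl_count += 1
    plain = b"SECURITY MODE COMPLETE"                  # constructed payload
    ct = eea_crypt(ue.k_nas_enc, ue.ul_count, NAS_BEARER, UPLINK, plain)   # cipher first ...
    mac = eia_mac(ue.k_nas_int, ue.ul_count, NAS_BEARER, UPLINK, ct)       # ... then MAC the ciphertext
    ue.ul_count += 1
    return mac + ct


def mme_handle_smc_complete(mme: NasEntity, msg: bytes) -> bytes:
    """Steps 11-12: verify the NAS-MAC first, only then decipher."""
    mac, ct = msg[:4], msg[4:]
    xmac = eia_mac(mme.k_nas_int, mme.ul_count, NAS_BEARER, UPLINK, ct)
    if not hmac.compare_digest(xmac, mac):
        raise ValueError("Security Mode Complete: NAS-MAC check failed")
    plain = eea_crypt(mme.k_nas_enc, mme.ul_count, NAS_BEARER, UPLINK, ct)
    mme.ul_count += 1
    return plain


def ue_accepts_smc(k_asme: bytes, ue_caps: bytes, smc: bytes) -> bool:
    """True if a fresh UE holding this K_ASME accepts the SMC; False if it rejects it."""
    try:
        ue_handle_smc(NasEntity(k_asme), ue_caps, smc)
        return True
    except ValueError:
        return False


def run_nas_smc(k_asme: bytes, ue_caps: bytes = b"\xe0\xe0", eea_id: int = 1, eia_id: int = 1):
    """Whole exchange; returns (deciphered SMC Complete, whether UE and MME ended with equal keys)."""
    ue, mme = NasEntity(k_asme), NasEntity(k_asme)
    complete = ue_handle_smc(ue, ue_caps, mme_build_smc(mme, ue_caps, eea_id, eia_id, ksi=1))
    plain = mme_handle_smc_complete(mme, complete)
    return plain, ue.k_nas_int == mme.k_nas_int and ue.k_nas_enc == mme.k_nas_enc


if __name__ == "__main__":
    print(run_nas_smc(os.urandom(32)))
```

Because the NAS-MAC covers the replayed capabilities and the selected algorithm identifiers, an on-path attacker who rewrites the EEA field to EEA0 or edits the capability bytes is caught by the UE at step 7 even before the capability comparison: the UE derives its keys from the tampered identifiers and its XNAS-MAC no longer matches. `ue_accepts_smc` exposes that outcome so the rejection can be checked directly.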



## <font color='ff0000'>AS Security</font>
### <font color="0000ff">I. Transmission of the Security Mode Command message</font>
![](https://i.imgur.com/CX5tMgG.jpg)

1. **[MME] Calculate $K_{eNB}$:**
The MME derives $K_{eNB}$ from $K_{ASME}$; the uplink NAS COUNT is an additional KDF input, so each derivation yields a fresh $K_{eNB}$.

2. **[eNB <- MME] Send $K_{eNB}$:**
The MME delivers $K_{eNB}$ to the eNB in the S1AP Initial Context Setup Request, which also carries the NAS Attach Accept message for the eNB to forward to the UE. The request contains:
**1. UE security capabilities**
**2. Security key:** the 256-bit $K_{eNB}$

3. **[eNB] Select the security algorithms:**
As in NAS security step 1, but the eNB chooses the AS algorithms (RRC ciphering, RRC integrity and UP ciphering) from the UE security capabilities it received from the MME.

4. **[eNB] Generate the AS security keys:**
The eNB derives $K_{RRCint}$, $K_{RRCenc}$ and $K_{UPenc}$ from $K_{eNB}$ using the algorithm type distinguisher and the selected Alg-ID, as in NAS security step 2.
![](https://i.imgur.com/pEl9Agt.jpg)

5. **[eNB] Generate the MAC-I for integrity protection:**
The eNB computes MAC-I with the selected EIA algorithm and $K_{RRCint}$. The inputs are:
**1. COUNT:** 32-bit downlink PDCP COUNT
**2. MESSAGE:** the RRC message, here the Security Mode Command
**3. DIRECTION:** 1 bit, 0 = uplink, 1 = downlink
**4. BEARER:** 5-bit radio bearer identity; the Security Mode Command is sent on SRB1, for which this value is 0
**5. KEY:** $K_{RRCint}$, the 128-bit RRC integrity key

6. **[UE <- eNB] Send the Security Mode Command message:**
As in NAS security step 4: the RRC Security Mode Command carries the MAC-I and is integrity protected but not ciphered.
![](https://i.imgur.com/BxZPKr0.jpg)

7. **[UE] Identify the selected security algorithms: EEA1, EIA1**

8. **[UE] Generate the AS security keys:**
The UE derives $K_{RRCint}$, $K_{RRCenc}$ and $K_{UPenc}$ from $K_{eNB}$ using the algorithm type distinguisher and the Alg-ID, as the eNB did in step 4.

9. **[UE] Check the integrity of the Security Mode Command message:**
The UE computes XMAC-I with $K_{RRCint}$ and compares it with the received MAC-I.

### <font color="0000ff">II. Transmission of the Security Mode Complete message</font>
![](https://i.imgur.com/koIHc37.jpg)

10. **[UE] Generate the MAC-I for integrity protection**
Computed as in step 5, with $K_{RRCint}$, the uplink PDCP COUNT and DIRECTION = 0.

11. **[UE -> eNB] Send the Security Mode Complete message**
The RRC Security Mode Complete is integrity protected but sent unciphered; ciphering applies to the messages that follow it.

12. **[eNB] Verify the integrity of the Security Mode Complete message**
The eNB computes XMAC-I with $K_{RRCint}$ and compares it with the received MAC-I.

### <font color="0000ff">III. After AS security is established</font>
Once AS security is established, all RRC messages between the UE and the eNB are ciphered and integrity protected, and all user-plane IP packets are ciphered.
- **Unlike NAS security, which verifies integrity before deciphering, AS security deciphers first and then verifies integrity:** at the PDCP layer the MAC-I is computed over the plaintext RRC message, and the message and its MAC-I are then ciphered together, so the receiver has to decipher before it can check the MAC-I.
- IP packets (user plane) are ciphered but not integrity protected. The sender ciphers each IP packet with $K_{UPenc}$ and the receiver deciphers it with $K_{UPenc}$ to recover the original packet. Because there is no MAC-I on the user plane, the PDCP layer cannot detect a packet that was modified in transit; with a keystream cipher a flipped ciphertext bit simply flips the corresponding plaintext bit, so integrity of user data has to come from higher layers (for example TLS).
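The AS side, as an added example that is not part of the original notes: $K_{eNB}$ from $K_{ASME}$ and the three AS keys from $K_{eNB}$ (TS 33.401 Annex A: HMAC-SHA-256 KDF, FC 0x11 with the uplink NAS COUNT for $K_{eNB}$, FC 0x15 with type distinguisher and Alg-ID for the algorithm keys), then the PDCP processing order on an SRB (MAC-I over the plaintext, cipher message and MAC-I together, decipher before verifying) next to a DRB that is ciphered only. The integrity and ciphering calls are HMAC-SHA-256 stand-ins with the 3GPP input tuple, not 128-EIA1/128-EEA1; the BEARER values, RRC and IP payloads are constructed.

```python
"""AS key derivation and PDCP SRB/DRB protection (added example, not the page's code).

Key derivation follows TS 33.401 Annex A.  eia_mac/eea_crypt are stand-ins with the
3GPP input tuple, NOT 128-EIA1/128-EEA1.  Payloads and bearer values are constructed.
"""
import hashlib
import hmac

FC_KENB, FC_ALG_KEY = 0x11, 0x15                         # TS 33.401 A.3 and A.7
RRC_ENC_ALG, RRC_INT_ALG, UP_ENC_ALG = 0x03, 0x04, 0x05  # algorithm type distinguishers
UPLINK, DOWNLINK = 0, 1
SRB1, DRB1 = 0, 2   # constructed BEARER values (radio bearer identity minus one)


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc]) + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kenb(k_asme: bytes, ul_nas_count: int) -> bytes:
    """256-bit K_eNB = KDF(K_ASME, 0x11 || uplink NAS COUNT || 0x0004)."""
    return kdf(k_asme, FC_KENB, ul_nas_count.to_bytes(4, "big"))


def derive_as_keys(k_enb: bytes, eea_id: int, eia_id: int) -> dict:
    """K_RRCint, K_RRCenc, K_UPenc: low 128 bits of the KDF output for each distinguisher."""
    return {
        "K_RRCint": kdf(k_enb, FC_ALG_KEY, bytes([RRC_INT_ALG]), bytes([eia_id]))[16:],
        "K_RRCenc": kdf(k_enb, FC_ALG_KEY, bytes([RRC_ENC_ALG]), bytes([eea_id]))[16:],
        "K_UPenc": kdf(k_enb, FC_ALG_KEY, bytes([UP_ENC_ALG]), bytes([eea_id]))[16:],
    }


def _hdr(count: int, bearer: int, direction: int) -> bytes:
    return count.to_bytes(4, "big") + bytes([bearer, direction])


def eia_mac(key: bytes, count: int, bearer: int, direction: int, msg: bytes) -> bytes:
    """Stand-in 32-bit MAC-I over (COUNT, BEARER, DIRECTION, MESSAGE)."""
    return hmac.new(key, _hdr(count, bearer, direction) + msg, hashlib.sha256).digest()[:4]


def eea_crypt(key: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """Stand-in keystream cipher (XOR): flipping a ciphertext bit flips the plaintext bit."""
    ks = b"".join(hmac.new(key, _hdr(count, bearer, direction) + i.to_bytes(4, "big"),
                           hashlib.sha256).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def srb_send(keys: dict, count: int, direction: int, rrc_msg: bytes) -> bytes:
    """PDCP SRB: MAC-I over the plaintext, then cipher message + MAC-I together."""
    mac_i = eia_mac(keys["K_RRCint"], count, SRB1, direction, rrc_msg)
    return eea_crypt(keys["K_RRCenc"], count, SRB1, direction, rrc_msg + mac_i)


def srb_receive(keys: dict, count: int, direction: int, pdu: bytes):
    """PDCP SRB: decipher first, then verify. Returns the RRC message, or None if MAC-I fails."""
    plain = eea_crypt(keys["K_RRCenc"], count, SRB1, direction, pdu)
    msg, mac_i = plain[:-4], plain[-4:]
    xmac_i = eia_mac(keys["K_RRCint"], count, SRB1, direction, msg)
    return msg if hmac.compare_digest(xmac_i, mac_i) else None


def drb_send(keys: dict, count: int, direction: int, ip_pkt: bytes) -> bytes:
    """PDCP DRB in LTE: ciphering with K_UPenc only, no MAC-I."""
    return eea_crypt(keys["K_UPenc"], count, DRB1, direction, ip_pkt)


def drb_receive(keys: dict, count: int, direction: int, pdu: bytes) -> bytes:
    """No integrity check exists on the user plane; whatever deciphers is passed up."""
    return eea_crypt(keys["K_UPenc"], count, DRB1, direction, pdu)


def flip_bit(pdu: bytes, byte_index: int, bit: int) -> bytes:
    """What an on-air attacker can do to a PDCP PDU without knowing any key."""
    out = bytearray(pdu)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def demo(k_asme: bytes, ul_nas_count: int = 0):
    """Returns (SRB tampering detected?, IP packet the receiver gets after DRB tampering)."""
    keys = derive_as_keys(derive_kenb(k_asme, ul_nas_count), eea_id=1, eia_id=1)
    rrc = b"RRC SecurityModeComplete"        # constructed payload
    srb_pdu = flip_bit(srb_send(keys, 0, UPLINK, rrc), 0, 0)
    srb_detected = srb_receive(keys, 0, UPLINK, srb_pdu) is None
    ip = b"GET /balance HTTP/1.1"           # constructed payload; byte 5 is 'b'
    tampered = drb_receive(keys, 0, UPLINK, flip_bit(drb_send(keys, 0, UPLINK, ip), 5, 0))
    return srb_detected, tampered


if __name__ == "__main__":
    print(demo(bytes(range(32))))
```

On the SRB the flipped bit lands in the plaintext before the MAC-I is recomputed, so the receiver discards the PDU; on the DRB the same single-bit flip turns `/balance` into `/calance` and is delivered as if it were genuine, which is exactly the consequence of a user plane with ciphering but no MAC-I.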



## <font color='ff0000'>Security Context</font>
- **EPS security context:** the security-related state held in an EPS entity (UE, MME); it comprises the NAS security context and, once AS security is activated, the AS security context derived from it. "Native" means the context was created by EPS AKA rather than mapped from a UMTS security context.
- **Partial native:** the NAS security context that exists between EPS AKA and the first NAS Security Mode Command: it holds $K_{ASME}$ with its KSI, the UE security capabilities and NAS COUNTs set to 0, but no selected NAS algorithms or derived NAS keys yet.
- **Full native:** the NAS security context after the first NAS Security Mode Command, which additionally holds the selected NAS algorithms and the derived $K_{NASint}$ and $K_{NASenc}$.
![](https://i.imgur.com/UyemNuK.jpg)
![](https://i.imgur.com/R56vNNi.jpg)
