Content for  TS 24.501  Word version:  18.5.0

Each 5G NAS security context shall be associated with two separate counters NAS COUNT per access type in the same PLMN: one related to uplink NAS messages and one related to downlink NAS messages. If the 5G NAS security context is used for access via both 3GPP and non-3GPP access in the same PLMN, there are two NAS COUNT counter pairs associated with the 5G NAS security context. The NAS COUNT counters use 24-bit internal representation and are independently maintained by UE and AMF. The NAS COUNT shall be constructed as a NAS sequence number (8 least significant bits) concatenated with a NAS overflow counter (16 most significant bits). When NAS COUNT is input to NAS ciphering or NAS integrity algorithms it shall be considered to be a 32-bit entity which shall be constructed by padding the 24-bit internal representation with 8 zeros in the most significant bits. The value of the uplink NAS COUNT that is stored or read out of the USIM or non-volatile memory as described in Annex C, is the value that shall be used in the next NAS message. The value of the downlink NAS COUNT that is stored or read out of the USIM or non-volatile memory as described in Annex C, is the largest downlink NAS COUNT used in a successfully integrity checked NAS message. The value of the uplink NAS COUNT stored in the AMF is the largest uplink NAS COUNT used in a successfully integrity checked NAS message. The value of the downlink NAS COUNT stored in the AMF is the value that shall be used in the next NAS message. The NAS sequence number part of the NAS COUNT shall be exchanged between the UE and the AMF as part of the NAS signalling. After each new or retransmitted outbound SECURITY PROTECTED 5GS NAS MESSAGE message, the sender shall increase the NAS COUNT number by one, except for the initial NAS messages if the lower layers indicated the failure to establish the RRC connection (see TS 38.331). Specifically, on the sender side, the NAS sequence number shall be increased by one, and if the result is zero (due to wrap around), the stored NAS overflow counter shall also be incremented by one (see subclause 4.4.3.5). If, through implementation-dependent means, the receiver determines that the NAS message is a replay of an earlier NAS message, then the receiver handles the received NAS message as described in subclause 4.4.3.2. Otherwise, in order to determine the estimated NAS COUNT value to be used for integrity verification of a received NAS message:

• The sequence number part of the estimated NAS COUNT value shall be equal to the sequence number in the received NAS message; and
• If the receiver can guarantee that this NAS message was not previously accepted, then the receiver may select the estimated NAS overflow counter so that the estimated NAS COUNT value is lower than the stored NAS COUNT value; otherwise, the receiver selects the estimated NAS overflow counter so that the estimated NAS COUNT value is higher than the stored NAS COUNT value.

During the inter-system change from S1 mode to N1 mode in 5GMM-CONNECTED mode, when a mapped 5G NAS security context is derived and taken into use, the AMF shall set both the uplink and downlink NAS COUNT counters of this 5G NAS security context to zero. The UE shall set both the uplink and downlink NAS COUNT counters of this 5G NAS security context to zero. During the inter-system change from S1 mode to N1 mode in 5GMM-CONNECTED mode, the AMF shall increment the downlink NAS COUNT by one after it has created an S1 mode to N1 mode NAS transparent container (see subclause 9.11.2.9). During the inter-system change from N1 mode to S1 mode in 5GMM-CONNECTED mode, the AMF shall increment the downlink NAS COUNT by one after it has created an N1 mode to S1 mode NAS transparent container (see subclause 9.11.2.7). During N1 mode to N1 mode handover:

1. if the new 5G NAS security context is created with the same KAMF, the AMF shall signal the 8 least significant bits of the current downlink NAS COUNT value in an Intra N1 mode NAS transparent container (see subclause 9.11.2.6). The AMF shall then increment the downlink NAS COUNT by one; or
2. if the new 5G NAS security context is created with a new KAMF, the AMF shall signal the 8 least significant bits of the current downlink NAS COUNT value in an Intra N1 mode NAS transparent container (see subclause 9.11.2.6) and shall then set both the uplink and downlink NAS COUNT counters of this 5G NAS security context to zero. The AMF shall then increment the downlink NAS COUNT by one. The UE shall also set both the uplink and downlink NAS COUNT counters to zero.

Replay protection shall be supported for received NAS messages both in the AMF and the UE. However, since the realization of replay protection does not affect the interoperability between nodes, no specific mechanism is required for implementation. Replay protection assures that one and the same NAS message is not accepted twice by the receiver. Specifically, for a given 5G NAS security context, a given NAS COUNT value shall be accepted at most one time and only if message integrity verifies correctly. Replay protection is not applicable when 5G-IA0 is used.

The sender shall use its locally stored NAS COUNT as input to the integrity protection algorithm. The receiver shall use the NAS sequence number included in the received message and an estimate for the NAS overflow counter as defined in subclause 4.4.3.1 to form the NAS COUNT input to the integrity verification algorithm. The algorithm to calculate the integrity protection information is specified in TS 33.501, and in case of the:

1. SECURITY PROTECTED 5GS NAS MESSAGE message, the integrity protection shall include octet 7 to n, i.e. the Sequence number IE and the NAS message IE.
2. Intra N1 mode NAS transparent container IE and S1 mode to N1 mode NAS transparent container IE, the integrity protection shall include all octets of the value part of the IE starting from octet 7.

In addition to the data that is to be integrity protected, the BEARER ID, DIRECTION bit, NAS COUNT and 5G NAS integrity key are input to the integrity protection algorithm. These parameters are described in TS 33.501. After successful integrity protection validation, the receiver shall update its corresponding locally stored NAS COUNT with the value of the estimated NAS COUNT for this NAS message. Integrity verification is not applicable when 5G-IA0 is used.

The sender shall use its locally stored NAS COUNT as input to the ciphering algorithm. The receiver shall use the NAS sequence number included in the received message and an estimate for the NAS overflow counter as defined in subclause 4.4.3.1 to form the NAS COUNT input to the deciphering algorithm. The input parameters to the NAS ciphering algorithm are the BEARER ID, DIRECTION bit, NAS COUNT, NAS encryption key and the length of the key stream to be generated by the encryption algorithm. When applying initial NAS message protection to the REGISTRATION REQUEST, DEREGISTRATION REQUEST or SERVICE REQUEST message as described in subclause 4.4.6, the length of the key stream is set to the length of the entire plain NAS message that is included in the NAS message container IE, i.e. the value part of the NAS message container IE, that is to be ciphered. When applying initial NAS message protection to the CONTROL PLANE SERVICE REQUEST message as described in subclause 4.4.6, the length of the key stream is set to the length of:

1. the value part of the CIoT small data container IE that is to be ciphered; or
2. the value part of the NAS message container IE that is to be ciphered.

If, when increasing the NAS COUNT as specified above, the AMF detects that either its downlink NAS COUNT or the UE's uplink NAS COUNT is "close" to wrap around, (close to 224), the AMF shall take the following actions:

• If there is no non-current native 5G NAS security context with sufficiently low NAS COUNT values, the AMF shall initiate a new primary authentication and key agreement procedure with the UE, leading to a new established 5G NAS security context and the NAS COUNT being reset to 0 in both the UE and the AMF when the new 5G NAS security context is activated;
• Otherwise, the AMF can activate a non-current native 5G NAS security context with sufficiently low NAS COUNT values or initiate a new primary authentication and key agreement procedure as specified above.

If for some reason a new KAMF has not been established using primary authentication and key agreement procedure before the NAS COUNT wraps around, the node (AMF or UE) in need of sending a NAS message shall instead release the NAS signalling connection. Prior to sending the next uplink NAS message, the UE shall delete the ngKSI indicating the current 5G NAS security context. When the 5G-IA0 is used as the NAS integrity algorithm, the UE and the AMF shall allow NAS COUNT wrap around. If NAS COUNT wrap around occurs, the following requirements apply:

1. the UE and the AMF shall continue to use the current 5G NAS security context;
2. the AMF shall not initiate the primary authentication and key agreement procedure;
3. the AMF shall not release the NAS signalling connection; and
4. the UE shall not perform a local release of the NAS signalling connection.

For the UE, integrity protected signalling is mandatory for the 5GMM NAS messages once a valid 5G NAS security context exists and has been taken into use. For the network, integrity protected signalling is mandatory for the 5GMM NAS messages once a secure exchange of 5GS NAS messages has been established for the NAS signalling connection. Integrity protection of all NAS signalling messages is the responsibility of the NAS. It is the network which activates integrity protection. The use of "null integrity protection algorithm" 5G-IA0 (see subclause 9.11.3.34) in the current 5G NAS security context is only allowed:

1. for an unauthenticated UE for which establishment of emergency services is allowed;
2. for a W-AGF acting on behalf of an FN-RG;
3. for a W-AGF acting on behalf of an N5GC device; and
4. for a 5G-RG acting on behalf of an AUN3 device.

For setting the security header type in outbound NAS messages, the UE and the AMF shall apply the same rules irrespective of whether the "null integrity protection algorithm" or any other integrity protection algorithm is indicated in the 5G NAS security context. If the "null integrity protection algorithm"5G-IA0 has been selected as an integrity protection algorithm, the receiver shall regard the NAS messages with the security header indicating integrity protection as integrity protected. Details of the integrity protection and verification of NAS signalling messages are specified in TS 33.501. When a NAS message needs to be sent both ciphered and integrity protected, the NAS message is first ciphered and then the ciphered NAS message and the NAS sequence number are integrity protected by calculating the MAC. When a NAS message needs to be sent only integrity protected and unciphered, the unciphered NAS message and the NAS sequence number are integrity protected by calculating the MAC. When a 5GSM message is piggybacked in a 5GMM message, there is only one Sequence number IE and one Message authentication code IE for the 5GMM message piggybacking the 5GSM message.

Except the messages listed below, no NAS signalling messages shall be processed by the receiving 5GMM entity in the UE or forwarded to the 5GSM entity, unless the network has established secure exchange of 5GS NAS messages for the NAS signalling connection:

1. IDENTITY REQUEST (if requested identification parameter is SUCI);
2. AUTHENTICATION REQUEST;
3. AUTHENTICATION RESULT;
4. AUTHENTICATION REJECT;
5. REGISTRATION REJECT (if the 5GMM cause is not #76, #78, #81 or #82);
6. DEREGISTRATION ACCEPT (for non switch off); and
7. SERVICE REJECT (if the 5GMM cause is not #76 or #78).

Integrity protection is never applied directly to 5GSM messages, but to the 5GMM message in which the 5GSM message is included. Once the secure exchange of NAS messages has been established, the receiving 5GMM entity in the UE shall not process any NAS signalling messages unless they have been successfully integrity checked by the NAS. If NAS signalling messages, having not successfully passed the integrity check, are received, then the NAS in the UE shall discard that message. The processing of the SECURITY MODE COMMAND message that has not successfully passed the integrity check is specified in subclause 5.4.2.5. If any NAS signalling message is received as not integrity protected even though the secure exchange of NAS messages has been established by the network, then the NAS shall discard this message.

Except the messages listed below, no NAS signalling messages shall be processed by the receiving 5GMM entity in the AMF or forwarded to the 5GSM entity, unless the secure exchange of NAS messages has been established for the NAS signalling connection:

1. REGISTRATION REQUEST;
2. IDENTITY RESPONSE (if requested identification parameter is SUCI);
3. AUTHENTICATION RESPONSE;
4. AUTHENTICATION FAILURE;
5. SECURITY MODE REJECT;
6. DEREGISTRATION REQUEST; and
7. DEREGISTRATION ACCEPT;

Integrity protection is never applied directly to 5GSM messages, but to the 5GMM message in which the 5GSM message is included. Once a current 5G NAS security context exists, until the secure exchange of NAS messages has been established for the NAS signalling connection, the receiving 5GMM entity in the AMF shall process the following NAS signalling messages, even if the MAC included in the message fails the integrity check or cannot be verified, as the 5G NAS security context is not available in the network:

1. REGISTRATION REQUEST;
2. IDENTITY RESPONSE (if requested identification parameter is SUCI);
3. AUTHENTICATION RESPONSE;
4. AUTHENTICATION FAILURE;
5. SECURITY MODE REJECT;
6. DEREGISTRATION REQUEST;
7. DEREGISTRATION ACCEPT;
8. SERVICE REQUEST; and
9. CONTROL PLANE SERVICE REQUEST;

If a REGISTRATION REQUEST message for initial registration fails the integrity check and it is not a registration request for emergency services, the AMF shall authenticate the subscriber before processing the registration request any further. Additionally, the AMF shall initiate a security mode control procedure, and include the Additional 5G security information IE with the RINMR bit set to "Retransmission of the initial NAS message requested" in the SECURITY MODE COMMAND message as specified in subclause 5.4.2.2. If authentication procedure is not successful the AMF shall maintain, if any, the 5GMM-context and 5G NAS security context unchanged.For the case when the registration procedure is for emergency services see subclause 5.5.1.2.3 and subclause 5.4.1.3.5. If a REGISTRATION REQUEST message for mobility and periodic registration update fails the integrity check and the UE provided EPS NAS message container IE which was successfully verified by the source MME, the AMF may create a mapped 5G NAS security context and initiate a security mode control procedure to take the new mapped 5G NAS security context into use; otherwise if the UE has only a non-emergency PDU session established, the AMF shall initiate a primary authentication and key agreement procedure to create a new native 5G NAS security context. Additionally, the AMF shall initiate a security mode control procedure, and include the Additional 5G security information IE with the RINMR bit set to "Retransmission of the initial NAS message requested" in the SECURITY MODE COMMAND message as specified in subclause 5.4.2.2. If authentication procedure is not successful the AMF shall maintain, if any, the 5GMM-context and 5G NAS security context unchanged. For the case when the UE has an emergency PDU session see subclause 5.5.1.3.3 and subclause 5.4.1.3.5. If a DEREGISTRATION REQUEST message fails the integrity check, the AMF shall proceed as follows:

• If it is not a deregistration request due to switch off, and the AMF can initiate an authentication procedure, the AMF should authenticate the subscriber before processing the deregistration request any further.
• If it is a deregistration request due to switch off, or the AMF does not initiate an authentication procedure for any other reason, the AMF may ignore the deregistration request and remain in state 5GMM-REGISTERED.

If a SERVICE REQUEST or CONTROL PLANE SERVICE REQUEST message fails the integrity check and the UE has only non-emergency PDU sessions established, the AMF shall send the SERVICE REJECT message with 5GMM cause #9 "UE identity cannot be derived by the network" and keep the 5GMM-context and 5G NAS security context unchanged. For the case when the UE has an emergency PDU session and integrity check fails, the AMF may skip the authentication procedure even if no 5G NAS security context is available and proceed directly to the execution of the security mode control procedure as specified in subclause 5.4.2. Additionally, the AMF shall include the Additional 5G security information IE with the RINMR bit set to "Retransmission of the initial NAS message requested" in the SECURITY MODE COMMAND message as specified in subclause 5.4.2.2. After successful completion of the service request procedure, the network shall perform a local release of all non-emergency PDU sessions. The emergency PDU session shall not be released. Once the secure exchange of NAS messages has been established for the NAS signalling connection, the receiving 5GMM entity in the AMF shall not process any NAS signalling messages unless they have been successfully integrity checked by the NAS. If any NAS signalling message, having not successfully passed the integrity check, is received, then the NAS in the AMF shall discard that message. If any NAS signalling message is received, as not integrity protected even though the secure exchange of NAS messages has been established, then the NAS shall discard this message.