Content for  TS 33.501  Word version:  18.0.0

Each AMF shall be configured via network management with lists of algorithms which are allowed for usage. There shall be one list for NAS integrity algorithms, and one for NAS ciphering algorithms. These lists shall be ordered according to a priority decided by the operator. To establish the NAS security context, the AMF shall choose one NAS ciphering algorithm and one NAS integrity protection algorithm. The AMF shall then initiate a NAS security mode command procedure, and include the chosen algorithm and UE security capabilities (to detect modification of the UE security capabilities by an attacker) in the message to the UE (see subclause 6.7.2 of the present document). The AMF shall select the NAS algorithm which have the highest priority according to the ordered lists.

If the change of the AMF at N2-Handover or mobility registration update results in the change of algorithm to be used for establishing NAS security, the target AMF shall indicate the selected algorithm to the UE as defined in Clause 6.9.2.3.3 for N2-Handover (i.e., using NAS Container) and Clause 6.9.3 for mobility registration update (i.e., using NAS SMC). The AMF shall select the NAS algorithm which has the highest priority according to the ordered lists (see subclause 6.7.1.1 of the present document).

This clause provides the details for AS security algorithms negotiation and consideration during the UE initial AS security context establishment. Each gNB/ng-eNB shall be configured via network management with lists of algorithms which are allowed for usage. There shall be one list for integrity algorithms, and one for ciphering algorithms. These lists shall be ordered according to a priority decided by the operator. When AS security context is to be established in the gNB/ng-eNB, the AMF shall send the UE 5G security capabilities to the gNB/ng-eNB. The gNB/ng-eNB shall choose the ciphering algorithm which has the highest priority from its configured list and is also present in the UE 5G security capabilities. The gNB/ng-eNB shall choose the integrity algorithm which has the highest priority from its configured list and is also present in the UE 5G security capabilities. The chosen algorithms shall be indicated to the UE in the AS SMC. The chosen ciphering algorithm is used for ciphering (when activated) of the user plane and RRC traffic. The chosen integrity algorithm is used for integrity protection (when activated) of the user plane and RRC traffic. Activation of ciphering and integrity protection for the RRC traffic shall be done as defined by clause 6.7.4. Activation of ciphering and integrity protection for the user plane traffic shall be done based on the UP security policy received from the SMF as defined by clause 6.6.2.

At handover from a source gNB/ng-eNB over Xn to a target gNB/ng-eNB, the source gNB/ng-eNB shall include the UE's 5G security capabilities and ciphering and integrity algorithms used in the source cell in the handover request message. The target gNB/ng-eNB shall select the algorithm with highest priority from the received 5G security capabilities of the UE according to the prioritized locally configured list of algorithms (this applies for both integrity and ciphering algorithms). The chosen algorithms shall be indicated to the UE in the Handover Command message if the target gNB/ng-eNB selects different algorithms compared to the source gNB/ng-eNB. If the UE does not receive any selection of integrity and ciphering algorithms, it continues to use the same algorithms as before the handover (see TS 38.331 for gNB or TS 36.331 for ng-eNB). When a Xn-handover takes place from ng-eNB to gNB or vice versa, then the selected algorithms in the target node shall always be signalled in the Handover Command to the UE. In the Path-Switch message, the target gNB/ng-eNB shall send the UE's 5G security capabilities received from the source gNB/ng-eNB to the AMF. The AMF shall verify that the UE's 5G security capabilities received from the target gNB/ng-eNB are the same as the UE's 5G security capabilities that the AMF has locally stored. If there is a mismatch, the AMF shall send its locally stored 5G security capabilities of the UE to the target gNB/ng-eNB in the Path-Switch Acknowledge message. The AMF shall support logging capabilities for this event and may take additional measures, such as raising an alarm. If the target gNB/ng-eNB receives UE's 5G security capabilities from the AMF in the Path-Switch Acknowledge message, the target gNB/ng-eNB shall update the AS security context of the UE with these 5G security capabilities of the UE. The target gNB/ng-eNB shall select the algorithm with highest priority from these 5G security capabilities according to the locally configured prioritized list of algorithms (this applies for both integrity and ciphering algorithms). If the algorithms selected by the target gNB/ng-eNB are different from the algorithms used at the source gNB/ng-eNB, then the target gNB/ng-eNB shall initiate intra-cell handover procedure which includes RRC Connection Reconfiguration procedure indicating the selected algorithms and an NCC to the UE.

At handover from a source gNB/ng-eNB to a target gNB/ng-eNB over N2 (possibly including an AMF change and hence a transfer of the UE's 5G security capabilities from the source AMF to the target AMF), the target AMF shall send the UE's 5G security capabilities to the target gNB/ng-eNB in the NGAP HANDOVER REQUEST message (see TS 38.413). The target gNB/ng-eNB shall select the algorithm with highest priority from the UE's 5G security capabilities according to the locally configured prioritized list of algorithms (this applies for both integrity and ciphering algorithms). The chosen algorithms shall be indicated to the UE in the Handover Command message if the target gNB/ng-eNB selects different algorithms compared to the source gNB/ng-eNB. If the UE does not receive any selection of integrity and ciphering algorithms, it continues to use the same algorithms as before the handover (see TS 38.331). For N2-handover, the source gNB/ng-eNB shall include AS algorithms used in the source cell (ciphering and integrity algorithms) in the source to target transparent container that shall be sent to the target gNB/ng-eNB. The AS algorithms used by the source cell are provided to the target gNB/ng-eNB so that it can use them during the potential RRC Connection Re-establishment procedure use them as specified in clause 6.11 for gNB and TS 33.401 for ng-eNB.

It is not required to change the AS security algorithms during intra-gNB-CU/intra-ng-eNB handover. If the UE does not receive an indication of new AS security algorithms during an intra-gNB-CU/intra-ng-eNB handover, the UE shall continue to use the same algorithms as before the handover (see TS 38.331 for gNB and TS 36.331 for ng-eNB).

At state transition from RRC_INACTIVE to RRC_CONNECTED, the source gNB/ng-eNB shall include the UE 5G security capabilities and the ciphering and integrity algorithms the UE was using with the source cell in the Xn-AP Retrieve UE Context Response message. The target gNB/ng-eNB shall check if it supports the received algorithms, if the target gNB/ng-eNB supports the received ciphering and integrity algorithms, the target gNB/ng-eNB shall check the received algorithms to its locally configured list of algorithms (this applies for both integrity and ciphering algorithms). If the target gNB/ng-eNB selects the same security algorithms, the target gNB/ng-eNB shall use the selected algorithms to derive RRC integrity and RRC encryption keys to protect the RRCResume message and send to the UE on SRB1. If the target gNB/ng-eNB does not support the received algorithms or if the target gNB/ng-eNB prefers to use different algorithms, the target gNB/ng-eNB shall send an RRCSetup message on SRB0 in order to proceed with RRC connection establishment as if the UE was in RRC_IDLE (fallback procedure) to the UE. Then the UE performs NAS based RRC recovery and negotiates a suitable algorithm with target gNB/ng-eNB via AS SMC procedure.

If the source gNB/ng-eNB decides to relocate UE context to the target gNB/ng-eNB during an RNA Update procedure, the source gNB/ng-eNB shall include the UE 5G security capabilities and the ciphering and integrity algorithms the UE was using with the source cell in the <Xn-AP Retrieve UE Context Response> message. AS security algorithm selection is as described in clause 6.7.3.4.

UEs that are in limited service mode (LSM) and that cannot be authenticated by the AMF/SEAF (for whatever reason) may still be allowed to establish emergency session by sending the emergency registration request message. It shall be possible to configure whether the AMF allows unauthenticated UEs in LSM to establish bearers for emergency session or not. If an AMF allows unauthenticated UEs in LSM to establish bearers for an emergency session, then for the NAS protocol, the AMF shall use NIA0 and NEA0 as the integrity and ciphering algorithm respectively. If the AMF allows an unauthenticated UE in LSM to establish bearers for emergency session after it has received the emergency registration request message from the UE, the AMF shall:

• Select NIA0 and NEA0, regardless of the supported algorithms announced previously by the UE as the NAS algorithms and signal this to the UE via the NAS security mode command procedure when activating the 5G NAS security context.
• Set the UE 5G security capabilities to only contain EIA0, EEA0, NIA0 and NEA0 when sending these to the gNB/ng-eNB in the following messages:
  • NGAP UE INITIAL CONTEXT SETUP
  • NGAP UE CONTEXT MODIFICATION REQUEST
  • NGAP HANDOVER REQUEST

If NIA0 is disabled at the gNB for regulatory requirements and the gNB receives the UE 5G security capabilities to only contain NIA0 for integrity protection algorithms from the AMF in one of the above messages, the gNB shall reject the session. The rules for when the AMF shall select NIA0 for NAS integrity protection, and when the UE shall accept a NAS security mode command selecting NIA0 for NAS integrity protection depends on whether the UE and AMF can be certain that no 5G NAS security context can be established. The rules for determining this is defined in clause 10 of this specification. If the AMF has selected NIA0 as the NAS integrity protection algorithm, the UE shall accept selection of NIA0 or EIA0 as the AS integrity protection algorithm. Selection of AS integrity protection algorithm happens via the AS security mode command procedure or via a handover command. The UE shall under no other circumstances accept selection of null integrity algorithm as the AS integrity protection algorithm.