NAS Security Setup
Once user authentication is completed, the MME initiates the NAS security setup procedure so that NAS messages can be securely exchanged between the two entities. Figure 5 shows the call flows in the NAS security setup procedure.
1) [MME] Generating NAS Security Keys
Based on the Attach Request message received from the UE, the MME selects the ciphering and integrity algorithms to be applied to NAS messages. Next, it derives a NAS integrity key (KNASint) and a NAS encryption key (KNASenc) from KASME, to be applied to NAS messages.
2) [UE ← MME] Helping UE to Generate NAS Security Keys
The MME informs the UE of the selected security algorithms by including them in a Security Mode Command (KSIASME, Security Algorithm, NAS-MAC) message, which helps the UE generate NAS security keys. The message is sent integrity-protected (by including NAS-MAC).
3) [UE] Generating NAS Security Keys
When the UE receives the Security Mode Command message, the UE generates NAS security keys (KNASint and KNASenc) by using the NAS security algorithm that the MME selected, and performs an integrity validation on the Security Mode Command message by using the NAS integrity key (KNASint). If the message passes the integrity check, the NAS security keys have been set successfully and are working properly between the two entities.
4) [UE → MME] NAS Security Key Generation Complete
The UE informs the MME of the successful generation of NAS security keys by sending a Security Mode Complete (NAS-MAC) message, after having it encrypted and integrity protected using the generated keys.
After the above steps are completed, the NAS security setup procedure between the two entities ends. From then on, messages between the two are delivered securely, encrypted and integrity-protected.
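
The key derivation and integrity check of steps 1) to 3), as an added example that is not part of the original page. The KDF input (FC = 0x15, algorithm type distinguisher, algorithm identity) follows 3GPP TS 33.401 Annex A.7; the function names, the simplified three-byte message body and the HMAC-based stand-in for NAS-MAC (the real EIA algorithms need a cipher library) are assumptions.

```python
import hashlib
import hmac

# Algorithm type distinguishers from TS 33.401 Annex A.7
NAS_ENC_ALG, NAS_INT_ALG = 0x01, 0x02

def derive_nas_key(k_asme: bytes, alg_type: int, alg_id: int) -> bytes:
    """HMAC-SHA-256(K_ASME, FC || P0 || L0 || P1 || L1), keep the low 128 bits."""
    s = bytes([0x15, alg_type, 0x00, 0x01, alg_id, 0x00, 0x01])
    return hmac.new(k_asme, s, hashlib.sha256).digest()[16:]

def nas_mac(k_nas_int: bytes, count: int, message: bytes) -> bytes:
    """Assumed stand-in for the 32-bit NAS-MAC (not EIA1/2/3): truncated HMAC."""
    data = count.to_bytes(4, "big") + message
    return hmac.new(k_nas_int, data, hashlib.sha256).digest()[:4]

def mme_security_mode_command(k_asme: bytes, ksi: int, eea: int, eia: int):
    """Steps 1-2: the MME derives the keys and integrity-protects the command."""
    k_int = derive_nas_key(k_asme, NAS_INT_ALG, eia)
    k_enc = derive_nas_key(k_asme, NAS_ENC_ALG, eea)
    body = bytes([ksi, eea, eia])  # hypothetical simplified message layout
    return {"body": body, "mac": nas_mac(k_int, 0, body)}, (k_int, k_enc)

def ue_handle_security_mode_command(k_asme: bytes, msg: dict):
    """Step 3: the UE derives keys from the signalled algorithms, then checks NAS-MAC."""
    ksi, eea, eia = msg["body"]
    k_int = derive_nas_key(k_asme, NAS_INT_ALG, eia)
    k_enc = derive_nas_key(k_asme, NAS_ENC_ALG, eea)
    ok = hmac.compare_digest(nas_mac(k_int, 0, msg["body"]), msg["mac"])
    return ok, (k_int, k_enc)

if __name__ == "__main__":
    k_asme = bytes(range(32))  # constructed sample K_ASME, shared after authentication
    msg, mme_keys = mme_security_mode_command(k_asme, ksi=1, eea=2, eia=2)
    ok, ue_keys = ue_handle_security_mode_command(k_asme, msg)
    print("integrity check passed:", ok, "| keys match:", ue_keys == mme_keys)
    # A command whose ciphering algorithm was altered in transit fails the check.
    tampered = {"body": bytes([1, 0, 2]), "mac": msg["mac"]}
    print("tampered command accepted:", ue_handle_security_mode_command(k_asme, tampered)[0])
```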