NAS Security Mode Control Procedure
Personally, I think this is one of the most complicated procedures, and I made so many mistakes creating a proper/flexible NAS security mode command (EMM : Security Mode Command) message.
I want to write down some important points to consider when creating EMM : Security Mode Command. Of course, these are not all, so you may come across other issues even after checking everything described on this page.
Most of the content on this page is based on 24.301 5.4.3 Security mode control procedure. For the security algorithms, you need to refer to 33.401.
When the network sends EMM : Security Mode Command,
The MME shall set the security header type of the message to "integrity protected with new EPS security context".
: This means that the "Security protected NAS message.Security header type.Security header type" IE should be "integrity protected with new EPS security context".
The MME shall include the replayed security capabilities of the UE (including the security capabilities with regard to NAS, RRC and UP (user plane) ciphering as well as NAS, RRC integrity, and other possible target network security capabilities, i.e. UTRAN/GERAN if UE included them in the message to network), the replayed nonceUE if the UE included it in the message to the network, the selected NAS ciphering and integrity algorithms and the Key Set Identifier (eKSI).
: This is the most complicated part of creating the EMM : Security Mode Command and has been a headache for me for so long (probably even until now -:)). The list of parameters you have to match or play back in EMM : Security Mode Command is as shown below. (There are corresponding parameters in Tracking Area Update Request as well. If EMM : Security Mode Command comes after Tracking Area Update Request, you have to replay those values from Tracking Area Update Request.)
When the UE receives EMM : Security Mode Command,
EMM : Security Mode Reject
One of the most annoying things in troubleshooting is fixing a Security Mode Reject sent by the UE. Of course, you cannot figure out anything from the network log, and even if you look into the UE log, it does not give much detail. Looking into the 3GPP specification, the following is all that I got. This is also not enough.
24.301-18.104.22.168 NAS security mode command not accepted by the UE states the following:
If the security mode command cannot be accepted, the UE shall send a SECURITY MODE REJECT message. The SECURITY MODE REJECT message contains an EMM cause that typically indicates one of the following cause
#23: UE security capabilities mismatch;
#24: security mode rejected, unspecified.
24.301 A.3 Causes related to PLMN specific network failures and congestion/authentication failures describes these causes as follows:
Cause #23 – UE security capabilities mismatch
This EMM cause is sent to the network if the UE detects that the UE security capability does not match the one sent back by the network.
Cause #24 – Security mode rejected, unspecified
This EMM cause is sent to the network if the security mode command is rejected by the UE if the UE detects that the nonceUE does not match the one sent back by the network or for unspecified reasons.
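The replay checks behind causes #23 and #24 can be run on the network side before the message is sent, which also names the field that would trigger the reject. This is an added example, not code from the original page or from 3GPP; the SecurityParams fields, the function name and the sample bytes are assumptions, and the capability octets are compared as opaque bytes.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

CAUSE_CAPS_MISMATCH = 23  # EMM cause #23: UE security capabilities mismatch
CAUSE_UNSPECIFIED = 24    # EMM cause #24: security mode rejected, unspecified


@dataclass
class SecurityParams:
    """Security-relevant values as opaque bytes (field split is an assumption)."""
    eps_caps: bytes                      # NAS/RRC/UP algorithms for EPS
    utran_caps: Optional[bytes] = None   # present only if the UE sent them
    geran_caps: Optional[bytes] = None   # present only if the UE sent them
    nonce_ue: Optional[bytes] = None     # present only if the UE sent it


def predict_ue_verdict(sent: SecurityParams,
                       replayed: SecurityParams) -> Tuple[Optional[int], str]:
    """Compare what the UE sent with what the Security Mode Command replays.

    Returns (None, "accept"), or (EMM cause, first mismatching field).
    """
    # A capability set that is altered, dropped or invented is a mismatch.
    for name in ("eps_caps", "utran_caps", "geran_caps"):
        if getattr(sent, name) != getattr(replayed, name):
            return CAUSE_CAPS_MISMATCH, name
    # nonceUE is only checked when the UE actually included one.
    if sent.nonce_ue is not None and sent.nonce_ue != replayed.nonce_ue:
        return CAUSE_UNSPECIFIED, "nonce_ue"
    return None, "accept"


# Constructed sample values, not taken from a real capture.
ATTACH = SecurityParams(eps_caps=b"\xe0\xe0", utran_caps=b"\xc0\x40")
TAU = SecurityParams(eps_caps=b"\xe0\xe0", nonce_ue=b"\x11\x22\x33\x44")

if __name__ == "__main__":
    exact = SecurityParams(eps_caps=b"\xe0\xe0", utran_caps=b"\xc0\x40")
    dropped = SecurityParams(eps_caps=b"\xe0\xe0")  # UTRAN octets left out
    stale = SecurityParams(eps_caps=b"\xe0\xe0", nonce_ue=b"\x00" * 4)
    for request, smc in ((ATTACH, exact), (ATTACH, dropped), (TAU, stale)):
        print(predict_ue_verdict(request, smc))
```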