4G/LTE - NAS  


NAS Integrity Algorithm

NAS Integrity is a mechanism that lets the receiver (UE or network) detect whether a NAS message was modified, corrupted or replayed on its way across the air interface (see the Confidentiality and Integrity page for the general concept of integrity).

The NAS Integrity Algorithm protects the NAS signalling exchanged between the UE and the MME. The sender runs the negotiated EPS Integrity Algorithm (EIA) with the key K_NASint over the message and a set of per-message inputs and obtains a 32-bit Message Authentication Code (MAC), which is carried in the NAS security header. The receiver recomputes the code (the result is called XMAC) with the same key and inputs and compares it with the received MAC; any mismatch means the message was altered, replayed under a different COUNT, or protected with a different key, and the message is discarded. Integrity protection is mandatory for NAS signalling (EIA0, the null algorithm, is only permitted for unauthenticated emergency calls), whereas NAS ciphering (EEA) is an operator option; this is why a NAS message can be readable on the air yet still not forgeable.

Overall Key Flows

The overall flow from key generation to the final NAS integrity output is illustrated below. The key points of the diagram are:

  • The hierarchical derivation of keys used in LTE for NAS integrity protection.
  • How a NAS message is securely protected using these keys, ensuring its authenticity and preventing tampering or replay attacks.

 

The following is a breakdown of the illustration with a brief description of each step.

Key Derivation Process:

  • The permanent key K is shared only by the USIM and the AuC (Authentication Center) and never leaves either of them.
  • During EPS AKA the AuC/HSS (Home Subscriber Server) derives CK (Ciphering Key) and IK (Integrity Key) from K, and from CK||IK together with the serving network identity (SN id) and SQN ⊕ AK it derives the intermediate key K_ASME, which is sent to the MME inside the authentication vector. The UE derives the same K_ASME on its side, so K_ASME is bound to the network the UE is actually attached to.
  • The MME (Mobility Management Entity) derives two 128-bit keys from K_ASME, each bound to the algorithm identity negotiated in the Security Mode Command:
    • K_NASenc: Used for NAS message encryption (EEA).
    • K_NASint: Used for NAS message integrity protection (EIA).

eNB (eNodeB) Key Derivation:

  • When the MME sets up the UE's context at the eNB (initial attach, service request), it derives K_eNB from K_ASME and the current uplink NAS COUNT and passes it to the eNB. At handover the target eNB does not receive that same key: it gets a fresh K_eNB* derived from the current K_eNB or from a Next Hop (NH) value.
  • From K_eNB, the eNB derives the following 128-bit keys:
    • K_UPenc: For user plane encryption.
    • K_RRCenc: For RRC (Radio Resource Control) encryption.
    • K_RRCint: For RRC integrity protection (this is the key behind the PDCP MAC-I on signalling radio bearers, not K_NASint).
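The hierarchy above is a chain of one generic key derivation function, HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 (TS 33.401 Annex A). The following Python is an added illustration, not code from the page or from any 3GPP deliverable; the CK, IK, SQN ⊕ AK values and the PLMN are constructed sample inputs, and the same algorithm identities are fed to the NAS and AS levels only for brevity (in reality the eNB picks the AS algorithms independently).

```python
"""TS 33.401 Annex A key hierarchy, as an added illustration (not the page's own code).
KDF = HMAC-SHA-256(Key, FC || P0 || L0 || P1 || L1 ...); a 128-bit algorithm key is the
256-bit output truncated to its least significant 128 bits (the last 16 bytes)."""
import hashlib
import hmac

# Algorithm type distinguishers (33.401 Table A.7-1) and algorithm identities (clause 5.1.3 / 5.1.4)
NAS_ENC_ALG, NAS_INT_ALG, RRC_ENC_ALG, RRC_INT_ALG, UP_ENC_ALG = 0x01, 0x02, 0x03, 0x04, 0x05
EIA1_SNOW3G, EIA2_AES, EIA3_ZUC = 0x1, 0x2, 0x3
EEA0_NULL, EEA1_SNOW3G, EEA2_AES = 0x0, 0x1, 0x2


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic A.1 KDF: S = FC || P0 || L0 || P1 || L1 ..., Li = 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def plmn_id(mcc: str, mnc: str) -> bytes:
    """SN id = MCC || MNC in the 3-octet PLMN encoding (MNC digit 3 = 0xF for a 2-digit MNC)."""
    d = [int(c, 16) for c in mcc + (mnc if len(mnc) == 3 else mnc + "F")]
    # octet 1: MCC2|MCC1, octet 2: MNC3|MCC3, octet 3: MNC2|MNC1
    return bytes([(d[1] << 4) | d[0], (d[5] << 4) | d[2], (d[4] << 4) | d[3]])


def derive_k_asme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """A.2: K_ASME = KDF(CK||IK, 0x10 || SN id || SQN xor AK); binds the key to the serving network."""
    return kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)


def derive_k_enb(k_asme: bytes, uplink_nas_count: int) -> bytes:
    """A.3: K_eNB = KDF(K_ASME, 0x11 || uplink NAS COUNT); fresh every time the AS context is set up."""
    return kdf(k_asme, 0x11, uplink_nas_count.to_bytes(4, "big"))


def derive_algorithm_key(root: bytes, alg_type: int, alg_id: int) -> bytes:
    """A.7: 128-bit key = LSB128(KDF(root, 0x15 || type || alg id)); root is K_ASME for NAS, K_eNB for RRC/UP."""
    return kdf(root, 0x15, bytes([alg_type]), bytes([alg_id & 0x0F]))[16:]


def lte_key_hierarchy(ck, ik, sn_id, sqn_xor_ak, uplink_nas_count, eia, eea):
    """Walk the whole hierarchy from CK/IK down to the per-algorithm keys described on the page."""
    k_asme = derive_k_asme(ck, ik, sn_id, sqn_xor_ak)
    k_enb = derive_k_enb(k_asme, uplink_nas_count)
    return {
        "K_ASME": k_asme,
        "K_NASint": derive_algorithm_key(k_asme, NAS_INT_ALG, eia),
        "K_NASenc": derive_algorithm_key(k_asme, NAS_ENC_ALG, eea),
        "K_eNB": k_enb,
        "K_RRCint": derive_algorithm_key(k_enb, RRC_INT_ALG, eia),   # AS algorithms chosen by the eNB
        "K_RRCenc": derive_algorithm_key(k_enb, RRC_ENC_ALG, eea),
        "K_UPenc": derive_algorithm_key(k_enb, UP_ENC_ALG, eea),
    }


# Constructed sample material (not real subscriber keys): what one AKA run might have produced.
SAMPLE_CK = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SAMPLE_SQN_XOR_AK = bytes.fromhex("000000000001")

if __name__ == "__main__":
    keys = lte_key_hierarchy(SAMPLE_CK, SAMPLE_IK, plmn_id("001", "01"), SAMPLE_SQN_XOR_AK, 0, EIA2_AES, EEA0_NULL)
    for name, k in keys.items():
        print(f"{name:9s} ({len(k) * 8:3d} bit) {k.hex()}")
```

Two details worth noticing when running it: K_NASint and K_RRCint differ even with the same algorithm identity because their root keys differ, and changing only the algorithm identity (EIA1 to EIA2) already yields a different K_NASint, which is why a renegotiated algorithm never reuses a key. The SN id input is what stops a K_ASME obtained for one serving network from being accepted by another.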

Integrity Protection:

K_NASint is specifically used in this diagram to protect the integrity of NAS signaling messages. A cryptographic algorithm (EIA - EPS Integrity Algorithm) ensures that the NAS message is not tampered with during transmission by calculating a Message Authentication Code (MAC).

  • Protected NAS Message Format:
    • The plain NAS message is wrapped in a security-protected NAS message (TS 24.301 clause 9.1) whose header precedes it.
    • Fields, in wire order:
      • Security header type and Protocol Discriminator (octet 1): the upper nibble says whether the message is integrity protected, integrity protected and ciphered, or carries a new EPS security context; the lower nibble identifies the NAS protocol (EMM).
      • MAC (octets 2 to 5): The 32-bit Message Authentication Code calculated with K_NASint over the sequence number and the NAS message, with COUNT, direction and bearer as further inputs.
      • Sequence Number (octet 6): The 8 least significant bits of the sender's NAS COUNT; it lets the receiver reconstruct the full COUNT and is what makes replays detectable.
      • NAS message (octet 7 onwards): the plain (or ciphered) message.
  • Message Authentication Code (MAC):
    • The sender computes the MAC using K_NASint together with COUNT (overflow counter and sequence number), DIRECTION (uplink or downlink), BEARER (fixed to 0 for NAS) and the message contents.
    • Because COUNT is part of the input, the same message sent twice produces two different MACs; a captured message replayed later no longer matches the COUNT the receiver expects.
  • Receiver Validation:
    • The receiver reconstructs COUNT from the received sequence number and its own overflow counter, then calculates XMAC using the same algorithm and key.
    • It compares XMAC with the received MAC.
    • If they match, the message is accepted and the receiver's NAS COUNT moves forward; otherwise it is discarded as corrupted, tampered with, or replayed.
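The message layout, the COUNT reconstruction and the accept/discard logic just described, as an added Python example (not code from the page). It keeps the exact EIA input framing (COUNT || BEARER || DIRECTION || 0^26 || MESSAGE) but, so that it runs on the standard library, substitutes a truncated HMAC-SHA256 for the real 128-EIA core; a genuine EIA1/EIA2/EIA3 implementation can be passed in as mac_fn. The K_NASint value is made up, and the plain message is the page's own sample Security Mode Command.

```python
"""Security-protected NAS message build/verify: COUNT, DIRECTION, BEARER and SN handling.
Added illustration, not the page's code. stand_in_mac replaces the EIA core with a truncated
HMAC-SHA256 (same input framing) so the example runs offline; swap in a real EIA via mac_fn."""
import hashlib
import hmac

EMM_PD = 0x07                               # protocol discriminator of every security-protected NAS message
SHT_INT, SHT_INT_CIPH = 0x1, 0x2            # integrity protected / integrity protected and ciphered
SHT_INT_NEW, SHT_INT_CIPH_NEW = 0x3, 0x4    # same, with a new EPS security context (SMC / SMC complete)
NAS_BEARER = 0                              # BEARER input is fixed to 0 for NAS signalling
UPLINK, DOWNLINK = 0, 1


class NasCount:
    """NAS COUNT = 0x00 || overflow (16 bits) || SQN (8 bits). Only the SQN is sent on the wire."""
    def __init__(self, overflow: int = 0, sqn: int = 0):
        self.overflow, self.sqn = overflow, sqn

    def value(self) -> int:
        return (self.overflow << 8) | self.sqn

    def advance(self) -> None:
        self.sqn = (self.sqn + 1) & 0xFF
        if self.sqn == 0:                   # SQN wrapped: bump the locally kept overflow counter
            self.overflow = (self.overflow + 1) & 0xFFFF


def stand_in_mac(k_nasint: bytes, count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """EIA-shaped input COUNT(32) || BEARER(5) || DIRECTION(1) || 0^26 || MESSAGE -> 32-bit MAC.
    Truncated HMAC-SHA256 stands in for the real EIA core (assumption for this example only)."""
    prefix = count.to_bytes(4, "big") + bytes([((bearer & 0x1F) << 3) | ((direction & 1) << 2), 0, 0, 0])
    return hmac.new(k_nasint, prefix + message, hashlib.sha256).digest()[:4]


def protect(k_nasint: bytes, count: NasCount, direction: int, plain_nas: bytes,
            sht: int = SHT_INT, mac_fn=stand_in_mac) -> bytes:
    """Wire layout (TS 24.301 9.1): SHT|PD, MAC (4), SN (1), NAS message. The MAC covers SN || message.
    Ciphering (SHT 2/4) would be applied to plain_nas before this call; EEA0 is assumed here."""
    sn = bytes([count.sqn])
    mac = mac_fn(k_nasint, count.value(), NAS_BEARER, direction, sn + plain_nas)
    count.advance()                         # the sender's COUNT moves on after every protected message
    return bytes([(sht << 4) | EMM_PD]) + mac + sn + plain_nas


class NasReceiver:
    """Receive-side state for one direction: key, expected next COUNT, and the COUNT estimation rule."""
    def __init__(self, k_nasint: bytes, direction: int, expected=None, mac_fn=stand_in_mac):
        self.k, self.direction, self.mac_fn = k_nasint, direction, mac_fn
        self.expected = expected or NasCount()

    def reset(self, k_nasint: bytes) -> None:
        """Call when a new EPS security context is taken into use: new key, NAS COUNTs restart at 0."""
        self.k, self.expected = k_nasint, NasCount()

    def verify(self, pdu: bytes):
        """Return (plain NAS message, 'ok') or (None, reason). Nothing in the body is trusted before the MAC check."""
        if len(pdu) < 7:
            return None, "too short for a security-protected NAS message"
        sht, pd = pdu[0] >> 4, pdu[0] & 0x0F
        if sht == 0:
            return None, "plain NAS message: only the message types TS 24.301 permits before security activation may be processed"
        if sht not in (SHT_INT, SHT_INT_CIPH, SHT_INT_NEW, SHT_INT_CIPH_NEW) or pd != EMM_PD:
            return None, "unknown security header type or protocol discriminator"
        rx_mac, sn, body = pdu[1:5], pdu[5], pdu[6:]
        # Reconstruct the 24-bit COUNT: the wire carries only SN, so the overflow part comes from our state.
        # A SN below the expected one means either a wrap (overflow + 1) or a replay; a replay then fails the
        # MAC check because the COUNT it was protected under differs from the one computed here.
        overflow = self.expected.overflow + (1 if sn < self.expected.sqn else 0)
        count = (overflow << 8) | sn
        xmac = self.mac_fn(self.k, count, NAS_BEARER, self.direction, bytes([sn]) + body)
        if not hmac.compare_digest(xmac, rx_mac):     # constant-time comparison of MAC and XMAC
            return None, "MAC mismatch: modified, replayed, wrong key, or wrong direction"
        self.expected = NasCount(overflow, sn)
        self.expected.advance()                       # the next message must carry a higher COUNT
        return body, "ok"


# Constructed demo: the page's sample plain NAS message (a Security Mode Command) and a made-up K_NASint.
SAMPLE_K_NASINT = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")
SAMPLE_SMC = bytes.fromhex("075D010002F070C1")

if __name__ == "__main__":
    mme_tx, ue_rx = NasCount(), NasReceiver(SAMPLE_K_NASINT, DOWNLINK)
    pdu = protect(SAMPLE_K_NASINT, mme_tx, DOWNLINK, SAMPLE_SMC, sht=SHT_INT_NEW)
    print("protected:", pdu.hex())
    print("fresh    :", ue_rx.verify(pdu)[1])
    print("replayed :", ue_rx.verify(pdu)[1])
    tampered = pdu[:8] + bytes([pdu[8] ^ 0x01]) + pdu[9:]   # turn "EEA0/EIA1" into "EEA0/EIA0"
    print("tampered :", ue_rx.verify(tampered)[1])
```

The tampering case is the one that matters in practice: flipping a single bit in the selected-algorithm octet would downgrade the UE to the null integrity algorithm, and only the MAC over the full message stops it. Note also that the receiver rejects a security header type of 0 outright; a real UE must additionally allow the short list of messages TS 24.301 permits before security activation, which is exactly where bidding-down and identity-request attacks try to hide.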

What does NAS Integrity Algorithm do ?

Simply put, NAS Integrity (in LTE, and in much the same way in UMTS) calculates the Message Authentication Code (MAC, shown in red) from various inputs (shown in blue and green) and writes it into the MAC field of the security-protected NAS message, as illustrated below. The diagram labels that field MAC-I, the name TS 33.401 uses for the algorithm output; in the NAS security header it is simply the MAC field, and it is distinct from the PDCP-level MAC-I that protects RRC messages.

The NAS Integrity Algorithm ensures the integrity of NAS (Non-Access Stratum) messages by:

  • Calculating a Message Authentication Code (MAC).
  • Using specific inputs (marked in green and violet) to verify that the NAS message has not been tampered with during transmission.

The following is a breakdown of the diagram above.

  • Inputs to the NAS Integrity Algorithm
    • Sequence Number (Violet):
      • The 8-bit NAS SQN carried in the message; it makes each protected message unique and lets the receiver keep messages in order.
      • Combined with the locally kept overflow counter it prevents replay: a replayed message carries an old COUNT, so its MAC no longer verifies.
    • NAS Message (Green):
      • The actual signalling message being sent, e.g., an Attach Request or an Authentication Response.
    • Additional Inputs (Violet):
      • Includes other critical parameters:
        • COUNT: the 32-bit value 0x00 || NAS overflow counter (16 bits) || NAS SQN (8 bits). Only the SQN is transmitted; the overflow counter is maintained by both sides.
        • Bearer: a 5-bit input that is fixed to 0 for NAS signalling (it carries the radio bearer identity only for RRC and user-plane protection).
        • Direction: Differentiates between uplink (0, UE to network) and downlink (1, network to UE), so a message cannot be reflected back to its sender.
  • Calculation Process
    • NAS Integrity Algorithm:
      • Takes the sequence number, NAS message, and additional inputs.
      • Processes them with K_NASint using the selected EPS Integrity Algorithm (EIA): 128-EIA1 (based on SNOW 3G), 128-EIA2 (based on AES in CMAC mode) or 128-EIA3 (based on ZUC).
      • Generates the 32-bit Message Authentication Code (MAC) as the output.
    • Message Authentication Code (Red):
      • The MAC (e.g., 205A8923) is written into the security header that precedes the NAS message.
      • It serves as a cryptographic fingerprint of the message, the key and the COUNT together.
  • Purpose of the MAC
    • The MAC allows the receiver to:
      • Verify the authenticity and integrity of the NAS message.
      • Ensure the message has not been altered or tampered with during transmission.
      • Discard the message if the computed MAC does not match the received MAC.

How is the NAS MAC carried over PDCP ?

A NAS message never travels on its own. The security-protected NAS message (header with MAC and sequence number, followed by the NAS message) is handed to RRC, which carries it as a dedicatedInfoNAS field inside an RRC message such as DLInformationTransfer or ULInformationTransfer (or piggybacked on RRCConnectionSetupComplete / RRCConnectionReconfiguration). That RRC message is sent over a signalling radio bearer (SRB1, or SRB2 once it is established) through PDCP. PDCP on an SRB applies its own integrity protection with K_RRCint: its COUNT is HFN || PDCP SN, its BEARER input is the SRB identity minus one, and it appends a separate 32-bit MAC-I at the end of the PDCP PDU, covering the PDCP header and data. So a NAS message on the air carries two independent integrity codes: the NAS MAC, computed with K_NASint and verifiable only by the UE and the MME (the eNB forwards the NAS PDU transparently and can neither check nor forge it), and the PDCP MAC-I, computed with K_RRCint between the UE and the eNB. The diagram below shows the NAS MAC (labelled MAC-I there) inside the NAS PDU that PDCP carries; it is not the PDCP-level MAC-I.

This is a breakdown of the diagram shown above :

  • Input Preparation:
    • The NAS message (075D010002F070C1 in this example: a plain Security Mode Command, message type 0x5D, selecting EEA0 and 128-EIA1) is prefixed with the NAS sequence number (0 in this example); together with COUNT, DIRECTION and BEARER (0 for NAS) this forms the input to the NAS Integrity Algorithm.
  • MAC Calculation:
    • The NAS Integrity Algorithm processes these inputs with K_NASint and computes the 32-bit MAC (205A8923 in this case); the diagram calls it MAC-I.
    • This value serves as the integrity check code.
  • Integration into the security-protected NAS message:
    • The MAC is placed in the security header in front of the sequence number and the NAS message. A Security Mode Command is sent with security header type 3 ("integrity protected with new EPS security context"), so the first octet is 0x37 and the message on the wire reads 37 205A8923 00 075D010002F070C1.
    • A NAS message is never split at NAS level: every security-protected NAS message carries exactly one MAC covering the whole message. If the resulting PDU is large, segmentation happens below PDCP (at RLC) and does not affect the NAS MAC.
  • Transmission:
    • The security-protected NAS message is passed to RRC and sent over an SRB through PDCP, which adds its own K_RRCint-based MAC-I as described above.
  • Verification at Receiver:
    • The receiver rebuilds COUNT from the received sequence number and its own overflow counter and calculates XMAC using the same algorithm and inputs.
    • It compares the calculated XMAC with the received MAC.
    • If they match, the message is considered authentic and the receiver's NAS COUNT advances; otherwise it is discarded as tampered, corrupted or replayed.

Key Generation Details

The NAS Integrity Algorithm used in LTE is called EIA (EPS Integrity Algorithm). The high-level functionality of EIA can be illustrated as below.

This section explains how the MAC is generated by the NAS Integrity Algorithm (EIA): how the required inputs COUNT, DIRECTION, BEARER and MESSAGE are combined with the 128-bit key K_NASint to produce it. The same algorithm run with the same inputs at the receiver yields XMAC, and the equality of MAC and XMAC is the whole integrity check.

As shown above, several EIAs are defined for LTE: EIA0 (the null algorithm, allowed only for unauthenticated emergency calls), 128-EIA1 (SNOW 3G), 128-EIA2 (AES-128 in CMAC mode) and 128-EIA3 (ZUC). All of them take the same inputs and produce a 32-bit MAC; they differ only in the underlying keystream or cipher function, and you need to go through the respective specifications to understand the details. For EIA1 as an example, refer to the SNOW3G page.

Key Components in the Process

  • NAS Sequence Number (NAS SQN):
    • The NAS SQN is an 8-bit sequence number carried in every security-protected NAS message; it is the only part of the NAS COUNT that is actually transmitted.
    • When the NAS SQN wraps from 255 to 0, the NAS overflow counter (16 bits), kept locally by both UE and MME, is incremented, so the (overflow, SQN) pair never repeats under one key.
    • The receiver recovers the full COUNT by combining the received SQN with its own overflow counter, adding one when it sees the SQN wrap.
  • COUNT:
    • The 32-bit COUNT input to the algorithm is built as:
      • 8 zero bits of padding (most significant).
      • NAS Overflow (16 bits).
      • NAS SQN (8 bits, least significant).
    • There is one NAS COUNT per direction, so together with DIRECTION every (key, COUNT, DIRECTION) triple is unique; that uniqueness is what defeats replay. Before a NAS COUNT wraps around, the MME must run a new AKA so that values are never reused with the same key.
  • Direction:
    • Indicates whether the message is uplink (0) or downlink (1).
    • This ensures that the algorithm differentiates between messages sent by the UE and those sent by the network; a message captured in one direction cannot be replayed in the other.
  • Bearer:
    • A 5-bit input. For RRC and user-plane protection it carries the radio bearer identity; for NAS signalling it is fixed to 0 and does not change between messages.
  • Message:
    • The part of the NAS message that is integrity protected: the sequence number octet followed by the NAS message itself (protocol discriminator, message type and all information elements). If the message is also ciphered, the MAC is computed over the ciphered content.

EIA (EPS Integrity Algorithm)

  • At the Sender:
    • Inputs (COUNT, Direction, Bearer, and Message) are processed by the NAS Integrity Algorithm, which uses the 128-bit key K_NASint to generate the 32-bit MAC (called MAC-I in the figure).
    • This MAC is carried in the security header of the NAS message, in front of the sequence number and the message.
  • At the Receiver:
    • The receiver computes XMAC using the same algorithm, the same K_NASint and the same inputs (COUNT reconstructed from the received sequence number, Direction, Bearer, and the received message).
    • XMAC is compared with the received MAC to verify the message's integrity.
    • If they match, the message is considered authentic; otherwise it is discarded as corrupted or tampered with. A persistent mismatch on otherwise well-formed messages usually points to a COUNT desynchronisation or a stale key after a context change rather than to an attacker, so COUNT handling deserves as much care as the algorithm itself.
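To make the EIA2 path concrete for both the calculation process described earlier and the input list of this section, here is 128-EIA2 written out end to end: AES-128 in CMAC mode over COUNT || BEARER || DIRECTION || 0^26 || MESSAGE, truncated to 32 bits (TS 33.401 Annex B.2.3). This is an added example, not code from the page or from 3GPP; the AES core is a table-free textbook implementation written for readability, and the key and NAS COUNT used in the demo are made up.

```python
"""128-EIA2 (AES-128 CMAC, TS 33.401 Annex B.2.3) end to end, as an added illustration.
Table-free textbook AES for readability: NOT constant-time, for study and test vectors only."""


def _xtime(a: int) -> int:
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1


def _build_sbox() -> list:
    """S-box = affine map of the multiplicative inverse, walking GF(2^8)* with generator 3."""
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)   # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF           # q /= 3, so q stays p^-1
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)          # q xor its four left rotations
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def _expand_key(key: bytes) -> list:
    """AES-128 key schedule: 11 round keys of 16 bytes."""
    w, rcon = list(key), 1
    for i in range(16, 176, 4):
        t = w[i - 4:i]
        if i % 16 == 0:                                   # RotWord, SubWord, Rcon on every 4th word
            t, rcon = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]], _xtime(rcon)
        w += [w[i - 16 + j] ^ t[j] for j in range(4)]
    return [w[r:r + 16] for r in range(0, 176, 16)]


def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    """One AES-128 block encryption; the state is column-major (byte i = column i//4, row i%4)."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                  # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]        # ShiftRows: row r rotates left by r
        if rnd < 10:                                              # MixColumns (skipped in the last round)
            out = []
            for c in range(0, 16, 4):
                a = s[c:c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                out += [a[j] ^ t ^ _xtime(a[j] ^ a[(j + 1) % 4]) for j in range(4)]
            s = out
        s = [b ^ k for b, k in zip(s, rk[rnd])]                   # AddRoundKey
    return bytes(s)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def aes_cmac(key: bytes, msg: bytes) -> bytes:
    """AES-CMAC per RFC 4493 / NIST SP 800-38B, full 128-bit tag."""
    def dbl(b: bytes) -> bytes:                                   # multiply by x in GF(2^128)
        v = int.from_bytes(b, "big") << 1
        if v >> 128:
            v ^= 0x87
        return (v & ((1 << 128) - 1)).to_bytes(16, "big")
    k1 = dbl(aes128_encrypt_block(key, bytes(16)))
    k2 = dbl(k1)
    n = max(1, (len(msg) + 15) // 16)
    last = msg[(n - 1) * 16:]
    if len(last) == 16:                                           # complete final block: xor K1
        last = _xor(last, k1)
    else:                                                         # pad with 10..0 and xor K2
        last = _xor(last + b"\x80" + bytes(15 - len(last)), k2)
    x = bytes(16)
    for i in range(n - 1):
        x = aes128_encrypt_block(key, _xor(x, msg[i * 16:(i + 1) * 16]))
    return aes128_encrypt_block(key, _xor(x, last))


def eia2(k_nasint: bytes, count: int, bearer: int, direction: int, message: bytes) -> bytes:
    """128-EIA2: MAC = leftmost 32 bits of AES-CMAC(K, COUNT || BEARER || DIRECTION || 0^26 || MESSAGE).
    For NAS: COUNT = 0x00 || overflow || SQN, BEARER = 0, MESSAGE = SN octet || NAS message."""
    head = count.to_bytes(4, "big") + bytes([((bearer & 0x1F) << 3) | ((direction & 1) << 2), 0, 0, 0])
    return aes_cmac(k_nasint, head + message)[:4]


if __name__ == "__main__":
    # Constructed demo: the page's sample Security Mode Command, downlink, NAS COUNT 0, made-up K_NASint
    k = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")
    print("MAC =", eia2(k, 0, 0, 1, bytes([0]) + bytes.fromhex("075D010002F070C1")).hex())
```

Two caveats for anyone reusing this: the message is handled as whole octets, whereas the 33.401 Annex C.2 test sets also give lengths in bits that are not byte multiples (the real algorithm takes a LENGTH input in bits), so only byte-aligned vectors can be checked with it; and a Python AES of this kind leaks timing, which is acceptable for a protocol study but not for anything that holds a live K_NASint.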
