NAS Security Mode Control Procedure


Personally for me, I think this is one of the most complicated procedure and I made so many mistakes creating proper/flexible NAS security mode command (EMM : Security Mode Command) message.


I want to write down some important points to consider to creating EMM : Security Mode Command. Of course, these are not all.. so you may come across some other issues even though you checked everything described in this page.


Most of the contents in this page is based on 24.301 5.4.3 Security mode control procedure. Regarding the Security Algorithm, you need to refer to 33.401.



When network send EMM : Security Mode Command,


The MME shall set the security header type of the message to "integrity protected with new EPS security context".

: This mean that "Security protected NAS message.Security header type.Security header type" IE should be "integrity protected with new EPS security context".


24.301 5.4.3 States as follows

The MME shall include the replayed security capabilities of the UE (including the security capabilities with regard to NAS, RRC and UP (user plane) ciphering as well as NAS, RRC integrity, and other possible target network security capabilities, i.e. UTRAN/GERAN if UE included them in the message to network), the replayed nonceUE if the UE included it in the message to the network, the selected NAS ciphering and integrity algorithms and the Key Set Identifier (eKSI).

: This is the most complicated parts when it comes to creating the EMM : Security Mode Command and has been headache for me for so long. (probably  even until now -:)). The list of parameters you have to match or playback in EMM : Security Mode Command is as shown below. (There are corresponding parameters in Tracking Area Update Request as well. If EMM : Security Mode Command comes after Tracking Area Update Request, you have to replay those values from Tracking Area Update Request).

  • Attach request.NAS key set identifier
  • Attach request.UE network capability
  • Attach request.MS network capability



When UE received EMM : Security Mode Command,


When UE received EMM : Security Mode Command message, it goes through some basic process as follows :

  • perform the integrity check of the message
  • check that the received replayed UE security capabilities and the received nonceUE have not been altered compared to the latest values that the UE sent to the network.



EMM : Security Mode Reject


One of the most annoying things for troubleshooting is to fix this Security Mode Reject sent by UE. Of course, you cannot figure out anything from Network Log and even if you look into UE log, it would not tell much details. Then looking into 3GPP specification, following is all that I got. This is also not enough.


24.301- NAS security mode command not accepted by the UE describes as follows


If the security mode command cannot be accepted, the UE shall send a SECURITY MODE REJECT message. The

SECURITY MODE REJECT message contains an EMM cause that typically indicates one of the following cause



#23: UE security capabilities mismatch;

#24: security mode rejected, unspecified.



24.301 A.3 Causes related to PLMN specific network failures and congestion/authentication failures describes as follows


Cause #23 UE security capabilities mismatch

This EMM cause is sent to the network if the UE detects that the UE security capability does not match the one sent back by the network.


Cause #24 Security mode rejected, unspecified

This EMM cause is sent to the network if the security mode command is rejected by the UE if the UE detects that the nonceUE does not match the one sent back by the network or for unspecified reasons.



NOTE 1 : One of the common cause of Security Mode Reject Cause #24 would be due to Security Header type violation. The security header type for Security Mode Command should be as 24.301- states :

    The MME shall send the SECURITY MODE COMMAND message unciphered, but shall integrity protect the message with the NAS integrity key based on KASME or mapped K'ASME indicated by the eKSI included in the message. The MME shall set the security header type of the message to "integrity protected with new EPS security context".