NAS (Non-Access Stratum) Security

Non-Access Stratum (NAS) security refers to the security measures employed in the non-access stratum of a mobile network. The non-access stratum is responsible for providing the control plane and management functions of the mobile network, which includes signaling and authentication, mobility management, session management, and security management. NAS security is therefore crucial in ensuring the confidentiality, integrity, and availability of these management functions and the associated data.

NAS security mechanisms are designed to protect against a range of security threats, including eavesdropping, interception, modification, and impersonation attacks. Such attacks can compromise network integrity and user privacy and disrupt network operations. To prevent them, mobile network operators (MNOs) employ a range of security measures in the non-access stratum.

Authentication and Key Agreement (AKA)

The Authentication and Key Agreement (AKA) mechanism is a key component of NAS security. AKA is a challenge-response mechanism that is used to authenticate the user to the network and establish a secure session key between the user and the network. AKA is used in both 3G and 4G networks and provides protection against impersonation and replay attacks.

The AKA mechanism involves three steps:

  1. Authentication: The user sends an authentication request to the network, which includes the user's identity and a random number (RAND) generated by the network.
  2. Authentication Response: The network sends an authentication response (RES), which is derived from the user's secret key (Ki) and the RAND.
  3. Session Key Generation: The user and the network use the RES to generate a session key (KASME), which is used to encrypt and authenticate the user's data.

The AKA mechanism provides mutual authentication, which means that both the user and the network authenticate each other. It also provides key freshness, which means that a new session key is generated for each session to prevent replay attacks.
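The following is an added illustration of the challenge-response exchange described above, written for this page and not taken from any 3GPP specification or operator code: the network issues RAND with a token proving it knows Ki, the UE answers with RES, and both sides derive a session key bound to RAND. It assumes HMAC-SHA256 under Ki as a stand-in for the operator's MILENAGE functions, derives the session key from Ki and RAND (a simplification of the KASME derivation), and omits the sequence-number check that real AKA uses against replayed challenges.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
)

// prf stands in for the operator's MILENAGE functions (an assumption of this
// example): one keyed PRF under Ki, domain-separated by label, over RAND.
func prf(ki []byte, label string, rnd []byte) []byte {
	m := hmac.New(sha256.New, ki)
	m.Write([]byte(label))
	m.Write(rnd)
	return m.Sum(nil)
}

// Challenge is what the network sends: RAND plus an AUTN-like token that
// proves the network itself knows Ki, which is what makes AKA mutual.
type Challenge struct{ RAND, AUTN []byte }

// NetworkChallenge issues the challenge for a fresh RAND and precomputes
// the expected response XRES the network will later compare against.
func NetworkChallenge(ki, rnd []byte) (c Challenge, xres []byte) {
	return Challenge{RAND: rnd, AUTN: prf(ki, "autn", rnd)}, prf(ki, "res", rnd)[:8]
}

// UERespond checks the network's token before answering, then returns RES
// and the UE's copy of the session key (standing in for KASME).
func UERespond(ki []byte, c Challenge) (res, key []byte, ok bool) {
	if subtle.ConstantTimeCompare(c.AUTN, prf(ki, "autn", c.RAND)) != 1 {
		return nil, nil, false // network could not prove knowledge of Ki
	}
	return prf(ki, "res", c.RAND)[:8], prf(ki, "kasme", c.RAND), true
}

// NetworkVerify compares RES with XRES in constant time; on success the
// network derives the same session key. The key is bound to RAND, so each
// run with a fresh RAND yields a fresh key and an old RES is useless.
func NetworkVerify(ki []byte, c Challenge, res, xres []byte) (key []byte, ok bool) {
	if subtle.ConstantTimeCompare(res, xres) != 1 {
		return nil, false // wrong Ki, or a RES replayed from an earlier RAND
	}
	return prf(ki, "kasme", c.RAND), true
}
```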

Integrity Protection

Integrity protection is another important aspect of NAS security. It ensures that the data exchanged between the user and the network has not been modified in transit. It is provided by Message Authentication Codes (MACs), which are calculated over the data with a secret key shared between the user and the network.

In 3G networks, the integrity protection mechanism is known as the Cipher-Based MAC (CMAC) mechanism, while in 4G networks, it is known as the Integrity Protection Algorithm for the NAS (NIA). Both mechanisms use the Advanced Encryption Standard (AES) algorithm to provide integrity protection.

Confidentiality Protection

Confidentiality protection is used to ensure that the data exchanged between the user and the network is kept confidential and cannot be eavesdropped upon by unauthorized parties. Confidentiality protection is provided by encrypting the data using a session key (KASME) that is generated during the AKA process.

In 3G networks, the confidentiality protection mechanism is known as the Encryption Algorithm (EA), while in 4G networks, it is known as the Encryption Algorithm for the NAS (NEA). Both mechanisms use the AES algorithm to provide confidentiality protection.
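As an added example (this page's own illustration, not code from 3GPP or any vendor), the following Go code shows NAS ciphering with AES in counter mode the way LTE 128-EEA2 forms the counter block from COUNT, BEARER and DIRECTION, together with the sender-side rule that keeps it safe: a COUNT value is never reused under one key, and when the 24-bit NAS COUNT is exhausted the sender refuses to transmit until a new AKA run supplies a fresh key. The Sender type, its field names and the 16-byte key and PDU in the test are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// nasCounterBlock is the 128-EEA2 initial counter block:
// COUNT(32) || BEARER(5) || DIRECTION(1) || 26 zero bits || 64 zero bits.
func nasCounterBlock(count uint32, bearer, dir byte) []byte {
	iv := make([]byte, 16)
	binary.BigEndian.PutUint32(iv, count)
	iv[4] = bearer<<3 | dir<<2
	return iv
}

// NASCipher applies the AES-128 counter-mode keystream selected by
// (key, count, bearer, dir) to data; the same call encrypts and decrypts.
func NASCipher(key []byte, count uint32, bearer, dir byte, data []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(blk, nasCounterBlock(count, bearer, dir)).XORKeyStream(out, data)
	return out, nil
}

// Sender holds one direction's ciphering state and guarantees that no
// (key, COUNT, BEARER, DIRECTION) tuple is used twice: a repeated counter
// block would repeat the keystream, which breaks any stream cipher.
type Sender struct {
	Key         []byte
	Bearer, Dir byte
	Count       uint32 // next NAS COUNT to use; 24 bits wide in LTE
}

// Send ciphers one PDU under the current COUNT and advances it. When the
// 24-bit space is used up the only safe move is a new AKA run (fresh key).
func (s *Sender) Send(pdu []byte) ([]byte, error) {
	if s.Count > 0xFFFFFF {
		return nil, errors.New("NAS COUNT exhausted: rekey via AKA before sending")
	}
	ct, err := NASCipher(s.Key, s.Count, s.Bearer, s.Dir, pdu)
	if err == nil {
		s.Count++
	}
	return ct, err
}
```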

Mobile Network Security Architecture

The mobile network security architecture is a set of security functions that are designed to protect the mobile network against various security threats. The security architecture is based on a number of security domains, each of which is responsible for a specific security function.

The security domains include:

  1. UE (User Equipment) Security Domain: This domain is responsible for providing security functions for the user equipment, including authentication, integrity protection, and confidentiality protection.
  2. MME (Mobility Management Entity) Security Domain: This domain is responsible for providing security functions for the MME, including authentication and key agreement, integrity protection, and confidentiality protection.
  3. Network Domain Security: This domain is responsible for providing security functions for the core network, including authentication, integrity protection, and confidentiality protection.
  4. Application Domain Security: This domain is responsible for providing security functions for the application layer, including authentication, integrity protection, and confidentiality protection.

The security domains interact with each other to provide end-to-end security for the mobile network. For example, the UE security domain interacts with the MME security domain to authenticate the user and establish a secure session key, while the MME security domain interacts with the network domain security to protect the network against security threats.

Security Functions in the Non-Access Stratum

The non-access stratum provides a number of security functions that are designed to protect the mobile network against various security threats. These security functions include:

  1. Authentication and Key Agreement (AKA): AKA is used to authenticate the user to the network and establish a secure session key between the user and the network.
  2. Ciphering: Ciphering is used to encrypt the data exchanged between the user and the network to ensure confidentiality.
  3. Integrity Protection: Integrity protection is used to ensure that the data exchanged between the user and the network has not been modified in transit.
  4. Key Management: Key management is used to manage the encryption keys used to provide confidentiality and integrity protection.
  5. Radio Resource Control (RRC) Security: RRC security is used to protect the RRC messages exchanged between the user and the network.
  6. Mobility Management Security: Mobility management security is used to protect the signaling messages exchanged between the user and the network during handover and roaming.

Conclusion

NAS security is a critical aspect of mobile network security. The NAS provides the control plane and management functions of the mobile network, including signaling and authentication, mobility management, session management, and security management. NAS security mechanisms are designed to protect against a range of security threats, including eavesdropping, interception, modification, and impersonation attacks. To prevent such attacks, mobile network operators employ a range of security measures in the non-access stratum, including AKA, ciphering, integrity protection, key management, RRC security, and mobility management security. By implementing these measures, MNOs can ensure the confidentiality, integrity, and availability of their networks and the associated data.