RRC Integrity failure when the UE re-connects from RRC IDLE
Scenario: the UE goes to RRC IDLE, e.g. when the UE falls back to RRC IDLE during RRCReestablishment.
Flow
1) UE goes to RRC IDLE
5.3.11 UE actions upon going to RRC_IDLE of 38.331
1> discard the KgNB key, the S-KgNB key, the S-KeNB key, the KRRCenc key, the KRRCint key, the KUPint key and the KUPenc key, if any;
[...]
1> indicate the release of the RRC connection to upper layers together with the release cause;
At this step the keys are cleared and the RRC connection release is notified to NAS.
2) Notify to NAS connection release
5.3.1.3 Release of the N1 NAS signalling connection of TS 24.501
[...] upon indication from lower layers that the access stratum connection has been released, the UE shall enter 5GMM-IDLE mode and consider the N1 NAS signalling connection released.
The NAS connection is released and the UE enters 5GMM-IDLE mode.
3) The UE is in 5GMM-IDLE mode and 5GMM-REGISTERED state
Method 1: send a new Registration Request
Description:
When the UE goes into RRC IDLE, it clears all security keys; the gNB then creates new keys, but the UE never derives a new KgNB key and the related keys.
This leads to an integrity failure of the RRC Security Mode Command at the UE after the new registration from RRC IDLE.
At the core side I see that the UE stays in 5GMM-REGISTERED state, therefore even though a new Registration Request is sent, the core is not running a new Authentication procedure or sending a Security Mode Command, which are normally used by the UE to derive the KgNB key.
What should the Core do when the UE comes back from RRC IDLE? I see different scenarios in 5.4.2.2, 4.4.2.5, 4.5.4.1 of TS 24.501, however it is still unclear when the UE comes back from 5GMM-IDLE mode. The InitialContextSetupRequest alone does not seem to be enough.
To be done:
- send KSI in the NAS Registration Request: when the UE deletes a security context, it needs to indicate that to the AMF by using the NAS key set identifier IE and setting the value to "no key is available" (section 9.11.3.32 NAS key set identifier of 3GPP TS 24.501 version 16.14.0) in the Registration Request message, so that the AMF can trigger a new authentication procedure.
- the CN should handle this IE in the AMF
- the UE should get the new security keys after re-connecting from RRC IDLE
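The following model, added here and not part of this issue or the project's code, replays the scenario above: a UE that drops its keys on RRC IDLE either re-sends its old ngKSI (the AMF reuses the context, goes to InitialContextSetup, and the RRC SMC integrity check fails at the UE) or sends ngKSI = "no key is available" so the AMF runs a new authentication. The UE/AMF classes, the `reconnect_from_idle` driver and the SHA-256 stand-in for the KgNB derivation are assumptions made for the example; only the 4-bit ngKSI layout (TSC bit plus 3-bit KSI, value 0b111 = no key) comes from TS 24.501.

```python
import hashlib, os
NO_KEY_AVAILABLE = 0b111  # ngKSI "no key is available" (TS 24.501 9.11.3.32)
def encode_ngksi(tsc: int, ksi: int) -> int:
    """Pack TSC (1 bit) and KSI (3 bits) into the 4-bit ngKSI field."""
    return ((tsc & 1) << 3) | (ksi & 0b111)
def decode_ngksi(field: int) -> tuple[int, int]:
    """Split a 4-bit ngKSI field into (TSC, KSI)."""
    return (field >> 3) & 1, field & 0b111
def derive_kgnb(kamf: bytes) -> bytes:
    """Stand-in for the KgNB derivation from KAMF (the real KDF is in TS 33.501)."""
    return hashlib.sha256(b"KgNB" + kamf).digest()

class UE:
    def __init__(self, kamf: bytes, ksi: int):
        self.kamf, self.ksi, self.kgnb = kamf, ksi, derive_kgnb(kamf)
    def go_rrc_idle(self, signal_no_key: bool) -> None:
        """38.331 5.3.11 discards the AS keys; this UE model also drops KAMF,
        which is the behaviour the issue describes."""
        self.kgnb = self.kamf = None
        if signal_no_key:                # the fix proposed in the issue
            self.ksi = NO_KEY_AVAILABLE
    def registration_request(self) -> dict:
        return {"ngksi": encode_ngksi(0, self.ksi)}
    def rrc_smc_integrity_ok(self, kgnb_used_by_gnb: bytes) -> bool:
        return self.kgnb is not None and self.kgnb == kgnb_used_by_gnb

class AMF:
    def __init__(self, kamf: bytes, ksi: int):
        self.kamf, self.ksi = kamf, ksi
    def handle_registration(self, req: dict, ue: UE) -> str:
        _, ksi = decode_ngksi(req["ngksi"])
        if ksi == NO_KEY_AVAILABLE or ksi != self.ksi:
            # New authentication: fresh KAMF on both sides, then the NAS SMC
            # lets the UE derive KgNB before the gNB sends the RRC SMC.
            self.kamf, self.ksi = os.urandom(32), (self.ksi + 1) % 7
            ue.kamf, ue.ksi, ue.kgnb = self.kamf, self.ksi, derive_kgnb(self.kamf)
            return "AUTHENTICATION"
        return "INITIAL_CONTEXT_SETUP"   # context reused, UE derives nothing
    def kgnb_for_gnb(self) -> bytes:
        return derive_kgnb(self.kamf)

def reconnect_from_idle(signal_no_key: bool) -> tuple[str, bool]:
    """Replay the issue's scenario; returns (AMF procedure, RRC SMC integrity ok)."""
    kamf = b"\x11" * 32                  # constructed shared 5G NAS context
    ue, amf = UE(kamf, ksi=2), AMF(kamf, ksi=2)
    ue.go_rrc_idle(signal_no_key)
    procedure = amf.handle_registration(ue.registration_request(), ue)
    return procedure, ue.rrc_smc_integrity_ok(amf.kgnb_for_gnb())
```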
Method 2: Send a Service Request
- NAS Service Request implementation at the UE -> #900