How it Works

This section describes how this feature works.

The UE Security Capability IE, received from the UE in the Registration Request, is used by the network to indicate which security algorithms are supported by the UE for NAS security. The AMF creates a new security context for the UE and negotiates the encryption and integrity protection algorithms. These algorithms are configurable, along with their negotiation priority. The AMF compares the algorithms supported by the UE against the configured priority and selects the algorithms to be used for encryption and integrity protection. When integrity protection is disabled, ciphering is also automatically disabled.
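The priority-based selection described above, as an added sketch that is not the AMF's own code. It assumes the configuration is two ordered lists of algorithm numbers, that "integrity protection disabled" means the null algorithm 5G-IA0 was selected, and the bitmap layout of the IE from 3GPP TS 24.501; all function names are hypothetical.

```python
from typing import List, Set, Tuple

NULL_ALG = 0  # 5G-EA0 / 5G-IA0: the null ciphering / integrity algorithm


def parse_ue_security_capability(value: bytes) -> Tuple[Set[int], Set[int]]:
    """Decode the first two value octets: 5G-EA bitmap, then 5G-IA bitmap.

    In each octet, bit 8 is algorithm 0, bit 7 is algorithm 1, and so on.
    """
    if len(value) < 2:
        raise ValueError("UE Security Capability needs at least 2 value octets")

    def bits(octet: int) -> Set[int]:
        return {alg for alg in range(8) if octet & (0x80 >> alg)}

    return bits(value[0]), bits(value[1])


def pick(priority: List[int], supported: Set[int], kind: str) -> int:
    """Return the first configured algorithm that the UE also supports."""
    for alg in priority:
        if alg in supported:
            return alg
    raise LookupError(f"no common {kind} algorithm between UE and configuration")


def negotiate(ie_value: bytes, ciph_priority: List[int],
              integ_priority: List[int]) -> Tuple[int, int]:
    """Return (ciphering, integrity) algorithm numbers for the security context."""
    ue_ea, ue_ia = parse_ue_security_capability(ie_value)
    integ = pick(integ_priority, ue_ia, "integrity")
    if integ == NULL_ALG:
        # Integrity disabled: ciphering is disabled too, whatever is configured.
        return NULL_ALG, NULL_ALG
    return pick(ciph_priority, ue_ea, "ciphering"), integ


if __name__ == "__main__":
    # Constructed sample: UE advertises EA0-EA2 and IA0-IA2 (0xE0 in each octet).
    ue_ie = bytes([0xE0, 0xE0])
    print(negotiate(ue_ie, [2, 1, 0], [2, 1, 0]))  # strongest common pair
    print(negotiate(ue_ie, [2, 1], [0]))           # null integrity forces null ciphering
```

Because selection follows the configured order, listing the null integrity algorithm ahead of the others results in unprotected NAS signalling for every UE that advertises it, so the priority lists deserve review.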

In addition, the NasSubscriber database is a new database that stores the UE security context so that both the AMF application and the protocol layer can access it. The AMF application stores the derived keys and negotiated algorithms in the NasSubscriber database before sending the security mode command to the UE. The AMF protocol encodes the packets received from the AMF application and initiates the encryption and integrity protection based on the negotiated algorithm and the downlink NAS count.

The AMF extracts the security header from the packets to verify integrity protection in the uplink path. After verification, the AMF protocol deciphers the packets before sending them to the AMF application.