Part 2 · Authentication and Access Security
8 NAS Security

Protecting the conversation between the UE and the core

“The radio carries your data, but the NAS carries your intentions — register me, page me, set up my session. Forge those and you don’t need to read the data at all.” — WHY NAS SECURITY COMES FIRST

NAS — Non-Access Stratum — is the signaling dialogue between the UE and the AMF: registration, mobility, service requests, session setup. It rides transparently through the gNB, so it must protect itself end-to-end between UE and core. This chapter covers the NAS Security Mode Command, the NEA/NIA algorithms, the NAS COUNT that stops replay, and the bidding-down defense that keeps an attacker from forcing weak protection.

🎯 Learning objectives
📘 Standards reference box — Chapter 8
Specification | Title | Release / version verified
TS 33.501 | 5G security — NAS security (clause 6.4, 6.7) | Rel-18, v18.11.0 (2026-04)
TS 24.501 | NAS protocol for 5GS (messages, security header) | Rel-18/19 edition
TS 33.401 / 35.215+ | EPS NAS security (comparison) / algorithm specs | current

Checked June 2026 — verify against the latest 3GPP version.

8.1 What NAS Protects, and Where It Sits

NAS messages travel between the UE and the AMF; the gNB relays them without reading them (NAS is transparent to the RAN). So NAS cannot rely on radio (AS) security — it carries its own ciphering and integrity, keyed by the NAS keys derived from KAMF (Chapter 7). This is the first protection that engages after authentication, and it guards the most powerful signaling in the system.

FIGURE 8.1 NAS Within the Protocol Stack — End-to-End to the Core
[Figure: three stacks side by side. UE: NAS / RRC / PDCP/RLC / MAC/PHY. gNB: RRC / PDCP / RLC / MAC / PHY, with NAS passing THROUGH (the gNB can’t read it). AMF (core): NAS / NGAP / SCTP/IP. Interfaces: Uu (AS) between UE and gNB, N2 (NGAP) between gNB and AMF. NAS SECURITY: ciphered + integrity-protected end-to-end (UE ↔ AMF), keyed by K_NASenc / K_NASint.]
Purpose: why NAS protects itself. Because the gNB only relays it, NAS security is the UE-to-core guarantee that survives a compromised or fake base station relaying signaling.

8.2 The NAS Security Mode Command

After authentication produces KAMF, the AMF turns protection on with the NAS Security Mode Command (SMC). It selects the algorithms, and — critically — echoes back the UE’s security capabilities it received earlier, integrity-protected, so the UE can confirm nobody tampered with them in the unprotected registration.

FIGURE 8.2 The NAS Security Mode Command Procedure
[Figure: UE ↔ AMF sequence. Context: authentication done → K_AMF + NAS keys exist.
① AMF → UE: NAS Security Mode Command (selected NEA & NIA · ngKSI · REPLAYED UE security capabilities · [IMEISV request]), integrity-protected with K_NASint, not yet ciphered.
② UE verifies MAC-I and checks replayed caps == what it sent; mismatch → bidding-down detected → reject.
③ UE → AMF: NAS Security Mode Complete, now fully ciphered + integrity-protected (· [IMEISV]).
From here on, all NAS is protected with the chosen NEA/NIA and the NAS keys.]
Purpose: the moment NAS protection switches on. The replayed-capabilities check (step ②) is the bidding-down defense — detailed in §8.5.
FIGURE 8.3 Inside the NAS Security Mode Command Message
[Figure: fields of the SMC.
security header type: “integrity protected with new context”
selected NEA + NIA: the algorithms to use
ngKSI: key set ID
replayed UE sec capabilities: echoed back to detect tampering
NAS-MAC: integrity tag
WHY EACH FIELD MATTERS: the header marks this as the first protected message · the selected algorithms bind the keys (Chapter 7) · ngKSI lets later messages reference this context · the replayed capabilities close the bidding-down hole · the NAS-MAC proves the AMF holds K_NASint — a fake AMF can’t produce it.]
Purpose: field-by-field, what the SMC carries and why. The first protected message must be integrity-protected (so the UE can trust the algorithm choice) before ciphering fully engages.

8.3 The Algorithms: NEA Ciphering, NIA Integrity

5G defines a small, shared algorithm set used by both NAS and AS (Chapter 9). Ciphering algorithms are NEA0–NEA3; integrity algorithms are NIA0–NIA3. The “0” variants are null — and where they belong is a recurring theme of this book.

ID | Ciphering (NEA) | Integrity (NIA) | Core
0 | NEA0 — null (no encryption) | NIA0 — null (no integrity) | — (emergency only)
1 | 128-NEA1 | 128-NIA1 | SNOW 3G
2 | 128-NEA2 | 128-NIA2 | AES (CTR / CMAC)
3 | 128-NEA3 | 128-NIA3 | ZUC
FIGURE 8.4 NEA Ciphering — How a NAS Message Is Encrypted
[Figure: NEA( · ) with key = K_NASenc and inputs COUNT (freshness), BEARER id, DIRECTION (0/1) and LENGTH produces a pseudo-random, per-message KEYSTREAM block; NAS plaintext XOR keystream = ciphertext. The inputs (COUNT, BEARER, DIRECTION) make every keystream block unique: reuse any one (key, COUNT, bearer, direction) combination and the XOR cipher breaks (Chapter 7 pitfall).]
Purpose: stream-cipher mechanics shared by NAS and AS. The uniqueness inputs are why COUNT discipline (Chapter 7) is non-negotiable.
FIGURE 8.5 NIA Integrity — How a NAS Message Is Authenticated
[Figure: NIA( · ) with key = K_NASint over COUNT, BEARER, DIRECTION + the whole message → 32-bit MAC-I, sent as message ∥ MAC-I (appended). The receiver recomputes MAC-I and compares; mismatch → discard (tamper/replay). Integrity is MANDATORY for NAS signaling (except a few pre-security messages): even when NEA0 ciphering is used, NIA must protect integrity.]
Purpose: the integrity half. Note the asymmetry with ciphering: NAS integrity is essentially always on, because a forged command is more dangerous than a read message.
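An added example (not from the book or any 3GPP implementation) of how the uniqueness inputs of Figure 8.4 enter the cipher, using 128-NEA2: TS 33.501 Annex D defines its AES-CTR counter block as COUNT | BEARER | DIRECTION | zero bits, so the code builds that block, ciphers with it, and then demonstrates the keystream-reuse failure from Chapter 7. The key, the plaintexts and the BEARER value (the NAS connection identifier, one value per access type) are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// nea2CounterBlock builds the first AES-CTR counter block of 128-NEA2 (TS 33.501 Annex D): COUNT (32 bits) |
// BEARER (5 bits) | DIRECTION (1 bit) | 26 + 64 zero bits. For NAS, BEARER is the NAS connection identifier
// (one value per access type, constructed below) and DIRECTION is 0 for uplink, 1 for downlink.
func nea2CounterBlock(count uint32, bearer, direction byte) [16]byte {
	var blk [16]byte
	binary.BigEndian.PutUint32(blk[:4], count)
	blk[4] = (bearer&0x1f)<<3 | (direction&1)<<2
	return blk
}

// nea2 ciphers data under K_NASenc; CTR mode is a plain XOR, so the same call on the ciphertext deciphers.
func nea2(key []byte, count uint32, bearer, direction byte, data []byte) []byte {
	block, err := aes.NewCipher(key) // 128-NEA2: 16-byte key
	if err != nil {
		panic(err)
	}
	iv := nea2CounterBlock(count, bearer, direction)
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv[:]).XORKeyStream(out, data)
	return out
}

// leaksPlaintextXOR ciphers p1 under count1 and p2 under count2 (same key, bearer, direction) and reports
// whether c1 XOR c2 equals p1 XOR p2 over their common length. With count1 == count2 the keystream repeats
// and the equality always holds: an eavesdropper recovers p1 XOR p2 with no key at all (Chapter 7 pitfall).
func leaksPlaintextXOR(key []byte, count1, count2 uint32, bearer, direction byte, p1, p2 []byte) bool {
	c1 := nea2(key, count1, bearer, direction, p1)
	c2 := nea2(key, count2, bearer, direction, p2)
	n := copy(make([]byte, len(p1)), p2) // min(len(p1), len(p2))
	for i := 0; i < n; i++ {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false
		}
	}
	return true
}

func main() {
	key, p1, p2 := []byte("constructed-key!"), []byte("Registration Accept (constructed)"), []byte("PDU Session Establishment Accept (constructed)")
	fmt.Println("COUNT reused, p1^p2 recoverable:", leaksPlaintextXOR(key, 42, 42, 1, 1, p1, p2))
	fmt.Println("COUNT fresh, nothing recoverable: ", leaksPlaintextXOR(key, 42, 43, 1, 1, p1, p2))
}
```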

8.4 NAS COUNT and Replay Protection

Each direction (uplink, downlink) has a NAS COUNT: a counter combining a sequence number and an overflow counter. It feeds both ciphering and integrity as a freshness input, and the receiver rejects messages whose COUNT it has already seen — a captured-and-replayed NAS message simply fails.

FIGURE 8.6 NAS COUNT — Structure and Replay Defense
[Figure: NAS COUNT (per direction) = overflow counter ∥ sequence number; it increments every NAS message, with uplink and downlink counted separately. REPLAY ATTACK, and why it fails: an attacker captures a message (COUNT=42) and replays it later; the UE/AMF peer has already seen COUNT 42 → DISCARD.]
Purpose: the counter that makes NAS messages one-time. Because COUNT also feeds the MAC, an attacker cannot “fix up” a replayed message to a new COUNT without KNASint.

8.5 Bidding-Down Defense: the Replayed Capabilities

Here is the attack 5G specifically closes. The UE’s security capabilities (which NEA/NIA it supports) are sent in the unprotected registration. A man-in-the-middle could strip the strong ones, hoping the AMF then selects a weak (or null) algorithm. 5G’s defense: the AMF echoes the capabilities back inside the integrity-protected SMC, and the UE compares them to what it actually sent. Any tampering shows up as a mismatch, and the UE aborts.

FIGURE 8.7 Defeating Bidding-Down with Replayed Capabilities
[Figure: UE ↔ MitM ☠ ↔ AMF.
① Registration: caps = {NEA1,2,3 · NIA1,2,3}; the attacker strips them to {NEA0 · NIA0}.
② MitM forwards the weakened caps; the AMF sees only {NEA0, NIA0} but ECHOES exactly what it got.
③ SMC (integrity-protected): replayed caps = {NEA0, NIA0}.
④ UE: “I sent {NEA1,2,3, NIA1,2,3}!” replayed ≠ sent → MODIFICATION DETECTED.
⑤ UE aborts; the attack fails.]
Purpose: the bidding-down defense in action. The integrity-protected echo turns a silent downgrade into a detectable, abortable event — provided NIA is not itself null (which is why NIA0 outside emergency is so dangerous).
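The UE-side processing of the SMC from §8.4 and §8.5 (MAC first, then COUNT freshness, then the replayed capabilities, then a refusal of NIA0), as an added example that is not part of the book or of any 3GPP implementation. It assumes a constructed K_NASint; because AES-CMAC is not in Go's standard library it uses HMAC-SHA256 truncated to 32 bits as a stand-in for 128-NIA2, keeping the COUNT | BEARER | DIRECTION input layout, and the NAS connection identifier used as BEARER is an assumed value.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

type Caps [2]byte // UE security capabilities: [0] bitmap of supported NEAn, [1] of NIAn (bit n = algorithm n)

// SecurityModeCommand holds the SMC fields of Figure 8.3 (simplified: the full 32-bit COUNT is carried, not only its 8-bit SQN).
type SecurityModeCommand struct {
	SelectedNEA, SelectedNIA, NgKSI byte
	ReplayedCaps                    Caps   // what the AMF received in the unprotected registration
	Count                           uint32 // downlink NAS COUNT the MAC is computed under
	MAC                             []byte // NAS-MAC, 32 bits
}

var (
	ErrBadMAC  = errors.New("NAS-MAC mismatch: sender does not hold K_NASint")
	ErrReplay  = errors.New("NAS COUNT not fresh: replayed message")
	ErrBidDown = errors.New("replayed capabilities differ from those sent: modification detected")
	ErrNIA0    = errors.New("NIA0 selected: null integrity refused (emergency exception not modelled)")
)

// tag computes the 32-bit NAS-MAC over COUNT | BEARER | DIRECTION | message body; the AMF stores it in MAC, the UE
// recomputes it. Stand-in: HMAC-SHA256 truncated to 32 bits instead of 128-NIA2 (AES-CMAC); input layout as in TS 33.501 Annex D.
func (s SecurityModeCommand) tag(key []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte{byte(s.Count >> 24), byte(s.Count >> 16), byte(s.Count >> 8), byte(s.Count), 0x01<<3 | 1<<2}) // BEARER (assumed 0x01), DIRECTION 1 = downlink
	m.Write([]byte{s.SelectedNEA, s.SelectedNIA, s.NgKSI, s.ReplayedCaps[0], s.ReplayedCaps[1]})
	return m.Sum(nil)[:4]
}

// HandleSMC is step ② of Figure 8.2 on the UE side: sentCaps is what the UE really sent, lastDL the last accepted
// downlink COUNT (-1 for a fresh context). The MAC is checked first, because until it verifies nothing else in the
// message is known to come from a holder of K_NASint. On success it returns the COUNT to record as accepted.
func HandleSMC(key []byte, sentCaps Caps, lastDL int64, smc SecurityModeCommand) (int64, error) {
	switch {
	case !hmac.Equal(smc.tag(key), smc.MAC):
		return lastDL, ErrBadMAC
	case int64(smc.Count) <= lastDL:
		return lastDL, ErrReplay
	case smc.ReplayedCaps != sentCaps:
		return lastDL, ErrBidDown
	case smc.SelectedNIA == 0:
		return lastDL, ErrNIA0
	}
	return int64(smc.Count), nil
}
```

To drive it, sign an SMC on the AMF side with `smc.MAC = smc.tag(key)` and hand it to `HandleSMC`; a stripped-capabilities message with a valid MAC comes back as ErrBidDown, and the same message delivered twice as ErrReplay.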
FIGURE 8.8 Protecting Initial NAS Messages
[Figure: two cases. When a security context exists, the initial NAS message is sent in “cleartext IE” + ciphered remainder form: only the IEs the AMF needs to route/identify are sent in clear and the rest is protected, minimizing what an eavesdropper sees. When no context exists yet, the very first message (e.g. initial registration with SUCI) can’t be ciphered, but SUCI already conceals identity (Ch 4) and the SMC retroactively confirms caps → the exposure window is minimized by design.]
Purpose: the careful handling of the bootstrap problem. 5G ciphers what it can as early as it can, and uses SUCI + the SMC echo to cover the unavoidable first message.

8.6 NAS Security Contexts and Multiple Connections

FIGURE 8.9 NAS Security Contexts — Native/Mapped, Full/Partial
[Figure: four context labels.
NATIVE: created by a 5G authentication run; full 5G security level.
MAPPED: derived from an EPS (4G) context at interworking; carries the 4G ceiling (Ch 17).
PARTIAL: keys exist but security not yet activated (pre-SMC) → becomes FULL after SMC.
FULL: algorithms selected, protection active; the normal operating state.
An audit question worth asking: how many of your subscribers are running on MAPPED contexts right now? (i.e. effectively at 4G security)]
Purpose: the context vocabulary you will meet in traces and at the 4G/5G boundary. “Mapped” is the one to watch — it quietly imports the source system’s security level.
FIGURE 8.10 Multiple NAS Connections — One KAMF, Separate COUNTs
[Figure: K_AMF (shared), one per UE in the AMF. 3GPP access NAS connection, via gNB: own UL/DL NAS COUNT pair, own NAS keys (from K_AMF). Non-3GPP access NAS connection, via N3IWF (Wi-Fi): SEPARATE UL/DL NAS COUNT pair, own NAS keys (from the same K_AMF).]
Purpose: how one subscriber can be securely attached over cellular and Wi-Fi at once. Separate COUNTs prevent cross-access replay; the shared KAMF keeps it one identity.
FIGURE 8.11 NAS Security Across the Common Procedures
[Figure: Registration: first msg SUCI (concealed), then SMC → protected, caps echoed & verified. Service Request: integrity-protected with the existing context (ngKSI), replay-protected by COUNT. Periodic Update: keeps the registration alive under NAS protection; GUTI reallocation happens here (Ch 4). The rule: once a context exists, NAS integrity is ALWAYS on; ciphering per policy/algorithm.]
Purpose: NAS security isn’t a one-time event — every subsequent procedure runs under it. Integrity is the constant; ciphering depends on the selected NEA.
FIGURE 8.12 NAS Security Context — State Machine
[Figure: NO context (pre-authentication) → authenticate → PARTIAL context (keys, not yet active) → NAS SMC → FULL context (protection active) → context release / deregistration / re-authentication.]
Purpose: the lifecycle in one picture — what state a UE’s NAS security is in at any moment, and what moves it between states.

8.7 The Practical Operator View

Common misconfiguration risks

8.8 Threats and Mitigations

Threat | Vector | Defense
Algorithm bidding-down | strip caps in clear registration | integrity-protected replayed capabilities
NAS message replay | capture & resend signaling | NAS COUNT freshness + MAC
Forged NAS command | fake AMF / injection | NIA integrity (MAC from K_NASint)
Eavesdropping signaling | passive capture | NEA ciphering + initial-message protection
Null-protection abuse | NEA0/NIA0 misconfig | policy forbidding null outside emergency; KPI
Downgrade via mapped context | 4G→5G interworking | policy control (Chapter 17)

8.9 Terminology, Example, Checklist

Term | Meaning
NAS | Non-Access Stratum — UE↔AMF signaling, transparent to the gNB
NAS SMC | NAS Security Mode Command — activates protection, selects algorithms
NEA0–3 / NIA0–3 | Ciphering / integrity algorithms (null, SNOW 3G, AES, ZUC)
NAS COUNT | Per-direction counter feeding freshness + replay protection
replayed capabilities | UE security capabilities echoed in the SMC to detect tampering
native / mapped context | From a 5G auth / converted from a 4G context

Real network example. A security team auditing a new 5G SA launch captured the NAS exchange and found registrations completing with NIA2 integrity but NEA0 (null) ciphering — signaling was authenticated but readable. The cause: the AMF’s ciphering algorithm priority list had NEA0 at the top, a copy-paste from an early integration profile. Because integrity (NIA2) was intact, the bidding-down defense still worked and there was no active attack — but every subscriber’s NAS content (including, on some messages, slice and session details) was being sent in clear. Fix: reorder to NEA2/NEA3 first, NEA0 emergency-only, and add a KPI alarm on null-ciphered registrations. Integrity saved them from attack; the cipher misconfig still leaked content.

Chapter Summary

Review Questions

  1. Why does NAS need its own security when the radio (AS) is already encrypted?
  2. Walk through the NAS SMC. Which message is integrity-protected but not ciphered, and why must it be that order?
  3. Explain precisely how the replayed-capabilities mechanism defeats a bidding-down attacker — and why NIA0 would break it.
  4. How does NAS COUNT stop a replayed message, and why can’t the attacker simply change the COUNT?
  5. A trace shows NIA2 but NEA0 on registrations. Is the network under attack? What is leaking, and what do you fix?
  6. Distinguish native and mapped NAS security contexts and the security implication of each.
  7. Why does a UE attached over both cellular and Wi-Fi keep two NAS COUNT pairs but one K_AMF?
  8. Which NAS procedures run under security after the context exists, and what is always-on vs policy-dependent?
🧪 Mini lab — watch NAS protection switch on

With Open5GS + UERANSIM + Wireshark: (1) Capture a full registration and find the Security mode command and Security mode complete — note which message is integrity-protected-only and which is fully ciphered. (2) Expand the SMC and locate the replayed UE security capabilities IE; confirm it matches the capabilities the UE sent earlier. (3) In the UERANSIM/AMF config, force the AMF ciphering priority to NEA0 and re-capture — observe NAS payloads become readable while integrity (NIA) stays on, reproducing the real-network example. (4) Restore NEA2 first. You have now seen, in packets, both the protection turning on and the exact misconfiguration that silently disables confidentiality.