Where the keys finally meet the bits — and 5G’s headline upgrade
“4G encrypted your data but never checked whether someone changed it in flight. That single omission was exploited. 5G’s answer has a name: user-plane integrity.”
— THE POINT OF THIS CHAPTER
Access Stratum (AS) security is the protection between the UE and the gNB — the radio link itself. It runs in the PDCP layer and covers both signaling (RRC) and user data. This chapter walks the AS Security Mode Command, the RRC and user-plane ciphering and integrity, and 5G’s defining radio-security upgrade: user-plane integrity protection, the fix for the aLTEr class of attacks.
🎯 Learning objectives
Explain the AS security model and where it executes (PDCP).
Walk the AS Security Mode Command.
Describe RRC ciphering and integrity, and user-plane ciphering and integrity.
Explain the UP security policy (SMF → gNB) and the required/preferred/not-needed model.
Explain how user-plane integrity closes the aLTEr attack.
📘 Standards reference box — Chapter 9
| Specification | Title | Release / version verified |
| --- | --- | --- |
| TS 33.501 | 5G security — AS security & UP security policy (clause 6.5, 6.6) | Rel-18, v18.11.0 (2026-04) |
| TS 38.331 | NR RRC — security mode, RRC protection | Rel-18/19 edition |
| TS 38.323 | NR PDCP — ciphering & integrity execution | Rel-18/19 edition |
Checked June 2026 — verify against the latest 3GPP version. Full-rate UP integrity is Rel-16+; confirm RAN capability.
9.1 The Access-Stratum Model — Security in PDCP
AS security protects the Uu interface. Both RRC signaling and user data are secured in the PDCP layer using the AS keys derived from K_gNB (Chapter 7). RRC gets ciphering and integrity; user data gets ciphering and — new in 5G — optional integrity. Everything terminates at the gNB; the keys live there, which is why the gNB’s physical and platform security matters (Chapter 15).
FIGURE 9.1 AS Security in the NR Stack — It All Happens in PDCP
Purpose: where radio security executes. PDCP is the single layer that ciphers and integrity-protects everything on the air — both your RRC commands and your data packets.
9.2 The AS Security Mode Command
After NAS security and the delivery of K_gNB, the gNB activates radio protection with its own AS Security Mode Command over RRC — selecting the AS algorithms and switching on RRC protection. Like NAS, the first message is integrity-protected so the UE can trust the algorithm choice before ciphering fully engages.
FIGURE 9.2 The AS Security Mode Command Procedure
Purpose: the radio counterpart of the NAS SMC. RRC integrity starts first (so the algorithm choice is trustworthy), then full RRC ciphering, then data bearers are established under the UP security policy.
FIGURE 9.3 SRB vs DRB — What Gets Which Protection
Purpose: the protection matrix you must know cold. Signaling integrity is mandatory; the headline change is that data integrity is now possible at all.
9.3 RRC Ciphering and Integrity
FIGURE 9.4 RRC Protection — Ciphering and Integrity in PDCP
Purpose: RRC is the gNB’s command channel to the UE — so it gets both confidentiality and mandatory integrity. A forged RRC reconfiguration could move a UE or change its security; integrity stops it.
FIGURE 9.5 The PDCP COUNT — HFN + SN
Purpose: the AS freshness counter. The HFN extends the short on-air SN so the effective COUNT space is huge — but not infinite, which is why long-lived bearers need re-keying.
9.4 User-Plane Ciphering and Integrity
User data on a DRB is ciphered in PDCP with K_UPenc exactly like RRC. The new dimension is user-plane integrity with K_UPint: each data PDU can carry a MAC-I, so the network (and UE) reject modified user packets. Whether it’s on is decided by the UP security policy.
FIGURE 9.6 User-Plane Protection — Ciphering Always, Integrity by Policy
Purpose: the two halves of user-plane protection. Confidentiality is the old guarantee; integrity is the new one — and the one attackers had learned to exploit in its absence.
9.5 Why UP Integrity Matters: the aLTEr Attack
In LTE, user data was encrypted but not integrity-protected. Stream ciphers are malleable: flip a bit in the ciphertext and you flip the same bit in the plaintext. Researchers’ aLTEr attack used this to alter encrypted DNS requests, silently redirecting a victim to a malicious server — without ever breaking the encryption. 5G’s user-plane integrity makes any such modification fail the MAC check.
FIGURE 9.7 The aLTEr Attack — and How UP Integrity Stops It
Purpose: the concrete attack that justifies an entire new key. Encryption hides content but doesn’t protect integrity — and for control-carrying traffic like DNS, integrity is what actually matters.
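The malleability described in 9.5, and the MAC-I check that defeats it, as an added example that is not from the original chapter. The keystream and tag functions are toy stand-ins for NEA and NIA built from the Python standard library, and the keys, COUNT value and payload are constructed.

```python
import hashlib
import hmac
import struct

# Constructed keys and payload, for illustration only.
K_UPENC = bytes(range(16))
K_UPINT = bytes(range(16, 32))
PAYLOAD = b"resolver=10.0.0.53"

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key: bytes, count: int, n: int) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for NEA."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">II", count, block)).digest()
        block += 1
    return out[:n]

def mac_i(key: bytes, count: int, data: bytes) -> bytes:
    """4-byte tag from truncated HMAC-SHA256, a stand-in for NIA's MAC-I."""
    return hmac.new(key, struct.pack(">I", count) + data, hashlib.sha256).digest()[:4]

def send_pdu(count: int, payload: bytes, integrity: bool) -> bytes:
    # Integrity tag is computed first, then payload and tag are ciphered together.
    body = payload + (mac_i(K_UPINT, count, payload) if integrity else b"")
    return xor(body, keystream(K_UPENC, count, len(body)))

def receive_pdu(count: int, pdu: bytes, integrity: bool):
    body = xor(pdu, keystream(K_UPENC, count, len(pdu)))
    if not integrity:
        return body                      # LTE-style DRB: nothing to verify
    payload, tag = body[:-4], body[-4:]
    if not hmac.compare_digest(tag, mac_i(K_UPINT, count, payload)):
        return None                      # discard PDU, count an integrity failure
    return payload

def modify_in_flight(pdu: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """XOR the difference of two plaintexts into the ciphertext; no key involved."""
    delta = xor(known, wanted)
    end = offset + len(delta)
    return pdu[:offset] + xor(pdu[offset:end], delta) + pdu[end:]

def run(integrity: bool):
    """Send one PDU, alter its last two bytes on the air, return what the receiver accepts."""
    pdu = send_pdu(7, PAYLOAD, integrity)
    altered = modify_in_flight(pdu, len(PAYLOAD) - 2, b"53", b"99")
    return receive_pdu(7, altered, integrity)
```

With integrity off the receiver accepts the altered payload as if it were genuine; with integrity on it returns `None`, which is the event a PDCP integrity-failure counter records.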
9.6 The UP Security Policy
Who decides whether a DRB gets integrity (and ciphering)? The SMF, per PDU session, sends a UP security policy to the gNB with two parameters — confidentiality and integrity — each set to required, preferred, or not needed. The gNB enforces it when setting up the DRB, and informs the UE.
Purpose: the policy that determines whether the aLTEr fix is actually active. “Preferred” is the trap — it can silently resolve to “off” on a RAN that lacks the capability, leaving you no integrity and no error.
FIGURE 9.9 UP Integrity at Line Rate — the Rel-16 Upgrade
Purpose: why the release matters operationally. Early 5G could only integrity-protect low-rate data; mandating full-rate UP integrity requires a Rel-16+ capable RAN.
FIGURE 9.10 The Bearer-Level Security Decision Tree
Purpose: exactly what happens per bearer. “Required” fails closed (reject); “preferred” fails open (silently off) — which is why security-critical slices must use “required,” not “preferred.”
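The per-bearer decision in 9.6, written as an audit an operator could run over slice policy and cell capability data. This is an added example, not code from the chapter or from any SMF or gNB product; the `Cell` and `Session` records, the capability figure in kbps, and the inventory values are all constructed assumptions.

```python
from dataclasses import dataclass

REQUIRED, PREFERRED, NOT_NEEDED = "required", "preferred", "not needed"

@dataclass
class Cell:
    name: str
    max_integrity_kbps: int   # hypothetical capability figure; 0 = no UP integrity

@dataclass
class Session:
    dnn: str
    integrity: str            # UP security policy value sent by the SMF
    bearer_kbps: int
    critical: bool

def resolve(policy: str, cell: Cell, bearer_kbps: int):
    """Return (outcome, integrity_applied) for one DRB setup on one cell."""
    capable = cell.max_integrity_kbps >= bearer_kbps
    if policy == REQUIRED:       # fails closed
        return ("established", True) if capable else ("rejected", False)
    if policy == PREFERRED:      # fails open
        return ("established", capable)
    if policy == NOT_NEEDED:
        return ("established", False)
    raise ValueError(f"unknown UP integrity policy: {policy!r}")

def audit(sessions, cells):
    """List (dnn, cell, finding) for every combination an operator should review."""
    findings = []
    for s in sessions:
        for c in cells:
            outcome, applied = resolve(s.integrity, c, s.bearer_kbps)
            if outcome == "rejected":
                findings.append((s.dnn, c.name, "rejected: cell cannot meet 'required'"))
            elif s.critical and not applied:
                findings.append((s.dnn, c.name, f"unprotected: policy '{s.integrity}'"))
    return findings

# Constructed inventory, loosely modelled on a control slice spanning old and new cells.
CELLS = [Cell("cell-a-rel15", 64), Cell("cell-b-rel16", 1_000_000)]
SESSIONS = [
    Session("plc-control", PREFERRED, 2_000, critical=True),
    Session("plc-control-fixed", REQUIRED, 2_000, critical=True),
    Session("internet", NOT_NEEDED, 500_000, critical=False),
]

if __name__ == "__main__":
    for row in audit(SESSIONS, CELLS):
        print(row)
```

The "unprotected" finding produces no error in the network itself, while the "rejected" finding appears as a failed session setup; only the second is visible without an audit like this.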
FIGURE 9.11 gNB Security Requirements Map
Purpose: AS security isn’t just algorithms — it assumes the gNB protects its keys. A physically compromised gNB undermines the strongest cipher.
FIGURE 9.12 What an Attacker Sees on the Air
Purpose: the difference AS security makes, from the attacker’s seat. Even with perfect ciphering, traffic-analysis metadata remains — a reminder that confidentiality ≠ full privacy (Chapter 19).
FIGURE 9.13 End-to-End — an App Packet Through the Security Layers
Purpose: follow a byte from the app to the antenna. Security lives at one well-defined layer — PDCP — which is why “where is it encrypted?” always has the same answer on the radio.
FIGURE 9.14 AS and NAS — Two Independent Shields
Purpose: keep the two layers distinct. They use different keys, cover different spans, and a UE needs both — NAS for its conversation with the core, AS for its link to the gNB.
FIGURE 9.15 Choosing UP Integrity by Service — an Operator Map
Purpose: a practical policy guide. The classic mistake (Chapter 1’s example) is copying the eMBB “not needed” default into an enterprise or IoT slice where integrity is exactly the point.
9.7 The Practical Operator View
Use “required,” not “preferred,” for UP integrity on security-critical PDU sessions — “preferred” fails open.
Confirm your RAN is Rel-16+ full-rate UP integrity capable before mandating it on high-throughput bearers.
Set per-DNN / per-slice UP security policies in the SMF deliberately; never let an eMBB template define an enterprise slice (Chapter 20).
Forbid NEA0/NIA0 on the AS outside emergency; alarm on null AS protection.
Monitor PDCP integrity-failure counters — clusters can indicate tampering attempts or radio issues.
Common misconfiguration risks
UP integrity “preferred” on a slice that needs it → silently off on a non-capable gNB.
eMBB “not needed” default copied into enterprise/IoT slices.
AS NEA0 high in algorithm priority → null radio ciphering.
K_gNB never refreshed on long-lived stationary bearers → COUNT exhaustion (Chapter 7).
9.8 Threats and Mitigations
| Threat | Vector | Defense |
| --- | --- | --- |
| User-plane modification (aLTEr) | bit-flip encrypted data | UP integrity (K_UPint), policy = required |
| RRC command forgery | inject/alter RRC | mandatory RRC integrity (K_RRCint) |
| Radio eavesdropping | passive capture | RRC + UP ciphering (NEA) |
| Keystream reuse | COUNT exhaustion | HFN+SN COUNT, K_gNB refresh |
| Silent integrity bypass | “preferred” on weak RAN | use “required”; verify RAN capability |
| Key extraction at site | physical gNB compromise | secure storage, secure boot (Ch 15) |
9.9 Terminology, Example, Checklist
| Term | Meaning |
| --- | --- |
| AS | Access Stratum — UE↔gNB radio-link protection |
| PDCP | The layer where AS ciphering and integrity execute |
| SRB / DRB | Signaling radio bearer (RRC) / data radio bearer (user data) |
| K_RRCenc/int, K_UPenc/int | RRC and user-plane ciphering/integrity keys (from K_gNB) |
| aLTEr | The LTE attack exploiting absent user-plane integrity |
Real network example. An industrial customer’s private-5G slice (Chapter 21) carried PLC control traffic. During acceptance testing, the integrator captured DRB setup and found UP integrity resolving to “off” despite the slice template saying “preferred.” The gNB model on site was an early Rel-15 unit that could only integrity-protect at a low rate, so “preferred” silently dropped it for the higher-rate control bearer. For a factory where a tampered command could move a robot arm, “off” was unacceptable. Fix: set the slice’s UP integrity to required (forcing the issue) and upgrade the affected cells to Rel-16-capable units; sessions on non-capable cells were then correctly rejected rather than silently unprotected. “Required” turned a silent gap into a visible, fixable error.
For each security-critical slice/DNN, confirm UP integrity = required (not preferred).
Verify RAN release supports full-rate UP integrity where you mandate it.
Capture a DRB setup: confirm the protection actually applied matches policy.
Confirm AS NEA0/NIA0 are emergency-only in algorithm priority.
Expose PDCP integrity-failure and COUNT-wrap indicators in monitoring.
Confirm K_gNB refresh policy for long-lived/stationary bearers.
★ Chapter Summary
AS security protects the UE↔gNB link and executes in PDCP, keyed from K_gNB.
The AS SMC activates radio protection; SRB (RRC) gets mandatory integrity + ciphering; DRB (data) gets ciphering + policy-controlled integrity.
User-plane integrity (K_UPint) is 5G’s headline upgrade — it closes the aLTEr class of attacks by making modified data PDUs fail the MAC check.
The SMF sets the UP security policy (required/preferred/not-needed); the gNB enforces it. “Preferred” fails open — use “required” for critical traffic.
Full-rate UP integrity needs a Rel-16+ RAN; the gNB must also protect its keys physically (Chapter 15).
? Review Questions
In which layer does AS security execute, and what two key pairs does it use?
Why is RRC integrity mandatory while user-plane integrity is policy-controlled?
Explain the aLTEr attack and exactly how user-plane integrity defeats it.
Contrast “required,” “preferred,” and “not needed” — which fails open, which fails closed, and why does it matter?
Why might mandating full-rate UP integrity fail on a Rel-15 RAN, and what is the correct response?
How does the PDCP COUNT (HFN+SN) prevent keystream reuse, and what triggers the need to refresh K_gNB?
A private-5G control slice shows UP integrity “off” despite a “preferred” template. Diagnose and fix it.
Distinguish AS and NAS security: spans, keys, and why a UE needs both.
🧪 Mini lab — see UP integrity decide
With Open5GS + UERANSIM: (1) Set the SMF UP security policy for a DNN to integrity = preferred and bring up a PDU session; capture the RRC/DRB setup and note whether integrity was actually applied. (2) Change the policy to required; if your UERANSIM gNB advertises the capability, confirm integrity is now on; if not, confirm the session is rejected rather than silently unprotected — the “fails closed” behavior. (3) Force AS ciphering to NEA0 and capture: see RRC and data become readable. (4) Restore NEA2 and integrity = required. You have now demonstrated, in packets, both 5G’s headline upgrade and the exact policy setting that makes it real.