1. (p48)If the initial NAS message is a CONTROL PLANE SERVICE REQUEST message, the UE shall send the message integrity protected. If an ESM message container information element or a NAS message container information element is included the message shall be sent partially ciphered (see clause 4.4.5), otherwise the message shall be sent unciphered.
CONTROL PLANE SERVICE REQUES消息:
2. (p55)When the UE establishes a new NAS signalling connection, it shall send the initial NAS message
- partially ciphered, if it is a CONTROL PLANE SERVICE REQUEST message including an ESM message container information element or a NAS message container information element; and
- unciphered, if it is any other initial NAS message.
The UE shall partially cipher the CONTROL PLANE SERVICE REQUEST message by ciphering the value part of the ESM message container IE or the value part of the NAS message container, using the ciphering algorithm of the current EPS security context.
当UE建立新的NAS信令连接时,它应发送初始NAS消息
3. (p50)During the handover from UTRAN/GERAN to E-UTRAN, when a mapped EPS security context is derived and taken into use, the UE shall set both the uplink and downlink NAS COUNT counters to zero.
在从 UTRAN/GERAN 到 E-UTRAN 的切换过程中,当一个映射的 EPS 安全上下文被导出并被使用时。 UE 应将上行链路和下行链路 NAS COUNT 计数器都设置为零。
4. (p51)Replay protection must assure that one and the same NAS message is not accepted twice by the receiver. Specifically, for a given EPS security context, a given NAS COUNT value shall be accepted at most one time and only if message integrity verifies correctly. Replay protection is not applicable when EIA0 is used.
重放保护必须确保同一条 NAS 消息不会被接收方接受两次。具体来说,对于给定的 EPS 安全上下文,给定的 NAS COUNT 值最多应被接受一次,并且仅当消息完整性验证正确时。当使用 EIA0 时,重放保护不适用。
5. (p52)If for some reason a new KASME has not been established using AKA before the NAS COUNT wraps around, the node (MME or UE) in need of sending a NAS message shall instead release the NAS signalling connection. Prior to sending the next uplink NAS message, the UE shall delete the eKSI indicating the current EPS security context.
如果在NAS COUNT回绕之前没有使用AKA建立新的KASME,那么UE应释放NAS信令连接。在发送下一条上行NAS消息之前,UE应删除表示当前EPS安全上下文的eKSI。
6. (p53)Except the messages listed below, no NAS signalling messages shall be processed by the receiving EMM entity in the UE or forwarded to the ESM entity, unless the network has established secure exchange of NAS messages for the NAS signalling connection:
- IDENTITY REQUEST (if requested identification parameter is IMSI);
- AUTHENTICATION REQUEST;
- AUTHENTICATION REJECT;
- ATTACH REJECT (if the EMM cause is not #25);
- DETACH ACCEPT (for non switch off);
- TRACKING AREA UPDATE REJECT (if the EMM cause is not #25);
- SERVICE REJECT (if the EMM cause is not #25).
在安全激活前,只有这些消息在无完保下可以被UE接收
7. (p53)If NAS signalling messages, having not successfully passed the integrity check, are received, then the NAS in the UE shall discard that message.
在安全激活后,若UE收到未通过完整性校验的NAS信令消息,则丢弃。
8. (p71)If the UE performs a successful attach or combined attach procedure in S1 mode, it shall enter substates GMM-REGISTERED.NO-CELL-AVAILABLE and EMM-REGISTERED.NORMAL-SERVICE. The UE resets the attach attempt counter and the GPRS attach attempt counter (see 3GPP TS 24.008 [13]).
如果UE在S1模式下成功执行了附着或组合附着程序,它应进入子状态GMM-REGISTERED.NO-CELL-AVAILABLE和EMM-REGISTERED.NORMAL-SERVICE。UE重置附加尝试计数器和GPRS附加尝试计数器
9. (p71) If the UE performs a successful GPRS attach or combined GPRS attach procedure in A/Gb or Iu mode, it shall enter substates GMM-REGISTERED.NORMAL-SERVICE and EMM-REGISTERED.NO-CELL-AVAILABLE. The UE resets the attach attempt counter and the GPRS attach attempt counter (see 3GPP TS 24.008 [13]).
如果UE在A/Gb或Iu模式下成功执行了GPRS附着或组合GPRS附着程序,它应进入子状态GMM-REGISTERED.NORMAL-SERVICE和EMM-REGISTERED.NO-CELL-AVAILABLE。UE重置附加尝试计数器和GPRS附加尝试计数器
10. (p72)UEs that operate in CS/PS mode 1 or CS/PS mode 2 of operation should not use any MM timers related to MM specific procedures (e.g. T3210, T3211, T3212, T3213) while camped on E-UTRAN, unless the re-activation of these timers is explicitly described. If the MM timers are already running, the UE should not react on the expiration of the timers.
以 CS/PS 模式 1 或 CS/PS 模式 2 运行的 UE 在驻留在 E-UTRAN 时不应使用与 MM 特定过程相关的任何 MM 计时器(例如 T3210、T3211、T3212、T3213),除非重新激活明确描述了这些定时器。如果 MM 计时器已经在运行,则 UE 不应在计时器到期时做出反应。
11. (p73)The UE shall initiate an attach or combined attach procedure if timer T3346 is not running. If timer T3346 is running, the UE shall initiate an attach or combined attach procedure on the expiry of timer T3346. The UE may initiate attach for emergency bearer services even if timer T3346 is running.
测试UE在EMM-DEREGISTERED状态下的NORMAL-SERVICE子状态执行attach or combined attach procedure程序前是否检查T3346定时器的值。
UE需要检查T3346定时器的值,若该定时器没有在运行,或者该定时器到期,或者执行的是紧急承载服务程序才可以进行attach or combined attach procedure。这是为了拥塞控制(T3346计时器:为了进行拥塞控制)
12. (p74&77)
If a new PLMN is selected, the UE shall reset the attach attempt counter .
测试UE在PLMN-SEARCH子状态下,当UE选了一个新的PLMN之后,是否有重置attach attempt counter
13. (p83)In the UE, when user plane CIoT EPS optimization is used: Upon indication from the lower layers that the RRC connection has been resumed when in EMM-IDLE mode with suspend indication, the UE shall enter EMM-CONNECTED mode. If the pending NAS message is:
i) a SERVICE REQUEST message;
ii) a CONTROL PLANE SERVICE REQUEST message, and the UE did not include any ESM message container, NAS message container, EPS bearer context status information element, or UE request type information element; or
iii) an EXTENDED SERVICE REQUEST message, and the Service type information element indicates "packet services via S1" and the UE did not include any EPS bearer context status information element, or UE request type information element;
the message shall not be sent. Otherwise the UE shall cipher the message as specified in clause 4.4.5 and send the pending initial NAS message upon entering EMM-CONNECTED mode;
在UE中,当使用用户平面CIoT EPS优化时,当处于有挂起指示的待机模式时,如果有较低层的RRC连接已经恢复的指示,则UE应进入联机模式。
只有挂起的NAS消息是这三类消息时,在进入联机模式时不用再次发送,将这三类消息丢弃,与该消息相对应的上行链路NAS COUNT值被重新用于要发送的下一个上行链路NAS消息。其他被挂起的NAS消息都需要再次发送,发送的消息是否需要加密根据之前的加密规则(不加密、部分加密、加密)
14. (p107)When the UE receives an AUTHENTICATION REQUEST message, the UE shall store the received RAND together with the RES returned from the USIM in the volatile memory of the ME. When the UE receives a subsequent AUTHENTICATION REQUEST message, if the stored RAND value is equal to the new received value in the AUTHENTICATION REQUEST message, then the ME shall not pass the RAND to the USIM, but shall send the AUTHENTICATION RESPONSE message with the stored RES. If there is no valid stored RAND in the ME or the stored RAND is different from the new received value in the AUTHENTICATION REQUEST message, the ME shall pass the RAND to the USIM, shall override any previously stored RAND and RES with the new ones and start, or reset and restart timer T3416.
为了避免同步失败,当UE收到AUTHENTICATION REQUEST消息时,UE应将收到的RAND与从USIM返回的RES一起存储在ME的易失性存储器中。当UE收到后续的AUTHENTICATION REQUEST消息时,如果存储的RAND值等于AUTHENTICATION REQUEST消息中的新接收值,那么ME就不应将RAND传递给USIM,而应发送带有存储的RES的AUTHENTICATION RESPONSE消息。如果ME中没有有效存储的RAND,或者存储的RAND与AUTHENTICATION REQUEST消息中的新接收值不同,则ME应将RAND传递给USIM,应以新的RAND和RES覆盖任何先前存储的RAND和RES,并启动或重置和重启定时器T3416。
15. (p107)The RAND and RES values stored in the ME shall be deleted and timer T3416 shall be stopped:
- upon receipt of a
- SECURITY MODE COMMAND,
- SERVICE REJECT,
- SERVICE ACCEPT,
- TRACKING AREA UPDATE REJECT,
- TRACKING AREA UPDATE ACCEPT, or
- AUTHENTICATION REJECT message;
- upon expiry of timer T3416;
- if the UE enters the EMM state EMM-DEREGISTERED or EMM-NULL; or
- if the UE enters EMM-IDLE mode.
在以下情况下,存储在ME中的RAND和RES值应被删除,定时器T3416(如果运行)应被停止:
- 在收到SECURITY MODE COMMAND、SERVICE REJECT、SERVICE ACCEPT、TRACKING AREA UPDATE REJECT、TRACKING AREA UPDATE ACCEPT或AUTHENTICATION REJECT消息时;
- 在定时器T3416到期时;
- UE进入EMM-DEREGISTERED或EMM-NULL状态;
- UE进入EMM-IDLE模式。
16. (p108)Upon receipt of an AUTHENTICATION REJECT message,
b)if the message is received without integrity protection and if timer T3416, T3418 or T3420 is running, the UE shall start timer T3247 with a random value uniformly drawn from the range between 30 minutes and 60 minutes, if the timer is not running.
如果在没有完整性保护的情况下接收到AUTHENTICATION REJECT消息,并且计时器 T3416、T3418 或 T3420 正在运行,则 UE 应启动计时器 T3247,如果计时器未运行,则从 30 分钟到 60 分钟之间的范围内均匀抽取随机值
17. (p108)If the AUTHENTICATION REJECT message is received by the UE, the UE shall abort any EMM signalling procedure, stop any of the timers T3410, T3416, T3417, T3430, T3421, T3418 or T3420 (if they were running) and enter state EMM-DEREGISTERED.
如果 UE 收到AUTHENTICATION REJECT消息,UE 应中止任何 EMM 信令过程,停止任何计时器 T3410、T3416、T3417、T3430、T3421、T3418 或 T3420(如果它们正在运行)并进入状态EMM-DEREGISTERED。
18. (p109)If the UE finds the MAC code (supplied by the core network in the AUTN parameter) to be invalid, the UE shall send an AUTHENTICATION FAILURE message to the network, with the EMM cause #20 "MAC failure", to the network and start timer T3418. Furthermore, the UE shall stop any of the retransmission timers that are running (e.g. T3410, T3417, T3421 or T3430).
如果UE发现MAC码(由核心网络在AUTN参数中提供)无效,UE应向网络发送AUTHENTICATION FAILURE消息,EMM原因#20 "MAC失败",并启动定时器T3418(见图5.4.2.7.1中的例子)。此外,UE应停止任何正在运行的重传定时器(如T3410、T3417、T3421或T3430)。
19. (p109)If the UE finds that the "separation bit" in the AMF field of AUTN supplied by the core network is 0, the UE shall send an AUTHENTICATION FAILURE message to the network, with the EMM cause #26 "non-EPS authentication unacceptable" , to the network and start the timer T3418 . Furthermore, the UE shall stop any of the retransmission timers that are running (e.g. T3410, T3417, T3421 or T3430).
如果UE发现核心网络提供的AUTN的AMF字段中的 "分离位 "为0,UE应向网络发送AUTHENTICATION FAILURE消息,EMM原因#26 "非EPS认证不可接受",并启动定时器T3418。此外,UE应停止任何正在运行的重传定时器(如T3410、T3417、T3421或T3430)。
20. (p109)If the UE finds the SQN (supplied by the core network in the AUTN parameter) to be out of range, the UE shall send an AUTHENTICATION FAILURE message to the network, with the EMM cause #21 "synch failure" and a re-synchronization token AUTS provided by the USIM, to the network and start the timer T3420. Furthermore, the UE shall stop any of the retransmission timers that are running (e.g. T3410, T3417, T3421 or T3430).
如果UE发现SQN(由核心网络在AUTN参数中提供)超出范围,UE应向网络发送AUTHENTICATION FAILURE消息,EMM原因#21 "同步失败 "和USIM提供的重新同步令牌AUTS,并启动定时器T3420。此外,UE应停止任何正在运行的重传定时器(如T3410、T3417、T3421或T3430)。
21. (p109)If the UE returns an AUTHENTICATION FAILURE message to the network, the UE shall delete any previously stored RAND and RES and shall stop timer T3416, if running.
如果UE向网络返回AUTHENTICATION FAILURE消息,UE应删除任何先前存储的RAND和RES,并应停止定时器T3416(如果运行)。
22. (p112)If an AUTHENTICATION REJECT message is received without integrity protection and if none of the timers T3416, T3418 and T3420 is running, then the UE shall discard the AUTHENTICATION REJECT message. Additionally, the UE may request RRC to locally release the RRC connection and treat the active cell as barred.
如果收到没有完整性保护的AUTHENTICATION REJECT消息,且T3416、T3418和T3420计时器均未运行,那么UE应丢弃AUTHENTICATION REJECT消息。此外,UE可以请求RRC在本地释放RRC连接,并将活动小区视为禁区。
23. (p117)The UE shall accept a SECURITY MODE COMMAND message indicating the "null integrity protection algorithm" EIA0 as the selected NAS integrity algorithm only if the message is received for a UE that has a PDN connection for emergency bearer services established, or a UE that is attached for access to RLOS, or a UE that is establishing a PDN connection for emergency bearer services or a UE that is requesting attach for access to RLOS.
只有在收到这些消息时,UE才应接受表明 "空完整性保护算法 "EIA0为所选NAS完整性算法的SECURITY MODE COMMAND消息
24. (p115)The UE shall process a SECURITY MODE COMMAND message including a KSI value in the NAS key set identifier IE set to "000" and EIA0 and EEA0 as the selected NAS security algorithms and, if accepted, create a locally generated KASME when the security mode control procedure is initiated:
- during an attach procedure for emergency bearer services;
- during an attach procedure for access to RLOS;
- during a tracking area updating procedure when the UE has a PDN connection for emergency bearer services;
- during a tracking area updating procedure when the UE has a PDN connection for access to RLOS;
- during a service request procedure when the UE has a PDN connection for emergency bearer services;
- during a service request procedure when the UE has a PDN connection for access to RLOS;
- after an authentication procedure when the UE has a PDN connection for emergency bearer services or is establishing a PDN connection for emergency bearer services; or
- after an authentication procedure when the UE has a PDN connection for access to RLOS or is establishing a PDN connection for access to RLOS.
对于MME发过来的NAS密钥集标识IE中的KSI值设置为 "000 "以及EIA0和EEA0作为选择的NAS安全算法的SECURITY MODE COMMAND消息,UE在这些情况下才应该处理它,并在安全模式控制程序启动时创建本地生成的KASME。
25. (p117)Upon receipt of the SECURITY MODE COMMAND message, the UE shall check whether the security mode command can be accepted or not. This is done by performing the integrity check of the message and by checking that the received replayed UE security capabilities, the received replayed UE additional security capabilities.if included in the SECURITY MODE COMMAND message, and the received nonceUE have not been altered compared to the latest values that the UE sent to the network.
收到SECURITY MODE COMMAND消息后,UE需要决定是否可以接受该安全模式命令。
通过检查消息的完整性检查和检查收到的重播UE安全能力、收到的重播UE额外安全能力(如果包括在SECURITY MODE COMMAND消息中)和收到的nonceUE与UE发送给网络的最新值相比没有被改变。
26. (p117)If the type of security context flag included in the SECURITY MODE COMMAND message is set to "native security context" and if the KSI matches a valid non-current native EPS security context held in the UE while the UE has a mapped EPS security context as the current EPS security context, the UE shall take the non-current native EPS security context into use which then becomes the current native EPS security context and delete the mapped EPS security context.
如果包含在SECURITY MODE COMMAND消息中的安全上下文类型标志被设置为 "本地安全上下文",并且如果KSI与UE中持有的有效的非当前本地EPS安全上下文相匹配,而UE有一个映射的EPS安全上下文作为当前EPS安全上下文,则UE应将非当前本地EPS安全上下文投入使用,然后成为当前本地EPS安全上下文,并删除映射的EPS安全上下文。
27. (p117)If the SECURITY MODE COMMAND message can be accepted, the UE shall take the EPS security context indicated in the message into use. The UE shall in addition reset the uplink NAS COUNT counter if:
- the SECURITY MODE COMMAND message is received in order to take an EPS security context into use created after a successful execution of the EPS authentication procedure;
- the SECURITY MODE COMMAND message received includes the type of security context flag set to "mapped security context" in the NAS key set identifier IE the eKSI does not match the current EPS security context, if it is a mapped EPS security context.
如果SECURITY MODE COMMAND消息被接受,UE要将采用该消息中指示的EPS安全上下文。并且UE还应在以下情况下重置上行链路NASCOUNT计数器:
28. (p118)if the SECURITY MODE COMMAND message can be accepted,the UE shall send a SECURITY MODE COMPLETE message integrity protected with the selected NAS integrity algorithm and the EPS NAS integrity key based on the KASME or mapped K'ASME indicated by the eKSI, and cipher the SECURITY MODE COMPLETE message with the selected NAS ciphering algorithm and the EPS NAS ciphering key based on the KASME or mapped K'ASME indicated by the eKSI. The UE shall set the security header type of the message to "integrity protected and ciphered with new EPS security context".
UE对收到的SECURITY MODE COMMAND消息进行检查判定之后,如果接受:
29. (p118)If, during an ongoing attach or tracking area updating procedure, the SECURITY MODE COMMAND message includes a HASHMME, the UE shall compare HASHMME with a hash value locally calculated from the entire plain ATTACH REQUEST or TRACKING AREA UPDATE REQUEST message that the UE had sent to initiate the procedure. If HASHMME and the locally calculated hash value are different, the UE shall include the complete ATTACH REQUEST or TRACKING AREA UPDATE REQUEST message which the UE had previously sent in the Replayed NAS message container IE of the SECURITY MODE COMPLETE message.
30. (p119)If the security mode command cannot be accepted, the UE shall send a SECURITY MODE REJECT message.
如果UE经过检查判定之后不接受security mode command,则UE 应发送SECURITY MODE REJECT消息。
31. (p121)If the UE cannot encode the requested identity in the IDENTITY RESPONSE message, then it shall encode the identity type as "no identity".
如果UE不能在IDENTITY RESPONSE消息中编码要求的身份(例如因为没有有效的USIM),那么它应将身份类型编码为 "无身份"。