In a communication system, a device (typically a mobile device) termed user equipment (UE) communicates wirelessly with a radio access network. Communications between the UE and the radio access network are effected in accordance with a multi-layered communications protocol.
The 3GPP 25.331 specification defines a Security Mode Command procedure, shown in FIG. 1, between the UE 102 and the radio access network 105.
Security consists of two aspects: optional ciphering and mandatory integrity protection. Ciphering provides encryption according to a ciphering configuration to ensure that all signaling and data messages transmitted between the UE and the radio access network are ciphered over the air interface to provide data confidentiality. Integrity protection provides protection against message manipulation between the UE and the radio access network. That is, integrity protection prevents third parties from sending unauthorised signaling messages between the UE and radio access network. Typically, both ciphering and integrity protection are enabled during a call.
As part of the Security Mode Command procedure, the radio access network sends a Security Mode Command 112 to the UE using the Radio Resource Control (RRC) protocol, with an indication of a new integrity protection configuration and a new cipher configuration. In response to the Security Mode Command, the UE sends an acknowledgement message 114 to the radio access network and subsequently sends an RRC Security Mode Complete message 116 to the radio access network. In response to receiving the Security Mode Complete message from the UE, the radio access network sends an acknowledgement message 118 to the UE.
The 3GPP 25.331 specification mandates a specific method to handle a cell update procedure during the security mode command procedure. This method is to abort the new integrity protection configuration and new cipher configuration, and continue with the original integrity protection configuration and cipher configuration (used prior to initiation of the security mode command procedure).
This is problematic because the Security Mode Command procedure terminates at different times in the UE and the radio access network, which can lead to the abortion of the Security Mode Command procedure in the UE but not in the radio access network. In particular, the radio access network terminates the Security Mode Command procedure when it sends the acknowledgement 118 to the UE after receipt of the Security Mode Complete message. In contrast, the UE terminates the Security Mode Command procedure when it receives the acknowledgement 118 for the Security Mode Complete message from the radio access network. The transmission of the acknowledgement 118 for the Security Mode Complete message from the radio access network to the UE is not completely reliable and therefore may not be received by the UE.
When the UE performs a Cell Update whilst it is waiting for the acknowledgement for the Security Mode Complete message from the radio access network, the UE aborts the Security Mode Command procedure; however, the radio access network does not abort the Security Mode Command procedure.
If the UE and radio access network do not abort the Security Mode Command procedure simultaneously, the ciphering and integrity protection configurations will not be the same in the UE and the radio access network, which leads to the RRC connection being lost.
This issue has been addressed in release 10 of the 3GPP 25.331 specification, which requires updated functions in the UE and the radio access network. In the 3GPP method, the Security Mode Command procedure is allowed to be completed early if the UE successfully integrity checks an RRC message received on SRB3 using integrity check parameters from the Security Mode Command. This may reduce the time during which the problem can occur, but does not address the problem described above. In the 3GPP method, the UE can signal to the radio access network in the Cell Update message if the Security Mode Command procedure was aborted. Because the Cell Update message is not ciphered, the radio access network can receive and process the Cell Update message and then align its security configuration for the UE to that indicated. The Change Requests that introduce and subsequently correct this method are 4427 (November 2010), 4583 (May 2011), and 4884 (November 2011), all applying to the 3GPP 25.331 specification.
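The following sketch is an added illustration, not code from the specification or from this document. It models the two termination points described above and shows how a lost acknowledgement 118 followed by a Cell Update leaves the UE and the radio access network on different configurations, and how the release 10 abort indication realigns them. The class names, the `run` helper and the configuration labels are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

OLD, NEW = "cfg-old", "cfg-new"  # constructed labels for the two security configurations

@dataclass
class UE:
    active: str = OLD
    pending: Optional[str] = None

    def on_security_mode_command(self, cfg: str) -> None:    # message 112
        self.pending = cfg
    def on_ack_118(self) -> None:
        # The UE terminates the procedure only when acknowledgement 118 arrives.
        self.active, self.pending = self.pending, None
    def cell_update(self) -> bool:
        # Cell Update while the procedure is still open: abort the new configuration.
        aborted = self.pending is not None
        self.pending = None
        return aborted

@dataclass
class RAN:
    active: str = OLD
    previous: str = OLD
    pending: Optional[str] = None

    def send_security_mode_command(self, cfg: str) -> str:   # message 112
        self.pending = cfg
        return cfg
    def on_security_mode_complete(self) -> None:              # message 116
        # The RAN terminates the procedure when it sends acknowledgement 118.
        self.previous, self.active, self.pending = self.active, self.pending, None
    def on_cell_update(self, ue_aborted: Optional[bool]) -> None:
        # Release 10 behaviour: realign if the Cell Update reports an abort.
        if ue_aborted:
            self.active = self.previous

def run(ack_118_delivered: bool, rel10_indication: bool):
    """Return (UE config, RAN config) after a Cell Update follows message 116."""
    ue, ran = UE(), RAN()
    ue.on_security_mode_command(ran.send_security_mode_command(NEW))
    ran.on_security_mode_complete()   # UE sent 116; RAN applies NEW and sends 118
    if ack_118_delivered:
        ue.on_ack_118()
    aborted = ue.cell_update()
    ran.on_cell_update(aborted if rel10_indication else None)
    return ue.active, ran.active
```

Calling `run(False, False)` reproduces the mismatch that causes the RRC connection to be lost, while `run(False, True)` shows both sides back on the original configuration.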