In a communication system, a device (typically a mobile device) termed user equipment (UE) communicates wirelessly with a radio access network (such as the Universal Terrestrial Radio Access Network UTRAN). Communications between the UE and the radio access network are effected in accordance with a multi-layered communications protocol.
FIG. 1 shows a prior art Security Mode Command procedure between a UE 102 and radio access network 105 as described in the 3GPP 25.331 specification.
The security consists of two aspects, optional ciphering and mandatory integrity protection. Ciphering provides encryption according to a ciphering configuration to ensure that all signalling and data messages transmitted between the UE and the radio access network are ciphered over the air interface to provide data confidentiality. Integrity protection provides protection against message manipulation between the UE and the radio access network. That is, integrity protection prevents third parties from sending unauthorised signalling messages between the UE and radio access network. Typically, both ciphering and integrity protection are enabled during a call.
As part of the Security Mode Command procedure the radio access network sends a Security Mode Command 112 using the Radio Resource Control (RRC) protocol to the UE with an indication of a new integrity protection configuration and new cipher configuration to replace an original integrity and cipher configuration. In response to the Security Mode Command, the UE sends an acknowledgement message 114 to the radio access network and subsequently sends a RRC Security Mode Complete message 116 to the radio access network. In response to receiving the Security Mode Complete message from the UE, the radio access network sends an acknowledgement message RLC-ACK 118 to the UE.
The 3GPP 25.331 specification mandates a specific method to handle a cell update procedure during the security mode command procedure. This method is to abort the new integrity protection configuration and new cipher configuration, and continue with the original integrity protection configuration and cipher configuration (used prior to initiation of the security mode command procedure).
This is problematic because the Security Mode Command procedure terminates at different times in the UE and the radio access network, which can lead to the abortion of the Security Mode Command procedure in the UTRAN but not at the UE. In particular the UTRAN aborts the Security Mode Command procedure when the Cell Update message is received before the Security Mode Command Complete message from the UE. In contrast, the UE aborts the procedure when the Cell Update message is sent before it receives an acknowledgement 118 for the Security Mode Complete message from the radio access network.
When the UE performs a Cell Update whilst the UTRAN is waiting for the Security Mode Complete message from the UE, the UTRAN aborts the Security Mode Command procedure; however the UE does not abort the Security Mode Command procedure.
If the UE and radio access network do not abort the Security Mode Command procedure simultaneously, ciphering and integrity protection configuration will be not be the same in the UE and the radio access network which leads to the RRC connection to be lost. Loss of an RRC connection typically triggers a call drop, which is frustrating for the user of the UE.
Following the lost RRC connection the recovery can, depending on the radio conditions and network configuration, be a slow process. During the recovery procedure the user of a UE is disconnected from the network, unable to make or receive calls.