NAS and AS security activation

Two-Phase Security Activation

After authentication completes and keys are derived, 5G activates security protection in two sequential phases. NAS security is established first, protecting signaling between the UE and the AMF. The AMF sends a NAS Security Mode Command selecting the ciphering algorithm (NEA) and integrity algorithm (NIA), using KNASenc and KNASint derived from KAMF. Critically, the SMC message itself is integrity-protected from the very first message, preventing downgrade attacks where an attacker tries to force weaker algorithms. The UE validates the command and replies with NAS Security Mode Complete.