ASN1C 6.7 adds support for 3GPP NAS message security protection. Messages can use either the null algorithm or the AES-based security algorithms (we do not yet support the SNOW3G or ZUC based algorithms). You can try out our NAS decoder online. Or, you can download the 3GPP API ASN1C add-on kit here.

A 3GPP NAS message that is security protected may have two kinds of protection. First, there is integrity protection. In short, this adds a message authentication code (a keyed hash of the original message) to the final result so that the recipient can detect message tampering. In addition to this, there is confidentiality protection. This option encrypts the original message so that only the recipient will be able to read it. Whenever a message is confidentiality-protected, it is also integrity-protected.

The 3GPP API handles NAS message security fairly transparently. In order to encode a protected message, there are five extra, simple steps to follow:

  1. Initialize the NAS security context
  2. Specify the algorithm and keys to use
  3. Set NAS security parameters (e.g. message count and direction)
  4. Assign security header fields in the PDU. This indicates whether the message is integrity-protected only or also confidentiality-protected.
  5. Free the NAS security context when finished.

The PDU encode method will take care of wrapping your message with a security header and applying the chosen protection.

In order to decode a protected message, there are four extra, simple steps to follow:

  1. Initialize the NAS security context
  2. Specify the algorithm and keys to use
  3. Set NAS security parameters
  4. Free the NAS security context when finished.

The PDU decode method will detect the protection applied, decrypt if necessary, confirm integrity protection, and provide the resulting message.

For more information, the 3GPP API kit includes documentation and examples for using these features.

