First round of validation

@startuml

title 5G UE Registration with HMAC-A Failure and gNodeB Session Termination\n(3GPP Release 16)

skinparam backgroundColor #FEFEFE

skinparam sequenceArrowThickness 2

skinparam roundcorner 10

skinparam maxmessagesize 200

skinparam sequenceParticipant underline

actor UE

participant "gNB" as RAN

participant AMF

participant AUSF

participant UDM

== RRC Connection Establishment ==

UE -> RAN: RRC Setup Request

activate RAN

RAN -> UE: RRC Setup

deactivate RAN

UE -> RAN: RRC Setup Complete\n(NAS: Registration Request attached)

note right of UE

UE enters RRC_CONNECTED state

RRC connection is established

end note

== Initial Registration Request ==

UE -> RAN: NAS: Registration Request\n(Registration Type: Initial,\n5G-GUTI/SUCI, Requested NSSAI,\nUE Security Capability)

activate RAN

RAN -> RAN: Store UE context\nAllocate RAN UE NGAP ID

RAN -> AMF: INITIAL UE MESSAGE\n(Registration Request, RAN UE NGAP ID,\nUser Location Info, RRC Establishment Cause)

activate AMF

AMF -> AMF: Allocate AMF UE NGAP ID\nCreate UE context

deactivate RAN

note over RAN, AMF

UE-associated logical NG connection

is now established between gNB and AMF

end note

== UE Identity Retrieval ==

alt SUCI provided

    AMF -> UDM: Nudm_UECM_Registration (SUCI)

    activate UDM

    UDM -> UDM: De-conceal SUCI\nRetrieve SUPI

    UDM -> AMF: SUPI, Subscription Data

    deactivate UDM

else 5G-GUTI provided

    note over AMF

    AMF resolves SUPI

    from 5G-GUTI mapping

    end note

end

== Authentication Vector Request ==

AMF -> AUSF: Nausf_UEAuthentication_Authenticate Request\n(SUPI, Serving Network Name)

activate AUSF

AUSF -> UDM: Nudm_Authentication_Get Request\n(SUPI, Serving Network Name)

activate UDM

UDM -> UDM: Generate 5G Authentication Vector:\n1. Retrieve permanent key K for SUPI\n2. Generate RAND (128 bits)\n3. Compute MAC-A = f1(K, SQN || RAND || AMF)\n4. Compute AUTN = SQN ⊕ AK || AMF || MAC-A\n5. Compute RES, CK, IK\n6. Derive XRES* = KDF(CK||IK, ...)\n7. Derive KAUSF

note right of UDM

5G AKA Authentication Vector:

- RAND: Random challenge

- AUTN: Authentication token

- XRES*: Expected response

- KAUSF: Key for AUSF

MAC-A = f1(K, SQN || RAND || AMF)

is critical for authentication

end note

UDM -> AUSF: 5G AV\n(RAND, AUTN, XRES*, KAUSF)

deactivate UDM

AUSF -> AUSF: Store XRES* and KAUSF\nDerive HXRES* = SHA-256(RAND || XRES*)

AUSF -> AMF: Authentication Material\n(RAND, AUTN, HXRES*)

deactivate AUSF

AMF -> AMF: Store HXRES*\nAllocate ngKSI\nStart authentication timer

== Authentication Request to UE ==

AMF -> RAN: DOWNLINK NAS TRANSPORT\n(AMF UE NGAP ID, RAN UE NGAP ID,\nNAS: Authentication Request: RAND, AUTN, ngKSI)

activate RAN

RAN -> UE: NAS: Authentication Request\n(RAND, AUTN, ngKSI, ABBA)

deactivate RAN

note right of UE

UE stores ngKSI and ABBA

Prepares to verify authentication

end note

== UE Authentication Processing - HMAC-A FAILURE ==

UE -> UE: Process AUTN\n1. Extract AK from AUTN\n2. Compute AK = f5(K, RAND)\n3. Retrieve SQN = (SQN ⊕ AK) ⊕ AK\n4. Extract AMF from AUTN\n5. Extract MAC-A from AUTN

UE -> UE: Verify MAC-A:\nCompute XMAC-A = f1(K, SQN || RAND || AMF)

note right of UE #FFB6C1

**CRITICAL FAILURE DETECTED**

XMAC-A ≠ MAC-A

Root Causes:

1. Key mismatch: K in USIM ≠ K in UDM

2. USIM malfunction or corruption

3. Incorrect subscription provisioning

4. Security breach attempt

5. SIM card authentication failure

Result: UE cannot authenticate network

Cannot derive security keys

Cannot proceed with registration

end note

UE -> UE: **AUTHENTICATION FAILED**\nDo NOT compute RES*\nDo NOT derive security keys

== Authentication Failure Reporting ==

UE -> RAN: NAS: Authentication Failure\n(Cause: "MAC failure",\nNo RES* included)

activate RAN

note right of UE

Authentication Failure Message:

- Cause: "MAC failure" (0x14)

- Indicates HMAC-A verification failed

- No RES* is computed or sent

- No security keys derived

end note

RAN -> AMF: UPLINK NAS TRANSPORT\n(AMF UE NGAP ID, RAN UE NGAP ID,\nNAS: Authentication Failure, Cause = "MAC failure")

deactivate RAN

AMF -> AMF: **Authentication Failed**\nStop authentication timer\nVerification impossible

note over AMF #FFB6C1

AMF cannot verify RES*

Authentication procedure failed

Cannot establish security context

Registration must be rejected

end note

== Failure Notification to AUSF/UDM ==

AMF -> AUSF: Nausf_UEAuthentication_Authenticate Response\n(SUPI, Result: FAILURE,\nFailure Cause: "MAC failure")

activate AUSF

AUSF -> AUSF: Record authentication failure\nIncrement failure counter for SUPI\nPrepare security alert

AUSF -> UDM: Nudm_Authentication_ResultConfirmation\n(SUPI, Auth Result: FAILURE)

activate UDM

UDM -> UDM: Log authentication failure:\n- Timestamp\n- SUPI\n- Failure type: MAC failure\n- Increment failure counter\n- Check threshold for blocking

note right of UDM #FFB6C1

Security Actions:

1. Log failure in security database

2. Increment failure counter

3. If threshold exceeded:

   - Temporary SUPI blocking

   - Security investigation trigger

   - Operator notification

4. Check for fraud patterns

end note

UDM -> AUSF: Confirmation\n(Failure recorded)

deactivate UDM

AUSF -> AMF: Authentication Failure Confirmed

deactivate AUSF

== Registration Rejection ==

AMF -> AMF: Prepare Registration Reject:\n- Clear temporary UE context\n- Select reject cause\n- Optionally set T3346 timer

note over AMF

Registration Reject Cause Options:

- #20: "MAC failure"

- #23: "Illegal UE"

- #3: "Illegal MS"

T3346 controls retry attempts

end note

AMF -> RAN: DOWNLINK NAS TRANSPORT\n(AMF UE NGAP ID, RAN UE NGAP ID,\nNAS: Registration Reject,\nCause = "MAC failure",\nT3346 = 1800 seconds)

activate RAN

RAN -> RAN: Forward NAS message\nStore reject information\nPrepare for cleanup

RAN -> UE: NAS: Registration Reject\n(Cause: "MAC failure",\nT3346 = 1800 seconds)

deactivate RAN

UE -> UE: **Registration REJECTED**\n- Delete temporary context\n- Start T3346 timer (30 min)\n- Enter limited service state

note right of UE #FFB6C1

UE Actions after Rejection:

1. Delete 5G-GUTI (if temporary)

2. Start T3346 timer

3. Disable 5G registration until:

   - T3346 expires

   - Power cycle

   - USIM removed/reinserted

   - Manual PLMN selection

4. May attempt EPS fallback

5. Inform user of failure

end note

== gNodeB Initiated Session Termination ==

note over RAN #FFFFE0

gNB Decision to Terminate Session:

- Authentication failed

- No security context established

- UE rejected by core network

- Resources need to be released

- No valid UE context to maintain

end note

RAN -> RAN: **Decision: Terminate UE session**\n- Release radio resources\n- Clear UE context\n- Prepare UE Context Release Request

== UE Context Release Request (gNB → AMF) ==

RAN -> AMF: UE CONTEXT RELEASE REQUEST\n(AMF UE NGAP ID, RAN UE NGAP ID,\nCause: "authentication-failure" or\n"unspecified-failure")

activate AMF

note over RAN, AMF

gNB requests AMF to release

UE-associated logical NG connection

and all related context

end note

AMF -> AMF: Receive release request\nValidate UE NGAP IDs\nPrepare context release

note over AMF

AMF verifies:

- UE context exists

- No active PDU sessions (none exist)

- No ongoing procedures

- Safe to release

end note

== UE Context Release Command (AMF → gNB) ==

AMF -> RAN: UE CONTEXT RELEASE COMMAND\n(UE NGAP ID pair,\nCause: "nas-normal-release")

deactivate AMF

activate RAN

note over AMF, RAN

AMF authorizes the release

All AMF-side UE context will be deleted

upon receiving release complete

end note

RAN -> RAN: Process release command:\n1. Validate UE context\n2. Prepare RRC release\n3. Stop all UE-related timers\n4. Prepare to release radio resources

== RRC Connection Release (gNB → UE) ==

RAN -> UE: RRC Release\n(Release Cause: "other",\nWait Time: optional,\nRedirection Info: optional)

note over RAN, UE

RRC Release message:

- Releases all radio bearers (SRBs)

- Releases RRC connection

- UE returns to RRC_IDLE state

- May include redirection to other RAT

- May include wait time before retry

end note

UE -> UE: **Process RRC Release:**\n1. Stop all RRC timers\n2. Release all radio resources\n3. Release SRB1, SRB2\n4. Clear RRC configuration\n5. Enter RRC_IDLE state\n6. Start cell selection

note right of UE

UE State Transition:

RRC_CONNECTED → RRC_IDLE

Actions:

- Release all radio bearers

- Stop T300, T301, T310, T311

- Clear RRC configuration

- Start cell reselection

- Remain in limited service

  (due to T3346 running)

end note

== Radio Resource Cleanup ==

RAN -> RAN: **Release Radio Resources:**\n1. De-allocate physical resources\n2. Release C-RNTI\n3. Clear UE scheduling\n4. Free RRC connection\n5. Clear RRM measurements\n6. Release PDCP/RLC/MAC entities

note over RAN #FFFFE0

Radio Resource Cleanup:

- C-RNTI released

- Physical resource blocks freed

- Scheduling contexts deleted

- L2 (PDCP/RLC/MAC) released

- L1 resources freed

- UE monitoring stopped

end note

== UE Context Release Complete (gNB → AMF) ==

RAN -> AMF: UE CONTEXT RELEASE COMPLETE\n(AMF UE NGAP ID, RAN UE NGAP ID,\nUser Location Info: final cell location,\nOptional: Information on Recommended Cells)

activate AMF

deactivate RAN

note over RAN, AMF

gNB confirms successful release

All NG-RAN resources released

UE-associated NG connection terminated

end note

== AMF Context Cleanup ==

AMF -> AMF: **Complete UE Context Release:**\n1. Delete UE NGAP context\n2. Delete AMF UE NGAP ID\n3. Delete temporary 5G-GUTI (if any)\n4. Clear security context\n5. Clear subscription data cache\n6. Release allocated resources\n7. Update UE reachability status

note over AMF #FFFFE0

AMF Cleanup Actions:

- Free AMF UE NGAP ID

- Delete UE-associated logical

  NG connection

- Clear all temporary UE data

- No PDU sessions to release

- Update analytics/statistics

- Log complete transaction

end note

AMF -> AMF: UE context fully deleted\nNG connection terminated

deactivate AMF

== Final State ==

note over UE #FFB6C1

**UE Final State:**

- RRC_IDLE mode

- No NAS security context

- No RRC connection

- T3346 timer running

- Limited service state

- 5G registration blocked until:

  * T3346 expires (30 min)

  * Power cycle

  * USIM change

  * Manual intervention

**User Actions Required:**

1. Check USIM/SIM card

2. Contact operator

3. Verify subscription status

4. Check for account issues

5. May need SIM replacement

end note

note over RAN #FFFFE0

**gNB Final State:**

- All UE resources released

- C-RNTI freed

- No UE context maintained

- Ready for new connections

- Resources available for other UEs

end note

note over AMF #FFFFE0

**AMF Final State:**

- No UE context stored

- UE not registered

- NG connection released

- Failure logged for analytics

- Security alert may be active

- Ready for new registration attempt

  after T3346 expires

end note

@enduml

skinparam sequenceParticipant underline

actor UE

participant "gNB/ng-eNB (SUT) 242.39" as RAN

participant "gNB/ng-eNB (TA) 242.39" as RAN

participant "AMF (IUT) 242.37" as AMF

participant AUSF

participant UDM

#include "rijndael.hh"

#include "opc.hh"

/**

 * @see https://www.ericsson.com/en/blog/2021/9/authentication-and-key-agreements

 */

namespace Lib__NG__NAS__Security__Functions {

  static uint8_t OP[16] = {0}; // FIXME FSCOM To be refined. This is a Q&D implementation

LibNGAP_Pixits.PX_PLMN_IDENTITY    := '00f110'O

LibNGAP_Pixits.PX_GNB_ID           := '0000000000000001001110'B

Lib_NG_NAS_Pixits.PX_CHECK_SECURITY                  := true

Lib_NG_NAS_Pixits.PX_CHECK_SECURITY                  := false

Lib_NG_NAS_Pixits.PX_SUPI_FORMAT                     := '0000'B

Lib_NG_NAS_Pixits.PX_SUPI_DIGITS                     := '00f110214300014444330302'O

# OP

# you want to log into the file or display on console (standard error).

LogFile := "../logs/Ats_NG_NAS/%e.%h-%r.%s"

FileMask := LOG_ALL | USER | DEBUG | MATCHING

ConsoleMask := LOG_ALL | USER | DEBUG | MATCHING

#FileMask := ERROR | WARNING | USER | MATCHING | EXECUTOR_RUNTIME | VERDICTOP | PORTEVENT | TESTCASE

#ConsoleMask := ERROR | WARNING | USER | MATCHING | EXECUTOR_RUNTIME | VERDICTOP | PORTEVENT | TESTCASE

#FileMask := LOG_ALL | USER | DEBUG | MATCHING

#ConsoleMask := LOG_ALL | USER | DEBUG | MATCHING

FileMask := ERROR | WARNING | USER | MATCHING | EXECUTOR_RUNTIME | VERDICTOP | PORTEVENT | TESTCASE

ConsoleMask := ERROR | WARNING | USER | MATCHING | EXECUTOR_RUNTIME | VERDICTOP | PORTEVENT | TESTCASE

LogSourceInfo := Stack

LogEntityName:= Yes

LogEventTypes:= Yes

#AtsImsIot_TestControl.control

# Verify that the IUT sends an AUTHENTICATION REQUEST message correctly upon receipt of a NAS Registration without an active security context

NG_NAS_TestCases.TC_5GNAS_AMF_AUT_REQ_01

#NG_NAS_TestCases.TC_5GNAS_AMF_AUT_REQ_01

# Verify that the IUT sends an AUTHENTICATION REJECT message correctly upon receipt of an AUTHENTICATION RESPONSE message indicating a wrong ARP IEI

#NG_NAS_TestCases.TC_5GNAS_AMF_AUT_REQ_02

# Verify that the IUT sends an IDENTITY REQUEST message correctly upon receipt of an AUTHENTICATION FAILURE message indicating a 5GMM cause value #20 - MAC failure

# Verify that the IUT sends a SECURITY MODE COMMAND message correctly to indicate NAS security mode procedure upon receipt of a NAS AUTHENTICATION RESPONSE

#NG_NAS_TestCases.TC_NGNAS_AMF_AUT_SEQ_01

# Verify that the IUT, upon receiving the NAS SECURITY MODE COMPLETE message after completing the NAS Authentication and Security procedure, successfully completes the registration process by accepting the registration

#NG_NAS_TestCases.TC_5GNAS_AMF_SEC_ACC_01

NG_NAS_TestCases.TC_5GNAS_AMF_SEC_ACC_01

# Verify that the IUT, upon receiving the NAS SECURITY MODE REJECT Message after a failed NAS Authentication and security procedure, successfully aborts the registration process by rejecting the registration

#NG_NAS_TestCases.TC_5GNAS_AMF_SEC_REJ_01

#NG_NAS_TestCases.TC_5GNAS_AMF_DLN_ACC_01

                    // Postamble

                    // Terminate call with rejection

                    f_terminate_NasRegistrationRequest_with_reject();

                    //TODO: f_postamble_NGAP_gNB();

                    f_send_NasAuthenticationFailure();

                    f_send_ue_context_release_request_await_ue_context_release_response(m_cause_nas(authentication_failure));

                    f_selfOrClientSyncAndVerdict(c_poDone, f_getVerdict());

                    log("*** " & __SCOPE__ & ": INFO: Postamble done. ***");

                } // End of function f_TC_5GNAS_AMF_AUT_REQ_01

                    f_recv_NGAP_PDU(

                                    mw_ngap_initMsg(

                                                    mw_n2_DownlinkNASTransport(

                                                                               PX_AMF_UE_NGAP_ID,

                                                                               ?,// Set by AMF - PX_AMF_UE_NGAP_ID,

                                                                               PX_RAN_UE_NGAP_ID,

                                                                               ? // SecurityModeCommand

                    )));

                    // Postamble

                    // Terminate call with rejection

                    f_terminate_NasRegistrationRequest_with_reject();

                    //TODO: f_postamble_NGAP_gNB();

                    f_send_NasAuthenticationFailure();

                    f_send_ue_context_release_request_await_ue_context_release_response(m_cause_nas(authentication_failure));

                    f_selfOrClientSyncAndVerdict(c_poDone, f_getVerdict());

                    log("*** " & __SCOPE__ & ": INFO: Postamble done. ***");

                } // End of function f_TC_5GNAS_AMF_AUT_REQ_02

                    // Postamble

                    // Terminate call with rejection

                    f_terminate_NasRegistrationRequest_with_reject();

                    //TODO: f_postamble_NGAP_gNB();

                    f_send_NasAuthenticationFailure();

                    f_send_ue_context_release_request_await_ue_context_release_response(m_cause_nas(authentication_failure));

                    f_selfOrClientSyncAndVerdict(c_poDone, f_getVerdict());

                    log("*** " & __SCOPE__ & ": INFO: Postamble done. ***");

                } // End of function f_TC_5GNAS_AMF_AUT_REQ_04

                    // Postamble

                    // Terminate call with rejection

                    f_terminate_NasRegistrationRequest_with_reject();

                    //TODO: f_postamble_NGAP_gNB();

                    f_send_NasAuthenticationFailure();

                    f_send_ue_context_release_request_await_ue_context_release_response(m_cause_nas(authentication_failure));

                    f_selfOrClientSyncAndVerdict(c_poDone, f_getVerdict());

                    log("*** " & __SCOPE__ & ": INFO: Postamble done. ***");

                } // End of function f_TC_5GNAS_AMF_AUT_REQ_05

                    // Postamble

                    // Terminate call with rejection

                    f_terminate_NasRegistrationRequest_with_reject();

                    //TODO: f_postamble_NGAP_gNB();

                    f_send_NasAuthenticationFailure();

                    f_send_ue_context_release_request_await_ue_context_release_response(m_cause_nas(authentication_failure));

                    f_selfOrClientSyncAndVerdict(c_poDone, f_getVerdict());

                    log("*** " & __SCOPE__ & ": INFO: Postamble done. ***");

                } // End of function f_TC_5GNAS_AMF_AUT_ABN_01

                    // Postamble

                    // Terminate call with rejection

                    f_terminate_NasRegistrationRequest_with_reject();

                    //TODO: f_postamble_NGAP_gNB();

                    f_send_NasAuthenticationFailure();

                    f_send_ue_context_release_request_await_ue_context_release_response(m_cause_nas(authentication_failure));

                    f_selfOrClientSyncAndVerdict(c_poDone, e_success);

                    log("*** " & __SCOPE__ & ": INFO: Postamble done. ***");

                } // End of function f_TC_NGNAS_AMF_AUT_SEQ_01

                    // Postamble

                    // Terminate call with rejection

                    f_terminate_NasRegistrationRequest_with_reject();

                    //TODO: f_postamble_NGAP_gNB();

                    f_send_NasAuthenticationFailure();

                    f_send_ue_context_release_request_await_ue_context_release_response(m_cause_nas(authentication_failure));

                   f_selfOrClientSyncAndVerdict(c_poDone, f_getVerdict());

                    log("*** " & __SCOPE__ & ": INFO: Postamble done. ***");

                } // End of function f_TC_5GNAS_AMF_SEC_ACC_01