MAC-I

Message Authentication Code for Integrity

Security
Introduced in Rel-8
A Message Authentication Code (MAC) used to provide integrity protection and data origin authentication for signaling messages and, in some cases, user data in 3GPP networks. It ensures that control plane messages between the UE and the network have not been altered in transit and originate from an authorized entity.

Description

MAC-I (Message Authentication Code for Integrity) is a cryptographic checksum appended to protocol data units (PDUs) in 3GPP radio access and core network protocols to guarantee their integrity. Unlike MAC-A, which is used for initial authentication, MAC-I is employed for ongoing integrity protection of signaling messages after security contexts are established. It is generated using a dedicated integrity key (IK), a freshness parameter (COUNT), a direction bit, the message itself, and a bearer identity. The most commonly referenced algorithms for its computation are the 128-EEA/128-EIA suites defined for LTE and NR, such as SNOW 3G, AES, and ZUC.

In the protocol stack, MAC-I is primarily associated with the Radio Resource Control (RRC) and Non-Access Stratum (NAS) signaling layers. For example, in LTE (TS 36.323), the PDCP (Packet Data Convergence Protocol) layer is responsible for integrity protection and verification of RRC messages using MAC-I. The transmitting entity (UE or eNodeB) calculates the MAC-I over the RRC PDU and includes it in the packet. The receiving entity independently recalculates the MAC-I using the same inputs and keys. If the calculated value matches the received MAC-I, the message is considered intact and authentic. A mismatch triggers a security failure, typically leading to the release of the radio connection.

The process involves a stateful counter (COUNT) to prevent replay attacks, ensuring that even identical messages sent at different times yield different MAC-I values. The direction bit distinguishes between uplink and downlink traffic, preventing reflection attacks. Architecturally, the integrity key (IK) used for MAC-I is derived during the AKA procedure from the root key K. In EPS, IK is part of the Kasme derivation; in 5GS, it is derived from the KAMF. This creates a cryptographically separated key hierarchy where compromise of traffic keys does not affect authentication keys.

MAC-I's role extends beyond RRC. In the core network, integrity protection for NAS messages between the UE and the MME (in EPS) or AMF (in 5GS) also utilizes a MAC-I mechanism, though the specific algorithm and key may differ (using KNASint). It is a mandatory security feature for all control plane signaling in modern 3GPP networks, forming a vital defense against tampering, message injection, and replay attacks on the air interface and within the network trust boundaries.

Purpose & Motivation

MAC-I was introduced to address the critical need for integrity and origin authentication of control signaling in packet-switched mobile networks. Earlier circuit-switched systems like GSM provided limited signaling protection, primarily focused on radio interface ciphering, leaving control channels vulnerable to manipulation. As networks evolved towards all-IP architectures with LTE and 5G, the risk of attackers modifying or forging signaling messages (e.g., handover commands, bearer setup requests, or paging messages) to disrupt service, cause denial-of-service, or redirect traffic became a paramount concern.

Its creation was motivated by the requirement for a robust, standardized integrity protection mechanism that could be applied hop-by-hop (e.g., over the Uu air interface) and end-to-end (e.g., for NAS). The problem it solves is ensuring that critical network control commands cannot be tampered with without detection. Without MAC-I, an attacker could alter a handover command to force a UE to camp on a malicious cell, or modify a paging message to track a user's location.

Furthermore, MAC-I enables the secure establishment of other security contexts. For instance, the integrity-protected RRC signaling is used to securely transport the ciphering algorithm configuration and the encrypted user plane security mode command. It forms an essential layer in the defense-in-depth strategy for 3GPP networks, working in conjunction with ciphering for confidentiality (using ENC algorithms) and AKA for initial authentication. Its stateful design with counters also addresses the limitation of static message authentication codes by providing replay protection, a crucial feature for time-sensitive mobility procedures.

Key Features

  • Provides integrity protection and data origin authentication for RRC and NAS signaling messages.
  • Uses a dedicated Integrity Key (IK) derived from the root key during AKA.
  • Incorporates a counter (COUNT) and direction bit to prevent replay and reflection attacks.
  • Calculated and verified at the PDCP layer (for RRC) and NAS layer in the protocol stack.
  • Mandatory for control plane security in LTE and NR; failure leads to connection release.
  • Supports multiple cryptographic algorithm options (e.g., SNOW 3G, AES, ZUC) as per 128-EIA.

Evolution Across Releases

Rel-8 Initial

Introduced as the primary integrity protection mechanism for LTE/EPC. Defined for the PDCP protocol (TS 36.323) to protect RRC signaling over the Uu interface. Supported the initial set of 128-EIA algorithms (EIA1 based on SNOW 3G, EIA2 based on AES). Established the use of COUNT, bearer identity, and direction as inputs to ensure freshness and context separation.

TS 21.905TS 31.102TS 33.105TS 33.401TS 36.323TS 38.323

Defining Specifications

SpecificationTitle
TS 21.905 3GPP TS 21.905
TS 31.102 3GPP TR 31.102
TS 33.105 3GPP TR 33.105
TS 33.401 3GPP TR 33.401
TS 36.323 3GPP TR 36.323
TS 38.323 3GPP TR 38.323