NH

Next Hop key

Security
Introduced in Rel-8
A security key used in 3GPP networks for forward security during handovers. It is derived from the current K_ASME or anchor key and is used to generate subsequent access stratum (AS) keys for the target base station, preventing compromise of future sessions if a current key is exposed. This is a fundamental mechanism for key hierarchy and handover security in LTE and 5G.

Description

The Next Hop (NH) key is a core component of the 3GPP key hierarchy, specifically designed to provide forward security for the Access Stratum (AS) during intra-RAT and inter-RAT handovers. It operates within the horizontal key derivation framework defined in TS 33.401. The NH key is not used directly for ciphering or integrity protection of user or control plane data. Instead, it serves as a parent key from which the target eNodeB/gNodeB's KeNB* (in LTE) or KgNB* (in 5G NR) is derived during a handover procedure. The derivation uses the Next Hop Chaining Counter (NCC), which is synchronized between the UE and the network, and the Physical Cell ID (PCI) of the target cell. This process ensures the new AS base key is cryptographically fresh and not directly linkable to previous keys.

The generation of a new NH key is triggered by specific security context management events, most notably an intra-cell handover where the KeNB/KgNB is updated using the vertical key derivation method (using the NAS uplink COUNT). When this vertical derivation occurs, the network also calculates a new NH parameter and increments the NCC. This new NH key is then stored by both the UE and the MME/AMF for future use. During the next handover that can utilize horizontal derivation (e.g., an X2-based handover in LTE), the source eNodeB provides the target eNodeB with the NH parameter and the NCC value. The target eNodeB and the UE can then independently derive the same new KeNB* using this NH key, the NCC, and the target cell's PCI, without needing to involve the core network (MME/AMF) for key generation.

This architecture decouples handover key management from the core network for subsequent hops, significantly reducing handover latency and signaling load. The NH chaining mechanism ensures forward security: even if an attacker compromises the current KeNB/KgNB, they cannot compute future NH keys or the KeNB/KgNB keys used after a vertical key derivation has occurred, as the NH key is derived from the anchor key (K_ASME) using a one-way function. The NCC acts as a sequence number, ensuring the UE and network agree on which NH key in the chain to use, preventing replay and synchronization attacks. The NH paradigm is thus critical for enabling secure, fast, and scalable mobility in 3GPP networks.

Purpose & Motivation

The NH key was introduced to solve critical security and performance challenges in cellular handovers, particularly with the advent of LTE and its flatter architecture. Prior to LTE, handover security in UMTS relied more heavily on core network involvement. The design goals for LTE included reducing handover latency and control plane signaling to support seamless mobility for high-speed users and real-time services. A security mechanism was needed that allowed a source base station to prepare a target base station securely without always querying the core network for new keys, as this would add delay.

The primary problem the NH key addresses is providing forward security for access stratum keys during a sequence of handovers. Without such a mechanism, if the key used at one base station was compromised, an adversary could derive all future session keys, breaking the security of the user's entire mobility path. The NH chaining concept creates a cryptographically independent key for each new handover hop after a core-network-verified key update, limiting the impact of a key compromise. It also addresses the performance problem by enabling 'horizontal' key derivation, where the source and target base stations can locally manage key transitions using pre-shared NH parameters, only periodically requiring a 'vertical' key refresh from the core network anchor key. This balanced approach optimizes both security and network efficiency.

Key Features

  • Enables forward security for Access Stratum (AS) keys during handovers
  • Supports horizontal key derivation (base-station-to-base-station) independent of the core network
  • Utilizes a Next Hop Chaining Counter (NCC) for synchronization between UE and network
  • Derived from the anchor security key (K_ASME or equivalent) during vertical key updates
  • Used to generate the KeNB (LTE) or KgNB (5G NR) key for the target cell
  • Reduces handover latency and core network signaling load

Evolution Across Releases

Rel-8 Initial

Introduced as part of the LTE security architecture in TS 33.401. Defined the NH key and NCC mechanism for horizontal key derivation during X2-based handovers to provide forward security and reduce dependency on the MME for every handover.

TS 33.401TS 33.859TS 36.300
Rel-13

Enhanced NH key usage with the introduction of Dual Connectivity (DC). Specifications defined how the NH key and NCC are managed and shared between a Master eNodeB (MeNB) and a Secondary eNodeB (SeNB) to securely establish the SeNB's AS security context.

TS 33.401TS 33.859TS 36.300
Rel-15

The NH key principle was carried forward into the 5G security architecture for NR, defined in TS 33.501. The concept is applied to the KgNB key hierarchy, supporting handovers between gNBs (Xn-handover) and between ng-eNBs, maintaining forward security for the 5G Access Stratum.

TS 33.401TS 33.859TS 36.300

Defining Specifications

SpecificationTitle
TS 33.401 3GPP TR 33.401
TS 33.859 3GPP TR 33.859
TS 36.300 3GPP TR 36.300