Description
The New radio Integrity Algorithm (NIA) is a core component of the 5G security architecture, defined in 3GPP specification 33.501. It provides integrity protection for both the control plane (signaling) and user plane (data) traffic over the air interface between the User Equipment (UE) and the gNodeB (gNB). Integrity protection is a fundamental security service that guarantees the received data has not been altered, deleted, replayed, or inserted by an unauthorized party during transmission. The NIA suite is designed to work in conjunction with the New radio Encryption Algorithm (NEA) for confidentiality, forming a comprehensive cryptographic protection layer for 5G NR.
NIA operates within the Packet Data Convergence Protocol (PDCP) layer in the radio protocol stack. For each data packet, the transmitting entity (UE or gNB) calculates a Message Authentication Code (MAC-I) using the integrity algorithm, the integrity key (K~RRCint~ for signaling or K~UPint~ for user data), a count value (PDCP COUNT), the bearer identity, and the direction of transmission (uplink/downlink). This MAC-I is appended to the PDCP Protocol Data Unit (PDU) before transmission. The receiving entity independently recalculates the MAC-I using the same inputs and the received data. It then compares the calculated value (XMAC-I) with the received MAC-I. If they match, the data's integrity is verified; if not, the packet is discarded, and a security failure procedure may be initiated.
The NIA suite is not a single algorithm but a family, allowing for algorithm agility. The initial set in Release 15 included NIA0, NIA1, and NIA2. NIA0 is the 'null' integrity algorithm, providing no protection and used only in specific, predefined exceptional cases. NIA1 is based on the SNOW 3G stream cipher, a carry-over from 3G and 4G security for backward compatibility and migration. NIA2 is based on the AES-CTR mode using a 128-bit key, offering strong, modern cryptographic protection. The selection of which specific NIA algorithm to use for a connection is negotiated during the security mode command procedure between the UE and the Access and Mobility Management Function (AMF) in the core network, based on the security capabilities advertised by the UE and the network's security policy.
This integrity mechanism is crucial for preventing attacks such as message forgery, replay attacks, and man-in-the-middle manipulations. It protects critical signaling procedures like attachment, handover, and session management, ensuring the network's control over the UE is secure. For user data, it guarantees that the application data received is exactly what was sent, which is vital for services requiring high data assurance. The separation of integrity keys for control and user planes (K~RRCint~ and K~UPint~) provides additional security isolation. The integrity protection is applied end-to-end between the UE and the gNB on the radio link, which is the most vulnerable segment of the connection.
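The sender/receiver procedure described above (MAC-I appended by the transmitter, XMAC-I recomputed and compared by the receiver, packet discarded on mismatch, separate keys per plane, NIA0 as the null case) as an added example that is not code from the page or from 3GPP. A keyed HMAC-SHA256 stands in for the standardized NIA keyed function so the block runs with only the Python standard library; the keys, the bearer id, the sample payloads and the strictly-increasing COUNT check are constructed assumptions, and the point is the input framing and the receiver-side decisions rather than the algorithm itself.

```python
# Added example (not from the page, not 3GPP reference code): PDCP-style MAC-I
# generation and XMAC-I verification. A keyed HMAC-SHA256 stands in for the
# standardized NIA keyed function so the block runs with the standard library;
# only the input framing and the receiver-side checks are the point.
import hashlib
import hmac

UPLINK, DOWNLINK = 0, 1
MAC_LEN = 4  # MAC-I / XMAC-I are 32 bits
NIA0 = 0     # null integrity algorithm; any other id selects the stand-in function

# Constructed 128-bit keys standing in for K_RRCint and K_UPint (not real key material).
K_RRC_INT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
K_UP_INT = bytes.fromhex("f0e0d0c0b0a090807060504030201000")


def mac_i(key: bytes, count: int, bearer: int, direction: int, message: bytes, algo: int) -> bytes:
    """Return the 32-bit MAC-I for one PDCP PDU.

    Inputs are the ones the text lists: integrity key, PDCP COUNT, BEARER,
    DIRECTION and the message. With NIA0 the MAC-I is four zero bytes and
    nothing is actually protected.
    """
    if algo == NIA0:
        return bytes(MAC_LEN)
    if not (0 <= count < 2**32 and 0 <= bearer < 32 and direction in (UPLINK, DOWNLINK)):
        raise ValueError("COUNT, BEARER or DIRECTION out of range")
    # 64-bit framing: COUNT (32) || BEARER (5) || DIRECTION (1) || 26 zero bits,
    # followed by the message itself.
    framing = count.to_bytes(4, "big") + bytes([(bearer << 3) | (direction << 2)]) + bytes(3)
    tag = hmac.new(key, framing + message, hashlib.sha256).digest()
    return tag[:MAC_LEN]


def protect(key: bytes, count: int, bearer: int, direction: int, payload: bytes, algo: int) -> bytes:
    """Sender side: append the MAC-I to the payload."""
    return payload + mac_i(key, count, bearer, direction, payload, algo)


class PdcpIntegrityReceiver:
    """Receiver side: recompute XMAC-I, compare, and reject replayed COUNT values."""

    def __init__(self, key: bytes, algo: int, direction: int):
        self.key, self.algo, self.direction = key, algo, direction
        self.highest_count = -1  # simplification: accept strictly increasing COUNT only
        self.discarded = 0

    def receive(self, count: int, bearer: int, pdu: bytes):
        """Return the verified payload, or None when the PDU is discarded."""
        if len(pdu) < MAC_LEN:
            self.discarded += 1
            return None
        payload, received_mac = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
        xmac = mac_i(self.key, count, bearer, self.direction, payload, self.algo)
        # Constant-time comparison so timing does not leak how many tag bytes matched.
        if not hmac.compare_digest(xmac, received_mac):
            self.discarded += 1
            return None
        if count <= self.highest_count:  # replay, or reordering beyond this toy window
            self.discarded += 1
            return None
        self.highest_count = count
        return payload


def run_scenarios() -> dict:
    """Exercise the checks the text describes and report each outcome."""
    algo = 2  # stand-in id selecting the keyed function (not NIA0)
    bearer = 1
    rrc_rx = PdcpIntegrityReceiver(K_RRC_INT, algo, UPLINK)
    msg = b"RRCReconfigurationComplete"  # constructed sample signaling payload

    pdu = protect(K_RRC_INT, 7, bearer, UPLINK, msg, algo)
    accepted = rrc_rx.receive(7, bearer, pdu)

    tampered = bytearray(pdu)
    tampered[0] ^= 0x01  # one flipped payload bit must fail verification
    tampered_result = rrc_rx.receive(8, bearer, bytes(tampered))

    replayed = rrc_rx.receive(7, bearer, pdu)  # identical PDU with an already-used COUNT

    # Key separation: a PDU protected under K_UPint must not verify under K_RRCint.
    cross_plane = rrc_rx.receive(9, bearer, protect(K_UP_INT, 9, bearer, UPLINK, msg, algo))

    # NIA0: the all-zero MAC-I verifies even after modification; no integrity at all.
    null_rx = PdcpIntegrityReceiver(K_UP_INT, NIA0, DOWNLINK)
    null_pdu = bytearray(protect(K_UP_INT, 1, bearer, DOWNLINK, b"user data", NIA0))
    null_pdu[0] ^= 0xFF
    null_result = null_rx.receive(1, bearer, bytes(null_pdu))

    return {
        "accepted": accepted,
        "tampered_discarded": tampered_result is None,
        "replay_discarded": replayed is None,
        "cross_plane_discarded": cross_plane is None,
        "nia0_tampered_accepted": null_result is not None,
        "rrc_discards": rrc_rx.discarded,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome!r}")
```

The replay check is deliberately the simplest possible one (COUNT must strictly increase); a real PDCP entity maintains a reordering window and a HFN/SN split, but the security decision is the same: a PDU whose MAC-I does not verify, or whose COUNT has already been consumed, is dropped and counted, which is the signal an operations team would want surfaced as a security-failure indicator.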
Purpose & Motivation
The primary purpose of NIA is to provide a standardized, robust, and future-proof mechanism for data integrity protection in the 5G system. As mobile networks evolved to 5G, supporting a vast array of new services like massive IoT, ultra-reliable low-latency communications (URLLC), and enhanced mobile broadband (eMBB), the threat landscape expanded significantly. Previous generations had integrity protection (e.g., EIA in LTE), but 5G required algorithms that could meet higher performance demands for latency and throughput while resisting more sophisticated cryptographic attacks. The creation of a new suite of algorithms under the 'NIA' umbrella was motivated by the need for algorithm agility—the ability to introduce new, stronger algorithms over time without overhauling the entire security architecture, thereby responding to advances in cryptanalysis and computational power.
Another key motivation was to address specific vulnerabilities identified in previous systems. For instance, in LTE, integrity protection was mandatory for signaling but optional for user plane data. This left user data vulnerable to certain over-the-air attacks in many deployments. 3GPP made a conscious decision in 5G to mandate integrity protection for the user plane by default, although it can be disabled by the network operator for specific Data Radio Bearers (DRBs) if needed for performance reasons (using NIA0). This shift significantly enhances the baseline security posture. The design also explicitly separates the cryptographic chains for integrity and confidentiality, preventing potential weaknesses in one algorithm from compromising the other service.
Furthermore, the development of NIA was part of a holistic 5G security redesign that included home control and enhanced key hierarchy. The integrity keys are derived from a root key in the home network, ensuring that even in roaming scenarios, the integrity of the connection is anchored to the subscriber's home operator. This addresses concerns about visited network security. By standardizing a clear set of algorithms (NIA1, NIA2) and a clear null algorithm (NIA0), 3GPP ensures global interoperability while giving operators the tools to deploy security appropriate to their risk assessment and the requirements of different network slices.
Key Features
- Provides integrity protection for both Control Plane (RRC) and User Plane (UP) data in 5G NR
- Implements algorithm agility with a defined suite including NIA0 (null), NIA1 (SNOW 3G), and NIA2 (AES-128)
- Operates at the PDCP layer using a Message Authentication Code (MAC-I) appended to each packet
- Uses separate integrity keys (K~RRCint~, K~UPint~) derived from the 5G core network's anchor key
- Protects against data tampering, replay, and insertion attacks on the radio interface
- Mandatory support for user plane integrity, enhancing baseline security compared to LTE
Evolution Across Releases
Release 15: Introduced as the foundational integrity algorithm suite for 5G. Defined NIA0 (null), NIA1 (based on 128-EEA3/128-EIA3 SNOW 3G), and NIA2 (based on 128-NEA2/128-NIA2 AES-CTR). Established the framework for integrity protection at the PDCP layer for both control and user planes, with keys derived from the new 5G Authentication and Key Agreement (5G AKA) and anchor key (K~AMF~).
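The key separation the page describes (distinct K~RRCint~ and K~UPint~ derived from one parent key, with the negotiated algorithm identity bound into the derivation) as an added example that is not code from the page or from 3GPP. The KDF shape (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1) is the generic 3GPP KDF; the FC value and the algorithm type distinguishers are written from my recollection of TS 33.501 Annex A.8 and should be treated as assumptions, as should the placeholder parent key, which stands in for the gNB-level key that sits below K~AMF~ in the hierarchy.

```python
# Added example (not the page's or 3GPP's code): deriving the separate RRC and
# UP integrity keys from one parent key. The KDF shape follows the generic 3GPP
# KDF (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1); the FC value and the
# algorithm type distinguishers are my recollection of TS 33.501 Annex A.8 and
# are assumptions here, as is the constructed parent key.
import hashlib
import hmac

FC_ALGORITHM_KEY = 0x69   # assumption: FC for algorithm key derivation
N_RRC_INT_ALG = 0x04      # assumption: algorithm type distinguisher, RRC integrity
N_UP_INT_ALG = 0x06       # assumption: algorithm type distinguisher, UP integrity
NIA1, NIA2 = 0x01, 0x02   # algorithm identities used as the second KDF parameter

# Constructed 256-bit parent key (not real key material); stands in for the
# gNB-level key derived below K_AMF.
PARENT_KEY = bytes(range(32))


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP-style KDF: S = FC || P0 || L0 || P1 || L1 ...; output = HMAC-SHA-256(key, S)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # each Li is the 2-byte length of Pi
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_integrity_key(parent: bytes, alg_type: int, alg_id: int) -> bytes:
    """Return a 128-bit integrity key: the 128 least significant bits of the 256-bit KDF output."""
    if not (0 <= alg_id < 16):
        raise ValueError("algorithm identity is a 4-bit value")
    return kdf(parent, FC_ALGORITHM_KEY, bytes([alg_type]), bytes([alg_id]))[16:]


def integrity_keys(parent: bytes, alg_id: int) -> dict:
    """Derive both plane-specific integrity keys for the negotiated algorithm."""
    return {
        "K_RRCint": derive_integrity_key(parent, N_RRC_INT_ALG, alg_id),
        "K_UPint": derive_integrity_key(parent, N_UP_INT_ALG, alg_id),
    }


def keys_are_isolated(parent: bytes) -> bool:
    """True when the RRC and UP keys differ and a change of algorithm yields fresh keys."""
    k1, k2 = integrity_keys(parent, NIA1), integrity_keys(parent, NIA2)
    distinct_planes = k1["K_RRCint"] != k1["K_UPint"] and k2["K_RRCint"] != k2["K_UPint"]
    distinct_algos = k1["K_RRCint"] != k2["K_RRCint"] and k1["K_UPint"] != k2["K_UPint"]
    return distinct_planes and distinct_algos


if __name__ == "__main__":
    for name, key in integrity_keys(PARENT_KEY, NIA2).items():
        print(f"{name}: {key.hex()}")
    print("isolated:", keys_are_isolated(PARENT_KEY))
```

Binding the algorithm identity into the derivation is what makes algorithm agility safe in practice: if the network later moves a connection from one NIA to another, the new algorithm never runs under key material that was already used with the old one.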
Defining Specifications
| Specification | Title |
|---|---|
| TS 33.501 | 3GPP TS 33.501, Security architecture and procedures for 5G System |