Description
The New Security Context Indicator (NSCI) is a critical security parameter within the 3GPP NG Application Protocol (NGAP), which is the signaling protocol between the 5G Core Network's Access and Mobility Management Function (AMF) and the Next Generation Radio Access Network (NG-RAN) node (gNB). It is a simple Boolean indicator (a single bit) included in specific NGAP messages, most notably the INITIAL CONTEXT SETUP REQUEST and the PATH SWITCH REQUEST ACKNOWLEDGE messages. Its primary function is to signal to the gNB that the core network has established a completely new security context for the User Equipment (UE) in question. A 'new security context' means that the core network (AMF and the Authentication Server Function, AUSF) has performed a fresh primary authentication and key agreement procedure with the UE, resulting in the generation of a new set of cryptographic keys distinct from any previously used keys.
Upon receiving an NGAP message with the NSCI set to 'true', the gNB understands that it must derive and apply a new set of access stratum (AS) security keys for that UE. These AS keys, namely the KgNB (the base key for the gNB) and the subsequent derived keys for integrity protection (KRRCint) and confidentiality (KRRCenc, KUPenc), are calculated using the new anchor key from the core network (the KAUSF or derived KAMF) and fresh nonces. This process is crucial because it ensures cryptographic separation between different security sessions. If the NSCI is set to 'false', the gNB may derive new keys based on the existing key context, typically using a key derivation function with fresh input parameters (like the Next Hop (NH) parameter), which is common during intra-AMF handovers.
The role of NSCI is fundamental in mitigating security threats, particularly replay attacks. During inter-AMF handovers or after a service request procedure following an idle mode, if the core network decides that a full re-authentication is necessary (e.g., due to security policy, timer expiry, or suspected compromise), it establishes a new security context. By explicitly indicating this to the RAN via NSCI, the system guarantees that old cryptographic material cannot be reused, even if an attacker captured previous signaling messages. This mechanism is a key part of 5G's forward security, ensuring that the compromise of a single session key does not affect the security of future sessions. The gNB's processing of the NSCI is mandatory and tightly integrated with the 5G security architecture defined in TS 33.501.
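The two branches described above (NSCI 'true' versus 'false') can be made concrete with a small model of the gNB-side key handling. This is an added example, not code from the original page or from 3GPP. The FC values and parameter layout follow the key-derivation annex of TS 33.501 and the generic KDF of TS 33.220, while the `GnbUeContext` class, its `apply` method and all key values are constructed for illustration, and the handling of the received key material is simplified.

```python
import hashlib
import hmac

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def as_keys(k_gnb: bytes, alg_id: int = 2) -> dict:
    """KRRCenc, KRRCint, KUPenc from KgNB (FC 0x69), keeping the low 128 bits."""
    kinds = {"KRRCenc": 0x03, "KRRCint": 0x04, "KUPenc": 0x05}
    return {n: kdf(k_gnb, 0x69, bytes([t]), bytes([alg_id]))[-16:] for n, t in kinds.items()}

class GnbUeContext:
    """Hypothetical, simplified gNB-side AS security state for one UE."""

    def __init__(self, k_gnb: bytes):
        self.k_gnb, self.keys = k_gnb, as_keys(k_gnb)

    def apply(self, key_material: bytes, nsci: bool, pci: int = 1, arfcn: int = 1) -> dict:
        if nsci:
            # New security context: discard the old chain, restart from the new base key.
            self.k_gnb = key_material
        else:
            # Existing context: chain forward from NH with target-cell inputs (FC 0x70).
            self.k_gnb = kdf(key_material, 0x70, pci.to_bytes(2, "big"), arfcn.to_bytes(3, "big"))
        self.keys = as_keys(self.k_gnb)
        return self.keys

def demo() -> dict:
    # Constructed sample keys; real values come from primary authentication.
    k_amf_old, k_amf_new = bytes(range(32)), bytes(range(32, 64))
    count, access = (0).to_bytes(4, "big"), b"\x01"      # uplink NAS COUNT, 3GPP access
    kgnb_old = kdf(k_amf_old, 0x6E, count, access)
    kgnb_new = kdf(k_amf_new, 0x6E, count, access)
    nh_old = kdf(k_amf_old, 0x6F, kgnb_old)              # NH is rooted in the old KAMF

    ue = as_keys(kgnb_new)                               # UE already uses the new context
    honoured = GnbUeContext(kgnb_old)
    honoured.apply(kgnb_new, nsci=True)
    ignored = GnbUeContext(kgnb_old)
    ignored.apply(nh_old, nsci=False)                    # indicator lost: old chain continues
    return {
        "in_sync_when_honoured": honoured.keys == ue,
        "in_sync_when_ignored": ignored.keys == ue,
        "old_keys_reused": bool(set(as_keys(kgnb_old).values()) & set(ue.values())),
    }
```

Calling `demo()` shows that the gNB and UE agree on KRRCint, KRRCenc and KUPenc only when the indicator is honoured, and that none of the old AS keys reappear in the new context.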
Purpose & Motivation
The NSCI was introduced in 5G (Release 15) to provide an explicit and reliable signaling mechanism for security context freshness, addressing limitations and ambiguities present in previous generations like LTE. In LTE, the indication of a new security context was implicit or tied to specific procedures, which could lead to implementation ambiguities and potential security vulnerabilities. For instance, during certain handover scenarios, it might not have been unequivocally clear to the eNB whether it should use a freshly derived key or a key derived from previous material. This ambiguity could be exploited in sophisticated attacks.
The core problem NSCI solves is ensuring synchronized security state between the core network and the RAN. The core network (AMF/AUSF) is the ultimate authority on UE authentication and key generation. When it decides to refresh the security context, the RAN must be unequivocally informed to discard any old keying material and start using new keys. The NSCI provides this clear, in-band signal within the standard NGAP signaling. This is especially important for 5G's enhanced mobility scenarios, including inter-system handovers and connections to non-3GPP access, where the security context might need to be re-established more frequently. Its creation was motivated by the need for stronger, more explicit, and future-proof security signaling to support the diverse and demanding use cases of 5G, including massive IoT and ultra-reliable communications, where security robustness is paramount.
Detected Changes Across Releases
From 3GPP Change Requests
Specific changes extracted from the "Change history" tables of 3GPP specifications (13 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.
In Release 15, the NSCI function was not explicitly detailed in the source material for this release. That material describes the Initial Context Setup procedure for establishing the UE context at the NG-RAN node, which includes the Security Key, but does not specify the introduction of a New Security Context Indicator. The associated Change Requests for this release focused on NGAP corrections for procedures like Initial Context Setup and user-plane security handling during a PDU session's lifetime.
In Release 16, the New Security Context Indicator (NSCI) function was clarified within the UE Context Modification procedure to explicitly manage AS re-keying. This provided specific procedural guidance for when a new security context is established between the UE and the network. The update ensured the handling of the NSCI was unambiguously defined during access stratum security key renewal.
- (NGAP CR) support the UE Radio Capability for Paging in RACS context (TS 38.413 CR0688)
- Correction of Warning Security Information in ETWS primary notification (TS 38.413 CR0317)
- PDU session resource in UE context release (TS 38.413 CR0337)
- Clarification the usage of the New AMF UE NGAP ID included in the UE CONTEXT MODIFICATION REQUEST message (TS 38.413 CR0357)
- Clarification of AS re-keying in the UE Context Modification procedure (TS 38.413 CR0355)
In Release 17, the new NSCI function introduced support for mapping complete security capabilities from the NAS, specifically the UE Security Capabilities, during context establishment procedures. This enhancement provided a more comprehensive transfer of the UE's security parameters from the core network to the RAN, as part of the Initial Context Setup Request message. The change ensured the NG-RAN node had full visibility of the UE's supported security algorithms for robust session establishment.
In Release 18, the enhancement for the New Security Context Indicator (NSCI) function specifically addressed a misalignment in the UE Context Release procedure. This update ensured proper coordination between network functions during context release to maintain security state consistency. The change was implemented to resolve procedural conflicts that could arise when managing the UE's security context.
- Solving Misalignment in UE Context Release procedure (TS 38.413 CR1019)
In Release 19, the New Security Context Indicator (NSCI) function was introduced to enhance security for Ambient IoT (A-IoT) services in isolated private networks. This involved a correction to ensure the proper inclusion of a specific security parameter for A-IoT during context establishment procedures. The update ensures that the necessary security context is correctly established and managed for these constrained devices.
- Correction on the inclusion of security parameter for A-IoT (TS 38.413 CR1415)
Defining Specifications
3GPP specifications that define or reference NSCI, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 38.413 vj10 | NG Application Protocol (NGAP) | Rel-19 |