X-MAC

Computed MAC-I

Security
Introduced in Rel-8
X-MAC (Computed MAC-I) is a security parameter used in LTE and NR to verify the integrity and origin of RRC and NAS signaling messages. It is the expected Message Authentication Code computed by the receiving entity (UE or network) to compare against the received MAC-I for validation.

Description

X-MAC is a cryptographic value computed during integrity protection verification in the Radio Resource Control (RRC) and Non-Access Stratum (NAS) protocols of LTE (E-UTRAN) and NR (NG-RAN). It is not a transmitted field but an internally calculated value. When a secured message is sent, the transmitting entity (e.g., the gNB or AMF) calculates a Message Authentication Code for Integrity (MAC-I) using a cryptographic integrity algorithm (like 128-EIA1, EIA2, or EIA3), a secret integrity key (K_{RRCint} for RRC, in LTE and NR alike, or K_{NASint} for NAS), a COUNT value (a counter preventing replay attacks), a bearer identifier, a direction bit, and the message itself. This MAC-I is appended to the message.

Upon receipt, the receiving entity (e.g., the UE or the network node) performs the same calculation on the received message data before the MAC-I is verified. The result of this local computation is the X-MAC. The receiver then compares the computed X-MAC with the MAC-I received in the message. If they match exactly, it confirms that the message has not been altered in transit (integrity) and that it originated from an entity possessing the correct secret key (authentication). If they do not match, the message is discarded, and the failure is logged, potentially triggering security recovery procedures.

The computation is specified in detail in 3GPP TS 33.401 (for LTE) and TS 33.501 (for 5G). The integrity keys are derived during the Authentication and Key Agreement (AKA) procedure and are specific to the UE, session, and protocol layer. The COUNT is systematically incremented, and its synchronization between sender and receiver is critical; a mismatch will cause an X-MAC vs. MAC-I verification failure. This mechanism protects critical signaling commands like handover instructions, connection reconfigurations, and service requests from tampering or forgery.
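The receiver-side check described above, as an added example that is not taken from the 3GPP specifications or from any vendor stack. It frames the input the way 128-EIA2 does (COUNT, BEARER, DIRECTION, zero padding, then the message) and truncates the result to 32 bits, but swaps the AES-CMAC primitive for HMAC-SHA-256 so that it runs on the Python standard library alone. The `Receiver` class, its single COUNT counter, the key and the message are constructed for illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4  # MAC-I and X-MAC are 32 bits long


def build_input(count, bearer, direction, message):
    """COUNT (32 bits) || BEARER (5) || DIRECTION (1) || 26 zero bits || MESSAGE."""
    if not (0 <= count < 2**32 and 0 <= bearer < 32 and direction in (0, 1)):
        raise ValueError("COUNT, BEARER or DIRECTION out of range")
    return struct.pack(">IB3x", count, (bearer << 3) | (direction << 2)) + message


def compute_mac(key, count, bearer, direction, message):
    """Sender: MAC-I. Receiver: X-MAC. Same function, same inputs."""
    # Stand-in primitive (assumption): HMAC-SHA-256, not the AES-CMAC of 128-EIA2.
    data = build_input(count, bearer, direction, message)
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


class Receiver:
    """Hypothetical receiver state: key, bearer, direction, next expected COUNT."""

    def __init__(self, key, bearer, direction):
        self.key, self.bearer, self.direction = key, bearer, direction
        self.count = 0

    def receive(self, message, mac_i):
        x_mac = compute_mac(self.key, self.count, self.bearer, self.direction, message)
        if not hmac.compare_digest(x_mac, mac_i):  # constant-time comparison
            return False  # discard; COUNT is not advanced
        self.count += 1
        return True


if __name__ == "__main__":
    key = bytes(range(16))              # constructed 128-bit key
    msg = b"constructed RRC message"    # constructed payload
    rx = Receiver(key, bearer=1, direction=1)
    mac_i = compute_mac(key, 0, 1, 1, msg)
    print("genuine :", rx.receive(msg, mac_i))
    print("replayed:", rx.receive(msg, mac_i))
    print("tampered:", rx.receive(msg + b"!", compute_mac(key, 1, 1, 1, msg)))
```

The replayed message fails because the receiver has already advanced its COUNT, so its X-MAC no longer matches the old MAC-I.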

Purpose & Motivation

X-MAC verification exists to fulfill the fundamental security requirements of integrity and data origin authentication for control plane signaling. Without it, an attacker could modify or spoof signaling messages, leading to service disruption, forced handovers to rogue cells, denial of service, or privacy breaches. Prior to 3G and the full implementation of cryptographic integrity in LTE/5G, some signaling messages had weaker or no integrity protection, making networks vulnerable to certain attacks.

The introduction of mandatory integrity protection with strong algorithms in LTE Rel-8, and its continuation in NR, was a direct response to the evolving threat landscape for mobile networks. The X-MAC comparison is the operational heart of this protection. It allows the receiver to autonomously and efficiently verify every secured message without further network interaction. The design using a computed value (X-MAC) versus a received one (MAC-I) provides a clear procedural separation between the calculation and the verification step, which is important for secure software implementation and testing.

Key Features

  • Locally computed value for integrity verification of RRC/NAS messages
  • Uses standardized integrity algorithms (EIA1, EIA2, EIA3, NIA1, etc.)
  • Derived from secret session keys, COUNT values, and message content
  • Essential for preventing message tampering, forgery, and replay attacks
  • Verification failure leads to message discard and security event reporting
  • Fundamental to the security architecture of both LTE and 5G NR

Evolution Across Releases

Rel-8 Initial

Introduced with LTE security architecture in TS 33.401. Defined the computation of X-MAC for integrity verification of RRC and NAS signaling using new 128-bit EPS integrity algorithms (EIA), providing stronger protection than prior 3G mechanisms.

Defining Specifications

Specification    Title
TS 36.323        3GPP TR 36.323
TS 38.323        3GPP TR 38.323