Why NAS Security is activated before AS security and not the other way round?
To answer this question, we need to have a look on the protocol stack of NAS and AS.
The purpose of NAS security is to securely deliver NAS signalling messages between a UE and an MME using NAS security keys.
Also as per 3GPP Access security activation must be performed after setting up SRB0 and SRB 1 and before setting up SRB2 and any DRBs.
SRB0 cannot be used after security activation.
While the purpose of AS security is to secure RRC messages between a UE and enb in the control plane and IP packets in the user plane using AS security keys.
Last but not the least…
AS is a continuous process where keys are derived from Kennedy and new keys are generated every time a new radio link is established which is not feasible or beneficial to do in case of NAS.
I believe that the priority of NAS security is to validate UE belongs to this Network, AS Security after ensuring that this UE can get services on this network.
Algorithm wise it’s like snow3g, null, etc.
With config like eea0, eea1 as per UE capability.
Can we discuss more on algo part?
Yes these are integrity identifier.
After receiving NAS security mode command from UE, MME Sends the KeNB to eNB with S1AP Initial Context Setup Request (Security key)
The purpose of AS security is to securely deliver RRC messages between a UE and an eNB in the control plane and IP packets in the user plane using AS security keys.
The AS security keys are derived from KeNB and new keys are generated every time a new radio link is established (that is, when RRC state moves from idle to connected)
so without KeNB witch sent after NAS security command ,AS security keys cannot be derived