RRC 5G gNB -> UE 3GPP TS 38.331

5G NR - SecurityModeCommand

Downlink NR RRC message used by the gNB to activate AS security for the UE in RRC_CONNECTED.

Message Fact Sheet

Protocol	rrc	Network	5g
Spec	3GPP TS 38.331	Spec Section	5.3.4, 6.2.2, Annex B.1
Direction	gNB -> UE	Message Type	Security Control

Full message name	5G NR - SecurityModeCommand
Protocol	RRC
Technology	5G
Direction	gNB -> UE
Interface	Uu
Signaling bearer / channel	SRB1 / DL-DCCH
Typical trigger	The gNB initiates initial AS security activation after RRC setup is complete and the network is ready to activate the selected NR security algorithms.
Main purpose	Commands the UE to activate the selected RRC integrity and ciphering algorithms and to move the connection into protected AS signaling.
Procedures where used	Initial AS Security Activation, Initial Registration, Connected-Mode Security Setup
Related timers	T380
Related cause values	No explicit reject cause IE is carried in SecurityModeCommand itself, Failure diagnosis depends on integrity verification, selected algorithms, and the UE response
Main specification	3GPP TS 38.331, 5.3.4, 6.2.2, Annex B.1

What this message does in simple terms

Downlink NR RRC message used by the gNB to activate AS security for the UE in RRC_CONNECTED.

Commands the UE to activate the selected RRC integrity and ciphering algorithms and to move the connection into protected AS signaling.

Why this message matters

SecurityModeCommand is the gNB telling the UE which RRC security algorithms to activate so later connected-mode signaling can be protected.

Where this message is used

Initial AS Security Activation

Call flow position: Network command sent after the UE has entered connected mode and before later protected RRC procedures such as reconfiguration.

Typical state: UE is in RRC_CONNECTED with SRB1 available, but AS security activation is still being completed.

Preconditions:

RRC connection establishment completed successfully.
The network has selected the NR AS security algorithms for the UE.
SRB1 and DCCH signaling are available.

Next likely message: SecurityModeComplete if the UE accepts and successfully activates the configuration

5G Initial Registration

Call flow position: Appears after the initial radio setup and core-side authentication / NAS security steps in the broader registration path.

Typical state: UE is connected and the network is preparing to secure later RRC signaling.

Preconditions:

Initial access and RRC setup succeeded.
The registration procedure has advanced far enough for AS security activation.

Next likely message: SecurityModeComplete followed by later dedicated RRC signaling

Full Procedure Context

Previous message(s): RRCSetupComplete, Downlink NAS Transport

Next message(s): SecurityModeComplete, SecurityModeFailure, RRCReconfiguration

Message Direction and Transport

Sender and receiver: gNB -> UE

Interface: Uu

Domain: Access-side radio control with AS security activation

Signaling bearer: SRB1

Logical channel: DL-DCCH

Transport / encapsulation: RRC over DCCH on SRB1 after RRC connection establishment and before normal protected connected-mode signaling proceeds

Security context: SecurityModeCommand itself is integrity protected, but not ciphered. The message activates the AS security context used for later protected RRC signaling.

Message Structure Overview

SecurityModeCommand is structurally compact. The message is mostly the transaction identifier plus securityConfigSMC.
The operationally important part is the selected algorithm configuration, because it drives how the UE derives and applies the AS security context.
This page covers the NR RRC message from TS 38.331, not the NAS Security Mode Command defined in TS 24.501.

ASN.1 for 5G NR - SecurityModeCommand

SecurityModeCommand ::= SEQUENCE {
  rrc-TransactionIdentifier RRC-TransactionIdentifier,
  criticalExtensions CHOICE {
    securityModeCommand SecurityModeCommand-IEs,
    criticalExtensionsFuture SEQUENCE {}
  }
}

SecurityModeCommand-IEs ::= SEQUENCE {
  securityConfigSMC        SecurityConfigSMC,
  lateNonCriticalExtension OCTET STRING OPTIONAL,
  nonCriticalExtension     SEQUENCE {} OPTIONAL
}

SecurityConfigSMC ::= SEQUENCE {
  securityAlgorithmConfig  SecurityAlgorithmConfig
}

How to read this ASN.1

In practice, engineers should focus on the selected security algorithms and whether the UE successfully verifies integrity and responds with SecurityModeComplete.

Decoded Message Dump

DL-DCCH-Message
  message: securityModeCommand
    rrc-TransactionIdentifier: 2
    criticalExtensions:
      securityModeCommand:
        securityConfigSMC:
          securityAlgorithmConfig:
            cipheringAlgorithm: nea2
            integrityProtAlgorithm: nia2
        lateNonCriticalExtension: absent
        nonCriticalExtension: absent

How to read this dump

The most important values are the selected NR ciphering and integrity algorithms.
This message should arrive on SRB1 / DL-DCCH, not on SRB0.
A normal success path is SecurityModeCommand followed by SecurityModeComplete and then later protected RRC signaling such as RRC Reconfiguration.

Information Elements

IE	Required	Description
`rrc-TransactionIdentifier`	Yes	Transaction identifier used to correlate the SecurityModeCommand with the UE response.
`securityConfigSMC`	Yes	Core payload of the message. It carries the selected security algorithms for AS security activation.
`securityAlgorithmConfig`	Yes	Part of securityConfigSMC that indicates the chosen ciphering and integrity algorithms for NR RRC and related protected signaling.
`lateNonCriticalExtension`	Optional	Extension container used for release evolution and compatibility handling.
`nonCriticalExtension`	Optional	Forward-compatible extension branch for later release additions.

Detailed field explanation

`rrc-TransactionIdentifier`

Transaction identifier used to correlate the SecurityModeCommand with the UE response.

Presence: Required

`securityConfigSMC`

Core payload of the message. It carries the selected security algorithms for AS security activation.

Presence: Required

`securityAlgorithmConfig`

Part of securityConfigSMC that indicates the chosen ciphering and integrity algorithms for NR RRC and related protected signaling.

Presence: Required

`lateNonCriticalExtension`

Extension container used for release evolution and compatibility handling.

Presence: Optional

`nonCriticalExtension`

Forward-compatible extension branch for later release additions.

Presence: Optional

What to check in logs and traces

Confirm the message follows a valid RRC setup path and is sent on SRB1 / DL-DCCH.
Inspect the selected cipheringAlgorithm and integrityProtAlgorithm values.
Verify that the UE can support the chosen algorithms and that the network selection matches the scenario.
Check whether integrity verification of SecurityModeCommand succeeds at the UE.
Correlate with the next UE response: SecurityModeComplete or SecurityModeFailure.
If later signaling fails, verify whether AS security was activated correctly before RRCReconfiguration.

Common Issues and Troubleshooting

SecurityModeCommand is never sent after RRCSetupComplete.

Likely cause: The broader procedure may still be blocked in authentication, NAS security, or network-side admission logic before AS security activation starts.

What to inspect: Check the surrounding registration / authentication flow and whether the gNB is actually expected to start AS security.

Next step: Correlate radio traces with the core-side registration path before blaming the RRC message itself.

UE receives SecurityModeCommand but does not send SecurityModeComplete.

Likely cause: Integrity verification may fail, the security configuration may be inconsistent, or the UE may not accept the selected algorithms.

What to inspect: Check message integrity handling, algorithm values, key derivation assumptions, and any immediate UE-side failure indication.

Next step: Walk the security activation procedure and compare with a successful trace.

SecurityModeFailure or later RRC failure occurs after SecurityModeCommand.

Likely cause: AS security activation may have failed even though the message decode looks correct.

What to inspect: Check the UE response, transaction identifier correlation, and whether later RRC messages are protected as expected.

Next step: Validate the transition from unprotected early signaling to protected connected-mode signaling.

Engineers confuse this message with NAS Security Mode Command.

Likely cause: Both messages have similar names but belong to different protocol layers.

What to inspect: Check whether the message is in TS 38.331 RRC or TS 24.501 NAS signaling.

Next step: Separate RRC AS security activation analysis from NAS security analysis.

Detailed explanation

5G NR - SecurityModeCommand Message Explained

The SecurityModeCommand message is the NR RRC message the gNB uses to activate AS security for the UE in 5G NR. It is sent after the UE has already completed the basic RRC setup path and before the network continues with later protected connected-mode signaling.

In simple terms, this is the moment where the network tells the UE which RRC security algorithms to use. After this step succeeds, later RRC signaling is expected to use the activated protection context.

This page covers the NR RRC SecurityModeCommand from 3GPP TS 38.331. It does not cover the similarly named NAS Security Mode Command from TS 24.501.

Why SecurityModeCommand matters

SecurityModeCommand is the bridge between early connected-mode setup and protected RRC operation.

It matters because it tells you:

the network is ready to activate AS security
which ciphering and integrity algorithms were selected
whether the UE can move into protected RRC signaling
whether later failures might actually be rooted in security activation rather than reconfiguration

If this message is missing, malformed, or followed by the wrong UE behavior, later procedures such as RRC Reconfiguration can fail even though the earlier setup path looked healthy.

Where SecurityModeCommand appears in the call flow

A common success path is:

RRC Setup from gNB to UE
RRCSetupComplete from UE to gNB
SecurityModeCommand from gNB to UE
SecurityModeComplete from UE to gNB
RRC Reconfiguration and other later protected RRC signaling

In a broader registration trace, this means SecurityModeCommand usually appears after the UE has already delivered its initial NAS message through RRCSetupComplete and the network is ready to activate radio-side security.

Call flow position

A compact NR signaling view is:

UE                              gNB
|                               |
|----- RRCSetupComplete ------->|
|                               |
|<---- SecurityModeCommand -----|
|                               |
|---- SecurityModeComplete ---->|
|                               |
|<----- RRCReconfiguration -----|
|                               |

This sequence shows the normal success path:

RRCSetupComplete finishes the initial connection setup
SecurityModeCommand activates AS security
SecurityModeComplete confirms that the UE accepted and applied the security configuration
RRC Reconfiguration and later connected-mode signaling continue under the activated protection context

For the full procedure walkthrough, see the dedicated call flow page:

5G Security Mode Command Procedure

Transport characteristics

For trace analysis, the transport profile is:

Direction: gNB to UE
Bearer: SRB1
Logical channel: DL-DCCH
RLC mode: AM
Protocol layer: NR RRC

This is different from early setup messages on SRB0. By the time SecurityModeCommand appears, the UE is already using the dedicated connected-mode control bearer.

Protection behavior

SecurityModeCommand is special because it is part of security activation itself.

In practice:

the message is integrity protected
the message is not ciphered
the UE verifies the message and then activates the selected AS security context if the procedure succeeds

This is why engineers should not expect the command itself to be encrypted, even though it is directly tied to enabling later protected signaling.

What engineers should inspect first

When SecurityModeCommand appears, inspect in this order:

Did it arrive on SRB1 / DL-DCCH?
What algorithms were selected in securityAlgorithmConfig?
Does the UE respond with SecurityModeComplete or fail silently?
Are later messages protected as expected after this step?
Is there any confusion between RRC SecurityModeCommand and NAS Security Mode Command in the trace?

Practical troubleshooting guidance

This message is best analyzed together with:

If the command is present but the procedure still fails, the main engineering questions are:

did the UE verify the message successfully?
were the selected algorithms expected for this UE and scenario?
did the connection actually transition into protected RRC operation?
is the failure in AS security activation or in a later connected-mode procedure?

5G NR - RRC Setup for the connected-mode setup that typically precedes this message
5G NR - RRCSetupComplete for the UE response that commonly appears just before AS security activation
5G NR - RRC Reconfiguration for a later protected RRC message that often depends on this step succeeding

Summary

SecurityModeCommand is the NR RRC message that activates AS security in the radio connection.

The key engineering points are:

it is an RRC message, not the NAS message with a similar name
it carries the selected securityConfigSMC
it is sent on SRB1 / DL-DCCH
it is integrity protected but not ciphered
later connected-mode signaling depends on this step succeeding cleanly

FAQ

What does SecurityModeCommand do in 5G NR?

It commands the UE to activate the selected AS security algorithms for NR RRC signaling.

Who sends SecurityModeCommand?

The gNB sends SecurityModeCommand to the UE.

Is SecurityModeCommand an RRC or NAS message?

This page covers the NR RRC SecurityModeCommand defined in TS 38.331, not the NAS Security Mode Command from TS 24.501.

What is the most important IE in SecurityModeCommand?

securityConfigSMC, especially securityAlgorithmConfig, is the most important part because it tells the UE which algorithms to activate.

What comes after SecurityModeCommand?

A successful path leads to SecurityModeComplete, and later protected RRC signaling such as RRCReconfiguration.

Is SecurityModeCommand ciphered?

No. The message is integrity protected but not ciphered.

Why would SecurityModeCommand fail?

Typical reasons include integrity verification failure, unsupported or inconsistent algorithm handling, or broader security activation issues.

Summary

Downlink NR RRC message used by the gNB to activate AS security for the UE in RRC_CONNECTED.

Advanced Engineer Notes

SecurityModeCommand is a key transition point: after early connection-establishment signaling, the connection moves into AS-protected RRC operation.
The message is integrity protected but not ciphered, so engineers should not expect the command itself to be encrypted.
Many trace issues blamed on later RRCReconfiguration actually start here if the AS security activation step is incomplete or inconsistent.

LTE / 5G / Variant Comparison

RRC vs NAS Security Mode Command

This page covers the NR RRC SecurityModeCommand from TS 38.331. The NAS Security Mode Command is a different message in TS 24.501 and is used for NAS security rather than AS security.

Related Messages

Related Procedures

Related Tools

Use This Reference in Practice

Decode this message with the 3GPP Decoder, inspect the related message database, or open the matching call flow to see where this signaling step fits in the full procedure.

5G NR - SecurityModeCommand

Message Fact Sheet

What this message does in simple terms

Why this message matters

Where this message is used

Initial AS Security Activation

5G Initial Registration

Full Procedure Context

Message Direction and Transport

Message Structure Overview

ASN.1 for 5G NR - SecurityModeCommand

How to read this ASN.1

Decoded Message Dump

How to read this dump

Information Elements

Detailed field explanation

rrc-TransactionIdentifier

securityConfigSMC

securityAlgorithmConfig

lateNonCriticalExtension

nonCriticalExtension

What to check in logs and traces

Common Issues and Troubleshooting

SecurityModeCommand is never sent after RRCSetupComplete.

UE receives SecurityModeCommand but does not send SecurityModeComplete.

SecurityModeFailure or later RRC failure occurs after SecurityModeCommand.

Engineers confuse this message with NAS Security Mode Command.

Detailed explanation

5G NR - SecurityModeCommand Message Explained

Why SecurityModeCommand matters

Where SecurityModeCommand appears in the call flow

Call flow position

Transport characteristics

Protection behavior

What engineers should inspect first

Practical troubleshooting guidance

Related message pages

Summary

FAQ

What does SecurityModeCommand do in 5G NR?

Who sends SecurityModeCommand?

Is SecurityModeCommand an RRC or NAS message?

What is the most important IE in SecurityModeCommand?

What comes after SecurityModeCommand?

Is SecurityModeCommand ciphered?

Why would SecurityModeCommand fail?

Summary

Advanced Engineer Notes

LTE / 5G / Variant Comparison

RRC vs NAS Security Mode Command

Related Messages

Related Procedures

Related Tools

Use This Reference in Practice

`rrc-TransactionIdentifier`

`securityConfigSMC`

`securityAlgorithmConfig`

`lateNonCriticalExtension`

`nonCriticalExtension`