Description in the LTE specification:
The UE shall accept a SECURITY MODE COMMAND message indicating the "null integrity protection algorithm" EIA0 as the selected NAS integrity algorithm only if the message is received for a UE that has a PDN connection for emergency bearer services established, or a UE that is attached for access to RLOS, or a UE that is establishing a PDN connection for emergency bearer services or a UE that is requesting attach for access to RLOS.
Input of TPG:
initiate state: UE has not established NAS security context (added by expert)
condition event: UE receives a SECURITY MODE COMMAND message indicating the "null integrity protection algorithm" EIA0 when UE does not has a PDN connection for emergency bearer services established, or a UE that is attached for access to RLOS, or a UE that is establishing a PDN connection for emergency bearer services or a UE that is requesting attach for access to RLOS.
expected operation: UE accept a SECURITY MODE COMMAND message
(negative testing)
Reasoned chain and sentences used:
Reason for condition event
>> The condition event is a message that the testing system can directly trigger, so it does not need to be reasoned. The message's parameter setting can be derived by expert from the sentence, which, actually, is the security requirement (description of the condition event) here.
condition event: UE receives a SECURITY MODE COMMAND message indicating the "null integrity protection algorithm" EIA0 when UE does not has a PDN connection for emergency bearer services established, or a UE that is attached for access to RLOS, or a UE that is establishing a PDN connection for emergency bearer services or a UE that is requesting attach for access to RLOS.
Reason for expected operation
EDG: SECURITY MODE COMMAND message can be accepted --> UE shall send a SECURITY MODE COMPLETE message
sentence: If the SECURITY MODE COMMAND message can be accepted, the UE shall send a SECURITY MODE COMPLETE message integrity protected with the selected NAS integrity algorithm and the EPS NAS integrity key based on the K'ASME or mapped K'ASME if the type of security context flag is set to "mapped security context" indicated by the eKSI.
>> This means that the observation of the event *UE sends a SECURITY MODE COMPLETE message* will indirectly prove the occurence of the event *SECURITY MODE COMMAND message can be accepted*. Notably, when the testing system observes it, it means that the UE performs a not-allowed operation (UE accept the SMC) violating this security requirement.
Note: the colored phrase are the messages to transmit and the parameters required to set.