Figure 1-1 shows the relationship between a Connection Layer packet, an Encryption Protocol packet, an Authentication Protocol packet, a Security Protocol packet, and a MAC Layer packet payload.

When a Connection Layer packet that is to be authenticated or encrypted is delivered to the Security Layer, the following steps are performed by the protocols in the Security Layer in the order specified below:

• The Security Layer protocol generates a cryptosync for the channel for which the Connection Layer packet is destined. For the purpose for referencing this value of cryptosync in the following steps, denote this value as TheCryptosync.

• The Connection Layer packet and TheCryptosync are delivered to the Encryption Protocol.

• If the Connection Layer packet is to be encrypted, the Encryption Protocol uses TheCryptosync, the encryption key, and other parameters specified by the Encryption Protocol (if any) to encrypt the Connection Layer packet and construct the Encryption Protocol packet.

• The Encryption Protocol delivers the Encryption Protocol packet and TheCryptosync to the Authentication Protocol.

• If the Encryption Protocol packet is to be authenticated, the Authentication Protocol uses TheCryptosync, authentication key, and other parameters specified by the Authentication Protocol to construct the Authentication Protocol packet.

• The Authentication Protocol delivers the Authentication Protocol packet and TheCryptosync to the Security Protocol.

• The Security Protocol uses TheCryptosync to construct the Security Protocol header and trailer (if any).

• The Security Protocol delivers the Security Protocol packet to the MAC layer.

Conversely, when the Security Layer receives a MAC Layer Packet payload that is either authenticated or encrypted, the following steps are performed by the protocols in the Security Layer in the order specified below:

• The Security Protocol constructs the Cryptosync using the Security Protocol header and trailer (if any). For the purpose for referencing this value of cryptosync in the following steps, denote this value as "TheCryptosync".

• The Security Protocol removes the Security Protocols header and trailer and delivers TheCryptosync and the Security Protocol payload to the Authentication Protocol.

• If the Authentication Protocol packet is authenticated, the Authentication Protocol uses TheCryptosync, authentication key, Authentication Protocol payload, Authnetication Protocol header and trailer, and other parameters specified by the Authentication Protocol (if any) to verify the authentication signature. If the authentication signature passes, then the Authentication Protocol delivers the  Authentication Protocol payload to the Encryption Protocol, otherwise the Authentication Protocol Packet is discarded. If the authentication signature does not pass, then the Authentication Protocol discards the packet.

• If the Authentication Protocol packet is not authenticated, then the Authentication Protocol delivers the Authentication Protocol payload to the Encryption Protocol.

• If the Encryption Protocol packet is encrypted, the Encryption Protocol uses TheCryptosync and the encryption key to decrypt the Encryption Protocol packet. The decrypted payload is then delivered to the Connection Layer.

• If the Encryption Protocol packet is not encrypted, the Encryption Protocol packet is delivered to the Connection Layer.

• The Security Layer provides two pairs of security information to the Connection Layer. The first indicates:

− Whether or not the Security Layer session configuration supported encryption of the Security Layer packet, and

− Whether or not the Security Layer decrypted the Security Layer packet1.

The second indicates:

− Whether or not the Security Layer session configuration supported encryption of the Security Layer packet, and

− Whether or not the Security Layer authenticated the Security Layer packet.

The receiving application or protocol may use these two pairs of security information to determine whether or not to discard the payload.

The access terminal shall not require Connection Layer packets that satisfy any of the following conditions to be encrypted:

• A Connection Layer packet that is received on the Control Channel and its encapsulating MAC Layer packets was not addressed using the Unicast Addressing mode.

• A Connection Layer packet that is received on the Control Channel and contains a SessionClose² message associated with the Default Session Management Protocol.

• The Connection Layer packets that contain any of the messages that are excluded from being encrypted by the protocol that defines the message.

² The access network must be able to close the session in case it does not have access terminals session (e.g., if it cannot retrieve the session from the old subnet).