There are two ways to generate security keys for access stratum . One is known as horizontal key derivation and the other one "vertical key derivation".
During the X2 handover, Kenb* is generated by source eNodeB based on the parameters such as Kenb (source eNodeB), PCI and DL-EARFCN of target cell. This generated Kenb* is communicated to target cell by using the "HANDOVER REQUEST" message.
Once the X2 handover gets completed, target eNodeB sends "PATH SWITCH REQUEST" message to MME and MME responds to target eNodeB with the new {NH, NCC} parameters in "PATH SWITCH REQUEST ACKNOWLEDGE". These new security parameters will be used for the next subsequent handover. This is the example of horizontal key derivation.
During S1 based handover, MME knows the running status of a handover procedure so it takes care of security in advance. MME sends {NH, NCC} to target eNodeB and the target eNodeB generates new Kenb* based on the received parameter. This is the example of vertical key derivation.