With respect to security, two links need to be secured:
1> Core network communication (UE - MME)
2> Network (access) edge communication (UE - eNodeB)
So the MME takes the key from the HSS, generates the authentication vectors and sends them to the UE and the eNodeB, but it does not directly share the KASME generated by the UE.
The derived key is used for security purposes (both AS and NAS).
Another scenario:
When the UE is in IDLE mode there is no context at the eNodeB either, so messages are exchanged using NAS security only until the UE moves to connected mode.
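
The key separation described above, as an added example that is not part of the original text: the key derivations from 3GPP TS 33.401 Annex A, written in Python, showing that NAS keys come straight from KASME while the eNodeB only ever receives K_eNB and the AS keys derived from it. The function names, the sample KASME and the choice of algorithm identity 2 (128-EEA2 / 128-EIA2) are assumptions made for illustration.

```python
import hashlib
import hmac

# Algorithm type distinguishers from TS 33.401 Annex A.7
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT, UP_ENC = 1, 2, 3, 4, 5

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 Annex B KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # each parameter is followed by its 2-byte length
    return hmac.new(key, s, hashlib.sha256).digest()

def alg_key(parent: bytes, distinguisher: int, alg_id: int) -> bytes:
    """128-bit algorithm key (FC = 0x15): the 128 least significant bits of the KDF output."""
    return kdf(parent, 0x15, bytes([distinguisher]), bytes([alg_id]))[16:]

def derive_kenb(kasme: bytes, ul_nas_count: int) -> bytes:
    """K_eNB (FC = 0x11), bound to the uplink NAS COUNT. Computed by the MME and the UE."""
    return kdf(kasme, 0x11, ul_nas_count.to_bytes(4, "big"))

def nas_keys(kasme: bytes, enc_alg: int = 2, int_alg: int = 2) -> dict:
    """Keys protecting UE - MME signalling; derived directly from KASME."""
    return {"K_NASenc": alg_key(kasme, NAS_ENC, enc_alg),
            "K_NASint": alg_key(kasme, NAS_INT, int_alg)}

def as_keys(kenb: bytes, enc_alg: int = 2, int_alg: int = 2) -> dict:
    """Keys protecting UE - eNodeB traffic; derived from K_eNB, never from KASME."""
    return {"K_RRCenc": alg_key(kenb, RRC_ENC, enc_alg),
            "K_RRCint": alg_key(kenb, RRC_INT, int_alg),
            "K_UPenc": alg_key(kenb, UP_ENC, enc_alg)}

def active_keys(kasme: bytes, ul_nas_count: int, connected: bool) -> dict:
    """Keys in use at the UE: NAS only while idle, NAS plus AS once connected."""
    keys = nas_keys(kasme)
    if connected:
        # The eNodeB is handed K_eNB only, so it cannot compute the NAS keys.
        keys.update(as_keys(derive_kenb(kasme, ul_nas_count)))
    return keys

# Constructed sample value, not a real subscriber key.
SAMPLE_KASME = bytes(range(32))

if __name__ == "__main__":
    for state, connected in (("IDLE", False), ("CONNECTED", True)):
        print(state)
        for name, value in active_keys(SAMPLE_KASME, 7, connected).items():
            print(f"  {name} = {value.hex()}")
```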