There may be various reasons to apply two levels ( AS and NAS) security in lte. A Ue performs basically two operations (Control and Data ) operations. Its network responsibility to secure these two. I mean Network secure control and data. UE performs control signaling with eNB and MME like RRC message and NAS messages. UE receives and send data through ENB there is no direct interface with any other node for SGW.
So to secure NAS and RRC signalling both. There are two Security mode command sent out to UE. One for NAS and one for RRC. Kasme is used as input to generate NAS int and encryption keys for the security of NAS messages. Kenb is used as input to generate RRCint, RRCenc, RRCup keys for the security of RRC messages and Data.
NAS security mode command tells to UE about selected algorithm for NAS keys. To generate NAS Keys Kasme and selected algo is used. So NAS security keys changes only when either Kasme changes or supported algorithms changes. and Similarly AS security modes command tells to UE about selected algo for Radio.