diff --git a/pkg/networkserver/mac/rekey.go b/pkg/networkserver/mac/rekey.go
index 05b09cd851..755ea24670 100644
--- a/pkg/networkserver/mac/rekey.go
+++ b/pkg/networkserver/mac/rekey.go
@@ -54,10 +54,11 @@ func HandleRekeyInd(ctx context.Context, dev *ttnpb.EndDevice, pld *ttnpb.MACCom
 
 	conf := &ttnpb.MACCommand_RekeyConf{}
 	dev.MacState.LorawanVersion, conf.MinorVersion = macspec.NegotiatedVersion(dev.LorawanVersion, pld.MinorVersion)
+	dev.MacState.CipherId = macspec.NegotiatedCipherSuite(pld.Cipher)
 	dev.MacState.PendingJoinRequest = nil
 	dev.PendingMacState = nil
 	dev.PendingSession = nil
-	conf.Cipher = pld.Cipher
+	conf.Cipher = ttnpb.CipherEnum(dev.MacState.CipherId)
 
 	dev.MacState.QueuedResponses = append(dev.MacState.QueuedResponses, conf.MACCommand())
 	return append(evs,
diff --git a/pkg/networkserver/mac/rekey_test.go b/pkg/networkserver/mac/rekey_test.go
index 6b6b14b5a0..5bf842af65 100644
--- a/pkg/networkserver/mac/rekey_test.go
+++ b/pkg/networkserver/mac/rekey_test.go
@@ -294,23 +294,23 @@ func TestHandleRekeyInd(t *testing.T) {
 						{},
 						(&ttnpb.MACCommand_RekeyConf{
 							MinorVersion: 2,
-							Cipher:       3,
+							Cipher:       0,
 						}).MACCommand(),
 					},
 				},
 			},
 			Payload: &ttnpb.MACCommand_RekeyInd{
 				MinorVersion: 2,
-				Cipher:       3,
+				Cipher:       0,
 			},
 			Events: events.Builders{
 				EvtReceiveRekeyIndication.With(events.WithData(&ttnpb.MACCommand_RekeyInd{
 					MinorVersion: 2,
-					Cipher:       3,
+					Cipher:       0,
 				})),
 				EvtEnqueueRekeyConfirmation.With(events.WithData(&ttnpb.MACCommand_RekeyConf{
 					MinorVersion: 2,
-					Cipher:       3,
+					Cipher:       0,
 				})),
 			},
 		},
diff --git a/pkg/specification/macspec/specification.go b/pkg/specification/macspec/specification.go
index 2e39e6d68e..cb23d826a9 100644
--- a/pkg/specification/macspec/specification.go
+++ b/pkg/specification/macspec/specification.go
@@ -167,6 +167,20 @@ func NegotiatedVersion(v ttnpb.MACVersion, upperBound ttnpb.Minor) (ttnpb.MACVer
 	return version, upperBound
 }
 
+// NegotiatedCipherSuite returns the cipher suite that should be
+// used by the end device and network server as part of the
+// RekeyInd{Conf} handshake.
+// cipherEnum is the Device requested cipher suite.
+// The only supported cipher suite is the default (0).
+func NegotiatedCipherSuite(cipherEnum ttnpb.CipherEnum) uint32 {
+	switch cipherEnum {
+	case ttnpb.CipherEnum_CIPHER_0:
+		return 0
+	default:
+		panic(fmt.Errorf("unhandled cipher suite %d", cipherEnum))
+	}
+}
+
 // AllowDuplicateLinkADRAns reports whether v is allowed to use
 // duplicate LinkADRAns MAC responses within the same message.
 func AllowDuplicateLinkADRAns(v ttnpb.MACVersion) bool {