Tech-invite3GPPspaceIETF RFCsSIP
Quick21222324252627282931323334353637384‑5x

Content for  TS 24.109  Word version:  17.2.0

Top   Top   None   None   Next
1…   4…   A…

 

1  Scopep. 7

The present document defines stage 3 for the HTTP Digest AKA as specified in RFC 3310 based implementation of Ub interface (UE-BSF), the Disposable-Ks model based implementation of Upa interface (NAF-UE) and the HTTP Digest as specified in RFC 7616 and the PSK TLS based implementation of bootstrapped security association usage over Ua interface (UE-NAF) in Generic Authentication Architecture (GAA) as specified in TS 33.220. The purpose of the Ub interface is to create a security association between UE and BSF for further usage in GAA applications. The purpose of the Upa interface is to provide a push mechanism to created a bootstrapped security association between the UE and NAF for secure communication of pushed messages. The purpose of the Ua interface is to use the so created bootstrapped security association between UE and NAF for secure communication.
The present document also defines stage 3 for the Authentication Proxy usage as specified in TS 33.222.
The present document also defines stage 3 for the subscriber certificate enrolment as specified in TS 33.221 which is one realization of the Ua interface. The subscriber certificate enrolment uses the HTTP Digest based implementation of bootstrapped security association usage to enrol a subscriber certificate and the delivery of a CA certificate.
The present document also defines stage 3 for TLS using AKMA (Authentication and Key Management for Applications) keys over the Ua* interface (AKMA AF-UE) as described in TS 33.535.
Up

2  Referencesp. 7

The following documents contain provisions, which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1]
TS 33.220: "Generic Authentication Architecture (GAA); Generic bootstrapping architecture".
[2]
TR 33.919: "Generic Authentication Architecture (GAA); System description".
[3]
TS 29.109: "Generic Authentication Architecture (GAA); Zh and Zn Interfaces based on the Diameter protocol; Protocol details".
[4]
TS 33.221: "Generic Authentication Architecture (GAA); Support for Subscriber Certificates".
[5]
TS 33.222: "Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS)".
[6]
RFC 3310:  "Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA)".
[7]
TS 23.003: "Numbering, addressing and identification".
[8]
RFC 3023:  "XML Media Types".
[9]  Void.
[10]  Void.
[11]  Void.
[12]
RFC 2818:  "HTTP over TLS".
[13]
TS 24.228: Release 5: "Signalling flows for the IP multimedia call control based on Session Initiation Protocol (SIP) and Session Description Protocol (SDP); Stage 3".
[14]  Void.
[15]  Void.
[16]
PKCS#10 v1.7: "Certification Request Syntax Standard". ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-10/pkcs-10v1_7.pdf
[17]
WAP Forum "WPKI: Wireless Application Protocol; Public Key Infrastructure Definition": http://www1.wapforum.org/tech/documents/WAP-217-WPKI-20010424-a.pdf.
[18]  Void.
[19]
Open Mobile Alliance "ECMAScript Crypto Object": http://www.openmobilealliance.org.
[20]
Open Mobile Alliance "WPKI": http://member.openmobilealliance.org/ftp/public_documents/SEC/Permanent_documents/.
[21]
TS 33.203: "3G security; Access security for IP-based services".
[22]
RFC 2234:  "Augmented BNF for Syntax Specifications: ABNF".
[23]  Void.
[24]
TS 33.223: "Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA) Push function".
[25]
TS 33.310: "Network Domain Security (NDS); Authentication Framework (AF)".
[26]
Open Mobile Alliance Push Enabler Release v2.2: "Push Over the Air". http://www.openmobilealliance.org/Technical/release_program/push_v2_2.aspx.
[27]
Open Mobile Alliance Push Enabler Releasev 2.2: "Push Message Specification". http://www.openmobilealliance.org/Technical/release_program/push_v2_2.aspx.
[28]
Open Mobile Alliance Device Management Enabler Release v1.2: "Enabler Release Definition for OMA Device Management". http://www.openmobilealliance.org/Technical/release_program/dm_v1_2.aspx.
[29]
TS 33.303: "Proximity-based Services (ProSe); Security aspects".
[30]
RFC 7230:  "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing".
[31]
RFC 7231:  "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content".
[32]
RFC 7232:  "Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests".
[33]
RFC 7233:  "Hypertext Transfer Protocol (HTTP/1.1): Range Requests".
[34]
RFC 7234:  "Hypertext Transfer Protocol (HTTP/1.1): Caching".
[35]
RFC 7235:  "Hypertext Transfer Protocol (HTTP/1.1): Authentication".
[36]
RFC 7616:  "HTTP Digest Access Authentication".
[37]
RFC 4648:  "The Base16, Base32, and Base64 Data Encodings".
[38]
TS 33.535: "Authentication and Key Management for Applications (AKMA) based on 3GPP credentials in the 5G System (5GS)".
Up

3  Definitions and abbreviationsp. 9

3.1  Definitionsp. 9

For the purposes of the present document, the following terms and definitions apply.
Bootstrapping information:
set of parameters that have been established during bootstrapping procedure. The information consists of a bootstrapping transaction identifier (B-TID), key material (Ks), and a group of application specific security parameters related to the subscriber.
Bootstrapped security association:
association between a UE and a BSF that is established by running bootstrapping procedure between them. The association is identified by a bootstrapping transaction identifier (B-TID) and consists of bootstrapping information.
CA certificate:
The Certificate Authority public key is itself contained within a certificate, called a CA certificate. The CA sign all certificates that it issues with the private key that corresponds to the public key in the CA certificate.
Delivery of CA certificate:
procedure during which UE requests a root certificate from PKI portal, who delivers the certificate to the UE. The procedure is secured by using GBA.
PKI portal:
certification authority (or registration authority) operated by a cellular operator
Reverse proxy:
a reverse proxy is a gateway for servers, and enables one server (i.e., reverse proxy) to provide content from another server transparently, e.g., when UE's request for a particular information is received at a reverse proxy, the reverse proxy is configured to request the information from another server. The reverse proxy functionality is transparent to the UE, i.e., the UE does not know that the request is being forwarded to another server by the reverse proxy.
Root certificate:
a certificate that an entity explicitly trusts, typically a self-signed CA certificate
Subscriber certificate:
certificate issued to a subscriber. It contains the subscriber's own public key and possibly other information such as the subscriber's identity in some form.
Subscriber certificate enrolment:
procedure during which UE sends certification request to PKI portal and who issues a certificate to UE. The procedure is secured by using GBA.
WAP Identity Module (WIM):
used in performing WTLS, TLS, and application level security functions, and especially, to store and process information needed for user identification and authentication The WPKI may use the WIM for secure storage of certificates and keys (see TS 33.221, OMA ECMAScript [19], and OMA WPKI [20] specifications).
 
For the purposes of the present document, the following terms and definitions given in TS 33.220 apply:
Temporary IP Multimedia Private Identity
 
For the purposes of the present document, the following terms and definitions given in TS 33.223 apply:
Disposable-Ks model
Push-message
Push-NAF
Up

3.2  Abbreviationsp. 9

For the purposes of the present document, the following abbreviations apply:
A-KID
AKMA Key IDentifier
AKA
Authentication and Key Agreement
AKMA
Authentication and Key Management for Applications
AP
Authentication Proxy
AS
Application Server
AUTN
Authentication Token
AUTS
Re-synchronisation Token
AV
Authentication Vector
BSF
BootStrapping Function
B-TID
Bootstrapping - Transaction IDentifier
CA
Certification Authority
CK
Confidentiality Key
DER
Distinquished Encoding Rules
FQDN
Fully Qualified Domain Name
GAA
Generic Authentication Architecture
GBA
Generic Bootstrapping Architecture
GBA_ME
ME-based GBA
GBA_U
GBA with UICC-based enhancements
GPI
GBA Push Info
GUSS
GBA User Security Settings
HSS
Home Subscriber System
HTTP
Hypertext Transfer Protocol
HTTPS
HTTP over TLS
IK
Integrity Key
IMPI
IP Multimedia Private Identity
IMPU
IP Multimedia PUblic identity
Ks
Key material
Ks_NAF
NAF specific key material
MAC
Message Authentication Code
ME
Mobile Equipment
NAF
Network Application Function
PKCS
Public-Key Cryptography Standards
PKI
Public Key Infrastructure
PSK
Pre-Shared Secret
RAND
RANDom challenge
RES
authentication Response
SA
Security Association
SQN
SeQuence Number
TLS
Transport Layer Security
TMPI
Temporary IP Multimedia Private Identity
UE
User Equipment
UICC
Universal Integrated Circuit Card
URI
Uniform Resource Identifier
URN
Uniform Resource Name
USIM
User Service Identity Module
USS
User Security Settings
UTC
Coordinated Universal Time
WIM
Wireless Identity Module
WPKI
Wireless PKI
WTLS
Wireless Transport Layer Security
XRES
Expected authentication response
Up

Up   Top   ToC