For the purposes of the present document, the following terms and definitions apply:
This term collectively refers to all GBA variants that make use of a form of the AKA protocol on the Ub interface, i.e. it refers to GBA_ME, GBA_U and 2G GBA as defined in the present document, and to GBA_push as defined in TS 33.223.
Application:
Wherever the term application is used in this document to refer to a service offered by the MNO or a third party to the mobile subscriber, it denotes the type of application and not an actual instance of that application installed on an application server.
Bootstrapping Server Function:
BSF is hosted in a network element under the control of an MNO. BSF, HSS, and UEs participate in GBA in which a shared secret is established between the network and a UE by running the bootstrapping procedure. The shared secret can be used between NAFs and UEs, for example, for authentication purposes.
Bootstrapping Usage Procedure:
A procedure using a bootstrapped security association over the Ua reference point.
GBA Function:
A function on the ME that executes the bootstrapping procedure with the BSF (i.e. supports the Ub reference point) and provides Ua applications with a security association to run the bootstrapping usage procedure. The GBA function is called by a Ua application when that application wants to use a bootstrapped security association.
GBA_ME:
in GBA_ME, all GBA-specific functions are carried out in the ME. The UICC is GBA-unaware. If the term GBA is used in this document without any further qualification, GBA_ME is always meant, see clause 4 of this specification.
GBA_U:
this is GBA with UICC-based enhancements. In GBA_U, the GBA-specific functions are split between the ME and the UICC, see clause 5 of this specification.
GBA_Digest:
A GBA variant that extends the usage of GBA to environments where the UICC is not available to the subscriber. In this variant, the GBA client on the UE and the BSF communicate using the HTTP protocol, and SIP Digest credentials (such as a shared secret or password) are used for authentication instead of credentials stored in the SIM, USIM or ISIM.
Network Application Function:
NAF is hosted in a network element. GBA may be used between NAFs and UEs for authentication purposes, and for securing the communication path between the UE and the NAF.
Bootstrapping Transaction Identifier:
the bootstrapping transaction identifier (B-TID) is used to bind the subscriber identity to the keying material on the Ua, Ub and Zn reference points.
GBA User Security Settings:
GUSS contains the BSF-specific information element and the set of all application-specific USSs.
GUSS timestamp:
the timestamp of the GUSS is set by the HSS. It changes whenever the HSS has modified the GUSS.
NAF Group:
A grouping of NAFs that allows different USSs to be assigned to NAFs representing the same application. This grouping is done in each home network separately, i.e. one NAF contacting BSFs in different home networks belongs to a different group in every home network.
NAF_Id:
The FQDN of the NAF, concatenated with the Ua security protocol identifier.
Temporary IP Multimedia Private Identity:
a temporary identity which is used on the Ub interface to prevent passive eavesdropping attacks against the IMPI.
Ua Application:
An application on the ME intended to run the bootstrapping usage procedure with a NAF.
Ua security protocol identifier:
An identifier which is associated with a security protocol over Ua.
User Security Setting:
A USS is an application- and subscriber-specific parameter set consisting of two parts: an authentication part, which contains the list of identities of the user needed for the application (e.g. IMPUs, MSISDN, pseudonyms), and an authorisation part, which contains the user permission flags (e.g. access to the application allowed, type of certificates which may be issued). In addition, a USS may contain a key selection indication, which is used in the GBA_U case to mandate the usage of either the ME-based key (Ks_(ext)_NAF), the UICC-based key (Ks_int_NAF) or both. It is sometimes also called an application-specific user security setting. The USS is delivered to the BSF as part of the GUSS from the HSS, and from the BSF to the NAF if requested by the NAF.
For the purposes of the present document, the following abbreviations apply:
AKA        Authentication and Key Agreement
B-TID      Bootstrapping Transaction Identifier
BSF        Bootstrapping Server Function
FQDN       Fully Qualified Domain Name
GAA        Generic Authentication Architecture
GBA        Generic Bootstrapping Architecture
GBA_U      GBA with UICC-based enhancements
GUSS       GBA User Security Settings
HLR        Home Location Register
HSS        Home Subscriber System
KDF        Key Derivation Function
Ks_int_NAF Derived key in GBA_U which remains on the UICC
Ks_ext_NAF Derived key in GBA_U
MNO        Mobile Network Operator
NAF        Network Application Function
PKI        Public Key Infrastructure
SLF        Subscriber Locator Function
TMPI       Temporary IP Multimedia Private Identity
USS        User Security Setting
For the purposes of the present document, the following symbols apply:
All data variables in this specification are presented with the most significant substring on the left-hand side and the least significant substring on the right-hand side. A substring may be a bit, a byte or a bitstring of any other length. Where a variable is broken down into a number of substrings, the leftmost (most significant) substring is numbered 0, the next most significant is numbered 1, and so on through to the least significant.
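The substring convention above is easy to get wrong when implementing a parser for a variable defined by concatenation (substring 0 is the leftmost, most significant part, not the low-order end). The following Python helper is an added example and is not code from TS 33.220 or from any 3GPP project; the function names, the variable widths and the 16-bit sample value are all constructed for illustration.

```python
# Added example (not part of TS 33.220): applying the specification's
# substring convention. Substring 0 is the leftmost (most significant)
# part of a variable; substrings are numbered left to right.

from typing import List


def split_msb_first(bits: str, widths: List[int]) -> List[str]:
    """Split a bitstring into substrings of the given widths (in bits).

    Substring 0 is the most significant (leftmost); the last substring is
    the least significant. Widths may differ, matching the convention that
    a substring may be a bit, a byte or any other bitstring.
    """
    if any(c not in "01" for c in bits):
        raise ValueError("bitstring must contain only 0 and 1")
    if sum(widths) != len(bits):
        raise ValueError(
            f"widths sum to {sum(widths)} bits, bitstring has {len(bits)} bits"
        )
    parts, pos = [], 0
    for w in widths:
        parts.append(bits[pos:pos + w])
        pos += w
    return parts


def join_msb_first(parts: List[str]) -> str:
    """Inverse of split_msb_first: concatenate substring 0 .. n-1 left to right."""
    return "".join(parts)


def bytes_to_bits(data: bytes) -> str:
    """Render a byte string as a bitstring, most significant byte and bit on the left."""
    return "".join(f"{b:08b}" for b in data)


def substring_value(parts: List[str], index: int) -> int:
    """Integer value of substring `index` (0 = most significant)."""
    return int(parts[index], 2)


if __name__ == "__main__":
    # Constructed 16-bit sample value (hypothetical, not from the specification).
    sample = bytes_to_bits(bytes([0xA5, 0x3C]))      # "1010010100111100"
    parts = split_msb_first(sample, [4, 8, 4])       # 4-bit, 8-bit, 4-bit substrings
    for i, p in enumerate(parts):
        print(f"substring {i}: {p} (value {substring_value(parts, i)})")
    # Re-concatenating substrings 0..2 in order restores the original variable.
    assert join_msb_first(parts) == sample
```

The width check is deliberate: a variable whose declared substring widths do not add up to its length is malformed, and rejecting it at the parsing boundary is cheaper than discovering the mismatch later in key derivation.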