Tech-invite3GPPspaceIETF RFCsSIP
Quick21222324252627282931323334353637384‑5x

Content for  TS 33.222  Word version:  17.1.0

Top   Top   None   None   Next
0…   4…

 

0  IntroductionWord‑p. 5

A number of services might be accessed over HTTP. For the Presence Service, it shall be possible to manage the data on the Presence Server over the Ut reference point, which is based on HTTP. Other services like conferencing, messaging, push, etc. might be accessed using HTTP.
Access to services over HTTP can be done in a secure manner. The present document describes how the access over HTTP can be secured using TLS in the Generic Authentication Architecture.

1  ScopeWord‑p. 6

The present document specifies secure access methods to Network Application Functions (NAF) using HTTP over TLS in the Generic Authentication Architecture (GAA), and provides Stage 2 security requirements, principles and procedures for the access. The present document describes both direct access to an Application Server (AS) and access to an Application Server through an Authentication Proxy (AP).
Up

2  ReferencesWord‑p. 6

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1]
TS 23.002: "Network architecture".
[2]
TS 22.250: "IP Multimedia Subsystem (IMS) group management"; Stage 1".
[3]
TS 33.220: "Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture".
[4]  Void
[5]
TS 33.141: "Presence Service; Security".
[6]  Void.
[7]  Void.
[8]  Void.
[9]
RFC 2818  (2000): "HTTP Over TLS".
[10]  Void
[11]  Void
[12]  Void
[13]
TS 33.210: "3G Security; Network Domain Security; IP network layer security".
[14]  Void.
[15]  Void.
[16]
TS 33.221: "Generic Authentication Architecture (GAA); Support for subscriber certificates".
[17]  Void.
[18]
TS 24.109: "Bootstrapping interface (Ub) and network application function interface (Ua); Protocol details".
[19]
TS 29.109: "Generic Authentication Architecture (GAA), Zh and Zn Interface based on the Diameter protocol; Stage 3".
[20]
TS 33.310: "Network Domain Security (NDS); Authentication Framework (AF)".
[21]  Void.
[22]  Void.
[23]
TR 21.905: "Vocabulary for 3GPP Specifications".
[24]
W3C Working Draft (Jan 22, 2013): "HTML5.1 Nightly - A vocabulary and associated APIs for HTML and XHTML", work in progress, http://dev.w3.org/html5/spec/.
[25]
RFC 5929  (2010): "Channel Bindings for TLS".
[26]
W3C Working Draft (Oct 20, 2011): "File API", work in progress, http://www.w3.org/TR/FileAPI/.
[27]
W3C Candidate Recommendation (Dec 8, 2011): "Web Storage", work in progress, http://www.w3.org/TR/webstorage/
[28]
TS 33.203: "3G security; Access security for IP-based services".
[29]
RFC 5705  (2010): "Keying Material Exporters for Transport Layer Security (TLS)".
[30]
RFC 8446  (2018): "The Transport Layer Security (TLS) Protocol Version 1.3".
[31]
RFC 7235:  "Hypertext Transfer Protocol (HTTP/1.1): Authentication".
[32]
RFC 7616:  "HTTP Digest Access Authentication".
[33]
RFC 7231:  "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content".
Up

3  Definitions, symbols and abbreviationsWord‑p. 7

3.1  DefinitionsWord‑p. 7

For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
GBA web session:
A GBA web session consists of a sequence of related HTTP request/response transactions together with some associated server-side state with the following additional requirement: During a GBA web session, a NAF can identify that the messages relate to the same individual GBA enabled terminal and a particular browser instance running in that terminal. The lifetime of the session is the lifetime of the Ks_js_NAF which is equal or shorter than the Ks_NAF lifetime and it is also equal or shorter than the lifetime of the TLS session, which was used to derive the Ks_js_NAF.
HTML5:
HTML5 is a W3C specification [24] that defines the fifth major revision of the Hypertext Markup Language (HTML), the standard language for describing the contents and appearance of Web pages.
HTML FORM:
A HTML form is a section of a HTML document containing normal content, markup, special elements called controls (checkboxes, radio buttons, text fields, password fields, etc.) and labels on those controls. End users generally "complete" a form on a web page by modifying its controls (entering text, selecting radio buttons, etc.), before submitting the form to an agent for processing (e.g., to a web server).HTTPS: For the purpose of this document, HTTPS refers to the general concept securing the HTTP protocol using TLS. In some contexts, like in the IETF, the term HTTPS is used to refer to the reserved port number (443) for HTTP/TLS traffic.
JavaScript:
JavaScript is a prototype-based scripting language that was formalized in the ECMAScript language standard. JavaScript is primarily used in the form of client-side JavaScript, implemented as part of a Web browser in order to provide enhanced user interfaces and dynamic websites.
Reverse Proxy:
A reverse proxy is a web server system that is capable of serving web pages sourced from other web servers (AS), making these pages look like they originated at the reverse proxy.
Same origin policy:
Same origin policy is a security mechanism in a client browser that permits webpage scripts to access their associated website's data and methods but restricts its access to scripts and data stored by other websites.
Session management mechanism:
A mechanism for creating stateful sessions when using the HTTP protocol.
Up

3.2  AbbreviationsWord‑p. 8

For the purposes of the present document, the following abbreviations apply:
AP
Authentication Proxy
API
Application Programming Interface
AS
Application Server
B-TID
Bootstrapping Transaction Identifier
BSF
Bootstrapping Server Functionality
CA
Certification Authority
DNS
Domain Name System
FQDN
Fully Qualified Domain Name
GBA
Generic Bootstrapping Architecture
HSS
Home Subscriber System
HTML
HyperText Markup Language
HTTP
HypertTxt Transfer Protocol
HTTPS
HTTP over TLS
IMPI
IP Multimedia Private Identity
IMPU
IP Multimedia Public Identity
ME
Mobile Equipment
NAF
Network Application Function
NAF_ID
NAF identifier
TLS
Transport Layer Security
UE
User Equipment
URL
Uniform Resource Locator
Up

Up   Top   ToC