The present document aims to describe the re-use of non-UICC credentials, in particular SIP Digest credentials, to provide security for access to applications.
The process of providing security in a certain context (application) based on security already defined in some other context (e.g. 3GPP network access, IMS) is often called bootstrapping of security. Bootstrapping enables Single Sign-On (SSO) to applications using the security infrastructure already present for e.g. 3GPP network access or IMS.
The Generic Bootstrapping Architecture (GBA), as defined in TS 33.220, provides a bootstrapping mechanism, but it is limited to UICC-based credentials. This means that other types of credentials, e.g. credentials used for access to the Common IMS, cannot benefit from GBA to provide security for the access to applications based on the security for network access or IMS. TS 33.203 defines, in particular, SIP Digest as an authentication mechanism for access to the Common IMS core over a non-3GPP access network, such as TISPAN NASS, BBF, cable, 3GPP2 or WiMAX access. The credentials used with SIP Digest are shared secrets, or passwords, stored in the HSS and in the terminal, or held by the user. By means of bootstrapping, GBA enables single sign-on to applications using the security infrastructure already present for 3GPP network access or IMS. As an example, GBA may be used for providing the security for the Ut interface used for self-administration of IMS subscribers, cf. TS 33.141.
This Technical Report takes into consideration the benefits of SSO to applications and the provision of cryptographic keys to terminals and application servers, bootstrapped from IMS credentials that are available in those scenarios where non-UICC based authentication mechanisms, in particular SIP Digest, are used. SIP Digest is arguably the most commonly used authentication mechanism in current IMS deployments. As an example, an automated way of providing the security for the Ut interface, used for self-administration of IMS subscribers, would benefit subscribers using SIP Digest credentials.
The re-use of SIP Digest credentials for SSO to applications would bring the benefit that there is no need to roll out a separate security infrastructure for these applications. In this way, a SSO mechanism re-using SIP Digest credentials would ease the introduction of new applications and services for the operator whose subscribers use SIP Digest credentials in Common IMS.
Users would benefit from SSO as it reduces complexity for users when accessing applications. Furthermore, operators could provide a chargeable service to application providers. Charging users for the use of applications could be tied to the IMS subscription, although this is a matter for further discussion.
A similar need for the re-use of SIP Digest credentials for applications has been recognized by ETSI TISPAN.
The objective of this study item is to provide reference material for IMS-based, non-UICC Single Sign-On (SSO) to applications. This study item aims to re-use SIP Digest credentials for SSO to applications by re-using Common IMS and existing security elements. The study should describe the extensions needed to enable a re-use of SIP Digest credentials in Common IMS for providing security between a terminal and an application server. The study aims to maximise the commonalities of SSO_APS with the currently defined application security approaches in 3GPP while efficiently satisfying the needs of Common IMS deployments using SIP Digest.
The Technical Report aims to identify approaches with a security level for access to applications using SSO_APS that is at least as good as that provided by SIP Digest for Common IMS. This Technical Report is intended for UICC-less environments, where a UICC cannot be used. Where a UICC can be used, it is expected to be used, but that case is outside the scope of the present study.
The scope of this Technical Report (Study Item Code SSO_APS) is restricted to environments where the storage of credentials on a UICC is not mandated.
The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
For a specific reference, subsequent revisions do not apply.
For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
TS 33.222: "Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS)".
TR 33.980: "Interworking of Liberty Alliance Identity Federation Framework (ID-FF), Identity Web Service Framework (ID-WSF) and the Generic Authentication Architecture (GAA)".
For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
The definitions of Relying Party (RP), OpenID Provider (OP) and Identity Provider (IdP) can be found in TR 33.924.
For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
AA
Single Sign-On (SSO) is a feature of an access control system for a range of independent, affiliated systems. The systems are often application services. This feature allows the authentication process to take place once, after which the user gains access to all affiliated systems without the need to authenticate again. The SSO subsystem performs the initial authentication and provides authentication information to the Application Server, which is part of the SSO subsystem.
The SSO feature in this report is meant to
support the re-use of SIP Digest credentials as specified in TS 33.203, Annex N for initial authentication to the SSO subsystem for terminals that are not equipped with a UICC.
support interworking and exploit commonalities with existing SSO subsystem deployments, e.g. OpenID, GBA and Liberty Alliance.
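The SIP Digest authentication referred to above is RFC 2617 HTTP Digest (MD5, qop="auth") carried in SIP, as profiled for IMS by TS 33.203 Annex N, where the HSS holds H(A1) rather than the cleartext password and hands it to the S-CSCF in the authentication vector. The following Python is an added illustration written for this page; it is not part of the TR, of TS 33.203, or of any 3GPP implementation. The user name, realm, password, Request-URI and the HSS contents are constructed values, and the HSS is modelled as a dictionary of H(A1) per user. It shows both sides of a REGISTER: the terminal answering the challenge, the S-CSCF verifying the response against H(A1), rejecting a replayed nonce-count, and returning an Authentication-Info rspauth so that the terminal can check that the server also knew the secret.

```python
"""SIP Digest (RFC 2617 Digest, MD5, qop="auth") as used for IMS access per
TS 33.203 Annex N.  Example code added for illustration; not part of the TR.
User, realm, password, URI and the HSS contents are constructed values."""
import hashlib
import hmac
import re
import secrets


def h(data: str) -> str:
    """RFC 2617 H(): lowercase hex MD5 of the string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def kd(secret: str, data: str) -> str:
    """RFC 2617 KD(secret, data) = H(secret ":" data)."""
    return h(f"{secret}:{data}")


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = H(username ":" realm ":" password).  This, not the password,
    is what the HSS stores and delivers to the S-CSCF (TS 33.203 Annex N)."""
    return h(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client response for qop=auth: KD(H(A1), nonce:nc:cnonce:qop:H(A2))."""
    return kd(ha1_hex, f"{nonce}:{nc}:{cnonce}:{qop}:{h(f'{method}:{uri}')}")


def rspauth(ha1_hex, uri, nonce, nc, cnonce, qop="auth"):
    """Authentication-Info rspauth: as the response, but A2 = ":" uri."""
    return kd(ha1_hex, f"{nonce}:{nc}:{cnonce}:{qop}:{h(f':{uri}')}")


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_params(params: str) -> dict:
    """Parse 'k1="v1", k2=v2, ...' (quoted or bare values) into a dict."""
    return {k: q if q else b for k, q, b in _PARAM.findall(params)}


def parse_digest(header: str) -> dict:
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest credential")
    return parse_params(params)


class Terminal:
    """UE side: holds the password (or gets it from the user) and answers."""

    def __init__(self, username, password):
        self.username, self.password, self.last = username, password, None

    def answer(self, www_auth: str, method: str, uri: str, nc: int = 1) -> str:
        ch = parse_digest(www_auth)
        if ch.get("algorithm", "MD5") != "MD5" or "auth" not in ch["qop"].split(","):
            raise ValueError("unsupported challenge")
        cnonce, ncs = secrets.token_hex(8), f"{nc:08x}"
        a1 = ha1(self.username, ch["realm"], self.password)
        resp = digest_response(a1, method, uri, ch["nonce"], ncs, cnonce)
        self.last = {"ha1": a1, "nonce": ch["nonce"], "nc": ncs, "cnonce": cnonce}
        return (f'Digest username="{self.username}", realm="{ch["realm"]}", '
                f'nonce="{ch["nonce"]}", uri="{uri}", qop=auth, nc={ncs}, '
                f'cnonce="{cnonce}", response="{resp}", algorithm=MD5')

    def check_server(self, auth_info: str, uri: str) -> bool:
        """Verify rspauth: proves the S-CSCF held H(A1), not just the nonce."""
        s, info = self.last, parse_params(auth_info)
        expected = rspauth(s["ha1"], uri, s["nonce"], s["nc"], s["cnonce"])
        return hmac.compare_digest(expected, info.get("rspauth", ""))


class SCSCF:
    """Server side: issues nonces, verifies with H(A1) fetched from the HSS
    (modelled as a dict username -> H(A1)), and tracks nonce-counts."""

    def __init__(self, realm, hss_ha1):
        self.realm, self.hss, self.nonces = realm, hss_ha1, {}

    def challenge(self) -> str:           # WWW-Authenticate in 401 Unauthorized
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0            # highest nc accepted so far
        return f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth", algorithm=MD5'

    def verify(self, authorization: str, method: str, uri: str):
        """Return (accepted, Authentication-Info parameters or None)."""
        a = parse_digest(authorization)
        nonce = a.get("nonce")
        if nonce not in self.nonces or a.get("realm") != self.realm or a.get("uri") != uri:
            return False, None
        nc = int(a["nc"], 16)
        if nc <= self.nonces[nonce]:      # replayed or reordered nonce-count
            return False, None
        a1 = self.hss.get(a.get("username"))
        if a1 is None:
            return False, None
        expected = digest_response(a1, method, uri, nonce, a["nc"], a["cnonce"])
        if not hmac.compare_digest(expected, a.get("response", "")):
            return False, None
        self.nonces[nonce] = nc
        proof = rspauth(a1, uri, nonce, a["nc"], a["cnonce"])
        return True, f'qop=auth, rspauth="{proof}", cnonce="{a["cnonce"]}", nc={a["nc"]}'


def run_register(password_at_ue="s3cret-pw", password_in_hss="s3cret-pw"):
    """Full REGISTER exchange; returns (accepted, server_proven, replay_accepted)."""
    realm, user, uri = "ims.example.org", "alice", "sip:ims.example.org"
    scscf = SCSCF(realm, {user: ha1(user, realm, password_in_hss)})
    ue = Terminal(user, password_at_ue)
    authz = ue.answer(scscf.challenge(), "REGISTER", uri)
    ok, info = scscf.verify(authz, "REGISTER", uri)
    replay_ok, _ = scscf.verify(authz, "REGISTER", uri)
    return ok, bool(ok and ue.check_server(info, uri)), replay_ok


if __name__ == "__main__":
    print(run_register())                      # (True, True, False)
    print(run_register(password_at_ue="wrong"))  # (False, False, False)
```

The point worth noting for the rest of the TR is what each side actually holds: the S-CSCF never sees the password, only H(A1), and the response binds the nonce, nonce-count and client nonce but carries no key agreement. Any SSO scheme that re-uses these credentials therefore inherits the strength of the subscriber's password and the replay and eavesdropping properties of plain Digest, which is why the study's target is a security level at least as good as SIP Digest for Common IMS rather than something weaker.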