Tech-invite3GPPspaceIETF RFCsSIP

Content for  TR 33.804  Word version:  12.0.0

Top   Top   None   None   Next
0…   5…


0  Introductionp. 4

The present document aims to describe the re-use of non-UICC credentials, in particular SIP Digest credentials, to provide security for access to applications.
The process of providing security in a certain context (application) based on security already defined in some other context (e.g. 3GPP network access, IMS) is often called bootstrapping of security. Bootstrapping enables Single Sign-On (SSO) to applications using the security infrastructure already present for e.g. 3GPP network access or IMS.
The Generic Bootstrapping Architecture (GBA), as defined in TS 33.220, provides a bootstrapping mechanism, but it is limited to UICC-based credentials. This means that other types of credentials, e.g. credentials used for access to the Common IMS, cannot benefit from GBA to provide security for the access to applications based on the security for network access or IMS. TS 33.203 defines, in particular, SIP Digest as an authentication mechanism for access to the Common IMS core over a non-3GPP access network, such as e.g. TISPAN NASS, or BBF, or cable access, or 3GPP2 access, or WiMAX access. The credentials used with SIP Digest are shared secrets, or passwords, stored in the HSS and in the terminal, or held by the user. By means of bootstrapping, GBA enables single sign-on to applications using the security infrastructure already present for 3GPP network access or IMS. As an example, GBA may be used for providing the security for the Ut interface used for self-administration of IMS subscribers, cf. TS 33.141.
This Technical Report takes into consideration the benefits of SSO to applications and the provision of cryptographic keys to terminals and application servers, bootstrapped from IMS credentials that are available in those scenarios where non-UICC based authentication mechanisms, in particular SIP Digest, are used. SIP Digest is arguably the most commonly used authentication mechanism in current IMS deployments. As an example, an automated way for providing the security for the Ut interface, used for self-administration of IMS subscribers, would be for the benefit of subscribers using SIP Digest credentials.
The re-use of SIP Digest credentials for SSO to applications would bring the benefit that there is no need to roll out a separate security infrastructure for these applications. In this way, a SSO mechanism re-using SIP Digest credentials would ease the introduction of new applications and services for the operator whose subscribers use SIP Digest credentials in Common IMS.
Users would benefit from SSO as it reduces complexity for users when accessing applications. Furthermore, operators could provide a chargeable service to application providers. Charging users for the use applications could be tied to the IMS subscription, although this is a matter for further discussion.
A similar need for the re-use of SIP Digest credentials for applications has been recognized by ETSI TISPAN.

1  Scopep. 5

The objective of this study item is to provide reference material for IMS based non-UICC based Single Sign On (SSO) to applications. This study item targets to re-use the SIP Digest Credentials for SSO to applications by re-using Common IMS and existing security elements. The study should describe needed extension to enable a re-use of SIP Digest credentials in Common IMS for providing security between a terminal and an application server. The study aims to maximise the commonalities of the SSO_APS with the currently defined application security approaches in 3GPP while efficiently satisfying the needs of Common IMS deployments using SIP Digest.
The Technical Report targets to bring forth approaches with a security level for access to applications using SSO_APS that is at least as good as that provided by SIP Digest for Common IMS. This Technical Report is intended to be used where the usage of UICC is not possible in a UICC-less environment. If the usage of UICC is possible, then it is expected to used, but that is outside the scope of the present study.
The scope of this Technical Report (Study Item Code SSO_APS) is restricted to environments where the storage of credentials on a UICC is not mandated.

2  Referencesp. 5

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
TR 21.905: "Vocabulary for 3GPP Specifications".
TS 33.220: "Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture".
TS 33.203: "3G Security, Access security for IP-based services".
TS 33.141: "Presence Services, Security".
IETF, RFC 2617 (1999): "HTTP Authentication: Basic and Digest Access Authentication".
TS 33.222: "Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS)".
TS 24.623: "Extensible Markup Language (XML) Configuration Access Protocol (XCAP) over the Ut interface for Manipulating Supplementary Services".
TR 33.980: "Interworking of Liberty Alliance Identity Federation Framework (ID-FF), Identity Web Service Framework (ID-WSF) and the Generic Authentication Architecture (GAA)".
TR 33.924: "Identity management and 3GPP security interworking; Identity management and Generic Authentication Architecture (GAA) interworking".
TS 24.229: "IP multimedia call control protocol based on Session Initiation Protocol (SIP) and Session Description Protocol (SDP); Stage 3".
TS 29.109: "Generic Authentication Architecture (GAA); Zh and Zn Interfaces based on the Diameter protocol; Stage 3".
TS 24.109: "Bootstrapping interface (Ub) and network application function interface (Ua); Protocol details".
IETF, RFC 3261: "SIP: Session Initiation Protocol".
OpenID Foundation "OpenID Authentication 2.0",
IETF, RFC 5705: "Keying Material Exporter for Transport Layer Security (TLS)".
TS 33.221: "Generic Authentication Architecture (GAA); Support for subscriber certificates".
IETF, RFC 5929: "Channel Bindings for TLS".

3  Definitions, symbols and abbreviationsp. 6

3.1  Definitionsp. 6

For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
The definitions of Relaying Party (RP), OpenID Provider (OP) and Identity Provider (IdP) can be found in TR 33.924.

3.2  Abbreviationsp. 6

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
Authenticating Agent
Authentication and Key Agreement Protocol
Application Server
Browsing Agent
Bootstrapping Server Function
Home Subscriber Server
Identity Provider
IP Multimedia Private Identity
IP Multimedia Subsystem
Generic Authentication Architecture
Generic Bootstrapping Architecture
GBA User Security Settings
Network Application Function
OpenID Provider
Relaying Party
Serving Call State Control Function
SIP Digest Authentication Vector
Single Sign On
Session Initiation Protocol
Subscriber Locator Function
User Equipment

4  Description of SSO featurep. 6

Single Sign On (SSO) is a feature of an access control system for a range of independent systems, which are affiliated. The systems often are application services. This feature allows that the authentication process takes place once, and the user gains access to all affiliated systems without the need to authenticate again. The SSO subsystem provides the initial authentication and provides authentication information to the Application Server which is part of the SSO subsystem.
The SSO feature in this report is meant to
  • support the re-use of SIP Digest credentials as specified in TS 33.203, Annex N for initial authentication to the SSO subsystem for terminals that are not equipped with a UICC.
  • support interworking and exploit commonalities with existing SSO subsystem deployments e.g. OpenID, GBA, Liberty Alliance.

Up   Top   ToC