Generic Bootstrapping Architecture

Generic Bootstrapping Architecture (GBA) is a technology that enables the authentication of a user. This authentication is possible if the user owns a valid identity on an HLR (Home Location Register) or on an HSS (Home Subscriber Server).

GBA is standardized at the 3GPP (http://www.3gpp.org/ftp/Specs/html-info/33220.htm). The user authentication is instantiated by a shared secret, one in the smartcard, for example a SIM card inside the mobile phone and the other is on the HLR/HSS.

GBA authenticates by making a network component challenge the smartcard and verify that the answer is the one predicted by the HLR/HSS.

Instead of asking the service provider to trust the BSF and relying on it for every authentication request, the BSF establishes a shared secret between the simcard card and the service provider. This shared secret is limited in time and for a specific domain.

Strong points

This solution has some strong points of certificate and shared secrets without having some of their weaknesses:

- There is no need for user enrollment phase nor secure deployment of keys, making this solution a very low cost one when compared to PKI.

- Another advantage is the ease with which the authentication method may be integrated into terminals and service providers, as it is based on HTTP's well known "Digest access authentication". Every Web server already implement HTTP digest authentication and the effort to implement GBA on top of digest authentication is minimal. For example, it could be implemented on SimpleSAMLPhP http://rnd.feide.no/simplesamlphp with 500 PHP lines of code and only a few tens of lines of code are Service Provider specific making it really easy to port it to another Web site.

- On device side is needed:

Technical overview

Actually, contents in this section are from external literature.[1]

There are two ways to use GAA (Generic Authentication Architecture).

In the shared secret cases, the customer and the operator are first mutually authenticated through 3G and Authentication Key (AKA) and they agree on session keys which can then be used between the client and services that the customer wants to use. This is called bootstrapping. After that, the services can retrieve the session keys from the operator, and they can be used in some application specific protocol between the client and services.

Figure above shows the network GAA entities and interfaces between them. Optional entities are drawn with lines network and borders dotted the scoreboard. The User Equipment (UE) is, for example, the user's mobile phone. The UE and Bootstrapping Server Function (BSF) mutually authenticate themselves during the Ub (number [2] above) interface, using the Digest access authentication AKA protocol. The UE also communicates with the Network Application Functions (NAF), which are the implementation servers, over the Ua [4] interface, which can use any specific application protocol necessary.

BSF retrieves data from the subscriber from the Home Subscriber Server (HSS) during the Zh [3] interface, which uses the Diameter Base Protocol. If there are several HSS in the network, BSF must first know which one to use. This can be done by either setting up a pre-defined HSS to BSF, or by querying the Subscriber Locator Function (SLF). NAFs recover the key session of BSF during the Zn [5] interface, which also uses the diameter at the base Protocol. If NAF is not in the home network, it must use a Zn-proxy to contact BSF .

Uses

Sadly, despite many advantages and potential uses of GBA, its implementation in handsets has been limited since GBA standardization in 2006. Most notably, GBA was implemented in Symbian-based handsets.

References

This article is issued from Wikipedia - version of the Friday, November 27, 2015. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.