LTE's GAA architecture, and how LTE uses TLS

3GPP TR 33.919 gives the GAA architecture:


Of its two components, GBA covers HTTP Digest, Pre-Shared Key TLS, IKE with pre-shared secret and a priori any mechanism based on username and password; SSC assumes that the entity that needs to be authenticated (one or both partners in the communication) possesses a (public, private) key pair and a corresponding digital certificate. The latter validates the key pair and binds the key pair to its legitimate owner. Well-known protocols whose authentication is based on (public, private) key pairs include PGP and HTTP over TLS, RFC 2818 [5] (the latter is commonly called by its protocol identifier, "HTTPS").


GBA provides an application-level mechanism based on 3GPP AKA that supplies the client and the application server with a shared secret; this shared secret can then be used to authenticate the communication between the client and the application server. GAA also introduces a new network element (NE) called the Bootstrapping Server Function (BSF), and authentication between the UE and the HSS is carried out through the BSF. From the resulting (CK, IK), a session key is derived in the BSF and the UE. An application server (called Network Application Function (NAF) in TS 33.220 [2]) can fetch this session key from the BSF together with subscriber profile information. In this way the application server (NAF) and the UE share a secret key that can subsequently be used for application security, in particular to authenticate UE and NAF at the start of the application session (possibly also for integrity and/or confidentiality protection, although that might not be strictly in the scope of GAA). The communication between the UE and the BSF, as well as that between NAF and BSF and between BSF and HSS, is application independent and is described in TS 33.220 [2].

If only SIM cards or SIMs on UICC are available, and 2G_GBA is allowed, the BSF and UE mutually authenticate using the 2G AKA and TLS protocols.


SSC provides a mechanism for dynamically issuing digital certificates to mobile subscribers. If a mobile subscriber wants to have and make use of a (public, private) key pair, the key pair and a certificate should either be preloaded, or the subscriber must have the means to either generate or obtain a key pair and dynamically obtain a corresponding digital certificate.

To request a certificate, the user sends a suitable certificate request to the home operator's PKI portal; this process can itself be regarded as an example of a mobile application, and it requires mutual authentication of the two entities. If both sides already hold usable certificates, those can be used for the authentication; otherwise GBA is run to obtain a shared secret, which is used for the authentication, and the new certificate is then obtained. As with many mobile applications it requires authentication of the communicating entities, in this case the UE and the PKI portal (the latter plays the role of the application server). As for any other application there are two options for this authentication: pre-shared secret based, or based on asymmetric cryptography and certificates. The latter is only an option when a new certificate is requested from the PKI portal while another still valid certificate is already loaded in the UE. The former method requires a shared secret between the PKI portal and the UE. If the shared secret is not pre-configured, GBA can be used to obtain such a shared secret.


HTTPS is commonly used to protect the application session between the UE and the application server. It is envisaged that HTTPS (or HTTP/TLS) may be used in a number of services to secure the application session between the UE and the application server (Ua interface in TS 33.220, see TS 33.222 [4]). TS 33.222 [4] describes the details of the possible authentication options when HTTPS is used between a UE and an application server. Any existing or future application based on HTTPS or Pre-Shared Key TLS can refer to TS 33.222 [4] for details on authentication and the set-up of a secure HTTP session. In this situation there are four application types:

HTTPS with Authentication Proxy: the UE can reach several ASes at once through the AP, which saves authentication vectors (AVs) and reduces the number of TLS sessions the UE has to open and maintain.

HTTPS without Authentication Proxy

Pre-Shared Key TLS: the HTTP client and server authenticate each other using GBA; the session key obtained via the BSF is fetched by the NAF and used as the shared secret, which serves as the master secret of the TLS session, from which the TLS protocol derives the session keys.
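The key derivation that the GBA bootstrapping and PSK-TLS descriptions above rely on, as an added example in Python (this is not code from this post or from the 3GPP specifications): Ks = CK || IK, and Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id), laid out as the HMAC-SHA-256 KDF of TS 33.220 Annex B as assumed here. The IMPI, domain names, Ua security protocol identifier and all key material are constructed sample values, not taken from any network.

```python
import base64
import hashlib
import hmac

# Assumed KDF layout (TS 33.220 Annex B): derived key = HMAC-SHA-256(Key, S),
# S = FC || P0 || L0 || P1 || L1 || ... where each Li is the 2-octet big-endian
# length of Pi, and FC = 0x01 for GBA.
FC_GBA = b"\x01"


def kdf(key: bytes, fc: bytes, *params: bytes) -> bytes:
    s = fc
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ks_naf(ck: bytes, ik: bytes, rand: bytes, impi: str,
                  naf_fqdn: str, ua_proto_id: bytes) -> bytes:
    """Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id), Ks = CK || IK,
    NAF_Id = NAF FQDN || Ua security protocol identifier. Both UE and BSF
    compute this; the NAF only ever receives the result from the BSF."""
    ks = ck + ik
    naf_id = naf_fqdn.encode("ascii") + ua_proto_id
    return kdf(ks, FC_GBA, b"gba-me", rand, impi.encode("ascii"), naf_id)


def make_btid(rand: bytes, bsf_domain: str) -> str:
    """B-TID = base64(RAND) "@" BSF domain: the handle the UE presents to the
    NAF so the NAF can fetch Ks_NAF from the BSF."""
    return base64.b64encode(rand).decode("ascii") + "@" + bsf_domain


def bootstrap_demo() -> dict:
    # Constructed sample values; in a real run CK, IK and RAND come from AKA.
    ck = bytes.fromhex("00112233445566778899aabbccddeeff")
    ik = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    rand = bytes.fromhex("0123456789abcdef0123456789abcdef")
    impi = "user@operator.example"                # assumed IMPI
    psk_tls = bytes([0x01, 0x00, 0x00, 0x00, 0x02])  # assumed Ua id for PSK-TLS
    naf = "naf.operator.example"
    ue_key = derive_ks_naf(ck, ik, rand, impi, naf, psk_tls)   # UE side
    bsf_key = derive_ks_naf(ck, ik, rand, impi, naf, psk_tls)  # BSF side, on Zn
    # Key separation: a different NAF (or Ua protocol) gets a different Ks_NAF,
    # so one application server cannot impersonate the UE towards another.
    other = derive_ks_naf(ck, ik, rand, impi, "other.operator.example", psk_tls)
    return {"btid": make_btid(rand, "bsf.operator.example"),
            "match": hmac.compare_digest(ue_key, bsf_key),
            "separated": ue_key != other, "ks_naf_len": len(ue_key)}


if __name__ == "__main__":
    print(bootstrap_demo())
```

Ks_NAF is what PSK-TLS then loads as the TLS pre-shared key, and the B-TID is sent as the PSK identity.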


In summary, at the LTE application layer 3GPP provides a generic authentication architecture, GAA, through which mutual authentication of user and server can be realized independently of the application server and the authentication proxy; an individual AS may of course still develop its own specific authentication method. Overall, adopting GAA reduces the complexity of application development, and the mechanism can be built into the USIM card's storage.
