1、 TIA-1097-A October 2011Security Mechanisms Using GBA NOTICE TIA Engineering Standards and Publications are designed to serve the public interest through eliminating misunderstandings between manufacturers and purchasers, facilitating interchangeability and improvement of products, and assisting the
2、 purchaser in selecting and obtaining with minimum delay the proper product for their particular need. The existence of such Standards and Publications shall not in any respect preclude any member or non-member of TIA from manufacturing or selling products not conforming to such Standards and Public
3、ations. Neither shall the existence of such Standards and Publications preclude their voluntary use by Non-TIA members, either domestically or internationally. Standards and Publications are adopted by TIA in accordance with the American National Standards Institute (ANSI) patent policy. By such act
4、ion, TIA does not assume any liability to any patent owner, nor does it assume any obligation whatever to parties adopting the Standard or Publication. This Standard does not purport to address all safety problems associated with its use or all applicable regulatory requirements. It is the responsib
5、ility of the user of this Standard to establish appropriate safety and health practices and to determine the applicability of regulatory limitations before its use. (From Project No. 3-0237-RV1, formulated under the cognizance of the TIA TR-45 Mobile (b) there is no assurance that the Document will
6、be approved by any Committee of TIA or any other body in its present or any other form; (c) the Document may be amended, modified or changed in the standards development or any editing process. The use or practice of contents of this Document may involve the use of intellectual property rights (“IPR
7、”), including pending or issued patents, or copyrights, owned by one or more parties. TIA makes no search or investigation for IPR. When IPR consisting of patents and published pending patent applications are claimed and called to TIAs attention, a statement from the holder thereof is requested, all
8、 in accordance with the Manual. TIA takes no position with reference to, and disclaims any obligation to investigate or inquire into, the scope or validity of any claims of IPR. TIA will neither be a party to discussions of any licensing terms or conditions, which are instead left to the parties inv
9、olved, nor will TIA opine or judge whether proposed licensing terms or conditions are reasonable or non-discriminatory. TIA does not warrant or represent that procedures or practices suggested or provided in the Manual have been complied with as respects the Document or its contents. If the Document
10、 contains one or more Normative References to a document published by another organization (“other SSO”) engaged in the formulation, development or publication of standards (whether designated as a standard, specification, recommendation or otherwise), whether such reference consists of mandatory, a
11、lternate or optional elements (as defined in the TIA Engineering Manual, 4thedition) then (i) TIA disclaims any duty or obligation to search or investigate the records of any other SSO for IPR or letters of assurance relating to any such Normative Reference; (ii) TIAs policy of encouragement of volu
12、ntary disclosure (see Engineering Manual Section 6.5.1) of Essential Patent(s) and published pending patent applications shall apply; and (iii) Information as to claims of IPR in the records or publications of the other SSO shall not constitute identification to TIA of a claim of Essential Patent(s)
13、 or published pending patent applications. TIA does not enforce or monitor compliance with the contents of the Document. TIA does not certify, inspect, test or otherwise investigate products, designs or services or any claims of compliance with the contents of the Document. ALL WARRANTIES, EXPRESS O
14、R IMPLIED, ARE DISCLAIMED, INCLUDING WITHOUT LIMITATION, ANY AND ALL WARRANTIES CONCERNING THE ACCURACY OF THE CONTENTS, ITS FITNESS OR APPROPRIATENESS FOR A PARTICULAR PURPOSE OR USE, ITS MERCHANTABILITY AND ITS NONINFRINGEMENT OF ANY THIRD PARTYS INTELLECTUAL PROPERTY RIGHTS. TIA EXPRESSLY DISCLAI
15、MS ANY AND ALL RESPONSIBILITIES FOR THE ACCURACY OF THE CONTENTS AND MAKES NO REPRESENTATIONS OR WARRANTIES REGARDING THE CONTENTS COMPLIANCE WITH ANY APPLICABLE STATUTE, RULE OR REGULATION, OR THE SAFETY OR HEALTH EFFECTS OF THE CONTENTS OR ANY PRODUCT OR SERVICE REFERRED TO IN THE DOCUMENT OR PROD
16、UCED OR RENDERED TO COMPLY WITH THE CONTENTS. TIA SHALL NOT BE LIABLE FOR ANY AND ALL DAMAGES, DIRECT OR INDIRECT, ARISING FROM OR RELATING TO ANY USE OF THE CONTENTS CONTAINED HEREIN, INCLUDING WITHOUT LIMITATION ANY AND ALL INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING DAMAGES
17、FOR LOSS OF BUSINESS, LOSS OF PROFITS, LITIGATION, OR THE LIKE), WHETHER BASED UPON BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING NEGATION OF DAMAGES IS A FUNDAMENTAL ELEMENT OF T
18、HE USE OF THE CONTENTS HEREOF, AND THESE CONTENTS WOULD NOT BE PUBLISHED BY TIA WITHOUT SUCH LIMITATIONS. Security Mechanisms Using GBA TIA-1097-A 1 Table of Contents 1 1 Introduction and Scope .3 2 2 References.3 3 2.1 Normative References 3 4 2.2 Informative References.3 5 3 Definitions and Abbrev
19、iations 4 6 3.1 Definitions 4 7 3.2 Abbreviations .4 8 4 Overview of GBA (Informative).5 9 4.1 Introduction to GBA.5 10 4.2 GBA Architecture.5 11 4.3 Requirements on Protocols using GBA keys6 12 5 TLS with Pre-Shared Keys .6 13 5.1 General .6 14 5.2 Ciphersuites 7 15 5.3 Signaling Flow for TLS-PSK w
20、ith GBA Keys.7 16 5.4 Resumable Session .9 17 5.5 Bootstrapping Required Indication.9 18 5.6 Bootstrapping Renegotiation Indication .9 19 5.7 Error Cases .10 20 6 DTLS with Pre-Shared Keys.10 21 6.1 General .10 22 6.2 Ciphersuites 10 23 6.3 Signaling Flow for DTLS-PSK with GBA Keys10 24 6.4 Resumabl
21、e Session .11 25 6.5 Bootstrapping Required Indication.11 26 6.6 Bootstrapping Renegotiation Indication .11 27 6.7 Error Cases .11 28 7 HTTP Digest.11 29 7.1 General .11 30 7.2 Signaling Flows for HTTP Digest with GBA Keys11 31 7.3 Bootstrapping Required Indication.13 32 7.4 Bootstrapping Renegotiat
22、ion Indication .13 33 7.5 Error Cases .13 34 8 Certificate Based NAF Authentication with Shared GBA Key MN Authentication 14 35 8.1 General .14 36 TIA-1097-A Security Mechanisms Using GBA 2 8.2 TLS Ciphersuites 14 1 8.3 Procedure14 2 8.4 Resumable Session .14 3 8.5 Bootstrapping Required Indication.
23、14 4 8.6 Bootstrapping Renegotiation Indication .15 5 8.7 Error Cases .15 6 Appendix-A Ua Security Protocol Identifier (Normative) 16 7 A.1 Definition16 8 A.2 Organization Octet16 9 A.3 Ua Protocols for cdma2000 16 10 Appendix-B: Example flow for TLS-PSK (Informative)17 11 B.1 Scope of the Signaling
24、 Flow.17 12 B.2 Key to Interpret the Signaling Flow .17 13 B.3 Signaling Flow Demonstrating a Successful TLS-PSK Authentication Procedure18 14 Appendix-C: Example Flow for HTTP Digest (Informative) .21 15 C.1 Scope of the Signaling Flow.21 16 C.2 Key to Interpret the Signaling Flow .21 17 C.3 Signal
25、ing Flow Demonstrating a Successful Digest Authentication Procedure .21 18 Security Mechanisms Using GBA TIA-1097-A 3 1 Introduction and Scope 1 This document describes profile of security mechanisms such that the mechanism can utilize 2 keys that have been generated using the Generic Bootstrapping
26、Architecture (GBA) 3. GBA 3 is a method of providing keys in a generic manner based on the cdma20001authentication 4 methods. Similar work has been carried out by 3GPP, see 8 and 9 as part of their General 5 Authentication Architecture work 6 6 2 References 7 2.1 Normative References 8 1 “The TLS Pr
27、otocol Version 1.0”, Dierks, IETF RFC 2246. 9 2 “Transport Layer Security (TLS) Extensions”, IETF RFC 3546. 10 3 3GPP2 S.S0109 “Generic Bootstrapping Architecture” 11 4 “Pre-Shared Key Cyphersuites for Transport Layer Security (TLS)”, IETF RFC 4279 12 10 “HTTP Authentication: Basic and Digest Access
28、 Authentication”, Franks, IETF RFC 13 2617 14 11 “Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security 15 (TLS)”, Chown, IETF RFC 3268. 16 12 “Datagram Transport Layer Security”, IETF RFC 4347 17 13 ETSI TS 129 109 V7.7.0: “Generic Authentication Architecture (GAA); Zh and Zn
29、 18 Interfaces based on the Diameter protocol; Stage 3,“ October 2007. 19 2.2 Informative References 20 5 TIA-820 “Removable User Identity Module for Spread Spectrum Systems” 21 6 3GPP TR 33.919 “Generic Authentication Architecture (GAA); System description” 22 7 3GPP TS 24.109 Rel-6 “Bootstrapping
30、Interface (Ub) and network application 23 function interface (Ua): Protocol details” 24 8 3GPP TS 33.220 “Generic Authentication Architecture (GAA); Generic bootstrapping 25 architecture” 26 1cdma2000is the trademark for the technical nomenclature for certain specifications and standards of the Orga
31、nizational Partners (OPs) of 3GPP2. Geographically (and as of the date of publication), cdma2000is a registered trademark of the Telecommunications Industry Association (TIA-USA) in the United States. TIA-1097-A Security Mechanisms Using GBA 4 9 3GPP TS 33.222 Rel-6 “Generic Authentication Architect
32、ure (GAA); Access to 1 network application functions using Hypertext Transfer Protocol over Transport 2 Layer Security (HTTPS)” 3 3 Definitions and Abbreviations 4 3.1 Definitions 5 Mobile Node For the purposes of this document, the Mobile Node is considered as two 6 separate entities, the User Iden
33、tity Module (UIM) and Mobile Equipment 7 (ME). 8 User Identity Module (UIM): The User Identity Module is a low power 9 processor that contains secure memory. The User Identity Module may be a 10 Removable-UIM (R-UIM 5) or part of the Mobile Node itself. 11 Removable UIM (R-UIM): An UIM that can be p
34、hysically removed 12 from the ME. An R-UIM may be used in multiple MEs. 13 Mobile Equipment (ME): The ME contains a high power 14 processor, but is not assumed to contain secure memory or secure processing. 15 Transport Layer Security (TLS) Protocol Transport layer protection of data. 16 Cipher suit
35、e A description of the set of algorithms used for authentication, key 17 agreement 18 TLS Handshake Protocol A sub protocol of TLS that performs the functions 19 of authentication, cipher suite agreement and session secret 20 establishment for securing application data. The handshake may 21 either e
36、stablish a new master secret, or resume a previous session 22 using the master secret established during that session. 23 TLS using a Pre-Shared Key TLS-PSK: A set of cipher suites for the TLS 24 Protocol in which a Pre-Shared Key (PSK) is used for mutual 25 authentication between the client and the
37、 server. 26 3.2 Abbreviations 27 BSF Bootstrapping Server Function 28 DTLS Datagram Transport Layer Security 29 DTLS-PSK DTLS using a Pre-Shared Key (PSK) 30 GBA Generic Bootstrapping Architecture 31 ME Mobile Equipment 32 MN Mobile Node 33 Security Mechanisms Using GBA TIA-1097-A 5 NAF Network Appl
38、ication Function 1 R-UIM Removable UIM 2 TLS Transport Layer Security 3 TLS-PSK TLS using a Pre-Shared Key (PSK) 4 UIM User Identity Module 5 4 Overview of GBA (Informative) 6 4.1 Introduction to GBA 7 The aim of GBA is to provide a method of generating keying material that can be used by an 8 MN an
39、d a Network Application Function (NAF). This keying material is generated using 9 methods based upon the cdma2000 authentication methods. Full details of GBA can be found 10 in 3 and are summarized below in section 4.2. The description of protocols that use GBA 11 generated keys are given in this do
40、cument. Section 4.3 describes the functionality for a 12 protocol to be able to use GBA derived keys. 13 4.2 GBA Architecture 14 15 Figure 1 GBA Architecture 16 Figure 1 gives the architecture for GBA. The following is a brief description of the GBA (for 17 full details see 3). 18 The MN and BSF run
41、 the bootstrapping procedure in order to generate a shared key, Ks, and 19 the bootstrapping identity, B-TID. The B-TID is the unique identifier that is used in GBA. The 20 BSF retrieves the necessary authentication material from the HLR/HSS/AAA depending on the 21 BSFUENAFHLR AAAUbUa Zh1 Zh2 Zh3ZnM
42、N HSSTIA-1097-A Security Mechanisms Using GBA 6 authentication method used. The Ks will be stored in either the ME or the UIM and the BSF 1 will know where it is stored. 2 The interaction between the MN and NAF is described in this document. As part of this the 3 MN and NAF must agree on the NAF ide
43、ntity and the MN must pass the B-TID to the NAF. 4 The NAF interacts with the BSF to request the keying material to use with the MN. The NAF 5 sends the B-TID and other parameters to the BSF, which uses these and Ks to calculate the 6 keying material for the NAF. The MN has access to the same parame
44、ters and can calculate the 7 key for itself. The reference point Zn is specified in TS 29.109 13. 8 When Ks is held on the ME, the keying material sent to the NAF from the BSF is called 9 Ks_NAF. If Ks is held on the UIM, the NAF is sent Ks_ext_NAF and Ks_int_NAF from the 10 BSF. Both Ks_ext_NAF and
45、 Ks_int_NAF are generated in the UIM. Ks_int_NAF is never 11 given out of the UIM, whereas Ks_ext_NAF is given to the ME. 12 4.3 Requirements on Protocols using GBA keys 13 Using GBA keys places the following requirements on a protocol 14 1. The MN and NAF must agree on a NAF identity (NAF-ID). 15 2
46、. The MN must pass the B-TID to the NAF. 16 3. The NAF must be able to fetch the keying material from the BSF during the protocol 17 after it has received the B-TID. 18 4. The MN and NAF must have some way of agreeing that GBA generated keys will be 19 used. 20 5 TLS with Pre-Shared Keys 21 5.1 Gene
47、ral 22 This section describes the case where the TLS application resides in the ME. In this case, 23 Ks_(ext_)NAF shall be used to create the TLS tunnel between the ME and NAF. 24 The method of using GBA generated keys in TLS with pre-shared keys follows that given in 25 clause 5.4 of 9 with further
48、 details in clause 5.3.3 of 7. 26 The Ua security protocol identifier for protocol shall be (0x01,0x00,0x01,yy,zz) where “yy,zz” 27 is the protection mechanism CipherSuite code according to the defined values for TLS 28 CipherSuites in 1 and 4. 29 Both the MN and the NAF shall support the features o
49、f GBA as described in 3. They shall 30 also support the TLS 1.0 1 and TLS-PSK 4. Additionally both the MN and NAF shall 31 support the server_name TLS extension as described in RFC 3546 2. All other TLS 32 extensions are optional. 33 Security Mechanisms Using GBA TIA-1097-A 7 5.2 Ciphersuites 1 The MN shall support the CipherSuite TLS_PSK_WITH_AES_128_CBC_SHA. All other 2 Cipher Suites as defined in TLS-PSK 4 are optional for implementation on the MN. 3 The NAF shall support the CipherSuite TLS_PSK_WITH_AES_128_CBC_SHA
