Generic Bootstrapping Architecture: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 03:18, 3 April 2009 edit SmackBot (talk \| contribs) 3,734,324 edits m Date maintenance tags and general fixes ← Previous edit		Latest revision as of 07:10, 25 May 2024 edit undo InternetArchiveBot (talk \| contribs) Bots, Pending changes reviewers 5,698,993 edits Rescuing 2 sources and tagging 0 as dead.) #IABot (v2.0.9.5
(32 intermediate revisions by 27 users not shown)
Line 1: ~~In mobile phones,~~ '''Generic Bootstrapping Architecture''' ('''GBA''') is ~~one~~a technology ~~enabling~~that enables the authentication of a user. This authentication is possible if the user owns a valid identity on an HLR ([[~~GSM_core_network~~GSM core network#~~Home_Location_Register_~~Home ___location register .28HLR.29\|Home Location Register]]) or aon an HSS ([[Home Subscriber Server]]).▼ ~~==Introduction:==~~ GBA is standardized at the [[3GPP]] (http://www.3gpp.org/ftp/Specs/html-info/33220.htm) . The user authentication is instantiated by a shared secret, one in the [[smartcard]], for example a [[SIM card]] inside the mobile phone and the other is on the HLR/HSS.▼ ▲In mobile phones, '''Generic Bootstrapping Architecture''' (GBA) is one technology enabling the authentication of a user. This authentication is possible if the user owns a valid identity on an HLR [[GSM_core_network#Home_Location_Register_.28HLR.29\|Home Location Register]] or a [[Home Subscriber Server]] GBA authenticates by making a network component challenge the ~~[[simcard]] card~~smartcard and verify that the answer is ~~similar by~~ the one predicted by the HLR/HSS.▼ ▲GBA is standardized at the [[3GPP]] (http://www.3gpp.org/ftp/Specs/html-info/33220.htm) . The user authentication is instantiated by a shared secret, one in the [[smartcard]] inside the mobile phone and the other is on the HLR/HSS. Instead of asking the service provider to trust the [[Bootstrapping Server Function\|BSF]] and relying on it for every authentication request, the [[Bootstrapping Server Function\|BSF]] establishes a shared secret between the [[simcard]] card and the service provider. This shared secret is limited in time and for a specific ___domain. ▼ ▲GBA authenticates by making a network component challenge the [[simcard]] card and verify that the answer is similar by the one predicted by the HLR/HSS. [[Image:Generic Bootstrapping Architecture.jpg]] ▲Instead of asking the service provider to trust the [[Bootstrapping Server Function\|BSF]] and relying on it for every authentication request, the [[Bootstrapping Server Function\|BSF]] establishes a shared secret between the [[simcard]] card and the service provider. This shared secret is limited in time and for a specific ___domain. ~~[[Image:GBA.JPG]]~~ ==Strong points== This solution has some strong points of certificate and shared secrets without having some of their weaknesses: - There is no need for user enrollment phase nor secure deployment of keys, making this solution a very low cost one when compared to [[Public key infrastructure\|PKI]]. - Another advantage is the ease with which the authentication method may be integrated into terminals and service providers, as it is based on [[HTTP]]'s well known "[[Digest access authentication]]". Every Web server already implement HTTP [[digest authentication]] and the effort to implement GBA on top of digest authentication is minimal. For example, it could be implemented on SimpleSAMLPhP http://rnd.feide.no/simplesamlphp {{Webarchive\|url=https://web.archive.org/web/20081219004332/http://rnd.feide.no/simplesamlphp \|date=2008-12-19 }} with 500 PHP lines of code and only a few tens of ~~LoC~~lines of code are SPService Provider specific making it really easy to port it to another Web site. - On device side is needed: Line 22 ⟶ 20: * A means to dialog with a smartcard and signed the challenge sent by the BSF, either Bluetooth SAP or a Java or native application could be used to serve the request coming from the browser. == Technical overview: == Actually, contents in this section are from external literature.<ref>{{Cite web \|url=http://www.tml.tkk.fi/Publications/C/22/papers/Olkkonen_final.pdf \|title=Generic Authentication Architecture by Timo Olkkonen, Helsinki University of Technology \|access-date=2010-07-05 \|archive-date=2016-07-05 \|archive-url=https://web.archive.org/web/20160705130421/http://www.tml.tkk.fi/Publications/C/22/papers/Olkkonen_final.pdf \|url-status=dead }}</ref> There are two ways to use GAA (Generic Authentication Architecture). * The first, GBA, is based on a shared secret between the client and server * The second, SSC, is based on public-private key pairs and digital certificates. In the shared secret cases, the customer and the operator are first mutually authenticated through 3G and ~~authentication~~Authentication ~~key~~Key (AKA) and they agree on session keys which can then be used between the client and services that the customer wants to use. This is called ~~bootstrap~~''bootstrapping''. After that, the services can retrieve the ~~key~~session ~~Session~~keys offrom the operator, and they can be used in ~~specific~~some ~~applications~~application specific protocol between the client and services. ~~between the client and services [3].~~ ~~Fig.~~Figure 1above shows the network GAA entities and interfaces between them. Optional entities are drawn with lines network and borders dotted the scoreboard. The User Equipment (EUUE) is, for example, the user's mobile phone. The EUUE and '''Bootstrapping ~~function~~Server ~~server~~Function''' ('''BSF''') mutually authenticate themselves during the Ub (number [2] above) interface, using the [[Digest access authentication]] [[AKA (security)\|AKA]] protocol. The EUUE also ~~communicate~~communicates with the ~~network~~'''Network ~~application~~Application ~~functions~~Functions''' ('''NAF'''), which are the implementation servers, over the Ua [4] interface, which can use any specific application protocol necessary. ~~servers, over the Ua interface, which can use any specific application protocol necessary.~~ BSF retrieves data from the subscriber from the Home Subscriber Server (HSS) during the Zh [3] interface, which uses the [[Diameter (protocol)\|Diameter]] Base Protocol. If there are several HSS in the network, BSF must first know which one to use. This can be done by either setting up a pre-defined HSS to BSF, or by querying the Subscriber Locator Function (SLF). ~~Nafs~~NAFs recover the key session of BSF during the Zn [5] interface, which also uses the diameter at the base Protocol ~~[5]~~. If▼ ~~can be done by either setting up a pre-defined HSS to BSF, or by querying the subscriber Locator Function (SLF).~~ ~~NFA~~NAF is not in the home network, it must use a ~~proxy-~~Zn-proxy to contact BSF .▼ ▲Nafs recover the key session of BSF during the Zn interface, which also uses the diameter at the base Protocol [5]. If ▲NFA is not in the home network, it must use a proxy-Zn contact BSF . == Uses == * The SPICE project developed an extended Use Case named "split terminal" where a user on a PC can authenticate with ~~her~~their mobile phone: http://www.ist-spice.org/demos/demo3.htm {{Webarchive\|url=https://web.archive.org/web/20090324084359/http://www.ist-spice.org/demos/demo3.htm \|date=2009-03-24 }}. The NAF was developed on SimpleSAMLPhP and a Firefox extension was developed to process the GBA digest authencation request from the BSF. Bluetooth SIM Access Profile was used between the Firefox browser and the mobile phone. Later a partner developed a "zero installation" concept. * The research institute [[Fraunhofer ~~Fokus~~Institute ~~http://www.fokus.fraunhofer.de~~for Open Communication Systems\|Fraunhofer FOKUS]] developed an OpenID extension for Firefox which uses GBA authentication.~~{{Fact\|reason=please give a reliable source for this assertion~~[https://web.archive.org/web/20150217142539/http://www.icin.biz/files/2008papers/Session5A-2.pdf ~~Does~~Presentation ~~not~~at ~~appear~~ICIN on2008 ~~the~~by ~~website or in any articles found be google search\|date=April~~Peter ~~2009}}~~Weik] * The Open Mobile Terminal Platform http://www.omtp.org references GBA in its Advanced Trusted Environment: OMTP TR1<ref>[{{Cite web \|url=http://www.omtp.org/Publications/Display.aspx?Id=24ad518b-6dba-4155-ad51-3143bd43a234 \|title=OMTP Advanced Trusted Environment: OMTP TR1] \|access-date=2009-01-04 \|archive-url=https://web.archive.org/web/20081021071602/http://www.omtp.org/Publications/Display.aspx?Id=24ad518b-6dba-4155-ad51-3143bd43a234 \|archive-date=2008-10-21 \|url-status=dead }}</ref> recommendation, first released in May 2008. Sadly, despite many advantages and potential uses of GBA, its implementation in handsets has been limited since GBA standardization in 2006. Most notably, GBA was implemented in Symbian-based handsets. == References ==