Content deleted Content added
No edit summary |
Rescuing 2 sources and tagging 0 as dead.) #IABot (v2.0.9.5 |
||
| (8 intermediate revisions by 6 users not shown) | |||
Line 1:
GBA is standardized at the [[3GPP]] (http://www.3gpp.org/ftp/Specs/html-info/33220.htm). The user authentication is instantiated by a shared secret, one in the [[smartcard]], for example a [[SIM card]] inside the mobile phone and the other is on the HLR/HSS.
Line 13 ⟶ 14:
- There is no need for user enrollment phase nor secure deployment of keys, making this solution a very low cost one when compared to [[Public key infrastructure|PKI]].
- Another advantage is the ease with which the authentication method may be integrated into terminals and service providers, as it is based on [[HTTP]]'s well known "[[Digest access authentication]]". Every Web server already implement HTTP [[digest authentication]] and the effort to implement GBA on top of digest authentication is minimal. For example, it could be implemented on SimpleSAMLPhP http://rnd.feide.no/simplesamlphp {{Webarchive|url=https://web.archive.org/web/20081219004332/http://rnd.feide.no/simplesamlphp |date=2008-12-19 }} with 500 PHP lines of code and only a few tens of lines of code are Service Provider specific making it really easy to port it to another Web site.
- On device side is needed:
Line 20 ⟶ 21:
== Technical overview ==
Actually, contents in this section are from external literature.<ref>
There are two ways to use GAA (Generic Authentication Architecture).
Line 32 ⟶ 33:
Figure above shows the network GAA entities and interfaces between them. Optional entities are drawn with lines
network and borders dotted the scoreboard. The User Equipment (UE) is, for example, the user's mobile phone. The UE and
'''Bootstrapping Server Function''' ('''BSF''') mutually authenticate themselves during the Ub (number [2] above) interface, using the [[Digest access authentication]] [[AKA (security)|AKA]] protocol. The UE also communicates with the '''Network Application Functions''' ('''NAF'''), which are the implementation servers, over the Ua [4] interface, which can use any specific application protocol necessary.
BSF retrieves data from the subscriber from the Home Subscriber Server (HSS) during the Zh [3] interface, which uses the
Line 40 ⟶ 41:
== Uses ==
* The SPICE project developed an extended Use Case named "split terminal" where a user on a PC can authenticate with their mobile phone: http://www.ist-spice.org/demos/demo3.htm {{Webarchive|url=https://web.archive.org/web/20090324084359/http://www.ist-spice.org/demos/demo3.htm |date=2009-03-24 }}. The NAF was developed on SimpleSAMLPhP and a Firefox extension was developed to process the GBA digest authencation request from the BSF. Bluetooth SIM Access Profile was used between the Firefox browser and the mobile phone. Later a partner developed a "zero installation" concept.
* The research institute [[Fraunhofer Institute for Open Communication Systems|Fraunhofer FOKUS]] developed an OpenID extension for Firefox which uses GBA authentication.[https://web.archive.org/web/20150217142539/http://www.icin.biz/files/2008papers/Session5A-2.pdf
* The Open Mobile Terminal Platform http://www.omtp.org references GBA in its Advanced Trusted Environment: OMTP TR1<ref>
Sadly, despite many advantages and potential uses of GBA, its implementation in handsets has been limited since GBA standardization in 2006. Most notably, GBA was implemented in Symbian-based handsets.
| |||